From fb3d80b1ac1b4211c2d8cfa3cbfe3d2dce6716b7 Mon Sep 17 00:00:00 2001 From: Philipp Eder Date: Thu, 11 Apr 2024 06:24:21 +0200 Subject: [PATCH 1/3] Add: openvas logs To be able to see openvas logs more easily a new service `openvas` is added. This service tails over `/var/log/openvas/openvas.log`. Additionally an configuration step `configure-openvas` is added. This sets the openvas log level to 128 and changes to log output to `/var/log/openvas/openvas.log` instead of `/var/log/gvm/openvas.log`. To change the log level you can replace the `128` to the desired log level. --- src/_static/docker-compose-22.4.yml | 40 ++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/src/_static/docker-compose-22.4.yml b/src/_static/docker-compose-22.4.yml index 85742836..630cd863 100644 --- a/src/_static/docker-compose-22.4.yml +++ b/src/_static/docker-compose-22.4.yml @@ -94,7 +94,39 @@ services: - gvmd_socket_vol:/run/gvmd depends_on: - gvmd - + # Sets log level of openvas to the set LOG_LEVEL within the env + # and changes log output to /var/log/openvas instead /var/log/gvm + # to reduce likelyhood of unwanted log interferences + configure-openvas: + image: greenbone/openvas-scanner:stable + volumes: + - openvas_data_vol:/mnt + environment: + LOG_LEVEL: 128 + command: + - /bin/sh + - -c + - | + cp /etc/openvas/openvas.conf /mnt/ + sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf + chmod 644 /mnt/openvas.conf + chmod 644 /mnt/openvas_log.conf + # shows logs of openvas + openvas: + image: greenbone/openvas-scanner:stable + restart: on-failure + volumes: + - openvas_data_vol:/etc/openvas + - openvas_log_data_vol:/var/log/openvas + command: + - /bin/sh + - -c + - | + cat /etc/openvas/openvas.conf + tail -f /var/log/openvas/openvas.log + depends_on: + configure-openvas: + condition: service_completed_successfully ospd-openvas: image: greenbone/ospd-openvas:stable restart: on-failure 
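Review bot: The `LOG_LEVEL: 128` environment entry in `configure-openvas` is never read by the command; the level is hard-coded by `sed "s/127/128/"`, so the comment above the service ("Sets log level of openvas to the set LOG_LEVEL within the env") and the commit message's "replace the 128" instruction describe two different mechanisms, and the comment also misspells `likelyhood`. Both `sed` expressions are unanchored: `s/127/128/` rewrites the first `127` on any line (an address such as `127.0.0.1` would be hit if the shipped file contains one) and `s/gvm/openvas/` rewrites the first `gvm` on any line. Anchoring on the path the commit message names, `sed 's#/var/log/gvm/openvas.log#/var/log/openvas/openvas.log#'`, and on the key that carries the level (presumably `level=`; verify against the shipped openvas_log.conf), e.g. `sed "s/^level=127/level=$${LOG_LEVEL}/"`, would make the step deterministic and make the env entry do what the comment says — note the `$$`, since Compose otherwise interpolates `${LOG_LEVEL}` from the host environment at parse time. The `openvas` service mounts `openvas_data_vol:/etc/openvas`, a volume that `configure-openvas` fills with only openvas.conf and openvas_log.conf, so anything else the image ships under /etc/openvas is hidden; that is harmless for a `tail` sidecar but the same mount is added to `ospd-openvas` in the `@@ -124,6 +156,8` hunk of this patch and to `openvasd` in patch 2, where it may matter (I cannot see what else the image places there; confirm, and if other files are needed copy the whole directory, `cp -a /etc/openvas/. /mnt/`, before rewriting).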
@@ -124,6 +156,8 @@ services: - notus_data_vol:/var/lib/notus - ospd_openvas_socket_vol:/run/ospd - redis_socket_vol:/run/redis/ + - openvas_data_vol:/etc/openvas + - openvas_log_data_vol:/var/log/openvas depends_on: redis-server: condition: service_started @@ -131,6 +165,8 @@ services: condition: service_completed_successfully vulnerability-tests: condition: service_completed_successfully + configure-openvas: + condition: service_completed_successfully mqtt-broker: restart: on-failure @@ -177,3 +213,5 @@ volumes: gvmd_socket_vol: ospd_openvas_socket_vol: redis_socket_vol: + openvas_data_vol: + openvas_log_data_vol: From 34741b8d70cfce1bebc574687904f01cc2117c2a Mon Sep 17 00:00:00 2001 From: Philipp Eder Date: Thu, 11 Apr 2024 12:09:57 +0200 Subject: [PATCH 2/3] Add: openvasd Remove: notus With https://github.com/greenbone/openvas-scanner/pull/1519 notus is deprecated in favour of openvasd/notus endpoint. For more details see: https://greenbone.github.io/scanner-api/ for a general overview of the API implemented by openvasd. This removes the dependencies of a mqtt broker as well as notus service. --- src/_static/docker-compose-22.4.yml | 59 +++++++++++++++-------------- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/src/_static/docker-compose-22.4.yml b/src/_static/docker-compose-22.4.yml index 630cd863..f6d8c00a 100644 --- a/src/_static/docker-compose-22.4.yml +++ b/src/_static/docker-compose-22.4.yml @@ -101,13 +101,11 @@ services: image: greenbone/openvas-scanner:stable volumes: - openvas_data_vol:/mnt - environment: - LOG_LEVEL: 128 command: - /bin/sh - -c - | - cp /etc/openvas/openvas.conf /mnt/ + printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf chmod 644 /mnt/openvas.conf chmod 644 /mnt/openvas_log.conf 
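Review bot: The new `printf ... > /mnt/openvas.conf` line replaces the image's openvas.conf with only `table_driven_lsc` and `openvasd_server`, so any other setting the shipped file carried is dropped rather than overridden; the removed `cp` kept it, and appending after the copy (`>>`) would preserve both, if the shipped file has content worth keeping — confirm against the image. `openvasd_server = http://openvasd:80` is plain HTTP with no credential, which is acceptable only while openvasd remains reachable solely on the internal compose network, and that assumption deserves a comment on the line. This hunk removes the `LOG_LEVEL` environment entry, but the comment above the service (outside the hunk, added in patch 1) still says the level comes from the env while the unchanged `sed "s/127/128/"` hard-codes it; it should be updated to something like `# Sets the openvas log level to 128 (edit the sed below to change it)`.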
@@ -127,6 +125,36 @@ services: depends_on: configure-openvas: condition: service_completed_successfully + + openvasd: + image: greenbone/openvas-scanner:stable + restart: on-failure + environment: + # `service_notus` is set to disable everything but notus, + # if you want to utilize openvasd directly removed `OPENVAS_MOD` + OPENVASD_MOD: service_notus + GNUPGHOME: /etc/openvas/gnupg + LISTENING: 0.0.0.0:80 + volumes: + - openvas_data_vol:/etc/openvas + - openvas_log_data_vol:/var/log/openvas + - gpg_data_vol:/etc/openvas/gnupg + - notus_data_vol:/var/lib/notus + # enable port forwarding when you want to use the http api from your host machine + # ports: + # - 127.0.0.1:3000:80 + depends_on: + vulnerability-tests: + condition: service_completed_successfully + configure-openvas: + condition: service_completed_successfully + gpg-data: + condition: service_completed_successfully + networks: + default: + aliases: + - openvasd + ospd-openvas: image: greenbone/ospd-openvas:stable restart: on-failure @@ -143,8 +171,6 @@ services: "-f", "--config", "/etc/gvm/ospd-openvas.conf", - "--mqtt-broker-address", - "mqtt-broker", "--notus-feed-dir", "/var/lib/notus/advisories", "-m", @@ -168,29 +194,6 @@ services: configure-openvas: condition: service_completed_successfully - mqtt-broker: - restart: on-failure - image: greenbone/mqtt-broker - networks: - default: - aliases: - - mqtt-broker - - broker - - notus-scanner: - restart: on-failure - image: greenbone/notus-scanner:stable - volumes: - - notus_data_vol:/var/lib/notus - - gpg_data_vol:/etc/openvas/gnupg - environment: - NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker - NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products - depends_on: - - mqtt-broker - - gpg-data - - vulnerability-tests - gvm-tools: image: greenbone/gvm-tools volumes: From cab213113659c3743c494f29290fb2b099a9b2bf Mon Sep 17 00:00:00 2001 
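Review bot: The comment on `OPENVASD_MOD` names the variable `OPENVAS_MOD` and says "removed"; it should read `# if you want to utilize openvasd directly, remove OPENVASD_MOD` so a reader deletes the right key. `LISTENING: 0.0.0.0:80` binds the API on every container interface and, as far as this hunk shows, no TLS or API-key setting is configured for the service, so the commented-out `ports:` block would publish an unauthenticated HTTP API on the host if uncommented; the loopback form `127.0.0.1:3000:80` is the right default, and the comment should say that openvasd's API-key or TLS options should be set before enabling it. Both `0.0.0.0:80` and `127.0.0.1:3000:80` are safer quoted (`'0.0.0.0:80'`) so no YAML loader retypes them. The `networks` alias `openvasd` repeats the service name, which Compose already resolves on the default network; it is harmless but redundant unless another network is attached.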
From: Philipp Eder Date: Thu, 11 Apr 2024 13:19:53 +0200 Subject: [PATCH 3/3] Doc: remove notus-scanner and explain openvasd installation --- src/22.4/source-build/index.md | 19 ++++------ src/22.4/source-build/mqtt-broker.md | 30 --------------- src/22.4/source-build/notus-scanner/build.md | 26 ------------- .../notus-scanner/dependencies.md | 37 ------------------- .../source-build/notus-scanner/description.md | 4 -- .../source-build/notus-scanner/download.md | 23 ------------ src/22.4/source-build/openvasd/build.md | 23 ++++++++++++ .../source-build/openvasd/dependencies.md | 29 +++++++++++++++ src/22.4/source-build/openvasd/description.md | 7 ++++ src/22.4/source-build/openvasd/download.md | 23 ++++++++++++ 10 files changed, 90 insertions(+), 131 deletions(-) delete mode 100644 src/22.4/source-build/mqtt-broker.md delete mode 100644 src/22.4/source-build/notus-scanner/build.md delete mode 100644 src/22.4/source-build/notus-scanner/dependencies.md delete mode 100644 src/22.4/source-build/notus-scanner/description.md delete mode 100644 src/22.4/source-build/notus-scanner/download.md create mode 100644 src/22.4/source-build/openvasd/build.md create mode 100644 src/22.4/source-build/openvasd/dependencies.md create mode 100644 src/22.4/source-build/openvasd/description.md create mode 100644 src/22.4/source-build/openvasd/download.md diff --git a/src/22.4/source-build/index.md b/src/22.4/source-build/index.md index 7ae3625e..e8c6feac 100644 --- a/src/22.4/source-build/index.md +++ b/src/22.4/source-build/index.md @@ -142,7 +142,7 @@ export GSAD_VERSION=22.9.0 ```{code-block} :caption: Setting the openvas-scanner version to use -export OPENVAS_SCANNER_VERSION=22.7.9 +export OPENVAS_SCANNER_VERSION=23.0.1 ``` ```{include} /22.4/source-build/openvas-scanner/dependencies.md 
@@ -174,24 +174,24 @@ export OSPD_OPENVAS_VERSION=22.6.2 ```{include} /22.4/source-build/ospd-openvas/build.md ``` -### notus-scanner +### openvasd -```{include} /22.4/source-build/notus-scanner/description.md +```{include} /22.4/source-build/openvasd/description.md ``` ```{code-block} -:caption: Setting the notus version to use +:caption: Setting the openvas versions to use -export NOTUS_VERSION=22.6.2 +export OPENVAS_DAEMON=23.0.1 ``` -```{include} /22.4/source-build/notus-scanner/dependencies.md +```{include} /22.4/source-build/openvasd/dependencies.md ``` -```{include} /22.4/source-build/notus-scanner/download.md +```{include} /22.4/source-build/openvasd/download.md ``` -```{include} /22.4/source-build/notus-scanner/build.md +```{include} /22.4/source-build/openvasd/build.md ``` ### greenbone-feed-sync @@ -221,9 +221,6 @@ export NOTUS_VERSION=22.6.2 ```{include} /22.4/source-build/redis.md ``` -```{include} /22.4/source-build/mqtt-broker.md -``` - ```{include} /22.4/source-build/directory-permissions.md ``` diff --git a/src/22.4/source-build/mqtt-broker.md b/src/22.4/source-build/mqtt-broker.md deleted file mode 100644 index f738f4ec..00000000 --- a/src/22.4/source-build/mqtt-broker.md +++ /dev/null 
@@ -1,30 +0,0 @@ -### Setting up the Mosquitto MQTT Broker - -The Mosquitto MQTT broker is used for communication between -*ospd-openvas*, *openvas-scanner* and *notus-scanner*. - -```{eval-rst} -.. tabs:: - .. tab:: Debian/Ubuntu - .. code-block:: - :caption: Installing the Mosquitto broker - - sudo apt install -y mosquitto - - .. tab:: Fedora/CentOS - .. code-block:: - :caption: Installing the Mosquitto broker - - sudo dnf install -y mosquitto -``` - -After installing the Mosquitto broker package, the broker must be started -and the server uri must be added to the *openvas-scanner* configuration. - -```{code-block} -:caption: Starting the broker and adding the server uri to the openvas-scanner configuration - -sudo systemctl start mosquitto.service -sudo systemctl enable mosquitto.service -echo -e "mqtt_server_uri = localhost:1883\ntable_driven_lsc = yes" | sudo tee -a /etc/openvas/openvas.conf -``` diff --git a/src/22.4/source-build/notus-scanner/build.md b/src/22.4/source-build/notus-scanner/build.md deleted file mode 100644 index bbefd1f3..00000000 --- a/src/22.4/source-build/notus-scanner/build.md +++ /dev/null @@ -1,26 +0,0 @@ -```{eval-rst} -.. tabs:: - .. tab:: Debian/Ubuntu - .. code-block:: - :caption: Installing notus-scanner - - cd $SOURCE_DIR/notus-scanner-$NOTUS_VERSION - - mkdir -p $INSTALL_DIR/notus-scanner - - python3 -m pip install --root=$INSTALL_DIR/notus-scanner --no-warn-script-location . - - sudo cp -rv $INSTALL_DIR/notus-scanner/* / - - .. tab:: Fedora/CentOS - .. code-block:: - :caption: Installing notus-scanner - - cd $SOURCE_DIR/notus-scanner-$NOTUS_VERSION - - mkdir -p $INSTALL_DIR/notus-scanner - - python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR/notus-scanner --no-warn-script-location . - - sudo cp -rv $INSTALL_DIR/notus-scanner/* / -``` diff --git a/src/22.4/source-build/notus-scanner/dependencies.md b/src/22.4/source-build/notus-scanner/dependencies.md deleted file mode 100644 index 71b97901..00000000 
--- a/src/22.4/source-build/notus-scanner/dependencies.md +++ /dev/null @@ -1,37 +0,0 @@ -```{eval-rst} -.. tabs:: - .. tab:: Debian/Ubuntu - .. code-block:: - :caption: Required dependencies for notus-scanner - - sudo apt install -y \ - python3 \ - python3-pip \ - python3-setuptools \ - python3-paho-mqtt \ - python3-psutil \ - python3-gnupg - - .. tab:: Fedora - .. code-block:: - :caption: Required dependencies for notus-scanner - - sudo dnf install -y \ - python3 \ - python3-pip \ - python3-setuptools \ - python3-paho-mqtt \ - python3-psutil \ - python3-gnupg - - .. tab:: CentOS - .. code-block:: - :caption: Required dependencies for notus-scanner - - sudo dnf install -y \ - python3 \ - python3-pip \ - python3-setuptools \ - python3-wheel \ - python3-psutil -``` diff --git a/src/22.4/source-build/notus-scanner/description.md b/src/22.4/source-build/notus-scanner/description.md deleted file mode 100644 index 3f61db3e..00000000 --- a/src/22.4/source-build/notus-scanner/description.md +++ /dev/null @@ -1,4 +0,0 @@ -*notus-scanner* is used for detecting vulnerable products by evaluating -internal system information gathered by *openvas-scanner*. -It communicates with *openvas-scanner* and *ospd-openvas* via -[MQTT](https://en.wikipedia.org/wiki/MQTT). It is running as a daemon. diff --git a/src/22.4/source-build/notus-scanner/download.md b/src/22.4/source-build/notus-scanner/download.md deleted file mode 100644 index fd0ce122..00000000 --- a/src/22.4/source-build/notus-scanner/download.md +++ /dev/null 
@@ -1,23 +0,0 @@ -```{code-block} -:caption: Downloading the notus-scanner sources - -curl -f -L https://github.com/greenbone/notus-scanner/archive/refs/tags/v$NOTUS_VERSION.tar.gz -o $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz -curl -f -L https://github.com/greenbone/notus-scanner/releases/download/v$NOTUS_VERSION/notus-scanner-v$NOTUS_VERSION.tar.gz.asc -o $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz.asc -``` - -```{code-block} -:caption: Verifying the source files - -gpg --verify $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz.asc $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz -``` - -The output of the last command should be similar to: - -```{include} /22.4/source-build/verify.md -``` - -If the signatures are valid, the tarballs can be extracted. - -``` -tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz -``` diff --git a/src/22.4/source-build/openvasd/build.md b/src/22.4/source-build/openvasd/build.md new file mode 100644 index 00000000..5387e73f --- /dev/null +++ b/src/22.4/source-build/openvasd/build.md @@ -0,0 +1,23 @@ +```{eval-rst} +.. tabs:: + .. tab:: Debian/Ubuntu + .. code-block:: + :caption: Installing openvas-scanner + + cd $SOURCE_DIR/openvas-scanner-$NOTUS_VERSION/rust/openvasd + + cargo build --release + + sudo cp -v ../target/release/openvasd /usr/local/bin/ + + .. tab:: Fedora/CentOS + .. code-block:: + :caption: Installing openvas-scanner + + + cd $SOURCE_DIR/openvas-scanner-$NOTUS_VERSION/rust/openvasd + + cargo build --release + + sudo cp -v ../target/release/openvasd /usr/local/bin/ +``` diff --git a/src/22.4/source-build/openvasd/dependencies.md b/src/22.4/source-build/openvasd/dependencies.md new file mode 100644 index 00000000..0722fd4b --- /dev/null +++ b/src/22.4/source-build/openvasd/dependencies.md 
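Review bot: `cd $SOURCE_DIR/openvas-scanner-$NOTUS_VERSION/rust/openvasd` in both tabs uses `NOTUS_VERSION`, which this series removes from index.md (it now exports `OPENVAS_DAEMON=23.0.1`) and which the new download.md uses to name the extracted directory, so the `cd` targets a directory that does not exist; both lines should read `cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/openvasd`. The captions say "Installing openvas-scanner" although the block installs openvasd; `:caption: Installing openvasd` matches the dependencies.md captions. `cargo build --release` resolves dependency versions afresh at build time; `cargo build --release --locked` pins the build to the repository's Cargo.lock, assuming one is shipped in the tarball, which keeps the documented build reproducible. `sudo cp -v ../target/release/openvasd` assumes a workspace target directory one level above openvasd; confirm that is where cargo places the binary for this tree.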
@@ -0,0 +1,29 @@ +```{eval-rst} +.. tabs:: + .. tab:: Debian/Ubuntu + .. code-block:: + :caption: Required dependencies for openvasd + + sudo apt install -y \ + cargo \ + pkg-config \ + libssl-dev + + .. tab:: Fedora + .. code-block:: + :caption: Required dependencies for openvasd + + sudo dnf install -y \ + cargo \ + pkg-config \ + openssl-devel + + .. tab:: CentOS + .. code-block:: + :caption: Required dependencies for openvasd + + sudo dnf install -y \ + cargo \ + pkg-config \ + openssl-devel +``` diff --git a/src/22.4/source-build/openvasd/description.md b/src/22.4/source-build/openvasd/description.md new file mode 100644 index 00000000..0a378c5c --- /dev/null +++ b/src/22.4/source-build/openvasd/description.md @@ -0,0 +1,7 @@ +*OpenVASD* is used for detecting vulnerable products. + +It controls `openvas-scanner` for scanning and is used to get the results. + +For more information see: +- https://greenbone.github.io/scanner-api/ +- https://github.com/greenbone/openvas-scanner/tree/main/rust/openvasd diff --git a/src/22.4/source-build/openvasd/download.md b/src/22.4/source-build/openvasd/download.md new file mode 100644 index 00000000..27cb228a --- /dev/null +++ b/src/22.4/source-build/openvasd/download.md 
@@ -0,0 +1,23 @@ +```{code-block} +:caption: Downloading the openvas-scanner sources + +curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_DAEMON.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz +curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_DAEMON/openvas-scanner-v$OPENVAS_DAEMON.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc +``` + +```{code-block} +:caption: Verifying the source file + +gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz +``` + +The output of the last command should be similar to: + +```{include} /22.4/source-build/verify.md +``` + +If the signature is valid, the tarball can be extracted. + +``` +tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz +```