From 0a333bcfaacbad0dad5757cb0de488b952d694cc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Hasan=20=C3=87ALI=C5=9EIR?= Date: Mon, 12 Aug 2019 18:01:24 +0300 Subject: [PATCH] net-analyzer/openvas-scanner: bump to 6.0.1 & update metadata. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Bump to 6.0.1. Update metadata. This also fixes bug 684220 and introduces the new USE flag 'cron'. Closes: https://bugs.gentoo.org/684220 Reported-by: aleck Package-Manager: Portage-2.3.69, Repoman-2.3.16 Signed-off-by: Hasan ÇALIŞIR Signed-off-by: Joonas Niilola --- net-analyzer/openvas-scanner/Manifest | 1 + .../openvas-scanner/files/gvm-feed-sync.cron | 1 + .../openvas-scanner/files/gvm-feed-sync.sh | 45 ++++++ .../files/openvas-scanner-6.0.1-sbin.patch | 21 +++ .../files/openvassd-daemon.conf | 17 +++ .../openvas-scanner/files/openvassd.gvm.conf | 124 ++++++++++++++++ .../openvas-scanner/files/openvassd.init | 14 ++ .../openvas-scanner/files/openvassd.logrotate | 13 ++ .../openvas-scanner/files/openvassd.service | 16 ++ net-analyzer/openvas-scanner/metadata.xml | 9 ++ .../openvas-scanner-6.0.1.ebuild | 138 ++++++++++++++++++ 11 files changed, 399 insertions(+) create mode 100644 net-analyzer/openvas-scanner/files/gvm-feed-sync.cron create mode 100644 net-analyzer/openvas-scanner/files/gvm-feed-sync.sh create mode 100644 net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch create mode 100644 net-analyzer/openvas-scanner/files/openvassd-daemon.conf create mode 100644 net-analyzer/openvas-scanner/files/openvassd.gvm.conf create mode 100644 net-analyzer/openvas-scanner/files/openvassd.init create mode 100644 net-analyzer/openvas-scanner/files/openvassd.logrotate create mode 100644 net-analyzer/openvas-scanner/files/openvassd.service create mode 100644 net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild 
diff --git a/net-analyzer/openvas-scanner/Manifest b/net-analyzer/openvas-scanner/Manifest
index 12763409b469..7d55d149a97f 100644
--- a/net-analyzer/openvas-scanner/Manifest
+++ b/net-analyzer/openvas-scanner/Manifest
@@ -1 +1,2 @@
 DIST openvas-scanner-5.1.3.tar.gz 254159 BLAKE2B d90fa15e143ead53abce66f933a3a4cac327176cca0f23bd88fe771ed7726b1891784ae980644c8335e560d348753115e43cfae83af9704e2d1d02827163563f SHA512 5712ab275058877cfd656e268ed09c81db6617ae247c17092f1fcd037f692f2018daf21b09b82401f99a7361bb485f0e0f7d63f8ff2387839cfdd5a3aaf8424e
+DIST openvas-scanner-6.0.1.tar.gz 522100 BLAKE2B af82b41736329bd90ba1ea73a0ace36d4115375f81a7aaff5d3bd50f21cfa3195cdf4012aa952da52c4103a31475de5c5790ef3e2e36180aa06737371fa0e5a0 SHA512 db4087fffe1d50e232fa1e51325cf7f142237e2bd3cc5dcaa1e7058a4871300f352f2c0e700eae72ea9412c347b072e9d1f2eca508b27cb30f36c6895ec95147
diff --git a/net-analyzer/openvas-scanner/files/gvm-feed-sync.cron b/net-analyzer/openvas-scanner/files/gvm-feed-sync.cron
new file mode 100644
index 000000000000..5563b92929b1
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/gvm-feed-sync.cron
@@ -0,0 +1 @@
+0 2 * * * gvm [ -x /etc/gvm/gvm-feed-sync.sh ] && /bin/bash /etc/gvm/gvm-feed-sync.sh > /dev/null
diff --git a/net-analyzer/openvas-scanner/files/gvm-feed-sync.sh b/net-analyzer/openvas-scanner/files/gvm-feed-sync.sh
new file mode 100644
index 000000000000..ba21632a4d6c
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/gvm-feed-sync.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+# GVM cron script that updates feed.
+
+# Start to update FEED & First NVT.
+try=0
+until [ $try -ge 5 ]; do
+ greenbone-nvt-sync --curl &>/dev/null && break
+ try=$[$try+1]
+ sleep 30
+done
+
+# Check status
+if [ $? -eq 0 ]; then
+ # Avoid your IP temporary banned because of multiple connection
+ sleep 5
+ # Try to update scapdata.
+ try=0
+ until [ $try -ge 5 ]; do
+ greenbone-scapdata-sync &>/dev/null && break
+ try=$[$try+1]
+ sleep 30
+ done
+
+ # Check status
+ if [ $? -eq 0 ]; then
+ # Avoid your IP temporary banned because of multiple connection
+ sleep 5
+ # Try to update certdata
+ try=0
+ until [ $try -ge 5 ]; do
+ greenbone-certdata-sync &>/dev/null && break
+ try=$[$try+1]
+ sleep 30
+ done
+
+ # Check status
+ if [ $? -eq 0 ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ fi
+fi
diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch b/net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch
new file mode 100644
index 000000000000..d5b8a2a6b62f
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvas-scanner-6.0.1-sbin.patch
@@ -0,0 +1,21 @@
+--- a/src/CMakeLists.txt 2019-07-21 23:16:18.608251465 +0300
++++ b/src/CMakeLists.txt 2019-07-21 23:17:08.434210058 +0300
+@@ -175,7 +175,7 @@
+ ## Install
+
+ install (TARGETS openvassd
+- RUNTIME DESTINATION ${SBINDIR}
++ RUNTIME DESTINATION ${BINDIR}
+ PERMISSIONS OWNER_EXECUTE OWNER_READ OWNER_WRITE
+ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
+@@ -183,7 +183,7 @@
+ DESTINATION ${OPENVAS_SYSCONF_DIR})
+
+ install (FILES ${CMAKE_BINARY_DIR}/tools/greenbone-nvt-sync
+- DESTINATION ${SBINDIR}
++ DESTINATION ${BINDIR}
+ PERMISSIONS OWNER_EXECUTE OWNER_READ OWNER_WRITE
+ GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+
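Review bot: The `if [ $? -eq 0 ]` test after each `until` loop can never observe a failed sync, because `$?` at that point is the exit status of the loop itself, which is 0 both when the body reached `break` and when the loop ended through `[ $try -ge 5 ]` after a fifth `sleep 30`; after five failed attempts the script therefore continues to the next feed, the `exit 1` branch is unreachable, and a run in which every sync failed still exits 0, so a feed that has quietly stopped updating is never reported back through cron. Carry the result in a variable instead, as in the helper below, and make each stage abort on failure. The `#!/bin/sh` shebang is also wrong for this file: `&>` and `$[...]` are bash extensions, and under a POSIX sh `greenbone-nvt-sync --curl &>/dev/null && break` parses as backgrounding the sync and then running an empty redirection whose success triggers `break`, so the script only behaves because the cron line runs it through `/bin/bash` explicitly; declare `#!/bin/bash` or write `>/dev/null 2>&1` and `$((try + 1))`.
```sh
#!/bin/bash
# … unchanged: license header …

# Run one sync command up to 5 times, 30 s apart; 0 on the first success, 1 otherwise.
retry_sync() {
    local try=0
    until [ "$try" -ge 5 ]; do
        "$@" >/dev/null 2>&1 && return 0
        try=$((try + 1))
        sleep 30
    done
    return 1
}

retry_sync greenbone-nvt-sync --curl || exit 1
# Pause between feeds so back-to-back connections are not rate-limited by the mirror.
sleep 5
retry_sync greenbone-scapdata-sync || exit 1
sleep 5
retry_sync greenbone-certdata-sync || exit 1
exit 0
```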
diff --git a/net-analyzer/openvas-scanner/files/openvassd-daemon.conf b/net-analyzer/openvas-scanner/files/openvassd-daemon.conf
new file mode 100644
index 000000000000..6bb70d165355
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd-daemon.conf
@@ -0,0 +1,17 @@
+# OpenVAS Scanner command args
+
+# e.g --foreground
+OPENVAS_SCANNER_OPTIONS=""
+
+# Scanner listen socket
+OPENVAS_SCANNER_LISTEN_SOCKET="--unix-socket=/var/run/openvassd.sock"
+
+# Scanner listen owner
+OPENVAS_SCANNER_LISTEN_OWNER="--listen-owner=gvm"
+
+# Scanner listen group
+OPENVAS_SCANNER_LISTEN_GROUP="--listen-group=gvm"
+
+# Scanner listen mode
+OPENVAS_SCANNER_LISTEN_MODE="--listen-mode=755"
+
diff --git a/net-analyzer/openvas-scanner/files/openvassd.gvm.conf b/net-analyzer/openvas-scanner/files/openvassd.gvm.conf
new file mode 100644
index 000000000000..5dfb8b527454
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvassd.gvm.conf
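Review bot: `OPENVAS_SCANNER_LISTEN_MODE="--listen-mode=755"` defeats the `--listen-group=gvm` setting two lines above it: connecting to a Unix socket needs write permission on the socket node, and 755 grants write only to the owner, so only processes running as the gvm user can reach the scanner while group members and everyone else get an r-x that means nothing on a socket. If owner-only access is intended, 700 says so honestly; if members of the gvm group are meant to connect, 770 is the value that matches the owner and group lines. Either way a comment on the line would stop the next reader from treating it like a directory mode: `# connect() needs the write bit: 700 = gvm user only, 770 = gvm user and group; 755 behaves like 700`.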
@@ -0,0 +1,124 @@ +# You can get detailed informations from https://linux.die.net/man/8/openvassd +# Configuration file of the OpenVAS Security Scanner +# Every line starting with a '#' is a comment + +[Misc] + +# Path to the security checks folder: +plugins_folder = /var/lib/openvas/plugins + +# Path to OpenVAS caching folder: +cache_folder = /var/cache/openvas + +# Path to OpenVAS include directories: +# (multiple entries are separated with colon ':') +include_folders = /var/lib/openvas/plugins + +# Config File +config_file = /etc/openvas/openvassd.conf + +# Maximum number of simultaneous hosts tested : +max_hosts = 30 + +# Maximum number of simultaneous checks against each host tested : +max_checks = 10 + +# Niceness. If set to 'yes', openvassd will renice itself to 10. +be_nice = no + +# Log file (or 'syslog') : +logfile = /var/log/gvm/openvassd.log + +# Shall we log every details of the attack ? (disk intensive) +log_whole_attack = no + +# Log the name of the plugins that are loaded by the server ? +log_plugins_name_at_load = no + +# Dump file for debugging output, use `-' for stdout +dumpfile = /var/log/gvm/openvassd.dump + +# Rules file : +rules = /etc/openvas/openvassd.rules + +# CGI paths to check for (cgi-bin:/cgi-aws:/ can do) +cgi_path = /cgi-bin:/scripts + +# Range of the ports the port scanners will scan : +# 'default' means that OpenVAS will scan ports found in its +# services file. 
+port_range = default + +# Optimize the test (recommended) : +# Turn off for push hard but increase false positive and slow down scans +optimize_test = yes + +# Optimization : +# Read timeout for the sockets of the tests : +checks_read_timeout = 5 + +# Ports against which two plugins should not be run simultaneously : +# non_simult_ports = Services/www, 139, Services/finger +non_simult_ports = 139, 445 + +# Maximum lifetime of a plugin (in seconds) : +plugins_timeout = 320 + +# Safe checks rely on banner grabbing & If enabled push harder to target: +safe_checks = yes + +# Automatically activate the plugins that are depended on +auto_enable_dependencies = yes + +# Do not echo data from plugins which have been automatically enabled +silent_dependencies = no + +# Designate hosts by MAC address, not IP address (useful for DHCP networks) +use_mac_addr = no + + +#--- Knowledge base saving (can be configured by the client) : +# Save the knowledge base on disk : +save_knowledge_base = no + +# Restore the KB for each test : +kb_restore = no + +# Only test hosts whose KB we do not have : +only_test_hosts_whose_kb_we_dont_have = no + +# Only test hosts whose KB we already have : +only_test_hosts_whose_kb_we_have = no + +# KB test replay : +kb_dont_replay_scanners = no +kb_dont_replay_info_gathering = no +kb_dont_replay_attacks = no +kb_dont_replay_denials = no +kb_max_age = 864000 +#--- end of the KB section + +# Redis socket default setting +db_address = /tmp/redis.sock + +# If this option is set, OpenVAS will not scan a network incrementally +# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to +# slice the workload throughout the whole network (ie: it will scan +# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on... +slice_network_addresses = no + +# Should consider all the NASL scripts as being signed ? 
(unsafe if set to 'yes') +nasl_no_signature_check = yes + +#Certificates +cert_file=/var/lib/gvm/CA/servercert.pem +key_file=/var/lib/gvm/private/CA/serverkey.pem +ca_file=/var/lib/gvm/CA/cacert.pem + +# If you decide to protect your private key with a password, +# uncomment and change next line +# pem_password=password +# If you want to force the use of a client certificate, uncomment next line +# force_pubkey_auth = yes + +#end. diff --git a/net-analyzer/openvas-scanner/files/openvassd.init b/net-analyzer/openvas-scanner/files/openvassd.init new file mode 100644 index 000000000000..9bd7332134fc --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvassd.init @@ -0,0 +1,14 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +name="Open Vulnerability Assessment Scanner" +command="/usr/bin/openvassd" +command_args="${OPENVAS_SCANNER_OPTIONS} ${OPENVAS_SCANNER_LISTEN_SOCKET} ${OPENVAS_SCANNER_LISTEN_OWNER} ${OPENVAS_SCANNER_LISTEN_GROUP} ${OPENVAS_SCANNER_LISTEN_MODE}" +pidfile="/run/openvassd.pid" +command_background="true" + +depend() { + after bootmisc + need localmount net redis +} diff --git a/net-analyzer/openvas-scanner/files/openvassd.logrotate b/net-analyzer/openvas-scanner/files/openvassd.logrotate new file mode 100644 index 000000000000..9cf47d54763d --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvassd.logrotate @@ -0,0 +1,13 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 +# Daemon ignore HUP so we use 'copytruncate' instead of 'create' +# with safe file size to prevent losing log entries. + +/var/log/gvm/openvassd.log { + compress + missingok + notifempty + sharedscripts + copytruncate + maxsize 10M +} diff --git a/net-analyzer/openvas-scanner/files/openvassd.service b/net-analyzer/openvas-scanner/files/openvassd.service new file mode 100644 index 000000000000..b7d7df8bbab0 --- /dev/null 
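Review bot: `nasl_no_signature_check = yes` ships the scanner with NASL signature verification turned off, although the comment on the preceding line calls that value unsafe and the ebuild in this commit creates `/var/lib/openvas/gnupg`, the keyring location such a check would use. As far as the unit and init script in this commit show, openvassd is not switched to an unprivileged user, so every file the feed sync drops into `plugins_folder` runs with the daemon's privileges and without any integrity check. If the default must stay `yes` because no signing key is provisioned at install time, record that trade-off on the line, e.g. `# Set to 'no' once the feed signing key is imported into /var/lib/openvas/gnupg; 'yes' trusts every file under plugins_folder`. Separately, `db_address = /tmp/redis.sock` places the knowledge-base socket in a world-writable directory, where any local user who creates that path before redis does receives the scanner's connections; a socket under `/run` owned by the redis user removes that window.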
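Review bot: `command_background="true"` makes start-stop-daemon fork the command and write `pidfile` with the pid of the process it started, which is only the scanner when openvassd stays in the foreground; the systemd unit in this commit uses `Type=forking`, which suggests the daemon detaches by itself, and the shipped conf leaves `OPENVAS_SCANNER_OPTIONS` empty instead of passing the `--foreground` option it mentions. If openvassd does detach, `/run/openvassd.pid` holds the exited parent and `stop`/`status` act on a dead pid. The smaller fix is to force foreground mode in the script itself, `command_args="--foreground ${OPENVAS_SCANNER_OPTIONS} ..."` with the remaining variables kept, rather than relying on the conf file. The script also sets no `command_user`, so the scanner runs as root; if raw-socket scanning requires that, a one-line comment saying so would keep a reader from adding one.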
+++ b/net-analyzer/openvas-scanner/files/openvassd.service @@ -0,0 +1,16 @@ +[Unit] +Description=Open Vulnerability Assessment Scanner +After=network.target +After=redis.service +Before=gvmd.service +Requires=redis.service + +[Service] +Type=forking +EnvironmentFile=-/etc/openvas/sysconfig/openvassd-daemon.conf +ExecStart=/usr/bin/openvassd $OPENVAS_SCANNER_OPTIONS $OPENVAS_SCANNER_LISTEN_SOCKET $OPENVAS_SCANNER_LISTEN_OWNER $OPENVAS_SCANNER_LISTEN_GROUP $OPENVAS_SCANNER_LISTEN_MODE +Restart=on-failure +RestartSec=10 + +[Install] +WantedBy=multi-user.target diff --git a/net-analyzer/openvas-scanner/metadata.xml b/net-analyzer/openvas-scanner/metadata.xml index fa26aa942e17..50c99b9436cc 100644 --- a/net-analyzer/openvas-scanner/metadata.xml +++ b/net-analyzer/openvas-scanner/metadata.xml @@ -10,6 +10,15 @@ Proxy Maintainers + Install a cron job to update GVM's feed daily. Html docs support + + Open Vulnerability Assessment System (OpenVAS) Scanner is the Greenbone Vulnerability Management (GVM) Solution. + It is used for the Greenbone Security Manager appliances and is a full-featured scan engine that executes a continuously + updated and extended feed of Network Vulnerability Tests (NVTs). + + + greenbone/openvas-scanner + diff --git a/net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild b/net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild new file mode 100644 index 000000000000..1700d9421816 --- /dev/null +++ b/net-analyzer/openvas-scanner/openvas-scanner-6.0.1.ebuild 
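Review bot: `Type=forking` is used without `PIDFile=`, so after the fork systemd has to guess which process is the main one; the systemd.service manual recommends `PIDFile=` for forking services so that `Restart=on-failure` and `systemctl stop` track the right process. If openvassd writes its own pid file, point `PIDFile=` at it (the `/run/openvassd.pid` in the OpenRC script belongs to start-stop-daemon, not necessarily to the daemon); if it can stay in the foreground with the `--foreground` option the conf file mentions, `Type=simple` with that flag in `OPENVAS_SCANNER_OPTIONS` is the simpler unit. The unit also sets no `User=`, so the scanner runs as root and the `EnvironmentFile=` it reads becomes a root-level trust boundary; ownership of that file is decided in the ebuild's `src_install`, which is where that needs fixing.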
@@ -0,0 +1,138 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +CMAKE_MAKEFILE_GENERATOR="emake" +inherit cmake-utils flag-o-matic systemd toolchain-funcs + +MY_PN="openvas" +MY_DN="openvassd" + +DESCRIPTION="Open Vulnerability Assessment Scanner" +HOMEPAGE="https://www.greenbone.net/en/" +SRC_URI="https://github.com/greenbone/openvas-scanner/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +SLOT="0" +LICENSE="GPL-2 GPL-2+" +KEYWORDS="~amd64 ~x86" +IUSE="cron extras" + +DEPEND=" + app-crypt/gpgme:= + dev-db/redis + dev-libs/libgcrypt:= + dev-libs/libksba + >=net-analyzer/gvm-libs-10.0.1 + net-analyzer/net-snmp + net-libs/gnutls:= + net-libs/libpcap + net-libs/libssh:= +" + +RDEPEND=" + ${DEPEND} + !~net-analyzer/openvas-scanner-5.1.3 + !net-analyzer/openvas-tools" + +BDEPEND=" + sys-devel/bison + sys-devel/flex + virtual/pkgconfig + extras? ( app-doc/doxygen[dot] + app-doc/xmltoman + app-text/htmldoc + dev-perl/CGI + dev-perl/SQL-Translator + )" + +BUILD_DIR="${WORKDIR}/${MY_PN}-${PV}_build" +S="${WORKDIR}/${MY_PN}-${PV}" + +PATCHES=( + # Install exec. to /usr/bin instead of /usr/sbin + "${FILESDIR}/${P}-sbin.patch" +) + +src_prepare() { + cmake-utils_src_prepare + # QA-Fix | Correct FHS/Gentoo policy paths for 6.0.1 + sed -i -e "s*/doc/openvas-scanner/*/doc/openvas-scanner-${PV}/*g" "$S"/src/CMakeLists.txt || die + # QA-Fix | Remove !CLANG doxygen warnings for 6.0.1 + if use extras; then + if ! 
tc-is-clang; then + local f + for f in doc/*.in + do + sed -i \ + -e "s*CLANG_ASSISTED_PARSING = NO*#CLANG_ASSISTED_PARSING = NO*g" \ + -e "s*CLANG_OPTIONS*#CLANG_OPTIONS*g" \ + "${f}" || die "couldn't disable CLANG parsing" + done + fi + fi +} + +src_configure() { + local mycmakeargs=( + "-DCMAKE_INSTALL_PREFIX=${EPREFIX}/usr" + "-DLOCALSTATEDIR=${EPREFIX}/var" + "-DSYSCONFDIR=${EPREFIX}/etc" + ) + # Add release hardening flags for 6.0.1 + append-cflags -Wno-format-truncation -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector + append-ldflags -Wl,-z,relro -Wl,-z,now + cmake-utils_src_configure +} + +src_compile() { + cmake-utils_src_compile + if use extras; then + cmake-utils_src_make -C "${BUILD_DIR}" doc + cmake-utils_src_make doc-full -C "${BUILD_DIR}" doc + HTML_DOCS=( "${BUILD_DIR}"/doc/generated/html/. ) + fi + cmake-utils_src_make rebuild_cache +} + +src_install() { + cmake-utils_src_install + + dodir /etc/openvas + insinto /etc/openvas + newins "${FILESDIR}/${MY_DN}.gvm.conf" openvassd.conf + + insinto /etc/openvas + doins "${FILESDIR}"/redis.conf.example + + dodir /etc/openvas/sysconfig + insinto /etc/openvas/sysconfig + doins "${FILESDIR}/${MY_DN}-daemon.conf" + + if use cron; then + # Install the cron job if they want it. + exeinto /etc/gvm + doexe "${FILESDIR}/gvm-feed-sync.sh" + fowners gvm:gvm /etc/gvm/gvm-feed-sync.sh + + insinto /etc/cron.d + newins "${FILESDIR}"/gvm-feed-sync.cron gvm + fi + + fowners -R gvm:gvm /etc/openvas + + newinitd "${FILESDIR}/${MY_DN}.init" "${MY_DN}" + newconfd "${FILESDIR}/${MY_DN}-daemon.conf" "${MY_DN}" + + dodir /etc/logrotate.d + insinto /etc/logrotate.d + newins "${FILESDIR}/${MY_DN}.logrotate" "${MY_DN}" + + systemd_dounit "${FILESDIR}/${MY_DN}.service" + + # Set proper permissions on required files/directories + keepdir /var/log/gvm + fowners gvm:gvm /var/log/gvm + keepdir /var/lib/openvas/{gnupg,plugins} + fowners -R gvm:gvm /var/lib/openvas +} -- 2.26.2
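Review bot: `fowners -R gvm:gvm /etc/openvas` in `src_install` gives the gvm service account ownership, and with it write access, of `openvassd.conf` and of `sysconfig/openvassd-daemon.conf`, the file the unit loads through `EnvironmentFile=` and whose variables form the daemon's command line; neither the unit nor the init script in this commit drops privileges, so a compromised gvm account can change the options and configuration a root process starts with. Nothing in this hunk shows the daemon writing under `/etc/openvas`, so leave the tree root-owned as `doins`/`newins` install it and remove the recursive chown; `fowners gvm:gvm /etc/gvm/gvm-feed-sync.sh` is the same pattern on a smaller scale, since `doexe` already makes the script executable and the cron entry runs it as gvm without gvm owning it. If one file under `/etc/openvas` genuinely must be writable by gvm, chown that file alone and say why in a comment. Minor: `cmake-utils_src_make doc-full -C "${BUILD_DIR}" doc` in `src_compile` names two targets, `doc-full` and `doc`, where the line before it builds `doc` alone, which looks like a copy-and-paste slip worth confirming.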