安裝 OpenVAS 主機弱掃方案

  • Alpine 3.19 + Docker Compose
    • vCPU : 4
    • RAM : 8GB
    • SSD : 60GB
  • curl -fL https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml -o docker-compose.yml
    curl -fL https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example -o .env
    (注意: 同時給 -O 與 -o 時, curl 會用 -O 的遠端檔名存檔並忽略多出來的 -o, 第二個指令會存成 .env.example 而不是 .env, 後面的 .env 設定步驟就會找不到檔案; 另外這是第三方 repo 的 compose 檔, 內含 cap_add 與關閉 seccomp/apparmor 的設定, 執行前請先檢視內容)

  • docker-compose.yml
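    services:
      # Feed containers: each is expected to copy its feed into a named volume
      # and exit (gvmd / openvasd / ospd-openvas wait on
      # "service_completed_successfully"). These images carry no tag, so
      # Docker resolves ":latest" for them; only the daemons below are pinned
      # to ":stable".
      vulnerability-tests:
        image: registry.community.greenbone.net/community/vulnerability-tests
        environment:
          STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
        volumes:
          - vt_data_vol:/mnt

      notus-data:
        image: registry.community.greenbone.net/community/notus-data
        volumes:
          - notus_data_vol:/mnt

      scap-data:
        image: registry.community.greenbone.net/community/scap-data
        volumes:
          - scap_data_vol:/mnt

      cert-bund-data:
        image: registry.community.greenbone.net/community/cert-bund-data
        volumes:
          - cert_data_vol:/mnt

      # Shares cert_data_vol with cert-bund-data, hence the ordering.
      dfn-cert-data:
        image: registry.community.greenbone.net/community/dfn-cert-data
        volumes:
          - cert_data_vol:/mnt
        depends_on:
          - cert-bund-data

      data-objects:
        image: registry.community.greenbone.net/community/data-objects
        volumes:
          - data_objects_vol:/mnt

      # Shares data_objects_vol with data-objects, hence the ordering.
      report-formats:
        image: registry.community.greenbone.net/community/report-formats
        volumes:
          - data_objects_vol:/mnt
        depends_on:
          - data-objects

      gpg-data:
        image: registry.community.greenbone.net/community/gpg-data
        volumes:
          - gpg_data_vol:/mnt

      # Redis is reached over a unix socket shared with ospd-openvas; no TCP
      # port is published.
      redis-server:
        image: registry.community.greenbone.net/community/redis-server
        restart: on-failure
        volumes:
          - redis_socket_vol:/run/redis/

      # PostgreSQL is reached over a unix socket shared with gvmd; no TCP
      # port is published.
      pg-gvm:
        image: registry.community.greenbone.net/community/pg-gvm:stable
        restart: on-failure
        volumes:
          - psql_data_vol:/var/lib/postgresql
          - psql_socket_vol:/var/run/postgresql

      gvmd:
        image: registry.community.greenbone.net/community/gvmd:stable
        restart: on-failure
        # SMTP settings are interpolated from .env. They land in the container
        # environment, so MTA_PASSWORD is readable by anyone who can
        # `docker inspect` the container or `exec` into it and run `env`.
        # Restrict .env to mode 600 and use a dedicated mail account.
        environment:
          MTA_HOST: ${MAIL_HOST}
          MTA_PORT: ${MAIL_PORT}
          MTA_TLS: ${MAIL_TLS}
          MTA_STARTTLS: ${MAIL_STARTTLS}
          MTA_AUTH: ${MAIL_AUTH}
          MTA_USER: ${MAIL_USER}
          MTA_FROM: ${MAIL_FROM}
          MTA_PASSWORD: ${MAIL_PASSWORD}
        volumes:
          - gvmd_data_vol:/var/lib/gvm
          - scap_data_vol:/var/lib/gvm/scap-data/
          - cert_data_vol:/var/lib/gvm/cert-data
          - data_objects_vol:/var/lib/gvm/data-objects/gvmd
          - vt_data_vol:/var/lib/openvas/plugins
          - psql_data_vol:/var/lib/postgresql
          - gvmd_socket_vol:/run/gvmd
          - ospd_openvas_socket_vol:/run/ospd
          - psql_socket_vol:/var/run/postgresql
        depends_on:
          pg-gvm:
            condition: service_started
          scap-data:
            condition: service_completed_successfully
          cert-bund-data:
            condition: service_completed_successfully
          dfn-cert-data:
            condition: service_completed_successfully
          data-objects:
            condition: service_completed_successfully
          report-formats:
            condition: service_completed_successfully

      # Web UI (Greenbone Security Assistant). The container serves plain
      # HTTP on port 80 and this mapping binds it to every host interface, so
      # the admin login crosses the network unencrypted. The upstream default
      # is "127.0.0.1:9392:80"; keep that and front it with a TLS reverse
      # proxy, or at least firewall host port 9392 to trusted sources.
      # Port mappings are quoted so YAML never tries to type them.
      gsa:
        image: registry.community.greenbone.net/community/gsa:stable
        restart: on-failure
        ports:
          - "0.0.0.0:9392:80"
        volumes:
          - gvmd_socket_vol:/run/gvmd
        depends_on:
          - gvmd

      # One-shot job that writes openvas.conf / openvas_log.conf into
      # openvas_data_vol and moves log output to /var/log/openvas instead of
      # /var/log/gvm, to reduce the likelihood of unwanted log interference.
      # NOTE(review): the command below does not reference any LOG_LEVEL
      # variable; the sed rewrites the literal level 127 to 128, so setting
      # LOG_LEVEL in this service's environment has no visible effect here.
      configure-openvas:
        image: registry.community.greenbone.net/community/openvas-scanner:stable
        volumes:
          - openvas_data_vol:/mnt
          - openvas_log_data_vol:/var/log/openvas
        command:
          - /bin/sh
          - -c
          - |
            printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
            sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
            chmod 644 /mnt/openvas.conf
            chmod 644 /mnt/openvas_log.conf
            touch /var/log/openvas/openvas.log
            chmod 666 /var/log/openvas/openvas.log

      # Log follower only: prints the generated openvas.conf and tails the
      # shared log file so `docker compose logs openvas` shows scanner output.
      openvas:
        image: registry.community.greenbone.net/community/openvas-scanner:stable
        restart: on-failure
        volumes:
          - openvas_data_vol:/etc/openvas
          - openvas_log_data_vol:/var/log/openvas
        command:
          - /bin/sh
          - -c
          - |
            cat /etc/openvas/openvas.conf
            tail -f /var/log/openvas/openvas.log
        depends_on:
          configure-openvas:
            condition: service_completed_successfully

      openvasd:
        image: registry.community.greenbone.net/community/openvas-scanner:stable
        restart: on-failure
        environment:
          # `service_notus` disables everything but notus; if you want to use
          # openvasd directly, remove `OPENVASD_MODE`.
          OPENVASD_MODE: service_notus
          GNUPGHOME: /etc/openvas/gnupg
          # Listens on all container interfaces (the compose network alias
          # "openvasd" below is what ospd-openvas/openvas.conf resolve).
          LISTENING: "0.0.0.0:80"
        volumes:
          - openvas_data_vol:/etc/openvas
          - openvas_log_data_vol:/var/log/openvas
          - gpg_data_vol:/etc/openvas/gnupg
          - notus_data_vol:/var/lib/notus
        # Publishes the openvasd HTTP API on host port 3000 to every host
        # interface. Nothing in this file configures authentication for it
        # (only OPENVASD_MODE, GNUPGHOME and LISTENING are set), so drop this
        # mapping or bind it to 127.0.0.1 unless the API really must be
        # reachable from outside the host.
        ports:
          - "0.0.0.0:3000:80"
        depends_on:
          vulnerability-tests:
            condition: service_completed_successfully
          configure-openvas:
            condition: service_completed_successfully
          gpg-data:
            condition: service_completed_successfully
        networks:
          default:
            aliases:
              - openvasd

      ospd-openvas:
        image: registry.community.greenbone.net/community/ospd-openvas:stable
        restart: on-failure
        hostname: ospd-openvas.local
        # Elevated privileges: NET_ADMIN/NET_RAW are granted and seccomp and
        # AppArmor confinement are switched off, which widens the kernel
        # attack surface reachable from this container. Treat the scanner
        # host as sensitive, keep the image updated, and do not add further
        # capabilities.
        cap_add:
          - NET_ADMIN # for capturing packets in promiscuous mode
          - NET_RAW # for raw sockets e.g. used for the boreas alive detection
        security_opt:
          - seccomp=unconfined
          - apparmor=unconfined
        # "-m 666" makes the OSP unix socket world-writable inside the shared
        # ospd_openvas_socket_vol (gvmd and gvm-tools connect through it).
        command:
          [
            "ospd-openvas",
            "-f",
            "--config",
            "/etc/gvm/ospd-openvas.conf",
            "--notus-feed-dir",
            "/var/lib/notus/advisories",
            "-m",
            "666"
          ]
        volumes:
          - gpg_data_vol:/etc/openvas/gnupg
          - vt_data_vol:/var/lib/openvas/plugins
          - notus_data_vol:/var/lib/notus
          - ospd_openvas_socket_vol:/run/ospd
          - redis_socket_vol:/run/redis/
          - openvas_data_vol:/etc/openvas/
          - openvas_log_data_vol:/var/log/openvas
        depends_on:
          redis-server:
            condition: service_started
          gpg-data:
            condition: service_completed_successfully
          vulnerability-tests:
            condition: service_completed_successfully
          configure-openvas:
            condition: service_completed_successfully

      # CLI helpers (gvm-cli etc.) with access to both unix sockets; no ports.
      gvm-tools:
        image: registry.community.greenbone.net/community/gvm-tools
        volumes:
          - gvmd_socket_vol:/run/gvmd
          - ospd_openvas_socket_vol:/run/ospd
        depends_on:
          - gvmd
          - ospd-openvas

    volumes:
      gpg_data_vol:
      scap_data_vol:
      cert_data_vol:
      data_objects_vol:
      gvmd_data_vol:
      psql_data_vol:
      vt_data_vol:
      notus_data_vol:
      psql_socket_vol:
      gvmd_socket_vol:
      ospd_openvas_socket_vol:
      redis_socket_vol:
      openvas_data_vol:
      openvas_log_data_vol: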
     

    https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml

  • 修改符合需要設定
    1. gsa 將 Listen IP Port 由 127.0.0.1:9392:80(只接受本機) 改為 0.0.0.0:9392:80 (接受所有來源); 注意容器內的 gsa 只提供未加密的 HTTP, 開放給所有來源後 admin 帳密會以明文經過網路, 建議前面加一層有 TLS 的反向代理, 或至少用防火牆限制可連到 9392 的來源
    2. openvasd 開啟 API 服務 Listen IP Port: 0.0.0.0:3000:80; 此 compose 中 openvasd 的環境變數只有 OPENVASD_MODE/GNUPGHOME/LISTENING, 沒有設定任何 API 驗證, 若不需要從主機外存取 API, 請不要開放這個 port 或改綁 127.0.0.1
  • .env
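    # SMTP Settings
    # NOTE(review): this file holds a plaintext mail credential that Compose
    # injects into the gvmd container environment (see the MTA_* variables in
    # docker-compose.yml). Keep it mode 600, never commit it to a repository,
    # and prefer a dedicated mail account; Gmail typically requires an app
    # password rather than the account password when 2-step verification is on.
    MAIL_HOST=smtp.gmail.com
    MAIL_PORT=587
    MAIL_TLS=on
    MAIL_STARTTLS=on
    MAIL_AUTH=on
    MAIL_USER=your_google_account
    # Sender address. The variable name comes from MTA_FROM: ${MAIL_FROM} in
    # docker-compose.yml; the wiki's e-mail obfuscation had mangled this line,
    # so the placeholder value below is reconstructed.
    MAIL_FROM=your_google_account@gmail.com
    MAIL_PASSWORD=your_google_password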
     

    https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example

  • 修改 .env 內的 SMTP 設定
  • 啟動服務

    docker compose up -d
    docker compose logs -f

  • 設定管理者帳號密碼 (密碼直接寫在指令列會留在 shell history, 執行當下也可由 ps 看到; 執行後請清掉 history, 並避免在共用主機上這樣操作)

    docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'

  • 開啟網頁進入管理介面 - http://server-ip:9392 (使用 admin 與設定的密碼登入; 這是未加密的 HTTP, 請勿跨不受信任的網路直接使用, 正式環境請加上 TLS 反向代理)

  • 確認弱點資料庫更新狀況
  • 設定更新 script

    wget https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh

  • update.sh
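    #!/bin/sh
    # update.sh: pull the latest Greenbone images and recreate the stack.
    # Assumes it sits next to docker-compose.yml (as on this host); Compose
    # derives the project name, and therefore the "root_" volume prefix used
    # below, from that directory's name.
    set -eu
    cd "$(dirname "$0")"

    docker compose down

    # openvas.log is recreated by the configure-openvas service on the next
    # start, so deleting it here is safe. Ask Docker for the volume's mount
    # point instead of hard-coding /var/lib/docker/volumes/..., and tolerate
    # a missing file (first run, or already removed).
    LOG_VOL="root_openvas_log_data_vol"
    rm -f "$(docker volume inspect -f '{{ .Mountpoint }}' "$LOG_VOL")/openvas.log"

    docker compose pull
    docker compose up -d
    docker image prune -f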
     

    https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh

  • 設定可執行權限

    chmod a+x update.sh

  • 單純更新 notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects 似乎於更新後系統無法正常運作, 但關閉重啟就可以更新後系統正常運作
  • docker compose stop
    docker compose pull
    docker compose up -d

  • 可以透過 gvmd 查看狀況

    docker compose logs -f gvmd

    當出現類似以下訊息就表示已經正確更新與啟動

    :
    gvmd-1  | md manage:   INFO:2024-07-25 15h12.53 utc:73: Updating CVSS scores and CVE counts for CPEs
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.21 utc:73: Updating placeholder CPEs
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.34 utc:73: Updating Max CVSS for DFN-CERT
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.36 utc:73: Updating DFN-CERT CVSS max succeeded.
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.36 utc:73: Updating Max CVSS for CERT-Bund
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.37 utc:73: Updating CERT-Bund CVSS max succeeded.
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.38 utc:73: update_scap_end: Updating SCAP info succeeded
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
    gvmd-1  | md manage:   INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
    gvmd-1  | md manage:   INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).
    gvmd-1  | md manage:   INFO:2024-07-25 15h15.35 utc:207: Assigning EPSS scores to VTs

  • 如果透過 Test Alert 發現異常, 可以進去 gvmd 容器內 debug (容器名稱 root-gvmd-1 的 root- 前綴是 compose 專案名稱, 其他目錄會不同; 也可以改用 docker compose exec gvmd bash, 不必管容器名稱)

    docker exec -it root-gvmd-1 bash

    1. 確認環境變數是否正確 Exp. (輸出會包含 MTA_PASSWORD 明文, 請勿把整段貼到工單或聊天室)

      root@1b2fce44fcf3:/# env
      MTA_PORT=587
      HOSTNAME=1b2fce44fcf3
      MTA_STARTTLS=on
      MTA_PASSWORD=xxxPasswordxxx
      MTA_TLS=on
      PWD=/
      MTA_USER=jonathan
      HOME=/root
      MTA_AUTH=on
      MTA_HOST=smtp.gmail.com
      TERM=xterm
      MTA_FROM=<寄件者地址>
      SHLVL=1
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      _=/usr/bin/env

    2. 測試寄信看問題 Exp.

      root@1b2fce44fcf3:/# msmtp -d -f <寄件者地址> <收件者地址>
      aaa
      bbb
      ccc
      .
      
      loaded system configuration file /etc/msmtprc
      ignoring user configuration file /root/.msmtprc: No such file or directory
      falling back to default account
      :
      :
      aliases = (not set)
      reading recipients from the command line
      <-- 220 smtp.gmail.com ESMTP ready
      --> EHLO localhost
      <-- 250-smtp.gmail.com
      <-- 250-PIPELINING
      <-- 250-SIZE 50000000
      <-- 250-ETRN
      <-- 250-ENHANCEDSTATUSCODES
      <-- 250-8BITMIME
      <-- 250-DSN
      <-- 250 STARTTLS
      --> STARTTLS
      <-- 220 2.0.0 Start TLS
      msmtp: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
      msmtp: could not send mail (account default from /etc/msmtprc)

    3. 發現問題是無法驗證憑證, 透過安裝或更新信任根憑證來解決 (請不要改成關閉憑證驗證來繞過; 另外直接在執行中的容器 apt install 只是暫時的, update.sh 做 docker compose down / up 重建容器後就會消失, 需要長期使用請改以自建 image 加上 ca-certificates, 或把主機的 CA bundle 掛進容器)

      apt update
      apt install ca-certificates -y

      如果已經離開容器, 可以改用

      docker exec root-gvmd-1 apt update
      docker exec root-gvmd-1 apt install ca-certificates -y

  • 主要會將 log 寫入 /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
  • 這紀錄檔案不特別處理, 一段時間有可能超過 100G
  • 解決方式:
    1. 配合定期更新週期一起刪除, docker compose 啟動會自動建立 (路徑中的 root_ 是 compose 專案名稱, 也就是 docker-compose.yml 所在目錄名, 其他環境請對應修改, 或用 docker volume inspect 查實際的 Mountpoint)

      docker compose down
      rm /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
      docker compose pull
      docker compose up -d

    2. 設定環境變數 LOG_LEVEL: 1 (只紀錄 ERROR 與 WARNING); 注意上方 docker-compose.yml 的 configure-openvas command 裡並沒有引用 LOG_LEVEL (sed 固定把 openvas_log.conf 的 127 改成 128), 設定後請實際檢查 volume 內 openvas_log.conf 的 level 有沒有改變; 另外下方片段的 image 名稱 (greenbone/openvas-scanner:stable) 與上方 compose 用的 registry.community.greenbone.net/community/openvas-scanner:stable 不同, 請以自己 compose 檔內的為準

      vi docker-compose.yml

      :
        # Sets log level of openvas to the set LOG_LEVEL within the env
        # and changes log output to /var/log/openvas instead /var/log/gvm
        # to reduce likelyhood of unwanted log interferences
        configure-openvas:
          image: greenbone/openvas-scanner:stable
          environment:
            LOG_LEVEL: 1
          volumes:
            - openvas_data_vol:/mnt
            - openvas_log_data_vol:/var/log/openvas
          command:
            - /bin/sh
            - -c
            - |
      :

      重起 docker compose

      docker compose down
      docker compose up -d