isaudits / docker-gvm

Docker container stack for GVM / OpenVAS

Newly built images have missing folders #4

Open swhitman0 opened 2 years ago

swhitman0 commented 2 years ago

The folders /usr/local/var/run and /run/gvm are missing in newly built images. A message in the gvm log says that it is running Greenbone Vulnerability Manager version 21.4.4 (DB revision 242).

mcjon3z commented 2 years ago

It looks like Greenbone changed some paths out of /usr/local. I don't know how, but the initial test builds I did on my laptop worked fine. I'm rolling back the commits to the previous working version until I can get time to sort it out, as I'm no longer using this in production.

swhitman0 commented 2 years ago

I think I have just about figured it out. I included -DLOCALSTATEDIR=/usr/local/var to the CMake commands. When I am done, I will upload a patch.

mcjon3z commented 2 years ago

That makes sense. I happen to have a test box spun up, so I cherry-picked the reverted commits back in, added those build flags, and am seeing how it goes.

I figured out why my previous test worked - at some point I had commented out the build.local file so my local build was still using the previous version's build image as the base instead of rebuilding it...

mcjon3z commented 2 years ago

@swhitman0 - just as an update, the build flag introduces additional directory inconsistencies and permissions issues. Testing now with just adding the new run directories mentioned in your original post to cont-init.d/30-config.

mcjon3z commented 2 years ago

Build worked and everything is now launching and updating properly, but I'm still having the previously reported issue of no open ports being detected since the initial rollout of the 21.4 build.

swhitman0 commented 2 years ago

The following patch fixes all missing folder/file messages. I even included a pwpolicy.conf, even though forum posts said that was just a warning.

However, I'm still getting this message in the log: OSPD[481] 2021-12-03 14:23:35,933: ERROR: (ospd_openvas.openvas) OpenVAS Scanner failed to load VTs. Command '['openvas', '--update-vt-info']' died with <Signals.SIGSEGV: 11>.

diff --git a/docker/base/root/etc/cont-init.d/30-config b/docker/base/root/etc/cont-init.d/30-config
index 66d0ab3..94350e5 100644
--- a/docker/base/root/etc/cont-init.d/30-config
+++ b/docker/base/root/etc/cont-init.d/30-config
@@ -46,6 +46,9 @@ mkdir -p /usr/local/var/lib/openvas/plugins
 mkdir -p /usr/local/var/lib/gvm/cert-data
 mkdir -p /usr/local/var/lib/gvm/scap-data
 mkdir -p /usr/local/var/lib/gvm/data-objects
+mkdir -p /usr/local/var/run
+mkdir -p /usr/local/var/lib/gvm/gvmd 
+mkdir -p /usr/local/share/gvm/gvmd/report_formats

 chown -R abc:abc \
    /config \
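Review bot: the new `mkdir -p /usr/local/var/run` and `mkdir -p /usr/local/share/gvm/gvmd/report_formats` have no matching ownership change anywhere in this patch (the later hunk adds only `/usr/local/var/lib/gvm` to the non-recursive chown), yet gvmd is started with `s6-setuidgid abc` and must be able to write to its run directory; add both paths to the `chown abc:abc` list or to the `chown -R` block so first start does not fail on permissions. Two smaller points: `mkdir -p /usr/local/var/lib/gvm/gvmd ` carries trailing whitespace, and `/run/gvm`, which the gvmd run script creates later in this patch, belongs here next to the other runtime directories so layout and ownership live in one place.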
@@ -60,6 +63,7 @@ chown -R abc:abc \

 chown abc:abc \
    /usr/local/var/lib/openvas/plugins \
+   /usr/local/var/lib/gvm \
    /usr/local/var/lib/gvm/cert-data \
    /usr/local/var/lib/gvm/scap-data \
    /usr/local/var/lib/gvm/data-objects
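Review bot: this `chown abc:abc` is non-recursive, so adding `/usr/local/var/lib/gvm` does not cover `/usr/local/var/lib/gvm/gvmd`, which the first hunk creates; add that path to this list as well (or move it into the `chown -R` block above) so the gvmd data directory is writable by the abc user the daemon runs as.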
diff --git a/docker/build/Dockerfile b/docker/build/Dockerfile
index 22b1a52..af87f57 100644
--- a/docker/build/Dockerfile
+++ b/docker/build/Dockerfile
@@ -23,7 +23,7 @@ RUN cd /build && \
     cd /build/*/ && \
     mkdir build && \
     cd build && \
-    cmake -DCMAKE_BUILD_TYPE=Release .. && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DLOCALSTATEDIR=/usr/local/var .. && \
     make && \
     make install && \
     cd /build && \
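Review bot: `-DLOCALSTATEDIR=/usr/local/var` is added with no note on why it is needed; a one-line comment in the Dockerfile (or the commit message) saying it keeps the state tree under /usr/local/var, which is where cont-init.d/30-config creates and chowns the directories, would spare the next reader the archaeology. Note also that the gvmd run script in this same patch still has to create `/run/gvm`, so the flag alone does not pin every runtime path; that matches the directory inconsistencies reported in the thread and is worth recording alongside the flag.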
@@ -40,7 +40,7 @@ RUN cd /build && \
     cd /build/*/ && \
     mkdir build && \
     cd build && \
-    cmake -DCMAKE_BUILD_TYPE=Release .. && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DLOCALSTATEDIR=/usr/local/var .. && \
     make && \
     make install && \
     cd /build && \
@@ -58,7 +58,7 @@ RUN cd /build && \
     cd /build/*/ && \
     mkdir build && \
     cd build && \
-    cmake -DCMAKE_BUILD_TYPE=Release .. && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DLOCALSTATEDIR=/usr/local/var .. && \
     make && \
     make install && \
     cd /build && \
@@ -76,7 +76,7 @@ RUN cd /build && \
     cd /build/*/ && \
     mkdir build && \
     cd build && \
-    cmake -DCMAKE_BUILD_TYPE=Release .. && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DLOCALSTATEDIR=/usr/local/var .. && \
     make && \
     make install && \
     cd /build && \
@@ -94,7 +94,7 @@ RUN cd /build && \
     cd /build/*/ && \
     mkdir build && \
     cd build && \
-    cmake -DCMAKE_BUILD_TYPE=Release .. && \
+    cmake -DCMAKE_BUILD_TYPE=Release -DLOCALSTATEDIR=/usr/local/var .. && \
     make && \
     make install && \
     cd /build && \
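Review bot: the identical cmake line is edited in five separate build steps; define the options once near the top, for example `ARG CMAKE_OPTS="-DCMAKE_BUILD_TYPE=Release -DLOCALSTATEDIR=/usr/local/var"` and `cmake $CMAKE_OPTS .. && \` in each step, so a future path change is a one-line edit and the five steps cannot drift apart.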
diff --git a/docker/gvm/root/etc/gvm/pwpolicy.conf b/docker/gvm/root/etc/gvm/pwpolicy.conf
new file mode 100644
index 0000000..7dc2c1e
--- /dev/null
+++ b/docker/gvm/root/etc/gvm/pwpolicy.conf
@@ -0,0 +1,117 @@
+# pwpolicy.conf                                      -*- coding: utf-8 -*-
+#
+# This is an example for a pattern file used to validate passwords.
+# Passwords matching an entry in this file are considered weak and
+# will be rejected.
+#
+# The file is line based with comment lines beginning on the *first*
+# position with a '#' and followed by at least one white space.  Empty
+# lines and lines with only white space are ignored.  The other lines
+# may either be verbatim patterns and match as they are (trailing
+# spaces are ignored) or Perl compatible regular expressions (pcre)
+# indicated by a '/' in the first column and terminated by another '/'
+# or end of line.  To reverse the meaning of a regular expression
+# prefix it with an exclamation mark like this:
+#
+#   !/^.{6,}$/
+#
+# This will reject a passphrase with less than 6 characters.  All
+# comparisons are case insensitive; utf-8 encoding must be used.  A
+# few processing instructions are supported:
+#
+#   #+desc[:] A string describing the next pattern
+#
+# This is used to return meaningful error messages.  To end a group of
+# pattern with the same description either a new "#+desc:" line may be
+# used or the instruction:
+#
+#   #+nodesc
+#
+# To include a list of simple pattern use:
+#
+#   #+search[:] FILENAME
+#
+# Note that this is a simple linear search and stops at the first
+# match.  Comments are not allowed in that file.  A line in the
+# dictionary may not be longer than 255 characters.
+#
+# To perform checks on the username/password combination, you should
+# use:
+#
+#   #+username
+#
+# Currently this checks whether the password matches or is included in
+# the password. It may eventually be extended to further tests.
+
+############################
+# This is an example file where all lines are explicitly prefixed with
+# an additional "#" to comment out anything.
+# On your own decision you may activiate policies and modify them.
+# Be aware: By default any password is allowed.
+############################
+
+
+## Let's start with a simple test
+##+desc: Too short (at least 8 characters are required)
+#!/^.{8,}$/
+#
+## Check that the user name does not match the password.
+## (The desc string is not used here.)
+##+username
+#
+##+desc: Only digits
+#/^[[:digit:]]+$/
+#
+##+desc: Not a mix of letters digits and control characters
+#!/[[:alpha:]]+/
+#!/[[:digit:]]+/
+#!/[[:punct:]]+/
+#
+##+desc: No mixed case
+#!/(?-i)([[:lower:]]+.*[[:upper:]]+)|([[:upper:]]+.*[[:lower:]]+)/
+#
+##+desc: Date string
+## A limited check for ISO date strings
+#/^[012][0-9]{3}-?[012][0-9]-?[0123][0-9]$/
+#
+## Reject the usual metavariables.
+##+desc: Meta variable
+#foo
+#bar
+#baz
+#
+##+desc: Common test password
+#password
+#passwort
+#passphrase
+#mantra
+#test
+#abc
+#egal
+#
+## Arbitrary strings
+##+nodesc
+#12345678
+#87654321
+#qwerty
+#qwertyuiop
+#asdfghjkl
+#zxcvbnm
+#qwertzuiop
+#yxcvbnm
+#no-password
+#no password
+#
+##+desc: Test string used by RTTY hams
+#the quick brown fox jumps over the lazy dogs back
+#
+##+desc: German number plate
+#/^[A-Z]{1,3}\s*-\s*[A-Z]{1,2}\s*[0-9]+$/
+#
+##+desc: Dictionary word
+##+search: /usr/share/dict/words
+## Note that searching a large dictionary may take some time, it might
+## be better to use an offline password auditing tool instead.
+
+
+# end of policy file
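Review bot: every policy line in this file is commented out, so the file silences the missing-file warning but enforces no password policy at all (the file's own header says so: "By default any password is allowed"). If quieting the log is the only goal, say so in the commit message; if the stack is meant to constrain web UI account passwords, uncomment at least the minimum-length rule `!/^.{8,}$/` and the `#+username` check. Keep `#+search: /usr/share/dict/words` disabled unless the image is known to ship that dictionary, since the header notes the search is linear and the file must exist.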
diff --git a/docker/gvm/root/etc/services.d/gvmd/run b/docker/gvm/root/etc/services.d/gvmd/run
index aa0b710..b6a6623 100644
--- a/docker/gvm/root/etc/services.d/gvmd/run
+++ b/docker/gvm/root/etc/services.d/gvmd/run
@@ -1,5 +1,11 @@
 #!/usr/bin/with-contenv bash

+if [ ! -d "/run/gvm" ]; then
+   mkdir /run/gvm/
+fi
+
+chown abc:abc /run/gvm/
+
 sleep 5
 echo "Attempting to migrate database and create default user"
 #s6-setuidgid abc gvmd gvm-manage-certs -q -a &> /dev/nul || true
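Review bot: `mkdir /run/gvm/` is guarded by `[ ! -d ]`, but it is the only runtime directory created in a service run script rather than in cont-init.d/30-config, where this patch creates and chowns all the others; moving it there keeps one place for layout and permissions. If it stays here, use `mkdir -p` to match the style of 30-config, and note the unconditional `chown abc:abc /run/gvm/` runs on every service restart, which is harmless but belongs with the one-time setup.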
@@ -20,4 +26,4 @@ done

 echo "Starting Greenbone Vulnerability Manager..."

-exec s6-setuidgid abc gvmd --max-ips-per-target=$GVMD_MAX_IPS_PER_TARGET --foreground
\ No newline at end of file
+exec s6-setuidgid abc gvmd --max-ips-per-target=$GVMD_MAX_IPS_PER_TARGET --foreground -osp-vt-update=/run/ospd/ospd-openvas.sock
\ No newline at end of file
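Review bot: `-osp-vt-update=/run/ospd/ospd-openvas.sock` uses a single dash for a long option; gvmd's option is spelled `--osp-vt-update=<socket>`, so as written the argument will not be parsed as intended. The socket path is also hard-coded here and again in the ospd-openvas run script below; set it once in an environment variable consumed by both scripts so they cannot drift. The missing newline at end of file flagged by the diff is pre-existing but easy to fix in the same edit.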
diff --git a/docker/gvm/root/etc/services.d/openvas/run b/docker/gvm/root/etc/services.d/openvas/run
index 088a94d..acb683a 100644
--- a/docker/gvm/root/etc/services.d/openvas/run
+++ b/docker/gvm/root/etc/services.d/openvas/run
@@ -1,4 +1,4 @@
 #!/usr/bin/with-contenv bash

 echo "Starting Open Scanner Protocol daemon for OpenVAS..."
-exec s6-setuidgid abc ospd-openvas --foreground --config /config/ospd.conf
\ No newline at end of file
+exec s6-setuidgid abc ospd-openvas --foreground --config /config/ospd.conf --unix-socket /run/ospd/ospd-openvas.sock
\ No newline at end of file
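Review bot: `--unix-socket /run/ospd/ospd-openvas.sock` requires `/run/ospd` to exist and be writable by abc, the user this process runs as via `s6-setuidgid abc`, but no hunk in this patch creates or chowns `/run/ospd`, unlike `/run/gvm` in the gvmd script; create it in 30-config alongside the other runtime directories, otherwise ospd-openvas cannot create the socket and gvmd's `--osp-vt-update` has nothing to connect to.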
mcjon3z commented 2 years ago

I was having similar issues when adding the DLOCALSTATEDIR build flags. Still trying to work out the directory and permissions issues when not using that flag.
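The pwpolicy.conf added in the patch above is shipped with every rule commented out. As an added example (not code from this thread or from GVM's own validator), here is a small Python checker for that file's pattern format: it parses the verbatim, `/regex/`, `!/regex/`, `#+desc`, `#+nodesc` and `#+username` lines described in the file's header, and shows that the file as committed rejects nothing while the same rules uncommented do. Assumptions: `#+` lines are processing instructions and any other `#` line is a comment, `#+search` is not implemented, and the POSIX classes are translated to Python `re` by a simple substitution.

```python
import re

# Constructed policy: a few of the example rules from the thread's
# pwpolicy.conf with their leading "#" removed so they are active.
ACTIVE_POLICY = """\
#+desc: Too short (at least 8 characters are required)
!/^.{8,}$/
#+username
#+desc: Only digits
/^[[:digit:]]+$/
#+desc: Common test password
password
passwort
#+nodesc
12345678
qwertyuiop
"""

# Assumption: map the POSIX classes used in the file onto Python re ranges.
POSIX = {"[:digit:]": "0-9", "[:alpha:]": "a-zA-Z", "[:lower:]": "a-z",
         "[:upper:]": "A-Z", "[:punct:]": r"!-/:-@\[-`{-~"}


def parse_policy(text):
    """Return rules as (kind, value, negate, desc); kind is regex, verbatim or username."""
    rules, desc = [], None
    for raw in text.splitlines():
        line = raw.rstrip()                      # trailing spaces are ignored
        if not line:
            continue
        if line.startswith("#+desc"):            # description for following patterns
            desc = line[6:].lstrip(":").strip()
        elif line.startswith("#+nodesc"):
            desc = None
        elif line.startswith("#+username"):      # desc is not used for this check
            rules.append(("username", None, False, None))
        elif line.startswith("#"):               # comment (assumption: also #+search)
            continue
        elif line.startswith(("/", "!/")):
            negate = line.startswith("!")        # '!' reverses the regex meaning
            body = line.lstrip("!")[1:].rstrip("/")
            for cls, rng in POSIX.items():
                body = body.replace(cls, rng)
            rules.append(("regex", re.compile(body, re.IGNORECASE), negate, desc))
        else:                                    # verbatim, case-insensitive match
            rules.append(("verbatim", line.lower(), False, desc))
    return rules


def check_password(rules, password, username=None):
    """Return None if the password passes, else the rejecting rule's description."""
    for kind, value, negate, desc in rules:
        if kind == "verbatim":
            hit = password.lower() == value
        elif kind == "regex":
            hit = bool(value.search(password)) != negate
        else:                                    # username contained in password
            hit = bool(username) and username.lower() in password.lower()
        if hit:
            return desc or "rejected by password policy"
    return None
```

Feeding the committed file (every line prefixed with `#`) through `parse_policy` yields no rules, which is why it only silences the warning.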