├── .gitignore
├── docker
    ├── Dockerfile
    ├── base
    │   ├── root
    │   │   ├── defaults
    │   │   │   ├── update-openvas.cron
    │   │   │   ├── openvas.conf
    │   │   │   └── ospd.conf
    │   │   └── etc
    │   │   │   ├── services.d
    │   │   │       ├── cron
    │   │   │       │   └── run
    │   │   │       └── logging
    │   │   │       │   └── run
    │   │   │   └── cont-init.d
    │   │   │       ├── 60-sync
    │   │   │       ├── 50-mailrelay
    │   │   │       └── 30-config
    │   ├── Dockerfile
    │   └── install-pkgs.sh
    ├── gvm
    │   ├── root
    │   │   ├── etc
    │   │   │   ├── services.d
    │   │   │   │   ├── postgres
    │   │   │   │   │   └── run
    │   │   │   │   ├── openvas
    │   │   │   │   │   └── run
    │   │   │   │   ├── gsa
    │   │   │   │   │   └── run
    │   │   │   │   └── gvmd
    │   │   │   │   │   └── run
    │   │   │   └── cont-init.d
    │   │   │   │   └── 50-postgres
    │   │   └── defaults
    │   │   │   └── update-openvas.sh
    │   ├── Dockerfile
    │   └── install-pkgs.sh
    ├── hooks
    │   ├── README.MD
    │   ├── push
    │   ├── build.local
    │   └── build
    ├── openvas
    │   ├── root
    │   │   ├── etc
    │   │   │   └── services.d
    │   │   │   │   ├── openvas
    │   │   │   │       └── run
    │   │   │   │   └── redis
    │   │   │   │       └── run
    │   │   └── defaults
    │   │   │   └── update-openvas.sh
    │   ├── Dockerfile
    │   └── install-pkgs.sh
    └── build
    │   ├── install-pkgs.sh
    │   └── Dockerfile
├── config
    ├── update-openvas.cron
    ├── openvas.conf
    ├── example.env
    └── ospd.conf
├── gvm.service
├── openvas.service
├── docker-compose.slave.yml
├── notes.txt
├── docker-compose.yml
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | data*
2 | local.env
3 | 


--------------------------------------------------------------------------------
/docker/Dockerfile:
--------------------------------------------------------------------------------
1 | # This is a dummy Dockerfile for DockerHub auto builds


--------------------------------------------------------------------------------
/config/update-openvas.cron:
--------------------------------------------------------------------------------
1 | 1 1 * * * /bin/bash /defaults/update-openvas.sh > /dev/stdout
2 | 


--------------------------------------------------------------------------------
/docker/base/root/defaults/update-openvas.cron:
--------------------------------------------------------------------------------
1 | 0 0 * * * /bin/bash /defaults/update-openvas.sh
2 | 


--------------------------------------------------------------------------------
/docker/base/root/etc/services.d/cron/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | /usr/sbin/cron -f -L 1


--------------------------------------------------------------------------------
/docker/base/root/etc/services.d/logging/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | sleep 10
4 | 
5 | exec s6-setuidgid abc tail -F /usr/local/var/log/gvm/*


--------------------------------------------------------------------------------
/docker/base/root/etc/cont-init.d/60-sync:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | if [ "$UPDATE_ON_START" ] ; then
4 |   bash /defaults/update-openvas.sh
5 | fi


--------------------------------------------------------------------------------
/docker/gvm/root/etc/services.d/postgres/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | echo "Starting PostgreSQL..."
4 | s6-setuidgid postgres /usr/lib/postgresql/$PG_MAJOR/bin/postgres


--------------------------------------------------------------------------------
/config/openvas.conf:
--------------------------------------------------------------------------------
1 | # Note - make any config changes to override defaults in here
2 | # see https://github.com/greenbone/openvas/blob/master/doc/openvas.8.in
3 | # example: max_checks = 20


--------------------------------------------------------------------------------
/docker/base/root/defaults/openvas.conf:
--------------------------------------------------------------------------------
1 | # Note - make any config changes to override defaults in here
2 | # see https://github.com/greenbone/openvas/blob/master/doc/openvas.8.in
3 | # example: max_checks = 20


--------------------------------------------------------------------------------
/docker/gvm/root/etc/services.d/openvas/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | echo "Starting Open Scanner Protocol daemon for OpenVAS..."
4 | exec s6-setuidgid abc ospd-openvas --foreground --config /config/ospd.conf


--------------------------------------------------------------------------------
/docker/hooks/README.MD:
--------------------------------------------------------------------------------
1 | https://github.com/brimstone/docker-kali
2 | 
3 | https://medium.com/microscaling-systems/labelling-automated-builds-on-docker-hub-f3d073fb8e1
4 | 
5 | https://docs.docker.com/docker-hub/builds/advanced/


--------------------------------------------------------------------------------
/docker/openvas/root/etc/services.d/openvas/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | echo "Starting Open Scanner Protocol daemon for OpenVAS..."
4 | exec s6-setuidgid abc ospd-openvas -b $OPENVAS_HOST -p $OPENVAS_PORT --foreground --config /config/ospd.conf


--------------------------------------------------------------------------------
/docker/hooks/push:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -ueo pipefail
 3 | 
 4 | #docker push isaudits/gvm:build-20.8
 5 | #docker push isaudits/gvm:base-20.8
 6 | #docker push isaudits/gvm:openvas-20.8
 7 | #docker push isaudits/gvm:gvmd-20.8
 8 | #docker push isaudits/gvm:gvm-20.8
 9 | 
10 | docker push isaudits/gvm


--------------------------------------------------------------------------------
/docker/gvm/root/etc/services.d/gsa/run:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | while  [ ! -S /usr/local/var/run/gvmd.sock ]; do
4 | 	echo "Greenbone Security Assistant - waiting for GVMD..."
5 | 	sleep 10
6 | done
7 | 
8 | echo "Starting Greenbone Security Assistant..."
9 | exec s6-setuidgid abc gsad --foreground --verbose --listen=$GSA_HOST --port=$GSA_PORT --timeout=$GSA_TIMEOUT


--------------------------------------------------------------------------------
/docker/openvas/root/defaults/update-openvas.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/with-contenv bash
2 | 
3 | echo "Updating NVTs..."
4 | #s6-setuidgid abc greenbone-nvt-sync
5 | s6-setuidgid abc rsync --compress-level=9 --links --times --omit-dir-times --recursive --partial --quiet rsync://feed.community.greenbone.net:/nvt-feed /usr/local/var/lib/openvas/plugins
6 | sleep 5
7 | 
8 | rm /usr/local/var/run/feed-update.lock || true


--------------------------------------------------------------------------------
/config/example.env:
--------------------------------------------------------------------------------
 1 | # COPY OR RENAME TO "local.env" AND CUSTOMIZE
 2 | 
 3 | # Custom environment variables
 4 | UPDATE_ON_START=true
 5 | SCHEDULED_UPDATES=true
 6 | PUID=1000
 7 | PGID=100
 8 | TZ=America/New_York
 9 | 
10 | # docker-gvm environment variables
11 | GVM_USER=admin
12 | GVM_PASSWORD=admin
13 | GVMD_MAX_IPS_PER_TARGET=4096
14 | GSA_TIMEOUT=600
15 | SMTP_HOST=smtp.example.com
16 | SMTP_PORT=25
17 | SMTP_MASQ=example.com


--------------------------------------------------------------------------------
/config/ospd.conf:
--------------------------------------------------------------------------------
 1 | [OSPD - openvas]
 2 | log_level = INFO
 3 | socket_mode = 0o770
 4 | unix_socket = /var/run/ospd/ospd.sock
 5 | lock_file_dir = /usr/local/var/run
 6 | pid_file = /usr/local/var/run/openvas.pid
 7 | log_file = /usr/local/var/log/gvm/openvas.log
 8 | key_file = /usr/local/var/lib/gvm/private/CA/clientkey.pem
 9 | cert_file = /usr/local/var/lib/gvm/CA/clientcert.pem
10 | ca_file = /usr/local/var/lib/gvm/CA/cacert.pem


--------------------------------------------------------------------------------
/docker/base/root/defaults/ospd.conf:
--------------------------------------------------------------------------------
 1 | [OSPD - openvas]
 2 | log_level = INFO
 3 | socket_mode = 0o770
 4 | unix_socket = /var/run/ospd/ospd.sock
 5 | lock_file_dir = /usr/local/var/run
 6 | pid_file = /usr/local/var/run/openvas.pid
 7 | log_file = /usr/local/var/log/gvm/openvas.log
 8 | key_file = /usr/local/var/lib/gvm/private/CA/clientkey.pem
 9 | cert_file = /usr/local/var/lib/gvm/CA/clientcert.pem
10 | ca_file = /usr/local/var/lib/gvm/CA/cacert.pem


--------------------------------------------------------------------------------
/docker/openvas/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM isaudits/gvm:base-21.4
 2 | 
 3 | COPY install-pkgs.sh /install-pkgs.sh
 4 | 
 5 | RUN bash /install-pkgs.sh
 6 | 
 7 | COPY --from=isaudits/gvm:build-21.4 /install/openvas_smb/ /install/openvas_scanner/ /usr/local/
 8 | 
 9 | RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/openvas.conf && ldconfig
10 | 
11 | RUN echo "abc ALL=(ALL) NOPASSWD: /usr/local/sbin/openvas" >> /etc/sudoers
12 | 
13 | COPY root/ /
14 | 
15 | 
16 | 


--------------------------------------------------------------------------------
/docker/openvas/root/etc/services.d/redis/run:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/with-contenv bash
 2 | 
 3 | if [ ! -d "/run/redis" ]; then
 4 | 	mkdir /run/redis/
 5 | fi
 6 | 
 7 | chown abc:abc /run/redis/
 8 | 
 9 | if  [ -S /run/redis/redis.sock ]; then
10 |         rm /run/redis/redis.sock
11 | fi
12 | 
13 | exec s6-setuidgid abc redis-server --unixsocket /run/redis/redis.sock --unixsocketperm 766 --timeout 0 --databases 128 --maxclients 512 --port 6379 --bind 127.0.0.1
14 | 
15 | 


--------------------------------------------------------------------------------
/docker/gvm/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM isaudits/gvm:openvas-21.4
 2 | 
 3 | COPY install-pkgs.sh /install-pkgs.sh
 4 | 
 5 | RUN bash /install-pkgs.sh
 6 | 
 7 | RUN mkdir -p /var/run/postgresql && chown -R postgres /var/run/postgresql
 8 | 
 9 | COPY --from=isaudits/gvm:build-21.4 /install/gvmd/ /install/gsa/ /usr/local/
10 | 
11 | #Grab report_formats from previous version so they can be migrated in case of an upgrade
12 | #COPY --from=isaudits/gvm:gvm-11 /usr/local/share/gvm/gvmd/report_formats/ /usr/local/share/gvm/gvmd/report_formats/
13 | 
14 | RUN echo "abc ALL=(ALL) NOPASSWD: /usr/local/sbin/gsad" >> /etc/sudoers
15 | 
16 | COPY root/ /
17 | 
18 | 
19 | 


--------------------------------------------------------------------------------
/gvm.service:
--------------------------------------------------------------------------------
 1 | # /etc/systemd/system/gvm.service
 2 | 
 3 | # https://stackoverflow.com/questions/43671482/how-to-run-docker-compose-up-d-at-system-start-up
 4 | 
 5 | [Unit]
 6 | Description=Greenboone Vulnerability Manager Docker Compose Application Service
 7 | Requires=docker.service
 8 | After=docker.service
 9 | 
10 | [Service]
11 | Environment=COMPOSE_HTTP_TIMEOUT=200
12 | User=docker
13 | Group=docker
14 | WorkingDirectory=/data/
15 | ExecStart=/usr/local/bin/docker-compose up
16 | ExecStop=/usr/local/bin/docker-compose down
17 | TimeoutStartSec=0
18 | Restart=on-failure
19 | StartLimitIntervalSec=60
20 | StartLimitBurst=3
21 | 
22 | [Install]
23 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/docker/openvas/install-pkgs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | apt-get update && apt-get upgrade -y
 4 | 
 5 | # OpenVAS scanner requirements
 6 | { cat <<EOF
 7 | bison
 8 | libgcrypt20
 9 | libglib2.0
10 | libgnutls28-dev
11 | libpcap-dev
12 | libsnmp-dev
13 | libssh-gcrypt-dev
14 | nmap
15 | python3-impacket
16 | redis-server
17 | redis-tools
18 | EOF
19 | } | xargs apt-get install -yq --no-install-recommends
20 | 
21 | #ospd-openvas requirements
22 | { cat <<EOF
23 | python3-redis
24 | python3-psutil
25 | python3-packaging
26 | EOF
27 | } | xargs apt-get install -yq --no-install-recommends
28 | 
29 | pip3 install ospd-openvas~=21.4.0
30 | 
31 | apt-get autoremove -y
32 | 
33 | rm -rf /var/lib/apt/lists/*
34 | 


--------------------------------------------------------------------------------
/openvas.service:
--------------------------------------------------------------------------------
 1 | # /etc/systemd/system/openvas.service
 2 | 
 3 | # https://stackoverflow.com/questions/43671482/how-to-run-docker-compose-up-d-at-system-start-up
 4 | 
 5 | [Unit]
 6 | Description=Openvas Scanner Docker Compose Application Service
 7 | Requires=docker.service
 8 | After=docker.service
 9 | 
10 | [Service]
11 | Environment=COMPOSE_HTTP_TIMEOUT=200
12 | User=docker
13 | Group=docker
14 | WorkingDirectory=/data/
15 | ExecStart=/usr/local/bin/docker-compose -f docker-compose.slave.yml up
16 | ExecStop=/usr/local/bin/docker-compose -f docker-compose.slave.yml down
17 | TimeoutStartSec=0
18 | Restart=on-failure
19 | StartLimitIntervalSec=60
20 | StartLimitBurst=3
21 | 
22 | [Install]
23 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/docker/gvm/root/defaults/update-openvas.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/with-contenv bash
 2 | 
 3 | echo "Updating NVTs..."
 4 | #s6-setuidgid abc greenbone-nvt-sync
 5 | s6-setuidgid abc rsync --compress-level=9 --links --times --omit-dir-times --recursive --partial --quiet rsync://feed.community.greenbone.net:/nvt-feed /usr/local/var/lib/openvas/plugins
 6 | sleep 5
 7 | 
 8 | rm /usr/local/var/run/feed-update.lock || true
 9 | 
10 | echo "Updating GVMD data..."
11 | s6-setuidgid abc greenbone-feed-sync --type GVMD_DATA
12 | sleep 5
13 | 
14 | rm /usr/local/var/run/feed-update.lock || true
15 | 
16 | echo "Updating SCAP data..."
17 | s6-setuidgid abc greenbone-feed-sync --type SCAP
18 | sleep 5
19 | 
20 | rm /usr/local/var/run/feed-update.lock || true
21 | 
22 | echo "Updating CERT data..."
23 | s6-setuidgid abc greenbone-feed-sync --type CERT
24 | sleep 5
25 | 
26 | rm /usr/local/var/run/feed-update.lock || true
27 | 


--------------------------------------------------------------------------------
/docker/base/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM lsiobase/ubuntu:focal 
 2 | 
 3 | COPY install-pkgs.sh /install-pkgs.sh
 4 | 
 5 | RUN bash /install-pkgs.sh
 6 | 
 7 | COPY --from=isaudits/gvm:build-21.4 /install/gvm_libs/ /usr/local/
 8 | COPY --from=isaudits/gvm:build-21.4 /install/gvmd/bin/gvm-manage-certs /usr/local/bin/gvm-manage-certs
 9 | 
10 | COPY root/ /
11 | 
12 | ENV UPDATE_ON_START=false \
13 |     SCHEDULED_UPDATES=false \
14 |     GVM_USER="admin" \
15 |     GVM_PASSWORD="admin" \
16 |     SLAVE_USER="scanner" \
17 |     SLAVE_PASSWORD="changethisdamnpassword" \
18 |     GVMD_HOST="0.0.0.0" \
19 |     GVMD_PORT="9391" \
20 |     GVMD_MAXROWS="5000" \
21 |     GVMD_MAX_IPS_PER_TARGET="4096" \
22 |     OPENVAS_HOST="0.0.0.0" \
23 |     OPENVAS_PORT="9391" \
24 |     GSA_HOST="0.0.0.0" \
25 |     GSA_PORT="9392" \
26 |     GSA_TIMEOUT="600" \
27 |     PG_MAJOR="12" \
28 |     PGDATA="/var/lib/postgresql/data" \
29 |     POSTGRES_DB="gvmd"


--------------------------------------------------------------------------------
/docker/hooks/build.local:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -ueo pipefail
 3 | 
 4 | # stolen from https://medium.com/microscaling-systems/labelling-automated-builds-on-docker-hub-f3d073fb8e1
 5 | 
 6 | # docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
 7 | #             --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
 8 | #             -t isaudits/gvm:build-21.4 docker/build/.
 9 | 
10 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
11 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
12 |              -t isaudits/gvm:base-21.4 docker/base/.
13 | 
14 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
15 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
16 |              -t isaudits/gvm:openvas-21.4 -t isaudits/gvm:openvas docker/openvas/.
17 | 
18 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
19 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
20 |              -t isaudits/gvm:gvm-21.4 -t isaudits/gvm:latest docker/gvm/.


--------------------------------------------------------------------------------
/docker/gvm/root/etc/services.d/gvmd/run:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/with-contenv bash
 2 | 
 3 | sleep 5
 4 | echo "Attempting to migrate database and create default user"
 5 | #s6-setuidgid abc gvmd gvm-manage-certs -q -a &> /dev/nul || true
 6 | s6-setuidgid abc gvmd --migrate || true
 7 | s6-setuidgid abc gvmd --create-user=${GVM_USER} --password=${GVM_PASSWORD} || true
 8 | 
 9 | echo "Attempting to set max report rows to $GVMD_MAXROWS"
10 | s6-setuidgid abc gvmd --modify-setting 76374a7a-0569-11e6-b6da-28d24461215b --value $GVMD_MAXROWS || true
11 | 
12 | UUID=$(s6-setuidgid abc gvmd --get-users --verbose | grep $GVM_USER | awk '{print $2}')
13 | echo "Granting feed import owner rights to default user ($GVM_USER) with UUID $UUID"
14 | s6-setuidgid abc gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value $UUID || true
15 | 
16 | while  [ ! -S /var/run/ospd/ospd.sock ]; do
17 | 	echo "Greenbone Vulnerability Manager - waiting for OSPD..."
18 | 	sleep 10
19 | done
20 | 
21 | echo "Starting Greenbone Vulnerability Manager..."
22 | 
23 | exec s6-setuidgid abc gvmd --max-ips-per-target=$GVMD_MAX_IPS_PER_TARGET --foreground


--------------------------------------------------------------------------------
/docker/base/install-pkgs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | apt-get update && apt-get upgrade -y
 4 | 
 5 | # Base OS stuff
 6 | { cat <<EOF
 7 | bzip2
 8 | ca-certificates
 9 | cron
10 | curl
11 | git
12 | iputils-ping
13 | traceroute
14 | net-tools
15 | sudo
16 | rsync
17 | wget
18 | ssmtp
19 | EOF
20 | } | xargs apt-get install -yq --no-install-recommends
21 | 
22 | # gvm-libs requirements
23 | { cat <<EOF
24 | gnutls-bin
25 | libgcrypt20
26 | libglib2.0
27 | libgnutls28-dev
28 | libgpgme11
29 | libgpgme-dev
30 | libhiredis-dev
31 | libldap2-dev
32 | libradcli-dev
33 | libssh-gcrypt-dev
34 | libxml2
35 | uuid
36 | EOF
37 | } | xargs apt-get install -yq --no-install-recommends
38 | 
39 | # gvm-libs requirements
40 | { cat <<EOF
41 | libnet-dev
42 | EOF
43 | } | xargs apt-get install -yq --no-install-recommends
44 | 
45 | # ospd requirements
46 | { cat <<EOF
47 | gcc
48 | python3-dev
49 | python3-pip
50 | python3-setuptools
51 | python3-paramiko
52 | python3-lxml
53 | python3-defusedxml
54 | EOF
55 | } | xargs apt-get install -yq --no-install-recommends
56 | 
57 | pip3 install --upgrade pip
58 | pip3 install ospd~=21.4.1
59 | 
60 | rm -rf /var/lib/apt/lists/*
61 | 


--------------------------------------------------------------------------------
/docker/gvm/install-pkgs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | apt-get update && apt-get upgrade -y
 4 | 
 5 | #gvmd dependencies
 6 | { cat <<EOF
 7 | gnutls-bin
 8 | libglib2.0
 9 | libgnutls28-dev
10 | libical-dev
11 | nsis
12 | postgresql-$PG_MAJOR
13 | rsync
14 | smbclient
15 | sshpass
16 | openssh-client
17 | snmp
18 | socat
19 | texlive-fonts-recommended
20 | texlive-latex-extra
21 | xml-twig-tools
22 | xsltproc
23 | EOF
24 | } | xargs apt-get install -yq --no-install-recommends
25 | 
26 | # gsa dependencies
27 | { cat <<EOF
28 | gnutls-bin
29 | libgcrypt20
30 | libglib2.0
31 | libgnutls28-dev
32 | libmicrohttpd-dev
33 | libxml2
34 | EOF
35 | } | xargs apt-get install -yq --no-install-recommends
36 | 
37 | 
38 | # Install Node.js
39 | curl -sL https://deb.nodesource.com/setup_10.x | bash -
40 | apt-get install nodejs -yq --no-install-recommends
41 | 
42 | 
43 | # Install Yarn
44 | curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
45 | echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
46 | apt-get update
47 | apt-get install yarn -yq --no-install-recommends
48 | 
49 | apt-get autoremove -y
50 | 
51 | rm -rf /var/lib/apt/lists/*
52 | 


--------------------------------------------------------------------------------
/docker-compose.slave.yml:
--------------------------------------------------------------------------------
 1 | version: '3.4'
 2 | 
 3 | services:
 4 |   #Keeps containers up to date - https://containrrr.github.io/watchtower/
 5 |   watchtower:
 6 |     container_name: watchtower
 7 |     hostname: watchtower
 8 |     restart: always
 9 |     image: containrrr/watchtower
10 |     env_file:
11 |       - ./config/local.env
12 |     volumes:
13 |       - /var/run/docker.sock:/var/run/docker.sock
14 |     command: --schedule "0 0 4 * * *" --cleanup
15 |     
16 |   portainer:
17 |     image: portainer/portainer-ce
18 |     hostname: portainer
19 |     container_name: portainer
20 |     restart: always
21 |     command: -H unix:///var/run/docker.sock
22 |     ports:
23 |       - "9000:9000"
24 |     volumes:
25 |       - /var/run/docker.sock:/var/run/docker.sock
26 |       - portainer:/data
27 |     
28 | openvas:
29 |     image: isaudits/gvm:openvas-21.4
30 |     hostname: openvas
31 |     container_name: openvas
32 |     ports:
33 |       - "9391:9391"
34 |     env_file:
35 |       - ./config/local.env
36 |     volumes:
37 |       - ./config:/config
38 |       - gvm_data:/usr/local/var/lib
39 | 
40 | 
41 | volumes:
42 |   volumes:
43 |   portainer:{}
44 |   gvm_data:
45 |     name: gvm_data


--------------------------------------------------------------------------------
/notes.txt:
--------------------------------------------------------------------------------
 1 | https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker
 2 | 
 3 | https://github.com/admirito/gvm-containers
 4 | 
 5 | https://github.com/falkowich/gvm10-docker
 6 | 
 7 | https://sadsloth.net/post/install-gvm11-src_part1/
 8 | 
 9 | https://github.com/j1mr10rd4n/docker-debian-s6-postgres
10 | 
11 | SMTP/SYSLOG/CRON:
12 |     https://github.com/ajoergensen/baseimage-alpine
13 |     https://github.com/ajoergensen/baseimage-centos
14 | 
15 | CRON IN LINUXSERVER IMAGE:
16 |     https://github.com/linuxserver/docker-webgrabplus
17 | 
18 | 
19 | 
20 | REPOS:
21 |     https://community.greenbone.net/t/about-gvm-architecture/1231
22 |     https://github.com/greenbone
23 |     https://github.com/greenbone/gvm-libs/blob/master/INSTALL.md
24 |     https://github.com/greenbone/gvmd/blob/master/INSTALL.md
25 |     https://github.com/greenbone/gsa/blob/master/INSTALL.md
26 |     https://github.com/greenbone/openvas/blob/master/INSTALL.md
27 |     https://github.com/greenbone/ospd-openvas
28 | 
29 | ERROR MESSAGES FOR OSPD-GVMD MASTER/SLAVE COMMUNICATION
30 |     https://github.com/greenbone/ospd-openvas/issues/175
31 |     https://github.com/greenbone/ospd/issues/240
32 | 
33 | GVM10 master/slave setup:
34 |     https://sadsloth.net/post/gmv10dockermasterslave/


--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3.4'
 2 | 
 3 | services:
 4 |   #Keeps containers up to date - https://containrrr.github.io/watchtower/
 5 |   watchtower:
 6 |     container_name: watchtower
 7 |     hostname: watchtower
 8 |     restart: always
 9 |     image: containrrr/watchtower
10 |     env_file:
11 |       - ./config/local.env
12 |     volumes:
13 |       - /var/run/docker.sock:/var/run/docker.sock
14 |     command: --schedule "0 0 4 * * *" --cleanup
15 |     
16 |   portainer:
17 |     image: portainer/portainer-ce
18 |     hostname: portainer
19 |     container_name: portainer
20 |     restart: always
21 |     command: -H unix:///var/run/docker.sock
22 |     ports:
23 |       - "9000:9000"
24 |     volumes:
25 |       - /var/run/docker.sock:/var/run/docker.sock
26 |       - portainer:/data
27 |       
28 |   gvm:
29 |     image: isaudits/gvm:gvm-21.4
30 |     hostname: gvm
31 |     container_name: gvm
32 |     ports:
33 |       - "443:9392"
34 |     env_file:
35 |       - ./config/local.env
36 |     volumes:
37 |       - ./config:/config
38 |       - gvm_data:/usr/local/var/lib
39 |       - gvm_db:/var/lib/postgresql/data
40 |     tty: true
41 | 
42 | volumes:
43 |   portainer:
44 |     name: portainer
45 |   gvm_data:
46 |     name: gvm_data
47 |   gvm_db:
48 |     name: gvm_db


--------------------------------------------------------------------------------
/docker/base/root/etc/cont-init.d/50-mailrelay:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/with-contenv bash
 2 | 
 3 | CONF="/etc/ssmtp/ssmtp.conf"
 4 | : ${SMTP_HOST:="smtp.example.host"}
 5 | : ${SMTP_USER:=''}
 6 | : ${SMTP_PASS:=''}
 7 | : ${SMTP_PORT:='587'}
 8 | : ${SMTP_SECURE:=''}
 9 | : ${SMTP_TLS:='TRUE'}
10 | : ${SMTP_MASQ:='example.host'}
11 | 
12 | SMTP_SECURE=$(echo $SMTP_SECURE | tr '[A-Z]' '[a-z]')
13 | SMTP_TLS=$(echo $SMTP_TLS | tr '[A-Z]' '[a-z]')
14 | 
15 | cat > $CONF <<EOF
16 | MailHub=$SMTP_HOST:$SMTP_PORT
17 | FromLineOverride=YES
18 | Hostname=$SMTP_MASQ
19 | RewriteDomain=$SMTP_MASQ
20 | TLS_CA_Dir=/etc/ssl/certs/
21 | EOF
22 | 
23 | if [[ ! -z $SMTP_USER ]]; then
24 |  echo "AuthUser=$SMTP_USER" >> $CONF
25 | fi
26 | 
27 | if [[ ! -z $SMTP_PASS ]]; then
28 |  echo "AuthUser=$SMTP_PASS" >> $CONF
29 | fi
30 | 
31 | shopt -s nocasematch
32 | if [[ ! -z $SMTP_USER ]] || [[ $SMTP_SECURE == "true" ]]
33 |  then
34 | 	: ${SMTP_SECURE:='TRUE'}
35 | 	if [[ $SMTP_SECURE == "TRUE" ]]
36 | 	 then
37 | 		echo "UseTLS=Yes" >> $CONF
38 | 	 else
39 | 		echo "UseTLS=No" >> $CONF
40 | 	fi
41 | 
42 | 	if [[ $SMTP_SECURE == "true" && $SMTP_TLS = "true" ]]
43 | 	 then
44 | 		echo "UseSTARTTLS=Yes" >> $CONF
45 | 	 else
46 | 		echo "UseSTARTTLS=No" >> $CONF
47 | 	fi
48 |  else
49 | 	echo "UseTLS=No" >> $CONF
50 | 	echo "UseSTARTTLS=No" >> $CONF
51 | fi


--------------------------------------------------------------------------------
/docker/hooks/build:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -ueo pipefail
 3 | 
 4 | # stolen from https://medium.com/microscaling-systems/labelling-automated-builds-on-docker-hub-f3d073fb8e1
 5 | 
 6 | # NOTE - MAKE SURE WE GO BACK AND REMOVE OPENVAS AND LATEST TAGS FROM PREVIOUS VERSION WHEN WE PUSH THESE
 7 | # TAGS TO THIS VERSION; DELETE, DO NOT COMMENT TAG LINE OUT OR BUILD WILL FAIL
 8 | 
 9 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
10 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
11 |              -t isaudits/gvm:build-21.4 build/.
12 | 
13 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
14 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
15 |              -t isaudits/gvm:base-21.4 base/.
16 | 
17 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
18 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
19 |              -t isaudits/gvm:openvas-21.4 -t isaudits/gvm:openvas openvas/.
20 |              #-t isaudits/gvm:openvas-21.4 openvas/.
21 | 
22 | docker build --build-arg VCS_REF="$(git rev-parse --short HEAD)" \
23 |              --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
24 |              -t isaudits/gvm:gvm-21.4 -t isaudits/gvm:latest gvm/.
25 |              #-t isaudits/gvm:gvm-21.4 gvm/.


--------------------------------------------------------------------------------
/docker/build/install-pkgs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Borrowed from https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker/blob/master/install-pkgs.sh
 4 | 
 5 | apt-get update && apt-get upgrade -y
 6 | 
 7 | # removed packages:
 8 | #ike-scan
 9 | #net-tools
10 | #nmap
11 | #nsis
12 | #wapiti
13 | #python3-defusedxml
14 | #python3-dialog
15 | #python3-lxml
16 | #python3-paramiko
17 | #python3-pip
18 | #python3-polib
19 | #python3-psutil
20 | #python3-setuptools
21 | 
22 | { cat <<EOF
23 | bison
24 | build-essential
25 | ca-certificates
26 | cmake
27 | curl
28 | gcc
29 | gcc-mingw-w64
30 | geoip-database
31 | gnutls-bin
32 | graphviz
33 | heimdal-dev
34 | libgcrypt20-dev
35 | libglib2.0-dev
36 | libgnutls28-dev
37 | libgpgme11-dev
38 | libgpgme-dev
39 | libhiredis-dev
40 | libical-dev
41 | libksba-dev
42 | libmicrohttpd-dev
43 | libnet-dev
44 | libnet-snmp-perl
45 | libpcap-dev
46 | libpopt-dev
47 | libsnmp-dev
48 | libssh-gcrypt-dev
49 | libunistring-dev
50 | libxml2-dev
51 | openssh-client
52 | perl-base
53 | pkg-config
54 | postgresql
55 | postgresql-contrib
56 | postgresql-server-dev-all
57 | redis-server
58 | redis-tools
59 | rsync
60 | smbclient
61 | texlive-fonts-recommended
62 | texlive-latex-extra
63 | uuid-dev
64 | wget
65 | whiptail
66 | xsltproc
67 | xml-twig-tools
68 | EOF
69 | } | xargs apt-get install -yq --no-install-recommends
70 | 
71 | 
72 | # Install Node.js
73 | curl -sL https://deb.nodesource.com/setup_10.x | bash -
74 | apt-get install nodejs -yq --no-install-recommends
75 | 
76 | 
77 | # Install Yarn
78 | curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
79 | echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
80 | apt-get update
81 | apt-get install yarn -yq --no-install-recommends
82 | 
83 | 
84 | rm -rf /var/lib/apt/lists/*
85 | 


--------------------------------------------------------------------------------
/docker/gvm/root/etc/cont-init.d/50-postgres:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/with-contenv bash
 2 | 
 3 | # NOTE - see https://github.com/j1mr10rd4n/docker-debian-s6-postgres/blob/master/service-scripts/postgres-init
 4 | 
 5 | mkdir -p "$PGDATA"
 6 | chown -R postgres "$PGDATA"
 7 | 
 8 | # look specifically for PG_VERSION, as it is expected in the DB dir
 9 | if [ ! -s "$PGDATA/PG_VERSION" ]; then
10 |     su postgres -c /usr/lib/postgresql/"$PG_MAJOR"/bin/initdb
11 | 
12 |     # check password first so we can output the warning before postgres messes it up
13 |     if [ "$POSTGRES_PASSWORD" ]; then
14 |         pass="PASSWORD '$POSTGRES_PASSWORD'"
15 |         authMethod=md5
16 |     else
17 |     #WARNING GOES HERE SOMEHOW
18 |         pass=
19 |         authMethod=trust
20 |     fi
21 | 
22 |     { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
23 | 
24 |     # internal start of server in order to allow set-up using psql-client       
25 |     # does not listen on TCP/IP and waits until start finishes
26 |     su postgres -c "/usr/lib/postgresql/"$PG_MAJOR"/bin/pg_ctl -D \"$PGDATA\" \
27 |         -o \"-c listen_addresses=''\" \
28 |         -w start"
29 | 
30 |     : ${POSTGRES_USER:=postgres}
31 |     : ${POSTGRES_DB:=$POSTGRES_USER}
32 |     export POSTGRES_USER POSTGRES_DB
33 | 
34 |     if [ "$POSTGRES_DB" != 'postgres' ]; then
35 |         #/usr/lib/postgresql/"$PG_MAJOR"/bin/psql --username postgres "CREATE DATABASE \"$POSTGRES_DB\" ;"
36 | 		su -c "createdb $POSTGRES_DB" postgres
37 |     fi
38 | 
39 |     /usr/lib/postgresql/"$PG_MAJOR"/bin/psql --username postgres -d "$POSTGRES_DB" -c "CREATE EXTENSION adminpack;"
40 | 
41 |     if [ "$POSTGRES_USER" = 'postgres' ]; then
42 |         op='ALTER'
43 |     else
44 |         op='CREATE'
45 |     fi
46 | 
47 |     /usr/lib/postgresql/"$PG_MAJOR"/bin/psql -U postgres -d postgres -c "$op USER \"$POSTGRES_USER\" WITH SUPERUSER $pass ;"
48 | 
49 | 	# GVM specific database initialization tasks
50 | 	su -c "createuser -DRS abc" postgres
51 | 	su -c "psql --command='ALTER DATABASE $POSTGRES_DB OWNER TO abc;'" postgres
52 | 	su -c "psql --dbname=$POSTGRES_DB --command='create role dba with superuser noinherit;'" postgres
53 | 	su -c "psql --dbname=$POSTGRES_DB --command='grant dba to abc;'" postgres
54 | 	su -c "psql --dbname=$POSTGRES_DB --command='create extension \"uuid-ossp\";'" postgres
55 |     su -c "psql --dbname=$POSTGRES_DB --command='create extension \"pgcrypto\";'" postgres
56 | 	
57 |     su postgres -c "/usr/lib/postgresql/"$PG_MAJOR"/bin/pg_ctl -D \"$PGDATA\" -m fast -w stop"
58 |     #set_listen_addresses '*'
59 | 
60 |     echo
61 |     echo 'PostgreSQL init process complete; ready for start up.'
62 |     echo
63 | 
64 | fi


--------------------------------------------------------------------------------
/docker/base/root/etc/cont-init.d/30-config:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/with-contenv bash
 2 | 
 3 | # NOTE - based on https://github.com/linuxserver/docker-webgrabplus/blob/master/root/etc/cont-init.d/30-config
 4 | # The default cron schedule can be edited by mounting /config as a volume and tweaking the default file
 5 | 
 6 | # comment out PAM
 7 | sed -i -e '/pam_loginuid.so/s/^/#/' /etc/pam.d/crond
 8 | 
 9 | # add cron file for running feed updates
10 | [[ ! -e /config/update-openvas.cron ]] && \
11 | 	cp /defaults/update-openvas.cron /config/update-openvas.cron
12 | 
13 | # Check environment variable for cron job changes and update config file
14 | if [ "$UPDATE_CRON" ] ; then
15 |   echo "${UPDATE_CRON} /bin/bash /defaults/update-openvas.sh > /dev/stdout" > /config/update-openvas.cron
16 | fi
17 | 
18 | if [ "$SCHEDULED_UPDATES" ] ; then
19 |   crontab /config/update-openvas.cron
20 | fi
21 | 
22 | # ospd.conf (note - have to manually specify an ospd.conf file on launch since not running as root to keep from erroring out)
23 | [[ ! -e /config/ospd.conf ]] && \
24 | 	cp /defaults/ospd.conf /config/ospd.conf
25 | 
26 | sed -r -i 's|^(socket_mode[[:blank:]]*=[[:blank:]]*).*|\10o770|' /config/ospd.conf
27 | sed -r -i 's|^(unix_socket[[:blank:]]*=[[:blank:]]*).*|\1/var/run/ospd/ospd.sock|' /config/ospd.conf
28 | sed -r -i 's|^(lock_file_dir[[:blank:]]*=[[:blank:]]*).*|\1/usr/local/var/run|' /config/ospd.conf
29 | sed -r -i 's|^(pid_file[[:blank:]]*=[[:blank:]]*).*|\1/usr/local/var/run/openvas.pid|' /config/ospd.conf
30 | sed -r -i 's|^(log_file[[:blank:]]*=[[:blank:]]*).*|\1/usr/local/var/log/gvm/openvas.log|' /config/ospd.conf
31 | 
32 | # openvas.conf
33 | [[ ! -e /config/openvas.conf ]] && \
34 | 	cp /defaults/openvas.conf /config/openvas.conf
35 | ln -s /config/openvas.conf /usr/local/etc/openvas/openvas.conf
36 | 
37 | # generate certificates
38 | gvm-manage-certs -a
39 | 
40 | # disable THP for Redis
41 | echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage
42 | 
43 | # create directories if necessary
44 | mkdir -p /var/run/ospd
45 | mkdir -p /usr/local/var/lib/openvas/plugins
46 | mkdir -p /usr/local/var/lib/gvm/cert-data
47 | mkdir -p /usr/local/var/lib/gvm/scap-data
48 | mkdir -p /usr/local/var/lib/gvm/data-objects
49 | 
50 | chown -R abc:abc \
51 | 	/config \
52 | 	/defaults \
53 | 	/var/run/ospd \
54 | 	/usr/local/var/run \
55 | 	/usr/local/var/log \
56 | 	/usr/local/var/lib/gvm/gvmd \
57 | 	/usr/local/var/lib/gvm/private \
58 | 	/usr/local/var/lib/gvm/CA \
59 | 	/usr/local/share/gvm/gvmd/report_formats
60 | 
61 | chown abc:abc \
62 | 	/usr/local/var/lib/openvas/plugins \
63 | 	/usr/local/var/lib/gvm/cert-data \
64 | 	/usr/local/var/lib/gvm/scap-data \
65 | 	/usr/local/var/lib/gvm/data-objects
66 | 


--------------------------------------------------------------------------------
/docker/build/Dockerfile:
--------------------------------------------------------------------------------
  1 | FROM lsiobase/ubuntu:focal as build
  2 | 
  3 | ENV DEBIAN_FRONTEND=noninteractive
  4 | ENV LANG=C.UTF-8
  5 | 
  6 | COPY install-pkgs.sh /install-pkgs.sh
  7 | 
  8 | RUN bash /install-pkgs.sh
  9 | 
 10 | ENV gvm_libs_version="v21.4.1" \
 11 |     openvas_scanner_version="v21.4.1" \
 12 |     gvmd_version="v21.4.2" \
 13 |     gsa_version="v21.4.1" \
 14 |     openvas_smb="v21.4.0"
 15 | 
 16 | RUN echo "Starting Build..." && mkdir /build && mkdir /install
 17 | 
 18 | FROM build as build-gvm_libs
 19 |     
 20 | RUN cd /build && \
 21 |     wget --no-verbose https://github.com/greenbone/gvm-libs/archive/$gvm_libs_version.tar.gz && \
 22 |     tar -zxf $gvm_libs_version.tar.gz && \
 23 |     cd /build/*/ && \
 24 |     mkdir build && \
 25 |     cd build && \
 26 |     cmake -DCMAKE_BUILD_TYPE=Release .. && \
 27 |     make && \
 28 |     make install && \
 29 |     cd /build && \
 30 |     rm -rf *
 31 | 
 32 | RUN cd /install && \
 33 |     tar cvzf gvm_libs.tar.gz /usr/local/
 34 | 
 35 | FROM build as build-openvas_smb
 36 | 
 37 | RUN cd /build && \
 38 |     wget --no-verbose https://github.com/greenbone/openvas-smb/archive/$openvas_smb.tar.gz && \
 39 |     tar -zxf $openvas_smb.tar.gz && \
 40 |     cd /build/*/ && \
 41 |     mkdir build && \
 42 |     cd build && \
 43 |     cmake -DCMAKE_BUILD_TYPE=Release .. && \
 44 |     make && \
 45 |     make install && \
 46 |     cd /build && \
 47 |     rm -rf *
 48 | 
 49 | RUN cd /install && \
 50 |     tar cvzf openvas_smb.tar.gz /usr/local/
 51 | 
 52 | #NOTE - requires gvm_libs as dependency
 53 | FROM build-gvm_libs as build-gvmd
 54 | 
 55 | RUN cd /build && \
 56 |     wget --no-verbose https://github.com/greenbone/gvmd/archive/$gvmd_version.tar.gz && \
 57 |     tar -zxf $gvmd_version.tar.gz && \
 58 |     cd /build/*/ && \
 59 |     mkdir build && \
 60 |     cd build && \
 61 |     cmake -DCMAKE_BUILD_TYPE=Release .. && \
 62 |     make && \
 63 |     make install && \
 64 |     cd /build && \
 65 |     rm -rf *
 66 | 
 67 | RUN cd /install && \
 68 |     tar cvzf gvmd.tar.gz /usr/local/
 69 | 
 70 | #NOTE - requires gvm_libs as dependency
 71 | FROM build-gvm_libs as build-openvas_scanner
 72 | 
 73 | RUN cd /build && \
 74 |     wget --no-verbose https://github.com/greenbone/openvas-scanner/archive/$openvas_scanner_version.tar.gz && \
 75 |     tar -zxf $openvas_scanner_version.tar.gz && \
 76 |     cd /build/*/ && \
 77 |     mkdir build && \
 78 |     cd build && \
 79 |     cmake -DCMAKE_BUILD_TYPE=Release .. && \
 80 |     make && \
 81 |     make install && \
 82 |     cd /build && \
 83 |     rm -rf *
 84 | 
 85 | RUN cd /install && \
 86 |     tar cvzf openvas_scanner.tar.gz /usr/local/
 87 | 
 88 | #NOTE - requires gvm_libs as dependency
 89 | FROM build-gvm_libs as build-gsa
 90 |     
 91 | RUN cd /build && \
 92 |     wget --no-verbose https://github.com/greenbone/gsa/archive/$gsa_version.tar.gz && \
 93 |     tar -zxf $gsa_version.tar.gz && \
 94 |     cd /build/*/ && \
 95 |     mkdir build && \
 96 |     cd build && \
 97 |     cmake -DCMAKE_BUILD_TYPE=Release .. && \
 98 |     make && \
 99 |     make install && \
100 |     cd /build && \
101 |     rm -rf *
102 | 
103 | RUN cd /install && \
104 |     tar cvzf gsa.tar.gz /usr/local/
105 | 
106 | 
107 | FROM lsiobase/ubuntu:focal
108 | 
109 | #RUN mkdir /install
110 | 
111 | #COPY --from=build-gvm_libs /install/ /install/
112 | #COPY --from=build-openvas_smb /install/ /install/
113 | #COPY --from=build-gvmd /install/ /install/
114 | #COPY --from=build-openvas_scanner /install/ /install/
115 | #COPY --from=build-gsa /install/ /install/
116 | 
117 | RUN mkdir /install && \
118 |     mkdir /install/gvm_libs && \
119 |     mkdir /install/openvas_smb && \
120 |     mkdir /install/gvmd && \
121 |     mkdir /install/openvas_scanner && \
122 |     mkdir /install/gsa
123 | 
124 | COPY --from=build-gvm_libs /usr/local/ /install/gvm_libs
125 | COPY --from=build-openvas_smb /usr/local/ /install/openvas_smb
126 | COPY --from=build-gvmd /usr/local/ /install/gvmd
127 | COPY --from=build-openvas_scanner /usr/local/ /install/openvas_scanner
128 | COPY --from=build-gsa /usr/local/ /install/gsa
129 | 
130 | 
131 | 
132 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # docker-gvm
  2 | Docker implementation of Greenbone Vulnerability Management (GVM) / OpenVAS
  3 | 
  4 | ## THIS PROJECT IS NO LONGER ACTIVELY MAINTAINED
  5 | Greenbone now maintains their own docker images of all GVM / Openvas components - 
  6 | <https://hub.docker.com/u/greenbone>
  7 | 
  8 | ## Source repo
  9 | <https://github.com/isaudits/docker-gvm>
 10 | 
 11 | ## Run notes
 12 | The easiest way to run is using docker-compose. An example compose file can be
 13 | found in the github repo at <https://github.com/isaudits/docker-gvm/blob/master/docker-compose.yml>.
 14 | 
 15 | The sample compose file references an .env file for defining environment variables
 16 | at config/local.env; a sample .env file can also be found in the github repo.
 17 | 
 18 | ## Environment variables
 19 | The following environment variables can be defined in your docker-compose file or
 20 | the referenced .env file, or can be passed into docker command line:
 21 | 
 22 | - UPDATE_ON_START - run feed update script on launch
 23 | - PUID - PID of non-root user (1000)
 24 | - PGID - GID of non-root user (100)
 25 | - TZ - Time Zone (America/New_York)
 26 | - GVM_USER - username of default GVM user (admin)
 27 | - GVM_PASSWORD - password for default GVM user (admin - can be changed in GSA later)
 28 | - GVMD_MAX_IPS_PER_TARGET - Max hosts per scan target (4096) 
 29 | - GSA_TIMEOUT - HTTP timeout for GSA (600)
 30 | - SMTP_HOST - SMTP relay for emailing reports
 31 | - SMTP_PORT - SMTP relay port
 32 | - SMTP_MASQ - SMTP masquerade domain
 33 | 
 34 | 
 35 | ## Version / upgrade notes
 36 | 
 37 | ### General
 38 | When launching a new build that requires a DB schema migration, the migration will fail while there are any plugin
 39 | updates being processed. This will likely occur if your instance is configured to download plugin updates on startup.
 40 | 
 41 | If you see error messages in the console such as "SCAP sync already running" followed by
 42 | "gvmd: cannot migrate SCAP database" then an ongoing sync is preventing the initial migration from taking place.
 43 | GVMD will fail to launch until this process is completed, so just allow the process to complete and GVMD should
 44 | eventually start.
 45 | 
 46 | Major updates to schema could require some database tables to be reinitialized. GVMD will do this upon start, however
 47 | GSA will not load until this process completes and the GVMD daemon is started.
 48 | 
 49 | TLDR; upon first launch, just walk away for a bit and have a coffee!
 50 | ### 21.4
 51 | No known upgrade issues from 20.8.1 build or higher. Previous build notes apply to upgrades from previous builds. 
 52 | Going forward, release build tags will only be updated to a new tag if minor release causes upgrade or dependency
 53 | issues as was the case from 20.8 to 20.8.1. Major releases (e.g. 21.4 vs 20.8 will continue to receive new build tags).
 54 | ### 20.8.1 / 20.8.2
 55 | Upgraded base image from 20.8 release to Ubuntu 20.04 (Focal) due to required dependency versions not being upgraded in
 56 | 18.04 (Bionic). This also results in an upgrade of Postgres from 10 to 12, which will require the GVM
 57 | database to either be manually updated or recreated. 
 58 | 
 59 | At this point, we have not found a simple way to perform an in-place upgrade of the database. 
 60 | You can TRY the following steps at your own risk (this is unsupported and we will not accept any
 61 | blame if you brick a production database nor will we respond to any support requests for assistance
 62 | with upgrading a database).
 63 | 
 64 |     # backup existing volume
 65 |     docker volume rm gvm_db_bak
 66 |     docker volume create gvm_db_bak
 67 |     docker run --rm -it -v gvm_db:/from -v gvm_db_bak:/to alpine ash -c "cd /from ; cp -av . /to"
 68 | 
 69 |     # export data to temp volume
 70 |     docker volume rm gvm_db_temp
 71 |     docker volume create gvm_db_temp
 72 | 
 73 |     # use 20.8 image to export database
 74 |     docker run --rm -it -v gvm_db:/var/lib/postgresql/data -v gvm_db_temp:/backup --entrypoint /bin/bash isaudits/gvm:gvm-20.8 
 75 | 
 76 |     # dump gvm database 
 77 |     s6-setuidgid postgres /usr/lib/postgresql/10/bin/postgres &
 78 |     sudo -u abc pg_dump -O gvmd >/backup/gvmd_dump.sql
 79 |     exit
 80 | 
 81 |     # use 20.8.1 image to restore database
 82 |     docker volume rm gvm_db
 83 |     docker volume create gvm_db
 84 |     docker run --rm -it -v gvm_db:/var/lib/postgresql/data -v gvm_db_temp:/backup --entrypoint /bin/bash isaudits/gvm:gvm-20.8.1
 85 | 
 86 |     # initialize GVMD database and restore backup
 87 |     cat /etc/cont-init.d/50-postgres | /bin/bash
 88 |     s6-setuidgid postgres /usr/lib/postgresql/12/bin/postgres &
 89 |     sudo -u abc psql -f /backup/gvmd_dump.sql gvmd
 90 |     exit
 91 | 
 92 |     # undo if something screws up
 93 |     docker volume rm gvm_db
 94 |     docker volume create gvm_db
 95 |     docker run --rm -it -v gvm_db_bak:/from -v gvm_db:/to alpine ash -c "cd /from ; cp -av . /to"
 96 | 
 97 |     # if all looks ok, delete temp volumes
 98 |     docker volume rm gvm_db_temp
 99 |     docker volume rm gvm_db_bak
100 | 
101 | ### 20.8
102 | When upgrading from GVM 11, the system has to migrate default reports from those included
103 | with source of GVM 11 (/usr/local/share/gvm/gvmd/report_formats/) to the new feed based
104 | reports. This process fails if the directory is empty (which is the case when this directory
105 | lives inside a docker image for version 11). Solution was to populate this directory inside
106 | the image from our GVM11 base image
107 | 
108 | Default path for ospd socket has changed from /tmp/ospd.sock to /var/run/ospd/ospd.sock;
109 | This path has to be changed in the ospd.conf file. Solution was to implement commands
110 | on startup to set default values in ospd.conf
111 | 
112 | Have to manually change scanner pid path on existing scanner if upgraded from GVM 11;
113 | on portainer, use command shell as user abc:
114 | ```
115 | gvmd --get-scanners
116 | gvmd --modify-scanner=<UUID> --scanner-host=/var/run/ospd/ospd.sock
117 | ```
118 | 
119 | --------------------------------------------------------------------------------
120 | 
121 | Copyright 2020
122 | 
123 | Matthew C. Jones, CPA, CISA, OSCP, CCFE
124 | 
125 | IS Audits & Consulting, LLC - <http://www.isaudits.com/>
126 | 
127 | TJS Deemer Dana LLP - <http://www.tjsdd.com/>
128 | 
129 | --------------------------------------------------------------------------------
130 | 
131 | Except as otherwise specified:
132 | 
133 | This program is free software: you can redistribute it and/or modify it under
134 | the terms of the GNU General Public License as published by the Free Software
135 | Foundation, either version 3 of the License, or (at your option) any later
136 | version.
137 | 
138 | This program is distributed in the hope that it will be useful, but WITHOUT ANY
139 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
140 | PARTICULAR PURPOSE. See the GNU General Public License for more details.
141 | 
142 | You should have received a copy of the GNU General Public License along with
143 | this program. If not, see <http://www.gnu.org/licenses/>.


--------------------------------------------------------------------------------