├── README.md
├── add-email-reports-o365.sh
├── openvas-install.sh
├── openvas-upgrade.sh
├── prepare-smb-cred-scan.ps1
└── update-certificates.sh

/README.md:
--------------------------------------------------------------------------------
# Greenbone OpenVAS Scanner Build & Upgrade Scripts

### 📦 Auto install link
(Do NOT run scripts as root, they will prompt for sudo)
```bash
wget https://raw.githubusercontent.com/itiligent/Easy-OpenVAS-Installer/main/openvas-install.sh && chmod +x openvas-install.sh && ./openvas-install.sh
```

### 📦 Auto upgrade link
```bash
wget https://raw.githubusercontent.com/itiligent/Easy-OpenVAS-Installer/main/openvas-upgrade.sh && chmod +x openvas-upgrade.sh && ./openvas-upgrade.sh
```

##### 💻 Note: On low power systems cached sudo credentials may time out and re-prompt

---

### 📋 Prerequisites

#### Script defaults will build OpenVAS from the latest GitHub release source
- **Supported OS:**
  - **Debian 12.x Stable | Ubuntu 24.x LTS | Raspbian Bookworm**
- **Required packages**:
  - curl & sudo
- **Hardware**:
  - Minimum 8GB RAM
  - Minimum 80GB Storage
- **Network**:
  - IPv6 must be enabled
  - Avoid multiple NICs
- **Permissions**:
  - Run the script as a user with sudo rights, do not run as root. 🛡️
- **Optional**:
  - A private DNS entry for HTTPS console access
  - Email PDF scan reports.
    - Requires an O365 email-enabled account & email relay permitted from the scanner's IP address

---

### 📖 Controlling The Build Version
Both the install and upgrade scripts check GitHub for the latest release of each module. Specific package versions can be forced by editing the `FORCE PACKAGE VERSIONS` section at the top of each script.

- _**If forcing specific packages, you must run the edited script manually and not from the auto-link above.**_

---

### 📧 Adding Email Reporting To Community Edition
*(Normally a pro version feature)*

The install script adds the Postfix MTA to enable OpenVAS email reporting capabilities. Configure the included template script `add-email-reports-o365.sh` with your own O365 app password & mail relay configuration.

---

### ⬆️ Upgrading & Updating OpenVAS

- A CVE feed update is scheduled by the installer once daily at a random time. This can be adjusted via cron.
- To upgrade all OpenVAS packages to the latest releases, run `openvas-upgrade.sh` from the link above, or edit the script to upgrade to specific versions.

- _**If forcing specific packages, you must run the edited script manually and not from the auto-link above.**_

---

### 🔒 HTTPS Web Console Access

The install script automatically configures an HTTP redirect to port 443 and creates TLS certificates based on options in the `CUSTOM CONFIG SETTINGS` section.

Instructions for importing browser certificates into Windows and Linux clients (to avoid browser HTTPS warnings) are provided on-screen when the install script completes.

If you wish to change the scanner's DNS name or IP address, or to renew certificates, run `update-certificates.sh`.

---

### 💻 Authenticated Scans Against Windows Hosts

To scan Windows hosts using SMB authentication:

1. Use the PowerShell script `prepare-smb-cred-scan.ps1` to set up Windows systems for SMB credential scanning.
2. Create a GVM service account and add it to the local Administrators group on each host (ensure it is not a built-in Windows account).
3. In the management console, configure a new credentials object with the above service account details.
4. Add Windows hosts to a new scan target and assign the credentials object under _**Credentials for authenticated checks.**_
5. Create and run or schedule a scan task for the target(s).

--------------------------------------------------------------------------------
/add-email-reports-o365.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#######################################################################################################################
# SMTP relay with Office 365 Setup
# For Ubuntu / Debian / Raspbian
# David Harrop
# April 2023
#######################################################################################################################

# Prerequisites:
# An Office 365 account with a mailbox (NON ADMIN!!)
# An app password created for the above Office 365 user at https://mysignins.microsoft.com/security-info
# SMTP Auth enabled for that user under "manage mail apps" in the Office 365 admin centre

# Prepare text output colours
GREY='\033[0;37m'
LRED='\033[0;91m'
LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
CYAN='\033[0;36m' # Used by the messages below (was referenced but never defined)
NC='\033[0m' #No Colour

clear

SENDER=$SUDO_USER
SERVER=$(uname -n)
DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/search[[:space:]]//')

if ! [ "$(id -u)" = 0 ]; then
    echo
    echo -e "${CYAN}Please run this script as sudo or root${NC}" 1>&2
    exit 1
fi

echo
echo -e "${LYELLOW}SMTP relay for Office365 setup...${NC}"

# Install Postfix
echo
echo -e "${GREY}Installing Postfix with non-interactive defaults..."
sudo apt update -qq >/dev/null 2>&1
DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y >/dev/null 2>&1
if [ $? -ne 0 ]; then
    echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2
    exit 1
else
    echo -e "${LGREEN}OK${GREY}"
fi

# Get the Office365 smtp authentication credentials
echo
echo -e "${LYELLOW}An Office365 email account is needed for SMTP relay authentication...${NC}"
echo
read -p "Enter O365 SMTP auth enabled email : " SMTP_EMAIL
read -s -p "Enter the SMTP auth account 'app password': " APP_PWD
echo
echo

# Remove some default Postfix config items that conflict with new entries
sudo sed -i '/relayhost/d' /etc/postfix/main.cf
sudo sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf

# For simple relay outbound only, limit Postfix to just loopback and IPv4
sudo sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
sudo sed -i "s/inet_protocols = all/inet_protocols = ipv4/g" /etc/postfix/main.cf

echo -e "${GREY}Configuring Postfix for O365 SMTP relay and TLS auth..."
# Add the new Office365 SMTP auth with TLS settings
cat <<EOF | sudo tee -a /etc/postfix/main.cf >/dev/null 2>&1
relayhost = [smtp.office365.com]:587
smtp_use_tls = yes
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
if [ $? -ne 0 ]; then
    echo -e "${LRED}Writing the Postfix relay config failed. ${GREY}" 1>&2
    exit 1
else
    echo -e "${LGREEN}OK${GREY}"
    echo
fi

# Setup the password file and postmap
sudo touch /etc/postfix/sasl_passwd
cat <<EOF | sudo tee -a /etc/postfix/sasl_passwd >/dev/null 2>&1
[smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD}
EOF
sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 0600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

# Setup the generic map file
sudo touch /etc/postfix/generic
cat <<EOF | sudo tee -a /etc/postfix/generic >/dev/null 2>&1
root@${SERVER} ${SMTP_EMAIL}
${SENDER}@${SERVER} ${SMTP_EMAIL}
@${DOMAIN_SEARCH_SUFFIX} ${SMTP_EMAIL}
EOF
sudo chown root:root /etc/postfix/generic
sudo chmod 0600 /etc/postfix/generic
sudo postmap /etc/postfix/generic

# Restart and test
echo -e "${GREY}Restarting Postfix..."
sudo service postfix restart
if [ $? -ne 0 ]; then
    echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2
    exit 1
else
    echo -e "${LGREEN}OK${GREY}"
fi

echo
read -p "Enter an email address to test that email relay is working : " TEST_EMAIL
echo "This is a test email" | mail -s "SMTP Auth Relay Is Working" ${TEST_EMAIL} -a "FROM:${SMTP_EMAIL}"
echo -e "${CYAN}Test message sent.."
echo -e ${NC}

--------------------------------------------------------------------------------
/openvas-install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#########################################################################################################################
# Greenbone Vulnerability Manager appliance build & install script
# Multi-distro support for Ubuntu, Debian & Raspbian
# David Harrop
# January 2025
#########################################################################################################################

#########################################################################################################################
# EDIT THIS SECTION ONLY: All custom settings & dependency mgmt between distros is handled in this section ##############
#########################################################################################################################

## CUSTOM CONFIG SETTINGS ##
DEFAULT_ADMIN_USER="admin"    # Set the GVM default admin account username
DEFAULT_ADMIN_PASS="password" # Set the GVM default admin account password
SERVER_NAME=""                # Preferred server hostname (installer will prompt if left blank)
LOCAL_DOMAIN=""               # Local DNS suffix (defaults to hostname.dns-suffix if left blank)
CERT_DOMAIN=""                # TLS certificate dns domain (defaults to hostname.dns-suffix if left blank)
CERT_COUNTRY="AU"             # For RSA SSL cert, 2 character country code only, must not be blank
CERT_STATE="Victoria"         # For RSA SSL cert, Optional to change, must not be blank
CERT_LOCATION="Melbourne"     # For RSA SSL cert, Optional to change, must not be blank
CERT_ORG="Itiligent"          # For RSA SSL cert, Optional to change, must not be blank
CERT_OU="SecOps"              # For RSA SSL cert, Optional to change, must not be blank
CERT_DAYS="3650"              # For RSA SSL cert, number of days until self signed certificate expiry
KEYSIZE=2048                  # RSA certificate encryption strength

## FORCE PACKAGE VERSIONS or use blank "" to automatically download latest
FORCE_GVM_LIBS_VERSION=""        # see https://github.com/greenbone/gvm-libs
FORCE_GVMD_VERSION=""            # see https://github.com/greenbone/gvmd
FORCE_PG_GVM_VERSION=""          # see https://github.com/greenbone/pg-gvm
FORCE_GSA_VERSION=""             # see https://github.com/greenbone/gsa
FORCE_GSAD_VERSION=""            # see https://github.com/greenbone/gsad
FORCE_OPENVAS_SMB_VERSION=""     # see https://github.com/greenbone/openvas-smb
FORCE_OPENVAS_SCANNER_VERSION="" # see https://github.com/greenbone/openvas-scanner
FORCE_OSPD_OPENVAS_VERSION=""    # see https://github.com/greenbone/ospd-openvas
FORCE_OPENVAS_DAEMON=$FORCE_OPENVAS_SCANNER_VERSION # Uses same source as scanner

## POSTGRESQL VERSION MANAGEMENT ##
source /etc/os-release
OFFICIAL_POSTGRESQL="false" # Default = false, true = force official PostgreSQL source repo
case "${VERSION_CODENAME,,}" in
    *bookworm*)
        OFFICIAL_POSTGRESQL="false"
        POSTGRESQL="postgresql postgresql-server-dev-15"
        ;;
    *noble*|*trixie*)
        OFFICIAL_POSTGRESQL="false"
        POSTGRESQL="postgresql postgresql-server-dev-16"
        ;;
    *)
        OFFICIAL_POSTGRESQL="true" # Default to official source if no distro match
        POSTGRESQL="postgresql-16 postgresql-server-dev-16"
        ;;
esac

## DEPENDENCY MANAGEMENT (Any changes here must be replicated in the upgrade script)
# common
COMMON_DEPS="sudo apt-get install --no-install-recommends --assume-yes build-essential curl cron cmake pkg-config python3 python3-pip gnupg wget sudo gnupg2 ufw htop git && sudo DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -y && sudo service postfix restart"

# gvm-libs
GVMLIBS_DEPS="sudo apt-get install -y libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev libxml2-dev libpcap-dev libnet1-dev libpaho-mqtt-dev libldap2-dev libradcli-dev doxygen xmltoman graphviz libcjson-dev lcov libcurl4-gnutls-dev libgcrypt-dev"
# extras above greenbone docs: doxygen xmltoman graphviz libcjson-dev lcov (libcurl4-openssl-dev or libcurl4-gnutls-dev) libgcrypt-dev

# gvmd
GVMD_DEPS1="sudo apt-get install -y libglib2.0-dev libgnutls28-dev libpq-dev ${POSTGRESQL} libical-dev xsltproc rsync libbsd-dev libgpgme-dev libcjson-dev" # extras above greenbone docs: libcjson-dev
GVMD_DEPS2="sudo apt-get install -y --no-install-recommends texlive-latex-extra texlive-fonts-recommended xmlstarlet zip rpm fakeroot dpkg nsis gnupg gpgsm wget sshpass openssh-client socat snmp python3 smbclient python3-lxml gnutls-bin xml-twig-tools" # extras above greenbone docs: xml-twig-tools

# pg-gvm
PGGVM_DEPS="sudo apt-get install -y libglib2.0-dev libical-dev ${POSTGRESQL}"

# gsad
GSAD_DEPS="sudo apt-get install -y libmicrohttpd-dev libxml2-dev libglib2.0-dev libgnutls28-dev libbrotli-dev doxygen xmltoman" # extras above greenbone docs: libbrotli-dev doxygen xmltoman

# openvas-smb
OPENVASSMB_DEPS="sudo apt-get install -y gcc-mingw-w64 libgnutls28-dev libglib2.0-dev libpopt-dev libunistring-dev heimdal-multidev perl-base" # extras above greenbone docs: substituted heimdal-dev for heimdal-multidev

# openvas-scanner
OPENVASSCAN_DEPS="sudo apt-get install -y bison libglib2.0-dev libgnutls28-dev libgcrypt20-dev libpcap-dev libgpgme-dev libksba-dev rsync nmap libjson-glib-dev libcurl4-gnutls-dev libbsd-dev python3-impacket libsnmp-dev pandoc pnscan krb5-multidev" # extras above greenbone docs: pandoc pnscan krb5-multidev

# ospd-openvas
OSPD_DEPS="sudo apt-get install -y python3 python3-pip python3-setuptools python3-packaging python3-wrapt python3-cffi python3-psutil python3-lxml python3-defusedxml python3-paramiko python3-redis python3-gnupg python3-paho-mqtt"

# greenbone-feed-sync
FEED_DEPS="sudo apt-get install -y python3 python3-pip"

# gvm-tools
GVMTOOLS_DEPS="sudo apt-get install -y python3 python3-pip python3-venv python3-setuptools python3-packaging python3-lxml python3-defusedxml python3-paramiko"

# redis
REDIS_DEPS="sudo apt-get install -y redis-server"

# openvasd (Any changes here must be replicated in the upgrade script)
case "${VERSION_CODENAME,,}" in
    *bookworm*|*noble*|*trixie*) # Options to handle various distros
        OPENVASD_DEPS="curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && sudo apt-get install -y -qq pkg-config libssl-dev"
        SOURCE_CARGO_ENV=". \"$HOME/.cargo/env\""
        ;;
    *) # Default to this if no distro match
        OPENVASD_DEPS="curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && sudo apt-get install -y -qq pkg-config libssl-dev"
        SOURCE_CARGO_ENV=". \"$HOME/.cargo/env\"" # No specific action for other codenames either
        ;;
esac

## PIP INSTALL MANAGEMENT ## (Any changes here must be replicated in the upgrade script)
# Bookworm
if [[ "${VERSION_CODENAME,,}" == *"bookworm"* ]]; then
    PIP_SUDO_OSPD=""                        # add "sudo" to ospd install cmd
    PIP_SUDO_FEED=""                        # add "sudo" to greenbone-feed-updates install cmd
    PIP_SUDO_TOOLS=""                       # add "sudo" to gvm-tools install cmd
    PIP_OPTIONS="--no-warn-script-location" # pip install arguments
    PIP_UNINSTALL="--break-system-packages" # pip uninstall arguments
# Ubuntu 23.04 & 24.04
elif [[ "${VERSION_CODENAME,,}" == *"noble"* ]]; then
    PIP_SUDO_OSPD="sudo"
    PIP_SUDO_FEED=""
    PIP_SUDO_TOOLS=""
    PIP_OPTIONS="--no-warn-script-location"
    PIP_UNINSTALL="--break-system-packages"
else
    # All other distros
    PIP_SUDO_OSPD=""
    PIP_SUDO_FEED=""
    PIP_SUDO_TOOLS=""
    PIP_OPTIONS="--no-warn-script-location"
    PIP_UNINSTALL="--break-system-packages"
fi

#########################################################################################################################
# Start of script actions - NO NEED TO EDIT BELOW THIS POINT ############################################################
#########################################################################################################################

# Set colours
GREY='\033[0;37m'
GREYB='\033[1;37m'
LGREEN='\033[0;92m'
LGREENB='\033[1;92m'
LRED='\033[0;91m'
LPURPLE='\033[0;95m'
LPURPLEB='\033[1;95m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour

# Make sure the user is NOT running this script as root
if [[ $EUID -eq 0 ]]; then
    echo
    echo -e "${LRED}This script must NOT be run as root, it will prompt for sudo when needed." 1>&2
    echo -e ${NC}
    exit 1
fi

# Check if sudo is installed. (Debian does not always include sudo by default.)
if ! command -v sudo &> /dev/null; then
    echo -e "${LRED}The sudo package is not installed. Please install sudo."
    echo -e ${NC}
    exit 1
fi

# Make sure the user running this script is a member of the sudo group
if ! id -nG "$USER" | grep -qw "sudo"; then
    echo
    echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group & be granted sudo privileges to run this script.${NC}" 1>&2
    exit 1
fi

clear

# Script branding header
echo
echo -e "${GREYB} Itiligent GVM/OpenVAS Appliance Builder"
echo -e " ${LGREENB}Powered by Greenbone${GREY}"
echo
echo

# Set global variables & paths
export INSTALL_PREFIX=/usr/local
export PATH=$PATH:$INSTALL_PREFIX/sbin
export SOURCE_DIR=$HOME/source
export BUILD_DIR=$HOME/build
export INSTALL_DIR=$HOME/install

# Get the default route interface IP address as we need this for TLS certificate creation later
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)

# An initial dns suffix is needed as a starting value for the script prompts.
get_domain_suffix() {
    echo "$1" | awk '{print $2}'
}
# Search for "search" & "domain" entries in /etc/resolv.conf
search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf)
domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf)
# Check if both "search" & "domain" lines exist
if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then
    # Both "search" & "domain" lines exist, extract the domain suffix from both
    search_suffix=$(get_domain_suffix "$search_line")
    domain_suffix=$(get_domain_suffix "$domain_line")
    # Use the shorter of the two suffixes
    if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then
        DOMAIN_SUFFIX=$search_suffix
    else
        DOMAIN_SUFFIX=$domain_suffix
    fi
elif [[ -n "$search_line" ]]; then
    # If only "search" line exists
    DOMAIN_SUFFIX=$(get_domain_suffix "$search_line")
elif [[ -n "$domain_line" ]]; then
    # If only "domain" line exists
    DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line")
else
    # If no "search" or "domain" lines found
    DOMAIN_SUFFIX="local"
fi

# GVM user setup & use this action to trigger our initial sudo prompt
sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm
sudo usermod -aG gvm $USER

# Fix Python externally managed errors
python_version_dir=$(python3 --version 2>&1 | grep -oP '\d+\.\d+' | head -n 1)
py_file="/usr/lib/python${python_version_dir}/EXTERNALLY-MANAGED"
# Check if the file exists and rename it if it does
if [ -f "$py_file" ]; then
    sudo mv "$py_file" "${py_file}.old"
fi

# Clean up anything from a previously halted install
sudo systemctl stop gsad gvmd ospd-openvas openvasd &>/dev/null
yes | sudo python3 -m pip uninstall ${PIP_UNINSTALL} ospd-openvas greenbone-feed-sync gvm-tools &>/dev/null
cd ~
sudo rm -rf $SOURCE_DIR &>/dev/null
sudo rm -rf $INSTALL_DIR &>/dev/null
sudo rm -rf $BUILD_DIR &>/dev/null
sudo rm -f /etc/openvas/openvas.conf &>/dev/null
sudo rm -f /etc/redis/redis-openvas.conf &>/dev/null
sudo sed -i '/gvm/d' /etc/sudoers &>/dev/null

# Create build directories
mkdir -p $SOURCE_DIR
mkdir -p $BUILD_DIR
mkdir -p $INSTALL_DIR
echo

#########################################################################################################################
# Install menu prompts ##################################################################################################
#########################################################################################################################

# Consistent /etc/hosts & domain suffix values are needed for TLS implementation. The below approach allows the user
# to either hit enter at the prompt to keep current hostname & DNS values, or enter new values for both.

# Ensure SERVER_NAME is consistent with local host entries
if [[ -z ${SERVER_NAME} ]]; then
    echo -e "${LPURPLEB} Update Linux system HOSTNAME? [Enter to keep: ${HOSTNAME}]${GREYB}"
    read -p " Enter Linux hostname : " SERVER_NAME
    # If hit enter making no SERVER_NAME change, assume the existing hostname as current
    if [[ "${SERVER_NAME}" = "" ]]; then
        SERVER_NAME=$HOSTNAME
    fi
    echo
    # A SERVER_NAME was derived via the prompt
    # Apply the SERVER_NAME value & remove & update any old 127.0.1.1 localhost references
    $(sudo hostnamectl set-hostname $SERVER_NAME &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i '/127.0.1.1/d' /etc/hosts &>>/dev/null
    echo '127.0.1.1 '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
else
    echo
    # A SERVER_NAME value was derived from a pre-set script variable
    # Apply the SERVER_NAME value & remove & update any old 127.0.1.1 localhost references
    $(sudo hostnamectl set-hostname $SERVER_NAME &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i '/127.0.1.1/d' /etc/hosts &>>/dev/null
    echo '127.0.1.1 '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
fi

# Ensure LOCAL_DOMAIN suffix & localhost entries are consistent
if [[ -z ${LOCAL_DOMAIN} ]]; then
    echo -e "${LPURPLEB} Update Linux LOCAL DNS SUFFIX [Enter to keep: ${SERVER_NAME}.${DOMAIN_SUFFIX}]${GREYB}"
    read -p " Complete this local domain suffix: $SERVER_NAME." LOCAL_DOMAIN
    # If hit enter making no LOCAL_DOMAIN name change, assume the existing domain suffix as current
    if [[ "${LOCAL_DOMAIN}" = "" ]]; then
        LOCAL_DOMAIN=$DOMAIN_SUFFIX
    fi
    echo
    # A LOCAL_DOMAIN value was derived via the prompt
    # Remove any old localhost & resolv file values & update these with the new LOCAL_DOMAIN value
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts
    sudo sed -i '/domain/d' /etc/resolv.conf
    sudo sed -i '/search/d' /etc/resolv.conf
    # Refresh the /etc/hosts file with the server name & new local domain value
    echo ''${DEFAULT_IP}' '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    # Refresh /etc/resolv.conf with new domain & search suffix values
    echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
else
    echo
    # A LOCAL_DOMAIN value was derived from a pre-set script variable
    # Remove any old localhost & resolv file values & update these with the new LOCAL_DOMAIN value
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts
    sudo sed -i '/domain/d' /etc/resolv.conf
    sudo sed -i '/search/d' /etc/resolv.conf
    # Refresh the /etc/hosts file with the server name & new local domain value
    echo ''${DEFAULT_IP}' '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    # Refresh /etc/resolv.conf with new domain & search suffix values
    echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
fi

# Now that $SERVER_NAME & $LOCAL_DOMAIN values are updated, both values are merged to create
# a local FQDN value (used in the default TLS certificate config & file name)
DEFAULT_FQDN=$SERVER_NAME.$LOCAL_DOMAIN

# If the TLS domain name is not manually overridden at the prompt, keep the default FQDN as the TLS domain name
if [ -z "${CERT_DOMAIN}" ]; then
    CERT_DOMAIN="${DEFAULT_FQDN}"
fi

echo -e "${LPURPLEB} GVM web console admin account name [Enter to use: ${DEFAULT_ADMIN_USER}]${GREYB}"
# Prompt for management console admin account username
read -r -p " Enter admin account name: " admin_user
ADMIN_USER=${admin_user:-$DEFAULT_ADMIN_USER}

# Secure prompt for password with confirmation
while true; do
    read -r -s -p " Enter admin user password: " password
    echo
    read -r -s -p " Confirm admin user password: " password_confirm
    echo
    if [ "${password}" == "${password_confirm}" ]; then
        ADMIN_PASS=${password:-$DEFAULT_ADMIN_PASS}
        break
    else
        echo " Passwords do not match. Please try again."
        echo
    fi
done

echo
echo -e "${LGREEN}###############################################################################"
echo -e " Updating Linux OS"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
352 | local delay=0.1 353 | local spinstr='|/-\' 354 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 355 | local temp=${spinstr#?} 356 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 357 | local spinstr=$temp${spinstr%"$temp"} 358 | sleep $delay 359 | printf "\b\b\b\b\b\b" 360 | done 361 | printf "\b\b\b\b\b\b" 362 | printf " " 363 | printf "\b\b\b\b\b\b" 364 | echo -ne "\r" 365 | } 366 | ( 367 | # Update Linux base 368 | sudo apt-get update &>/dev/null 369 | sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade -qq 370 | 371 | # Add the official Postgresql source repo 372 | if [[ "${OFFICIAL_POSTGRESQL}" == "true" ]]; then 373 | sudo apt-get -y install lsb-release &>/dev/null 374 | sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' 375 | sudo wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.asc >/dev/null 376 | sudo apt-get update -qq &>/dev/null 377 | fi 378 | ) & 379 | spin 380 | echo 381 | echo "Linux updated successfully...." 382 | 383 | echo 384 | echo -e "${LGREEN}###############################################################################" 385 | echo -e " Installing common dependencies" 386 | echo -e "###############################################################################${NC}" 387 | echo 388 | spin() { 389 | local pid=$! 
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $COMMON_DEPS &>/dev/null
    # Import the Greenbone Community Signing Key
    curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
    gpg --import /tmp/GBCommunitySigningKey.asc
    echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | gpg --import-ownertrust
) &
spin
echo
echo -e "Common dependencies installed successfully..."

echo
echo -e "${LGREEN}###############################################################################"
echo -e " Checking latest OpenVAS GitHub releases - edit script to force a version"
echo -e "###############################################################################${NC}"
echo
# Check for the latest OpenVAS release tags from GitHub
get_latest_release() {
    curl --silent "https://api.github.com/repos/$1/releases/latest" | # Get latest release from GitHub API
        grep '"tag_name":' |                                          # Get tag line
        sed -E 's/.*"v?([^"]+)".*/\1/'                                # Extract version
}

# Determine the relevant GitHub repos
declare -A repos=(
    ["GVM_LIBS_VERSION"]="greenbone/gvm-libs"
    ["GVMD_VERSION"]="greenbone/gvmd"
    ["PG_GVM_VERSION"]="greenbone/pg-gvm"
    ["GSA_VERSION"]="greenbone/gsa"
    ["GSAD_VERSION"]="greenbone/gsad"
    ["OPENVAS_SMB_VERSION"]="greenbone/openvas-smb"
    ["OPENVAS_SCANNER_VERSION"]="greenbone/openvas-scanner"
    ["OSPD_OPENVAS_VERSION"]="greenbone/ospd-openvas"
)

echo -e " ${LGREEN}Latest OpenVAS package releases available:${NC}"
# Get latest OpenVAS versions
for version in "${!repos[@]}"; do
    latest_version=$(get_latest_release "${repos[$version]}")
    # Accept only a plain dotted version number: the value is interpolated into variable names, download URLs and paths,
    # so an empty or unexpected API response (rate limit message, moved repo) must stop the script here
    if [[ ! $latest_version =~ ^[0-9]+(\.[0-9]+)+$ ]]; then
        echo -e "${LRED}Failed to retrieve a valid latest version for ${repos[$version]}. Exiting.${NC}"
        exit 1
    fi
    export $version=$latest_version
    echo "  $version=$latest_version"
done

# openvasd uses the same repo as scanner
export OPENVAS_DAEMON=$OPENVAS_SCANNER_VERSION
echo "  OPENVAS_DAEMON=$OPENVAS_SCANNER_VERSION"

# Check for any version overrides
echo
if [[ -n $FORCE_GVM_LIBS_VERSION || -n $FORCE_GVMD_VERSION || -n $FORCE_PG_GVM_VERSION || -n $FORCE_GSA_VERSION ||
      -n $FORCE_GSAD_VERSION || -n $FORCE_OPENVAS_SMB_VERSION || -n $FORCE_OPENVAS_SCANNER_VERSION ||
      -n $FORCE_OSPD_OPENVAS_VERSION || -n $FORCE_OPENVAS_DAEMON ]]; then
    echo -e "${LGREEN} The following package version(s) are manually forced:${NC}"
fi

if [[ -n $FORCE_GVM_LIBS_VERSION ]]; then
    GVM_LIBS_VERSION=$FORCE_GVM_LIBS_VERSION
    echo -e "${LYELLOW}  GVM_LIBS_VERSION=$FORCE_GVM_LIBS_VERSION${NC}"
fi
if [[ -n $FORCE_GVMD_VERSION ]]; then
    GVMD_VERSION=$FORCE_GVMD_VERSION
    echo -e "${LYELLOW}  GVMD_VERSION=$FORCE_GVMD_VERSION${NC}"
fi
if [[ -n $FORCE_PG_GVM_VERSION ]]; then
    PG_GVM_VERSION=$FORCE_PG_GVM_VERSION
    echo -e "${LYELLOW}  PG_GVM_VERSION=$FORCE_PG_GVM_VERSION${NC}"
fi
if [[ -n $FORCE_GSA_VERSION ]]; then
    GSA_VERSION=$FORCE_GSA_VERSION
    echo -e "${LYELLOW}  GSA_VERSION=$FORCE_GSA_VERSION${NC}"
fi
if [[ -n $FORCE_GSAD_VERSION ]]; then
    GSAD_VERSION=$FORCE_GSAD_VERSION
    echo -e "${LYELLOW}  GSAD_VERSION=$FORCE_GSAD_VERSION${NC}"
fi
if [[ -n $FORCE_OPENVAS_SMB_VERSION ]]; then
    OPENVAS_SMB_VERSION=$FORCE_OPENVAS_SMB_VERSION
    echo -e "${LYELLOW}  OPENVAS_SMB_VERSION=$FORCE_OPENVAS_SMB_VERSION${NC}"
fi
if [[ -n $FORCE_OPENVAS_SCANNER_VERSION ]]; then
    OPENVAS_SCANNER_VERSION=$FORCE_OPENVAS_SCANNER_VERSION
    echo -e "${LYELLOW}  OPENVAS_SCANNER_VERSION=$FORCE_OPENVAS_SCANNER_VERSION${NC}"
fi
if [[ -n $FORCE_OSPD_OPENVAS_VERSION ]]; then
    OSPD_OPENVAS_VERSION=$FORCE_OSPD_OPENVAS_VERSION
    echo -e "${LYELLOW}  OSPD_OPENVAS_VERSION=$FORCE_OSPD_OPENVAS_VERSION${NC}"
fi
if [[ -n $FORCE_OPENVAS_DAEMON ]]; then
    OPENVAS_DAEMON=$FORCE_OPENVAS_DAEMON
    echo -e "${LYELLOW}  OPENVAS_DAEMON=$FORCE_OPENVAS_DAEMON${NC}"
fi

echo
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing gvm-libs $GVM_LIBS_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $GVMLIBS_DEPS &>/dev/null
) &
spin
echo "gvm-libs dependencies installed successfully..."
echo

# Download the gvm-libs sources
export GVM_LIBS_VERSION=$GVM_LIBS_VERSION
curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gvm-libs/releases/download/v$GVM_LIBS_VERSION/gvm-libs-v$GVM_LIBS_VERSION.tar.gz.asc -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc
# Fail closed: the script does not use set -e, so a bad or missing signature must stop the build explicitly
gpg --verify $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for gvm-libs-$GVM_LIBS_VERSION. Exiting.${NC}"; exit 1; }

# Build gvm-libs
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz
mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs
cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DSYSCONFDIR=/etc \
    -DLOCALSTATEDIR=/var
make -j$(nproc)

# Install gvm-libs
mkdir -p $INSTALL_DIR/gvm-libs
make DESTDIR=$INSTALL_DIR/gvm-libs install
sudo cp -rv $INSTALL_DIR/gvm-libs/* /

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing gvmd $GVMD_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $GVMD_DEPS1 &>/dev/null
    eval $GVMD_DEPS2 &>/dev/null
) &
spin
echo "gvmd dependencies installed successfully..."
echo

# Download the gvmd sources
export GVMD_VERSION=$GVMD_VERSION
curl -f -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gvmd/releases/download/v$GVMD_VERSION/gvmd-$GVMD_VERSION.tar.gz.asc -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for gvmd-$GVMD_VERSION. Exiting.${NC}"; exit 1; }

# Build gvmd
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd
cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DLOCALSTATEDIR=/var \
    -DSYSCONFDIR=/etc \
    -DGVM_DATA_DIR=/var \
    -DGVMD_RUN_DIR=/run/gvmd \
    -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \
    -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \
    -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \
    -DLOGROTATE_DIR=/etc/logrotate.d
make -j$(nproc)

# Install gvmd
mkdir -p $INSTALL_DIR/gvmd
make DESTDIR=$INSTALL_DIR/gvmd install
sudo cp -rv $INSTALL_DIR/gvmd/* /
cat << EOF > $BUILD_DIR/gvmd.service
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
PIDFile=/run/gvmd/gvmd.pid
RuntimeDirectory=gvmd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/sbin/gvmd --foreground --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
EOF
sudo cp -v $BUILD_DIR/gvmd.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable gvmd

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing pg-gvm $PG_GVM_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $PGGVM_DEPS &>/dev/null
) &
spin
echo "pg-gvm dependencies installed successfully..."
echo

# Download the pg-gvm sources
export PG_GVM_VERSION=$PG_GVM_VERSION
curl -f -L https://github.com/greenbone/pg-gvm/archive/refs/tags/v$PG_GVM_VERSION.tar.gz -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz
curl -f -L https://github.com/greenbone/pg-gvm/releases/download/v$PG_GVM_VERSION/pg-gvm-$PG_GVM_VERSION.tar.gz.asc -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for pg-gvm-$PG_GVM_VERSION. Exiting.${NC}"; exit 1; }

# Build pg-gvm
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz
mkdir -p $BUILD_DIR/pg-gvm && cd $BUILD_DIR/pg-gvm
cmake $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \
    -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)

# Install pg-gvm
mkdir -p $INSTALL_DIR/pg-gvm
make DESTDIR=$INSTALL_DIR/pg-gvm install
sudo cp -rv $INSTALL_DIR/pg-gvm/* /

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing gsa $GSA_VERSION"
echo -e "###############################################################################${NC}"
echo
export GSA_VERSION=$GSA_VERSION
curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for gsa-$GSA_VERSION. Exiting.${NC}"; exit 1; }

# Extract & install gsa
echo
mkdir -p $SOURCE_DIR/gsa-$GSA_VERSION
tar -C $SOURCE_DIR/gsa-$GSA_VERSION -xvzf $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
sudo mkdir -p $INSTALL_PREFIX/share/gvm/gsad/web/
sudo cp -rv $SOURCE_DIR/gsa-$GSA_VERSION/* $INSTALL_PREFIX/share/gvm/gsad/web/

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e "Building & installing gsad, adding certificates for https:443 console access"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $GSAD_DEPS &>/dev/null
) &
spin
echo "gsad dependencies installed successfully..."
echo

# Start TLS certificate creation - remove this for http only
DIR_TLS_CERT="/etc/gvm/certs"  # GVM default certificate location
DIR_TLS_KEY="/etc/gvm/private" # GVM default private key location
cd ~
sudo mkdir -p $DIR_TLS_KEY
sudo mkdir -p $DIR_TLS_CERT
sudo chmod -R 644 $DIR_TLS_CERT
# [gap: the certificate generation and gsad build steps are missing from this copy of the file]
cat << EOF > $BUILD_DIR/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=exec
#User=gvm
#Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=0.0.0.0 --foreground --drop-privileges=gvm --port=443 --rport=80 -c $DIR_TLS_CERT/$CERT_DOMAIN.crt -k $DIR_TLS_KEY/$CERT_DOMAIN.key
# ExecStart=/usr/local/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --http-only # Swap this line for http only. Change to 0.0.0.0 to bind with all interfaces
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOF
sudo cp -v $BUILD_DIR/gsad.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable gsad

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing openvas-smb $OPENVAS_SMB_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OPENVASSMB_DEPS &>/dev/null
) &
spin
echo "openvas-smb dependencies installed successfully..."
echo

# Download the openvas-smb sources
export OPENVAS_SMB_VERSION=$OPENVAS_SMB_VERSION
curl -f -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB_VERSION.tar.gz -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-smb/releases/download/v$OPENVAS_SMB_VERSION/openvas-smb-v$OPENVAS_SMB_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for openvas-smb-$OPENVAS_SMB_VERSION. Exiting.${NC}"; exit 1; }

# Build openvas-smb
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
mkdir -p $BUILD_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb
cmake $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)

# Install openvas-smb
mkdir -p $INSTALL_DIR/openvas-smb
make DESTDIR=$INSTALL_DIR/openvas-smb install
sudo cp -rv $INSTALL_DIR/openvas-smb/* /

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing openvas-scanner $OPENVAS_SCANNER_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OPENVASSCAN_DEPS &>/dev/null
) &
spin
echo "openvas-scanner dependencies installed successfully..."
echo

# Download openvas-scanner sources
export OPENVAS_SCANNER_VERSION=$OPENVAS_SCANNER_VERSION
curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_SCANNER_VERSION/openvas-scanner-v$OPENVAS_SCANNER_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for openvas-scanner-$OPENVAS_SCANNER_VERSION. Exiting.${NC}"; exit 1; }

# Build openvas-scanner
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
mkdir -p $BUILD_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner
cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DINSTALL_OLD_SYNC_SCRIPT=OFF \
    -DSYSCONFDIR=/etc \
    -DLOCALSTATEDIR=/var \
    -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
    -DOPENVAS_RUN_DIR=/run/ospd
make -j$(nproc)

# Install openvas-scanner
mkdir -p $INSTALL_DIR/openvas-scanner
make DESTDIR=$INSTALL_DIR/openvas-scanner install
sudo cp -rv $INSTALL_DIR/openvas-scanner/* /
printf "table_driven_lsc = yes\n" | sudo tee /etc/openvas/openvas.conf
printf "openvasd_server = http://127.0.0.1:3000\n" | sudo tee -a /etc/openvas/openvas.conf

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing ospd-openvas $OSPD_OPENVAS_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OSPD_DEPS &>/dev/null
) &
spin
echo "ospd-openvas dependencies installed successfully..."
echo

# Download ospd-openvas sources
export OSPD_OPENVAS_VERSION=$OSPD_OPENVAS_VERSION
curl -f -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/ospd-openvas/releases/download/v$OSPD_OPENVAS_VERSION/ospd-openvas-v$OSPD_OPENVAS_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz ||
    { echo -e "${LRED}Signature check failed for ospd-openvas-$OSPD_OPENVAS_VERSION. Exiting.${NC}"; exit 1; }

# Install ospd-openvas
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION
mkdir -p $INSTALL_DIR/ospd-openvas
${PIP_SUDO_OSPD} python3 -m pip install --root=$INSTALL_DIR/ospd-openvas ${PIP_OPTIONS} .
sudo cp -rv $INSTALL_DIR/ospd-openvas/* /
cat << EOF > $BUILD_DIR/ospd-openvas.service
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service openvasd.service
Wants=redis-server@openvas.service openvasd.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770 --notus-feed-dir /var/lib/notus/advisories
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF
sudo cp -v $BUILD_DIR/ospd-openvas.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable ospd-openvas

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Building & installing openvasd $OPENVAS_DAEMON"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OPENVASD_DEPS &>/dev/null
) &
spin
eval "$SOURCE_CARGO_ENV"
echo "openvasd rust dependencies installed successfully..."
echo

# Download openvasd sources
echo
export OPENVAS_DAEMON=$OPENVAS_DAEMON
curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_DAEMON.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz
curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_DAEMON/openvas-scanner-v$OPENVAS_DAEMON.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc
# Fail closed on a bad or missing signature
gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz ||
    { echo -e "${LRED}Signature check failed for openvas-scanner-$OPENVAS_DAEMON (openvasd). Exiting.${NC}"; exit 1; }

# Install openvasd
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz
mkdir -p $INSTALL_DIR/openvasd/usr/local/bin
cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/src/openvasd
cargo build --release
cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/src/scannerctl
cargo build --release
sudo cp -v ../../target/release/openvasd $INSTALL_DIR/openvasd/usr/local/bin/
sudo cp -v ../../target/release/scannerctl $INSTALL_DIR/openvasd/usr/local/bin/
sudo cp -rv $INSTALL_DIR/openvasd/* /

# 23.9.0 and prior - build instructions reference previous source file paths
##cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/openvasd # 23.9.0 and prior
# cargo build --release
##cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/scannerctl # 23.9.0 and prior
# cargo build --release
##sudo cp -v ../target/release/scannerctl $INSTALL_DIR/openvasd/usr/local/bin/
##sudo cp -rv $INSTALL_DIR/openvasd/* /

cat << EOF > $BUILD_DIR/openvasd.service
[Unit]
Description=OpenVASD
Documentation=https://github.com/greenbone/openvas-scanner/tree/main/rust/openvasd
ConditionKernelCommandLine=!recovery
[Service]
Type=exec
User=gvm
RuntimeDirectory=openvasd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/bin/openvasd --mode service_notus --products /var/lib/notus/products --advisories /var/lib/notus/advisories --listening 127.0.0.1:3000
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
sudo cp -v $BUILD_DIR/openvasd.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable openvasd

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Setting up greenbone-feed-sync"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $FEED_DEPS &>/dev/null
) &
spin
echo "greenbone-feed-sync dependencies installed successfully..."
echo

# Install greenbone-feed-sync
mkdir -p $INSTALL_DIR/greenbone-feed-sync
${PIP_SUDO_FEED} python3 -m pip install --root=$INSTALL_DIR/greenbone-feed-sync ${PIP_OPTIONS} greenbone-feed-sync
sudo cp -rv $INSTALL_DIR/greenbone-feed-sync/* /

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Setting up gvm-tools"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $GVMTOOLS_DEPS &>/dev/null
) &
spin
echo "gvm-tools dependencies installed successfully..."
echo

# Install gvm-tools
mkdir -p $INSTALL_DIR/gvm-tools
${PIP_SUDO_TOOLS} python3 -m pip install --root=$INSTALL_DIR/gvm-tools ${PIP_OPTIONS} gvm-tools
sudo cp -rv $INSTALL_DIR/gvm-tools/* /

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Setting up the Redis data store"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep -w "$pid")" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $REDIS_DEPS &>/dev/null
) &
spin
echo "redis dependencies installed successfully..."
echo

# Configure redis
sudo cp $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION/config/redis-openvas.conf /etc/redis/
sudo chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" | sudo tee -a /etc/openvas/openvas.conf
sudo systemctl start redis-server@openvas.service
sudo systemctl enable redis-server@openvas.service
sudo usermod -aG redis gvm

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Setting up Postgres db, gvm file permissions & importing feed signature."
echo -e "###############################################################################${NC}"
echo
# Setup GVM directories & permissions
sudo mkdir -p /var/lib/notus
sudo mkdir -p /run/gvmd
sudo chown -R gvm:gvm /var/lib/gvm
sudo chown -R gvm:gvm /var/lib/openvas
sudo chown -R gvm:gvm /var/lib/notus
sudo chown -R gvm:gvm /var/log/gvm
sudo chown -R gvm:gvm /run/gvmd
sudo chmod -R g+srw /var/lib/gvm
sudo chmod -R g+srw /var/lib/openvas
sudo chmod -R g+srw /var/log/gvm

# Set gvmd executable permissions
sudo chown gvm:gvm /usr/local/sbin/gvmd
sudo chmod 6750 /usr/local/sbin/gvmd

# Import the update feed's digital signature
curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
export GNUPGHOME=/tmp/openvas-gnupg
mkdir -p $GNUPGHOME
gpg --import /tmp/GBCommunitySigningKey.asc
echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | gpg --import-ownertrust
export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg
sudo mkdir -p $OPENVAS_GNUPG_HOME
sudo cp -r /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/
sudo chown -R gvm:gvm $OPENVAS_GNUPG_HOME

# Set sudo permissions on the gvm service account
sudo sh -c "echo '%gvm ALL = NOPASSWD: /usr/local/sbin/openvas' >> /etc/sudoers"

# Set up the gvm PostgreSQL user & database
sudo -Hiu postgres createuser -DRS gvm
sudo -Hiu postgres createdb -O gvm gvmd
sudo -Hiu postgres psql gvmd -c "create role dba with superuser noinherit; grant dba to gvm;"
sudo ldconfig

# Create the GVM admin user
sudo /usr/local/sbin/gvmd --create-user=${ADMIN_USER} --password=${ADMIN_PASS}

# Set the GVM feed import owner to the GVM admin user
sudo /usr/local/sbin/gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value $(sudo /usr/local/sbin/gvmd --get-users --verbose | grep ${ADMIN_USER} | awk '{print $2}')

echo -e ${LGREEN}
# read -p "Press enter to continue" # (use this for debugging)
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Cleaning up build sources & setting firewall rules"
echo -e "###############################################################################${NC}"
echo
# Clean up GVM build files
cd ~
sudo rm -rf $SOURCE_DIR
sudo rm -rf $INSTALL_DIR
sudo rm -rf $BUILD_DIR
rm cert_attributes.txt
sudo rm -f /tmp/GBCommunitySigningKey.asc
sudo apt autoremove -qq -y
echo

# Update ufw rules & stop fw log chatter
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
echo "y" | sudo ufw enable >/dev/null
sudo ufw logging off

echo
echo -e "${LGREEN}###############################################################################"
echo -e " Setting up a random daily cron schedule for feed updates"
echo -e "###############################################################################${NC}"
echo
# Schedule a random daily feed update time
HOUR=$(shuf -i 0-23 -n 1)
MINUTE=$(shuf -i 0-59 -n 1)
sudo crontab -l >cron_1
# Remove any previously added feed update schedules
sudo sed -i '/greenbone-feed-sync/d' cron_1
echo "${MINUTE} ${HOUR} * * * /usr/local/bin/greenbone-feed-sync" >>cron_1
sudo crontab cron_1
rm cron_1
echo -e "Feed update scheduled daily at ${HOUR}:${MINUTE}"

echo
echo -e "${LGREEN}###############################################################################"
echo -e " A feed update is required before OpenVAS can start, THIS MAY TAKE A LONG TIME"
echo -e "###############################################################################${NC}"

# Update GVM & start the services
# This must be a one-liner because lengthy feed updates cause sudo credentials to time out before the script can finish.
# Also includes a privs fix because gsad is started with --drop-privileges (allowing binding to port 443); this results in gsad.log
# being initially created with the wrong privs on 1st startup.
echo
sudo bash -c '/usr/local/bin/greenbone-feed-sync; systemctl start ospd-openvas; systemctl start gvmd; systemctl start gsad; systemctl start openvasd; sleep 15; systemctl stop gsad; chown -R gvm:gvm /var/log/gvm; systemctl start gsad'

# Cheap hack to display in stdout client certificate configs (where special characters normally break cut/pasteable output)
SHOWASTEXT1='$mypwd'
SHOWASTEXT2='"Cert:\LocalMachine\Root"'

# Display custom instructions for browser client certificate import
echo
printf "${LGREEN}+#############################################################################################################
${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. Copy ${GREYB}$DIR_TLS_CERT/$CERT_DOMAIN.pfx${GREY} to a location accessible by Windows.
+ 2. Import the PFX file into your Windows client with the below Powershell commands (as Administrator):
\n"
# Inner quotes are escaped so they survive into the displayed PowerShell commands
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String \"1234\" -Force -AsPlainText"
echo -e "Import-PfxCertificate -FilePath $CERT_DOMAIN.pfx -Password ${SHOWASTEXT1} -CertStoreLocation ${SHOWASTEXT2}"
echo -e "(Clear your browser cache & restart your browser to test.)"
printf "${GREY}+-------------------------------------------------------------------------------------------------------------
${LGREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. Copy ${GREYB}$DIR_TLS_CERT/$CERT_DOMAIN.crt${GREY} to a location accessible by Linux.
+ 2. Import the CRT file into your Linux client certificate store with the below command (as sudo):
\n"
echo -e "mkdir -p \$HOME/.pki/nssdb && certutil -d \$HOME/.pki/nssdb -N"
echo -e "certutil -d sql:\$HOME/.pki/nssdb -A -t \"CT,C,c\" -n $CERT_DOMAIN -i $CERT_DOMAIN.crt"
printf "${LGREEN}+#############################################################################################################\n"

# Final change password message
echo
echo -e "${LGREEN}OpenVAS build complete\nManagement console = https://${CERT_DOMAIN} | username: ${ADMIN_USER} | password: ${ADMIN_PASS}\n${LPURPLEB} | You may change the admin password with:"
echo -e sudo /usr/local/sbin/gvmd --user=${DEFAULT_ADMIN_USER} --new-password=password
echo -e ${NC}

--------------------------------------------------------------------------------
/openvas-upgrade.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#########################################################################################################################
# Greenbone Vulnerability Manager appliance upgrade script
# Multi-distro support for Ubuntu, Debian & Raspbian
# David Harrop
# January 2025
#########################################################################################################################

#########################################################################################################################
# EDIT THIS SECTION ONLY: All custom settings & dependency mgmt between distros is handled in this section ##############
#########################################################################################################################

## FORCE PACKAGE VERSIONS or use blank "" to automatically download latest
FORCE_GVM_LIBS_VERSION=""                           # see https://github.com/greenbone/gvm-libs
FORCE_GVMD_VERSION=""                               # see https://github.com/greenbone/gvmd
FORCE_PG_GVM_VERSION=""                             # see https://github.com/greenbone/pg-gvm
FORCE_GSA_VERSION=""                                # see https://github.com/greenbone/gsa
FORCE_GSAD_VERSION=""                               # see https://github.com/greenbone/gsad
FORCE_OPENVAS_SMB_VERSION=""                        # see https://github.com/greenbone/openvas-smb
FORCE_OPENVAS_SCANNER_VERSION=""                    # see https://github.com/greenbone/openvas-scanner
FORCE_OSPD_OPENVAS_VERSION=""                       # see https://github.com/greenbone/ospd-openvas
FORCE_OPENVAS_DAEMON=$FORCE_OPENVAS_SCANNER_VERSION # Uses same source as scanner

## POSTGRESQL VERSION MANAGEMENT ##
source /etc/os-release
OFFICIAL_POSTGRESQL="false" # Default = false, true = force official PostgreSQL source repo
case "${VERSION_CODENAME,,}" in
    *bookworm*)
        OFFICIAL_POSTGRESQL="false"
        POSTGRESQL="postgresql postgresql-server-dev-15"
        ;;

    *noble*|*trixie*)
        OFFICIAL_POSTGRESQL="false"
        POSTGRESQL="postgresql postgresql-server-dev-16"
        ;;
    *)
        OFFICIAL_POSTGRESQL="true" # Default to official source if no distro match
        POSTGRESQL="postgresql-16 postgresql-server-dev-16"
        ;;
esac

## DEPENDENCY MANAGEMENT
# common
COMMON_DEPS="sudo apt-get install --no-install-recommends --assume-yes build-essential curl cmake pkg-config python3 python3-pip gnupg wget sudo gnupg2 ufw htop git && sudo DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -y && sudo service postfix restart" 46 | 47 | # gvm-libs 48 | GVMLIBS_DEPS="sudo apt-get install -y libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev libxml2-dev libpcap-dev libnet1-dev libpaho-mqtt-dev libldap2-dev libradcli-dev doxygen xmltoman graphviz libcjson-dev lcov libcurl4-gnutls-dev libgcrypt-dev " 49 | # extras above greenbone docs: doxygen xmltoman graphviz libcjson-dev lcov (libcurl4-openssl-dev or libcurl4-gnutls-dev) libgcrypt-dev 50 | 51 | # gvmd 52 | GVMD_DEPS1="sudo apt-get install -y libglib2.0-dev libgnutls28-dev libpq-dev ${POSTGRESQL} libical-dev xsltproc rsync libbsd-dev libgpgme-dev libcjson-dev" # extras above greenbone docs: libcjson-dev 53 | GVMD_DEPS2="sudo apt-get install -y --no-install-recommends texlive-latex-extra texlive-fonts-recommended xmlstarlet zip rpm fakeroot dpkg nsis gnupg gpgsm wget sshpass openssh-client socat snmp python3 smbclient python3-lxml gnutls-bin xml-twig-tools" # extras above greenbone docs: xml-twig-tools 54 | 55 | # pg-gvm 56 | PGGVM=DEPS="sudo apt-get install -y libglib2.0-dev libical-dev ${POSTGRESQL}" 57 | 58 | # gsad 59 | GSAD_DEPS="sudo apt-get install -y libmicrohttpd-dev libxml2-dev libglib2.0-dev libgnutls28-dev libbrotli-dev doxygen xmltoman" # extras above greenbone docs: libbrotli-dev libbrotli-dev doxygen xmltoman 60 | 61 | # openvas-smb 62 | OPENVASSMB_DEPS="sudo apt-get install -y gcc-mingw-w64 libgnutls28-dev libglib2.0-dev libpopt-dev libunistring-dev heimdal-multidev perl-base" # extras above greenbone docs: substituted heimdal-dev for heimdal-multidev 63 | 64 | # openvas-scanner 65 | OPENVASSCAN_DEPS="sudo apt-get install -y bison libglib2.0-dev libgnutls28-dev libgcrypt20-dev libpcap-dev libgpgme-dev libksba-dev rsync 
nmap libjson-glib-dev libcurl4-gnutls-dev libbsd-dev python3-impacket libsnmp-dev pandoc pnscan krb5-multidev" # extras above greenbone docs: pandoc pnscan krb5-multidev 66 | 67 | # ospd-openvas 68 | OSPD_DEPS="sudo apt-get install -y python3 python3-pip python3-setuptools python3-packaging python3-wrapt python3-cffi python3-psutil python3-lxml python3-defusedxml python3-paramiko python3-redis python3-gnupg python3-paho-mqtt" 69 | 70 | # greenbone-feed-sync 71 | FEED_DEPS="sudo apt-get install -y python3 python3-pip" 72 | 73 | # gvm-tools 74 | GVMTOOLS_DEPS="sudo apt-get install -y python3 python3-pip python3-venv python3-setuptools python3-packaging python3-lxml python3-defusedxml python3-paramiko" 75 | 76 | # redis 77 | REDIS_DEPS="sudo apt-get install -y redis-server" 78 | 79 | # openvasd (Any changes here must be replicated in the upgrade script) 80 | case "${VERSION_CODENAME,,}" in 81 | *bookworm*|*noble*|*trixie*) # Options to handle various distros 82 | OPENVASD_DEPS="curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && sudo apt-get install -y -qq pkg-config libssl-dev" 83 | SOURCE_CARGO_ENV=". \"$HOME/.cargo/env\"" 84 | ;; 85 | *) # Default to this if no disto match 86 | OPENVASD_DEPS="curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && sudo apt-get install -y -qq pkg-config libssl-dev" 87 | SOURCE_CARGO_ENV=". 
\"$HOME/.cargo/env\"": # No specific action for other codenames either 88 | ;; 89 | esac 90 | 91 | ## PIP INSTALL MANAGMENT 92 | # Bookworm 93 | if [[ "${VERSION_CODENAME,,}" == *"bookworm"* ]]; then 94 | PIP_SUDO_OSPD="" # add "sudo" to ospd install cmd 95 | PIP_SUDO_FEED="" # add "sudo" to greenbone-feed-updates install cmd 96 | PIP_SUDO_TOOLS="" # add "sudo" to gvm-tools install cmd 97 | PIP_OPTIONS="--no-warn-script-location" # pip install arguments 98 | PIP_UNINSTALL="--break-system-packages" # pip uninstall arguments 99 | # Ubuntu 23.04 & 24.04 100 | elif [[ "${VERSION_CODENAME,,}" == *"noble"* ]]; then 101 | PIP_SUDO_OSPD="sudo" 102 | PIP_SUDO_FEED="" 103 | PIP_SUDO_TOOLS="" 104 | PIP_OPTIONS="--no-warn-script-location" 105 | PIP_UNINSTALL="--break-system-packages" 106 | else 107 | # All other distros 108 | PIP_SUDO_OSPD="" 109 | PIP_SUDO_FEED="" 110 | PIP_SUDO_TOOLS="" 111 | PIP_OPTIONS="--no-warn-script-location" 112 | PIP_UNINSTALL="--break-system-packages" 113 | fi 114 | 115 | ######################################################################################################################### 116 | # Start of script actions - NO NEED TO EDIT BELOW THIS POINT ############################################################ 117 | ######################################################################################################################### 118 | 119 | # Set colours 120 | GREY='\033[0;37m' 121 | GREYB='\033[1;37m' 122 | LGREEN='\033[0;92m' 123 | LGREENB='\033[1;92m' 124 | LRED='\033[0;91m' 125 | LPURPLE='\033[0;95m' 126 | LPURPLEB='\033[1;95m' 127 | LYELLOW='\033[0;93m' 128 | NC='\033[0m' #No Colour 129 | 130 | # Make sure the user is NOT running this script as root 131 | if [[ $EUID -eq 0 ]]; then 132 | echo 133 | echo -e "${LRED}This script must NOT be run as root, it will prompt for sudo when needed." 1>&2 134 | echo -e ${NC} 135 | exit 1 136 | fi 137 | 138 | # Check if sudo is installed. (Debian does not always include sudo by default.) 
139 | if ! command -v sudo &> /dev/null; then 140 | echo "${LRED}The sudo package is not installed. Please install sudo." 141 | echo -e ${NC} 142 | exit 1 143 | fi 144 | 145 | # Make sure the user running this script is a member of the sudo group 146 | if ! id -nG "$USER" | grep -qw "sudo"; then 147 | echo 148 | echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group & be granted sudo privilages to run this script.${NC}" 1>&2 149 | exit 1 150 | fi 151 | 152 | clear 153 | 154 | # Script branding header 155 | echo 156 | echo -e "${GREYB} Itiligent GVM/OpenVAS Appliance Upgrader" 157 | echo -e " ${LGREENB}Powered by Greenbone${GREY}" 158 | echo 159 | echo 160 | 161 | # Set global variables & paths 162 | export INSTALL_PREFIX=/usr/local 163 | export PATH=$PATH:$INSTALL_PREFIX/sbin 164 | export SOURCE_DIR=$HOME/source 165 | export BUILD_DIR=$HOME/build 166 | export INSTALL_DIR=$HOME/install 167 | 168 | # Trigger sudo prompt and stop OpenVAS services 169 | sudo systemctl stop gsad gvmd ospd-openvas openvasd 170 | 171 | echo 172 | echo -e "${LGREEN}###############################################################################" 173 | echo -e " Uninstalling OpenVAS" 174 | echo -e "###############################################################################${NC}" 175 | # Fix Python externally managed errors 176 | python_version_dir=$(python3 --version 2>&1 | grep -oP '\d+\.\d+' | head -n 1) 177 | py_file="/usr/lib/python${python_version_dir}/EXTERNALLY-MANAGED" 178 | # Check if the file exists and rename it if it does 179 | if [ -f "$py_file" ]; then 180 | sudo mv "$py_file" "${py_file}.old" 181 | fi 182 | # Uninstall OpenVAS 183 | yes | sudo python3 -m pip uninstall ${PIP_UNINSTALL} ospd-openvas greenbone-feed-sync gvm-tools 184 | 185 | # Clean up anything from previous builds that could break the upgrade 186 | cd ~ 187 | sudo rm -rf $SOURCE_DIR 188 | sudo rm -rf $INSTALL_DIR 189 | sudo rm -rf $BUILD_DIR 190 | sudo rm -f /etc/openvas/openvas.conf 
191 | sudo rm -f /etc/redis/redis-openvas.conf 192 | 193 | # Re-create build directories 194 | mkdir -p $SOURCE_DIR 195 | mkdir -p $BUILD_DIR 196 | mkdir -p $INSTALL_DIR 197 | 198 | echo 199 | echo -e "${LGREEN}###############################################################################" 200 | echo -e " Updating Linux OS" 201 | echo -e "###############################################################################${NC}" 202 | echo 203 | spin() { 204 | local pid=$! 205 | local delay=0.1 206 | local spinstr='|/-\' 207 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 208 | local temp=${spinstr#?} 209 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 210 | local spinstr=$temp${spinstr%"$temp"} 211 | sleep $delay 212 | printf "\b\b\b\b\b\b" 213 | done 214 | printf "\b\b\b\b\b\b" 215 | printf " " 216 | printf "\b\b\b\b\b\b" 217 | echo -ne "\r" 218 | } 219 | ( 220 | # Update Linux base 221 | sudo apt-get update &>/dev/null 222 | sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade -qq 223 | ) & 224 | spin 225 | echo 226 | echo "Linux updated successfully...." 227 | 228 | echo 229 | echo -e "${LGREEN}###############################################################################" 230 | echo -e " Updating common dependencies" 231 | echo -e "###############################################################################${NC}" 232 | echo 233 | spin() { 234 | local pid=$! 
235 | local delay=0.1 236 | local spinstr='|/-\' 237 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 238 | local temp=${spinstr#?} 239 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 240 | local spinstr=$temp${spinstr%"$temp"} 241 | sleep $delay 242 | printf "\b\b\b\b\b\b" 243 | done 244 | printf "\b\b\b\b\b\b" 245 | printf " " 246 | printf "\b\b\b\b\b\b" 247 | echo -ne "\r" 248 | } 249 | ( 250 | # Install dependencies 251 | eval $COMMON_DEPS &>/dev/null 252 | # Import the Greenbone Community Signing Key 253 | curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc 254 | gpg --import /tmp/GBCommunitySigningKey.asc 255 | echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | gpg --import-ownertrust 256 | ) & 257 | spin 258 | echo 259 | echo -e "Common dependencies updated successfully..." 260 | 261 | echo 262 | echo -e "${LGREEN}###############################################################################" 263 | echo -e " Checking latest OpenVAS releases - edit script to manually force a version" 264 | echo -e "###############################################################################${NC}" 265 | echo 266 | # Check for the latest OpenVAS release tags from GitHub 267 | get_latest_release() { 268 | curl --silent "https://api.github.com/repos/$1/releases/latest" | # Get latest release from GitHub API 269 | grep '"tag_name":' | # Get tag line 270 | sed -E 's/.*"v?([^"]+)".*/\1/' # Extract version 271 | } 272 | 273 | # Determine the relevant GitHub repos 274 | declare -A repos=( 275 | ["GVM_LIBS_VERSION"]="greenbone/gvm-libs" 276 | ["GVMD_VERSION"]="greenbone/gvmd" 277 | ["PG_GVM_VERSION"]="greenbone/pg-gvm" 278 | ["GSA_VERSION"]="greenbone/gsa" 279 | ["GSAD_VERSION"]="greenbone/gsad" 280 | ["OPENVAS_SMB_VERSION"]="greenbone/openvas-smb" 281 | ["OPENVAS_SCANNER_VERSION"]="greenbone/openvas-scanner" 282 | ["OSPD_OPENVAS_VERSION"]="greenbone/ospd-openvas" 283 | ) 284 | echo -e " ${LGREEN}Latest OpenVAS releases will be 
upgraded by default:${NC}" 285 | # Get latest OpenVAS versions 286 | for version in "${!repos[@]}"; do 287 | latest_version=$(get_latest_release "${repos[$version]}") 288 | if [[ -z $latest_version ]]; then 289 | echo -e "${LRED}Failed to retrieve the latest version for ${repos[$version]}. Exiting.${NC}" 290 | exit 1 291 | fi 292 | export $version=$latest_version 293 | echo " $version=$latest_version" 294 | done 295 | # openvasd uses the same repo as scanner 296 | export OPENVAS_DAEMON=$OPENVAS_SCANNER_VERSION 297 | echo " OPENVAS_DAEMON=$OPENVAS_SCANNER_VERSION" 298 | 299 | # Check for any version overrides 300 | echo 301 | if [[ -n $FORCE_GVM_LIBS_VERSION ]]; then 302 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 303 | elif [[ -n $FORCE_GVMD_VERSION ]]; then 304 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 305 | elif [[ -n $FORCE_PG_GVM_VERSION ]]; then 306 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 307 | elif [[ -n $FORCE_GSA_VERSION ]]; then 308 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 309 | elif [[ -n $FORCE_GSAD_VERSION ]]; then 310 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 311 | elif [[ -n $FORCE_OPENVAS_SMB_VERSION ]]; then 312 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 313 | elif [[ -n $FORCE_OPENVAS_SCANNER_VERSION ]]; then 314 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 315 | elif [[ -n $FORCE_OSPD_OPENVAS_VERSION ]]; then 316 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 317 | elif [[ -n $FORCE_OPENVAS_DAEMON ]]; then 318 | echo -e "${LGREEN} The following package version(s) are manually forced:${NC}" 319 | fi 320 | 321 | if [[ -n $FORCE_GVM_LIBS_VERSION ]]; then 322 | GVM_LIBS_VERSION=$FORCE_GVM_LIBS_VERSION 323 | echo -e "${LYELLOW} 
GVM_LIBS_VERSION=$FORCE_GVM_LIBS_VERSION${NC}" 324 | fi 325 | if [[ -n $FORCE_GVMD_VERSION ]]; then 326 | GVMD_VERSION=$FORCE_GVMD_VERSION 327 | echo -e "${LYELLOW} GVMD_VERSION=$FORCE_GVMD_VERSION${NC}" 328 | fi 329 | if [[ -n $FORCE_PG_GVM_VERSION ]]; then 330 | PG_GVM_VERSION=$FORCE_PG_GVM_VERSION 331 | echo -e "${LYELLOW} PG_GVM_VERSION=$FORCE_PG_GVM_VERSION${NC}" 332 | fi 333 | if [[ -n $FORCE_GSA_VERSION ]]; then 334 | GSA_VERSION=$FORCE_GSA_VERSION 335 | echo -e "${LYELLOW} GSA_VERSION=$FORCE_GSA_VERSION${NC}" 336 | fi 337 | if [[ -n $FORCE_GSAD_VERSION ]]; then 338 | GSAD_VERSION=$FORCE_GSAD_VERSION 339 | echo -e "${LYELLOW} GSAD_VERSION=$FORCE_GSAD_VERSION${NC}" 340 | fi 341 | if [[ -n $FORCE_OPENVAS_SMB_VERSION ]]; then 342 | OPENVAS_SMB_VERSION=$FORCE_OPENVAS_SMB_VERSION 343 | echo -e "${LYELLOW} OPENVAS_SMB_VERSION=$FORCE_OPENVAS_SMB_VERSION${NC}" 344 | fi 345 | if [[ -n $FORCE_OPENVAS_SCANNER_VERSION ]]; then 346 | OPENVAS_SCANNER_VERSION=$FORCE_OPENVAS_SCANNER_VERSION 347 | echo -e "${LYELLOW} OPENVAS_SCANNER_VERSION=$FORCE_OPENVAS_SCANNER_VERSION${NC}" 348 | fi 349 | if [[ -n $FORCE_OSPD_OPENVAS_VERSION ]]; then 350 | OSPD_OPENVAS_VERSION=$FORCE_OSPD_OPENVAS_VERSION 351 | echo -e "${LYELLOW} OSPD_OPENVAS_VERSION=$FORCE_OSPD_OPENVAS_VERSION${NC}" 352 | fi 353 | if [[ -n $FORCE_OPENVAS_DAEMON ]]; then 354 | OPENVAS_DAEMON=$FORCE_OPENVAS_DAEMON 355 | echo -e "${LYELLOW} OPENVAS_DAEMON=$FORCE_OPENVAS_DAEMON${NC}" 356 | fi 357 | 358 | echo 359 | echo -e "${LGREEN}###############################################################################" 360 | echo -e " Upgrading gvm-libs to $GVM_LIBS_VERSION" 361 | echo -e "###############################################################################${NC}" 362 | echo 363 | spin() { 364 | local pid=$! 
365 | local delay=0.1 366 | local spinstr='|/-\' 367 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 368 | local temp=${spinstr#?} 369 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 370 | local spinstr=$temp${spinstr%"$temp"} 371 | sleep $delay 372 | printf "\b\b\b\b\b\b" 373 | done 374 | printf "\b\b\b\b\b\b" 375 | printf " " 376 | printf "\b\b\b\b\b\b" 377 | echo -ne "\r" 378 | } 379 | ( 380 | # Install dependencies 381 | eval $GVMLIBS_DEPS &>/dev/null 382 | ) & 383 | spin 384 | echo "gvm-libs dependencies updated successfully..." 385 | echo 386 | 387 | # Download the gvm-libs sources 388 | export GVM_LIBS_VERSION=$GVM_LIBS_VERSION 389 | curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz 390 | curl -f -L https://github.com/greenbone/gvm-libs/releases/download/v$GVM_LIBS_VERSION/gvm-libs-v$GVM_LIBS_VERSION.tar.gz.asc -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc 391 | gpg --verify $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz 392 | 393 | # Build gvm-libs 394 | echo 395 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz 396 | mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs 397 | cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \ 398 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 399 | -DCMAKE_BUILD_TYPE=Release \ 400 | -DSYSCONFDIR=/etc \ 401 | -DLOCALSTATEDIR=/var 402 | make -j$(nproc) 403 | 404 | # Install gvm-libs 405 | mkdir -p $INSTALL_DIR/gvm-libs 406 | make DESTDIR=$INSTALL_DIR/gvm-libs install 407 | sudo cp -rvf $INSTALL_DIR/gvm-libs/* / 408 | 409 | echo -e ${LGREEN} 410 | read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue." 
411 | echo -e ${NC} 412 | echo -e "${LGREEN}###############################################################################" 413 | echo -e " Upgrading gvmd to $GVMD_VERSION" 414 | echo -e "###############################################################################${NC}" 415 | echo 416 | spin() { 417 | local pid=$! 418 | local delay=0.1 419 | local spinstr='|/-\' 420 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 421 | local temp=${spinstr#?} 422 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 423 | local spinstr=$temp${spinstr%"$temp"} 424 | sleep $delay 425 | printf "\b\b\b\b\b\b" 426 | done 427 | printf "\b\b\b\b\b\b" 428 | printf " " 429 | printf "\b\b\b\b\b\b" 430 | echo -ne "\r" 431 | } 432 | ( 433 | # Install dependencies 434 | eval $GVMD_DEPS1 &>/dev/null 435 | eval $GVMD_DEPS2 &>/dev/null 436 | ) & 437 | spin 438 | echo "gvmd dependencies updated successfully..." 439 | echo 440 | 441 | # Download the gvmd sources 442 | export GVMD_VERSION=$GVMD_VERSION 443 | curl -f -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz 444 | curl -f -L https://github.com/greenbone/gvmd/releases/download/v$GVMD_VERSION/gvmd-$GVMD_VERSION.tar.gz.asc -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc 445 | gpg --verify $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz 446 | 447 | # Build gvmd 448 | echo 449 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz 450 | mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd 451 | cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \ 452 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 453 | -DCMAKE_BUILD_TYPE=Release \ 454 | -DLOCALSTATEDIR=/var \ 455 | -DSYSCONFDIR=/etc \ 456 | -DGVM_DATA_DIR=/var \ 457 | -DGVMD_RUN_DIR=/run/gvmd \ 458 | -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \ 459 | -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \ 460 | -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \ 461 | -DLOGROTATE_DIR=/etc/logrotate.d 462 | make 
-j$(nproc) 463 | 464 | # Install gvmd 465 | mkdir -p $INSTALL_DIR/gvmd 466 | make DESTDIR=$INSTALL_DIR/gvmd install 467 | sudo cp -rvf $INSTALL_DIR/gvmd/* / 468 | cat << EOF > $BUILD_DIR/gvmd.service 469 | [Unit] 470 | Description=Greenbone Vulnerability Manager daemon (gvmd) 471 | After=network.target networking.service postgresql.service ospd-openvas.service 472 | Wants=postgresql.service ospd-openvas.service 473 | Documentation=man:gvmd(8) 474 | ConditionKernelCommandLine=!recovery 475 | 476 | [Service] 477 | Type=exec 478 | User=gvm 479 | Group=gvm 480 | PIDFile=/run/gvmd/gvmd.pid 481 | RuntimeDirectory=gvmd 482 | RuntimeDirectoryMode=2775 483 | ExecStart=/usr/local/sbin/gvmd --foreground --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm 484 | Restart=always 485 | TimeoutStopSec=10 486 | 487 | [Install] 488 | WantedBy=multi-user.target 489 | EOF 490 | sudo cp -vf $BUILD_DIR/gvmd.service /etc/systemd/system/ 491 | sudo systemctl daemon-reload 492 | sudo systemctl enable gvmd 493 | 494 | echo -e ${LGREEN} 495 | read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue." 496 | echo -e ${NC} 497 | echo -e "${LGREEN}###############################################################################" 498 | echo -e " Upgrading pg-gvm to $PG_GVM_VERSION" 499 | echo -e "###############################################################################${NC}" 500 | echo 501 | spin() { 502 | local pid=$! 
503 | local delay=0.1 504 | local spinstr='|/-\' 505 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 506 | local temp=${spinstr#?} 507 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 508 | local spinstr=$temp${spinstr%"$temp"} 509 | sleep $delay 510 | printf "\b\b\b\b\b\b" 511 | done 512 | printf "\b\b\b\b\b\b" 513 | printf " " 514 | printf "\b\b\b\b\b\b" 515 | echo -ne "\r" 516 | } 517 | ( 518 | # Install dependencies 519 | eval $PGGVM_DEPS &>/dev/null 520 | ) & 521 | spin 522 | echo "pg-gvm dependencies updated successfully..." 523 | echo 524 | 525 | # Download the pg-gvm sources 526 | export PG_GVM_VERSION=$PG_GVM_VERSION 527 | curl -f -L https://github.com/greenbone/pg-gvm/archive/refs/tags/v$PG_GVM_VERSION.tar.gz -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz 528 | curl -f -L https://github.com/greenbone/pg-gvm/releases/download/v$PG_GVM_VERSION/pg-gvm-$PG_GVM_VERSION.tar.gz.asc -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc 529 | gpg --verify $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz 530 | 531 | # Build pg-gvm 532 | echo 533 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz 534 | mkdir -p $BUILD_DIR/pg-gvm && cd $BUILD_DIR/pg-gvm 535 | cmake $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \ 536 | -DCMAKE_BUILD_TYPE=Release 537 | make -j$(nproc) 538 | 539 | # Install pg-gvm 540 | mkdir -p $INSTALL_DIR/pg-gvm 541 | make DESTDIR=$INSTALL_DIR/pg-gvm install 542 | sudo cp -rvf $INSTALL_DIR/pg-gvm/* / 543 | 544 | echo -e ${LGREEN} 545 | read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue." 
546 | echo -e ${NC} 547 | echo -e "${LGREEN}###############################################################################" 548 | echo -e " Upgrading gsa to $GSA_VERSION" 549 | echo -e "###############################################################################${NC}" 550 | echo 551 | export GSA_VERSION=$GSA_VERSION 552 | curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz 553 | curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc 554 | gpg --verify $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz 555 | 556 | # Extract & install gsa 557 | echo 558 | mkdir -p $SOURCE_DIR/gsa-$GSA_VERSION 559 | tar -C $SOURCE_DIR/gsa-$GSA_VERSION -xvzf $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz 560 | sudo mkdir -p $INSTALL_PREFIX/share/gvm/gsad/web/ 561 | sudo cp -rvf $SOURCE_DIR/gsa-$GSA_VERSION/* $INSTALL_PREFIX/share/gvm/gsad/web/ 562 | 563 | echo -e ${LGREEN} 564 | read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue." 565 | echo -e ${NC} 566 | echo -e "${LGREEN}###############################################################################" 567 | echo -e "Upgrading gsad to $GSAD_VERSION" 568 | echo -e "###############################################################################${NC}" 569 | echo 570 | spin() { 571 | local pid=$! 
572 | local delay=0.1 573 | local spinstr='|/-\' 574 | while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do 575 | local temp=${spinstr#?} 576 | printf "${LPURPLE} [%c] ${NC}" "$spinstr" 577 | local spinstr=$temp${spinstr%"$temp"} 578 | sleep $delay 579 | printf "\b\b\b\b\b\b" 580 | done 581 | printf "\b\b\b\b\b\b" 582 | printf " " 583 | printf "\b\b\b\b\b\b" 584 | echo -ne "\r" 585 | } 586 | ( 587 | # Install dependencies 588 | eval $GSAD_DEPS &>/dev/null 589 | ) & 590 | spin 591 | echo "gsad dependencies updated successfully..." 592 | echo 593 | 594 | # Download gsad sources 595 | echo 596 | export GSAD_VERSION=$GSAD_VERSION 597 | curl -f -L https://github.com/greenbone/gsad/archive/refs/tags/v$GSAD_VERSION.tar.gz -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz 598 | curl -f -L https://github.com/greenbone/gsad/releases/download/v$GSAD_VERSION/gsad-$GSAD_VERSION.tar.gz.asc -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc 599 | gpg --verify $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz 600 | 601 | # Build gsad 602 | echo 603 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz 604 | mkdir -p $BUILD_DIR/gsad && cd $BUILD_DIR/gsad 605 | cmake $SOURCE_DIR/gsad-$GSAD_VERSION \ 606 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 607 | -DCMAKE_BUILD_TYPE=Release \ 608 | -DSYSCONFDIR=/etc \ 609 | -DLOCALSTATEDIR=/var \ 610 | -DGVMD_RUN_DIR=/run/gvmd \ 611 | -DGSAD_RUN_DIR=/run/gsad \ 612 | -DLOGROTATE_DIR=/etc/logrotate.d 613 | make -j$(nproc) 614 | 615 | # Install gsad 616 | mkdir -p $INSTALL_DIR/gsad 617 | make DESTDIR=$INSTALL_DIR/gsad install 618 | sudo cp -rvf $INSTALL_DIR/gsad/* / 619 | 620 | # Get pre-existing gsad https certificate names 621 | DIR_TLS_CERT="/etc/gvm/certs" # GVM default certificate location 622 | DIR_TLS_KEY="/etc/gvm/private" # GVM default certificate location 623 | TLS_CERT=$(ls "$DIR_TLS_CERT" | grep -E "\.crt$|\.pem$|\.key$|\.cert$") 624 | TLS_KEY=$(ls "$DIR_TLS_KEY" | grep -E "\.crt$|\.pem$|\.key$|\.cert$") 625 
cat << EOF > $BUILD_DIR/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=exec
#User=gvm
#Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=0.0.0.0 --foreground --drop-privileges=gvm --port=443 --rport=80 -c $DIR_TLS_CERT/$TLS_CERT -k $DIR_TLS_KEY/$TLS_KEY
# ExecStart=/usr/local/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --http-only # Swap this line for http only. Change to 0.0.0.0 to bind with all interfaces
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOF
sudo cp -vf $BUILD_DIR/gsad.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable gsad

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading openvas-smb to $OPENVAS_SMB_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OPENVASSMB_DEPS &>/dev/null
) &
spin
echo "openvas-smb dependencies updated successfully..."
echo

# Download the openvas-smb sources
export OPENVAS_SMB_VERSION=$OPENVAS_SMB_VERSION
curl -f -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB_VERSION.tar.gz -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-smb/releases/download/v$OPENVAS_SMB_VERSION/openvas-smb-v$OPENVAS_SMB_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc
gpg --verify $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz

# Build openvas-smb
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
mkdir -p $BUILD_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb
cmake $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)

# Install openvas-smb
mkdir -p $INSTALL_DIR/openvas-smb
make DESTDIR=$INSTALL_DIR/openvas-smb install
sudo cp -rvf $INSTALL_DIR/openvas-smb/* /

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading openvas-scanner to $OPENVAS_SCANNER_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OPENVASSCAN_DEPS &>/dev/null
) &
spin
echo "openvas-scanner dependencies updated successfully..."
echo

# Download openvas-scanner sources
export OPENVAS_SCANNER_VERSION=$OPENVAS_SCANNER_VERSION
curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_SCANNER_VERSION/openvas-scanner-v$OPENVAS_SCANNER_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc
gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz

# Build openvas-scanner
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
mkdir -p $BUILD_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner
cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DINSTALL_OLD_SYNC_SCRIPT=OFF \
    -DSYSCONFDIR=/etc \
    -DLOCALSTATEDIR=/var \
    -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
    -DOPENVAS_RUN_DIR=/run/ospd
make -j$(nproc)

# Install openvas-scanner
mkdir -p $INSTALL_DIR/openvas-scanner
make DESTDIR=$INSTALL_DIR/openvas-scanner install
sudo cp -rvf $INSTALL_DIR/openvas-scanner/* /
printf "table_driven_lsc = yes\n" | sudo tee /etc/openvas/openvas.conf
printf "openvasd_server = http://127.0.0.1:3000\n" | sudo tee -a /etc/openvas/openvas.conf

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading ospd-openvas to $OSPD_OPENVAS_VERSION"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OSPD_DEPS &>/dev/null
) &
spin
echo "ospd-openvas dependencies updated successfully..."
echo

# Download ospd-openvas sources
export OSPD_OPENVAS_VERSION=$OSPD_OPENVAS_VERSION
curl -f -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/ospd-openvas/releases/download/v$OSPD_OPENVAS_VERSION/ospd-openvas-v$OSPD_OPENVAS_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc
gpg --verify $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz

# Install ospd-openvas
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION
mkdir -p $INSTALL_DIR/ospd-openvas
${PIP_SUDO_OSPD} python3 -m pip install --root=$INSTALL_DIR/ospd-openvas ${PIP_OPTIONS} .
sudo cp -rvf $INSTALL_DIR/ospd-openvas/* /
cat << EOF > $BUILD_DIR/ospd-openvas.service
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service openvasd.service
Wants=redis-server@openvas.service openvasd.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770 --notus-feed-dir /var/lib/notus/advisories
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF
sudo cp -vf $BUILD_DIR/ospd-openvas.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable ospd-openvas

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading openvasd to $OPENVAS_DAEMON"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $OPENVASD_DEPS &>/dev/null
    eval "$SOURCE_CARGO_ENV"
) &
spin
eval "$SOURCE_CARGO_ENV"
echo "openvasd rust dependencies updated successfully..."
echo

# Download openvasd sources
echo
export OPENVAS_DAEMON=$OPENVAS_DAEMON
curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_DAEMON.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz
curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_DAEMON/openvas-scanner-v$OPENVAS_DAEMON.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc
gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz

# Install openvasd
echo
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz
mkdir -p $INSTALL_DIR/openvasd/usr/local/bin
cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/src
cargo build --release
sudo cp -v ../target/release/openvasd $INSTALL_DIR/openvasd/usr/local/bin/
cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/src/scannerctl
cargo build --release
sudo cp -v ../target/release/scannerctl $INSTALL_DIR/openvasd/usr/local/bin/
sudo cp -rv $INSTALL_DIR/openvasd/* /
cat << EOF > $BUILD_DIR/openvasd.service
[Unit]
Description=OpenVASD
Documentation=https://github.com/greenbone/openvas-scanner/tree/main/rust/openvasd
ConditionKernelCommandLine=!recovery
[Service]
Type=exec
User=gvm
RuntimeDirectory=openvasd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/bin/openvasd --mode service_notus --products /var/lib/notus/products --advisories /var/lib/notus/advisories --listening 127.0.0.1:3000
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
sudo cp -vf $BUILD_DIR/openvasd.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable openvasd

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading greenbone-feed-sync"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $FEED_DEPS &>/dev/null
) &
spin
echo "greenbone-feed-sync dependencies updated successfully..."
echo

# Install greenbone-feed-sync
mkdir -p $INSTALL_DIR/greenbone-feed-sync
${PIP_SUDO_FEED} python3 -m pip install --root=$INSTALL_DIR/greenbone-feed-sync ${PIP_OPTIONS} greenbone-feed-sync
sudo cp -rvf $INSTALL_DIR/greenbone-feed-sync/* /

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading gvm-tools"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $GVMTOOLS_DEPS &>/dev/null
) &
spin
echo "gvm-tools dependencies updated successfully..."
echo

# Install gvm-tools
mkdir -p $INSTALL_DIR/gvm-tools
${PIP_SUDO_TOOLS} python3 -m pip install --root=$INSTALL_DIR/gvm-tools ${PIP_OPTIONS} gvm-tools
sudo cp -rvf $INSTALL_DIR/gvm-tools/* /

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Upgrading the Redis data store"
echo -e "###############################################################################${NC}"
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Install dependencies
    eval $REDIS_DEPS &>/dev/null
) &
spin
echo "redis dependencies updated successfully..."
echo

# Configure redis
sudo cp -f $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION/config/redis-openvas.conf /etc/redis/
sudo chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" | sudo tee -a /etc/openvas/openvas.conf
sudo systemctl start redis-server@openvas.service
sudo systemctl enable redis-server@openvas.service
sudo usermod -aG redis gvm

echo -e ${LGREEN}
read -p "Please check above output for any errors or issues with (new) dependencies not found. Hit enter to continue."
echo -e ${NC}
echo -e "${LGREEN}###############################################################################"
echo -e " Setting gvm privs, importing feed signature & migrating database, BE PATIENT!"
echo -e "###############################################################################${NC}"
echo

# Set gvmd executable permissions
sudo chown gvm:gvm /usr/local/sbin/gvmd
sudo chmod 6750 /usr/local/sbin/gvmd

# Import the update feed's digital signature
curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
export GNUPGHOME=/tmp/openvas-gnupg
mkdir -p $GNUPGHOME
gpg --import /tmp/GBCommunitySigningKey.asc
echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | gpg --import-ownertrust
export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg
sudo mkdir -p $OPENVAS_GNUPG_HOME
sudo cp -rf /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/
sudo chown -R gvm:gvm $OPENVAS_GNUPG_HOME
echo
spin() {
    local pid=$!
    local delay=0.1
    local spinstr='|/-\'
    while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
        local temp=${spinstr#?}
        printf "${LPURPLE} [%c] ${NC}" "$spinstr"
        local spinstr=$temp${spinstr%"$temp"}
        sleep $delay
        printf "\b\b\b\b\b\b"
    done
    printf "\b\b\b\b\b\b"
    printf "      "
    printf "\b\b\b\b\b\b"
    echo -ne "\r"
}
(
    # Migrate database schema if needed
    /usr/local/sbin/gvmd --migrate
    sudo ldconfig
) &
spin
echo
echo "Database migrated successfully...."

echo -e "${LGREEN}###############################################################################"
echo -e " Cleaning up build sources & re-setting firewall rules"
echo -e "###############################################################################${NC}"
echo
# Clean up GVM build files
cd ~
sudo rm -rf $SOURCE_DIR
sudo rm -rf $INSTALL_DIR
sudo rm -rf $BUILD_DIR
sudo rm -f /tmp/GBCommunitySigningKey.asc
sudo apt autoremove -qq -y
echo

# Update ufw rules & stop fw log chatter
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
echo "y" | sudo ufw enable >/dev/null
sudo ufw logging off

echo -e "${LGREEN}###############################################################################"
echo -e " A feed update is required before OpenVAS can start, THIS MAY TAKE A LONG TIME"
echo -e "###############################################################################${NC}"

# Update GVM & start the services
# This must be a one-liner because lengthy feed updates cause sudo credentials to time out before the script can finish.
# Also includes a privs fix because gsad is started with --drop-privileges (allowing binding to port 443), this results in gsad.log
# being initially created with the wrong privs on 1st startup.
echo
sudo bash -c '/usr/local/bin/greenbone-feed-sync; systemctl start ospd-openvas; systemctl start gvmd; systemctl start gsad; systemctl start openvasd; sleep 15; systemctl stop gsad; chown -R gvm:gvm /var/log/gvm; systemctl start gsad'

# Final completion message
echo -e "${LGREEN}OpenVAS upgrade complete"
echo -e ${NC}


--------------------------------------------------------------------------------
/prepare-smb-cred-scan.ps1:
--------------------------------------------------------------------------------
###################################################################################
# Windows client setup script for GVM Community Edition credential scans
# David Harrop
# August 2022
###################################################################################

# Requires:
# Set-ExecutionPolicy Unrestricted -Scope CurrentUser
# Then set it back with:
# Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

# Turn On Remote Registry
Set-Service -Name RemoteRegistry -StartupType Automatic
Set-Service -Name RemoteRegistry -Status Running -PassThru

# Turn on firewall rules for Windows ports
netsh advfirewall firewall add rule dir=in name="WMI" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any profile=private,domain remoteip=localSubnet
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

# Set Registry token
If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")) {
    New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | Out-Null
}
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Type DWord -Value 1

--------------------------------------------------------------------------------
/update-certificates.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#########################################################################################################################
# Greenbone Vulnerability Manager appliance https certificate update script
# David Harrop
# June 2024
# Use this script if:
#   Changing the dns name of your OpenVAS appliance
#   Changing the IP address of your OpenVAS appliance
#   Certificates have expired/about to expire
#########################################################################################################################

CERT_DOMAIN=""                  # Force a TLS certificate dns domain (defaults to hostname.dns-suffix if left blank)
CERT_COUNTRY="AU"               # For RSA SSL cert, 2 character country code only, must not be blank
CERT_STATE="Victoria"           # For RSA SSL cert, Optional to change, must not be blank
CERT_LOCATION="Melbourne"       # For RSA SSL cert, Optional to change, must not be blank
CERT_ORG="Itiligent"            # For RSA SSL cert, Optional to change, must not be blank
CERT_OU="SecOps"                # For RSA SSL cert, Optional to change, must not be blank
CERT_DAYS="3650"                # For RSA SSL cert, number of days until self signed certificate expiry
DIR_TLS_CERT="/etc/gvm/certs"   # GVM default certificate location
DIR_TLS_KEY="/etc/gvm/private"  # GVM default certificate location
KEYSIZE=2048                    # RSA certificate encryption strength

# Set colours
GREY='\033[0;37m'
GREYB='\033[1;37m'
LGREEN='\033[0;92m'
LGREENB='\033[1;92m'
LRED='\033[0;91m'
LPURPLE='\033[0;95m'
LPURPLEB='\033[1;95m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour

# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
    echo
    echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
    echo
    exit 1
fi

echo
clear
echo

# Get the default route interface IP address as we need this for TLS certificate creation later
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)

# An initial dns suffix is needed as a starting value for the script prompts.
get_domain_suffix() {
    echo "$1" | awk '{print $2}'
}
# Search for "search" & "domain" entries in /etc/resolv.conf
search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf)
domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf)
# Check if both "search" & "domain" lines exist
if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then
    # Both "search" & "domain" lines exist, extract the domain suffix from both
    search_suffix=$(get_domain_suffix "$search_line")
    domain_suffix=$(get_domain_suffix "$domain_line")
    # Print the domain suffix that appears first
    if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then
        DOMAIN_SUFFIX=$search_suffix
    else
        DOMAIN_SUFFIX=$domain_suffix
    fi
elif [[ -n "$search_line" ]]; then
    # If only "search" line exists
    DOMAIN_SUFFIX=$(get_domain_suffix "$search_line")
elif [[ -n "$domain_line" ]]; then
    # If only "domain" line exists
    DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line")
else
    # If no "search" or "domain" lines found
    DOMAIN_SUFFIX="local"
fi
# System name change prompts
SERVER_NAME=""
# Ensure SERVER_NAME is consistent with local host entries
if [[ -z ${SERVER_NAME} ]]; then
    echo -e "${LPURPLEB} Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${GREYB}"
    read -p "              Enter new HOSTNAME : " SERVER_NAME
    # If hit enter making no SERVER_NAME change, assume the existing hostname as current
    if [[ "${SERVER_NAME}" = "" ]]; then
        SERVER_NAME=$HOSTNAME
    fi
    echo
    # A SERVER_NAME was derived via the prompt
    # Apply the SERVER_NAME value & remove & update any old 127.0.1.1 localhost references
    $(sudo hostnamectl set-hostname $SERVER_NAME &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i '/127.0.1.1/d' /etc/hosts &>>/dev/null
    echo '127.0.1.1       '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
else
    echo
    # A SERVER_NAME value was derived from a pre-set script variable
    # Apply the SERVER_NAME value & remove & update any old 127.0.1.1 localhost references
    $(sudo hostnamectl set-hostname $SERVER_NAME &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i '/127.0.1.1/d' /etc/hosts &>>/dev/null
    echo '127.0.1.1       '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
fi

LOCAL_DOMAIN=""
# Ensure LOCAL_DOMAIN suffix & localhost entries are consistent
if [[ -z ${LOCAL_DOMAIN} ]]; then
    echo -e "${LPURPLEB} Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${GREYB}"
    read -p "              Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN
    # If hit enter making no LOCAL_DOMAIN name change, assume the existing domain suffix as current
    if [[ "${LOCAL_DOMAIN}" = "" ]]; then
        LOCAL_DOMAIN=$DOMAIN_SUFFIX
    fi
    echo
    # A LOCAL_DOMAIN value was derived via the prompt
    # Remove any old localhost & resolv file values & update these with the new LOCAL_DOMAIN value
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts
    sudo sed -i '/domain/d' /etc/resolv.conf
    sudo sed -i '/search/d' /etc/resolv.conf
    # Refresh the /etc/hosts file with the server name & new local domain value
    echo ''${DEFAULT_IP}'   '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    # Refresh /etc/resolv.conf with new domain & search suffix values
    echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
else
    echo
    # A LOCAL_DOMAIN value was derived from a pre-set script variable
    # Remove any old localhost & resolv file values & update these with the new LOCAL_DOMAIN value
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
    sleep 1
    sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts
    sudo sed -i '/domain/d' /etc/resolv.conf
    sudo sed -i '/search/d' /etc/resolv.conf
    # Refresh the /etc/hosts file with the server name & new local domain value
    echo ''${DEFAULT_IP}'   '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>/dev/null
    # Refresh /etc/resolv.conf with new domain & search suffix values
    echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>/dev/null
    $(sudo systemctl restart systemd-hostnamed &>/dev/null &) &>/dev/null
fi

# Now that $SERVER_NAME & $LOCAL_DOMAIN values are updated, both values are merged to create
# a local FQDN value (used in the default TLS certificate config & file name)
DEFAULT_FQDN=$SERVER_NAME.$LOCAL_DOMAIN

# If the TLS domain name is not manually overridden at the prompt, keep the default FQDN as the TLS domain name
if [ -z "${CERT_DOMAIN}" ]; then
    CERT_DOMAIN="${DEFAULT_FQDN}"
fi

# Remove old https certificate
sudo rm -f $DIR_TLS_CERT/*.*
sudo rm -f $DIR_TLS_KEY/*.*

# Create new TLS certificates
cd ~
cat < /dev/null << EOF
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=exec
#User=gvm
#Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=0.0.0.0 --foreground --drop-privileges=gvm --port=443 --rport=80 -c $DIR_TLS_CERT/$CERT_DOMAIN.crt -k $DIR_TLS_KEY/$CERT_DOMAIN.key
#ExecStart=/usr/local/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --http-only
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOF

sudo systemctl daemon-reload
sudo systemctl restart gsad
rm cert_attributes.txt

# Cheap hack to display in stdout client certificate configs (where special characters normally break cut/pasteable output)
SHOWASTEXT1='$mypwd'
SHOWASTEXT2='"Cert:\LocalMachine\Root"'

# Display custom instructions for browser client certificate import
echo
printf "${LGREEN}+#############################################################################################################
${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. Copy ${GREYB}$DIR_TLS_CERT/$CERT_DOMAIN.pfx${GREY} to a location accessible by Windows.
+ 2. Import the PFX file into your Windows client with the below Powershell commands (as Administrator):
\n"
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
echo -e "Import-pfxCertificate -FilePath $CERT_DOMAIN.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
echo -e "(Clear your browser cache & restart your browser to test.)"
printf "${GREY}+-------------------------------------------------------------------------------------------------------------
${LGREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. Copy ${GREYB}$DIR_TLS_CERT/$CERT_DOMAIN.crt${GREY} to a location accessible by Linux.
+ 2. Import the CRT file into your Linux client certificate store with the below command (as sudo):
\n"
echo -e "mkdir -p \$HOME/.pki/nssdb && certutil -d \$HOME/.pki/nssdb -N"
echo -e "certutil -d sql:\$HOME/.pki/nssdb -A -t "CT,C,c" -n $CERT_DOMAIN -i $CERT_DOMAIN.crt"
printf "${LGREEN}+#############################################################################################################\n"
--------------------------------------------------------------------------------
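The curl / gpg --verify / tar sequence that openvas-upgrade.sh repeats for openvas-smb, openvas-scanner, ospd-openvas and openvasd never tests the exit status of gpg, and the script does not run under set -e, so a rejected or missing signature would not stop the build. The fail-closed wrapper below is an added example, not code from the Easy-OpenVAS-Installer repository; the function names and the curl options are my own choice, and it assumes the Greenbone signing key is already in the keyring (the upgrade script imports GBCommunitySigningKey.asc itself).

```bash
#!/bin/bash
# Added example (not part of the repository's scripts): a fail-closed version
# of the per-module "download tarball + .asc, gpg --verify, tar -x" pattern.

# verify_signed_tarball TARBALL ASC
# Returns 0 only when gpg reports VALIDSIG for the detached signature, i.e.
# a good signature from a key already in the keyring. BADSIG, NO_PUBKEY,
# EXPKEYSIG, NODATA and every other outcome return non-zero.
verify_signed_tarball() {
    local tarball="$1" asc="$2"
    [ -s "$tarball" ] || { echo "missing or empty tarball: $tarball" >&2; return 2; }
    [ -s "$asc" ]     || { echo "missing or empty signature: $asc" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 3; }

    # --status-fd 1 gives machine-readable "[GNUPG:] ..." lines on stdout;
    # --batch stops gpg from ever prompting inside a script.
    local status
    status=$(gpg --batch --status-fd 1 --verify "$asc" "$tarball" 2>/dev/null) || true
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG'; then
        return 0
    fi
    echo "signature verification FAILED for $tarball" >&2
    printf '%s\n' "$status" | grep '^\[GNUPG:\]' | sed 's/^/  /' >&2
    return 1
}

# fetch_and_verify MODULE VERSION SOURCE_DIR
# Mirrors the URL layout the upgrade script uses for the greenbone/* repos
# (source tarball under archive/refs/tags, detached .asc under
# releases/download) and refuses to extract unless the signature checks out.
fetch_and_verify() {
    local module="$1" version="$2" source_dir="$3"
    local base="https://github.com/greenbone/$module"
    local tarball="$source_dir/$module-$version.tar.gz"
    local asc="$tarball.asc"
    mkdir -p "$source_dir" || return 1
    curl -fsSL "$base/archive/refs/tags/v$version.tar.gz" -o "$tarball" || return 1
    curl -fsSL "$base/releases/download/v$version/$module-v$version.tar.gz.asc" -o "$asc" || return 1
    verify_signed_tarball "$tarball" "$asc" || return 1
    tar -C "$source_dir" -xzf "$tarball"
}

# Usage in place of the three curl/gpg/tar lines per module, e.g.:
#   fetch_and_verify openvas-smb "$OPENVAS_SMB_VERSION" "$SOURCE_DIR" || exit 1
```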
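update-certificates.sh is meant to be run when the certificate has expired or is about to, or when the scanner's DNS name changes, but nothing on the appliance tells you which of those is true. The pre-flight check below is an added example, not part of the repository; it inspects the file the gsad.service unit points at (`$DIR_TLS_CERT/$CERT_DOMAIN.crt`) with the openssl CLI and reports whether the name still matches and how close expiry is. The function name and exit codes are my own.

```bash
#!/bin/bash
# Added example (not part of update-certificates.sh): decide whether the gsad
# certificate needs renewing before wiping $DIR_TLS_CERT and regenerating it.

# check_gsad_cert CERT_FILE EXPECTED_NAME [WARN_DAYS]
# Exit status: 0 = name matches and still valid for at least WARN_DAYS days
#              1 = expires within WARN_DAYS days (or already expired)
#              2 = certificate does not cover EXPECTED_NAME (hostname changed)
#              3 = file missing or not a parsable PEM certificate
check_gsad_cert() {
    local cert="$1" name="$2" warn_days="${3:-30}"

    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "cannot read certificate: $cert" >&2; return 3; }

    # Name check: -checkhost applies the SAN-first, CN-fallback matching a
    # browser uses, so a renamed scanner is caught even if the CN still fits.
    if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null \
            | grep -q 'does match'; then
        echo "certificate does not cover $name:" >&2
        openssl x509 -in "$cert" -noout -subject >&2
        return 2
    fi

    # Expiry check: -checkend N exits non-zero if the certificate will no
    # longer be valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "certificate expires within $warn_days days:" \
             "$(openssl x509 -in "$cert" -noout -enddate)" >&2
        return 1
    fi
    return 0
}

# Usage with the default paths the scripts in this repo use:
#   fqdn=$(hostname -f)
#   check_gsad_cert "/etc/gvm/certs/$fqdn.crt" "$fqdn" 30 || echo "run update-certificates.sh"
```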