Merge pull request #247 from Secure-Compliance-Solutions-LLC/dev
v21.4.3-v1
austinsonger authored Aug 8, 2021
2 parents fea49b6 + ca2a655 commit 45166f1
Showing 9 changed files with 160 additions and 31 deletions.
3 changes: 3 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Expand Up @@ -7,6 +7,9 @@ assignees: Dexus, pixelsquared

---

**** Before you open a bug issue, please read the documentation. If you do not find an answer to your problem there, please look in the issues that have already been closed. Only if you still have not found an answer to your problem should you open a new issue. ****
** https://securecompliance.gitbook.io/projects/openvas-greenbone-deployment-full-guide **

**Describe the bug**
A clear and concise description of what the bug is.

110 changes: 100 additions & 10 deletions .github/workflows/docker-publish.yml
Expand Up @@ -23,11 +23,94 @@ permissions:
packages: write

jobs:
build_test:
name: Build and Test
build_test_trivy:
name: Build and Test - Trivy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

- name: PrepareReg Names
run: |
echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV
- name: Set tag var
id: vars
run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}

- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
# Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
# Required, if artifact is from a different repo
github_token: ${{secrets.GITHUB_TOKEN}}
# Required, workflow file name or ID
workflow: build-apk.yml
# Optional, will use the branch
branch: master
# Optional, uploaded artifact name,
# will download all artifacts if not specified
# and extract them in respective subdirectories
# https://github.com/actions/download-artifact#download-all-artifacts
name: apk-builds
# Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
path: ${{ github.workspace }}/apk-build/
# Optional, defaults to current repo
repo: Secure-Compliance-Solutions-LLC/GVM-APK-build

- name: Build the Docker image
run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}

- uses: actions/cache@v2.1.4
with:
path: .trivy
key: ${{ runner.os }}-trivy-${{ github.run_id }}
restore-keys: |
${{ runner.os }}-trivy-
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
cache-dir: .trivy

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
if: always()
with:
image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
cache-dir: .trivy

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
if: always()
with:
sarif_file: "trivy-results.sarif"

- name: Correct Trivy cache permissions
if: always()
run: sudo chown -R $USER:$GROUP .trivy

build_test_anchore:
name: Build and Test - Anchore
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

- name: PrepareReg Names
run: |
echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV
- name: Set tag var
id: vars
run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
Expand All @@ -53,13 +136,20 @@ jobs:
repo: Secure-Compliance-Solutions-LLC/GVM-APK-build

- name: Build the Docker image
run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag myapp:${{ steps.vars.outputs.docker_tag }}
run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}

- uses: anchore/scan-action@v2
if: always()
id: scan
with:
image: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
acs-report-enable: true

- name: Scan with Phonito Security
uses: phonito/phonito-scanner-action@master
- name: upload Anchore scan SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v1
with:
image: myapp:${{ steps.vars.outputs.docker_tag }}
phonito-token: ${{ secrets.PHONITO_TOKEN }}
sarif_file: ${{ steps.scan.outputs.sarif }}

build_release:
name: Build and Release
Expand Down Expand Up @@ -179,7 +269,7 @@ jobs:
latest=${{ steps.releasePreareLatestTag.outputs.latest}}
onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
prefix=
suffix=-full
suffix=-full,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
tags: |
type=ref,event=branch
type=ref,event=tag
Expand Down Expand Up @@ -213,7 +303,7 @@ jobs:
latest=${{ steps.releasePreareLatestTag.outputs.latest}}
onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
prefix=
suffix=-data
suffix=-data,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
tags: |
type=ref,event=branch
type=ref,event=pr
Expand Down Expand Up @@ -245,7 +335,7 @@ jobs:
latest=${{ steps.releasePreareLatestTag.outputs.latest}}
onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
prefix=
suffix=-data-full
suffix=-data-full,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
tags: |
type=ref,event=branch
type=ref,event=pr
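Review bot: Both new Trivy steps in build_test_trivy use `uses: aquasecurity/trivy-action@master`, a mutable branch reference, inside a workflow whose `permissions:` block grants `packages: write`, so any future change to that action's master branch runs here with that token and without review; pin it to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release tag>`, and treat `dawidd6/action-download-artifact@v2` and `anchore/scan-action@v2` the same way. The PrepareReg step duplicated in both new jobs interpolates `${{ github.ref }}` straight into a shell line; passing it through an `env:` entry and expanding `"$REF"` keeps ref names out of the shell parser, and the duplicated PrepareReg/Set tag/Download/Build steps would be simpler as one shared build job. In the three `suffix=...,onlatest=...` changes in build_release, the standalone `onlatest=${{ ... }}` line that remains above each `prefix=` does not look like a recognised flavor key for docker/metadata-action and is now redundant with the attribute added to `suffix=`; worth confirming against the action's input format and dropping.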
7 changes: 6 additions & 1 deletion .gitignore
Expand Up @@ -68,4 +68,9 @@ $RECYCLE.BIN/
# Windows shortcuts
*.lnk

apk-build/
# Docker Build Local
/apk-build/
/storage/
# For github.com/nektos/act local workflow testing
.env
.secrets
4 changes: 3 additions & 1 deletion Dockerfile
Expand Up @@ -77,7 +77,7 @@ RUN { \
&& sleep 10 \
&& apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \
&& mkdir -p /var/log/supervisor/ \
&& su -c "mkdir /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm
&& su -c "mkdir -p /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm

COPY gvm-sync-data/gvm-sync-data.tar.xz /opt/gvm-sync-data.tar.xz
COPY scripts/* /
Expand All @@ -86,6 +86,7 @@ COPY config/supervisord.conf /etc/supervisord.conf
COPY config/logrotate-gvm.conf /etc/logrotate.d/gvm
COPY config/redis-openvas.conf /etc/redis.conf
COPY config/sshd_config /etc/ssh/sshd_config
COPY config/* /opt/config/


ARG SETUP=0
Expand All @@ -94,6 +95,7 @@ ENV SETUP=${SETUP:-0} \
OPT_PDF=${OPT_PDF:-0}

RUN env \
&& chmod +x /*.sh \
&& if [ "${SETUP}" == "1" ]; then \
ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" >/etc/timezone \
&& /usr/bin/supervisord -c /etc/supervisord.conf || true ; \
33 changes: 28 additions & 5 deletions Makefile
Expand Up @@ -11,9 +11,32 @@ apkbuild:
make build

.PHONY: build
build:
build: build_latest build_full build_data build_data_full

build_latest:
cd ${PWD} ; \
docker build -t securecompliance/gvm:no-data -t securecompliance/gvm:latest .
build_full:
cd ${PWD} ; \
docker build --build-arg OPT_PDF=1 -t securecompliance/gvm:full .
build_data:
cd ${PWD} ; \
docker build --build-arg SETUP=1 -t securecompliance/gvm:data .
build_data_full:
cd ${PWD} ; \
docker build -t securecompliance/gvm:no-data -t securecompliance/gvm:latest . ; \
docker build --build-arg OPT_PDF=1 -t securecompliance/gvm:no-data-full . ; \
docker build --build-arg SETUP=1 -t securecompliance/gvm:data . ;
docker build --build-arg SETUP=1 --build-arg OPT_PDF=1 -t securecompliance/gvm:data-full . ;
docker build --build-arg SETUP=1 --build-arg OPT_PDF=1 -t securecompliance/gvm:data-full .

run-full:
mkdir -p ${PWD}/storage/postgres-db
mkdir -p ${PWD}/storage/openvas-plugins
mkdir -p ${PWD}/storage/gvm
mkdir -p ${PWD}/storage/ssh
docker run --rm --publish 8080:9392 --publish 5432:5432 --publish 2222:22 \
--env DB_PASSWORD="postgres DB password" \
--env PASSWORD="webUI password" \
--env SSHD="true" \
--volume "${PWD}/storage/postgres-db:/opt/database" \
--volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \
--volume "${PWD}/storage/gvm:/var/lib/gvm" \
--volume "${PWD}/storage/ssh:/etc/ssh" \
--name gvm securecompliance/gvm:data-full
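Review bot: The new `run-full` target hard-codes credentials as literal strings, `--env DB_PASSWORD="postgres DB password"` and `--env PASSWORD="webUI password"`, and publishes the database and SSH ports on every interface with `--publish 5432:5432 --publish 2222:22`, so anyone running `make run-full` on a shared network gets a container whose Postgres and web-UI passwords are committed to a public repository. Read the secrets from the caller's environment and fail when they are unset, `--env DB_PASSWORD="$${DB_PASSWORD:?DB_PASSWORD not set}" --env PASSWORD="$${PASSWORD:?PASSWORD not set}"`, and bind the non-web ports to loopback, `--publish 127.0.0.1:5432:5432 --publish 127.0.0.1:2222:22`. The new `build_latest`, `build_full`, `build_data`, `build_data_full` and `run-full` targets should also be added to the `.PHONY:` line, since none of them produces a file of that name and a stray file called `build_data` would silently skip the build.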
4 changes: 3 additions & 1 deletion scripts/add-scanner.sh
@@ -1,5 +1,7 @@
#!/usr/bin/env bash
set -Eeuo pipefail
touch /var/lib/gvm/.ssh/authorized_keys
chmod 600 /var/lib/gvm/.ssh/authorized_keys

read -p "Scanner Name: " SCANNER_NAME
read -p "Scanner ID: " SCANNER_ID
Expand All @@ -9,5 +11,5 @@ echo "Adding scanner $SCANNER_NAME..."

su -c "gvmd --create-scanner='$SCANNER_NAME' --scanner-type=OpenVAS --scanner-host='/sockets/$SCANNER_ID.sock'" gvm

echo "$SCANNER_KEY\n" >>/var/lib/gvm/.ssh/authorized_keys
echo "${SCANNER_KEY}" >>/var/lib/gvm/.ssh/authorized_keys
chown gvm:gvm -R /var/lib/gvm/.ssh
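Review bot: The new `touch /var/lib/gvm/.ssh/authorized_keys` runs under `set -Eeuo pipefail` before anything in this script guarantees the `.ssh` directory exists; the Dockerfile creates it at build time, but when `/var/lib/gvm` is a volume (as in the Makefile's `run-full` target) that directory is hidden and start.sh only recreates it when SSHD is `true`, so the script aborts on the first line. Add `mkdir -p /var/lib/gvm/.ssh && chmod 700 /var/lib/gvm/.ssh` ahead of the touch. The `chmod 600` here also disagrees with the Dockerfile in this same commit, which creates the same file with `chmod 644`; sshd accepts either as long as the file is not group/world-writable, but pick one mode and use it in both places so the two do not keep flipping the bits.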
2 changes: 2 additions & 0 deletions scripts/migration_v21.4.0_ubuntu_images.sh
@@ -0,0 +1,2 @@
#!/usr/bin/env bash
set -Eeuo pipefail
4 changes: 2 additions & 2 deletions scripts/reset-gvmd-admin-password.sh
100644 → 100755
Expand Up @@ -3,8 +3,8 @@ set -Eeuo pipefail

RESET_USERNAME=${USERNAME:-${GVMD_USER:-admin}}

read -pr "Reset to new password: " RESET_PASSWORD
read -pr "Repeate new password: " RESET_PASSWORD2
read -rp "Reset to new password: " RESET_PASSWORD
read -rp "Repeate new password: " RESET_PASSWORD2

if [ "${RESET_PASSWORD}" == "${RESET_PASSWORD2}" ]; then

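Review bot: The corrected `read -rp` lines still echo the new password to the terminal, and to any session recording or `script` log, as it is typed; since both prompts read a secret, add `-s` and restore the newline the user no longer produces, `read -rsp "Reset to new password: " RESET_PASSWORD; echo` and `read -rsp "Repeate new password: " RESET_PASSWORD2; echo`. The prompt text `Repeate` is also a typo for `Repeat`.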
24 changes: 13 additions & 11 deletions scripts/start.sh
Expand Up @@ -44,7 +44,7 @@ chown -R gvm:gvm /var/lib/openvas/plugins/
#echo 'never' >/sys/kernel/mm/transparent_hugepage/defrag

if [ ! -d "/run/redis" ]; then
mkdir /run/redis
mkdir -p /run/redis
fi

if [ -S /run/redis/redis.sock ]; then
Expand All @@ -53,7 +53,7 @@ fi

if [ ! -d "/run/redis-openvas" ]; then
echo "create /run/redis-openvas"
mkdir /run/redis-openvas
mkdir -p /run/redis-openvas
fi

if [ -S /run/redis-openvas/redis.sock ]; then
Expand Down Expand Up @@ -112,9 +112,10 @@ fi
until (pg_isready --username=postgres >/dev/null 2>&1 && psql --username=postgres --list >/dev/null 2>&1); do
sleep 1
done

if [[ ! -d "/etc/ssh" ]] || [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then
mkdir /etc/ssh
if [[ ! -d "/etc/ssh" ]]; then
mkdir -p /etc/ssh
fi
if [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then
ssh-keygen -A
fi
echo "Generate SSH-HOST Keys"
Expand Down Expand Up @@ -159,7 +160,7 @@ if [ ! -f "/opt/database/.upgrade_to_21.4.0" ]; then
fi

if [ ! -d "/run/gvmd" ]; then
mkdir /run/gvmd
mkdir -p /run/gvmd
chown gvm:gvm -R /run/gvmd/
fi

Expand All @@ -174,7 +175,7 @@ fi

echo "Creating gvmd folder..."
su -c "mkdir -p /var/lib/gvm/gvmd/report_formats" gvm
cp -r /report_formats /var/lib/gvm/gvmd/
#cp -r /report_formats /var/lib/gvm/gvmd/
chown gvm:gvm -R /var/lib/gvm
find /var/lib/gvm/gvmd/report_formats -type f -name "generate" -exec chmod +x {} \;

Expand Down Expand Up @@ -213,7 +214,7 @@ if [ -S /var/run/ospd/ospd.sock ]; then
fi

if [ ! -d /var/run/ospd ]; then
mkdir /var/run/ospd
mkdir -p /var/run/ospd
fi

echo "Starting Open Scanner Protocol daemon for OpenVAS..."
Expand Down Expand Up @@ -281,18 +282,19 @@ if [ "$SSHD" == "true" ]; then
echo "Starting OpenSSH Server..."
if [ ! -d /var/lib/gvm/.ssh ]; then
echo "Creating scanner SSH keys folder..."
mkdir /var/lib/gvm/.ssh
mkdir -p /var/lib/gvm/.ssh
chown gvm:gvm -R /var/lib/gvm/.ssh
fi
if [ ! -d /sockets ]; then
mkdir /sockets
mkdir -p /sockets
chown gvm:gvm -R /sockets
fi
echo "gvm:gvm" | chpasswd
rm -rfv /var/run/sshd
mkdir -p /var/run/sshd
if [ ! -f /etc/ssh/sshd_config ]; then
mv /sshd_config /etc/ssh/sshd_config
cp /opt/config/sshd_config /etc/ssh/sshd_config
chown root:root /etc/ssh/sshd_config
fi
${SUPVISD} start sshd
if [ "${DEBUG}" == "Y" ]; then
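Review bot: The split `/etc/ssh` check at `if [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]` relies on an unquoted command substitution being evaluated as a bare string test, which works only because `[[ ]]` treats an empty result as false; `if [[ -d /etc/ssh/ && -n "$(find /etc/ssh/ -maxdepth 0 -empty)" ]]; then` states the intent. The change also leaves `#cp -r /report_formats /var/lib/gvm/gvmd/` as commented-out code while the `find ... -name "generate" -exec chmod +x` on that directory two lines later still runs; if the report formats are no longer shipped, remove both lines, otherwise say in a comment why the find is kept. The new `cp /opt/config/sshd_config /etc/ssh/sshd_config` in the SSHD block is followed by a chown but no chmod, so the copied file takes its mode from the umask rather than a known value; `chmod 644 /etc/ssh/sshd_config` after the chown would make it explicit.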
