差異處

這裏顯示兩個版本的差異處。

--- tech:openvas [2024/07/16 15:38] – [安裝程序] jonathan
+++ tech:openvas [2025/04/10 15:20] (目前版本) – 4. 當 pg-gvm log 出現 LOG: checkpoints are occurring too frequently jonathan
@@ 行 1: / 行 1: @@
-====== 安裝 OpenVAS (Docker Compose)  ======
+====== 安裝 OpenVAS 主機弱掃方案  ======
   * Alpine 3.19 + Docker Compose
     * vCPU : 4
@@ 行 7: / 行 7: @@
 ===== 安裝程序 =====
   * <cli>
-curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml -o docker-compose.yml
+curl -f -O -L https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml -o docker-compose.yml
-</cli>docker-compose.yml<file>
+curl -f -O -L https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example -o .env
-services:
+</cli>
-  vulnerability-tests:
+  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml | docker-compose.yml}}
-    image: greenbone/vulnerability-tests
+  * 修改符合需要設定
-    environment:
+    - gsa 將 Listen IP Port 由 127.0.0.1:9392:80(只接受本機) 改為 0.0.0.0:9392:80 (接受所有來源)
-      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
+    - openvasd 開啟 API 服務 Listen IP Port: 0.0.0.0:3000:80
-    volumes:
+  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example | .env}}
-      - vt_data_vol:/mnt
+  * 修改 .env 內的 SMTP 設定
+  * 啟動服務 <cli>
+docker compose up -d
+docker compose logs -f
+</cli>
+  * 設定管理者帳號密碼 <cli>
+docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'
+</cli>
+  * 開啟網頁進入管理介面 - http://server-ip:9392 (使用 admin 與設定的密碼登入) \\ {{:tech:螢幕擷取畫面_2024-07-16_152348.png|}} \\ {{:tech:螢幕擷取畫面_2024-07-16_152453.png|}}
+  * 確認弱點資料庫更新狀況 \\ {{:tech:螢幕擷取畫面_2024-07-16_153723.png|}}
+  * 設定更新 script <cli>wget https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh</cli>
+  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh | update.sh}}
+  * 設定可執行權限<cli>chmod a+x update.sh</cli>
-  notus-data:
+===== 問題與解法 =====
-    image: greenbone/notus-data
+==== 1. 手動更新弱點資料庫 ====
-    volumes:
+  * 單純更新 notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects 似乎於更新後系統無法正常運作, 但關閉重啟就可以更新後系統正常運作
-      - notus_data_vol:/mnt
+  * <cli>
+docker compose stop
+docker compose pull
+docker compose up -d
+</cli>
+  * 可以透過 gvmd 查看狀況 <cli>
+docker compose logs -f gvmd
+</cli>當出現類似以下訊息就表示已經正確更新與啟動<cli>
+:
+gvmd-1  | md manage:   INFO:2024-07-25 15h12.53 utc:73: Updating CVSS scores and CVE counts for CPEs
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.21 utc:73: Updating placeholder CPEs
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.34 utc:73: Updating Max CVSS for DFN-CERT
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.36 utc:73: Updating DFN-CERT CVSS max succeeded.
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.36 utc:73: Updating Max CVSS for CERT-Bund
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.37 utc:73: Updating CERT-Bund CVSS max succeeded.
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.38 utc:73: update_scap_end: Updating SCAP info succeeded
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
+gvmd-1  | md manage:   INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
+gvmd-1  | md manage:   INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
+gvmd-1  | md manage:   INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).
+gvmd-1  | md manage:   INFO:2024-07-25 15h15.35 utc:207: Assigning EPSS scores to VTs
+</cli>
-  scap-data:
+==== 2. 寄信 SMTP 設定與除錯 ====
-    image: greenbone/scap-data
+  * 參考 - https://greenbone.github.io/docs/latest/22.4/container/workflows.html#setting-up-a-mail-transport-agent-inside-docker-container
-    volumes:
+  * 如果透過 Test Alert 發現異常, 可以進去 gvmd 容器內 debug <cli>
-      - scap_data_vol:/mnt
+docker exec -it root-gvmd-1 bash
+</cli>
+    - 確認環境變數是否正確 Exp.<cli>
+root@1b2fce44fcf3:/# env
+MTA_PORT=587
+HOSTNAME=1b2fce44fcf3
+MTA_STARTTLS=on
+MTA_PASSWORD=xxxPasswordxxx
+MTA_TLS=on
+PWD=/
+MTA_USER=jonathan
+HOME=/root
+MTA_AUTH=on
+MTA_HOST=smtp.gmail.com
+TERM=xterm
+[email protected]
+SHLVL=1
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+_=/usr/bin/env
+</cli>
+    - 測試寄信看問題 Exp.<cli>
+root@1b2fce44fcf3:/# msmtp -d -f [email protected] [email protected]
+aaa
+bbb
+ccc
+.
-  cert-bund-data:
+loaded system configuration file /etc/msmtprc
-    image: greenbone/cert-bund-data
+ignoring user configuration file /root/.msmtprc: No such file or directory
-    volumes:
+falling back to default account
-      - cert_data_vol:/mnt
+:
+:
+aliases = (not set)
+reading recipients from the command line
+<-- 220 smtp.gmail.com ESMTP ready
+--> EHLO localhost
+<-- 250-smtp.gmail.com
+<-- 250-PIPELINING
+<-- 250-SIZE 50000000
+<-- 250-ETRN
+<-- 250-ENHANCEDSTATUSCODES
+<-- 250-8BITMIME
+<-- 250-DSN
+<-- 250 STARTTLS
+--> STARTTLS
+<-- 220 2.0.0 Start TLS
+msmtp: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
+msmtp: could not send mail (account default from /etc/msmtprc)
+</cli>
+    - 發現問題是無法驗證憑證, 透過安裝或更新信任根憑證來解決<cli>
+apt update
+apt install ca-certificates -y
+</cli>如果已經離開容器, 可以改用<cli>
+docker exec root-gvmd-1 apt update
+docker exec root-gvmd-1 apt install ca-certificates -y
+</cli>
-  dfn-cert-data:
+==== 3. 檔案空間被 openvas.log 大量使用議題 ====
-    image: greenbone/dfn-cert-data
+  * 主要會將 log 寫入 /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
-    volumes:
+  * 這紀錄檔案不特別處理, 一段時間有可能超過 100G
-      - cert_data_vol:/mnt
+  * 解決方式:
-    depends_on:
+    - 配合定期更新週期一起刪除, docker compose 啟動會自動建立 <cli>
-      - cert-bund-data
+docker compose down
+rm /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
-  data-objects:
+docker compose pull
-    image: greenbone/data-objects
+docker compose up -d
-    volumes:
+</cli>
-      - data_objects_vol:/mnt
+    - 設定環境變數 LOG_LEVEL: 1 (只紀錄 ERROR 與 WARNING)<cli>
+vi docker-compose.yml</cli><file>
-  report-formats:
+:
-    image: greenbone/report-formats
-    volumes:
-      - data_objects_vol:/mnt
-    depends_on:
-      - data-objects
-  gpg-data:
-    image: greenbone/gpg-data
-    volumes:
-      - gpg_data_vol:/mnt
-  redis-server:
-    image: greenbone/redis-server
-    restart: on-failure
-    volumes:
-      - redis_socket_vol:/run/redis/
-  pg-gvm:
-    image: greenbone/pg-gvm:stable
-    restart: on-failure
-    volumes:
-      - psql_data_vol:/var/lib/postgresql
-      - psql_socket_vol:/var/run/postgresql
-  gvmd:
-    image: greenbone/gvmd:stable
-    restart: on-failure
-    volumes:
-      - gvmd_data_vol:/var/lib/gvm
-      - scap_data_vol:/var/lib/gvm/scap-data/
-      - cert_data_vol:/var/lib/gvm/cert-data
-      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
-      - vt_data_vol:/var/lib/openvas/plugins
-      - psql_data_vol:/var/lib/postgresql
-      - gvmd_socket_vol:/run/gvmd
-      - ospd_openvas_socket_vol:/run/ospd
-      - psql_socket_vol:/var/run/postgresql
-    depends_on:
-      pg-gvm:
-        condition: service_started
-      scap-data:
-        condition: service_completed_successfully
-      cert-bund-data:
-        condition: service_completed_successfully
-      dfn-cert-data:
-        condition: service_completed_successfully
-      data-objects:
-        condition: service_completed_successfully
-      report-formats:
-        condition: service_completed_successfully
-  gsa:
-    image: greenbone/gsa:stable
-    restart: on-failure
-    ports:
-      - 0.0.0.0:9392:80
-    volumes:
-      - gvmd_socket_vol:/run/gvmd
-    depends_on:
-      - gvmd
   # Sets log level of openvas to the set LOG_LEVEL within the env
   # and changes log output to /var/log/openvas instead /var/log/gvm
@@ 行 110: / 行 133: @@
   configure-openvas:
     image: greenbone/openvas-scanner:stable
+    environment:
+      LOG_LEVEL: 1
     volumes:
       - openvas_data_vol:/mnt
@@ 行 117: / 行 142: @@
       - -c
       - |
-        printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
+:
-        sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
+</file>重起 docker compose<cli>
-        chmod 644 /mnt/openvas.conf
+docker compose down
-        chmod 644 /mnt/openvas_log.conf
+docker compose up -d
-        touch /var/log/openvas/openvas.log
+</cli>
-        chmod 666 /var/log/openvas/openvas.log
-  # shows logs of openvas
+==== 4. 當 pg-gvm log 出現 LOG:  checkpoints are occurring too frequently ====
-  openvas:
+  * 可能是執行環境的 DiskIO 比較慢出現的訊息, 可以加大 PostgreSQL 的 max_wal_size (預設是1GB)
-    image: greenbone/openvas-scanner:stable
+  * Exp. 設定加大為 2GB
+    - 建立 max_wal.conf<file>
+max_wal_size = 2GB
+</file>
+    - 修改 docker-compose.yml <file>
+:
+  pg-gvm:
+    image: registry.community.greenbone.net/community/pg-gvm:stable
     restart: on-failure
     volumes:
-      - openvas_data_vol:/etc/openvas
+      - psql_data_vol:/var/lib/postgresql
-      - openvas_log_data_vol:/var/log/openvas
+      - psql_socket_vol:/var/run/postgresql
-    command:
+      - ./max_wal.conf:/etc/postgresql/13/main/conf.d/max_wal.conf
-      - /bin/sh
+:
-      - -c
-      - |
-        cat /etc/openvas/openvas.conf
-        tail -f /var/log/openvas/openvas.log
-    depends_on:
-      configure-openvas:
-        condition: service_completed_successfully
-  openvasd:
-    image: greenbone/openvas-scanner:stable
-    restart: on-failure
-    environment:
-      # `service_notus` is set to disable everything but notus,
-      # if you want to utilize openvasd directly removed `OPENVASD_MODE`
-      OPENVASD_MODE: service_notus
-      GNUPGHOME: /etc/openvas/gnupg
-      LISTENING: 0.0.0.0:80
-    volumes:
-      - openvas_data_vol:/etc/openvas
-      - openvas_log_data_vol:/var/log/openvas
-      - gpg_data_vol:/etc/openvas/gnupg
-      - notus_data_vol:/var/lib/notus
-    # enable port forwarding when you want to use the http api from your host machine
-    ports:
-      - 0.0.0.0:3000:80
-    depends_on:
-      vulnerability-tests:
-        condition: service_completed_successfully
-      configure-openvas:
-        condition: service_completed_successfully
-      gpg-data:
-        condition: service_completed_successfully
-    networks:
-      default:
-        aliases:
-          - openvasd
-  ospd-openvas:
-    image: greenbone/ospd-openvas:stable
-    restart: on-failure
-    hostname: ospd-openvas.local
-    cap_add:
-      - NET_ADMIN # for capturing packages in promiscuous mode
-      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
-    security_opt:
-      - seccomp=unconfined
-      - apparmor=unconfined
-    command:
-      [
-        "ospd-openvas",
-        "-f",
-        "--config",
-        "/etc/gvm/ospd-openvas.conf",
-        "--notus-feed-dir",
-        "/var/lib/notus/advisories",
-        "-m",
-        "666"
-      ]
-    volumes:
-      - gpg_data_vol:/etc/openvas/gnupg
-      - vt_data_vol:/var/lib/openvas/plugins
-      - notus_data_vol:/var/lib/notus
-      - ospd_openvas_socket_vol:/run/ospd
-      - redis_socket_vol:/run/redis/
-      - openvas_data_vol:/etc/openvas/
-      - openvas_log_data_vol:/var/log/openvas
-    depends_on:
-      redis-server:
-        condition: service_started
-      gpg-data:
-        condition: service_completed_successfully
-      vulnerability-tests:
-        condition: service_completed_successfully
-      configure-openvas:
-        condition: service_completed_successfully
-  gvm-tools:
-    image: greenbone/gvm-tools
-    volumes:
-      - gvmd_socket_vol:/run/gvmd
-      - ospd_openvas_socket_vol:/run/ospd
-    depends_on:
-      - gvmd
-      - ospd-openvas
-volumes:
-  gpg_data_vol:
-  scap_data_vol:
-  cert_data_vol:
-  data_objects_vol:
-  gvmd_data_vol:
-  psql_data_vol:
-  vt_data_vol:
-  notus_data_vol:
-  psql_socket_vol:
-  gvmd_socket_vol:
-  ospd_openvas_socket_vol:
-  redis_socket_vol:
-  openvas_data_vol:
-  openvas_log_data_vol:
 </file>
-  * 啟動服務 <cli>
+    - 重起 docker compose <cli>
-docker compose -p greenbone-community-edition up -d
+docker compose down
-docker compose -p greenbone-community-edition logs -f
+docker compose up -d
 </cli>
-  * 設定管理者帳號密碼 <cli>
+    - 檢視設定是否成功 <cli>
-docker compose -p greenbone-community-edition exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'
+$ docker compose exec pg-gvm psql -U gvmd -c "SHOW max_wal_size;"
+ max_wal_size
+--------------
+GB
+(1 row)
 </cli>
-  * 開啟網頁進入管理介面 - http://server-ip:9392 (使用 admin 與設定的密碼登入) \\ {{:tech:螢幕擷取畫面_2024-07-16_152348.png|}} \\ {{:tech:螢幕擷取畫面_2024-07-16_152453.png|}}
+    - 檢視 pg-gvm log 是否不再出現 LOG:  checkpoints are occurring too frequently <cli>
-  * 確認弱點資料庫更新狀況 \\ {{:tech:螢幕擷取畫面_2024-07-16_153723.png|}}
+docker compose logs -f pg-gvm
+</cli>如果還是出現, 可以考慮加大 max_wal_size Exp. 4GB
 ===== 參考網址 =====
   * https://greenbone.github.io/docs/latest/22.4/container/index.html
-{{tag>draft openvas 主機弱掃}}
+{{tag>openvas 主機弱掃}}