Commit 8282086c authored by Javier Fernandez-Sanguino Pen~a, committed by Lock Lin

Import Debian patch 3.0.2-1

parent 068737f7
OpenVAS in Debian
+---------------+
How to use OpenVAS?
-------------------
As the root user:
* Check that you have proper SSL certificates at /var/lib/openvas/CA,
if the directory is empty set up the server certificate with
`openvas-mkcert'. (Note: certificates are generated automatically
when the openvas-scanner package is installed)
* Set up a user with `openvas-adduser'.
- If you wish to setup certificate-based authentication: set up the client
certificate with `openvas-mkcert-client' and save the private key.
* Run either '/etc/init.d/openvas-scanner start' or `openvassd' in order to
* start the daemon.
As a normal user in either the system were OpenVAS (the server) is installed:
* If using certificates for authentication, copy over the private
key generated before to your HOME directory.
* In an X session start the OpenVAS-Client program (you need to have the
`openvas-client' package installed the system you are workin on)
by executing `openvas-client' from a shell or from your Desktop's
menu (it should be available at Applications --> System tools)
* Setup a connection to the machine where OpenVAS (the server) is
running. If you are running both in the same machine select 'localhost'. If
you are running the server in a different system:
- verify that there are no firewall rules blocking the client from
connecting to the OpenVAS server (TCP port 4391)
- verify that the TCP wrappers configuration (/etc/hosts.{allow,deny})
allow the client to connect to the server (be careful if
'ALL: PARANOID' is defined in /etc/hosts.deny and the client has no
reverse name resolution)
* Depending on how you setup the user using `openvas-adduser' you have
to either use a username/password or select the private key of the
certificate generate using 'openvas-mkcert-client'
* Setup a test security analysis run against a server.
OpenVAS has a test to detect if the program itself is running, because it is a
potential security problem, so it wouldn't seem wise to automatically start it
on boot-up.
Remember to `killall openvassd' (as root) after you finish with `openvassd'.
The package installs an init script for openvassd at /etc/init.d/openvas-scanner,
courtesy of Luca Andreucci <andrew@andrew.org> and others. By default, this
init script will not be run when the system starts up, it is only configured
to stop openvassd when the system stops (to prevent it from being killed and
give it a chance to stop graciously)
If you want to use that init script to start up openvassd you just have to
execute '/etc/init.d/openvas-scanner start' and you are done.
If you want to have the init-scripts run on system startup then either run:
# update-rc.d -f remove openvas-scanner
# update-rc.d openvas-scanner defaults
or run:
# for rc in 3 4 5 ; do cd /etc/rc${rc}.d/ && ln -s ../init.d/openvas-scanner S20openvas-scanner; done
to setup the symbolic links properly.
Debian defaults
---------------
Before you change Debian's openvassd.conf file (available at
/etc/openvas/) consider this:
0.- signature checks (nasl_no_signature_check) only apply to "trusted"
plugins, and those are the plugins that do remote local security checks
(through SSH connections that need to be preconfigured by the OpenVAS admin)
1.- you shouldn't give access to the OpenVAS daemon to users you don't trust,
or allow them to upload plugins. Giving access to users is equivalent to
allowing them to launch remote attacks to any system your OpenVAS server is
connected to. If you have local security checks it's equivalente to granting
them SSH access to the remote hosts you have configured (if any)
2.- The openvas-plugins package does _not_ automatically run
openvas-update-plugins, you have to do this manually. Review the plugins
retrieved by this before you run your OpenVAS server
3.- Be careful when setting up remote SSH access so that OpenVAS can run
local security checks since you are (effectively) given console access
to remote servers. Always use a non-root account for this.
4.- Also be aware that by default openvassd only listens on port 9390 on
127.0.0.1. If you wish to change this, then check out /etc/default/openvas-scanner.
-------------------------------
Sun, 12 Oct 2008 12:54:51 +0100
Tim Brown <timb@nth-dimension.org.uk>
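Review bot: the firewall bullet under "Setup a connection" tells readers to open TCP port 4391, but item 4 of "Debian defaults" says openvassd listens on port 9390 and the defaults file sets DAEMONOPTS="-q -p 9390"; the client guidance should name 9390 too, otherwise a remote client gets a hole punched for the wrong port. Two smaller things in the same file: the "Run either '/etc/init.d/openvas-scanner start' or `openvassd'" bullet has a stray "* " on its continuation line ("* start the daemon."), and "in either the system were OpenVAS" should read "on the system where OpenVAS". Since item 1 states that a user with access can launch attacks from the server against anything it can reach, the "`killall openvassd'" advice could simply point at the init script's stop target, which the file describes a few lines later and which also cleans up the pidfile.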
We use dpatch for patch handling inside our package(s). Please see
/usr/share/doc/dpatch/README.source.gz (if you have installed dpatch) for
documentation about dpatch.
- Just in case, if upgrading from openvas-server, copy over the contents
from old configuration files:
- /etc/default/openvas-server to /etc/default/openvas-scanner
- /etc/logrotate.d/openvas-server to /etc/logrotate.d/openvas-scanner
- /etc/openvas/openvasd.conf to /etc/openvas/openvassd.conf
in the preinst
Source: openvas-scanner
Section: admin
Priority: optional
Maintainer: Debian OpenVAS Maintainers <openvas-distro-deb@wald.intevation.org>
Uploaders: Tim Brown <timb@nth-dimension.org.uk>, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>, Jan Wagner <waja@cyconet.org>, Joey Schulze <joey@infodrom.org>
Build-Depends: debhelper (>= 5), autotools-dev, libgcrypt11-dev, libglib2.0-dev, libgnutls-dev, libopenvas3-dev (>= 3.0.0), libpcap-dev, libwrap0-dev, pkg-config, po-debconf, devscripts, dpatch, hardening-wrapper
Homepage: http://www.openvas.org/
Vcs-Browser: https://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-packaging/openvas-scanner/debian/trunk/debian/?root=openvas
Vcs-Svn: https://svn.wald.intevation.org/svn/openvas/trunk/openvas-packaging/openvas-scanner/debian/trunk/debian/
Standards-Version: 3.8.3
Package: openvas-scanner
Section: net
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
Replaces: openvas-server, openvas-plugins
Conflicts: openvas-server, openvas-plugins, openvas-plugins-base, openvas-plugins-dfsg (<= 1.0.7-6+svn20100320)
Recommends: rsync, nmap
Suggests: openvas-client, snmp, pnscan, strobe, ike-scan
Description: remote network security auditor - scanner
The Open Vulnerability Assessment System is a modular security auditing
tool, used for testing remote systems for vulnerabilities that should be
fixed.
.
It is made up of two parts: a scan server, and a client. The scanner/daemon,
openvassd, is in charge of the attacks, whereas the client,
OpenVAS-Client, provides an X11/GTK+ user interface.
.
This package provides the scanner.
This is the prepackaged version of the Open Vulnerability Assessment
System server for Debian GNU/Linux from sources obtained from:
http://www.openvas.org/
This software has been packaged for Debian by
* Tim Brown <timb@nth-dimension.org.uk>
* Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
* Joey Schulze <joey@infodrom.org>
Copyright:
- OpenVAS server:
* Portions Copyright (C) 2006 Software in the Public Interest, Inc.
* Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
* Copyright (C) 1998 - 2004 Renaud Deraison <deraison@nessus.org>
* Based on work Copyright (C) 2001 Michel Arboi [ssl]
* Portions Copyright (C) 2007, 2008, 2009 Greenbone Networks GmbH
- OpenVAS documentation:
* Copyright (C) 2004 Tenable Network Security
* Copyright (C) mjh-EDV Beratung, 1996-1999
- Include files
* Portions Copyright (C) 2006 Software in the Public Interest, Inc.
* Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
- Translations
* Boris Wolf
* Miroslav Kure
* Matthias Julius
* Javier Fernandez-Sanguino
* Christophe Masson
* Jacobo Tarrio
* Kurt De Bree
* Pedro Ribeiro
* Eder L. Marques
* Daniel Nylander
* Martin Bagge
Other copyrights:
- Autoconf:
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
Inc.
Authors:
- OpenVAS server:
* Renaud Deraison
* Michael Arboi [ssl]
* Alexis de Bernis
* Axel Nennker
* Beirne Kornarksi
* Benoit Brodard
* Boris Wolf
* Brian
* Christoph Puppe
* Cyril Leclerc
* Devin Kowatch
* Dion Stempfley
* Erik Anderson
* Frank Migge
* Gabriel L. Somlo
* Georges Dagousset
* Guillaume Valadon
* H D Moore
* Iouri Pletnev
* Isaac Dawson
* Javier Fernandez-Sanguino
* Jay
* Jenni Scott
* Jordan Hrycaj
* Julien Bordet
* Laurent FACQ
* Loren Bandiera
* Michael Scheidell
* Michael Slifcak
* Michel Arboi
* Michel Scheidell
* Nicolas Dubee
* Nicolas Pouvesle
* Pasi Eronen
* Pavel Kankovky
* Pavel Kankovsky
* Peter Gr�ndl
* Renaud Deraison
* Rodolfo Baader
* Simon Law
* Stephen Friedl
* Xueyong Zhi
* Zorgon
License:
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2,
as published by the Free Software Foundation
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
The Debian packaging is licensed under the GPL-3, and
(c) 2008, Tim Brown <timb@nth-dimension.org.uk>
(c) 2008, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
(c) 2008, Joey Schulze <joey@infodrom.org>
(c) 2008, 2009 Jan Wagner <waja@cyconet.org>
On Debian systems, the complete text of the GNU General
Public License version 3 can be found in `/usr/share/common-licenses/GPL-3'.
Portions of the Debian packing are heavily based on the packaging of
nessusd which includes scripts which is licensed under the GPL written
by
* Miquel van Smoorenburg <miquels@drinkel.ow.org>
* Ian Murdock <imurdock@gnu.ai.mit.edu>
* Luca Andreucci <andrew@andrew.org>
* Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
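Review bot: the author list under "OpenVAS server" contains a non-UTF-8 byte in "Peter Gr�ndl" and several near-duplicate entries ("Michael Arboi" / "Michel Arboi", "Michael Scheidell" / "Michel Scheidell", "Pavel Kankovky" / "Pavel Kankovsky"); debian/copyright should be valid UTF-8 with each contributor listed once under one spelling. Minor wording in the packaging paragraph: "Portions of the Debian packing are heavily based on the packaging of nessusd which includes scripts which is licensed under the GPL" should read "Debian packaging ... which includes scripts licensed under the GPL".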
#!/bin/sh -e
# Only ask debconf questions if no certificate is present
if [ ! -f /var/lib/openvas/CA/cacert.pem ] || [ ! -f /var/lib/openvas/CA/servercert.pem ]; then
. /usr/share/debconf/confmodule
db_input low openvassd/certificate || true
# TODO: All these fields (specially numeric fields should be
# reviewed to make sure that the data is sane)
# Numeric:
db_input medium openvassd/califetime || true
db_input medium openvassd/srvlifetime || true
# Set a default
if [ ! -z "$LANG" ]; then
DC=`echo $LANG | sed -n 's/^..*_\(..\)$/\1/p'`
fi
[ -n "$DC" ] && db_set openvassd/country $DC
# Two letter code:
db_input medium openvassd/country || true
# Free text: (i.e. no validation needed) but might need
# to be limited to a given size
db_input medium openvassd/province || true
db_input medium openvassd/location || true
db_input medium openvassd/organization || true
db_go
fi
#DEBHELPER#
exit 0
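Review bot: the country default is derived with `sed -n 's/^..*_\(..\)$/\1/p'`, which only matches a bare locale such as en_GB; the far more common LANG=en_GB.UTF-8 yields an empty DC, so db_set is never run. The postinst uses `s/^..*_\(..\).*$/\1/p' for the same job, and the config script should adopt that pattern so the two agree. Separately, db_set runs on every invocation, so a country the admin already answered is overwritten by the locale guess on dpkg-reconfigure; guard it with a db_get and only seed when the stored value is empty. The TODO about validating califetime and srvlifetime is worth resolving before upload: the postinst reads lifetime values (CACERT_LIFETIME, SRVCERT_LIFETIME) that are evidently meant to come from these questions and hands them to OpenSSL as certificate lifetimes, so a non-numeric answer breaks certificate generation at install time.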
# Additional options for the daemon
# -q prevents OpenVAS scanner from listing all the plugins it loads
DAEMONOPTS="-q -p 9390"
# Time to wait for the daemon to die before restarting it
# (in seconds)
# DODTIME=5
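Review bot: the README's item 4 sends admins to this file to change the 127.0.0.1-only listen address, but DAEMONOPTS only sets the port (-p 9390); either add a commented-out example of the listen-address option here or reword the README so it does not promise something this file cannot do. The DODTIME comment says "before restarting it", while the init script uses the same value as the grace period before escalating from SIGTERM to SIGKILL; the comment should describe that. Note also that DAEMONOPTS here ("-q -p 9390") and the init script's built-in fallback ("-q") differ; that is fine for a conffile, but the fallback without -p relies on the daemon's compiled-in port, so the README's statement about 9390 depends on this file being present.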
usr/bin
usr/sbin
usr/share/man/man1
usr/share/man/man8
var/run
var/lib/openvas
var/lib/openvas/CA
var/lib/openvas/private/CA
usr/lib/openvas/plugins
var/lib/openvas/plugins
var/log/openvas
var/cache/openvas
etc/openvas
etc/openvas/gnupg
#!/bin/sh -e
#
# /etc/init.d/openvassd
#
# Originally written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for nessusd by Luca Andreucci <andrew@andrew.org>
# Further changes by Javier Fernandez-Sanguino <jfs@debian.org> for the
# Debian GNU/Linux distribution
# Even more changes for Debian GNU/Linux openvas-scanner package by
# Tim Brown <timb@nth-dimension.org.uk>
#
### BEGIN INIT INFO
# Provides: openvas-scanner
# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop: 0 6
# Short-Description: Start and stop the OpenVAS daemon
# Description: Controls the main OpenVAS daemon "openvassd".
### END INIT INFO
# daemon options
DAEMONOPTS="-q"
# time to wait for daemons death, in seconds
# don't set it too low or you might not let openvassd die gracefully
DODTIME=5
[ -r /etc/default/openvas-scanner ] && . /etc/default/openvas-scanner
DAEMON=/usr/sbin/openvassd
PIDFILE=/var/run/openvassd.pid
NAME=openvassd
LABEL="OpenVAS Scanner"
test -x $DAEMON || exit 0
running()
{
# No pidfile, probably no daemon present
#
[ ! -f "$PIDFILE" ] && return 1
pid=`cat $PIDFILE`
# No pid, probably no daemon present
[ -z "$pid" ] && return 1
[ ! -d /proc/$pid ] && return 1
cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
# No openvassd?
[ "$cmd" != "$NAME" ] && return 1
return 0
}
warn_cert_file() {
echo -n "WARN: The (expected) certificate file $1 is not available." >&2
echo -n "The OpenVAS daemon might not start up." >&2
}
check_certs() {
if [ -z "`grep ^ca_file /etc/openvas/openvassd.conf`" ] ; then
echo -n "WARN: The openvassd configuration file does not contain certificate settings. Have you run openvas-mkcert? (openvassd might not start)" >&2
fi
CERTDIR=/var/lib/openvas/CA/
PRIVCERTDIR=/var/lib/openvas/private/CA/
for cert in cacert.pem servercert.pem; do
[ ! -r "$CERTDIR/$cert" ] && warn_cert_file "$CERTDIR/$cert"
done
for cert in cakey.pem serverkey.pem; do
[ ! -r "$PRIVCERTDIR/$cert" ] && warn_cert_file "$CERTDIR/$cert"
done
}
openvas_start() {
if [ ! -r /etc/openvas/openvassd.conf ] ; then
echo -n "ERROR: Cannot read openvas configuration file, are you root?" >&2
return 1
fi
check_certs
start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS 2>&1 >/dev/null
errcode=$?
# If we don't sleep then running() might not see the pidfile
sleep $DODTIME
return $errcode
}
force_stop() {
[ ! -e "$PIDFILE" ] && return
if running ; then
kill -15 $pid
# Is it really dead?
sleep "$DODTIME"s
if running ; then
kill -9 $pid
sleep "$DODTIME"s
if running ; then
echo "Cannot kill $LABEL (pid=$pid)!"
exit 1
fi
fi
fi
rm -f $PIDFILE
}
case "$1" in
start)
echo -n "Starting $LABEL: "
if openvas_start && running ; then
echo "openvassd."
else
echo "ERROR."
exit 1
fi
;;
stop)
echo -n "Stopping $LABEL: "
if running ; then
start-stop-daemon --stop --pidfile $PIDFILE --quiet --oknodo --exec $DAEMON
sleep "$DODTIME"s
fi
if running; then
force_stop
fi
echo "openvassd."
;;
restart)
echo -n "Restarting $LABEL: "
if running; then
start-stop-daemon --stop --pidfile $PIDFILE --quiet --oknodo --exec $DAEMON
sleep "$DODTIME"s
fi
if running; then
force_stop
fi
if openvas_start && running ; then
echo "openvassd."
else
echo "ERROR."
exit 1
fi
;;
reload|force-reload)
echo -n "Reloading $LABEL configuration files: "
start-stop-daemon --stop --pidfile $PIDFILE --signal 1 --exec $DAEMON
sleep "$DODTIME"s
if running ; then
echo "done."
else
echo "ERROR."
exit 1
fi
;;
status)
echo -n "$LABEL is "
if running ; then
echo "running"
else
echo " not running."
exit 1
fi
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}"
exit 1
;;
esac
exit 0
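Review bot: in check_certs the private-key loop warns with the wrong path: `[ ! -r "$PRIVCERTDIR/$cert" ] && warn_cert_file "$CERTDIR/$cert"` reports /var/lib/openvas/CA/cakey.pem when the missing file is under /var/lib/openvas/private/CA/, pointing the admin at a directory the key was never expected in; pass "$PRIVCERTDIR/$cert". Two more points: `start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS 2>&1 >/dev/null` in openvas_start applies the redirections in order, so stderr goes to the terminal and stdout to /dev/null, presumably the opposite of what was intended (`>/dev/null 2>&1`); and the LSB header lists only $remote_fs in Required-Start, whereas a daemon that binds a TCP port should also require $network (and $syslog if it logs through syslog). The two warn_cert_file messages use echo -n with no separator, so the sentences run together with whatever is printed next.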
usr/bin/*
usr/sbin/*
usr/share/man/man1/*
usr/share/man/man8/*
var/lib/openvas/openvas-services
usr/lib/openvas/plugins/*
etc/openvas/openvassd.conf
usr/lib/openvas/plugins/find_service.nes var/lib/openvas/plugins/find_service.nes
usr/lib/openvas/plugins/openvas_tcp_scanner.nes var/lib/openvas/plugins/openvas_tcp_scanner.nes
usr/lib/openvas/plugins/ssl_ciphers.nes var/lib/openvas/plugins/ssl_ciphers.nes
usr/lib/openvas/plugins/synscan.nes var/lib/openvas/plugins/synscan.nes
/var/log/openvas/openvassd.messages {
missingok
notifempty
create 640 root adm
daily
rotate 7
compress
postrotate
if [ -s /var/lib/openvas/openvassd.pid ]; then kill -1 `cat /var/lib/openvas/openvassd.pid`; fi
if [ -s /var/run/openvassd.pid ]; then kill -1 `cat /var/run/openvassd.pid`; fi
openvaslogs=`ls /var/log/openvas/openvassd.messages.*`
if [ -n "$openvaslogs" ]; then
chown root:adm $openvaslogs
chmod 640 $openvaslogs
fi
endscript
}
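Review bot: the postrotate script sends SIGHUP to whatever pid sits in /var/lib/openvas/openvassd.pid or /var/run/openvassd.pid; the init script only ever writes /var/run/openvassd.pid, so the first path is dead code, and a stale pidfile after an unclean shutdown would deliver the HUP to an unrelated process that has since reused the pid. Prefer `invoke-rc.d openvas-scanner reload > /dev/null`, which goes through the init script's reload target and its `start-stop-daemon --stop --signal 1 --pidfile ... --exec /usr/sbin/openvassd` (so the executable behind the pid is checked), over a raw `kill -1`. The chown/chmod block is harmless but redundant: `create 640 root adm` already fixes the new file, and the rotated file keeps the permissions it had.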
#! /bin/bash
# Postinst script for OpenVAS, written by Javier Fernandez-Sanguino
# Uses code from openvas-mkcert, which was written by Renaud Deraison
# <deraison@cvs.nessus.org> and Michel Arboi <arboi@alussinan.org>
#
# This script is distributed under the Gnu General Public License (GPL)
#
set -e
. /usr/share/debconf/confmodule
test $DEBIAN_SCRIPT_DEBUG && set -v -x
# Location of the certificates
OPENVASPRIV="/var/lib/openvas/private/CA"
OPENVASPUB="/var/lib/openvas/CA"
CAKEY=$OPENVASPRIV/cakey.pem
CACERT=$OPENVASPUB/cacert.pem
#
SRVKEY=$OPENVASPRIV/serverkey.pem
SRVCERT=$OPENVASPUB/servercert.pem
# Our umask for all files
umask 077
openvas_mkcert ()
{
RANDFLAG=""
PATH=/usr/sbin:/usr/bin:/bin:/sbin
if [ ! -d "$OPENVASPRIV" ]; then
mkdir -p "$OPENVASPRIV"
chmod 0700 "$OPENVASPRIV"
echo "$OPENVASPRIV created"
fi
if [ ! -d "$OPENVASPUB" ]; then
mkdir -p "$OPENVASPUB"
chmod a+rx "$OPENVASPUB"
echo "$OPENVASPUB created"
fi
# Set environment
BASEDIR=`mktemp -d -t openvas-mkcert.XXXXXX` || { echo "$program: Cannot create temporary dir!" >&2 ; exit 1; }
trap " [ -d \"$BASEDIR\" ] && rm -rf -- \"$BASEDIR\"" 0 1 2 3 13 15
SRVREQ=$BASEDIR/serverreq.pem
# Defaults
[ -n "$CACERT_LIFETIME" ] && CACERT_LIFETIME=1460
[ -n "$SRVCERT_LIFETIME" ] && SRVCERT_LIFETIME=365
if [ ! -z "$LANG" ]; then
DC=`echo $LANG | sed -n 's/^..*_\(..\).*$/\1/p'`
fi
[ -z "$DC" ] && DC="??"
[ -z "$COUNTRY" ] && COUNTRY=$DC
[ -z "$PROVINCE" ] && PROVINCE=""
[ -z "$LOCATION" ] && LOCATION=""
[ -z "$ORGANIZATION" ] && ORGANIZATION="OpenVAS"
cat <<EOF>$BASEDIR/std000.cnf
RANDFILE = $HOME/.rnd
#
[ ca ]
default_ca = OpenVASCA
[ OpenVASCA ]
dir = $BASEDIR # Where everything is kept
certs = \$dir # Where the issued certs are kept
crl_dir = \$dir # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir # default place for new certs.
certificate = $CACERT # The CA certificate
serial = \$dir/serial # The current serial number
crl = \$dir/crl.pem # The current CRL
private_key = $CAKEY # The private key
x509_extensions = usr_cert # The extentions to add to the cert
crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
# attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 255
emailAddress = Email Address
emailAddress_max = 255
# SET-ex3 = SET extension number 3
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType = NSCERTTYPE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
# Copy subject details
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
#####
sed 's/NSCERTTYPE/server/g' < $BASEDIR/std000.cnf > $BASEDIR/std.cnf
sed 's/NSCERTTYPE/client/g' < $BASEDIR/std000.cnf > $BASEDIR/stdC.cnf
hostname=`hostname`
if [ -z "$hostname" ];
then
echo "An error occured while trying to determine hostname !"
exit 1
fi
# The value for organizationalUnitName must be 64 chars or less;
# thus, hostname must be 36 chars or less. If it's too big,
# try removing domain.
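Review bot: the lifetime defaults in openvas_mkcert are inverted: `[ -n "$CACERT_LIFETIME" ] && CACERT_LIFETIME=1460` and the matching SRVCERT_LIFETIME line overwrite a value that is already set and leave the variable empty when it is not, the opposite of the `[ -z ... ] && VAR=default` idiom used for DC, COUNTRY and ORGANIZATION a few lines further down; change both tests to -z, otherwise a debconf-supplied lifetime is discarded and an unset one leaves the openssl -days argument empty. Smaller points in the same function: the mktemp failure message interpolates `$program`, which is never set; the generated OpenSSL config uses default_bits = 1024 and default_md = sha1, so certificates created at install time are 1024-bit RSA signed with SHA-1 (the CA one for four years), and raising these to 2048 and sha256 costs nothing here while avoiding certificates that will have to be regenerated early; and `server\'s hostname` inside the unquoted here-document keeps the backslash literally in the prompt text.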