Commit f4bcb1d2 authored by Sophie Brun's avatar Sophie Brun

Merge branch 'upstream' into kali/master

parents e909d367 38702e4f
openvas-scanner 5.1.1 (2017-03-07)
This is the first maintenance release of the openvas-scanner 5.1 module
for the Open Vulnerability Assessment System 9 (OpenVAS-9).
Many thanks to everyone who has contributed to this release:
Hani Benhabiles.
Main changes compared to 5.1.0:
* The logging is now properly re-initialized when the main openvassd
process receives as SIGHUP signal.
* An issue which caused openvassd child processes to enter an infinite
busy-wait loop under certain conditions has been fixed.
* Handling of 'dead' targets has been improved.
openvas-scanner 5.1.0 (2016-11-09)
This is the first release of the openvas-scanner 5.1 module for the Open
......
......@@ -73,7 +73,7 @@ endif (NOT CMAKE_BUILD_TYPE MATCHES "Release")
# we require CMake >= 3.0
set (PROJECT_VERSION_MAJOR 5)
set (PROJECT_VERSION_MINOR 1)
set (PROJECT_VERSION_PATCH 0)
set (PROJECT_VERSION_PATCH 1)
# Set beta version if this is a beta release series,
# unset if this is a stable release series.
......
2017-03-07 Michael Wiegand <michael.wiegand@greenbone.net>
Preparing the openvas-scanner 5.1.1 release.
* CHANGES: Updated.
2017-02-03 Hani Benhabiles <hani.benhabiles@greenbone.net>
Backport r27340.
* src/attack.c (launch_plugin): Check for Host/dead and Host/ping_failed
before attempting to launch the plugin.
2017-01-03 Hani Benhabiles <hani.benhabiles@greenbone.net>
Backport r26905.
* src/comm.c (comm_wait_order): Zero str buffer. Fixes possible infinite
loop.
2016-11-29 Hani Benhabiles <hani.benhabiles@greenbone.net>
Backport r26731.
* src/openvassd.c (reload_openvassd): Reinitialize logging on scanner
reload.
2016-11-09 Michael Wiegand <michael.wiegand@greenbone.net>
Post release version bump.
* CMakeLists.txt: Set version to 5.1.1.
2016-11-09 Michael Wiegand <michael.wiegand@greenbone.net>
* CHANGES: Fix typo.
......
......@@ -2,7 +2,7 @@ INSTALLATION INSTRUCTIONS FOR OPENVAS-SCANNER
=============================================
Please note: The reference system used by most of the developers is Debian
Debian GNU/Linux 'Jessie' 8. The build might fail on any other systems.
GNU/Linux 'Jessie' 8. The build might fail on any other systems.
Also it is necessary to install dependent development packages.
......
.TH OPENVAS-MKCERT-CLIENT 1 "May 2002" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-mkcert-client \- Creates a client certificate
.sp
.SH SYNOPSIS
.BI openvas-mkcert-client
.SH DESCRIPTION
The
.B OpenVAS Security Scanner
protects the communication between the client and the server by using SSL. SSL
requires the server to present a certificate to the client, and the client can
optionally present a certificate to the server.
This script
.B openvas-mkcert-client
generates a client certificate.
.SH SEE ALSO
.BR openvassd (8),\ openvas-mkcert (8),\ openssl(1)
.SH MORE INFORMATION ABOUT THE OpenVAS PROJECT
The canonical places where you will find more information
about the OpenVAS project are:
.RS
.UR
http://www.openvas.org/
.UE
(Official site)
.br
.UR
http://cvs.openvas.org/
.UE
(Developers site)
.RE
.SH AUTHOR
.B openvas-mkcert-client
was written by Michel Arboi <arboi@bigfoot.com> based on
.B openvas-mkcert
.TH OpenVAS-MKCERT 8 "January 2011" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-mkcert \- Creates a scanner certificate
.sp
.SH SYNOPSIS
.B openvas-mkcert
.RB [ -q ]
.RB [ -f ]
.SH DESCRIPTION
The
.B OpenVAS Scanner
protects its communication with clients by using SSL. SSL
requires the scanner to present a certificate to the client, and the client can
optionally present a certificate to the scanner.
This script
.B openvas-mkcert
creates a certificate authority (if none exists already) and generates the
scanner certificate.
.SH OPTIONS
.I -q
quickly generates a new certificate, without asking any question
.I -f
force overwriting of already existing certificate files
.SH SEE ALSO
.BR openvassd (8),\ openvas-mkcert-client (1),\ openssl(1)
.SH MORE INFORMATION ABOUT THE OpenVAS PROJECT
The canonical places where you will find more information
about the OpenVAS project are:
.RS
.UR
http://www.openvas.org/
.UE
(Official site)
.br
.SH AUTHOR
.B openvas-mkcert
was derived from nessus-mkcert which is was written by Michel
Arboi <arboi@alussinan.org> and Renaud Deraison <deraison@cvs.nessus.org>
.\" Hey, EMACS: -*- nroff -*-
.TH OPENVAS-NVT-SYNC 8 "January 2014" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-nvt-sync \- updates the OpenVAS security checks from OpenVAS NVT Feed
.SH SYNOPSIS
.B openvas-nvt-sync
.SH DESCRIPTION
The
.B OpenVAS Security Scanner
performs several security checks, each of them being coded as an external
plugin coded in NASL. As new security holes are published every day, new
plugins appear on the OpenVAS site (www.openvas.org)
.br
The script
.B openvas-nvt-sync
will fetch all the newest security checks for you and install them at the proper
location. Once this is done you will need to either restart openvas-scanner(8)
or send a SIGHUP to its main process so that it loads the new checks and uses them
for new security scans.
.br
.B openvas-nvt-sync
uses rsync(1) and md5sum(1) to do its job. In order to download the
new plugins the machine where the script runs needs to have
access to rsync.openvas.org using the rsync protocol (TCP/UDP port 873).
If you are behind a web proxy you can configure rsync to use it through the
use of the RSYNC_PROXY environment variable. For more information see
rsync(1).
.SH SECURITY NOTES
.B openvas-nvt-sync
uses rsync(1) to retrieve the archive of the new plugins. The scripts
provided by the OpenVAS project might
.B not be signed.
Consequently, if somewhere where to poison your DNS server and force this
script to retrieve NASL plugins on another site he would force
your OpenVAS server to execute NASL scripts when running security tests.
Even if this might not do much harm (see the NASL reference guide
for more information on that subject) you should be very careful
when doing this.
.SH SEE ALSO
For more information see:
.BR rsync(1),
.BR openvassd(8),
.br
There is more information available at
.B /usr/share/doc/openvas-plugins
on Debian systems.
.PP
You can find additional information about the OpenVAS project in
http://www.openvas.org
.SH AUTHOR
This manual page was written by
Javier Fern\['a]ndez-Sanguino Pe\[~n]a <jfs@debian.org>
for the Debian GNU/Linux system (but may be used on other systems).
.PP
The
.B openvas-nvt-sync
script was written by various authors, mainly from Greenbone Networks GmbH.
/* OpenVAS
* $Id: attack.c 26467 2016-10-24 12:18:36Z kroosec $
* $Id: attack.c 27443 2017-02-03 07:44:45Z kroosec $
* Description: Launches the plugins, and manages multithreading.
*
* Authors: - Renaud Deraison <deraison@nessus.org> (Original pre-fork develoment)
......@@ -232,6 +232,16 @@ launch_plugin (struct arglist *globals, struct scheduler_plugin *plugin,
log_write ("Stopped scan wrap-up: Launching %s (%s)", name, oid);
}
/* Stop the test if the host is 'dead' */
if (kb_item_get_int (kb, "Host/dead") > 0
|| kb_item_get_int (kb, "Host/ping_failed") > 0)
{
log_write ("The remote host (%s) is dead", hostname);
pluginlaunch_stop (1);
plugin->running_state = PLUGIN_STATUS_DONE;
g_free (name);
return ERR_HOST_DEAD;
}
if (network_scan_status (globals) == NSS_BUSY)
network_scan = TRUE;
......@@ -302,17 +312,6 @@ launch_plugin (struct arglist *globals, struct scheduler_plugin *plugin,
if (prefs_get_bool ("log_whole_attack"))
log_write ("Launching %s (%s) against %s [%d]", name, oid, hostname,
pid);
/* Stop the test if the host is 'dead' */
if (kb_item_get_int (kb, "Host/dead") > 0
|| kb_item_get_int (kb, "Host/ping_failed") > 0)
{
log_write ("The remote host (%s) is dead", hostname);
pluginlaunch_stop (1);
plugin->running_state = PLUGIN_STATUS_DONE;
g_free (name);
return ERR_HOST_DEAD;
}
}
else /* requirements_plugin() failed */
{
......
/* OpenVAS
* $Id: comm.c 26234 2016-09-16 14:48:12Z kroosec $
* $Id: comm.c 27097 2017-01-03 13:15:54Z kroosec $
* Description: Communication manager; it manages the NTP Protocol version 1.0 and 1.1.
*
* Authors: - Renaud Deraison <deraison@nessus.org> (Original pre-fork develoment)
......@@ -318,6 +318,7 @@ comm_wait_order (struct arglist *globals)
static char str[2048];
int n;
memset (str, '\0', sizeof (str));
n = recv_line (soc, str, sizeof (str) - 1);
if (n < 0)
{
......
/* OpenVAS
* $Id: openvassd.c 26579 2016-11-09 09:15:52Z jan $
* $Id: openvassd.c 26738 2016-11-29 14:47:17Z kroosec $
* Description: Runs the OpenVAS-scanner.
*
* Authors: - Renaud Deraison <deraison@nessus.org> (Original pre-fork develoment)
......@@ -347,10 +347,13 @@ reload_openvassd ()
pid_t handler_pid;
int i, ret;
log_write ("Reloading the scanner.");
/* Ignore SIGHUP while reloading. */
openvas_signal (SIGHUP, SIG_IGN);
/* Reinitialize logging before writing to it. */
log_init (prefs_get ("logfile"));
log_write ("Reloading the scanner.");
handler_pid = loading_handler_start ();
if (handler_pid < 0)
return;
......
#!/bin/sh
#
# openvas-manage-certs.sh - Manage certificate infrastructure for an OpenVAS installation
# Copyright (C) 2014 Greenbone Networks GmbH
#
# Authors:
# - Michael Wiegand <michael.wiegand@greenbone.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# Set default values for certificate parameters
# Parameters:
# Lifetime
if [ -z "$OPENVAS_CERTIFICATE_LIFETIME" ]
then
OPENVAS_CERTIFICATE_LIFETIME=730
fi
# Country
if [ -z "$OPENVAS_CERTIFICATE_COUNTRY" ]
then
OPENVAS_CERTIFICATE_COUNTRY="DE"
fi
# State
if [ -z "$OPENVAS_CERTIFICATE_STATE" ]
then
OPENVAS_CERTIFICATE_STATE=""
fi
# Locality
if [ -z "$OPENVAS_CERTIFICATE_LOCALITY" ]
then
OPENVAS_CERTIFICATE_LOCALITY="Osnabrueck"
fi
# Organization
if [ -z "$OPENVAS_CERTIFICATE_ORG" ]
then
OPENVAS_CERTIFICATE_ORG="OpenVAS Users"
fi
# (Organization unit)
if [ -z "$OPENVAS_CERTIFICATE_ORG_UNIT" ]
then
OPENVAS_CERTIFICATE_ORG_UNIT=
fi
# Hostname
if [ -z "$OPENVAS_CERTIFICATE_HOSTNAME" ]
then
OPENVAS_CERTIFICATE_HOSTNAME=`hostname --fqdn`
if [ $? -ne 0 ]
then
OPENVAS_CERTIFICATE_HOSTNAME="localhost"
fi
fi
# Key size
if [ -z "$OPENVAS_CERTIFICATE_KEYSIZE" ]
then
if [ -z "$OPENVAS_CERTIFICATE_SECPARAM" ]
then
OPENVAS_CERTIFICATE_SECPARAM="high"
fi
fi
# Signature algorithm
if [ -z "$OPENVAS_CERTIFICATE_SIGNALG" ]
then
OPENVAS_CERTIFICATE_SIGNALG="SHA256"
fi
LOGFILE="./openvas-manage-certs.log"
print_help ()
{
echo "Usage:"
echo " $0 [OPTION] - Manage certificate infrastructure for an OpenVAS installation"
echo
echo "Options:"
echo " -h Print help"
echo " -s Generate a self-signed certificate"
echo " -i Install a certificate"
echo " -c <location> Install location for the certificate"
echo " -k <location> Install location for the private key"
echo " -f Force overwriting of existing files"
echo " -d Print debug output"
echo
echo "Variables:"
echo "The script honors the following environment variables to set certificate parameters:"
echo " OPENVAS_CERTIFICATE_LIFETIME Days until the certificate will expire"
echo " OPENVAS_CERTIFICATE_COUNTRY Country of certificate subject"
echo " OPENVAS_CERTIFICATE_STATE State of certificate subject"
echo " OPENVAS_CERTIFICATE_LOCALITY Locality of certificate subject"
echo " OPENVAS_CERTIFICATE_ORG Organization of certificate subject"
echo " OPENVAS_CERTIFICATE_ORG_UNIT Organizational unit of certificate subject"
echo " OPENVAS_CERTIFICATE_HOSTNAME Name to use for the certificate"
echo " OPENVAS_CERTIFICATE_SIGNALG Hash algorithm to use for signing"
echo
echo " OPENVAS_CERTIFICATE_KEYSIZE Size in bits of the generated key"
echo " or"
echo " OPENVAS_CERTIFICATE_SECPARAM GnuTLS security level [low|normal|high|ultra]"
echo
exit 0
}
# The following TODOS are features deemed desirable which have not yet been
# implemented.
# TODO: Check certificate infrastructure
# TODO: Create a certificate signing request
# TODO: Import a certificate
# Does the certificate contain a private key?
# Do we take the key generated for the signing request?
# Ensure everything is ready to run, prepare temporary directory
set_up ()
{
# Check if "certtool" binary is available
if ! type certtool > /dev/null 2>&1
then
echo "ERROR: certtool binary not found!"
exit 1
fi
CERT_DIR=`mktemp -d`
echo "Writing certificate files to $CERT_DIR."
echo
KEY_FILENAME="$CERT_DIR/key.pem"
CERT_FILENAME="$CERT_DIR/cert.pem"
TEMPLATE_FILENAME="$CERT_DIR/openvas-cert.cfg"
}
# Create a self-signed certificate
create_self_signed ()
{
umask 022
# Create template using parameters
if [ -n "$OPENVAS_CERTIFICATE_LIFETIME" ]
then
echo "expiration_days = $OPENVAS_CERTIFICATE_LIFETIME" >> $TEMPLATE_FILENAME
fi
if [ -n "$OPENVAS_CERTIFICATE_COUNTRY" ]
then
echo "country = \"$OPENVAS_CERTIFICATE_COUNTRY\"" >> $TEMPLATE_FILENAME
fi
if [ -n "$OPENVAS_CERTIFICATE_STATE" ]
then
echo "state = \"$OPENVAS_CERTIFICATE_STATE\"" >> $TEMPLATE_FILENAME
fi
if [ -n "$OPENVAS_CERTIFICATE_LOCALITY" ]
then
echo "locality = \"$OPENVAS_CERTIFICATE_LOCALITY\"" >> $TEMPLATE_FILENAME
fi
if [ -n "$OPENVAS_CERTIFICATE_ORG" ]
then
echo "organization = \"$OPENVAS_CERTIFICATE_ORG\"" >> $TEMPLATE_FILENAME
fi
if [ -n "$OPENVAS_CERTIFICATE_ORG_UNIT" ]
then
echo "unit = \"$OPENVAS_CERTIFICATE_ORG_UNIT\"" >> $TEMPLATE_FILENAME
fi
if [ -n "$OPENVAS_CERTIFICATE_HOSTNAME" ]
then
echo "cn = \"$OPENVAS_CERTIFICATE_HOSTNAME\"" >> $TEMPLATE_FILENAME
fi
if [ $DEBUG -eq 1 ]
then
echo "DEBUG: Using the following template ($TEMPLATE_FILENAME):"
cat $TEMPLATE_FILENAME
fi
if [ -z "$OPENVAS_CERTIFICATE_KEYSIZE" ]
then
CERTTOOL_PRIVKEY_PARAM="--sec-param $OPENVAS_CERTIFICATE_SECPARAM"
else
CERTTOOL_PRIVKEY_PARAM="--bits $OPENVAS_CERTIFICATE_KEYSIZE"
fi
# Create a private key
certtool --generate-privkey $CERTTOOL_PRIVKEY_PARAM --outfile "$KEY_FILENAME" >> "$LOGFILE" 2>&1
if [ $? -ne 0 ]
then
echo "ERROR: Failed to generate private key, see $LOGFILE for details. Aborting."
exit 1
fi
# TODO: Sleeping here to avoid certtool race condition
sleep 1
# Create a certificate
certtool --generate-self-signed --hash "$OPENVAS_CERTIFICATE_SIGNALG" --load-privkey "$KEY_FILENAME" --outfile "$CERT_FILENAME" --template "$TEMPLATE_FILENAME" >> "$LOGFILE" 2>&1
if [ $? -ne 0 ]
then
echo "ERROR: Failed to create self signed certificate, see $LOGFILE for details. Aborting."
exit 1
fi
}
# Install a certificate
# Where should the certificate and the key be installed to?
install_cert ()
{
if [ -f "$KEY_INSTALL" ] && [ $FORCE -ne 1 ]
then
echo "$KEY_INSTALL exists already, not overwriting."
else
[ $DEBUG -eq 1 ] && echo "DEBUG: Copying $KEY_FILENAME to $KEY_INSTALL ..."
cp "$KEY_FILENAME" "$KEY_INSTALL"
fi
if [ -f "$CERT_INSTALL" ] && [ $FORCE -ne 1 ]
then
echo "$CERT_INSTALL exists already, not overwriting."
else
[ $DEBUG -eq 1 ] && echo "DEBUG: Copying $CERT_FILENAME to $CERT_INSTALL ..."
cp "$CERT_FILENAME" "$CERT_INSTALL"
fi
}
# Clean up
clean_up ()
{
if [ "$DEBUG" -ne 1 ]
then
rm -rf $CERT_DIR
else
echo "DEBUG: Not removing $CERT_DIR in debug mode."
fi
}
# Parse command line options
if [ $# -eq 0 ]
then
print_help
fi
INSTALL=0
CREATE_SELF_SIGNED=0
DEBUG=0
FORCE=0
while getopts hsic:k:fd OPTION
do
case "$OPTION" in
h)
print_help
;;
s)
CREATE_SELF_SIGNED=1
;;
i)
INSTALL=1
;;
c)
CERT_INSTALL=$OPTARG
;;
k)
KEY_INSTALL=$OPTARG
;;
f)
FORCE=1
;;
d)
DEBUG=1
;;
\?)
print_help
;;
esac
done
if [ $CREATE_SELF_SIGNED -eq 1 ]
then
set_up
create_self_signed
# Currently installing a certificate without generating it is not yet
# supported. Once this is the case, the check for $INSTALL can be separated.
if [ $INSTALL -eq 1 ]
then
install_cert
fi
# If the files have been installed, clean up the generation directory.
if [ $INSTALL -eq 1 ]
then
clean_up
fi
fi
exit 0
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment