diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 9d044037..c890c4ed 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -7,6 +7,9 @@ assignees: Dexus, pixelsquared --- +**** Before you open a bug issue, please read the documentation. If you do not find an answer to your problem there, please look in the issues that have already been closed. Only if you still have not found an answer to your problem should you open a new issue. **** +** https://securecompliance.gitbook.io/projects/openvas-greenbone-deployment-full-guide ** + **Describe the bug** A clear and concise description of what the bug is. diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 0d2fd817..04612f25 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -23,11 +23,94 @@ permissions: packages: write jobs: - build_test: - name: Build and Test + build_test_trivy: + name: Build and Test - Trivy runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + + - name: PrepareReg Names + run: | + echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV + echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV + + - name: Set tag var + id: vars + run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA} + + - name: Download artifact + uses: dawidd6/action-download-artifact@v2 + with: + # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed + # Required, if artifact is from a different repo + github_token: ${{secrets.GITHUB_TOKEN}} + # Required, workflow file name or ID + workflow: build-apk.yml + # Optional, will use the branch + branch: master + # Optional, uploaded artifact name, + # will download all artifacts if not specified + # and extract them in respective subdirectories + # https://github.com/actions/download-artifact#download-all-artifacts + name: apk-builds + # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input) + path: ${{ github.workspace }}/apk-build/ + # Optional, defaults to current repo + repo: Secure-Compliance-Solutions-LLC/GVM-APK-build + + - name: Build the Docker image + run: docker build . 
--file Dockerfile --build-arg OPT_PDF=1 --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }} + + - uses: actions/cache@v2.1.4 + with: + path: .trivy + key: ${{ runner.os }}-trivy-${{ github.run_id }} + restore-keys: | + ${{ runner.os }}-trivy- + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + cache-dir: .trivy + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + if: always() + with: + image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + cache-dir: .trivy + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + if: always() + with: + sarif_file: "trivy-results.sarif" + + - name: Correct Trivy cache permissions + if: always() + run: sudo chown -R $USER:$GROUP .trivy + + build_test_anchore: + name: Build and Test - Anchore + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: PrepareReg Names + run: | + echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV + echo IMAGE_TAG=$(echo ${{ github.ref }} | tr '[:upper:]' '[:lower:]' | awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV + - name: Set tag var id: vars run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA} 
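Review bot: The step that gates the build, `uses: aquasecurity/trivy-action@master`, references a mutable branch, so the code that decides whether the image passes can change without any commit in this repository; pin both Trivy steps to a release tag or a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-sha>`. The `permissions:` context visible at the top of the hunk shows only `packages: write`, while `github/codeql-action/upload-sarif` needs `security-events: write`; if that grant is not above the hunk the SARIF upload step fails. Both scanner steps are named `Run Trivy vulnerability scanner`, which makes the job log ambiguous, so the second could be `Run Trivy vulnerability scanner (SARIF)`. `echo ::set-output name=docker_tag::…` is the deprecated workflow-command form; appending `docker_tag=…` to `$GITHUB_OUTPUT` is the supported replacement, and the same line is duplicated in the new `build_test_anchore` job.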
@@ -53,13 +136,20 @@ jobs: repo: Secure-Compliance-Solutions-LLC/GVM-APK-build - name: Build the Docker image - run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag myapp:${{ steps.vars.outputs.docker_tag }} + run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }} + + - uses: anchore/scan-action@v2 + if: always() + id: scan + with: + image: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}" + acs-report-enable: true - - name: Scan with Phonito Security - uses: phonito/phonito-scanner-action@master + - name: upload Anchore scan SARIF report + if: always() + uses: github/codeql-action/upload-sarif@v1 with: - image: myapp:${{ steps.vars.outputs.docker_tag }} - phonito-token: ${{ secrets.PHONITO_TOKEN }} + sarif_file: ${{ steps.scan.outputs.sarif }} build_release: name: Build and Release @@ -179,7 +269,7 @@ jobs: latest=${{ steps.releasePreareLatestTag.outputs.latest}} onlatest=${{ steps.releasePreareLatestTag.outputs.latest}} prefix= - suffix=-full + suffix=-full,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}} tags: | type=ref,event=branch type=ref,event=tag @@ -213,7 +303,7 @@ jobs: latest=${{ steps.releasePreareLatestTag.outputs.latest}} onlatest=${{ steps.releasePreareLatestTag.outputs.latest}} prefix= - suffix=-data + suffix=-data,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}} tags: | type=ref,event=branch type=ref,event=pr @@ -245,7 +335,7 @@ jobs: latest=${{ steps.releasePreareLatestTag.outputs.latest}} onlatest=${{ steps.releasePreareLatestTag.outputs.latest}} prefix= - suffix=-data-full + suffix=-data-full,onlatest=${{ steps.releasePreareLatestTag.outputs.latest}} tags: | type=ref,event=branch type=ref,event=pr diff --git a/.gitignore b/.gitignore index 08d9da80..852637cb 100644 --- a/.gitignore +++ b/.gitignore 
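Review bot: `anchore/scan-action@v2` carries `if: always()`, so when the preceding `docker build` step fails the scan still runs against a tag that was never built and fails on that instead, burying the real error; dropping the `if:` on the scan step (default `success()`) and keeping `if: always()` only on the SARIF upload separates the two failures. The upload then has to tolerate a skipped scan, e.g. `if: always() && steps.scan.outputs.sarif != ''`. As in the Trivy job, `github/codeql-action/upload-sarif@v1` requires `security-events: write`, and only `packages: write` is visible in this file, so confirm the grant exists above the hunks.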
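Review bot: In the three `flavor:` hunks (`suffix=-full`, `suffix=-data`, `suffix=-data-full`) the new `,onlatest=…` attribute is appended to the suffix while the standalone `onlatest=${{ … }}` line two lines above is kept; docker/metadata-action documents `onlatest` only as an attribute of `prefix`/`suffix`, so the standalone line looks like dead configuration now and could be removed so there is one source of truth. The expression `${{ steps.releasePreareLatestTag.outputs.latest}}` lacks the closing space; it evaluates, but matching the `${{ … }}` spacing used elsewhere in the file keeps it greppable.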
@@ -68,4 +68,9 @@ $RECYCLE.BIN/ # Windows shortcuts *.lnk -apk-build/ +# Docker Build Local +/apk-build/ +/storage/ +# For github.com/nektos/act local workflow testing +.env +.secrets diff --git a/Dockerfile b/Dockerfile index 67a3ef95..fcf0d975 100644 --- a/Dockerfile +++ b/Dockerfile @@ -77,7 +77,7 @@ RUN { \ && sleep 10 \ && apk add --no-cache --allow-untrusted logrotate curl wget su-exec tzdata postfix mailx bash openssh supervisor openssh-client-common libxslt xmlstarlet zip sshpass socat net-snmp-tools samba-client py3-lxml py3-gvm@custcom openvas@custcom openvas-smb@custcom openvas-config@custcom gvmd@custcom gvm-libs@custcom greenbone-security-assistant@custcom ospd-openvas@custcom \ && mkdir -p /var/log/supervisor/ \ - && su -c "mkdir /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm + && su -c "mkdir -p /var/lib/gvm/.ssh/ && chmod 700 /var/lib/gvm/.ssh/ && touch /var/lib/gvm/.ssh/authorized_keys && chmod 644 /var/lib/gvm/.ssh/authorized_keys" gvm COPY gvm-sync-data/gvm-sync-data.tar.xz /opt/gvm-sync-data.tar.xz COPY scripts/* / @@ -86,6 +86,7 @@ COPY config/supervisord.conf /etc/supervisord.conf COPY config/logrotate-gvm.conf /etc/logrotate.d/gvm COPY config/redis-openvas.conf /etc/redis.conf COPY config/sshd_config /etc/ssh/sshd_config +COPY config/* /opt/config/ ARG SETUP=0 @@ -94,6 +95,7 @@ ENV SETUP=${SETUP:-0} \ OPT_PDF=${OPT_PDF:-0} RUN env \ + && chmod +x /*.sh \ && if [ "${SETUP}" == "1" ]; then \ ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" >/etc/timezone \ && /usr/bin/supervisord -c /etc/supervisord.conf || true ; \ diff --git a/Makefile b/Makefile index c7e41a4d..366ec61d 100644 --- a/Makefile +++ b/Makefile 
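Review bot: The rewritten `su -c` line still ends with `chmod 644 /var/lib/gvm/.ssh/authorized_keys`, while `scripts/add-scanner.sh` in this same commit sets the same file to `chmod 600`, so every run of that script flips the mode; pick one value (600 is conventional for a file only sshd and its owner need to read) and use it in both places. `COPY config/* /opt/config/` in the second hunk copies the whole `config/` directory into the image, so anything placed there locally (a customised `sshd_config`, for instance) ends up in the published layer; an explicit file list or a `.dockerignore` entry bounds that, hedged since the directory contents are not visible here.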
@@ -11,9 +11,32 @@ apkbuild: make build .PHONY: build -build: +build: build_latest build_full build_data build_data_full + +build_latest: + cd ${PWD} ; \ + docker build -t securecompliance/gvm:no-data -t securecompliance/gvm:latest . +build_full: + cd ${PWD} ; \ + docker build --build-arg OPT_PDF=1 -t securecompliance/gvm:full . +build_data: + cd ${PWD} ; \ + docker build --build-arg SETUP=1 -t securecompliance/gvm:data . +build_data_full: cd ${PWD} ; \ - docker build -t securecompliance/gvm:no-data -t securecompliance/gvm:latest . ; \ - docker build --build-arg OPT_PDF=1 -t securecompliance/gvm:no-data-full . ; \ - docker build --build-arg SETUP=1 -t securecompliance/gvm:data . ; - docker build --build-arg SETUP=1 --build-arg OPT_PDF=1 -t securecompliance/gvm:data-full . ; + docker build --build-arg SETUP=1 --build-arg OPT_PDF=1 -t securecompliance/gvm:data-full . + +run-full: + mkdir -p ${PWD}/storage/postgres-db + mkdir -p ${PWD}/storage/openvas-plugins + mkdir -p ${PWD}/storage/gvm + mkdir -p ${PWD}/storage/ssh + docker run --rm --publish 8080:9392 --publish 5432:5432 --publish 2222:22 \ + --env DB_PASSWORD="postgres DB password" \ + --env PASSWORD="webUI password" \ + --env SSHD="true" \ + --volume "${PWD}/storage/postgres-db:/opt/database" \ + --volume "${PWD}/storage/openvas-plugins:/var/lib/openvas/plugins" \ + --volume "${PWD}/storage/gvm:/var/lib/gvm" \ + --volume "${PWD}/storage/ssh:/etc/ssh" \ + --name gvm securecompliance/gvm:data-full \ No newline at end of file diff --git a/scripts/add-scanner.sh b/scripts/add-scanner.sh index 7497e57e..8f5a9708 100755 --- a/scripts/add-scanner.sh +++ b/scripts/add-scanner.sh @@ -1,5 +1,7 @@ #!/usr/bin/env bash set -Eeuo pipefail +touch /var/lib/gvm/.ssh/authorized_keys +chmod 600 /var/lib/gvm/.ssh/authorized_keys read -p "Scanner Name: " SCANNER_NAME read -p "Scanner ID: " SCANNER_ID 
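Review bot: The new `build_latest`, `build_full`, `build_data`, `build_data_full` and `run-full` targets are not listed in `.PHONY`, which names only `build`; a file with any of those names in the working tree makes `make` report the target up to date and skip the docker build, so extend it to `.PHONY: build build_latest build_full build_data build_data_full run-full`. `run-full` publishes `5432:5432` and `2222:22` without a host address, so Postgres and sshd are reachable on every interface of the host with the placeholder `DB_PASSWORD="postgres DB password"` and the `gvm:gvm` login set in `scripts/start.sh`; for a local development target `--publish 127.0.0.1:5432:5432` and `--publish 127.0.0.1:2222:22` keep them on loopback. The file also now ends without a trailing newline, as the diff marks.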
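Review bot: `touch /var/lib/gvm/.ssh/authorized_keys` runs under `set -Eeuo pipefail` before anything in this script guarantees the directory exists, so on a container where `/var/lib/gvm/.ssh` has not been created yet (the Dockerfile and, when `SSHD=true`, start.sh create it, both elsewhere in this diff) the script aborts before the first prompt; `mkdir -p /var/lib/gvm/.ssh && chmod 700 /var/lib/gvm/.ssh` ahead of the `touch` makes it self-contained. The `read -p` prompts that follow are context here, but they lack the `-r` that the reset-gvmd-admin-password.sh hunk adds to its own `read`, so a key containing backslashes would be mangled on the line the script later appends.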
@@ -9,5 +11,5 @@ echo "Adding scanner $SCANNER_NAME..." su -c "gvmd --create-scanner='$SCANNER_NAME' --scanner-type=OpenVAS --scanner-host='/sockets/$SCANNER_ID.sock'" gvm -echo "$SCANNER_KEY\n" >>/var/lib/gvm/.ssh/authorized_keys +echo "${SCANNER_KEY}" >>/var/lib/gvm/.ssh/authorized_keys chown gvm:gvm -R /var/lib/gvm/.ssh diff --git a/scripts/migration_v21.4.0_ubuntu_images.sh b/scripts/migration_v21.4.0_ubuntu_images.sh new file mode 100644 index 00000000..45c33d0f --- /dev/null +++ b/scripts/migration_v21.4.0_ubuntu_images.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -Eeuo pipefail diff --git a/scripts/reset-gvmd-admin-password.sh b/scripts/reset-gvmd-admin-password.sh old mode 100644 new mode 100755 index fc30193a..9cdd9d7a --- a/scripts/reset-gvmd-admin-password.sh +++ b/scripts/reset-gvmd-admin-password.sh @@ -3,8 +3,8 @@ set -Eeuo pipefail RESET_USERNAME=${USERNAME:-${GVMD_USER:-admin}} -read -pr "Reset to new password: " RESET_PASSWORD -read -pr "Repeate new password: " RESET_PASSWORD2 +read -rp "Reset to new password: " RESET_PASSWORD +read -rp "Repeate new password: " RESET_PASSWORD2 if [ "${RESET_PASSWORD}" == "${RESET_PASSWORD2}" ]; then diff --git a/scripts/start.sh b/scripts/start.sh index 0b685371..9db509b1 100755 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -44,7 +44,7 @@ chown -R gvm:gvm /var/lib/openvas/plugins/ #echo 'never' >/sys/kernel/mm/transparent_hugepage/defrag if [ ! -d "/run/redis" ]; then - mkdir /run/redis + mkdir -p /run/redis fi if [ -S /run/redis/redis.sock ]; then @@ -53,7 +53,7 @@ fi if [ ! -d "/run/redis-openvas" ]; then echo "create /run/redis-openvas" - mkdir /run/redis-openvas + mkdir -p /run/redis-openvas fi if [ -S /run/redis-openvas/redis.sock ]; then 
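Review bot: `echo "${SCANNER_KEY}" >>/var/lib/gvm/.ssh/authorized_keys` appends whatever was typed at the prompt verbatim, so a truncated paste, an empty line or a private key pasted by mistake lands in `authorized_keys` unchecked; validating the line first, e.g. `ssh-keygen -l -f <(printf '%s\n' "${SCANNER_KEY}") >/dev/null || { echo "not a valid public key" >&2; exit 1; }`, keeps the file parseable for sshd. `SCANNER_KEY` is read above the hunk, so the prompt itself is not visible here.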
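Review bot: Both `read -rp` prompts echo the new password to the terminal as it is typed, leaving it in scrollback; `read -rsp "Reset to new password: " RESET_PASSWORD; echo` (and the same for the confirmation) keeps it off screen while still moving the next prompt to its own line. The prompt string `Repeate new password:` has a typo (`Repeat`) that can be fixed on the same line.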
@@ -112,9 +112,10 @@ fi until (pg_isready --username=postgres >/dev/null 2>&1 && psql --username=postgres --list >/dev/null 2>&1); do sleep 1 done - -if [[ ! -d "/etc/ssh" ]] || [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then - mkdir /etc/ssh +if [[ ! -d "/etc/ssh" ]]; then + mkdir -p /etc/ssh +fi +if [[ -d "/etc/ssh/" && $(find /etc/ssh/ -maxdepth 0 -empty) ]]; then ssh-keygen -A fi echo "Generate SSH-HOST Keys" @@ -159,7 +160,7 @@ if [ ! -f "/opt/database/.upgrade_to_21.4.0" ]; then fi if [ ! -d "/run/gvmd" ]; then - mkdir /run/gvmd + mkdir -p /run/gvmd chown gvm:gvm -R /run/gvmd/ fi @@ -174,7 +175,7 @@ fi echo "Creating gvmd folder..." su -c "mkdir -p /var/lib/gvm/gvmd/report_formats" gvm -cp -r /report_formats /var/lib/gvm/gvmd/ +#cp -r /report_formats /var/lib/gvm/gvmd/ chown gvm:gvm -R /var/lib/gvm find /var/lib/gvm/gvmd/report_formats -type f -name "generate" -exec chmod +x {} \; @@ -213,7 +214,7 @@ if [ -S /var/run/ospd/ospd.sock ]; then fi if [ ! -d /var/run/ospd ]; then - mkdir /var/run/ospd + mkdir -p /var/run/ospd fi echo "Starting Open Scanner Protocol daemon for OpenVAS..." @@ -281,18 +282,19 @@ if [ "$SSHD" == "true" ]; then echo "Starting OpenSSH Server..." if [ ! -d /var/lib/gvm/.ssh ]; then echo "Creating scanner SSH keys folder..." - mkdir /var/lib/gvm/.ssh + mkdir -p /var/lib/gvm/.ssh chown gvm:gvm -R /var/lib/gvm/.ssh fi if [ ! -d /sockets ]; then - mkdir /sockets + mkdir -p /sockets chown gvm:gvm -R /sockets fi echo "gvm:gvm" | chpasswd rm -rfv /var/run/sshd mkdir -p /var/run/sshd if [ ! -f /etc/ssh/sshd_config ]; then - mv /sshd_config /etc/ssh/sshd_config + cp /opt/config/sshd_config /etc/ssh/sshd_config + chown root:root /etc/ssh/sshd_config fi ${SUPVISD} start sshd if [ "${DEBUG}" == "Y" ]; then
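Review bot: The second `if` now runs `ssh-keygen -A` only when `/etc/ssh/` is empty, so a persisted `/etc/ssh` volume that already holds a user-supplied `sshd_config` but no host keys never gets keys generated and sshd fails to start; because `ssh-keygen -A` only creates keys that are missing, calling it unconditionally after the `mkdir -p` (dropping the `-empty` test) covers that case without regenerating existing keys. The `echo "Generate SSH-HOST Keys"` that follows suggests that is the intent; the rest of that logic is below the hunk.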
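Review bot: `#cp -r /report_formats /var/lib/gvm/gvmd/` leaves commented-out code in place, while the `find /var/lib/gvm/gvmd/report_formats … chmod +x` two lines below still assumes the formats were copied and is now a no-op on a fresh `/var/lib/gvm`; if the copy is intentionally retired, delete the line and add a one-line comment giving the reason (`# report_formats copy removed: <reason>`), otherwise the next reader will restore it.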
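Review bot: The new side of the last hunk still runs `echo "gvm:gvm" | chpasswd` immediately before `${SUPVISD} start sshd`, resetting the `gvm` account to a fixed, published password on every start; unless the `sshd_config` now copied from `/opt/config/` sets `PasswordAuthentication no` (not visible here), that is a known credential on the port the Makefile's `run-full` exposes as 2222. Taking the password from an environment variable with no default, or locking the account with `passwd -l gvm` and relying on `authorized_keys` alone, removes it. The copied `/etc/ssh/sshd_config` gets `chown root:root` but no explicit mode, so a `chmod 644 /etc/ssh/sshd_config` alongside it avoids depending on the build-time umask.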