Bug 245992
| Summary: | security/openvas9-libraries not up to date | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Jørgen Asmussen <jorgen> |
| Component: | Individual Port(s) | Assignee: | Jose Alonso Cardenas Marquez <acm> |
| Status: | Closed Overcome By Events | ||
| Severity: | Affects Only Me | CC: | knan-bfo, ltning-freebsd |
| Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(acm) |
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Jørgen Asmussen
2020-04-28 07:09:13 UTC
Patch to update OpenVAS versions to latest 8.x and 9.x: https://reviews.freebsd.org/D25209 - openvas8 and openvas9 are EoL. I'll try port latest version of openvas to FreeBSD port tree. I leave this PR open until I have news Do you need some manpower to help? We have a support agreement with Klara Systems we can draw on. For us, the port of the head node / gui is most important, we currently run the scanner nodes on linux. But running the scanners on freebsd also would be Nice(tm). (In reply to Erik Inge Bolsø from comment #3) Hi, finally I added new version of gvm ports to FreBSD ports tree security/gvm (metaport) security/gvm-libs security/gvmd security/openvas security/py-ospd-openvas security/greenbone-security-assistant security/py-python-gvm security/py-gvm-tools I did some basic tests and it seems is working fine using sockets. Maybe you could do some advanced testing and report if you found problems with these ports or if it works without problems I didn't add openvas-smb because it needs mingw tools and I decided not lose time in this port. Maybe I could try import this port in another time Enjoy it btw openvas ports were marked like DEPRECATED because EoL (In reply to Jose Alonso Cardenas Marquez from comment #4) Brilliant, thanks a lot! It's been added to our poudriere builds now, so we'll be testing it shortly. /Eirik (In reply to Jose Alonso Cardenas Marquez from comment #4) ===> Fetching all distfiles required by gvmd-20.8.0 for building ===> Extracting for gvmd-20.8.0 => SHA256 Checksum OK for greenbone-gvmd-v20.8.0_GH0.tar.gz. unzip: Unrecognized archive format ===> Failed to extract "/portdistfiles//greenbone-gvmd-v20.8.0_GH0.tar.gz". *** Error code 1 (In reply to Eirik Oeverby from comment #6) Try removing zip from USES (In reply to Eirik Oeverby from comment #6) Looks like 'zip' needs to be removed from USED in the Makefile.(In reply to Jose Alonso Cardenas Marquez from comment #7) Yeah, I was about to comment that ;) (In reply to Eirik Oeverby from comment #8) Okay that was messy. To confirm - yes, removing zip allows it to build. Now rebuilding my net-snmp with ipv6 support, hoping that fixes security/openvas build too... New issue: ===> Staging for py37-ospd-openvas-20.8.0 ** Missing /usr/ports/security/py-ospd-openvas/files/pkg-message.in for py37-ospd-openvas-20.8.0. *** Error code 1 Stop. make: stopped in /usr/ports/security/py-ospd-openvas I'll touch that file to continue here... (In reply to Eirik Oeverby from comment #10) Remove this line from Makefile SUB_FILES= pkg-message A commit references this bug: Author: acm Date: Wed Jan 6 16:52:35 UTC 2021 New revision: 560542 URL: https://svnweb.freebsd.org/changeset/ports/560542 Log: - Fix build PR: 245992 Reported by: ltning-freebsd at anduin.net Changes: head/security/py-ospd-openvas/Makefile A commit references this bug: Author: acm Date: Wed Jan 6 16:54:18 UTC 2021 New revision: 560543 URL: https://svnweb.freebsd.org/changeset/ports/560543 Log: - Fix build PR: 245992 Reported by: ltning-freebsd at anduin.net Changes: head/security/gvmd/Makefile gvm-related errors during/after install: - /var/run/gvm has wrong owner (root), causing md manage:WARNING:2021-01-06 17h37.26 utc :3129: Failed to open lock file '/var/run/gvm/gvm-checking': Permission denied md main:CRITICAL:2021-01-06 17h37.26 utc :3129: gvmd: Error trying to get checking lock - pkg_resources.DistributionNotFound: The 'defusedxml<0.7.0,>=0.6.0' distribution was not found and is required by ospd Looks like the installed defusedxml is too old. # pkg search defused py37-defusedxml-0.5.0 XML bomb protection for Python stdlib modules Confirmed, as manually updating the defusedxml port to 0.6.0 and upgrading fixes this. - "Create certificates" step should use -a, not -s, as option to gvm-manage-certs - gsad returns "URL not found" - have not found a solution to this - missing semicolon after some postgresql statements in post-installation messages - suggestion: mention that redis needs unix socket enabled and permissions changed in its config before openvas will start - suggestion: place 'sysrc' in front of rc.conf changes listed (gvm_enable, redis_enable, etc.) (In reply to Eirik Oeverby from comment #14) Is it possible some HTML is not being installed as it should? I see HTML files in the port that don't seem to be installed.. (In reply to Eirik Oeverby from comment #14) 1) About permissions problem, /var/run/gvm is created by gvmd (@dir(gvm,gvm,750) /var/run/gvm). Maybe it is being overwritten by gsad. I'll check very well where problem is 2) I forget sent a PR for update py-defusedxml (I updated it in my tree). I seems like a PR was posting here. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251825 I'll try committ it asap because that PR has a maintainer timeout 3) For me own configuration I used -s like I saw into manual page https://github.com/greenbone/ospd/blob/master/doc/INSTALL-ospd-scanner.md Creating certificates 4) gsad returns "URL not found" - have not found a solution to this (where? give me more info about this) 5 and 6) I will do (In reply to Eirik Oeverby from comment #15) security/gvmd right? (In reply to Jose Alonso Cardenas Marquez from comment #16) 3 - the -s parameter is from the gvm install message, and I see from the URL you provided that it's wrong even there. By using the -a option instead, it will automatically create all the requried certificates. -s seems to be a no-op, at least it is not documented anywhere. And gsad will not start with default options unless su -m gvm -c "gvm-manage-certs -a" is run. 4 - When accessing http://<ip>:9492/ after starting gsad (the web interface). (In reply to Jose Alonso Cardenas Marquez from comment #17) > security/gvmd right? Not sure what you are referring to / asking here? (In reply to Eirik Oeverby from comment #19) > Is it possible some HTML is not being installed as it should? I see HTML files > in the port that don't seem to be installed.. security/gvmd right? (In reply to Jose Alonso Cardenas Marquez from comment #20) No - security/greenbone-security-assistant (In reply to Eirik Oeverby from comment #18) > 4 - When accessing http://<ip>:9492/ after starting gsad (the web interface). What did you see into log files? gvmd and ospd-openvas are running without problems? I found the issues. I'll commit changes asap. Thanks! A commit references this bug: Author: acm Date: Thu Jan 7 03:29:21 UTC 2021 New revision: 560676 URL: https://svnweb.freebsd.org/changeset/ports/560676 Log: - Fix installation issues. It BROKEN port in runtime - Clean up PR: 245992 Reported by: jorgen at larsendata.dk Changes: head/security/greenbone-security-assistant/Makefile (In reply to commit-hook from comment #24) Nice. Testing. While I test, some nitpicking (sorry! :) - pkg-message.in now says sysrc..., but still says "add to rc.conf". For newcomers this can be confusing. - stuff gets installed/populated in /var/lib - this is not very FreeBSD-ish On our standard installations we have very limited space in /var so downloading signatures simply doesn't work. Can this (somewhat easily) be moved to /usr/local somewhere? (In reply to commit-hook from comment #24) Also, after the last updates I am unable to create certificates: [root@freebsd /tmp]# su -m gvm -c "gvm-manage-certs -s" Generated private key in /tmp/tmp.WAKGKRbc/key.pem. Jan 7 15:44:07 freebsd gvm-manage-certs[64611]: ERROR: Failed to create self signed certificate, see /tmp/tmp.WAKGKRbc/gvm-manage-certs.log for details. Aborting. ERROR: Failed to create self signed certificate, see /tmp/tmp.WAKGKRbc/gvm-manage-certs.log for details. Aborting. Content of log file below. I have no idea why this is broken now; I'm having trouble making out the differences in the port revisions, so I don't know what might have changed. It DID work on the first install. It does NOT work on a (completely) fresh installation today. Generating a 3072 bit RSA private key... Generating a self signed certificate... X.509 Certificate Information: Version: 3 Serial Number (hex): 3e68bdbbb5c49058089abf90ce3b3a34cc84301e Validity: Not Before: Thu Jan 07 14:44:07 UTC 2021 Not After: Sat Jan 07 14:44:07 UTC 2023 Subject: C=DE,L=Osnabrueck,O=GVM Users,CN=localhost Subject Public Key Algorithm: RSA Algorithm Security Level: High (3072 bits) Modulus (bits 3072): 00:db:c3:c7:e5:79:36:83:af:1d:4e:90:57:67:13:23 d6:35:25:60:4e:13:52:7e:85:77:fa:b9:45:e0:6d:7e 1c:cd:1a:39:71:08:24:03:85:6a:3d:18:fb:8a:bd:fb 69:e9:8d:2c:52:1e:7e:9c:e3:55:db:f0:18:53:dd:5e 85:5f:e2:e2:20:9a:fb:01:4f:69:48:12:14:26:bf:3c 0e:56:ee:31:37:74:fe:93:a7:07:53:d2:15:c5:ac:7f 6d:73:d8:d8:be:c7:45:02:56:db:f8:ce:ac:b6:ac:7c 29:a3:11:9c:e1:c5:8c:a1:83:8b:50:f5:b4:9d:76:ff 68:ad:ca:78:5b:56:61:58:a0:32:47:4e:09:63:61:98 e4:4e:d9:7d:e8:44:3f:2c:59:1a:17:ad:1f:79:d8:4f 71:6b:45:06:3c:4c:c1:de:c3:6b:3c:32:a3:47:54:fe 39:5c:79:e9:1b:df:26:fb:bb:6a:7f:c9:bf:07:60:89 26:39:d4:61:d5:5e:2f:b2:2a:03:2c:96:59:3b:e4:e8 75:ed:72:80:fb:d2:d3:48:74:e1:32:12:b9:74:33:38 fb:ef:0d:11:c3:46:11:a0:40:6d:62:52:48:3e:c1:23 0d:2c:4b:27:04:17:f8:47:21:b1:e4:1b:75:c9:f7:9e c6:0c:a2:8c:e6:2d:2e:c6:fb:e2:29:ea:bc:f5:e8:17 eb:a0:12:31:26:89:7c:bb:b6:c2:1e:07:38:95:68:d7 be:c4:b4:67:e7:1e:aa:bb:fd:68:8c:08:e9:6f:b8:b9 75:2b:d6:3e:4e:fe:62:f2:b6:8c:7a:01:89:ab:1d:9e 1e:56:ff:20:29:2b:69:49:17:cb:d8:79:66:84:af:04 2a:c5:54:bb:6d:91:d4:4a:24:b5:0b:5a:02:ec:53:06 2a:35:cd:c3:5e:58:a4:ca:87:09:c4:22:e7:50:f7:4c 33:19:a3:b4:a7:08:3c:99:89:60:ae:5f:0e:c7:cb:d1 a5 Exponent (bits 24): 01:00:01 Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Subject Key Identifier (not critical): bfd9656138142de52aeb1d1ff47070fe7cf76279 Other Information: Public Key ID: sha1:bfd9656138142de52aeb1d1ff47070fe7cf76279 sha256:58fa89e41f6086214f3a1d80774fecfac4c85dafa1079a5c8ab52669ddaac83a Public Key PIN: pin-sha256:WPqJ5B9ghiFPOh2Ad0/s+sTIXa+hB5pcirUmad2qyDo= Signing certificate... crt_sign: ASN1 parser: Value is not valid. (In reply to Eirik Oeverby from comment #26) To clarify - I don't think your updates are necessarily the reason here. I've reproduced this on several systems, with and without gvm, and it's the same everywhere: certtool --generate-privkey --outfile key.pem echo "cn = localhost" > foo certtool --generate-self-signed --load-privkey key.pem --template foo --outfile cert.pem -d 9999 This worked on Jan 6th. Yesterday it did not. I can't see any relevant changes in the gvm port (/usr/local/bin/gvm-manage-certs is a shell script, and I can't see any changes there). It's a mystery of epic proportions, this. Not that it breaks (it's gnutls after all), but that it has ever worked.. Can you offer any insights? (In reply to Eirik Oeverby from comment #27) Hi Eirik, sorry for delay. I was trapped with my job. I tested gvm ports again and I didn't see errors when I tried create self signed certificate [root@colosus]:/home/acm # su -m gvm -c "gvm-manage-certs -a" Generated private key in /tmp/tmp.nNYndEwX/cakey.pem. Generated self signed certificate in /tmp/tmp.nNYndEwX/cacert.pem. Installed private key to /var/lib/gvm/private/CA/cakey.pem. Installed certificate to /var/lib/gvm/CA/cacert.pem. Generated private key in /tmp/tmp.nNYndEwX/serverkey.pem. Generated certificate request in /tmp/tmp.nNYndEwX/serverrequest.pem. Signed certificate request in /tmp/tmp.nNYndEwX/serverrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.nNYndEwX/servercert.pem Installed private key to /var/lib/gvm/private/CA/serverkey.pem. Installed certificate to /var/lib/gvm/CA/servercert.pem. Generated private key in /tmp/tmp.nNYndEwX/clientkey.pem. Generated certificate request in /tmp/tmp.nNYndEwX/clientrequest.pem. Signed certificate request in /tmp/tmp.nNYndEwX/clientrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.nNYndEwX/clientcert.pem Installed private key to /var/lib/gvm/private/CA/clientkey.pem. Installed certificate to /var/lib/gvm/CA/clientcert.pem. Removing temporary directory /tmp/tmp.nNYndEwX. Maybe it could be a problem with gnutls. I have installed 3.6.15 with default options (In reply to Jose Alonso Cardenas Marquez from comment #28) Hi, no problem at all. Grateful for your hard work. This was fixed in libtasn1 - there was a bug there causing it to malfunction when built with clang. My next problem is that even on a clean install it does not seem to be able to load scan definitions after fetching the feed. gvmd logs repeated failures importing the definitions. I will try to locate the logs again. Do you have this issue? /Eirik (In reply to Eirik Oeverby from comment #29) Hi, I have updated pkg-message file. did you run greenbone-nvt-sync? Also I saw some files are loaded when you log in to gsad and surf into its options (targets, task, etc) |
