Summary: security/openvas9-libraries not up to date
Product: Ports & Packages
Reporter: Jørgen Asmussen <jorgen>
Component: Individual Port(s)
Assignee: Jose Alonso Cardenas Marquez <acm>
Status: Closed Overcome By Events
Severity: Affects Only Me
CC: knan-bfo, ltning-freebsd
Description Jørgen Asmussen 2020-04-28 07:09:13 UTC
security/openvas9-libraries is 9.0.1, newest release is 9.0.3 according to Greenbone/OpenVAS site and https://github.com/greenbone/gvm-libs/releases/tag/v9.0.3

Since it's not updated, the OpenVAS scanner will report a Severity Level of 10 on every scan with NVT and not do much more.

Regards.
Comment 1 Erik Inge Bolsø 2020-06-10 14:14:11 UTC
Patch to update OpenVAS versions to latest 8.x and 9.x: https://reviews.freebsd.org/D25209
Comment 2 Jose Alonso Cardenas Marquez 2020-12-15 07:12:15 UTC
- openvas8 and openvas9 are EoL. I'll try to port the latest version of openvas to the FreeBSD ports tree. I'll leave this PR open until I have news.
Comment 3 Erik Inge Bolsø 2020-12-16 13:48:35 UTC
Do you need some manpower to help? We have a support agreement with Klara Systems we can draw on. For us, the port of the head node / GUI is most important; we currently run the scanner nodes on Linux. But running the scanners on FreeBSD also would be Nice(tm).
Comment 4 Jose Alonso Cardenas Marquez 2021-01-06 09:32:04 UTC
(In reply to Erik Inge Bolsø from comment #3)

Hi, I have finally added the new version of the gvm ports to the FreeBSD ports tree:

security/gvm (metaport)
security/gvm-libs
security/gvmd
security/openvas
security/py-ospd-openvas
security/greenbone-security-assistant
security/py-python-gvm
security/py-gvm-tools

I did some basic tests and it seems to be working fine using sockets. Maybe you could do some advanced testing and report whether you find problems with these ports or whether they work without problems.

I didn't add openvas-smb because it needs mingw tools and I decided not to lose time on this port. Maybe I could try to import this port another time.

Enjoy it.

BTW, the openvas ports were marked as DEPRECATED because they are EoL.
Comment 5 Eirik Oeverby 2021-01-06 12:17:06 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #4) Brilliant, thanks a lot! It's been added to our poudriere builds now, so we'll be testing it shortly. /Eirik
Comment 6 Eirik Oeverby 2021-01-06 16:15:45 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #4)

===> Fetching all distfiles required by gvmd-20.8.0 for building
===> Extracting for gvmd-20.8.0
=> SHA256 Checksum OK for greenbone-gvmd-v20.8.0_GH0.tar.gz.
unzip: Unrecognized archive format
===> Failed to extract "/portdistfiles//greenbone-gvmd-v20.8.0_GH0.tar.gz".
*** Error code 1
Comment 7 Jose Alonso Cardenas Marquez 2021-01-06 16:18:41 UTC
(In reply to Eirik Oeverby from comment #6) Try removing zip from USES
Comment 8 Eirik Oeverby 2021-01-06 16:31:07 UTC
(In reply to Eirik Oeverby from comment #6)

Looks like 'zip' needs to be removed from USES in the Makefile.

(In reply to Jose Alonso Cardenas Marquez from comment #7)

Yeah, I was about to comment that ;)
Comment 9 Eirik Oeverby 2021-01-06 16:32:02 UTC
(In reply to Eirik Oeverby from comment #8) Okay that was messy. To confirm - yes, removing zip allows it to build. Now rebuilding my net-snmp with ipv6 support, hoping that fixes security/openvas build too...
Comment 10 Eirik Oeverby 2021-01-06 16:39:46 UTC
New issue:

===> Staging for py37-ospd-openvas-20.8.0
** Missing /usr/ports/security/py-ospd-openvas/files/pkg-message.in for py37-ospd-openvas-20.8.0.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/py-ospd-openvas

I'll touch that file to continue here...
Comment 11 Jose Alonso Cardenas Marquez 2021-01-06 16:48:47 UTC
(In reply to Eirik Oeverby from comment #10)

Remove this line from Makefile:

SUB_FILES= pkg-message
Comment 12 commit-hook 2021-01-06 16:53:22 UTC
A commit references this bug:

Author: acm
Date: Wed Jan 6 16:52:35 UTC 2021
New revision: 560542
URL: https://svnweb.freebsd.org/changeset/ports/560542

Log:
  - Fix build

  PR: 245992
  Reported by: ltning-freebsd at anduin.net

Changes:
  head/security/py-ospd-openvas/Makefile
Comment 13 commit-hook 2021-01-06 16:54:24 UTC
A commit references this bug:

Author: acm
Date: Wed Jan 6 16:54:18 UTC 2021
New revision: 560543
URL: https://svnweb.freebsd.org/changeset/ports/560543

Log:
  - Fix build

  PR: 245992
  Reported by: ltning-freebsd at anduin.net

Changes:
  head/security/gvmd/Makefile
Comment 14 Eirik Oeverby 2021-01-06 19:26:39 UTC
gvm-related errors during/after install:

- /var/run/gvm has wrong owner (root), causing
  md manage:WARNING:2021-01-06 17h37.26 utc :3129: Failed to open lock file '/var/run/gvm/gvm-checking': Permission denied
  md main:CRITICAL:2021-01-06 17h37.26 utc :3129: gvmd: Error trying to get checking lock

- pkg_resources.DistributionNotFound: The 'defusedxml<0.7.0,>=0.6.0' distribution was not found and is required by ospd
  Looks like the installed defusedxml is too old.
  # pkg search defused
  py37-defusedxml-0.5.0 XML bomb protection for Python stdlib modules
  Confirmed, as manually updating the defusedxml port to 0.6.0 and upgrading fixes this.

- "Create certificates" step should use -a, not -s, as option to gvm-manage-certs

- gsad returns "URL not found" - have not found a solution to this

- missing semicolon after some postgresql statements in post-installation messages

- suggestion: mention that redis needs unix socket enabled and permissions changed in its config before openvas will start

- suggestion: place 'sysrc' in front of rc.conf changes listed (gvm_enable, redis_enable, etc.)
Comment 15 Eirik Oeverby 2021-01-06 19:35:08 UTC
(In reply to Eirik Oeverby from comment #14) Is it possible some HTML is not being installed as it should? I see HTML files in the port that don't seem to be installed..
Comment 16 Jose Alonso Cardenas Marquez 2021-01-06 22:00:14 UTC
(In reply to Eirik Oeverby from comment #14)

1) About the permissions problem, /var/run/gvm is created by gvmd (@dir(gvm,gvm,750) /var/run/gvm). Maybe it is being overwritten by gsad. I'll check very carefully where the problem is.

2) I forgot to send a PR to update py-defusedxml (I updated it in my tree). It seems a PR was posted here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251825 I'll try to commit it asap because that PR has a maintainer timeout.

3) For my own configuration I used -s as I saw in the manual page https://github.com/greenbone/ospd/blob/master/doc/INSTALL-ospd-scanner.md (Creating certificates).

4) gsad returns "URL not found" - have not found a solution to this (where? give me more info about this)

5 and 6) I will do.
Comment 17 Jose Alonso Cardenas Marquez 2021-01-06 22:02:43 UTC
(In reply to Eirik Oeverby from comment #15) security/gvmd right?
Comment 18 Eirik Oeverby 2021-01-06 22:52:23 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #16)

3 - the -s parameter is from the gvm install message, and I see from the URL you provided that it's wrong even there. By using the -a option instead, it will automatically create all the required certificates. -s seems to be a no-op, at least it is not documented anywhere. And gsad will not start with default options unless

su -m gvm -c "gvm-manage-certs -a"

is run.

4 - When accessing http://<ip>:9492/ after starting gsad (the web interface).
Comment 19 Eirik Oeverby 2021-01-06 22:52:54 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #17)
> security/gvmd right?

Not sure what you are referring to / asking here?
Comment 20 Jose Alonso Cardenas Marquez 2021-01-06 23:20:58 UTC
(In reply to Eirik Oeverby from comment #19)
> Is it possible some HTML is not being installed as it should? I see HTML files
> in the port that don't seem to be installed..

security/gvmd right?
Comment 21 Eirik Oeverby 2021-01-06 23:28:48 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #20) No - security/greenbone-security-assistant
Comment 22 Jose Alonso Cardenas Marquez 2021-01-06 23:37:46 UTC
(In reply to Eirik Oeverby from comment #18)
> 4 - When accessing http://<ip>:9492/ after starting gsad (the web interface).

What did you see in the log files? Are gvmd and ospd-openvas running without problems?
Comment 23 Jose Alonso Cardenas Marquez 2021-01-07 00:17:37 UTC
I found the issues. I'll commit changes asap. Thanks!
Comment 24 commit-hook 2021-01-07 03:29:35 UTC
A commit references this bug:

Author: acm
Date: Thu Jan 7 03:29:21 UTC 2021
New revision: 560676
URL: https://svnweb.freebsd.org/changeset/ports/560676

Log:
  - Fix installation issues. It BROKEN port in runtime
  - Clean up

  PR: 245992
  Reported by: jorgen at larsendata.dk

Changes:
  head/security/greenbone-security-assistant/Makefile
Comment 25 Eirik Oeverby 2021-01-07 12:47:35 UTC
(In reply to commit-hook from comment #24)

Nice. Testing.

While I test, some nitpicking (sorry! :)

- pkg-message.in now says sysrc..., but still says "add to rc.conf". For newcomers this can be confusing.

- stuff gets installed/populated in /var/lib - this is not very FreeBSD-ish. On our standard installations we have very limited space in /var so downloading signatures simply doesn't work. Can this (somewhat easily) be moved to /usr/local somewhere?
Comment 26 Eirik Oeverby 2021-01-07 14:46:01 UTC
(In reply to commit-hook from comment #24)

Also, after the last updates I am unable to create certificates:

[root@freebsd /tmp]# su -m gvm -c "gvm-manage-certs -s"
Generated private key in /tmp/tmp.WAKGKRbc/key.pem.
Jan 7 15:44:07 freebsd gvm-manage-certs: ERROR: Failed to create self signed certificate, see /tmp/tmp.WAKGKRbc/gvm-manage-certs.log for details. Aborting.
ERROR: Failed to create self signed certificate, see /tmp/tmp.WAKGKRbc/gvm-manage-certs.log for details. Aborting.

Content of log file below. I have no idea why this is broken now; I'm having trouble making out the differences in the port revisions, so I don't know what might have changed. It DID work on the first install. It does NOT work on a (completely) fresh installation today.

Generating a 3072 bit RSA private key...
Generating a self signed certificate...
X.509 Certificate Information:
  Version: 3
  Serial Number (hex): 3e68bdbbb5c49058089abf90ce3b3a34cc84301e
  Validity:
    Not Before: Thu Jan 07 14:44:07 UTC 2021
    Not After: Sat Jan 07 14:44:07 UTC 2023
  Subject: C=DE,L=Osnabrueck,O=GVM Users,CN=localhost
  Subject Public Key Algorithm: RSA
  Algorithm Security Level: High (3072 bits)
    Modulus (bits 3072):
    Exponent (bits 24): 01:00:01
  Extensions:
    Basic Constraints (critical):
      Certificate Authority (CA): FALSE
    Subject Key Identifier (not critical):
      bfd9656138142de52aeb1d1ff47070fe7cf76279
Other Information:
  Public Key ID:
    sha1:bfd9656138142de52aeb1d1ff47070fe7cf76279
    sha256:58fa89e41f6086214f3a1d80774fecfac4c85dafa1079a5c8ab52669ddaac83a
  Public Key PIN:
    pin-sha256:WPqJ5B9ghiFPOh2Ad0/s+sTIXa+hB5pcirUmad2qyDo=

Signing certificate...
crt_sign: ASN1 parser: Value is not valid.
Comment 27 Eirik Oeverby 2021-01-08 12:25:36 UTC
(In reply to Eirik Oeverby from comment #26)

To clarify - I don't think your updates are necessarily the reason here. I've reproduced this on several systems, with and without gvm, and it's the same everywhere:

certtool --generate-privkey --outfile key.pem
echo "cn = localhost" > foo
certtool --generate-self-signed --load-privkey key.pem --template foo --outfile cert.pem -d 9999

This worked on Jan 6th. Yesterday it did not. I can't see any relevant changes in the gvm port (/usr/local/bin/gvm-manage-certs is a shell script, and I can't see any changes there).

It's a mystery of epic proportions, this. Not that it breaks (it's gnutls after all), but that it has ever worked..

Can you offer any insights?
Comment 28 Jose Alonso Cardenas Marquez 2021-01-13 04:34:11 UTC
(In reply to Eirik Oeverby from comment #27)

Hi Eirik, sorry for the delay. I was trapped with my job. I tested the gvm ports again and I didn't see errors when I tried to create a self signed certificate:

[root@colosus]:/home/acm # su -m gvm -c "gvm-manage-certs -a"
Generated private key in /tmp/tmp.nNYndEwX/cakey.pem.
Generated self signed certificate in /tmp/tmp.nNYndEwX/cacert.pem.
Installed private key to /var/lib/gvm/private/CA/cakey.pem.
Installed certificate to /var/lib/gvm/CA/cacert.pem.
Generated private key in /tmp/tmp.nNYndEwX/serverkey.pem.
Generated certificate request in /tmp/tmp.nNYndEwX/serverrequest.pem.
Signed certificate request in /tmp/tmp.nNYndEwX/serverrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.nNYndEwX/servercert.pem
Installed private key to /var/lib/gvm/private/CA/serverkey.pem.
Installed certificate to /var/lib/gvm/CA/servercert.pem.
Generated private key in /tmp/tmp.nNYndEwX/clientkey.pem.
Generated certificate request in /tmp/tmp.nNYndEwX/clientrequest.pem.
Signed certificate request in /tmp/tmp.nNYndEwX/clientrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.nNYndEwX/clientcert.pem
Installed private key to /var/lib/gvm/private/CA/clientkey.pem.
Installed certificate to /var/lib/gvm/CA/clientcert.pem.
Removing temporary directory /tmp/tmp.nNYndEwX.

Maybe it could be a problem with gnutls. I have installed 3.6.15 with default options.
Comment 29 Eirik Oeverby 2021-01-23 22:54:25 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #28) Hi, no problem at all. Grateful for your hard work. This was fixed in libtasn1 - there was a bug there causing it to malfunction when built with clang. My next problem is that even on a clean install it does not seem to be able to load scan definitions after fetching the feed. gvmd logs repeated failures importing the definitions. I will try to locate the logs again. Do you have this issue? /Eirik