
Non Official - Greenbone Vulnerability Management version 10 Docker image


gvm10-docker


Suggestions and bug reports are always welcome, just post an issue over at falkowich/gvm10-docker

Tags and versions

This table shows which versions make up which tags on Docker Hub.
See falkowich#17

  • stable » When the latest image has been stable for some time, it is merged to this branch. This is the proposed prod branch.
  • latest » Latest update to the upstream 10.0 release tree.
  • dev » Upstream master, to test new functions and prepare for the next major release.
image type | upstream gvm-libs | docker tag    | local branch | autobuild on dockerhub | description
-----------|-------------------|---------------|--------------|------------------------|-----------------------------
sqlite     | master            | sqlite-dev    | master       | yes                    | sqlite and gsa
psql       | master            | psql-dev      | master       | yes                    | psql and gsa
slave      | master            | slave-dev     | master       | yes                    | scanner (slave) without gsa
sqlite     | 10.0-git          | sqlite-latest | latest       | yes                    | sqlite and gsa
psql       | 10.0-git          | psql-latest   | latest       | yes                    | psql and gsa
slave      | 10.0-git          | slave-latest  | latest       | yes                    | scanner (slave) without gsa
sqlite     | 10.0              | sqlite        | stable       | no                     | sqlite and gsa
psql       | 10.0              | psql          | stable       | no                     | psql and gsa
slave      | 10.0              | slave         | stable       | no                     | scanner (slave) without gsa

(If you can come up with a better way to handle these versions and images, please drop me a line or create an issue about it) :)

Want to chat or have a question about the build? Join up here (slack invite), chat, and perhaps help others out :)

Some examples and info

I tried to do a writeup on how to use these images in a (hopefully) working environment on sadsloth.net.

Sqlite3 DB backend

docker pull falkowich/gvm10:sqlite

And if you want to try out the "bleeding edge" master branch:

docker pull falkowich/gvm10:edge

Use with "docker run"

Start with non-persistent storage

docker run -p 443:443 falkowich/gvm10:sqlite

or with the edge image:

docker run -p 443:443 falkowich/gvm10:edge

Start with mounted volume

This mounts the named Docker volume gvm (stored on the host under /var/lib/docker/volumes/gvm/_data/) at /usr/local/var/lib/gvm/ inside the container.
WARNING - This volume will be lost if/when the container is pruned, so back up the host directory above before pruning.

docker run \
       -p 443:443 \
       -v gvm:/usr/local/var/lib/gvm/ \
       --name gvm10 \
       falkowich/gvm10:sqlite

To check out info about the volume:

docker volume inspect gvm
[
    {
        "CreatedAt": "2019-04-13T19:22:15+02:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/gvm/_data",
        "Name": "gvm",
        "Options": null,
        "Scope": "local"
    }
]

And the same with the edge image:

docker run \
       -p 443:443 \
       -v gvm:/usr/local/var/lib/gvm/ \
       --name gvm10 \
       falkowich/gvm10:edge

PostgreSQL DB backend

docker pull falkowich/gvm10:psql

Use with "docker run"

Start with non-persistent storage

docker run -p 443:443 falkowich/gvm10:psql

Start with mounted volume

WARNING - These volumes (gvm and psql) will be lost if/when the container is pruned, so back them up first.

docker run \
       -p 443:443 \
       -v gvm:/usr/local/var/lib/gvm \
       -v psql:/var/lib/postgresql/ \
       --name gvm10 \
       falkowich/gvm10:psql

To check out info about the volume:

docker volume inspect gvm
[
    {
        "CreatedAt": "2019-04-13T19:22:15+02:00",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/gvm/_data",
        "Name": "gvm",
        "Options": null,
        "Scope": "local"
    }
]

Use with docker-compose

Start in the foreground

docker-compose up

Start in the background (detached)

docker-compose up -d

Check logs

docker-compose logs -f

Maintenance

With docker-compose

Sync SCAP data
docker-compose exec gvm10 /usr/local/sbin/greenbone-scapdata-sync

Sync CERT data
docker-compose exec gvm10 /usr/local/sbin/greenbone-certdata-sync

Sync NVT data
docker-compose exec gvm10 /usr/local/sbin/greenbone-nvt-sync

DB maintenance (--optimize accepts vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache)
docker-compose exec gvm10 /usr/local/sbin/gvmd -v --optimize=vacuum

Change admin password
docker-compose exec gvm10 /usr/local/sbin/gvmd -v --user=admin --new-password=super-secret-password

Update to "latest" image

docker-compose stop
docker-compose pull
docker-compose up -d

With docker

Sync SCAP data
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-scapdata-sync"

Sync CERT data
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-certdata-sync"

Sync NVT data
docker exec -i gvm10 sh -c "/usr/local/sbin/greenbone-nvt-sync"

DB maintenance (--optimize accepts vacuum, analyze, cleanup-config-prefs, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache)
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --optimize=vacuum"

Change admin password
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --user=admin --new-password=super-secret-password"

GSA

Default login: user admin, password admin. Change it with the --new-password command shown under Maintenance before exposing port 443 to anything but localhost.

Master - Slave setup [take 1 :)]

Master Setup

docker run \
       -p 443:443 \
       -p 9391:9391 \
       -v gvm:/usr/local/var/lib/gvm \
       -v psql:/var/lib/postgresql/ \
       --name gvm10 \
       falkowich/gvm10:psql

Slave Setup

docker run \
       -p 9391:9391 \
       -v gvm:/usr/local/var/lib/gvm/ \
       --name gvm10 \
       falkowich/gvm10:slave

Then on the SLAVE (scanner), create the user the master will log in as:
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --create-user=scanner-user"

Write down the generated password (or change it to another one); gvmd prints it like this:
User created with password 'ca3c6307-c8d8-4b96-83c5-cdaffd803671'.

Create a scanner in GSA on the MASTER (I will check out the CLI way later): Configuration > Scanners > New Scanner:

Name: Scanner01
Comment: Remote Scanner
Type: GMP Scanner
Host: IP of the slave
Credentials: New Credentials

  Name: Slave01 Credentials
  Comment: Foo Bar
  Username: scanner-user
  Password: ca3c6307-c8d8-4b96-83c5-cdaffd803671
  [save]
[save]

On the MASTER:
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --get-scanners"

Then you will get the newly created Scanner01, like this:
33d23dc3-00f1-4e4a-82da-1f003303c322 Scanner01

From the SLAVE, copy /var/lib/docker/volumes/gvm/_data/CA/cacert.pem to the MASTER, for example to /tmp/scanner01-cacert.pem

On the MASTER:
sudo cp -arv /tmp/scanner01-cacert.pem /var/lib/docker/volumes/gvm/_data/CA/

Then on the MASTER:
docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd --modify-scanner=33d23dc3-00f1-4e4a-82da-1f003303c322 --scanner-ca-pub=/usr/local/var/lib/gvm/CA/scanner01-cacert.pem"

Now you should be able to start scans from the MASTER and select scanner01 as scanner :)
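Scripting the CA-cert step above on the MASTER host (added example, not code from the falkowich/gvm10-docker repo): it looks up the scanner UUID by name from the --get-scanners output instead of pasting it by hand, refuses anything that is not a PEM certificate or a well-formed UUID, and then runs the same cp and --modify-scanner commands. The container name gvm10, the host volume path and the "<uuid>  <name>" output format are assumed from this page; the sample --get-scanners output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of falkowich/gvm10-docker: attach the copied slave
# CA cert to a scanner on the MASTER. Assumes the master container is named
# gvm10 and the gvm volume lives at the host path `docker volume inspect gvm`
# reports; both can be overridden through the environment.
CONTAINER="${CONTAINER:-gvm10}"
HOST_CA_DIR="${HOST_CA_DIR:-/var/lib/docker/volumes/gvm/_data/CA}"
GVM_CA_DIR="/usr/local/var/lib/gvm/CA"   # the same directory as seen inside the container

# Constructed sample of `gvmd --get-scanners` output (the first UUID is made up).
SAMPLE_GET_SCANNERS='11111111-2222-4333-8444-555555555555  OpenVAS Default
33d23dc3-00f1-4e4a-82da-1f003303c322  Scanner01'

# Exact match for a gvmd-style UUID, so nothing else can end up spliced
# into the --modify-scanner argument.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# scanner_uuid_by_name "<get-scanners output>" "<scanner name>"
# Prints the UUID of exactly one scanner with that name; fails otherwise.
scanner_uuid_by_name() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 {
            name = $0
            sub(/^[^ \t]+[ \t]+/, "", name)   # drop the UUID column
            if (name == want) { print $1; hits++ }
        }
        END { if (hits == 1) exit 0; exit 1 }'
}

# Only accept a file that actually looks like a PEM certificate.
is_pem_cert() {
    [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# register_scanner_ca <scanner name> <copied slave cacert.pem on the master host>
register_scanner_ca() {
    is_pem_cert "$2" || { echo "not a PEM certificate: $2" >&2; return 1; }
    uuid=$(scanner_uuid_by_name \
        "$(docker exec -i "$CONTAINER" sh -c '/usr/local/sbin/gvmd --get-scanners')" "$1") \
        || { echo "scanner '$1' not found or not unique" >&2; return 1; }
    is_uuid "$uuid" || { echo "unexpected scanner id: $uuid" >&2; return 1; }
    file=$(basename "$2")
    sudo cp -a "$2" "$HOST_CA_DIR/$file" || return 1
    docker exec -i "$CONTAINER" sh -c \
        "/usr/local/sbin/gvmd --modify-scanner=$uuid --scanner-ca-pub=$GVM_CA_DIR/$file"
}

# Usage: sh register-scanner-ca.sh Scanner01 /tmp/scanner01-cacert.pem
if [ "$#" -eq 2 ]; then register_scanner_ca "$1" "$2"; fi
```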

This will be rewritten with better information.

Disclaimer

This is an unofficial build and my attempt at building gvm10 docker containers.
One goal is to get a working master/slave setup with a sane workflow.
Hopefully also a usable ansible playbook that can help with the slaves.. But then, perhaps it doesn't get more interesting than this :)

Much info was learned from mikesplain/openvas-docker, which makes good production-ready container builds.

ToDo / Thoughts / Goals

  • better logging?
  • openvas-check-setup type of check?
  • tools like arachni etc

Done [sorta]

  • postgresql build
  • separated containers for sql? (scrapped for the moment)
  • better volume support
  • master/slave images?
  • docker-compose files.
  • Fix workflow with testing before build.. (..lots of PEBKAC tonight..)