官網
https://greenbone.github.io/docs/latest/index.html
docker版本
快速安裝docker
目前的docker已經自帶了docker compose工具,所以無需單獨安裝
$ docker version
Client: Docker Engine - Community
Version: 26.0.0
API version: 1.45
Go version: go1.21.8
Git commit: 2ae903e
Built: Wed Mar 20 15:17:48 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.0.0
API version: 1.45 (minimum version 1.24)
Go version: go1.21.8
Git commit: 8b79278
Built: Wed Mar 20 15:17:48 2024
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: 1.6.28
GitCommit: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
$ docker compose version
Docker Compose version v2.25.0
注意:因為還需要對ipv6地址的主機掃描,所以還需要讓docker支援ipv6的功能
可以參考之前的部落格 如何讓docker支援IPv6
部署
參考
Greenbone 社群容器 - Greenbone 社群文件
docker compose資源清單檔案
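services:
  # One-shot feed containers: each syncs its data into a named volume and then
  # exits 0 (they show up as "Exited (0)" in `docker compose ps -a`; expected).
  vulnerability-tests:
    image: greenbone/vulnerability-tests
    networks:
      - gvm-net
    environment:
      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: greenbone/notus-data
    networks:
      - gvm-net
    volumes:
      - notus_data_vol:/mnt

  scap-data:
    image: greenbone/scap-data
    networks:
      - gvm-net
    volumes:
      - scap_data_vol:/mnt

  cert-bund-data:
    image: greenbone/cert-bund-data
    networks:
      - gvm-net
    volumes:
      - cert_data_vol:/mnt

  dfn-cert-data:
    image: greenbone/dfn-cert-data
    networks:
      - gvm-net
    volumes:
      - cert_data_vol:/mnt
    depends_on:
      - cert-bund-data

  data-objects:
    image: greenbone/data-objects
    networks:
      - gvm-net
    volumes:
      - data_objects_vol:/mnt

  report-formats:
    image: greenbone/report-formats
    networks:
      - gvm-net
    volumes:
      - data_objects_vol:/mnt
    depends_on:
      - data-objects

  gpg-data:
    image: greenbone/gpg-data
    networks:
      - gvm-net
    volumes:
      - gpg_data_vol:/mnt

  # Long-running services.
  redis-server:
    image: greenbone/redis-server
    restart: on-failure
    networks:
      - gvm-net
    volumes:
      - redis_socket_vol:/run/redis/

  pg-gvm:
    image: greenbone/pg-gvm:stable
    restart: on-failure
    networks:
      - gvm-net
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql

  gvmd:
    image: greenbone/gvmd:stable
    restart: on-failure
    networks:
      - gvm-net
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - scap_data_vol:/var/lib/gvm/scap-data/
      - cert_data_vol:/var/lib/gvm/cert-data
      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
      - vt_data_vol:/var/lib/openvas/plugins
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    # gvmd waits for the database and for every feed container to finish.
    depends_on:
      pg-gvm:
        condition: service_started
      scap-data:
        condition: service_completed_successfully
      cert-bund-data:
        condition: service_completed_successfully
      dfn-cert-data:
        condition: service_completed_successfully
      data-objects:
        condition: service_completed_successfully
      report-formats:
        condition: service_completed_successfully

  gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    ports:
      # Loopback only: the web UI is reached through the nginx TLS reverse proxy
      # (proxy_pass to 127.0.0.1:9392), never directly from the network.
      # Quoted so the mapping is always read as a string.
      - "127.0.0.1:9392:80"
    networks:
      - gvm-net
    volumes:
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd

  ospd-openvas:
    image: greenbone/ospd-openvas:stable
    restart: on-failure
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN  # for capturing packets in promiscuous mode
      - NET_RAW  # for raw sockets e.g. used for the boreas alive detection
    # Switches off the default seccomp and AppArmor confinement for this one
    # container. Taken from the upstream compose file; presumably needed together
    # with the capabilities above — confirm before relaxing anything else.
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    networks:
      - gvm-net
    command:
      - "ospd-openvas"
      - "-f"
      - "--config"
      - "/etc/gvm/ospd-openvas.conf"
      - "--mqtt-broker-address"
      - "mqtt-broker"
      - "--notus-feed-dir"
      - "/var/lib/notus/advisories"
      - "-m"
      - "666"  # unix socket mode; quoted so it is not read as an integer
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - notus_data_vol:/var/lib/notus
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully

  mqtt-broker:
    restart: on-failure
    image: greenbone/mqtt-broker
    networks:
      gvm-net:
        # The broker must be the only container holding these names; ospd-openvas
        # (--mqtt-broker-address) and notus-scanner reach it through them.
        aliases:
          - mqtt-broker
          - broker

  notus-scanner:
    restart: on-failure
    image: greenbone/notus-scanner:stable
    volumes:
      - notus_data_vol:/var/lib/notus
      - gpg_data_vol:/etc/openvas/gnupg
    # Plain network membership only. Giving this service the "mqtt-broker"/
    # "broker" aliases as well would make the embedded DNS answer for that name
    # with both containers' addresses, so clients could be pointed at the scanner
    # instead of the broker.
    networks:
      - gvm-net
    environment:
      NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
      NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
    depends_on:
      - mqtt-broker
      - gpg-data
      - vulnerability-tests

  gvm-tools:
    image: greenbone/gvm-tools
    networks:
      - gvm-net
    volumes:
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      - gvmd
      - ospd-openvas

networks:
  gvm-net:
    driver: bridge
    # IPv6 is enabled so the scanner can reach IPv6 targets. The prefix below
    # looks like a placeholder; replace it with a prefix that is actually usable
    # from this host (or a ULA range). The Docker daemon itself must also have
    # IPv6 enabled — see the referenced post on IPv6 support in Docker.
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 2001:1111:1111:1111::/64
          gateway: 2001:1111:1111:1111::1

# Named volumes shared between the feed containers and the services that read
# them. Empty definitions use the Compose defaults.
volumes:
  gpg_data_vol:
  scap_data_vol:
  cert_data_vol:
  data_objects_vol:
  gvmd_data_vol:
  psql_data_vol:
  vt_data_vol:
  notus_data_vol:
  psql_socket_vol:
  gvmd_socket_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol: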
這裡是原docker compose資源清單檔案
# Fetch the upstream compose file (-f: fail on HTTP errors instead of saving an
# error page, -L: follow redirects, -o: output file name).
curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml -o docker-compose.yml
需要做一定的修改,可以直接用我上面貼的修改後的資源清單
執行資源清單
# Start the stack in the background. The feed containers run once and exit 0 when
# their data is synced; the service is only usable after that (minutes to hours).
docker compose up -d
執行後,也無法直接開始掃漏,需要等一段時間,需要載入資源,短則幾分鐘,多則幾小時
建立使用者
# Create the admin user / set its password (replace <password>). The value is
# passed on the command line, so it lands in the shell history and is visible in
# process listings while the command runs — run it from a shell without history
# (or clear the history entry afterwards).
docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'
檢視日誌
# Follow the logs of all services; wait for the readiness messages described in
# the linked source-build documentation before using the UI.
docker compose logs -f
剛啟動時檢視日誌很重要,因為需要看到標誌性的日誌出現,才表示可以正常提供服務了
可以參考這裡
https://greenbone.github.io/docs/latest/22.4/source-build/index.html#vulnerability-tests-data
對應的服務輸出了對應的日誌,則表示初始化完成
檢視容器
$ docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
gvm-gsa-1 greenbone/gsa:stable "/usr/local/bin/entr…" gsa 24 hours ago Up 24 hours 127.0.0.1:9392->80/tcp
gvm-gvmd-1 greenbone/gvmd:stable "/usr/local/bin/entr…" gvmd 24 hours ago Up 24 hours
gvm-mqtt-broker-1 greenbone/mqtt-broker "/bin/sh -c 'mosquit…" mqtt-broker 24 hours ago Up 24 hours
gvm-notus-scanner-1 greenbone/notus-scanner:stable "/usr/local/bin/entr…" notus-scanner 24 hours ago Up 24 hours
gvm-ospd-openvas-1 greenbone/ospd-openvas:stable "/usr/bin/tini -- /u…" ospd-openvas 24 hours ago Up 24 hours
gvm-pg-gvm-1 greenbone/pg-gvm:stable "/usr/local/bin/entr…" pg-gvm 24 hours ago Up 24 hours
gvm-redis-server-1 greenbone/redis-server "/bin/sh -c 'rm -f /…" redis-server 24 hours ago Up 24 hours
看資源清單檔案可以發現其實不止這些容器,還有其他容器
$ docker compose ps -a
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
gvm-cert-bund-data-1 greenbone/cert-bund-data "/bin/init.sh" cert-bund-data 24 hours ago Exited (0) 24 hours ago
gvm-data-objects-1 greenbone/data-objects "/bin/init.sh" data-objects 24 hours ago Exited (0) 24 hours ago
gvm-dfn-cert-data-1 greenbone/dfn-cert-data "/bin/init.sh" dfn-cert-data 24 hours ago Exited (0) 24 hours ago
gvm-gpg-data-1 greenbone/gpg-data "/bin/init.sh" gpg-data 24 hours ago Exited (0) 24 hours ago
gvm-gsa-1 greenbone/gsa:stable "/usr/local/bin/entr…" gsa 24 hours ago Up 24 hours 127.0.0.1:9392->80/tcp
gvm-gvm-tools-1 greenbone/gvm-tools "/usr/local/bin/entr…" gvm-tools 24 hours ago Exited (0) 24 hours ago
gvm-gvmd-1 greenbone/gvmd:stable "/usr/local/bin/entr…" gvmd 24 hours ago Up 24 hours
gvm-mqtt-broker-1 greenbone/mqtt-broker "/bin/sh -c 'mosquit…" mqtt-broker 24 hours ago Up 24 hours
gvm-notus-data-1 greenbone/notus-data "/bin/init.sh" notus-data 24 hours ago Exited (0) 24 hours ago
gvm-notus-scanner-1 greenbone/notus-scanner:stable "/usr/local/bin/entr…" notus-scanner 24 hours ago Up 24 hours
gvm-ospd-openvas-1 greenbone/ospd-openvas:stable "/usr/bin/tini -- /u…" ospd-openvas 24 hours ago Up 24 hours
gvm-pg-gvm-1 greenbone/pg-gvm:stable "/usr/local/bin/entr…" pg-gvm 24 hours ago Up 24 hours
gvm-redis-server-1 greenbone/redis-server "/bin/sh -c 'rm -f /…" redis-server 24 hours ago Up 24 hours
gvm-report-formats-1 greenbone/report-formats "/bin/init.sh" report-formats 24 hours ago Exited (0) 24 hours ago
gvm-scap-data-1 greenbone/scap-data "/bin/init.sh" scap-data 24 hours ago Exited (0) 24 hours ago
gvm-vulnerability-tests-1 greenbone/vulnerability-tests "/bin/init.sh" vulnerability-tests 24 hours ago Exited (0) 24 hours ago
很多容器已經退出(狀態為 Exited (0)),這個不用擔心,只有上面的七個容器是提供服務的,剩下的都是用來初始化的,初始化完成後就會停止
配置https服務
安裝nginx
$ apt install nginx
生成證書
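# Self-signed certificate for the nginx front end. The subject fields are
# placeholders; replace them with your own values.
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
# One step instead of CSR + sign: -x509 emits the self-signed certificate directly.
# -nodes leaves the key unencrypted so nginx can start unattended; -days 3650 = 10 years.
# Browsers validate the subjectAltName (SAN), not the CN, so the address used as
# server_name in nginx must be listed there (-addext needs OpenSSL >= 1.1.1).
openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 3650 \
  -subj "/C=CN/ST=xxxx/L=xxxxx/O=xxxxx Inc./OU=Web Security/CN=xxx.com" \
  -addext "subjectAltName=IP:192.168.140.73,DNS:xxx.com" \
  -keyout server.key -out server.crt
# The private key must not be readable by other users on the host.
chmod 600 server.key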
配置nginx
$ vim /etc/nginx/sites-enabled/default
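# Port 80 only redirects to HTTPS; the UI is never served in clear text.
server {
    listen 80;
    server_name 192.168.140.73;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name 192.168.140.73;
    charset utf-8;

    # Certificate — the files live in /etc/nginx/ssl (paths are relative to the nginx prefix).
    ssl_certificate ssl/server.crt;
    ssl_certificate_key ssl/server.key;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are not offered. TLSv1.3 needs
    # nginx >= 1.13.0 linked against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE/DHE suites with AEAD or SHA-2 only; RC4, 3DES, MD5, NULL, export and
    # PSK/SRP/DSS suites are excluded explicitly.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:SSL:10m;

    # Service — proxy everything to the gsa container, which is published on loopback only.
    location / {
        proxy_pass http://127.0.0.1:9392;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # HTTP/1.1 plus the Upgrade/Connection headers, presumably so that
        # WebSocket-style upgrades pass through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Session cookie: rewrites the leading "/" of a Set-Cookie Path attribute and
        # appends HttpOnly, Secure and SameSite=Strict. This assumes the backend sets
        # Path=/ exactly — for a longer path the remainder would be appended after the
        # flags. nginx >= 1.19.3 has proxy_cookie_flags for this purpose.
        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=Strict";
    }

    # Errors
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}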
啟動服務
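# Validate the configuration first so a typo does not take the proxy down, then
# restart nginx with the new server blocks and make it start at boot.
nginx -t && systemctl restart nginx
systemctl enable nginx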
之後就可以透過瀏覽器以 https 訪問了
然後使用上面建立的使用者名稱和密碼登入