Version: 2026.01
Last updated: 2025/12/02 13:10
LRF408 - Application Security
Module Contents
- LRF408 - Application Security
- Module Contents
- The Problem
- Preparation
- Tools
- LAB #1 - Netwox
- 1.1 - Installation
- 1.2 - Usage
- 1.3 - Important warning
- LAB #2 - Greenbone Vulnerability Management (GVM)
- 2.1 - Overview
- 2.2 - Preparation
- 2.3 - Installation
- 2.4 - Configuration
- 2.5 - Usage
- 2.6 - Analysing the Results
- Countermeasures
- LAB #3 - The chroot command
The Problem
Most security flaws are not due to the operating system itself but to the applications installed on it.
Preparation
Tools
LAB #1 - Netwox
The netwox program is a powerful security-testing utility.
1.1 - Installation
Netwox is installed with APT:
root@debian12:~# cd /tmp
root@debian12:/tmp# cd ~
root@debian12:~# apt install netwox -y
1.2 - Usage
root@debian12:~# netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.
######################## MAIN MENU #########################
0 - leave netwox
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff (capture network packets)
e + spoof (create and send packets)
f + record (file containing captured packets)
g + client
h + server
i + ping (check if a computer if reachable)
j + traceroute (obtain list of gateways)
k + scan (computer and port discovery)
l + network audit
m + brute force (check if passwords are weak)
n + remote administration
o + tools not related to network
Select a node (key in 03456abcdefghijklmno):
In interactive mode, netwox is driven through the menus it presents. In our case we want to use one of the tools from the network audit section, so choose menu l:
Select a node (key in 03456abcdefghijklmno): l
###################### network audit #######################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + network audit using Ethernet
b + network audit using IP
c + network audit using TCP
d + network audit using ICMP
e + network audit using ARP
Select a node (key in 0123456abcde):
Then choose menu c:
Select a node (key in 0123456abcde): c
################# network audit using TCP ##################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 76:Synflood
b - 77:Check if seqnum are predictible
c - 78:Reset every TCP packet
d - 79:Acknowledge every TCP SYN
Select a node (key in 0123456abcd):
Our test will be a Synflood against one of our internal servers. We therefore choose menu a:
Select a node (key in 0123456abcd): a
################# help for tool number 76 ##################
Title: Synflood
+------------------------------------------------------------------------+
| This tool sends a lot of TCP SYN packets. |
| It permits to check how a firewall behaves when receiving packets |
| which have to be ignored. |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here |
| is the list of accepted values: |
| - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
| a firewall is installed, or on some systems, this might not work. |
| - 'linkf' means to spoof at link level (currently, only Ethernet is |
| supported). The 'f' means to Fill source Ethernet address. |
| However, if source IP address is spoofed, it might be impossible |
| to Fill it. So, linkf will not work: use linkb or linkfb instead. |
| - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
| source Ethernet address (0:0:0:0:0:0, do not try to Fill it). |
| - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
| source Ethernet address, but if it is not possible, it is left |
| Blank. |
| - 'rawlinkf' means to try 'raw', then try 'linkf' |
| - 'rawlinkb' means to try 'raw', then try 'linkb' |
| - 'rawlinkfb' means to try 'raw', then try 'linkfb' |
| - 'linkfraw' means to try 'linkf', then try 'raw' |
| - 'linkbraw' means to try 'linkb', then try 'raw' |
| - 'linkfbraw' means to try 'linkfb', then try 'raw' |
| - 'link' is an alias for 'linkfb' |
| - 'rawlink' is an alias for 'rawlinkfb' |
| - 'linkraw' is an alias for 'linkfbraw' |
| - 'best' is an alias for 'linkraw'. It should work in all cases. |
| |
| This tool may need to be run with admin privilege in order to spoof. |
+------------------------------------------------------------------------+
Usage: netwox 76 -i ip -p port [-s spoofip]
Parameters:
-i|--dst-ip ip destination IP address {5.6.7.8}
-p|--dst-port port destination port number {80}
-s|--spoofip spoofip IP spoof initialization type {linkbraw}
Example: netwox 76 -i "5.6.7.8" -p "80"
Example: netwox 76 --dst-ip "5.6.7.8" --dst-port "80"
Press 'r' or 'k' to run this tool, or any other key to continue
Then press the [r] or [k] key to run the tool.
Note that netwox can also be used without the interactive menus, provided you know the netwox number of the test to run:
# netwox 76 -i "10.0.2.3" -p "80"
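The Synflood test is meant to show how the target and its firewall behave when flooded with SYN packets, so the server side should be watched while it runs. The following script is an added example, not part of the course or of netwox: it counts half-open (SYN-RECV) TCP sockets per local port from `ss -tan` output and raises an alert above a threshold; the ss output it parses here is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the course page or of netwox: observe the server
# side of the Synflood test by counting half-open TCP connections.
# Assumed input format: the standard columns of `ss -tan`
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample of `ss -tan` output: four half-open connections on port 80
# from different sources, one established session on 80, one half-open on 22.
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
SYN-RECV   0      0      10.0.2.3:80          198.51.100.7:40001
SYN-RECV   0      0      10.0.2.3:80          198.51.100.8:40002
SYN-RECV   0      0      10.0.2.3:80          198.51.100.9:40003
SYN-RECV   0      0      10.0.2.3:80          198.51.100.10:40004
ESTAB      0      0      10.0.2.3:80          10.0.2.15:51000
SYN-RECV   0      0      10.0.2.3:22          203.0.113.9:60000'

# half_open_count PORT: number of SYN-RECV sockets whose local port is PORT.
# Reads ss output on stdin; the port is the last ":"-separated field of
# column 4, so IPv6 addresses such as [::1]:80 are handled too.
half_open_count() {
    awk -v port="$1" '
        $1 == "SYN-RECV" {
            n = split($4, a, ":")
            if (a[n] == port) c++
        }
        END { print c + 0 }'
}

# check_syn_backlog PORT THRESHOLD: returns 0 (OK) when the half-open count on
# PORT is below THRESHOLD, 1 (ALERT) otherwise; prints one summary line.
check_syn_backlog() {
    port="$1"
    threshold="$2"
    count=$(half_open_count "$port")
    if [ "$count" -ge "$threshold" ]; then
        echo "ALERT: port $port has $count half-open connections (threshold $threshold)"
        return 1
    fi
    echo "OK: port $port has $count half-open connections (threshold $threshold)"
    return 0
}

# Demonstration on the constructed sample.
# On a live server under test:  ss -tan | check_syn_backlog 80 200
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_syn_backlog 80 3 || true
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_syn_backlog 22 3
```

Run it in a loop (for example with watch) on the server being tested to see whether half-open connections pile up or are dropped by the firewall.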
1.3 - Important warning
netwox is a powerful tool. Note that:
- it must not be installed on a production server but on the administrator's workstation,
- netwox also exists in a Windows™ version,
- using netwox for any purpose other than testing is forbidden.
LAB #2 - Greenbone Vulnerability Management (GVM)
2.1 - Overview
Greenbone Vulnerability Management (GVM), also known as OpenVAS, is the free successor to the Nessus scanner, which became proprietary. Like Nessus, GVM is a vulnerability scanner that sweeps a host or a range of hosts to try to detect security flaws.
2.2 - Preparation
Set SELinux to permissive mode and disable it in the /etc/selinux/config file:
[root@centos7 ~]# setenforce permissive
[root@centos7 ~]# sed -i 's/=enforcing/=disabled/' /etc/selinux/config
[root@centos7 ~]# reboot
Add a firewall rule so that the HTML interface of the OpenVAS client can be reached:
[root@centos7 ~]# firewall-cmd --zone=public --add-port=9443/tcp --permanent
success
[root@centos7 ~]# firewall-cmd --reload
success
2.3 - Installation
Download and install epel-release-7-14.noarch.rpm:
[root@centos7 ~]# wget https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
--2025-12-01 15:29:01-- https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
Resolving archives.fedoraproject.org (archives.fedoraproject.org)... 38.145.32.23, 38.145.32.22, 38.145.32.24
Connecting to archives.fedoraproject.org (archives.fedoraproject.org)|38.145.32.23|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15608 (15K) [application/x-rpm]
Saving to: ‘epel-release-7-14.noarch.rpm’
100%[========================================================================================================================================================================>] 15,608 --.-K/s in 0.03s
2025-12-01 15:29:01 (532 KB/s) - ‘epel-release-7-14.noarch.rpm’ saved [15608/15608]
[root@centos7 ~]# yum localinstall epel-release-7-14.noarch.rpm --nogpgcheck
Then install openvas-scanner, openvas-manager, openvas-gsa and openvas-cli with yum:
[root@centos7 ~]# yum install openvas-scanner openvas-manager openvas-gsa openvas-cli coreutils openssl
2.4 - Configuration
The OpenVAS commands are the following:
[root@centos7 ~]# ls -l /usr/sbin/openvas*
-rwxr-xr-x. 1 root root 18066 Sep 6 2016 /usr/sbin/openvas-certdata-sync
-rwxr-xr-x. 1 root root 2182496 Sep 6 2016 /usr/sbin/openvasmd
-rwxr-xr-x. 1 root root 37993 Sep 6 2016 /usr/sbin/openvas-migrate-to-postgres
-rwxr-xr-x. 1 root root 11998 Sep 6 2016 /usr/sbin/openvas-mkcert
-rwxr-xr-x. 1 root root 10976 Sep 6 2016 /usr/sbin/openvas-nvt-sync
-rwxr-xr-x. 1 root root 766 Sep 6 2016 /usr/sbin/openvas-nvt-sync-cron
-rwxr-xr-x. 1 root root 2555 Sep 6 2016 /usr/sbin/openvas-portnames-update
-rwxr-xr-x. 1 root root 38378 Sep 6 2016 /usr/sbin/openvas-scapdata-sync
-rwxr-xr-x. 1 root root 86640 Sep 6 2016 /usr/sbin/openvassd
- /usr/sbin/openvas-mkcert: generates an SSL certificate,
- /usr/sbin/openvas-nvt-sync: updates the OpenVAS plugins (NVTs),
- /usr/sbin/openvassd: starts the OpenVAS server (the scanner daemon).
Now run the openvas-check-setup command:
[root@centos7 ~]# openvas-check-setup
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.6.
ERROR: No CA certificate file of OpenVAS Scanner found.
FIX: Run 'openvas-mkcert'.
ERROR: Your OpenVAS-8 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
Important - Note the error ERROR: No CA certificate file of OpenVAS Scanner found.
So create an SSL certificate:
[root@centos7 ~]# openvas-mkcert
-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.
CA certificate life time in days [1460]: 3650
Server certificate life time in days [365]: 3650
Your country (two letter code) [DE]: UK
Your state or province name [none]: SURREY
Your location (e.g. town) [Berlin]: ADDLESTONE
Your organization [OpenVAS Users United]: I2TCH LIMITED
-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------
Congratulations. Your server certificate was properly created.
The following files were created:
. Certification authority:
Certificate = /etc/pki/openvas/CA/cacert.pem
Private key = /etc/pki/openvas/private/CA/cakey.pem
. OpenVAS Server :
Certificate = /etc/pki/openvas/CA/servercert.pem
Private key = /etc/pki/openvas/private/CA/serverkey.pem
Press [ENTER] to exit
[Enter]
[root@centos7 ~]#
Run the openvas-check-setup command again:
[root@centos7 ~]# openvas-check-setup
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.6.
OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
/bin/openvas-check-setup: line 219: redis-server: command not found
ERROR: No redis-server installation found.
FIX: You should install redis-server for improved scalability and ability to trace/debug the KB
ERROR: Your OpenVAS-8 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
Important - Note the error ERROR: No redis-server installation found.
So install redis:
[root@centos7 ~]# yum install redis
Enable (uncomment) the following two lines in the /etc/redis.conf file:
...
# unixsocket /tmp/redis.sock
# unixsocketperm 700
...
[root@centos7 ~]# sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf
Add the line kb_location = /tmp/redis.sock to the /etc/openvas/openvassd.conf file:
...
# KB test replay :
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
kb_location = /tmp/redis.sock
#--- end of the KB section
...
Enable and start the redis service:
[root@centos7 ~]# systemctl enable redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
[root@centos7 ~]# systemctl start redis
[root@centos7 ~]# systemctl status redis
● redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/redis.service.d
└─limit.conf
Active: active (running) since Mon 2025-12-01 15:45:16 CET; 3s ago
Main PID: 13037 (redis-server)
CGroup: /system.slice/redis.service
└─13037 /usr/bin/redis-server 127.0.0.1:6379
Dec 01 15:45:16 centos7.fenestros.loc systemd[1]: Starting Redis persistent key-value database...
Dec 01 15:45:16 centos7.fenestros.loc systemd[1]: Started Redis persistent key-value database.
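The scanner only finds its knowledge base if the unixsocket line in redis.conf is really uncommented and its path is identical to kb_location in openvassd.conf, and the socket should stay owner-only (unixsocketperm 700) so other local users cannot read or alter scan data. The following script is an added example, not part of the course or of OpenVAS: it cross-checks the two files, demonstrated here on constructed excerpts before and after the sed command above.

```shell
#!/bin/sh
# Added example, not part of the course page or of OpenVAS: cross-check the
# redis unix socket settings against the scanner's kb_location. Both file paths
# are parameters so the check can run on copies or on the real /etc files.

# redis_socket_path REDIS_CONF: the active (uncommented) unixsocket value, if any.
redis_socket_path() {
    awk '$1 == "unixsocket" { print $2 }' "$1" | tail -n 1
}

# redis_socket_perm REDIS_CONF: the active unixsocketperm value, if any.
redis_socket_perm() {
    awk '$1 == "unixsocketperm" { print $2 }' "$1" | tail -n 1
}

# scanner_kb_location OPENVASSD_CONF: the value of "kb_location = ..." with
# surrounding whitespace removed; commented lines do not match.
scanner_kb_location() {
    awk -F'=' '$1 ~ /^[[:space:]]*kb_location[[:space:]]*$/ {
        gsub(/[[:space:]]/, "", $2); print $2 }' "$1" | tail -n 1
}

# check_kb_config REDIS_CONF OPENVASSD_CONF: returns 0 when redis listens on the
# socket the scanner expects and the socket is owner-only (700); otherwise
# prints one FAIL line per problem and returns 1.
check_kb_config() {
    sock=$(redis_socket_path "$1")
    perm=$(redis_socket_perm "$1")
    kb=$(scanner_kb_location "$2")
    rc=0
    if [ -z "$sock" ]; then
        echo "FAIL: no active unixsocket line in $1 (still commented out?)"
        rc=1
    fi
    if [ -z "$kb" ]; then
        echo "FAIL: no kb_location line in $2"
        rc=1
    elif [ -n "$sock" ] && [ "$sock" != "$kb" ]; then
        echo "FAIL: redis socket '$sock' differs from kb_location '$kb'"
        rc=1
    fi
    if [ "$perm" != "700" ]; then
        echo "FAIL: unixsocketperm is '${perm:-unset}', expected 700"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: redis socket $sock matches kb_location, perm $perm"
    return "$rc"
}

# Constructed excerpts standing in for the real files.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
# /etc/redis.conf before the sed command of the lab: both lines still commented.
cat > "$DEMO_DIR/redis.conf.before" <<'EOF'
port 6379
# unixsocket /tmp/redis.sock
# unixsocketperm 700
EOF
# /etc/redis.conf after the sed command.
cat > "$DEMO_DIR/redis.conf.after" <<'EOF'
port 6379
unixsocket /tmp/redis.sock
unixsocketperm 700
EOF
# /etc/openvas/openvassd.conf with the kb_location line added.
cat > "$DEMO_DIR/openvassd.conf" <<'EOF'
# KB test replay :
kb_max_age = 864000
kb_location = /tmp/redis.sock
#--- end of the KB section
EOF

check_kb_config "$DEMO_DIR/redis.conf.before" "$DEMO_DIR/openvassd.conf" || true
check_kb_config "$DEMO_DIR/redis.conf.after" "$DEMO_DIR/openvassd.conf"
```

On the lab machine the same check runs as check_kb_config /etc/redis.conf /etc/openvas/openvassd.conf.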
Run the openvas-check-setup command once more:
[root@centos7 ~]# openvas-check-setup
...
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.6.
OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
OK: redis-server is present in version v=3.2.10.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
ERROR: The NVT collection is very small.
FIX: Run a synchronization script like openvas-nvt-sync or greenbone-nvt-sync.
...
Important - Note the error ERROR: The NVT collection is very small.
Download the greenbone-nvt-sync script:
[root@centos7 ~]# wget https://www.dropbox.com/scl/fi/10hf8fpdq2yhd821qb5pk/greenbone-nvt-sync?rlkey=7f4taliexlpg54pa1c1yz8czx&st=tkvnjg55
[root@centos7 ~]# mv greenbone-nvt-sync?rlkey=7f4taliexlpg54pa1c1yz8czx greenbone-nvt-sync
If you cannot download the greenbone-nvt-sync script, copy its contents below and create it yourself:
[root@centos7 ~]# vi greenbone-nvt-sync
[root@centos7 ~]# cat greenbone-nvt-sync
#!/bin/sh
# Copyright (C) 2009-2021 Greenbone Networks GmbH
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# This script updates the local Network Vulnerability Tests (NVTs) from the
# Greenbone Security Feed (GSF) or the Greenbone Community Feed (GCF).
VERSION=@OPENVAS_VERSION@
# SETTINGS
# ========
# PRIVATE_SUBDIR defines a subdirectory of the NVT directory that is excluded
# from the feed sync. This is where to place your own NVTs.
if [ -z "$PRIVATE_SUBDIR" ]
then
PRIVATE_SUBDIR="private"
fi
# RSYNC_DELETE controls whether files which are not part of the repository will
# be removed from the local directory after synchronization. The default value
# for this setting is
# "--delete --exclude \"$PRIVATE_SUBDIR/\"",
# which means that files which are not part of the feed or private directory
# will be deleted.
RSYNC_DELETE="--delete --exclude $PRIVATE_SUBDIR/"
# RSYNC_SSH_OPTS contains options which should be passed to ssh for the rsync
# connection to the repository.
RSYNC_SSH_OPTS="-o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\""
# RSYNC_COMPRESS specifies the compression level to use for the rsync connection.
RSYNC_COMPRESS="--compress-level=9"
# RSYNC_CHMOD specifies the permissions to chmod the files to.
RSYNC_CHMOD="--perms --chmod=Fugo+r,Fug+w,Dugo-s,Dugo+rx,Dug+w"
# Verbosity flag for rsync. "-q" means a quiet rsync, "-v" a verbose rsync.
RSYNC_VERBOSE="-q"
# RSYNC_OPTIONS controls the general parameters for the rsync connection.
RSYNC_OPTIONS="--links --times --omit-dir-times $RSYNC_VERBOSE --recursive --partial --progress"
# Script and feed information which will be made available to user through
# command line options and automated tools.
# Script name which will be used for logging
SCRIPT_NAME="greenbone-nvt-sync"
# Result of selftest () is stored here. If it is not 0, the selftest has failed
# and the sync script is unlikely to work.
SELFTEST_FAIL=0
# Port to use for synchronization. Default value is 24.
PORT=24
# Directory where the OpenVAS configuration is located
OPENVAS_SYSCONF_DIR="@OPENVAS_SYSCONF_DIR@"
# Directory where the feed update lock file will be placed.
OPENVAS_FEED_LOCK_PATH="@OPENVAS_FEED_LOCK_PATH@"
# Location of the GSF Access Key
ACCESS_KEY="@GVM_ACCESS_KEY_DIR@/gsf-access-key"
# If ENABLED is set to 0, the sync script will not perform a synchronization.
ENABLED=1
# LOG_CMD defines the command to use for logging. To have logger log to stderr
# as well as syslog, add "-s" here. The logging facility is checked. In case of error
# all will be logged in the standard error and the socket error check will be
# disabled.
LOG_CMD="logger -t $SCRIPT_NAME"
check_logger () {
logger -p daemon.info -t $SCRIPT_NAME "Checking logger" --no-act 1>/dev/null 2>&1
if [ $? -gt 0 ]
then
LOG_CMD="logger -s -t $SCRIPT_NAME"
$LOG_CMD -p daemon.warning "The log facility is not working as expected. All messages will be written to the standard error stream."
fi
}
check_logger
# Source configuration file if it is readable
[ -r $OPENVAS_SYSCONF_DIR/greenbone-nvt-sync.conf ] && . $OPENVAS_SYSCONF_DIR/greenbone-nvt-sync.conf
# NVT_DIR is the place where the NVTs are located.
if [ -z "$NVT_DIR" ]
then
NVT_DIR="@OPENVAS_NVT_DIR@"
fi
log_write () {
$LOG_CMD -p daemon.notice $1
}
log_debug () {
$LOG_CMD -p daemon.debug "$1"
}
log_info () {
$LOG_CMD -p daemon.info "$1"
}
log_notice () {
$LOG_CMD -p daemon.notice "$1"
}
log_warning () {
$LOG_CMD -p daemon.warning "$1"
}
log_err () {
$LOG_CMD -p daemon.err "$1"
}
stderr_write ()
{
echo "$1" > /dev/stderr
}
# Read the general information about the feed origin from
# the file "plugin_feed_info.inc" inside the feed directory.
get_feed_info ()
{
INFOFILE="$NVT_DIR/plugin_feed_info.inc"
if [ -r $INFOFILE ] ; then
FEED_VERSION=`grep PLUGIN_SET $INFOFILE | sed -e 's/[^0-9]//g'`
FEED_NAME=`awk -F\" '/PLUGIN_FEED/ { print $2 }' $INFOFILE`
FEED_VENDOR=`awk -F\" '/FEED_VENDOR/ { print $2 }' $INFOFILE`
FEED_HOME=`awk -F\" '/FEED_HOME/ { print $2 }' $INFOFILE`
FEED_PRESENT=1
else
FEED_PRESENT=0
fi
if [ -z "$FEED_NAME" ] ; then
FEED_NAME="Unidentified Feed"
fi
if [ -z "$FEED_VENDOR" ] ; then
FEED_VENDOR="Unidentified Vendor"
fi
if [ -z "$FEED_HOME" ] ; then
FEED_HOME="Unidentified Feed Homepage"
fi
}
# Prevent that root executes this script
if [ "`id -u`" -eq "0" ]
then
stderr_write "$0 must not be executed as privileged user root"
stderr_write
stderr_write "Unlike the actual scanner the sync routine does not need privileges."
stderr_write "Accidental execution as root would prevent later overwriting of"
stderr_write "files with a non-privileged user."
log_err "Denied to run as root"
exit 1
fi
# Always try to get the information when started.
# This also ensures variables like FEED_PRESENT are set.
get_feed_info
# Determine whether a GSF access key is present. If yes,
# then use the Greenbone Security Feed. Else use the
# Greenbone Community Feed.
if [ -e $ACCESS_KEY ]
then
RESTRICTED=1
else
RESTRICTED=0
if [ -z "$COMMUNITY_NVT_RSYNC_FEED" ]; then
COMMUNITY_NVT_RSYNC_FEED=rsync://feed.community.greenbone.net:/nvt-feed
# An alternative syntax which might work if the above doesn't:
# COMMUNITY_NVT_RSYNC_FEED=rsync@feed.community.greenbone.net::/nvt-feed
fi
fi
RSYNC=`command -v rsync`
if [ -z "$TMPDIR" ]; then
SYNC_TMP_DIR=/tmp
# If we have mktemp, create a temporary dir (safer)
if [ -n "`which mktemp`" ]; then
SYNC_TMP_DIR=`mktemp -t -d greenbone-nvt-sync.XXXXXXXXXX` || { echo "ERROR: Cannot create temporary directory for file download" >&2; exit 1 ; }
trap "rm -rf $SYNC_TMP_DIR" EXIT HUP INT TRAP TERM
fi
else
SYNC_TMP_DIR="$TMPDIR"
fi
# Initialize this indicator variable with default assuming the
# feed is not up-to-date.
FEED_CURRENT=0
# This function uses gos-state-manager to get information about the settings.
# If gos-state-manager is not installed the values of the settings can not be
# retrieved.
#
# Input: option
# Output: value as string or empty String if gos-state-manager is not installed
# or option not set
get_value ()
{
value=""
key=$1
if which gos-state-manager 1>/dev/null 2>&1
then
if gos-state-manager get "$key.value" 1>/dev/null 2>&1
then
value="$(gos-state-manager get "$key.value")"
fi
fi
echo "$value"
}
# Creates a restricted access copy of the access key if necessary.
setup_temp_access_key () {
if [ -e "$ACCESS_KEY" ]
then
FILE_ACCESS=`stat -c%a "$ACCESS_KEY" | cut -c2-`
fi
if [ -n "$FILE_ACCESS" ] && [ "00" != "$FILE_ACCESS" ]
then
TEMP_ACCESS_KEY_DIR=`mktemp -d`
TEMP_ACCESS_KEY="$TEMP_ACCESS_KEY_DIR/gsf-access-key"
cp "$ACCESS_KEY" "$TEMP_ACCESS_KEY"
chmod 400 "$TEMP_ACCESS_KEY"
else
TEMP_ACCESS_KEY_DIR=""
TEMP_ACCESS_KEY="$ACCESS_KEY"
fi
}
# Deletes the read-only copy of the access key.
cleanup_temp_access_key () {
if [ -n "$TEMP_ACCESS_KEY_DIR" ]
then
rm -rf "$TEMP_ACCESS_KEY_DIR"
fi
TEMP_ACCESS_KEY_DIR=""
TEMP_ACCESS_KEY=""
}
is_feed_current () {
if [ -z "$FEED_VERSION" ]
then
log_write "Could not determine feed version."
FEED_CURRENT=0
return $FEED_CURRENT
fi
if [ -z "$RSYNC" ]
then
log_notice "rsync not available, skipping feed version test"
FEED_CURRENT=0
rm -rf $FEED_INFO_TEMP_DIR
cleanup_temp_access_key
return 0
fi
FEED_INFO_TEMP_DIR=`mktemp -d`
if [ -e $ACCESS_KEY ]
then
gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
syncport=$(get_value syncport)
if [ "$syncport" ]
then
PORT="$syncport"
fi
read feeduser < $ACCESS_KEY
custid=`awk -F@ 'NR > 1 { exit }; { print $1 }' $ACCESS_KEY`
if [ -z "$feeduser" ] || [ -z "$custid" ]
then
log_err "Could not determine credentials, aborting synchronization."
exit 1
fi
setup_temp_access_key
if [ "$gsmproxy" = "proxy_feed" ] || [ -z "$gsmproxy" ]
then
RSYNC_SSH_PROXY_CMD=""
else
if [ -e $OPENVAS_SYSCONF_DIR/proxyauth ] && [ -r $OPENVAS_SYSCONF_DIR/proxyauth ]
then
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $OPENVAS_SYSCONF_DIR/proxyauth\""
else
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
fi
fi
rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD "$feeduser"plugin_feed_info.inc $FEED_INFO_TEMP_DIR
if [ $? -ne 0 ]
then
log_err "Error: rsync failed."
rm -rf "$FEED_INFO_TEMP_DIR"
exit 1
fi
else
# Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
# IP blocking due to network equipment in between keeping the previous connection too long open.
sleep 5
log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
eval "$RSYNC -ltvrP \"$COMMUNITY_NVT_RSYNC_FEED/plugin_feed_info.inc\" \"$FEED_INFO_TEMP_DIR\""
if [ $? -ne 0 ]
then
log_err "rsync failed, aborting synchronization."
rm -rf "$FEED_INFO_TEMP_DIR"
exit 1
fi
fi
FEED_VERSION_SERVER=`grep PLUGIN_SET $FEED_INFO_TEMP_DIR/plugin_feed_info.inc | sed -e 's/[^0-9]//g'`
if [ -z "$FEED_VERSION_SERVER" ]
then
log_err "Could not determine server feed version."
rm -rf $FEED_INFO_TEMP_DIR
cleanup_temp_access_key
exit 1
fi
# Check against FEED_VERSION
if [ $FEED_VERSION -lt $FEED_VERSION_SERVER ] ; then
FEED_CURRENT=0
else
FEED_CURRENT=1
fi
# Cleanup
rm -rf "$FEED_INFO_TEMP_DIR"
cleanup_temp_access_key
return $FEED_CURRENT
}
do_rsync_community_feed () {
# Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
# IP blocking due to network equipment in between keeping the previous connection too long open.
sleep 5
log_notice "Configured NVT rsync feed: $COMMUNITY_NVT_RSYNC_FEED"
mkdir -p "$NVT_DIR"
eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_NVT_RSYNC_FEED\" \"$NVT_DIR\" --exclude=plugin_feed_info.inc"
if [ $? -ne 0 ] ; then
log_err "rsync failed."
exit 1
fi
# Sleep for five seconds (after the above rsync call) to prevent IP blocking due
# to network equipment in between keeping the previous connection too long open.
sleep 5
eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_NVT_RSYNC_FEED/plugin_feed_info.inc\" \"$NVT_DIR\""
if [ $? -ne 0 ] ; then
log_err "rsync failed."
exit 1
fi
}
sync_nvts(){
if [ $ENABLED -ne 1 ]
then
log_write "NVT synchronization is disabled, exiting."
exit 0
fi
if [ -e $ACCESS_KEY ]
then
log_write "Synchronizing NVTs from the Greenbone Security Feed into $NVT_DIR..."
if [ $FEED_PRESENT -eq 1 ] ; then
FEEDCOUNT=`grep -E "nasl$|inc$" $NVT_DIR/md5sums | wc -l`
log_write "Current status: Using $FEED_NAME at version $FEED_VERSION ($FEEDCOUNT NVTs)"
else
log_write "Current status: No feed installed."
fi
notsynced=1
retried=0
mkdir -p "$NVT_DIR"
read feeduser < $ACCESS_KEY
custid=`awk -F@ 'NR > 1 { exit }; { print $1 }' $ACCESS_KEY`
if [ -z "$feeduser" ] || [ -z "$custid" ]
then
log_err "Could not determine credentials, aborting synchronization."
exit 1
fi
setup_temp_access_key
while [ $notsynced -eq 1 ]
do
gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
syncport=$(get_value syncport)
if [ "$syncport" ]
then
PORT="$syncport"
fi
if [ "$gsmproxy" = "proxy_feed" ] || [ -z "$gsmproxy" ]
then
RSYNC_SSH_PROXY_CMD=""
else
if [ -e $OPENVAS_SYSCONF_DIR/proxyauth ] && [ -r $OPENVAS_SYSCONF_DIR/proxyauth ]; then
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $OPENVAS_SYSCONF_DIR/proxyauth\""
else
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
fi
fi
rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" --exclude=plugin_feed_info.inc $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD $feeduser $NVT_DIR
if [ $? -ne 0 ] ; then
log_err "rsync failed, aborting synchronization."
exit 1
fi
rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TEMP_ACCESS_KEY" $RSYNC_OPTIONS $RSYNC_DELETE $RSYNC_COMPRESS $RSYNC_CHMOD "$feeduser"plugin_feed_info.inc $NVT_DIR
if [ $? -ne 0 ] ; then
log_err "rsync failed, aborting synchronization."
exit 1
fi
eval "cd \"$NVT_DIR\" ; md5sum -c --status \"$NVT_DIR/md5sums\""
if [ $? -ne 0 ] ; then
if [ "$retried" -eq 1 ]    # retried starts at 0, so testing for a non-empty value would abort on the first failure
then
log_err "Feed integrity check failed twice, aborting synchronization."
cleanup_temp_access_key
exit 1
else
log_write "The feed integrity check failed. This may be due to a concurrent feed update or other temporary issues."
log_write "Sleeping 15 seconds before retrying ..."
sleep 15
retried=1
fi
else
notsynced=0
fi
done
cleanup_temp_access_key
log_write "Synchronization with the Greenbone Security Feed successful."
get_feed_info
if [ $FEED_PRESENT -eq 1 ] ; then
FEEDCOUNT=`grep -E "nasl$|inc$" $NVT_DIR/md5sums | wc -l`
log_write "Current status: Using $FEED_NAME at version $FEED_VERSION ($FEEDCOUNT NVTs)"
else
log_write "Current status: No feed installed."
fi
else
log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
do_rsync_community_feed
fi
}
do_self_test ()
{
MD5SUM_AVAIL=`command -v md5sum`
if [ $? -ne 0 ] ; then
SELFTEST_FAIL=1
stderr_write "The md5sum binary could not be found."
fi
RSYNC_AVAIL=`command -v rsync`
if [ $? -ne 0 ] ; then
SELFTEST_FAIL=1
stderr_write "The rsync binary could not be found."
fi
}
do_describe ()
{
echo "This script synchronizes an NVT collection with the '$FEED_NAME'."
echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'."
echo "Online information about this feed: '$FEED_HOME'."
}
do_feedversion () {
if [ $FEED_PRESENT -eq 1 ] ; then
echo $FEED_VERSION
else
stderr_write "The file containing the feed version could not be found."
exit 1
fi
}
do_sync ()
{
do_self_test
if [ $SELFTEST_FAIL -ne 0 ] ; then
exit $SELFTEST_FAIL
fi
if [ $FEED_CURRENT -eq 1 ]
then
log_write "Feed is already current, skipping synchronization."
else
(
chmod +660 $OPENVAS_FEED_LOCK_PATH
flock -n 9
if [ $? -eq 1 ] ; then
log_warning "Another process related to the feed update is already running"
exit 1
fi
date > $OPENVAS_FEED_LOCK_PATH
sync_nvts
echo -n $OPENVAS_FEED_LOCK_PATH
)9>>$OPENVAS_FEED_LOCK_PATH
fi
}
do_help () {
echo "$0: Sync NVT data"
echo " --describe display current feed info"
echo " --feedcurrent just check if feed is up-to-date"
echo " --feedversion display version of this feed"
echo " --help display this help"
echo " --identify display information"
echo " --nvtdir dir set dir as NVT directory"
echo " --selftest perform self-test and set exit code"
echo " --verbose makes the sync process print details"
echo " --version display version"
echo ""
echo ""
echo "Environment variables:"
echo "NVT_DIR where to extract plugins (absolute path)"
echo "PRIVATE_SUBDIR subdirectory of \$NVT_DIR to exclude from synchronization"
echo "TMPDIR temporary directory used to download the files"
echo "Note that you can use standard ones as well (e.g. RSYNC_PROXY) for rsync"
echo ""
exit 0
}
while test $# -gt 0; do
case "$1" in
--version)
echo $VERSION
exit 0
;;
--identify)
echo "NVTSYNC|$SCRIPT_NAME|$VERSION|$FEED_NAME|$RESTRICTED|NVTSYNC"
exit 0
;;
--selftest)
do_self_test
exit $SELFTEST_FAIL
;;
--describe)
do_describe
exit 0
;;
--feedversion)
do_feedversion
exit 0
;;
--help)
do_help
exit 0
;;
--nvt-dir)
NVT_DIR="$2"
shift
;;
--feedcurrent)
is_feed_current
exit $?
;;
--verbose)
RSYNC_VERBOSE="-v"
;;
esac
shift
done
do_sync
exit 0
Make the script executable:
[root@centos7 ~]# chmod +x greenbone-nvt-sync
Move the script to /usr/sbin/:
[root@centos7 ~]# mv greenbone-nvt-sync /usr/sbin
mv: overwrite ‘/usr/sbin/greenbone-nvt-sync’? y
Become the trainee user and update the OpenVAS plugins:
[root@centos7 ~]# su - trainee
Last login: Mon Dec 1 15:30:45 CET 2025 on pts/0
[trainee@centos7 ~]$ greenbone-nvt-sync
...
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be temporarily blocked.
receiving incremental file list
plugin_feed_info.inc
330 100% 322.27kB/s 0:00:00 (xfr#1, to-chk=0/1)
sent 57 bytes received 436 bytes 328.67 bytes/sec
total size is 330 speedup is 0.67
[trainee@centos7 ~]$ exit
[root@centos7 ~]#
Important - If the command fails, simply re-run it. As the server banner states, only one sync at a time is allowed per source IP, otherwise the IP is temporarily blocked, so wait for any running sync to finish before retrying.
Move the plugins to the /var/lib/openvas/plugins directory. The odd directory name is the unsubstituted @OPENVAS_NVT_DIR@ build-time placeholder from the script, which rsync therefore created literally, relative to trainee's home directory:
[root@centos7 ~]# mv /home/trainee/@OPENVAS_NVT_DIR@/* /var/lib/openvas/plugins
Then check that the previous command succeeded. Everything is owned by trainee, and the 2023-2025 and attic subdirectories are mode 0700 as created by the rsync; whichever account runs openvassd must be able to read them:
[root@centos7 ~]# ls -l /var/lib/openvas/plugins/ | more
total 41280
drwxr-xr-x.   6 trainee trainee   24576 Dec  1 11:30 2008
drwxr-xr-x.  14 trainee trainee   65536 Dec  1 11:30 2009
drwxr-xr-x.  12 trainee trainee   65536 Dec  1 11:30 2010
drwxr-xr-x.  13 trainee trainee  118784 Dec  1 11:30 2011
drwxr-xr-x.  14 trainee trainee  102400 Dec  1 11:30 2012
drwxr-xr-x.  11 trainee trainee   86016 Dec  1 11:30 2013
drwxr-xr-x.  13 trainee trainee   81920 Dec  1 11:30 2014
drwxr-xr-x.  15 trainee trainee  118784 Dec  1 11:30 2015
drwxr-xr-x.  17 trainee trainee  159744 Dec  1 11:30 2016
drwxr-xr-x.  70 trainee trainee  126976 Dec  1 11:30 2017
drwxr-xr-x. 288 trainee trainee    8192 Dec  1 11:30 2018
drwxr-xr-x. 215 trainee trainee    8192 Dec  1 11:30 2019
drwxr-xr-x. 181 trainee trainee    8192 Dec  1 11:30 2020
drwxr-xr-x. 154 trainee trainee    8192 Dec  1 11:30 2021
drwxr-xr-x. 149 trainee trainee    4096 Dec  1 11:30 2022
drwx------. 136 trainee trainee    4096 Dec  1 11:30 2023
drwx------. 127 trainee trainee    4096 Dec  1 11:30 2024
drwx------. 132 trainee trainee    4096 Dec  1 11:30 2025
-rw-r--r--.   1 trainee trainee    2311 Dec  1 11:08 adaptbb_detect.nasl
-rw-r--r--.   1 trainee trainee    1786 Dec  1 11:08 afs_version.nasl
-rw-r--r--.   1 trainee trainee    2448 Dec  1 11:08 amanda_detect.nasl
-rw-r--r--.   1 trainee trainee    2432 Dec  1 11:08 amanda_version.nasl
-rw-r--r--.   1 trainee trainee    1492 Dec  1 11:08 aol_installed.nasl
-rw-r--r--.   1 trainee trainee    2746 Dec  1 11:08 apachehttp_config_defaults.nasl
-rw-r--r--.   1 trainee trainee    8186 Dec  1 11:08 apache_ofbiz_http_detect.nasl
-rw-r--r--.   1 trainee trainee    5553 Dec  1 11:08 apache_prds.inc
-rw-r--r--.   1 trainee trainee    4210 Dec  1 11:08 apache_server_info.nasl
-rw-r--r--.   1 trainee trainee    4624 Dec  1 11:08 apache_server_status.nasl
-rw-r--r--.   1 trainee trainee    6726 Dec  1 11:08 apache_SSL_complain.nasl
-rw-r--r--.   1 trainee trainee    2117 Dec  1 11:08 apache_tomcat_config.nasl
-rw-r--r--.   1 trainee trainee    2569 Dec  1 11:08 AproxEngine_detect.nasl
-rw-r--r--.   1 trainee trainee    2496 Dec  1 11:08 arcserve_backup_detect.nasl
-rw-r--r--.   1 trainee trainee    1937 Dec  1 11:08 arkoon.nasl
-rw-r--r--.   1 trainee trainee    6878 Dec  1 11:08 asip-status.nasl
-rw-r--r--.   1 trainee trainee    3797 Dec  1 11:08 atmail_detect.nasl
drwx------.   9 trainee trainee   20480 Dec  1 11:30 attic
-rw-r--r--.   1 trainee trainee    1914 Dec  1 11:08 auth_enabled.nasl
-rw-r--r--.   1 trainee trainee    2016 Dec  1 11:08 aventail_asap_http_detect.nasl
-rw-r--r--.   1 trainee trainee 1638960 Dec  1 11:08 bad_dsa_ssh_host_keys.txt
-rw-r--r--.   1 trainee trainee 1638960 Dec  1 11:08 bad_rsa_ssh_host_keys.txt
-rw-r--r--.   1 trainee trainee   54323 Dec  1 11:08 bad_ssh_host_keys.inc
-rw-r--r--.   1 trainee trainee   15064 Dec  1 11:08 bad_ssh_keys.inc
-rw-r--r--.   1 trainee trainee    2507 Dec  1 11:08 barracuda_im_firewall_detect.nasl
-rw-r--r--.   1 trainee trainee    2827 Dec  1 11:08 base_detect.nasl
-rw-r--r--.   1 trainee trainee    4464 Dec  1 11:08 basilix_detect.nasl
-rw-r--r--.   1 trainee trainee    3144 Dec  1 11:08 bgp_detect.nasl
-rw-r--r--.   1 trainee trainee   23162 Dec  1 11:08 bin.inc
-rw-r--r--.   1 trainee trainee    2745 Dec  1 11:08 bloofoxCMS_detect.nasl
-rw-r--r--.   1 trainee trainee    1531 Dec  1 11:08 bluecoat_mgnt_console.nasl
-rw-r--r--.   1 trainee trainee    2576 Dec  1 11:08 boastMachine_detect.nasl
-rw-r--r--.   1 trainee trainee    1359 Dec  1 11:08 brother_printers.inc
-rw-r--r--.   1 trainee trainee    3450 Dec  1 11:08 bugbear.nasl
-rw-r--r--.   1 trainee trainee    3639 Dec  1 11:08 bugzilla_detect.nasl
-rw-r--r--.   1 trainee trainee    5301 Dec  1 11:08 byte_func.inc
--More--
Run the openvas-check-setup command again:
[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
ERROR: No client certificate file of OpenVAS Manager found.
FIX: Run 'openvas-mkcert-client -n -i'
ERROR: Your OpenVAS-8 installation is not yet complete!
...
Important - Note the error ERROR: No client certificate file of OpenVAS Manager found.
Check the meaning of the options suggested for the openvas-mkcert-client command (the script only accepts single-dash options, hence the complaint about --help):
[root@centos7 ~]# openvas-mkcert-client --help
/bin/openvas-mkcert-client: illegal option -- -
Usage:
openvas-mkcert-client [OPTION...] - Create SSL client certificates for OpenVAS.
Options:
-h Display help
-n Run non-interactively, create certificates
and register with the OpenVAS scanner
-i Install client certificates for use with OpenVAS manager
So run openvas-mkcert-client -i (without -n, so that the script prompts for the certificate fields instead of using its defaults):
[root@centos7 ~]# openvas-mkcert-client -i
This script will now ask you the relevant information to create the SSL client certificates for OpenVAS.

Client certificates life time in days [365]: 3650
Your country (two letter code) [DE]: UK
Your state or province name [none]: SURREY
Your location (e.g. town) [Berlin]: ADDLESTONE
Your organization [none]: I2TCH LIMITED
Your organizational unit [none]: TRAINING

**********
We are going to ask you some question for each client certificate.
If some question has a default answer, you can force an empty answer by entering a single dot '.'
*********

Client certificates life time in days [3650]:
Country (two letter code) [UK]:
State or province name [SURREY]:
Location (e.g. town) [ADDLESTONE]:
Organization [I2TCH LIMITED]:
Organization unit [TRAINING]:
e-Mail []: infos@i2tch.eu
Generating RSA private key, 4096 bit long modulus
....++
.......++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.13962/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :ASN.1 12:'SURREY'
localityName          :ASN.1 12:'ADDLESTONE'
organizationName      :ASN.1 12:'I2TCH LIMITED'
organizationalUnitName:ASN.1 12:'TRAINING'
commonName            :ASN.1 12:'om'
emailAddress          :IA5STRING:'infos@i2tch.eu'
Certificate is to be certified until Jun 17 02:03:34 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
/bin/openvas-mkcert-client: line 370: [: argument expected
Run openvas-check-setup once more. The trailing '[: argument expected' message comes from a shell test inside the openvas-mkcert-client script itself and does not affect the certificate, which the check now finds:
[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db)
FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.
WARNING: OpenVAS Scanner is NOT running!
SUGGEST: Start OpenVAS Scanner (openvassd).
ERROR: Your OpenVAS-8 installation is not yet complete!
...
Important - Note the error ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db).
To generate the database, OpenVAS Scanner must be running. Enable and start the service:
[root@centos7 ~]# systemctl enable openvas-scanner
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-scanner.service to /usr/lib/systemd/system/openvas-scanner.service.
[root@centos7 ~]# systemctl start openvas-scanner
[root@centos7 ~]# systemctl status openvas-scanner
● openvas-scanner.service - OpenVAS Scanner
Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2025-12-01 16:45:47 CET; 12s ago
Process: 8889 ExecStart=/usr/sbin/openvassd $SCANNER_PORT $SCANNER_LISTEN $SCANNER_SRCIP (code=exited, status=0/SUCCESS)
Main PID: 8890 (openvassd)
CGroup: /system.slice/openvas-scanner.service
├─8890 openvassd: Reloaded 1200 of 138097 NVTs (0% / ETA: 22:48)
└─8891 openvassd (Loading Handler)
Dec 01 16:45:47 centos7.fenestros.loc systemd[1]: Starting OpenVAS Scanner...
Dec 01 16:45:47 centos7.fenestros.loc systemd[1]: Started OpenVAS Scanner.
Now build the database:
[root@centos7 ~]# openvasmd --rebuild --progress
Rebuilding NVT cache... done.
Run the openvas-check-setup command again:
[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 45654 NVTs.
ERROR: No users found. You need to create at least one user to log in.
It is recommended to have at least one user with role Admin.
FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'
...
Important - Note the error ERROR: No users found. You need to create at least one user to log in.
So create a user. The random password generated by openvasmd is replaced here with one equal to the user name; that is acceptable only in this isolated lab, keep the generated password (or set a strong one) on any installation reachable from a network:
[root@centos7 ~]# openvasmd --create-user=fenestros --role=Admin
User created with password 'a5b5eaa9-3600-4604-bf20-bc10d7e5455b'.
[root@centos7 ~]# openvasmd --user=fenestros --new-password=fenestros
Run the openvas-check-setup command once more:
[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 45654 NVTs.
OK: At least one user exists.
ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db)
FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.
ERROR: Your OpenVAS-8 installation is not yet complete!
...
Important - Note the error ERROR: No OpenVAS SCAP database found. (Tried: /var/lib/openvas/scap-data/scap.db).
The next step is therefore to fetch the SCAP (Security Content Automation Protocol) data.
Create the greenbone-feed-sync file:
[root@centos7 ~]# vi greenbone-feed-sync
[root@centos7 ~]# cat greenbone-feed-sync
#!/bin/sh
# Copyright (C) 2011-2020 Greenbone Networks GmbH
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# This script synchronizes a GVM installation with the
# feed data from either the Greenbone Security Feed (in
# case a GSF access key is present) or else from the Greenbone
# Community Feed.
log_notice () {
$LOG_CMD -p daemon.notice "$1"
}
########## SETTINGS
########## ========
# PRIVATE_SUBDIR defines a subdirectory of the feed data directory
# where files not part of the feed or database will not be deleted by rsync.
if [ -z "$PRIVATE_SUBDIR" ]
then
PRIVATE_SUBDIR="private"
fi
# RSYNC_DELETE controls whether files which are not part of the repository will
# be removed from the local directory after synchronization. The default value
# for this setting is
# "--delete --exclude feed.xml --exclude $PRIVATE_SUBDIR/",
# which means that files which are not part of the feed, feed info or private
# directory will be deleted.
RSYNC_DELETE="--delete --exclude feed.xml --exclude \"$PRIVATE_SUBDIR/\""
# RSYNC_SSH_OPTS contains options which should be passed to ssh for the rsync
# connection to the repository.
RSYNC_SSH_OPTS="-o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\""
# RSYNC_COMPRESS specifies the compression level to use for the rsync connection.
RSYNC_COMPRESS="--compress-level=9"
# PORT controls the outgoing TCP port for updates. If PAT/Port-Translation is
# not used, this should be "24". For some application layer firewalls or gates
# the value 22 (Standard SSH) is useful. Only change if you know what you are
# doing.
PORT=24
# SCRIPT_NAME is the name the scripts will use to identify itself and to mark
# log messages.
SCRIPT_NAME="greenbone-feed-sync"
# LOG_CMD defines the command to use for logging. To have logger log to stderr
# as well as syslog, add "-s" here.
LOG_CMD="logger -t $SCRIPT_NAME"
# LOCK_FILE is the name of the file used to lock the feed during sync or update.
if [ -z "$LOCK_FILE" ]
then
LOCK_FILE="@GVM_FEED_LOCK_PATH@"
fi
########## GLOBAL VARIABLES
########## ================
VERSION=@GVMD_VERSION@
[ -r "@GVM_SYSCONF_DIR@/greenbone-feed-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-feed-sync.conf"
if [ -z "$DROP_USER" ]; then
DROP_USER="@GVM_DEFAULT_DROP_USER@"
fi
ACCESSKEY="@GVM_ACCESS_KEY_DIR@/gsf-access-key"
# Note when running as root or restart as $DROP_USER if defined
if [ $(id -u) -eq 0 ]
then
if [ -z "$DROP_USER" ]
then
log_notice "Running as root"
else
log_notice "Started as root, restarting as $DROP_USER"
su --shell /bin/sh --command "$0 $*" "$DROP_USER"
exit $?
fi
fi
# Determine whether a GSF access key is present. If yes,
# then use the Greenbone Security Feed. Else use the
# Greenbone Community Feed.
if [ -e $ACCESSKEY ]
then
RESTRICTED=1
if [ -z "$FEED_VENDOR" ]; then
FEED_VENDOR="Greenbone Networks GmbH"
fi
if [ -z "$FEED_HOME" ]; then
FEED_HOME="https://www.greenbone.net/en/security-feed/"
fi
else
RESTRICTED=0
if [ -z "$FEED_VENDOR" ]; then
FEED_VENDOR="Greenbone Networks GmbH"
fi
if [ -z "$FEED_HOME" ]; then
FEED_HOME="https://community.greenbone.net/t/about-greenbone-community-feed-gcf/1224"
fi
fi
RSYNC=`command -v rsync`
# Current supported feed types (for --type parameter)
FEED_TYPES_SUPPORTED="CERT, SCAP or GVMD_DATA"
########## FUNCTIONS
########## =========
log_debug () {
$LOG_CMD -p daemon.debug "$1"
}
log_info () {
$LOG_CMD -p daemon.info "$1"
}
log_warning () {
$LOG_CMD -p daemon.warning "$1"
}
log_err () {
$LOG_CMD -p daemon.err "$1"
}
init_feed_type () {
if [ -z "$FEED_TYPE" ]
then
echo "No feed type given to --type parameter"
log_err "No feed type given to --type parameter"
exit 1
elif [ "CERT" = "$FEED_TYPE" ]
then
[ -r "@GVM_SYSCONF_DIR@/greenbone-certdata-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-certdata-sync.conf"
FEED_TYPE_LONG="CERT data"
FEED_DIR="@GVM_CERT_DATA_DIR@"
TIMESTAMP="$FEED_DIR/timestamp"
SCRIPT_ID="CERTSYNC"
if [ -z "$COMMUNITY_CERT_RSYNC_FEED" ]; then
COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/cert-data"
# An alternative syntax which might work if the above doesn't:
# COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::cert-data"
else
COMMUNITY_RSYNC_FEED="$COMMUNITY_CERT_RSYNC_FEED"
fi
GSF_RSYNC_PATH="/cert-data"
if [ -e $ACCESSKEY ]; then
if [ -z "$FEED_NAME" ]; then
FEED_NAME="Greenbone CERT Feed"
fi
else
if [ -z "$FEED_NAME" ]; then
FEED_NAME="Greenbone Community CERT Feed"
fi
fi
elif [ "SCAP" = "$FEED_TYPE" ]
then
[ -r "@GVM_SYSCONF_DIR@/greenbone-scapdata-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-scapdata-sync.conf"
FEED_TYPE_LONG="SCAP data"
FEED_DIR="@GVM_SCAP_DATA_DIR@"
TIMESTAMP="$FEED_DIR/timestamp"
SCRIPT_ID="SCAPSYNC"
if [ -z "$COMMUNITY_SCAP_RSYNC_FEED" ]; then
COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/scap-data"
# An alternative syntax which might work if the above doesn't:
# COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::scap-data"
else
COMMUNITY_RSYNC_FEED="$COMMUNITY_SCAP_RSYNC_FEED"
fi
GSF_RSYNC_PATH="/scap-data"
if [ -e $ACCESSKEY ]; then
if [ -z "$FEED_NAME" ]; then
FEED_NAME="Greenbone SCAP Feed"
fi
else
if [ -z "$FEED_NAME" ]; then
FEED_NAME="Greenbone Community SCAP Feed"
fi
fi
elif [ "GVMD_DATA" = "$FEED_TYPE" ]
then
[ -r "@GVM_SYSCONF_DIR@/greenbone-data-objects-sync.conf" ] && . "@GVM_SYSCONF_DIR@/greenbone-data-objects-sync.conf"
FEED_TYPE_LONG="gvmd Data"
FEED_DIR="@GVMD_FEED_DIR@"
TIMESTAMP="$FEED_DIR/timestamp"
SCRIPT_ID="GVMD_DATA_SYNC"
if [ -z "$COMMUNITY_GVMD_DATA_RSYNC_FEED" ]; then
COMMUNITY_RSYNC_FEED="rsync://feed.community.greenbone.net:/data-objects/gvmd/"
# An alternative syntax which might work if the above doesn't:
# COMMUNITY_RSYNC_FEED="rsync@feed.community.greenbone.net::data-objects/gvmd/"
else
COMMUNITY_RSYNC_FEED="$COMMUNITY_GVMD_DATA_RSYNC_FEED"
fi
GSF_RSYNC_PATH="/data-objects/gvmd/"
if [ -e $ACCESSKEY ]; then
if [ -z "$FEED_NAME" ]; then
FEED_NAME="Greenbone gvmd Data Feed"
fi
else
if [ -z "$FEED_NAME" ]; then
FEED_NAME="Greenbone Community gvmd Data Feed"
fi
fi
else
echo "Invalid feed type $FEED_TYPE given to --type parameter. Currently supported: $FEED_TYPES_SUPPORTED"
log_err "Invalid feed type $FEED_TYPE given to --type parameter. Currently supported: $FEED_TYPES_SUPPORTED"
exit 1
fi
}
write_feed_xml () {
if [ -r $TIMESTAMP ]
then
FEED_VERSION=`cat $TIMESTAMP`
else
FEED_VERSION=0
fi
mkdir -p $FEED_DIR
echo '<feed id="6315d194-4b6a-11e7-a570-28d24461215b">' > $FEED_DIR/feed.xml
echo "<type>$FEED_TYPE</type>" >> $FEED_DIR/feed.xml
echo "<name>$FEED_NAME</name>" >> $FEED_DIR/feed.xml
echo "<version>$FEED_VERSION</version>" >> $FEED_DIR/feed.xml
echo "<vendor>$FEED_VENDOR</vendor>" >> $FEED_DIR/feed.xml
echo "<home>$FEED_HOME</home>" >> $FEED_DIR/feed.xml
echo "<description>" >> $FEED_DIR/feed.xml
echo "This script synchronizes a $FEED_TYPE collection with the '$FEED_NAME'." >> $FEED_DIR/feed.xml
echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'." >> $FEED_DIR/feed.xml
echo "Online information about this feed: '$FEED_HOME'." >> $FEED_DIR/feed.xml
echo "</description>" >> $FEED_DIR/feed.xml
echo "</feed>" >> $FEED_DIR/feed.xml
}
create_tmp_key () {
KEYTEMPDIR=`mktemp -d`
cp "$ACCESSKEY" "$KEYTEMPDIR"
TMPACCESSKEY="$KEYTEMPDIR/gsf-access-key"
chmod 400 "$TMPACCESSKEY"
}
remove_tmp_key () {
rm -rf "$KEYTEMPDIR"
}
set_interrupt_trap () {
trap "handle_interrupt $1" 2
}
handle_interrupt () {
echo "$1:X" >&3
}
do_describe () {
echo "This script synchronizes a $FEED_TYPE collection with the '$FEED_NAME'."
echo "The '$FEED_NAME' is provided by '$FEED_VENDOR'."
echo "Online information about this feed: '$FEED_HOME'."
}
do_feedversion () {
if [ -r $TIMESTAMP ]; then
cat $TIMESTAMP
fi
}
# This function uses gos-state-manager to get information about the settings.
# gos-state-manager is only available on a Greenbone OS.
# If gos-state-manager is missing the settings values can not be retrieved.
#
# Input: option
# Output: value as string or empty String if gos-state-manager is not installed
# or option not set
get_value ()
{
value=""
key=$1
if which gos-state-manager 1>/dev/null 2>&1
then
if gos-state-manager get "$key.value" 1>/dev/null 2>&1
then
value="$(gos-state-manager get "$key.value")"
fi
fi
echo "$value"
}
is_feed_current () {
if [ -r $TIMESTAMP ]
then
FEED_VERSION=`cat $TIMESTAMP`
fi
if [ -z "$FEED_VERSION" ]
then
log_warning "Could not determine feed version."
FEED_CURRENT=0
return $FEED_CURRENT
fi
FEED_INFO_TEMP_DIR=`mktemp -d`
if [ -e $ACCESSKEY ]
then
read feeduser < $ACCESSKEY
custid_at_host=`head -1 $ACCESSKEY | cut -d : -f 1`
if [ -z "$feeduser" ] || [ -z "$custid_at_host" ]
then
log_err "Could not determine credentials, aborting synchronization."
rm -rf "$FEED_INFO_TEMP_DIR"
exit 1
fi
gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
syncport=$(get_value syncport)
if [ "$syncport" ]
then
PORT="$syncport"
fi
if [ -z "$gsmproxy" ] || [ "$gsmproxy" = "proxy_feed" ]
then
RSYNC_SSH_PROXY_CMD=""
else
if [ -e $GVM_SYSCONF_DIR/proxyauth ] && [ -r $GVM_SYSCONF_DIR/proxyauth ]; then
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $GVM_SYSCONF_DIR/proxyauth\""
else
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
fi
fi
create_tmp_key
rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $TMPACCESSKEY" -ltvrP --chmod=D+x $RSYNC_DELETE $RSYNC_COMPRESS $custid_at_host:$GSF_RSYNC_PATH/timestamp "$FEED_INFO_TEMP_DIR"
if [ $? -ne 0 ]
then
log_err "rsync failed, aborting synchronization."
rm -rf "$FEED_INFO_TEMP_DIR"
remove_tmp_key
exit 1
fi
remove_tmp_key
else
# Sleep for five seconds (a previous feed might have been synced a few seconds before) to prevent
# IP blocking due to network equipment in between keeping the previous connection too long open.
sleep 5
log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
eval "$RSYNC -ltvrP \"$COMMUNITY_RSYNC_FEED/timestamp\" \"$FEED_INFO_TEMP_DIR\""
if [ $? -ne 0 ]
then
log_err "rsync failed, aborting synchronization."
rm -rf "$FEED_INFO_TEMP_DIR"
exit 1
fi
fi
FEED_VERSION_SERVER=`cat "$FEED_INFO_TEMP_DIR/timestamp"`
if [ -z "$FEED_VERSION_SERVER" ]
then
log_err "Could not determine server feed version."
rm -rf "$FEED_INFO_TEMP_DIR"
exit 1
fi
# Check against FEED_VERSION
if [ $FEED_VERSION -lt $FEED_VERSION_SERVER ]; then
FEED_CURRENT=0
else
FEED_CURRENT=1
fi
# Cleanup
rm -rf "$FEED_INFO_TEMP_DIR"
return $FEED_CURRENT
}
do_help () {
echo "$0: Sync feed data"
if [ -e $ACCESSKEY ]
then
echo "GSF access key found: Using Greenbone Security Feed"
else
echo "No GSF access key found: Using Community Feed"
fi
echo " --describe display current feed info"
echo " --feedversion display version of this feed"
echo " --help display this help"
echo " --identify display information"
echo " --selftest perform self-test"
echo " --type <TYPE> choose type of data to sync ($FEED_TYPES_SUPPORTED)"
echo " --version display version"
echo ""
exit 0
}
do_rsync_community_feed () {
if [ -z "$RSYNC" ]; then
log_err "rsync not found!"
else
# Sleep for five seconds (after is_feed_current) to prevent IP blocking due to
# network equipment in between keeping the previous connection too long open.
sleep 5
log_notice "Using rsync: $RSYNC"
log_notice "Configured $FEED_TYPE_LONG rsync feed: $COMMUNITY_RSYNC_FEED"
mkdir -p "$FEED_DIR"
eval "$RSYNC -ltvrP $RSYNC_DELETE \"$COMMUNITY_RSYNC_FEED\" \"$FEED_DIR\""
if [ $? -ne 0 ]; then
log_err "rsync failed. Your $FEED_TYPE_LONG might be broken now."
exit 1
fi
fi
}
do_sync_community_feed () {
if [ -z "$RSYNC" ]; then
log_err "rsync not found!"
log_err "No utility available in PATH environment variable to download Feed data"
exit 1
else
log_notice "Will use rsync"
do_rsync_community_feed
fi
}
sync_feed_data(){
if [ -e $ACCESSKEY ]
then
log_notice "Found Greenbone Security Feed subscription file, trying to synchronize with Greenbone $FEED_TYPE_LONG Repository ..."
notsynced=1
mkdir -p "$FEED_DIR"
read feeduser < $ACCESSKEY
custid_at_host=`head -1 $ACCESSKEY | cut -d : -f 1`
if [ -z "$feeduser" ] || [ -z "$custid_at_host" ]
then
log_err "Could not determine credentials, aborting synchronization."
exit 1
fi
while [ 0 -ne "$notsynced" ]
do
gsmproxy=$(get_value proxy_feed | sed -r -e 's/^.*\/\///' -e 's/:([0-9]+)$/ \1/')
syncport=$(get_value syncport)
if [ "$syncport" ]
then
PORT="$syncport"
fi
if [ -z "$gsmproxy" ] || [ "$gsmproxy" = "proxy_feed" ]
then
RSYNC_SSH_PROXY_CMD=""
else
if [ -e $GVM_SYSCONF_DIR/proxyauth ] && [ -r $GVM_SYSCONF_DIR/proxyauth ]; then
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p $GVM_SYSCONF_DIR/proxyauth\""
else
RSYNC_SSH_PROXY_CMD="-o \"ProxyCommand corkscrew $gsmproxy %h %p\""
fi
fi
create_tmp_key
rsync -e "ssh $RSYNC_SSH_OPTS $RSYNC_SSH_PROXY_CMD -p $PORT -i $ACCESSKEY" -ltvrP --chmod=D+x $RSYNC_DELETE $RSYNC_COMPRESS $custid_at_host:$GSF_RSYNC_PATH/ $FEED_DIR
if [ 0 -ne "$?" ]; then
log_err "rsync failed, aborting synchronization."
remove_tmp_key
exit 1
fi
remove_tmp_key
notsynced=0
done
log_notice "Synchronization with the Greenbone $FEED_TYPE_LONG Repository successful."
else
log_notice "No Greenbone Security Feed access key found, falling back to Greenbone Community Feed"
do_sync_community_feed
fi
write_feed_xml
}
do_self_test () {
if [ -z "$SELFTEST_STDERR" ]
then
SELFTEST_STDERR=0
fi
if [ -z "$RSYNC" ]
then
if [ 0 -ne $SELFTEST_STDERR ]
then
echo "rsync not found (required)." 1>&2
fi
log_err "rsync not found (required)."
SELFTEST_FAIL=1
fi
}
########## START
########## =====
while test $# -gt 0; do
case "$1" in
"--version"|"--identify"|"--describe"|"--feedversion"|"--selftest"|"--feedcurrent")
if [ -z "$ACTION" ]; then
ACTION="$1"
fi
;;
"--help")
do_help
exit 0
;;
"--type")
FEED_TYPE=$(echo "$2" | tr '[:lower:]-' '[:upper:]_')
shift
;;
esac
shift
done
init_feed_type
write_feed_xml
case "$ACTION" in
--version)
echo $VERSION
exit 0
;;
--identify)
echo "$SCRIPT_ID|$SCRIPT_NAME|$VERSION|$FEED_NAME|$RESTRICTED|$SCRIPT_ID"
exit 0
;;
--describe)
do_describe
exit 0
;;
--feedversion)
do_feedversion
exit 0
;;
--selftest)
SELFTEST_FAIL=0
SELFTEST_STDERR=1
do_self_test
exit $SELFTEST_FAIL
;;
--feedcurrent)
is_feed_current
exit $?
;;
esac
SELFTEST_FAIL=0
do_self_test
if [ $SELFTEST_FAIL -ne 0 ]
then
exit 1
fi
is_feed_current
if [ $FEED_CURRENT -eq 1 ]
then
log_notice "Feed is already current, skipping synchronization."
exit 0
fi
(
chmod +660 $LOCK_FILE
flock -n 9
if [ $? -eq 1 ]; then
log_notice "Sync in progress, exiting."
exit 1
fi
date > $LOCK_FILE
sync_feed_data
echo -n > $LOCK_FILE
) 9>>$LOCK_FILE
exit 0
Make the script executable. Two points in the script deserve attention before it is installed: the @NAME@ tokens (@GVM_FEED_LOCK_PATH@, @GVMD_VERSION@, @GVM_SCAP_DATA_DIR@ and so on) are build-time placeholders that have not been substituted, and the Greenbone Security Feed path passes StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null to ssh, so the feed server's host key is never verified, while the Community Feed path uses the plain rsync:// protocol, which neither authenticates the server nor encrypts the transfer:
[root@centos7 ~]# chmod +x greenbone-feed-sync
Move the script to /usr/sbin/:
[root@centos7 ~]# mv greenbone-feed-sync /usr/sbin/
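Both greenbone-nvt-sync and greenbone-feed-sync as pasted above are Greenbone build templates: every @NAME@ token is meant to be replaced at build time, and the literal /home/trainee/@OPENVAS_NVT_DIR@ directory seen earlier is what happens when it is not. The POSIX shell helper below is an added example for this page, not code from the course or from Greenbone; it lists the placeholders left in a script, substitutes values given on the command line, and reproduces the timestamp comparison that is_feed_current performs. The function names and the CentOS 7 paths used in the demo are illustrative assumptions, not values taken from the page.

```sh
#!/bin/sh
# Added example for this page; not part of the course material or of Greenbone's scripts.
# Pre-flight checks for a greenbone-*-sync script pasted from a build template (the *.in files),
# where tokens such as @GVM_FEED_LOCK_PATH@ or @OPENVAS_NVT_DIR@ are meant to be replaced at build time.
# Plain POSIX sh: grep, sed, sort, mktemp only.

# Print each distinct @NAME@ build-time placeholder still present in the file given as $1.
# Empty output means the script is ready to install. C locale keeps the sort order stable.
unsubstituted_placeholders() {
    grep -o '@[A-Z][A-Z0-9_]*@' "$1" | LC_ALL=C sort -u
}

# Rewrite the file given as $1 to stdout, replacing @NAME@ with the value from each NAME=value
# argument that follows. Values must not contain '|' or whitespace (a deliberate limitation).
substitute_placeholders() {
    file="$1"
    shift
    [ $# -gt 0 ] || { cat "$file"; return; }
    sed_args=""
    for pair in "$@"; do
        name="${pair%%=*}"
        value="${pair#*=}"
        sed_args="$sed_args -e s|@${name}@|${value}|g"
    done
    # $sed_args is intentionally unquoted so each "-e expr" becomes its own argument.
    # shellcheck disable=SC2086
    sed $sed_args "$file"
}

# The same decision is_feed_current makes in greenbone-feed-sync: the feed is current
# unless the local timestamp (YYYYMMDDhhmm, as stored in the feed's timestamp file) is
# numerically older than the server's. Returns 0 = current, 1 = stale, 2 = cannot tell.
feed_is_current() {
    local_ts="$1"
    server_ts="$2"
    [ -n "$local_ts" ] && [ -n "$server_ts" ] || return 2
    [ "$local_ts" -ge "$server_ts" ]
}

# Self-demonstration on a constructed three-line excerpt (not a real script from the page).
# The right-hand side paths are assumed CentOS 7 locations chosen for illustration only.
demo() {
    tmpl=$(mktemp) || return 1
    printf 'LOCK_FILE="@GVM_FEED_LOCK_PATH@"\nVERSION=@GVMD_VERSION@\nFEED_DIR="@GVM_SCAP_DATA_DIR@"\n' > "$tmpl"
    echo "placeholders left in template:"
    unsubstituted_placeholders "$tmpl"
    echo "after substitution:"
    substitute_placeholders "$tmpl" \
        GVM_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
        GVMD_VERSION=6.0.9 \
        GVM_SCAP_DATA_DIR=/var/lib/openvas/scap-data
    rm -f "$tmpl"
    if feed_is_current 202512010500 202512020500; then
        echo "feed current, sync would be skipped"
    else
        echo "feed stale: local 202512010500 < server 202512020500, a sync would run"
    fi
}

demo
```

Run it once with no arguments to see the demo; to check a real template, source the file and call unsubstituted_placeholders /path/to/greenbone-feed-sync, then install the script only when that prints nothing.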
Create the /var/lib/openvas/scap-data/ directory:
[root@centos7 ~]# mkdir /var/lib/openvas/scap-data/
Switch to the trainee user, create an empty scap.db file and synchronise the SCAP data. openvas-check-setup looks for the database at the path given in its 'Tried:' message, so the touch alone clears that error; the SCAP content itself is fetched by the sync commands that follow:
[root@centos7 ~]# su - trainee
Last login: Mon Dec 1 17:30:45 CET 2025 on pts/0
[trainee@centos7 ~]$ touch /var/lib/openvas/scap-data/scap.db
[trainee@centos7 ~]$ greenbone-feed-sync --type SCAP
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be temporarily blocked.
receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfr#1, to-chk=0/1)
sent 43 bytes received 108 bytes 100.67 bytes/sec
total size is 13 speedup is 0.09
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be temporarily blocked.
receiving incremental file list
./
COPYING
1,187 100% 1.13MB/s 0:00:00 (xfr#1, to-chk=26/28)
nvdcve-2.0-2002.xml
19,533,351 100% 62.30MB/s 0:00:00 (xfr#2, to-chk=25/28)
nvdcve-2.0-2003.xml
4,744,330 100% 13.55MB/s 0:00:00 (xfr#3, to-chk=24/28)
nvdcve-2.0-2004.xml
9,416,639 100% 24.47MB/s 0:00:00 (xfr#4, to-chk=23/28)
nvdcve-2.0-2005.xml
15,701,047 100% 23.22MB/s 0:00:00 (xfr#5, to-chk=22/28)
nvdcve-2.0-2006.xml
26,320,892 100% 28.82MB/s 0:00:00 (xfr#6, to-chk=21/28)
nvdcve-2.0-2007.xml
30,567,434 100% 22.08MB/s 0:00:01 (xfr#7, to-chk=20/28)
nvdcve-2.0-2008.xml
29,775,037 100% 37.41MB/s 0:00:00 (xfr#8, to-chk=19/28)
nvdcve-2.0-2009.xml
27,996,918 100% 17.06MB/s 0:00:01 (xfr#9, to-chk=18/28)
nvdcve-2.0-2010.xml
42,684,286 100% 65.87MB/s 0:00:00 (xfr#10, to-chk=17/28)
nvdcve-2.0-2011.xml
83,905,485 100% 51.13MB/s 0:00:01 (xfr#11, to-chk=16/28)
nvdcve-2.0-2012.xml
66,859,075 100% 152.18MB/s 0:00:00 (xfr#12, to-chk=15/28)
nvdcve-2.0-2013.xml
96,064,147 100% 48.94MB/s 0:00:01 (xfr#13, to-chk=14/28)
nvdcve-2.0-2014.xml
98,694,839 100% 48.34MB/s 0:00:01 (xfr#14, to-chk=13/28)
nvdcve-2.0-2015.xml
124,671,234 100% 227.33MB/s 0:00:00 (xfr#15, to-chk=12/28)
nvdcve-2.0-2016.xml
161,692,009 100% 172.29MB/s 0:00:00 (xfr#16, to-chk=11/28)
nvdcve-2.0-2017.xml
189,948,654 100% 141.52MB/s 0:00:01 (xfr#17, to-chk=10/28)
nvdcve-2.0-2018.xml
210,761,959 100% 156.30MB/s 0:00:01 (xfr#18, to-chk=9/28)
nvdcve-2.0-2019.xml
265,685,784 100% 172.95MB/s 0:00:01 (xfr#19, to-chk=8/28)
nvdcve-2.0-2020.xml
294,835,369 100% 134.53MB/s 0:00:02 (xfr#20, to-chk=7/28)
nvdcve-2.0-2021.xml
442,673,740 100% 155.72MB/s 0:00:02 (xfr#21, to-chk=6/28)
nvdcve-2.0-2022.xml
743,192,055 100% 111.53MB/s 0:00:06 (xfr#22, to-chk=5/28)
nvdcve-2.0-2023.xml
599,785,077 100% 67.83MB/s 0:00:08 (xfr#23, to-chk=4/28)
nvdcve-2.0-2024.xml
922,757,332 100% 73.89MB/s 0:00:11 (xfr#24, to-chk=3/28)
nvdcve-2.0-2025.xml
480,360,705 100% 127.96MB/s 0:00:03 (xfr#25, to-chk=2/28)
official-cpe-dictionary_v2.2.xml
784,852,577 100% 251.59MB/s 0:00:02 (xfr#26, to-chk=1/28)
timestamp
13 100% 12.70kB/s 0:00:00 (xfr#27, to-chk=0/28)
sent 2,186,887 bytes received 11,127,079 bytes 117,303.67 bytes/sec
total size is 5,773,481,175 speedup is 433.64
[trainee@centos7 ~]$ greenbone-scapdata-sync
[trainee@centos7 ~]$ exit
Important - If the command fails, simply re-run it, respecting the one-sync-at-a-time rule stated in the server banner.
Run the openvas-check-setup command again:
[root@centos7 ~]# openvas-check-setup
...
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 45654 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db)
FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync.
ERROR: Your OpenVAS-8 installation is not yet complete!
...
Important - Note the error ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db).
Créez le fichier /var/lib/openvas/cert-data/cert.db :
[root@centos7 ~]# touch /var/lib/openvas/cert-data/cert.db
Run the openvas-certdata-sync command:
[root@centos7 ~]# openvas-certdata-sync
Run the openvas-check-setup command once more:
[root@centos7 ~]# openvas-check-setup
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.6.
OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
OK: redis-server is present in version v=3.2.12.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 138097 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /var/cache/openvas contains 138097 files for 138097 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 138097 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
ERROR: OpenVAS Manager is NOT running!
FIX: Start OpenVAS Manager (openvasmd).
ERROR: Greenbone Security Assistant is NOT running!
FIX: Start Greenbone Security Assistant (gsad).
ERROR: Your OpenVAS-8 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
Important - Note the error ERROR: Greenbone Security Assistant is NOT running!.
Enable and start OpenVAS Manager:
[root@centos7 ~]# systemctl enable openvas-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-manager.service to /usr/lib/systemd/system/openvas-manager.service.
[root@centos7 ~]# systemctl start openvas-manager
[root@centos7 ~]# systemctl status openvas-manager
● openvas-manager.service - OpenVAS Manager
Loaded: loaded (/usr/lib/systemd/system/openvas-manager.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2025-12-02 11:51:41 CET; 10s ago
Process: 12237 ExecStart=/usr/sbin/openvasmd $MANAGER_LISTEN $MANAGER_PORT $SCANNER_LISTEN $SCANNER_PORT $MANAGER_OTP (code=exited, status=0/SUCCESS)
Main PID: 12238 (openvasmd)
CGroup: /system.slice/openvas-manager.service
└─12238 openvasmd
Dec 02 11:51:41 centos7.fenestros.loc systemd[1]: Starting OpenVAS Manager...
Dec 02 11:51:41 centos7.fenestros.loc systemd[1]: Started OpenVAS Manager.
Enable and start the Greenbone Security Assistant:
[root@centos7 ~]# systemctl enable openvas-gsa
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-gsa.service to /usr/lib/systemd/system/openvas-gsa.service.
[root@centos7 ~]# systemctl start openvas-gsa
[root@centos7 ~]# systemctl status openvas-gsa
● openvas-gsa.service - OpenVAS Greenbone Security Assistant
Loaded: loaded (/usr/lib/systemd/system/openvas-gsa.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2025-12-02 11:53:08 CET; 1s ago
Process: 12948 ExecStart=/usr/sbin/gsad $GSA_LISTEN $GSA_PORT $MANAGER_LISTEN $MANAGER_PORT $GNUTLSSTRING (code=exited, status=0/SUCCESS)
Main PID: 12949 (gsad)
CGroup: /system.slice/openvas-gsa.service
├─12949 /usr/sbin/gsad --port=9443 --mlisten=127.0.0.1 --mport=9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
└─12950 /usr/sbin/gsad --port=9443 --mlisten=127.0.0.1 --mport=9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
Dec 02 11:53:08 centos7.fenestros.loc systemd[1]: Starting OpenVAS Greenbone Security Assistant...
Dec 02 11:53:08 centos7.fenestros.loc systemd[1]: Started OpenVAS Greenbone Security Assistant.
Run the openvas-check-setup command once more:
[root@centos7 ~]# openvas-check-setup
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.6.
OK: OpenVAS Scanner CA Certificate is present as /etc/pki/openvas/CA/cacert.pem.
OK: redis-server is present in version v=3.2.12.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 138097 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /var/cache/openvas contains 138097 files for 138097 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /etc/pki/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 138097 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
WARNING: No nmap installation found.
SUGGEST: You should install nmap for comprehensive network scanning (see http://nmap.org)
Step 10: Checking presence of optional tools ...
WARNING: Could not find pdflatex binary, the PDF report format will not work.
SUGGEST: Install pdflatex.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
SUGGEST: Install alien.
WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
SUGGEST: Install nsis.
OK: SELinux is disabled.
It seems like your OpenVAS-8 installation is OK.
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
Important - Note the WARNINGs.
Install the suggested packages:
[root@centos7 ~]# yum install nmap texlive-latex-bin-bin alien -y
Run the openvas-check-setup command again:
[root@centos7 ~]# openvas-check-setup
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
SUGGEST: Install nsis.
OK: SELinux is disabled.
It seems like your OpenVAS-8 installation is OK.
...
Important - Note the line WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
To be able to use reports in PDF format, install the following packages:
[root@centos7 ~]# yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec -y
Then download the file comment.sty into the directory /usr/share/texlive/texmf-local/tex/latex/comment and run the texhash command:
[root@centos7 ~]# mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
[root@centos7 ~]# cd /usr/share/texlive/texmf-local/tex/latex/comment
[root@centos7 comment]# wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
--2025-12-02 13:35:43-- http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
Resolving mirrors.ctan.org (mirrors.ctan.org)... 89.58.7.101, 2a03:4000:5e:d33::1
Connecting to mirrors.ctan.org (mirrors.ctan.org)|89.58.7.101|:80... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://mirror.its.dal.ca/ctan/macros/latex/contrib/comment/comment.sty [following]
--2025-12-02 13:35:43-- https://mirror.its.dal.ca/ctan/macros/latex/contrib/comment/comment.sty
Resolving mirror.its.dal.ca (mirror.its.dal.ca)... 192.75.96.254
Connecting to mirror.its.dal.ca (mirror.its.dal.ca)|192.75.96.254|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10197 (10.0K) [application/octet-stream]
Saving to: ‘comment.sty’
100%[========================================================================================================================================================================>] 10,197 --.-K/s in 0s
2025-12-02 13:35:43 (175 MB/s) - ‘comment.sty’ saved [10197/10197]
[root@centos7 comment]# chmod 644 comment.sty
[root@centos7 comment]# texhash
texhash: Updating /usr/share/texlive/texmf/ls-R...
texhash: Updating /usr/share/texlive/texmf-config/ls-R...
texhash: Updating /usr/share/texlive/texmf-dist/ls-R...
texhash: Updating /usr/share/texlive/texmf-local///ls-R...
texhash: Updating /usr/share/texlive/texmf-var/ls-R...
texhash: Done
Run the openvas-check-setup command one last time:
[root@centos7 comment]# openvas-check-setup
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
SUGGEST: Install nsis.
OK: SELinux is disabled.
It seems like your OpenVAS-8 installation is OK.
...
Important - Note the line WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
Download and install the file mingw32-nsis-3.01-1.el7.x86_64.rpm:
[root@centos7 ~]# cd ~
[root@centos7 ~]# wget ftp://ftp.icm.edu.pl/vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64/mingw32-nsis-3.01-1.el7.x86_64.rpm
--2025-12-02 13:46:26-- ftp://ftp.icm.edu.pl/vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64/mingw32-nsis-3.01-1.el7.x86_64.rpm
=> ‘mingw32-nsis-3.01-1.el7.x86_64.rpm’
Resolving ftp.icm.edu.pl (ftp.icm.edu.pl)... 193.219.28.2, 2001:6a0:0:31::2
Connecting to ftp.icm.edu.pl (ftp.icm.edu.pl)|193.219.28.2|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /vol/rzm1/linux-oracle-repo/OracleLinux/OL7/developer_EPEL/x86_64 ... done.
==> SIZE mingw32-nsis-3.01-1.el7.x86_64.rpm ... 1379180
==> PASV ... done. ==> RETR mingw32-nsis-3.01-1.el7.x86_64.rpm ... done.
Length: 1379180 (1.3M) (unauthoritative)
100%[========================================================================================================================================================================>] 1,379,180 2.05MB/s in 0.6s
2025-12-02 13:46:28 (2.05 MB/s) - ‘mingw32-nsis-3.01-1.el7.x86_64.rpm’ saved [1379180]
[root@centos7 ~]# yum localinstall mingw32-nsis-3.01-1.el7.x86_64.rpm --nogpgcheck -y
Run the openvas-check-setup command one last time:
[root@centos7 ~]# openvas-check-setup
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
OK: SELinux is disabled.
It seems like your OpenVAS-8 installation is OK.
...
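The successive openvas-check-setup runs above are read by hand: each ERROR or WARNING is paired with the FIX or SUGGEST line that follows it, and the installation is only complete when no ERROR remains. The shell script below is an added example, not part of the course page or of OpenVAS itself, that does this pairing automatically over the check output; the sample it parses is constructed from the lines shown above, and the field names and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course page): summarise openvas-check-setup
# output as one line per finding, pairing each ERROR/WARNING with the
# FIX/SUGGEST line that follows it.

# Constructed sample, assembled from the check output shown on the page.
SAMPLE_CHECK_OUTPUT='Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 6.0.9.
        ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db)
        FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync.
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 7: Checking if OpenVAS services are up and running ...
        ERROR: OpenVAS Manager is NOT running!
        FIX: Start OpenVAS Manager (openvasmd).
        ERROR: Your OpenVAS-8 installation is not yet complete!'

# Read check output on stdin and print "<step>|<level>|<message>|<remedy>"
# for every ERROR or WARNING. A finding with no FIX/SUGGEST line (such as
# the closing "not yet complete" summary) is printed with an empty remedy.
triage_check_output() {
    awk '
        /^Step [0-9]+:/ { step = $2; sub(/:$/, "", step); next }
        /^[ \t]*(ERROR|WARNING):/ {
            if (pending != "") print pending "|"
            sub(/^[ \t]*/, "")
            level = $1; sub(/:$/, "", level)
            msg = $0; sub(/^[A-Z]+: /, "", msg)
            pending = step "|" level "|" msg
            next
        }
        /^[ \t]*(FIX|SUGGEST):/ {
            if (pending != "") {
                sub(/^[ \t]*/, "")
                remedy = $0; sub(/^[A-Z]+: /, "", remedy)
                print pending "|" remedy
                pending = ""
            }
            next
        }
        END { if (pending != "") print pending "|" }
    '
}

# Number of ERROR findings on stdin; anything other than 0 means the
# installation is still incomplete and the listed FIX lines remain to do.
count_errors() {
    triage_check_output | awk -F'|' '$2 == "ERROR"' | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | triage_check_output
printf 'errors: %s\n' "$(printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | count_errors)"
```

On a real host the same functions are fed with the live output, for example `openvas-check-setup 2>&1 | triage_check_output`; once every FIX from the page has been applied, `count_errors` reports 0 and only the SUGGEST items for optional tools remain.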
2.5 - Usage
Return to the Guacamole home page. Connect to the VM Gateway_10.0.2.40_VNC with the trainee account and the password a39dae707d.
Open a web browser in the VM and enter the address https://10.0.2.51:9443. You will get a window similar to this one:
Create an exception for the self-signed certificate. You will get a window similar to this one:
Enter your user name (fenestros) and its password (fenestros) and click the Login button. You will get a window similar to this one:
In the Quick start box, enter the IP address 10.0.2.51 and click the Start Scan button. You will get a window similar to this one:
Important - You can specify an entire network in the form 10.0.2.0/24.
2.6 - Analysis of the Results
Once the scan is complete, the results can be consulted:
as well as the details of each finding:
You will also find a solution together with an assessment of the risk level, the Risk factor.
Countermeasures
The countermeasures consist of setting up a chroot for certain servers and hardening the configuration of application servers.
LAB #3 - The chroot command
Chrooting isolates a user or a system user (and therefore a server) from the rest of the system.
On Debian 12 the chroot binary is installed by default:
root@debian12:~# which chroot
/usr/sbin/chroot
Start by creating a directory for the user who will be jailed:
root@debian12:~# mkdir /home/prison
The /usr/sbin/chroot binary must be given the SUID bit:
root@debian12:~# ls -l /usr/sbin/chroot
-rwxr-xr-x. 1 root root 48112 Sep 20 2022 /usr/sbin/chroot
root@debian12:~# chmod +s /usr/sbin/chroot
root@debian12:~# ls -l /usr/sbin/chroot
-rwsr-sr-x. 1 root root 48112 Sep 20 2022 /usr/sbin/chroot
Now create a generic login script so that the prison user can log in:
root@debian12:~# vi /bin/chroot
root@debian12:~# cat /bin/chroot
#!/bin/bash
exec -c /usr/sbin/chroot /home/$USER /bin/bash
Make this script executable:
root@debian12:~# chmod +x /bin/chroot
It is now necessary to copy every command the prison user will need. In this example we limit ourselves to copying /bin/bash and /bin/ls together with their associated libraries:
root@debian12:~# mkdir /home/prison/bin
root@debian12:~# cp /bin/bash /home/prison/bin/
root@debian12:~# ldd /bin/bash
linux-vdso.so.1 (0x00007ffd39fcf000)
libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007fef082e8000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fef08106000)
/lib64/ld-linux-x86-64.so.2 (0x00007fef08471000)
root@debian12:~# mkdir /home/prison/lib64
root@debian12:~# mkdir -p /home/prison/lib/x86_64-linux-gnu/
root@debian12:~# cp /lib/x86_64-linux-gnu/libtinfo.so.6 /home/prison/lib/x86_64-linux-gnu/
root@debian12:~# cp /lib/x86_64-linux-gnu/libc.so.6 /home/prison/lib/x86_64-linux-gnu/
root@debian12:~# cp /lib64/ld-linux-x86-64.so.2 /home/prison/lib64
root@debian12:~# cp /bin/ls /home/prison/bin/
root@debian12:~# ldd /bin/ls
linux-vdso.so.1 (0x00007fff3db26000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f8afb9a0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8afb7be000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f8afb724000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8afba0a000)
root@debian12:~# cp /lib/x86_64-linux-gnu/libselinux.so.1 /home/prison/lib/x86_64-linux-gnu/
root@debian12:~# cp /lib/x86_64-linux-gnu/libpcre2-8.so.0 /home/prison/lib/x86_64-linux-gnu/
Now create the chroot group:
root@debian12:~# groupadd chroot
root@debian12:~# cat /etc/group | grep chroot
chroot:x:1001:
Now create the prison user:
root@debian12:~# useradd prison -c chroot_user -d /home/prison -g chroot -s /bin/chroot
Finally, change the owner and group of the /home/prison directory:
root@debian12:~# chown -R prison:chroot /home/prison
Now try to log in as the prison user:
root@debian12:~# su - prison
bash-5.2$ pwd
/
bash-5.2$ ls
bin lib lib64
bash-5.2$ ls -la
total 20
drwxr-xr-x. 5 1001 1001 4096 Dec 1 13:59 .
drwxr-xr-x. 5 1001 1001 4096 Dec 1 13:59 ..
drwxr-xr-x. 2 1001 1001 4096 Dec 1 13:56 bin
drwxr-xr-x. 3 1001 1001 4096 Dec 1 13:59 lib
drwxr-xr-x. 2 1001 1001 4096 Dec 1 13:56 lib64
bash-5.2$ exit
exit
root@debian12:~#
Note that the prison user is chrooted: / is now /home/prison, and the owner and group appear as the numeric IDs 1001 because /etc/passwd and /etc/group do not exist inside the jail.
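The copy steps above (bash, ls and each library that ldd lists for them) are the manual form of a general procedure: for every binary wanted in the jail, copy the file and every library ldd resolves for it, preserving the original paths under the jail directory. The script below is an added example, not part of the course page or of Debian, that automates this for any list of binaries. It assumes it is run as root on Debian 12 with the jail at /home/prison, and it calls /usr/sbin/chroot directly as root, so it does not depend on the SUID bit set earlier. The ldd output format it parses is the one shown above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course page): build a minimal chroot jail by
# copying each requested binary together with the shared libraries that ldd
# reports for it. Assumes it is run as root; the jail path and binaries are
# given on the command line, e.g. ./build_jail.sh /home/prison /bin/bash /bin/ls

# Read ldd output on stdin and print the absolute path of every library.
# Handles both "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" and
# the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)". The virtual
# linux-vdso.so.1 entry has no file on disk and is skipped, as is any
# "=> not found" entry.
ldd_library_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file into the jail, recreating its directory under the jail root
# (so /lib64/ld-linux-x86-64.so.2 lands in <jail>/lib64/).
copy_into_jail() {
    jail="$1"; src="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy a binary and every library ldd resolves for it into the jail.
install_binary_in_jail() {
    jail="$1"; bin="$2"
    copy_into_jail "$jail" "$bin"
    ldd "$bin" | ldd_library_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib"
    done
}

# Build the jail directory for the given list of binaries.
build_jail() {
    jail="$1"; shift
    mkdir -p "$jail"
    for bin in "$@"; do
        install_binary_in_jail "$jail" "$bin"
    done
}

# Check that the copied bash and ls actually run inside the jail: prints
# "ok" when both work with nothing but the files copied above.
verify_jail() {
    chroot "$1" /bin/bash -c 'ls / >/dev/null && echo ok'
}

# Entry point: with no arguments nothing is built, so the functions above
# can also be sourced from another script.
if [ "$#" -ge 2 ]; then
    build_jail "$@"
    verify_jail "$1"
fi
```

After `build_jail /home/prison /bin/bash /bin/ls` the jail contains the same bin, lib and lib64 tree the course builds by hand, and `chown -R prison:chroot /home/prison` followed by `su - prison` gives the session shown above. Adding another command later is a single `install_binary_in_jail /home/prison /bin/cat` rather than a fresh round of ldd and cp.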
Copyright © 2025 Hugh Norris.