From 84c32cb662aa057ed3504e22c94ad22c4650b592 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 19 Jan 2024 19:36:18 +0100
Subject: add initial version for greenbone

---
 chaos-at-home/ch-greenbone.yml | 18 +++
 chaos-at-home/ch-mon.yml | 1 +
 chaos-at-home/ch-testvm-phoebe.yml | 5 +
 chaos-at-home/host_vars/ch-greenbone.yml | 9 ++
 inventory/group_vars/chaos-at-home/network.yml | 1 +
 inventory/group_vars/chaos-at-home/vars.yml | 4 +
 inventory/host_vars/ch-greenbone.yml | 87 ++++++++++
 inventory/host_vars/ch-testvm-phoebe.yml | 4 +
 inventory/hosts.ini | 2 +
 roles/greenbone/server/defaults/main.yml | 10 ++
 roles/greenbone/server/tasks/main.yml | 59 +++++++
 .../server/templates/docker-compose-22.4.yml.j2 | 179 +++++++++++++++++++++
 roles/greenbone/target/defaults/main.yml | 5 +
 roles/greenbone/target/tasks/main.yml | 15 ++
 14 files changed, 399 insertions(+)
 create mode 100644 chaos-at-home/ch-greenbone.yml
 create mode 100644 chaos-at-home/host_vars/ch-greenbone.yml
 create mode 100644 inventory/host_vars/ch-greenbone.yml
 create mode 100644 roles/greenbone/server/defaults/main.yml
 create mode 100644 roles/greenbone/server/tasks/main.yml
 create mode 100644 roles/greenbone/server/templates/docker-compose-22.4.yml.j2
 create mode 100644 roles/greenbone/target/defaults/main.yml
 create mode 100644 roles/greenbone/target/tasks/main.yml

diff --git a/chaos-at-home/ch-greenbone.yml b/chaos-at-home/ch-greenbone.yml
new file mode 100644
index 00000000..f04effbc
--- /dev/null
+++ b/chaos-at-home/ch-greenbone.yml
@@ -0,0 +1,18 @@
+---
+- name: Basic Setup
+  hosts: ch-greenbone
+  roles:
+    - role: apt-repo/base
+    - role: core/base
+    - role: core/sshd/base
+    - role: core/zsh
+    - role: core/ntp
+
+- name: Payload Setup
+  hosts: ch-greenbone
+  roles:
+    - role: storage/lvm/base
+    - role: nginx/base
+    - role: x509/static-ca/base
+    - role: docker/engine
+    - role: greenbone/server
diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml
index bb0100c7..547bd77e 100644
--- a/chaos-at-home/ch-mon.yml
+++ b/chaos-at-home/ch-mon.yml
@@ -14,6 +14,7 @@
     - role: network/nftables/base
     - role: storage/lvm/base
     - role: nginx/base
+    - role: x509/static-ca/base
     - role: apt-repo/spreadspace
     - role: nginx/auth/whawty-sso/base
     - role: nginx/auth/whawty-sso/auth
diff --git a/chaos-at-home/ch-testvm-phoebe.yml b/chaos-at-home/ch-testvm-phoebe.yml
index e791839b..bcb4d92e 100644
--- a/chaos-at-home/ch-testvm-phoebe.yml
+++ b/chaos-at-home/ch-testvm-phoebe.yml
@@ -7,3 +7,8 @@
     - role: core/sshd/base
     - role: core/zsh
     - role: core/ntp
+
+- name: Payload Setup
+  hosts: ch-testvm-phoebe
+  roles:
+    - role: greenbone/target
diff --git a/chaos-at-home/host_vars/ch-greenbone.yml b/chaos-at-home/host_vars/ch-greenbone.yml
new file mode 100644
index 00000000..ff72e0f5
--- /dev/null
+++ b/chaos-at-home/host_vars/ch-greenbone.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
+32373931633332336638643137633863323734343737313464656330653064323135386638386330
+6665386131366531633637356231303630653663383832310a623766626331353038356638663562
+63643761383761313161343061323834333366353438663837323965323439633737383335393266
+6365343162303033370a613234306338346530663563363638313166336239323932333364353338
+32316237313432356566353531613638656337396333306630303231303336386239616137366335
+35646535373764343638626264393731333430643535376132306134363332613137323062343763
+37356434343666616165303930393736306537386362366536346639306239306634336538663537
+35353865633265376365
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index a4db5907..3e007657 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -90,6 +90,7 @@ network_zones:
       __svc_http__: 80
       __svc_imap__: 143
       ch-mon: 230
+      ch-greenbone: 231
       ch-router-obsd: 253
       ch-router: 254
   #############
diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml
index 2b9cdbf9..76b1fab7 100644
--- a/inventory/group_vars/chaos-at-home/vars.yml
+++ b/inventory/group_vars/chaos-at-home/vars.yml
@@ -47,3 +47,7 @@ chaos_at_home_internal_ca_cert: |
   N+KMguLblXN36LvwTK5l4iWAfMO77F6dZUzi6VrAY1jF/Sff+V6o/vDhBFEJFzZG
   5AV4fhfS7jK1Fg3k
   -----END CERTIFICATE-----
+
+
+greenbone_target_user_ssh_keys:
+  - ssh-rsa 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
diff --git a/inventory/host_vars/ch-greenbone.yml b/inventory/host_vars/ch-greenbone.yml
new file mode 100644
index 00000000..674b102e
--- /dev/null
+++ b/inventory/host_vars/ch-greenbone.yml
@@ -0,0 +1,87 @@
+---
+install_jumphost: ch-jump
+
+install:
+  vm:
+    memory: 8G
+    numcpus: 4
+    autostart: False
+    disks:
+      primary: /dev/sda
+      scsi:
+        sda:
+          type: zfs
+          name: root
+          size: 30g
+          properties:
+            'syncoid:sync': 'false'
+  interfaces:
+    - bridge: br-svc
+      name: svc0
+
+network:
+  nameservers: "{{ network_zones.svc.dns }}"
+  domain: "{{ host_domain }}"
+  systemd_link:
+    interfaces: "{{ install.interfaces }}"
+  primary: &_network_primary_
+    name: svc0
+    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
+    gateway: "{{ network_zones.svc.gateway }}"
+    static_routes:
+      - destination: "{{ network_zones.lan.prefix }}"
+        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+  interfaces:
+    - *_network_primary_
+
+ntp_variant: systemd-timesyncd
+
+
+docker_pkg_provider: docker-com
+docker_plugins:
+  - compose
+
+docker_storage:
+  type: lvm
+  vg: "{{ host_name }}"
+  lv: docker
+  size: 20G
+  fs: ext4
+
+
+greenbone_server_version: 22.4
+greenbone_server_hostname: "{{ host_name }}.{{ host_domain }}"
+greenbone_server_tls:
+  certificate_provider: static-ca
+  certificate_config:
+    mode: "0750"
+    owner: root
+    group: www-data
+    ca:
+      key_content: "{{ chaos_at_home_internal_ca_key }}"
+      cert_content: "{{ chaos_at_home_internal_ca_cert }}"
+    key:
+      mode: "0640"
+      owner: root
+      group: www-data
+      type: RSA
+      size: 4096
+    cert:
+      mode: "0644"
+      owner: root
+      group: www-data
+      common_name: "{{ host_name }}"
+      san_extra: "{{ ['IP:'] | product(ansible_all_ipv4_addresses) | map('join') | list }}"
+      key_usage:
+        - digitalSignature
+        - keyAgreement
+      key_usage_critical: yes
+      extended_key_usage:
+        - serverAuth
+      extended_key_usage_critical: yes
+      create_subject_key_identifier: yes
+      not_before: +0h
+      not_after: +365d
+      renew_margin: +70d
+
+greenbone_server_admin_password: "{{ vault_greenbone_server_admin_password }}"
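Review bot: `greenbone_server_version: 22.4` is parsed as a float, and the server role builds the template name from it (`docker-compose-{{ greenbone_server_version }}.yml.j2`), so a future value such as 22.10 would render as `22.1` and miss the template; write it as a string, `greenbone_server_version: "22.4"`. The same float literal is in roles/greenbone/server/defaults/main.yml. The truthy spellings in this file (`autostart: False`, `key_usage_critical: yes`, `extended_key_usage_critical: yes`, `create_subject_key_identifier: yes`) should be the canonical `true`/`false`. `san_extra` also puts every address in `ansible_all_ipv4_addresses` into the certificate; once docker/engine is applied this presumably includes the Docker bridge address, so a one-line comment stating that this is intended would help.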
diff --git a/inventory/host_vars/ch-testvm-phoebe.yml b/inventory/host_vars/ch-testvm-phoebe.yml
index d15e4142..df89e810 100644
--- a/inventory/host_vars/ch-testvm-phoebe.yml
+++ b/inventory/host_vars/ch-testvm-phoebe.yml
@@ -39,3 +39,7 @@ network:
     address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
 
 ntp_variant: systemd-timesyncd
+
+
+####
+sshd_allowusers_host: "{{ admin_users_host + ['greenbone'] }}"
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 90240b52..0bc9c91d 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -35,6 +35,7 @@ ch-installsmb host_name=installsmb
 ch-iot host_name=iot
 ch-vpn host_name=vpn
 ch-mon host_name=mon
+ch-greenbone host_name=greenbone
 ch-epimetheus host_name=epimetheus
 ch-mclr host_name=mclr
 ch-mcbr host_name=mcbr
@@ -401,6 +402,7 @@ ch-vpn
 ch-mon
 ch-k8s-ctrl
 ch-installsmb
+ch-greenbone
 [vmhost-ch-prometheus]
 ch-prometheus
 [vmhost-ch-prometheus:children]
diff --git a/roles/greenbone/server/defaults/main.yml b/roles/greenbone/server/defaults/main.yml
new file mode 100644
index 00000000..9844fdbb
--- /dev/null
+++ b/roles/greenbone/server/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+greenbone_server_version: 22.4
+
+# greenbone_server_hostname: greenbone.example.com
+
+# greenbone_server_tls:
+#   certificate_provider: ...
+#   ...
+
+# greenbone_server_admin_password: secret
diff --git a/roles/greenbone/server/tasks/main.yml b/roles/greenbone/server/tasks/main.yml
new file mode 100644
index 00000000..e66d0418
--- /dev/null
+++ b/roles/greenbone/server/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: create base directory
+  file:
+    path: "/var/lib/greenbone/{{ greenbone_server_hostname }}"
+    state: directory
+
+- name: copy docker compose file
+  template:
+    src: "docker-compose-{{ greenbone_server_version }}.yml.j2"
+    dest: "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml"
+
+## TODO: replace this with proper ansible modules once the v2 modules get released
+- name: get list of running compose projects
+  check_mode: no
+  command: "docker compose ls --format json --filter 'name=^{{ greenbone_server_hostname }}$'"
+  changed_when: False
+  register: greenbone_server_compose_list
+
+- name: initial compose setup
+  when: (greenbone_server_compose_list.stdout | from_json | length) == 0
+  block:
+    - name: pull greenbone images
+      command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" pull
+
+    - name: start greenbone
+      command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" up -d
+
+    - name: set admin password
+      command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" exec -u gvmd gvmd gvmd --user=admin --new-password="{{ greenbone_server_admin_password }}"
+      register: greenbone_server_set_admin_password
+      until: "greenbone_server_set_admin_password is not failed"
+      retries: 15
+      delay: 5
+
+- name: compute nginx vhost config
+  vars:
+    greenbone_server_vhost_base:
+      name: greenbone
+      mode: "0600"
+      template: generic
+      hostnames:
+        - "{{ greenbone_server_hostname }}"
+      locations:
+        '/':
+          proxy_pass: "http://127.0.0.1:9392"
+    greenbone_server_vhost_override__yaml: |
+      {% if greenbone_server_tls is defined %}
+      tls:
+        {{ greenbone_server_tls | to_nice_yaml(indent=2) | indent(2) }}
+      {% endif %}
+  set_fact:
+    greenbone_server_vhost: "{{ greenbone_server_vhost_base | combine(greenbone_server_vhost_override__yaml | from_yaml, recursive=True) }}"
+
+- name: configure nginx vhost
+  vars:
+    nginx_vhost:
+      "{{ greenbone_server_vhost }}"
+  include_role:
+    name: nginx/vhost
diff --git a/roles/greenbone/server/templates/docker-compose-22.4.yml.j2 b/roles/greenbone/server/templates/docker-compose-22.4.yml.j2
new file mode 100644
index 00000000..85742836
--- /dev/null
+++ b/roles/greenbone/server/templates/docker-compose-22.4.yml.j2
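Review bot: The "set admin password" task passes `greenbone_server_admin_password` on the `docker compose exec` command line, so the secret ends up in the registered result and in Ansible's task output on every one of the up to 15 retries (and is briefly visible in the host's process list); add `no_log: true` to that task. A second gap in the "initial compose setup" block: pull and `up -d` only run when no compose project exists yet, so a later change to the rendered compose file (or to `greenbone_server_version`) is written to disk by "copy docker compose file" but never applied — register that task's result and run `up -d` when it reports changed. `check_mode: no` and `changed_when: False` would read better as `false`, matching the canonical boolean spelling.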
@@ -0,0 +1,179 @@
+services:
+  vulnerability-tests:
+    image: greenbone/vulnerability-tests
+    environment:
+      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
+    volumes:
+      - vt_data_vol:/mnt
+
+  notus-data:
+    image: greenbone/notus-data
+    volumes:
+      - notus_data_vol:/mnt
+
+  scap-data:
+    image: greenbone/scap-data
+    volumes:
+      - scap_data_vol:/mnt
+
+  cert-bund-data:
+    image: greenbone/cert-bund-data
+    volumes:
+      - cert_data_vol:/mnt
+
+  dfn-cert-data:
+    image: greenbone/dfn-cert-data
+    volumes:
+      - cert_data_vol:/mnt
+    depends_on:
+      - cert-bund-data
+
+  data-objects:
+    image: greenbone/data-objects
+    volumes:
+      - data_objects_vol:/mnt
+
+  report-formats:
+    image: greenbone/report-formats
+    volumes:
+      - data_objects_vol:/mnt
+    depends_on:
+      - data-objects
+
+  gpg-data:
+    image: greenbone/gpg-data
+    volumes:
+      - gpg_data_vol:/mnt
+
+  redis-server:
+    image: greenbone/redis-server
+    restart: on-failure
+    volumes:
+      - redis_socket_vol:/run/redis/
+
+  pg-gvm:
+    image: greenbone/pg-gvm:stable
+    restart: on-failure
+    volumes:
+      - psql_data_vol:/var/lib/postgresql
+      - psql_socket_vol:/var/run/postgresql
+
+  gvmd:
+    image: greenbone/gvmd:stable
+    restart: on-failure
+    volumes:
+      - gvmd_data_vol:/var/lib/gvm
+      - scap_data_vol:/var/lib/gvm/scap-data/
+      - cert_data_vol:/var/lib/gvm/cert-data
+      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
+      - vt_data_vol:/var/lib/openvas/plugins
+      - psql_data_vol:/var/lib/postgresql
+      - gvmd_socket_vol:/run/gvmd
+      - ospd_openvas_socket_vol:/run/ospd
+      - psql_socket_vol:/var/run/postgresql
+    depends_on:
+      pg-gvm:
+        condition: service_started
+      scap-data:
+        condition: service_completed_successfully
+      cert-bund-data:
+        condition: service_completed_successfully
+      dfn-cert-data:
+        condition: service_completed_successfully
+      data-objects:
+        condition: service_completed_successfully
+      report-formats:
+        condition: service_completed_successfully
+
+  gsa:
+    image: greenbone/gsa:stable
+    restart: on-failure
+    ports:
+      - 127.0.0.1:9392:80
+    volumes:
+      - gvmd_socket_vol:/run/gvmd
+    depends_on:
+      - gvmd
+
+  ospd-openvas:
+    image: greenbone/ospd-openvas:stable
+    restart: on-failure
+    hostname: ospd-openvas.local
+    cap_add:
+      - NET_ADMIN # for capturing packages in promiscuous mode
+      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
+    command:
+      [
+        "ospd-openvas",
+        "-f",
+        "--config",
+        "/etc/gvm/ospd-openvas.conf",
+        "--mqtt-broker-address",
+        "mqtt-broker",
+        "--notus-feed-dir",
+        "/var/lib/notus/advisories",
+        "-m",
+        "666"
+      ]
+    volumes:
+      - gpg_data_vol:/etc/openvas/gnupg
+      - vt_data_vol:/var/lib/openvas/plugins
+      - notus_data_vol:/var/lib/notus
+      - ospd_openvas_socket_vol:/run/ospd
+      - redis_socket_vol:/run/redis/
+    depends_on:
+      redis-server:
+        condition: service_started
+      gpg-data:
+        condition: service_completed_successfully
+      vulnerability-tests:
+        condition: service_completed_successfully
+
+  mqtt-broker:
+    restart: on-failure
+    image: greenbone/mqtt-broker
+    networks:
+      default:
+        aliases:
+          - mqtt-broker
+          - broker
+
+  notus-scanner:
+    restart: on-failure
+    image: greenbone/notus-scanner:stable
+    volumes:
+      - notus_data_vol:/var/lib/notus
+      - gpg_data_vol:/etc/openvas/gnupg
+    environment:
+      NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
+      NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
+    depends_on:
+      - mqtt-broker
+      - gpg-data
+      - vulnerability-tests
+
+  gvm-tools:
+    image: greenbone/gvm-tools
+    volumes:
+      - gvmd_socket_vol:/run/gvmd
+      - ospd_openvas_socket_vol:/run/ospd
+    depends_on:
+      - gvmd
+      - ospd-openvas
+
+volumes:
+  gpg_data_vol:
+  scap_data_vol:
+  cert_data_vol:
+  data_objects_vol:
+  gvmd_data_vol:
+  psql_data_vol:
+  vt_data_vol:
+  notus_data_vol:
+  psql_socket_vol:
+  gvmd_socket_vol:
+  ospd_openvas_socket_vol:
+  redis_socket_vol:
diff --git a/roles/greenbone/target/defaults/main.yml b/roles/greenbone/target/defaults/main.yml
new file mode 100644
index 00000000..4bb8bd24
--- /dev/null
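Review bot: Image tags are mixed in this template: gvmd, gsa, pg-gvm, ospd-openvas and notus-scanner pin `:stable`, while the feed/data images (vulnerability-tests, notus-data, scap-data, cert-bund-data, dfn-cert-data, data-objects, report-formats, gpg-data) and redis-server, mqtt-broker and gvm-tools are untagged and therefore resolve to `latest`, so a file named for 22.4 does not actually pin a release and the two tag streams can drift apart on the next pull. Tagging every image with the same channel (e.g. `image: greenbone/redis-server:stable`) would make the template's version suffix meaningful; whether per-release tags exist for these images cannot be told from the hunk. The `security_opt` entries for ospd-openvas (`seccomp=unconfined`, `apparmor=unconfined`) remove both confinement profiles for that container, and unlike the `cap_add` lines they carry no why-comment; add one such as `# NOTE: unconfined seccomp/AppArmor taken from the upstream compose file — confirm which scanner operations require it`. The file is a `.j2` template but contains no Jinja expressions, which is fine but worth a sentence in the role's defaults so a reader does not look for missing variables.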
+++ b/roles/greenbone/target/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+greenbone_target_username: greenbone
+
+#greenbone_target_user_ssh_keys:
+#  - ssh-rsa ...
diff --git a/roles/greenbone/target/tasks/main.yml b/roles/greenbone/target/tasks/main.yml
new file mode 100644
index 00000000..8acc10cb
--- /dev/null
+++ b/roles/greenbone/target/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: create user for greenbone local security checks
+  user:
+    name: "{{ greenbone_target_username }}"
+    home: /var/lib/greenbone
+    create_home: yes
+    shell: /bin/bash
+    system: yes
+    state: present
+
+- name: install ssh keys for greenbone local security checks
+  authorized_key:
+    user: "{{ greenbone_target_username }}"
+    key: "{{ greenbone_target_user_ssh_keys | join('\n') }}"
+    exclusive: yes
-- 
cgit v1.2.3
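Review bot: The `authorized_key` task installs the keys from `greenbone_target_user_ssh_keys` without any restriction, so whoever holds the matching private key can log in to the `greenbone` account from anywhere the target's sshd accepts connections; since the account exists only for local security checks driven by the scanner host, restricting the keys to that source with the module's `key_options` parameter, e.g. `key_options: 'from="<scanner address placeholder>"'`, limits the blast radius if the key leaks. The boolean spellings `create_home: yes`, `system: yes` and `exclusive: yes` should be `true`. The user is created with `/bin/bash` and a home under /var/lib/greenbone; a short comment on why an interactive shell is needed (presumably the scanner executes check commands over ssh) would help the next reader.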