From e70a72e13db86d9a3201a5782e72c170b3a65063 Mon Sep 17 00:00:00 2001 From: Scott Date: Tue, 2 Jan 2024 08:11:10 +0000 Subject: [PATCH] Moved to bookworm as base --- Dockerfile | 33 ++++---- bin/base-rebuild.sh | 9 ++- build.d/coallate.sh | 30 ++++++++ build.d/gb-feed-sync.sh | 2 +- build.d/gsad.sh | 4 +- build.d/gvm-tool.sh | 2 +- build.d/notus-scanner.sh | 4 +- build.d/ospd-openvas.sh | 10 ++- confs/pwpolicy.conf | 117 ++++++++++++++++++++++++++++ ovasbase/Dockerfile | 2 +- ovasbase/bin/rebuild-all.sh | 4 +- ovasbase/scripts/install-deps.sh | 24 +----- ovasbase/scripts/package-list | 128 +++++++++++++++---------------- update.ts | 2 +- 14 files changed, 258 insertions(+), 113 deletions(-) create mode 100644 build.d/coallate.sh create mode 100644 confs/pwpolicy.conf diff --git a/Dockerfile b/Dockerfile index 917fd20..714e553 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,7 +46,9 @@ RUN bash /build.d/gsad.sh COPY build.d/links.sh /build.d/ RUN bash /build.d/links.sh -RUN mkdir /branding +RUN mkdir /branding +COPY build.d/coallate.sh / +RUN bash /coallate.sh # Stage 1: Start again with the ovasbase. Dependancies already installed # This target is for the image with no database 
@@ -59,19 +61,22 @@ LABEL maintainer="scott@immauss.com" \
 #EXPOSE 9392
 ENV LANG=C.UTF-8
 # Copy the install from stage 0
-COPY --from=0 etc/gvm/pwpolicy.conf /usr/local/etc/gvm/pwpolicy.conf
-COPY --from=0 etc/logrotate.d/gvmd /etc/logrotate.d/gvmd
-COPY --from=0 lib/systemd/system /lib/systemd/system
-COPY --from=0 usr/local/bin /usr/local/bin
-COPY --from=0 usr/local/include /usr/local/include
-COPY --from=0 usr/local/lib /usr/local/lib
-COPY --from=0 usr/local/sbin /usr/local/sbin
-COPY --from=0 usr/local/share /usr/local/share
-COPY --from=0 usr/share/postgresql /usr/share/postgresql
-COPY --from=0 usr/lib/postgresql /usr/lib/postgresql
-
-COPY confs/gvmd_log.conf /usr/local/etc/gvm/
-COPY confs/openvas_log.conf /usr/local/etc/openvas/
+# Move all of this to a sinlge "build" folder and reduce the number of layers by copying the
+# entire folder in one line to root/
+#COPY --from=0 etc/gvm/pwpolicy.conf /usr/local/etc/gvm/pwpolicy.conf
+#COPY --from=0 etc/logrotate.d/gvmd /etc/logrotate.d/gvmd
+#COPY --from=0 lib/systemd/system /lib/systemd/system
+#COPY --from=0 usr/local/bin /usr/local/bin
+#COPY --from=0 usr/local/include /usr/local/include
+#COPY --from=0 usr/local/lib /usr/local/lib
+#COPY --from=0 usr/local/sbin /usr/local/sbin
+#COPY --from=0 usr/local/share /usr/local/share
+#COPY --from=0 usr/share/postgresql /usr/share/postgresql
+#COPY --from=0 usr/lib/postgresql /usr/lib/postgresql
+COPY --from=0 /final .
+
+COPY confs/* /data/local-etc/gvm/
+
 COPY build.d/links.sh /
 RUN bash /links.sh
 COPY build.d/gpg-keys.sh /
diff --git a/bin/base-rebuild.sh b/bin/base-rebuild.sh
index 30ea165..74d8669 100755
--- a/bin/base-rebuild.sh
+++ b/bin/base-rebuild.sh
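Review bot: `COPY --from=0 /final .` copies into whatever WORKDIR is current in this stage, which is only `/` if no WORKDIR was set earlier (not visible in the hunk); since the comment above says the tree is meant for root, make the destination explicit with `COPY --from=0 /final /`. The ten `#COPY --from=0` lines kept above it are dead and are repeated verbatim at the bottom of coallate.sh, so they can be dropped here rather than maintained in two places. `COPY confs/* /data/local-etc/gvm/` also moves openvas_log.conf, which this stage previously placed in /usr/local/etc/openvas/, under the gvm directory — presumably links.sh maps it back, but that is worth confirming.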
@@ -99,13 +99,13 @@ if [ "$tag" == "beta" ]; then
 RUNOPTIONS="--volume beta:/data"
 NOBASE=true
 elif [ -z $arch ]; then
-arch="linux/amd64,linux/arm64,linux/arm/v7"
-#arch="linux/amd64,linux/arm64"
+#arch="linux/amd64,linux/arm64,linux/arm/v7"
+arch="linux/amd64,linux/arm64"
 ARM="true"
 fi
 # Make the version # in the image meta data consistent
 # This will leave the
-if [ "$tag" != "latest" ]; then
+if [ "$tag" != "latest" ] && [ "$tag" != "beta" ]; then
 echo $tag > ver.current
 fi
 VER=$(cat ver.current)
@@ -132,7 +132,8 @@ if [ "$NOBASE" == "false" ]; then
 cd $BUILDHOME/ovasbase
 BASESTART=$(date +%s)
 # Always build all archs for ovasbase.
-docker buildx build --push --platform linux/amd64,linux/arm64,linux/arm/v7 -f Dockerfile -t immauss/ovasbase .
+#docker buildx build --push --platform linux/amd64,linux/arm64,linux/arm/v7 -f Dockerfile -t immauss/ovasbase .
+docker buildx build --push --platform linux/amd64,linux/arm64 -f Dockerfile -t immauss/ovasbase:latest .
 BASEFIN=$(date +%s)
 cd ..
 fi
diff --git a/build.d/coallate.sh b/build.d/coallate.sh
new file mode 100644
index 0000000..6535e09
--- /dev/null
+++ b/build.d/coallate.sh
@@ -0,0 +1,30 @@ +#!/bin/bash +# Put all the bits I need into the right place so I can move them all into +# the finall image in a single image layer + +# Create the dir structure in "/final" +mkdir -p /final/usr/local/etc/gvm /final/etc/gvm /final/etc/logrotate.d /final/usr/local/bin \ + /final/usr/local/include /final/usr/local/lib /final/usr/local/share /final/usr/share/postgresql \ + /final/usr/lib/postgresql /final/usr/local/sbin + +cp -rp /etc/gvm/* /final/etc/gvm/ +cp -rp /etc/logrotate.d/gvmd /final/etc/logrotate.d/ +#cp -rp /lib/systemd/system/* /final/lib/systemd/system/ +cp -rp /usr/local/bin/* /final/usr/local/bin/ +cp -rp /usr/local/include/* /final/usr/local/include/ +cp -rp /usr/local/lib/* /final/usr/local/lib/ +cp -rp /usr/local/sbin/* /final/usr/local/sbin/ +cp -rp /usr/local/share/* /final/usr/local/share/ +cp -rp /usr/share/postgresql/* /final/usr/share/postgresql/ +cp -rp /usr/lib/postgresql/* /final/usr/lib/postgresql/ + +#COPY --from=0 etc/gvm/pwpolicy.conf /usr/local/etc/gvm/pwpolicy.conf +#COPY --from=0 etc/logrotate.d/gvmd /etc/logrotate.d/gvmd +#COPY --from=0 lib/systemd/system /lib/systemd/system +#COPY --from=0 usr/local/bin /usr/local/bin +#COPY --from=0 usr/local/include /usr/local/include +#COPY --from=0 usr/local/lib /usr/local/lib +#COPY --from=0 usr/local/sbin /usr/local/sbin +#COPY --from=0 usr/local/share /usr/local/share +#COPY --from=0 usr/share/postgresql /usr/share/postgresql +#COPY --from=0 usr/lib/postgresql /usr/lib/postgresql \ No newline at end of file diff --git a/build.d/gb-feed-sync.sh b/build.d/gb-feed-sync.sh index ae600f7..50f7d9f 100644 --- a/build.d/gb-feed-sync.sh +++ b/build.d/gb-feed-sync.sh @@ -4,4 +4,4 @@ set -Eeuo pipefail . build.rc echo "pip install of new greenbone-feed-sync" -python3 -m pip install greenbone-feed-sync +python3 -m pip install --break-system-packages greenbone-feed-sync diff --git a/build.d/gsad.sh b/build.d/gsad.sh index 8149ee0..2edbd52 100644 --- a/build.d/gsad.sh 
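Review bot: coallate.sh has no `set -Eeuo pipefail` even though the sibling build.d scripts touched in this patch (gb-feed-sync.sh, gvm-tool.sh) start with it, so a failing `cp` — for example an absent /usr/local/sbin in stage 0 — prints an error and the build continues with a final image that is silently missing files; add `set -Eeuo pipefail` directly after the shebang. The script creates `/final/usr/local/etc/gvm` but never copies anything into it, while `/etc/gvm/*` lands in `/final/etc/gvm/`; the Dockerfile previously placed the stage-0 pwpolicy.conf under /usr/local/etc/gvm/ and gsad.sh configures SYSCONFDIR=/usr/local/etc, so confirm the daemons still find their configuration after this move (links.sh may cover it, but that is not visible here). The commented-out `#COPY --from=0` block at the end is dead text copied from the Dockerfile and the file lacks a trailing newline; both can go.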
+++ b/build.d/gsad.sh @@ -13,9 +13,11 @@ cd /build/*/ # Implement ICS GSA Mods BUILDDIR=$(pwd) echo "BUILDDIR $BUILDDIR" + + /ics-gsa/scripts/gsad-mods.sh $BUILDDIR -cmake -j$(nproc) /build/gsad-$GSAD_VERSION \ +cmake /build/gsad-$GSAD_VERSION \ -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ -DCMAKE_BUILD_TYPE=Release \ -DSYSCONFDIR=/usr/local/etc \ diff --git a/build.d/gvm-tool.sh b/build.d/gvm-tool.sh index 4128b20..1e16485 100644 --- a/build.d/gvm-tool.sh +++ b/build.d/gvm-tool.sh @@ -4,4 +4,4 @@ set -Eeuo pipefail . build.rc echo "pip install GVM-tools" -python3 -m pip install gvm-tools==$gvm_tools +python3 -m pip install --break-system-packages gvm-tools==$gvm_tools diff --git a/build.d/notus-scanner.sh b/build.d/notus-scanner.sh index bc1510f..4bc6893 100644 --- a/build.d/notus-scanner.sh +++ b/build.d/notus-scanner.sh @@ -13,8 +13,8 @@ wget --no-verbose https://github.com/greenbone/notus-scanner/archive/$notus_scan tar -zxf $notus_scanner.tar.gz ls -l cd /build/*/ - python3 -m pip install . - ls -l /usr/local/bin/ | tee /local-bin.txt +python3 -m pip install --break-system-packages . +ls -l /usr/local/bin/ | tee /local-bin.txt cd /build diff --git a/build.d/ospd-openvas.sh b/build.d/ospd-openvas.sh index a50d14a..c3afebc 100644 --- a/build.d/ospd-openvas.sh +++ b/build.d/ospd-openvas.sh @@ -7,8 +7,14 @@ cd /build wget --no-verbose https://github.com/greenbone/ospd-openvas/archive/$ospd_openvas.tar.gz tar -zxf $ospd_openvas.tar.gz cd /build/*/ +echo " Find" +find . -name setup.py +echo " Found ?" pwd -ls -l -python3 -m pip install . + + + +python3 -m pip install --break-system-packages . + cd /build rm -rf * diff --git a/confs/pwpolicy.conf b/confs/pwpolicy.conf new file mode 100644 index 0000000..8737856 --- /dev/null +++ b/confs/pwpolicy.conf 
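Review bot: the `echo " Find"`, `find . -name setup.py`, `echo " Found ?"` and `pwd` lines added before the pip install, together with the three blank lines after them, read as leftover debugging rather than build logic; they run a find over the whole extracted tree on every build and clutter the log, so drop them (or keep the single `ls -l` the script had before, as notus-scanner.sh does with its `ls -l /usr/local/bin/`). If the point was to verify the tarball layout before installing, a `test -f setup.py || test -f pyproject.toml` that fails the build would be a stronger check than printing the path.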
@@ -0,0 +1,117 @@ + pwpolicy.conf -*- coding: utf-8 -*- +# +# This is an example for a pattern file used to validate passwords. +# Passwords matching an entry in this file are considered weak and +# will be rejected. +# +# The file is line based with comment lines beginning on the *first* +# position with a '#' and followed by at least one white space. Empty +# lines and lines with only white space are ignored. The other lines +# may either be verbatim patterns and match as they are (trailing +# spaces are ignored) or Perl compatible regular expressions (pcre) +# indicated by a '/' in the first column and terminated by another '/' +# or end of line. To reverse the meaning of a regular expression +# prefix it with an exclamation mark like this: +# +# !/^.{6,}$/ +# +# This will reject a passphrase with less than 6 characters. All +# comparisons are case insensitive; utf-8 encoding must be used. A +# few processing instructions are supported: +# +# #+desc[:] A string describing the next pattern +# +# This is used to return meaningful error messages. To end a group of +# pattern with the same description either a new "#+desc:" line may be +# used or the instruction: +# +# #+nodesc +# +# To include a list of simple pattern use: +# +# #+search[:] FILENAME +# +# Note that this is a simple linear search and stops at the first +# match. Comments are not allowed in that file. A line in the +# dictionary may not be longer than 255 characters. +# +# To perform checks on the username/password combination, you should +# use: +# +# #+username +# +# Currently this checks whether the password matches or is included in +# the password. It may eventually be extended to further tests. + +############################ +# This is an example file where all lines are explicitly prefixed with +# an additional "#" to comment out anything. +# On your own decision you may activiate policies and modify them. +# Be aware: By default any password is allowed. 
+############################ + + +## Let's start with a simple test +##+desc: Too short (at least 8 characters are required) +#!/^.{8,}$/ +# +## Check that the user name does not match the password. +## (The desc string is not used here.) +##+username +# +##+desc: Only digits +#/^[[:digit:]]+$/ +# +##+desc: Not a mix of letters digits and control characters +#!/[[:alpha:]]+/ +#!/[[:digit:]]+/ +#!/[[:punct:]]+/ +# +##+desc: No mixed case +#!/(?-i)([[:lower:]]+.*[[:upper:]]+)|([[:upper:]]+.*[[:lower:]]+)/ +# +##+desc: Date string +## A limited check for ISO date strings +#/^[012][0-9]{3}-?[012][0-9]-?[0123][0-9]$/ +# +## Reject the usual metavariables. +##+desc: Meta variable +#foo +#bar +#baz +# +##+desc: Common test password +#password +#passwort +#passphrase +#mantra +#test +#abc +#egal +# +## Arbitrary strings +##+nodesc +#12345678 +#87654321 +#qwerty +#qwertyuiop +#asdfghjkl +#zxcvbnm +#qwertzuiop +#yxcvbnm +#no-password +#no password +# +##+desc: Test string used by RTTY hams +#the quick brown fox jumps over the lazy dogs back +# +##+desc: German number plate +#/^[A-Z]{1,3}\s*-\s*[A-Z]{1,2}\s*[0-9]+$/ +# +##+desc: Dictionary word +##+search: /usr/share/dict/words +## Note that searching a large dictionary may take some time, it might +## be better to use an offline password auditing tool instead. + + +# end of policy file diff --git a/ovasbase/Dockerfile b/ovasbase/Dockerfile index 7e5c206..5d60591 100644 --- a/ovasbase/Dockerfile +++ b/ovasbase/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bullseye +FROM debian:stable ENV DEBIAN_FRONTEND=noninteractive ENV LANG=C.UTF-8 COPY scripts /scripts diff --git a/ovasbase/bin/rebuild-all.sh b/ovasbase/bin/rebuild-all.sh index f84bb25..9cb9167 100755 --- a/ovasbase/bin/rebuild-all.sh +++ b/ovasbase/bin/rebuild-all.sh 
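Review bot: every rule in this file is commented out, and its own header warns "By default any password is allowed", so as shipped — and copied into the image by `COPY confs/* /data/local-etc/gvm/` in this patch — gvmd will accept any password, including an empty one or one equal to the username. At minimum uncomment the length and username checks: `#+desc: Too short (at least 8 characters are required)`, `!/^.{8,}$/` and `#+username`. If the intent is to leave policy entirely to the operator, say so in a comment at the top of the file so the inactive rules are not mistaken for enforcement.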
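Review bot: `FROM debian:stable` is a floating tag, while install-deps.sh in this same patch hardcodes `bookworm-pgdg`; when `stable` moves to the next release the base image and the PostgreSQL apt source will disagree and the build will break or mix releases. Pin to the release the rest of the patch assumes, `FROM debian:bookworm` (or a digest), and bump both together. The commit title says bookworm, so this appears to be the intent.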
@@ -5,5 +5,5 @@ if [ -z $tag ] ; then
 else
 tag="$tag"
 fi
-docker buildx build -t immauss/ovasbase:$tag --platform linux/arm64,linux/amd64,linux/arm/v7 --push .
-#docker buildx build -t immauss/ovasbase:$tag --platform linux/arm64,linux/amd64 --push .
+#docker buildx build -t immauss/ovasbase:$tag --platform linux/arm64,linux/amd64,linux/arm/v7 --push .
+docker buildx build -t immauss/ovasbase:$tag --platform linux/arm64,linux/amd64 --push .
diff --git a/ovasbase/scripts/install-deps.sh b/ovasbase/scripts/install-deps.sh
index 649bb55..dc4da2d 100644
--- a/ovasbase/scripts/install-deps.sh
+++ b/ovasbase/scripts/install-deps.sh
@@ -9,33 +9,17 @@ apt-get update apt-get install -y gnupg curl wget apt-utils echo "Install the postgres repo" -echo "deb http://apt.postgresql.org/pub/repos/apt bullseye-pgdg main" > /etc/apt/sources.list.d/pgdg.list +echo "deb http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main" > /etc/apt/sources.list.d/pgdg.list wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - apt-get update apt-get upgrade -y echo "install required packages" -PACKAGES=$(cat /scripts/package-list) +PACKAGES=$(cat scripts/package-list) apt-get install -yq --no-install-recommends $PACKAGES /usr/sbin/update-ca-certificates --fresh - -# Now install latest nodejs & yarn .. -export NODE_VERSION=node_18.x -export KEYRING=/usr/share/keyrings/nodesource.gpg -export DISTRIBUTION="bullseye" - -# the NodeJS apt source -curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | tee "$KEYRING" >/dev/null -gpg --no-default-keyring --keyring "$KEYRING" --list-keys -echo "deb [signed-by=$KEYRING] https://deb.nodesource.com/$NODE_VERSION $DISTRIBUTION main" | tee /etc/apt/sources.list.d/nodesource.list -echo "deb-src [signed-by=$KEYRING] https://deb.nodesource.com/$NODE_VERSION $DISTRIBUTION main" | tee -a /etc/apt/sources.list.d/nodesource.list -# add the yarn apt source -curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - -echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list - - apt update - apt install -y nodejs - +# Newer version of impacket than available via apt +python3 -m pip install --break-system-packages impacket #Clean up after apt rm -rf /var/lib/apt/lists/* diff --git a/ovasbase/scripts/package-list b/ovasbase/scripts/package-list index be7cebe..b50f97e 100644 --- a/ovasbase/scripts/package-list +++ b/ovasbase/scripts/package-list 
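Review bot: `PACKAGES=$(cat scripts/package-list)` changes the absolute `/scripts/package-list` to a path relative to the caller's working directory; the ovasbase Dockerfile copies the scripts to `/scripts`, and if the cat fails PACKAGES is empty and `apt-get install -yq --no-install-recommends` succeeds having installed nothing, so the absolute path should be restored. The pgdg key is still imported with `apt-key add -`, which is deprecated on bookworm and warns on every build; the nodesource block removed in this hunk already used the `signed-by` keyring pattern, and the PostgreSQL source should get the same treatment. `python3 -m pip install --break-system-packages impacket` replaces the apt-managed python3-impacket with an unpinned PyPI install, so each rebuild pulls whatever is latest with no hash check and no distribution security updates — pin it the way gvm-tool.sh pins `gvm-tools==$gvm_tools`.
```shell
echo "Install the postgres repo"
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /usr/share/keyrings/postgresql.gpg
echo "deb [signed-by=/usr/share/keyrings/postgresql.gpg] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main" > /etc/apt/sources.list.d/pgdg.list
# … unchanged: apt-get update / apt-get upgrade -y …
echo "install required packages"
PACKAGES=$(cat /scripts/package-list)
# … unchanged: apt-get install, update-ca-certificates, impacket pip install (pin the version), apt cleanup …
```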
@@ -1,69 +1,69 @@
- bison
- curl
- dpkg
- fakeroot
+bison
+curl
+dpkg
+fakeroot
 gir1.2-json-1.0
- gnupg
- gnutls-bin
- gpgsm
- heimdal-multidev
- libgcrypt20
- libglib2.0
- libgnutls30
- libgpgme11
- libhiredis0.14
- libical3
+gnupg
+gnutls-bin
+gpgsm
+heimdal-multidev
+libgcrypt20
+libglib2.0
+libgnutls30
+libgpgme11
+libhiredis0.14
+libical3
 libjson-glib-1.0-0
 libjson-glib-1.0-common
- libksba8
- libldap-2.4-2
- libmicrohttpd12
- libnet1
+libksba8
+libldap-common
+libmicrohttpd12
+libnet1
 libpaho-mqtt-dev
- libpcap0.8
- libpopt0
- libpq5
- libradcli4
- libsnmp40
- libssh-gcrypt-4
- libunistring2
- libxml2
- libxslt1.1
- lsof
- mosquitto
- nmap
- nsis
- openssh-client
- perl-base
- pkg-config
- postfix
- postgresql-13
- procps
- python3
- python3-cffi
- python3-defusedxml
- python3-impacket
- python3-lxml
- python3-packaging
+libpcap0.8
+libpopt0
+libpq5
+libradcli4
+libsnmp40
+libssh-gcrypt-4
+libunistring2
+libxml2
+libxslt1.1
+lsof
+mosquitto
+nmap
+nsis
+openssh-client
+perl-base
+pkg-config
+postfix
+postgresql-13
+procps
+python3-psutil
+python3
+python3-cffi
+python3-defusedxml
+python3-lxml
+python3-packaging
 python3-paho-mqtt
- python3-paramiko
- python3-pip
- python3-redis
- python3-setuptools
- python3-wrapt
- redis-server
- rpm
- rsync
- smbclient
- snmp
- socat
- sshpass
- texlive-fonts-recommended
- texlive-latex-extra
- uuid
- wget
- xmlstarlet
- xml-twig-tools
- xsltproc
- xz-utils
- zip
\ No newline at end of file
+python3-paramiko
+python3-pip
+python3-redis
+python3-setuptools
+python3-wrapt
+redis-server
+rpm
+rsync
+smbclient
+snmp
+socat
+sshpass
+texlive-fonts-recommended
+texlive-latex-extra
+uuid
+wget
+xmlstarlet
+xml-twig-tools
+xsltproc
+xz-utils
+zip
diff --git a/update.ts b/update.ts
index 4b5656e..d1fd7d9 100644
--- a/update.ts
+++ b/update.ts
@@ -1 +1 @@
-Tue Dec 19 02:30:19 UTC 2023
+Tue Jan 2 02:26:36 UTC 2024
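Review bot: `libldap-2.4-2` is replaced by `libldap-common`, but on bookworm libldap-common only carries configuration files (ldap.conf), not the shared library; the runtime library package is `libldap-2.5-0`, so if gvmd or gsad built in stage 0 link against libldap, the final stage will be missing the .so unless something else pulls it in — add `libldap-2.5-0` alongside (or instead of) libldap-common. `postgresql-13` is kept although bookworm's native server is postgresql-15; it still resolves via the `bookworm-pgdg` source added in install-deps.sh, but that ties the image to an older major the distribution does not carry, so if staying on 13 is deliberate (existing `/data` volumes, for example) a short comment here would save the next person from "fixing" it.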