
12345678756n g hgh

  1. #!/bin/sh
  2.  
  3. # OpenVAS
  4. # $Id$
  5. # Description: Script for checking completeness and readiness
  6. # of OpenVAS.
  7. #
  8. # Authors:
  9. # Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net>
  10. # Michael Wiegand <michael.wiegand@greenbone.net>
  11. #
  12. # Copyright:
  13. # Copyright (C) 2011-2015 Greenbone Networks GmbH
  14. #
  15. # This program is free software; you can redistribute it and/or modify
  16. # it under the terms of the GNU General Public License version 2,
  17. # or at your option any later version, as published by the
  18. # Free Software Foundation
  19. #
  20. # This program is distributed in the hope that it will be useful,
  21. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  22. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23. # GNU General Public License for more details.
  24. #
  25. # You should have received a copy of the GNU General Public License
  26. # along with this program; if not, write to the Free Software
  27. # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  28.  
  # File that receives the detailed output of every check below.
  # NOTE(review): this is a fixed, predictable name in the world-writable /tmp
  # directory. When the script runs as root, the file should be created in a
  # way that cannot be redirected through a symlink placed there beforehand.
  LOG="/tmp/openvas-check-setup.log"
  # Version of this check script; shown in the banner and the log header.
  CHECKVERSION="2.3.3"
  31.  
  # Check mode: "--server" as first or second argument skips the client-tool
  # checks; without it the script runs in "desktop" mode.
  MODE="desktop"
  if [ "$1" = "--server" ] || [ "$2" = "--server" ]; then
    MODE="server"
  fi
  38.  
  # Expected major/minor version of each component. OpenVAS-8 is the default;
  # "--v9", "--v8", "--v7" or "--v6" as first or second argument selects
  # another release. The flags are tested in that order; the first match wins.
  VER=8
  SCANNER_MAJOR=5;       SCANNER_MINOR=0
  MANAGER_MAJOR=6;       MANAGER_MINOR=0
  ADMINISTRATOR_MAJOR=0; ADMINISTRATOR_MINOR=0
  GSA_MAJOR=6;           GSA_MINOR=0
  CLI_MAJOR=1;           CLI_MINOR=4

  if [ "$1" = "--v9" ] || [ "$2" = "--v9" ]; then
    VER=9
    SCANNER_MAJOR=5;       SCANNER_MINOR=1
    MANAGER_MAJOR=6;       MANAGER_MINOR=1
    ADMINISTRATOR_MAJOR=0; ADMINISTRATOR_MINOR=0
    GSA_MAJOR=6;           GSA_MINOR=1
    CLI_MAJOR=1;           CLI_MINOR=4
  elif [ "$1" = "--v8" ] || [ "$2" = "--v8" ]; then
    VER=8
    SCANNER_MAJOR=5;       SCANNER_MINOR=0
    MANAGER_MAJOR=6;       MANAGER_MINOR=0
    ADMINISTRATOR_MAJOR=0; ADMINISTRATOR_MINOR=0
    GSA_MAJOR=6;           GSA_MINOR=0
    CLI_MAJOR=1;           CLI_MINOR=4
  elif [ "$1" = "--v7" ] || [ "$2" = "--v7" ]; then
    VER=7
    SCANNER_MAJOR=4;       SCANNER_MINOR=0
    MANAGER_MAJOR=5;       MANAGER_MINOR=0
    ADMINISTRATOR_MAJOR=0; ADMINISTRATOR_MINOR=0
    GSA_MAJOR=5;           GSA_MINOR=0
    CLI_MAJOR=1;           CLI_MINOR=3
  elif [ "$1" = "--v6" ] || [ "$2" = "--v6" ]; then
    VER=6
    SCANNER_MAJOR=3;       SCANNER_MINOR=4
    MANAGER_MAJOR=4;       MANAGER_MINOR=0
    ADMINISTRATOR_MAJOR=1; ADMINISTRATOR_MINOR=3
    GSA_MAJOR=4;           GSA_MINOR=0
    CLI_MAJOR=1;           CLI_MINOR=2
    # The GSD version is only defined for the OpenVAS-6 profile.
    GSD_MAJOR=1;           GSD_MINOR=2
  fi
  107.  
  # Banner: script version, the OpenVAS release being checked, and where to
  # report problems.
  printf '%s\n' "openvas-check-setup $CHECKVERSION" \
    " Test completeness and readiness of OpenVAS-$VER"
  if [ "$VER" = "8" ]; then
    # Only the default profile advertises the other version switches.
    printf '%s\n' " (add '--v6' or '--v7' or '--v9'" \
      " if you want to check for another OpenVAS version)"
  fi
  printf '%s\n' "" \
    " Please report us any non-detected problems and" \
    " help us to improve this check routine:" \
    " http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss" \
    "" \
    " Send us the log-file ($LOG) to help analyze the problem." \
    ""

  if [ "$MODE" = "desktop" ]; then
    printf '%s\n' " Use the parameter --server to skip checks for client tools" \
      " like GSD and OpenVAS-CLI." \
      ""
  fi
  129.  
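  # Print one message to stdout and append the same line to the log file.
  # Globals:   LOG (read) - path of the log file
  # Arguments: $1 - message text
  # Outputs:   the message, prefixed with two spaces, on stdout and in $LOG
  log_and_print ()
  {
    # The message is quoted so that it is emitted verbatim: unquoted, the shell
    # would collapse runs of whitespace and expand glob characters such as "*"
    # against the current directory before printing.
    printf '  %s\n' "$1"
    printf '  %s\n' "$1" >> "$LOG"
  }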
  135.  
  # Print the closing failure notice and terminate the script.
  # Globals:   VER (read), LOG (read)
  # Outputs:   the notice on stdout
  # Returns:   never; exits the shell with status 1
  check_failed ()
  {
    printf '%s\n' "" \
      " ERROR: Your OpenVAS-$VER installation is not yet complete!" \
      "" \
      "Please follow the instructions marked with FIX above and run this" \
      "script again." \
      "" \
      "If you think this result is wrong, please report your observation" \
      "and help us to improve this check routine:" \
      "http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss" \
      "Please attach the log-file ($LOG) to help us analyze the problem." \
      ""
    exit 1
  }
  151.  
  152.  
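  # LOG start
  # $LOG is a fixed name in a world-writable directory, so it must not be
  # truncated blindly: whatever sits at that path (possibly a symlink planted
  # by another user) would be written through. Remove the old entry first (rm
  # unlinks a symlink itself, not its target) and create the file with
  # noclobber set, so the redirection fails instead of overwriting anything
  # that already exists at that path.
  rm -f -- "$LOG"
  set -C
  if ! echo "openvas-check-setup $CHECKVERSION" > "$LOG"
  then
    # Keep the checks usable without a log rather than writing somewhere unsafe.
    echo "WARNING: Could not create the log file $LOG safely, detailed logging is disabled." >&2
    LOG=/dev/null
  fi
  set +C
  {
    echo " Mode: $MODE"
    echo " Date: " $(date -R)
    echo ""
  } >> "$LOG"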
  158.  
  159.  
  echo "Step 1: Checking OpenVAS Scanner ... "

  # An "openvasd" binary that answers -V is treated as a leftover old scanner.
  echo "Checking for old OpenVAS Scanner <= 2.0 ..." >> "$LOG"
  if openvasd -V >> "$LOG" 2>&1; then
    log_and_print "ERROR: Old version of OpenVAS Scanner detected."
    log_and_print "FIX: Please remove the installation of the old OpenVAS Scanner (openvasd)."
    check_failed
  fi
  echo "" >> "$LOG"

  # The current scanner binary must be callable.
  echo "Checking presence of OpenVAS Scanner ..." >> "$LOG"
  if ! openvassd --version >> "$LOG" 2>&1; then
    log_and_print "ERROR: No OpenVAS Scanner (openvassd) found."
    log_and_print "FIX: Please install OpenVAS Scanner."
    check_failed
  fi
  echo "" >> "$LOG"

  echo "Checking OpenVAS Scanner version ..." >> "$LOG"

  # First line of the version output with the product name stripped.
  VERSION=$(openvassd --version 2>>"$LOG" | head -1 | sed -e "s/OpenVAS Scanner //")

  # The version must start with the expected major.minor pair.
  if ! echo $VERSION | grep -q "^$SCANNER_MAJOR\.$SCANNER_MINOR"; then
    log_and_print "ERROR: OpenVAS Scanner too old or too new: $VERSION"
    log_and_print "FIX: Please install OpenVAS Scanner $SCANNER_MAJOR.$SCANNER_MINOR."
    log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: OpenVAS Scanner is present in version $VERSION."
  196.  
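  # Record the scanner's settings dump in the log for later analysis.
  openvassd -s >> "$LOG" 2>&1

  echo "Checking OpenVAS Scanner CA cert ..." >> "$LOG"
  # Path of the CA certificate as reported by the scanner's "ca_file" setting.
  CAFILE=$(openvassd -s 2>>"$LOG" | grep ca_file | sed -e "s/^ca_file = //")
  # Quoted on purpose: with an empty $CAFILE an unquoted test collapses to
  # `[ ! -e ]`, which is false, so a missing ca_file setting would be reported
  # as a present certificate.
  if [ ! -e "$CAFILE" ]
  then
    log_and_print "ERROR: No CA certificate file of OpenVAS Scanner found."
    if [ "$VER" -ge 9 ]
    then
      log_and_print "FIX: Run 'openvas-manage-certs -a'."
    else
      log_and_print "FIX: Run 'openvas-mkcert'."
    fi
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: OpenVAS Scanner CA Certificate is present as $CAFILE."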
  215.  
  # redis is only checked for OpenVAS-8 and later.
  if [ "$VER" -ge 8 ]; then
    echo "Checking presence of redis ..." >> "$LOG"

    if ! BINARY=$(redis-server --version); then
      log_and_print "ERROR: No redis-server installation found."
      log_and_print "FIX: You should install redis-server for improved scalability and ability to trace/debug the KB"
      check_failed
    else
      # The version is taken from field 4 of the version line; if that field
      # contains "sha", field 3 is used instead.
      VERSION=$(redis-server --version | awk '{ print $4 }')
      if echo $VERSION | grep -q sha; then
        VERSION=$(redis-server --version | awk '{ print $3 }')
      fi
      log_and_print "OK: redis-server is present in version $VERSION."
      HAVE_REDIS=1
    fi
    echo "" >> "$LOG"

    if [ $HAVE_REDIS -eq 1 ]; then
      echo "Checking if redis-server is configured properly to run with openVAS ..." >> "$LOG"
      # Socket path from the scanner's "kb_location" setting.
      REDISSOCKET=$(openvassd -s 2>>"$LOG" | grep kb_location | sed -e "s/^kb_location = //")
      if [ -z "$REDISSOCKET" ]; then
        log_and_print "ERROR: scanner is not configured to use a redis-server socket."
        log_and_print "FIX: Configure the kb_location setting of the scanner to the path of the redis-server socket."
        check_failed
      else
        log_and_print "OK: scanner (kb_location setting) is configured properly using the redis-server socket: $REDISSOCKET"
        echo "Checking if redis-server is running ..." >> "$LOG"
        # Existence of the socket path is taken as "redis-server is running".
        if [ ! -e $REDISSOCKET ]; then
          log_and_print "ERROR: redis-server is not running or not listening on socket: $REDISSOCKET"
          log_and_print "FIX: You should start the redis-server or configure it to listen on socket: $REDISSOCKET"
          check_failed
        else
          log_and_print "OK: redis-server is running and listening on socket: $REDISSOCKET."
        fi
      fi
      log_and_print "OK: redis-server configuration is OK and redis-server is running."
    fi

    echo "" >> "$LOG"
  fi
  263.  
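  echo "Checking NVT collection ..." >> "$LOG"
  # Directory of the NVT collection, from the scanner's "plugins_folder" setting.
  PLUGINSFOLDER=$(openvassd -s 2>>"$LOG" | grep plugins_folder | sed -e "s/^plugins_folder = //")
  # Quoted on purpose: an empty value must fail this test. Unquoted, the test
  # collapses to `[ ! -d ]` (false) and the find below would scan the current
  # directory instead.
  if [ ! -d "$PLUGINSFOLDER" ]
  then
    log_and_print "ERROR: Directory containing the NVT collection not found."
    log_and_print "FIX: Run a NVT synchronization script like openvas-nvt-sync or greenbone-nvt-sync."
    check_failed
  fi
  # grep -v succeeds when the path does NOT contain "/var/", which the script
  # treats as a pre-OpenVAS-4 layout.
  if OLDPLUGINSFOLDER=$(echo "$PLUGINSFOLDER" | grep -q -v "/var/" 2>&1)
  then
    CONFFILE=$(openvassd -s 2>>"$LOG" | grep config_file | sed -e "s/^config_file = //")
    log_and_print "ERROR: Your OpenVAS Scanner configuration seems to be from a pre-OpenVAS-4 installation and contains non-FHS compliant paths."
    log_and_print "FIX: Delete your OpenVAS Scanner Configuration file ($CONFFILE)."
    check_failed
  fi
  # Number of files below the folder whose name ends in "nasl".
  NVTCOUNT=$(find "$PLUGINSFOLDER" -name "*nasl" | wc -l)
  if [ "$NVTCOUNT" -lt 10 ]
  then
    log_and_print "ERROR: The NVT collection is very small."
    log_and_print "FIX: Run a synchronization script like openvas-nvt-sync or greenbone-nvt-sync."
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: NVT collection in $PLUGINSFOLDER contains $NVTCOUNT NVTs."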
  290.  
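  echo "Checking status of signature checking in OpenVAS Scanner ..." >> "$LOG"
  # Value of the scanner's "nasl_no_signature_check" setting; "no" means
  # signatures are checked.
  NOSIGCHECK=$(openvassd -s 2>>"$LOG" | grep nasl_no_signature_check | sed -e "s/^nasl_no_signature_check = //")
  # Quoted on purpose: if the setting is missing from the output, the unquoted
  # test is malformed, fails, and falls through to the "enabled" branch. An
  # unknown state must produce the warning, not a false OK.
  if [ "$NOSIGCHECK" != "no" ]
  then
    log_and_print "WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner."
    log_and_print "SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html)."
  else
    log_and_print "OK: Signature checking of NVTs is enabled in OpenVAS Scanner."
  fi
  echo "" >> "$LOG"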
  301.  
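  # Compare the number of "*nvti" cache files with the number of NVTs counted
  # earlier ($NVTCOUNT); fewer cache files means the cache is not yet built.
  CACHEFOLDER=$(openvassd -s 2>>"$LOG" | grep cache_folder | sed -e "s/^cache_folder = //")
  # Quoted so that an empty or space-containing cache_folder cannot make find
  # scan the current directory or split the path into several arguments.
  CACHECOUNT=$(find "$CACHEFOLDER" -name "*nvti" | wc -l)
  if [ "$CACHECOUNT" -lt "$NVTCOUNT" ]
  then
    log_and_print "WARNING: The initial NVT cache has not yet been generated."
    log_and_print "SUGGEST: Start OpenVAS Scanner for the first time to generate the cache."
  else
    log_and_print "OK: The NVT cache in $CACHEFOLDER contains $CACHECOUNT files for $NVTCOUNT NVTs."
  fi
  echo "" >> "$LOG"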
  312.  
  echo "Step 2: Checking OpenVAS Manager ... "

  # The manager binary must be callable.
  echo "Checking presence of OpenVAS Manager ..." >> "$LOG"
  if ! openvasmd --version >> "$LOG" 2>&1; then
    log_and_print "ERROR: No OpenVAS Manager (openvasmd) found."
    log_and_print "FIX: Please install OpenVAS Manager."
    check_failed
  fi
  echo "" >> "$LOG"

  # First line of the version output with the product name stripped.
  VERSION=$(openvasmd --version | head -1 | sed -e "s/OpenVAS Manager //")

  # The version must start with the expected major.minor pair.
  if ! echo $VERSION | grep -q "^$MANAGER_MAJOR\.$MANAGER_MINOR"; then
    log_and_print "ERROR: OpenVAS Manager too old or too new: $VERSION"
    log_and_print "FIX: Please install OpenVAS Manager $MANAGER_MAJOR.$MANAGER_MINOR."
    log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: OpenVAS Manager is present in version $VERSION."
  337.  
  echo "Checking OpenVAS Manager client certificate ..." >> "$LOG"
  # The client certificate is looked up next to the scanner's CA file.
  CERTDIR=$(dirname $CAFILE)
  CLIENTCERTFILE="$CERTDIR/clientcert.pem"
  if [ ! -e $CLIENTCERTFILE ]; then
    log_and_print "ERROR: No client certificate file of OpenVAS Manager found."
    # The suggested command depends on the OpenVAS release being checked.
    if [ $VER -ge 9 ]; then
      log_and_print "FIX: Run 'openvas-manage-certs -a'."
    elif [ $VER -ge 7 ]; then
      log_and_print "FIX: Run 'openvas-mkcert-client -n -i'"
    else
      log_and_print "FIX: Run 'openvas-mkcert-client -n om -i'"
    fi
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: OpenVAS Manager client certificate is present as $CLIENTCERTFILE."
  358.  
  echo "Checking OpenVAS Manager database ..." >> "$LOG"
  # Guess openvas state dir from $PLUGINSFOLDER
  STATEDIR=$(dirname $PLUGINSFOLDER)
  TASKSDB="$STATEDIR/mgr/tasks.db"
  if [ ! -e $TASKSDB ]; then
    log_and_print "ERROR: No OpenVAS Manager database found. (Tried: $TASKSDB)"
    log_and_print "FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running."

    # The rebuild needs a running scanner, so say so if no scanner process is
    # waiting for connections. The "[o]" keeps grep from matching itself.
    OPENVASSD_RUNNING=$(ps -Af | grep -ic "[o]penvassd: waiting for incoming connections")
    if [ $OPENVASSD_RUNNING -eq 0 ]; then
      log_and_print "WARNING: OpenVAS Scanner is NOT running!"
      log_and_print "SUGGEST: Start OpenVAS Scanner (openvassd)."
    fi

    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: OpenVAS Manager database found in $TASKSDB."

  # The database must have mode 600 (read/write for its owner only).
  echo "Checking access rights of OpenVAS Manager database ..." >> "$LOG"
  TASKSDBPERMS=$(stat -c "%a" "$TASKSDB")
  if [ "$TASKSDBPERMS" != "600" ]; then
    log_and_print "ERROR: The access rights of the OpenVAS Manager database are incorrect."
    log_and_print "FIX: Run 'chmod 600 $TASKSDB'."
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: Access rights for the OpenVAS Manager database are correct."
  392.  
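  # The extended database checks need the sqlite3 command line tool.
  echo "Checking sqlite3 presence ..." >> "$LOG"
  if SQLITE3=$(type sqlite3 2> /dev/null)
  then
    log_and_print "OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled."
    HAVE_SQLITE=1
  else
    log_and_print "WARNING: Could not find sqlite3 binary, extended manager checks of the OpenVAS Manager installation are disabled."
    log_and_print "SUGGEST: Install sqlite3."
    HAVE_SQLITE=0
  fi
  echo "" >> "$LOG"

  if [ $HAVE_SQLITE -eq 1 ]
  then
    echo "Checking OpenVAS Manager database revision ..." >> "$LOG"
    # Schema revision stored in the database itself.
    TASKSDBREV=$(sqlite3 "$TASKSDB" "select value from meta where name='database_version';")
    if [ -z "$TASKSDBREV" ]
    then
      log_and_print "ERROR: Could not determine database revision, database corrupt or in invalid format."
      log_and_print "FIX: Delete database at $TASKSDB and rebuild it."
      check_failed
    else
      log_and_print "OK: OpenVAS Manager database is at revision $TASKSDBREV."
    fi
    echo "Checking database revision expected by OpenVAS Manager ..." >> "$LOG"
    # Schema revision the installed manager reports in its version output.
    MANAGERDBREV=$(openvasmd --version | grep "Manager DB revision" | sed -e "s/.*\ //")
    if [ -z "$MANAGERDBREV" ]
    then
      log_and_print "ERROR: Could not determine database revision expected by OpenVAS Manager."
      log_and_print "FIX: Ensure OpenVAS Manager is installed correctly."
      check_failed
    else
      log_and_print "OK: OpenVAS Manager expects database at revision $MANAGERDBREV."
    fi
    if [ "$TASKSDBREV" -lt "$MANAGERDBREV" ]
    then
      log_and_print "ERROR: Database schema is out of date."
      log_and_print "FIX: Run 'openvasmd --migrate'."
      check_failed
    else
      log_and_print "OK: Database schema is up to date."
    fi
    echo "Checking OpenVAS Manager database (NVT data) ..." >> "$LOG"
    DBNVTCOUNT=$(sqlite3 "$TASKSDB" "select count(*) from nvts;")
    # An empty result (the query failed) counts as zero. Unquoted, the empty
    # value made the test malformed and the script reported OK.
    if [ "${DBNVTCOUNT:-0}" -lt 20000 ]
    then
      log_and_print "ERROR: The number of NVTs in the OpenVAS Manager database is too low."
      log_and_print "FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'."

      # The "[o]" keeps grep from matching its own process entry.
      OPENVASSD_RUNNING=$(ps -Af | grep -ic "[o]penvassd: waiting for incoming connections")
      if [ "$OPENVASSD_RUNNING" -eq 0 ]
      then
        log_and_print "WARNING: OpenVAS Scanner is NOT running!"
        log_and_print "SUGGEST: Start OpenVAS Scanner (openvassd)."
      fi

      check_failed
    else
      log_and_print "OK: OpenVAS Manager database contains information about $DBNVTCOUNT NVTs."
    fi
  fi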
  455.  
  # For profiles without OpenVAS Administrator (major version "0") the users
  # are listed through the manager.
  if [ $ADMINISTRATOR_MAJOR = "0" ]; then
    echo "Checking if users exist ..." >> "$LOG"
    # OpenVAS-7 uses --list-users, every other profile --get-users; the count
    # is the number of non-empty output lines.
    if [ $VER = "7" ]; then
      USERCOUNT=$(openvasmd --list-users | sed -e "/^$/d" | wc -l)
    else
      USERCOUNT=$(openvasmd --get-users | sed -e "/^$/d" | wc -l)
    fi
    if [ $USERCOUNT -ne 0 ]; then
      log_and_print "OK: At least one user exists."
    else
      log_and_print "ERROR: No users found. You need to create at least one user to log in."
      log_and_print " It is recommended to have at least one user with role Admin."
      log_and_print "FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'"
      check_failed
    fi
    echo "" >> "$LOG"
  fi

  # TODO: Do a check for presence of at least one Admin user.
  478.  
  echo "Checking OpenVAS SCAP database ..." >> "$LOG"
  # Guess openvas state dir from $PLUGINSFOLDER
  STATEDIR=$(dirname $PLUGINSFOLDER)
  SCAPDB="$STATEDIR/scap-data/scap.db"
  if [ ! -e $SCAPDB ]; then
    log_and_print "ERROR: No OpenVAS SCAP database found. (Tried: $SCAPDB)"
    log_and_print "FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync."
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: OpenVAS SCAP database found in $SCAPDB."

  # The CERT database is only checked for OpenVAS-6 and later.
  if [ "$VER" -ge 6 ]; then
    echo "Checking OpenVAS CERT database ..." >> "$LOG"
    # Guess openvas state dir from $PLUGINSFOLDER
    STATEDIR=$(dirname $PLUGINSFOLDER)
    CERTDB="$STATEDIR/cert-data/cert.db"
    if [ ! -e $CERTDB ]; then
      log_and_print "ERROR: No OpenVAS CERT database found. (Tried: $CERTDB)"
      log_and_print "FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync."
      check_failed
    fi
    echo "" >> "$LOG"

    log_and_print "OK: OpenVAS CERT database found in $CERTDB."
  fi
  509.  
  # xsltproc is optional; its absence only produces a warning.
  echo "Checking xsltproc presence ..." >> "$LOG"
  if XSLTPROC=$(type xsltproc 2> /dev/null); then
    log_and_print "OK: xsltproc found."
  else
    log_and_print "WARNING: Could not find xsltproc binary, most report formats will not work."
    log_and_print "SUGGEST: Install xsltproc."
  fi
  echo "" >> "$LOG"
  520.  
  521.  
  # Step 3 checks OpenVAS Administrator only for profiles that define a
  # non-zero Administrator major version.
  if [ $ADMINISTRATOR_MAJOR != "0" ]; then
    echo "Step 3: Checking OpenVAS Administrator ... "

    echo "Checking presence of OpenVAS Administrator ..." >> "$LOG"
    if ! openvasad --version >> "$LOG" 2>&1; then
      log_and_print "ERROR: No OpenVAS Administrator (openvasad) found."
      log_and_print "FIX: Please install OpenVAS Administrator."
      check_failed
    fi
    echo "" >> "$LOG"

    # First line of the version output with the product name stripped.
    VERSION=$(openvasad --version | head -1 | sed -e "s/OpenVAS Administrator //")

    if ! echo $VERSION | grep -q "^$ADMINISTRATOR_MAJOR\.$ADMINISTRATOR_MINOR"; then
      log_and_print "ERROR: OpenVAS Administrator too old or too new: $VERSION"
      log_and_print "FIX: Please install OpenVAS Administrator $ADMINISTRATOR_MAJOR.$ADMINISTRATOR_MINOR."
      log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
      check_failed
    fi
    echo "" >> "$LOG"

    log_and_print "OK: OpenVAS Administrator is present in version $VERSION."

    # User count = number of non-empty lines printed by "list_users".
    echo "Checking if users exist ..." >> "$LOG"
    USERCOUNT=$(openvasad -c "list_users" | sed -e "/^$/d" | wc -l)
    if [ $USERCOUNT -ne 0 ]; then
      log_and_print "OK: At least one user exists."
    else
      log_and_print "ERROR: No users found. You need to create at least one user to log in."
      log_and_print " It is recommended to have at least one user with role Admin."
      log_and_print "FIX: Create a user using 'openvasad -c 'add_user' -n <name> --role=Admin'"
      check_failed
    fi
    echo "" >> "$LOG"

    # An admin is recognised by an "isadmin" entry below $STATEDIR/users/<name>/;
    # ls fails when the glob matches nothing.
    echo "Checking if at least one admin user exists ..." >> "$LOG"
    if ADMINEXISTS=$(ls $STATEDIR/users/*/isadmin 2> /dev/null); then
      log_and_print "OK: At least one admin user exists."
    else
      log_and_print "ERROR: No admin user found. You need to create at least one admin user to log in."
      log_and_print "FIX: Create a user using 'openvasad -c 'add_user' -n <name> -r Admin'"
      check_failed
    fi
    echo "" >> "$LOG"
  else
    echo "Step 3: Checking user configuration ... "
    # TODO: Here we need new tests for presence of user and admin. Possibly based
    # on sqlite3 calls (which in turn means to check for sqlite3 which isn't a runtime
    # requirement for OpenVAS).
  fi
  579.  
  # The password policy is only checked for OpenVAS-6 and later.
  if [ $VER -ge 6 ]; then
    echo "Checking status of password policy ..." >> "$LOG"
    # pwpolicy.conf is expected in the same directory as the scanner config.
    CONFFILE=$(openvassd -s 2>>"$LOG" | grep config_file | sed -e "s/^config_file = //")
    CONFDIR=$(dirname $CONFFILE)
    # The pipeline succeeds only if a line remains after dropping comment
    # lines and empty lines, i.e. the policy has at least one entry.
    if grep -v "^[#]" $CONFDIR/pwpolicy.conf | grep -v "^$" > /dev/null 2>&1; then
      log_and_print "OK: The password policy file at $CONFDIR/pwpolicy.conf contains entries."
    else
      log_and_print "WARNING: Your password policy is empty."
      log_and_print "SUGGEST: Edit the $CONFDIR/pwpolicy.conf file to set a password policy."
    fi
    echo "" >> "$LOG"
  fi
  595.  
  echo "Step 4: Checking Greenbone Security Assistant (GSA) ... "

  # The gsad binary must be callable.
  echo "Checking presence of Greenbone Security Assistant ..." >> "$LOG"
  if ! gsad --version >> "$LOG" 2>&1; then
    log_and_print "ERROR: No Greenbone Security Assistant (gsad) found."
    log_and_print "FIX: Please install Greenbone Security Assistant."
    check_failed
  fi
  echo "" >> "$LOG"

  # First line of the version output with the product name stripped.
  VERSION=$(gsad --version | head -1 | sed -e "s/Greenbone Security Assistant //")

  # The version must start with the expected major.minor pair.
  if ! echo $VERSION | grep -q "^$GSA_MAJOR\.$GSA_MINOR"; then
    log_and_print "ERROR: Greenbone Security Assistant too old or too new: $VERSION"
    log_and_print "FIX: Please install Greenbone Security Assistant $GSA_MAJOR.$GSA_MINOR."
    log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
    check_failed
  fi
  echo "" >> "$LOG"

  log_and_print "OK: Greenbone Security Assistant is present in version $VERSION."
  620.  
  echo "Step 5: Checking OpenVAS CLI ... "

  # The CLI is a client tool and is skipped in server mode.
  if [ "$MODE" = "server" ]; then
    log_and_print "SKIP: Skipping check for OpenVAS CLI."
  else
    echo "Checking presence of OpenVAS CLI ..." >> "$LOG"
    if ! omp --version >> "$LOG" 2>&1; then
      log_and_print "ERROR: No OpenVAS CLI (omp) found."
      log_and_print "FIX: Please install OpenVAS CLI."
      log_and_print "HINT: Please see the --server command line option to skip this check."
      check_failed
    fi
    echo "" >> "$LOG"

    # First line of the version output with the product name stripped.
    VERSION=$(omp --version | head -1 | sed -e "s/OMP Command Line Interface //")

    if ! echo $VERSION | grep -q "^$CLI_MAJOR\.$CLI_MINOR"; then
      log_and_print "ERROR: OpenVAS CLI too old or too new: $VERSION"
      log_and_print "FIX: Please install OpenVAS CLI $CLI_MAJOR.$CLI_MINOR."
      log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
      check_failed
    fi
    echo "" >> "$LOG"

    log_and_print "OK: OpenVAS CLI version $VERSION."
  fi
  651.  
  652.  
  echo "Step 6: Checking Greenbone Security Desktop (GSD) ... "

  # GSD is only checked outside server mode and for OpenVAS-6 or older.
  if [ "$MODE" != "server" ] && [ "$VER" -le 6 ]; then
    echo "Checking presence of Greenbone Security Desktop ..." >> "$LOG"

    # DISPLAY is set to a dummy value for the version query.
    if ! DISPLAY=fake gsd --version >> "$LOG" 2>&1; then
      # For OpenVAS-6 a missing GSD is only a warning; for older releases it
      # fails the check.
      if [ "$VER" -ge 6 ]; then
        log_and_print "WARNING: No Greenbone Security Desktop (gsd) found or too old."
        log_and_print "SUGGEST: Please install Greenbone Security Desktop $GSD_MAJOR.$GSD_MINOR."
      else
        log_and_print "ERROR: No Greenbone Security Desktop (gsd) found or too old."
        log_and_print "FIX: Please install Greenbone Security Desktop $GSD_MAJOR.$GSD_MINOR."
        check_failed
      fi
      log_and_print "SKIP: Skipping further check for Greenbone Security Desktop."
    else
      echo "" >> "$LOG"

      # First line of the version output with the product name stripped.
      VERSION=$(gsd --version | head -1 | sed -e "s/Greenbone Security Desktop //")

      if ! echo $VERSION | grep -q "^$GSD_MAJOR\.$GSD_MINOR"; then
        # Same split as above: a hard error below OpenVAS-6, a warning otherwise.
        if [ $VER -lt "6" ]; then
          log_and_print "ERROR: Greenbone Security Desktop too old or too new: $VERSION"
          log_and_print "FIX: Please install Greenbone Security Desktop $GSD_MAJOR.$GSD_MINOR."
          log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
          check_failed
        else
          log_and_print "WARNING: Greenbone Security Desktop too old or too new: $VERSION"
          log_and_print "SUGGEST: Please install Greenbone Security Desktop $GSD_MAJOR.$GSD_MINOR."
          log_and_print "HINT: Please see the --v6/7/8/9 command line options to check other major versions."
        fi
      fi
      echo "" >> "$LOG"

      log_and_print "OK: Greenbone Security Desktop is present in Version $VERSION."
    fi
  else
    log_and_print "SKIP: Skipping check for Greenbone Security Desktop."
  fi
  698.  
  699.  
  echo "Step 7: Checking if OpenVAS services are up and running ... "

  # The service checks below rely on netstat; without it they are skipped.
  echo "Checking netstat presence ..." >> "$LOG"
  if NETSTAT=$(type netstat 2> /dev/null); then
    log_and_print "OK: netstat found, extended checks of the OpenVAS services enabled."
    HAVE_NETSTAT=1
  else
    log_and_print "WARNING: Could not find netstat binary, checks of the OpenVAS services are disabled."
    log_and_print "SUGGEST: Install netstat."
    HAVE_NETSTAT=0
  fi
  echo "" >> "$LOG"
  714.  
  715. if [ $HAVE_NETSTAT -eq 1 ]
  716. then
  717. netstat -A inet -A inet6 -ntlp 2> /dev/null >> $LOG
  718. OPENVASSD_HOST=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep openvassd | awk -F\ '{print $4}' | awk -F: 'sub(FS $NF,x)'`
  719. OPENVASSD_PORT=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep openvassd | awk -F\ '{print $4}' | awk -F: '{print $NF}'`
  720. OPENVASMD_HOST=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep openvasmd | awk -F\ '{print $4}' | awk -F: 'sub(FS $NF,x)'`
  721. OPENVASMD_PORT=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep openvasmd | awk -F\ '{print $4}' | awk -F: '{print $NF}'`
  722. OPENVASAD_HOST=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep openvasad | awk -F\ '{print $4}' | awk -F: 'sub(FS $NF,x)'`
  723. OPENVASAD_PORT=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep openvasad | awk -F\ '{print $4}' | awk -F: '{print $NF}'`
  724. GSAD_HOST=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep gsad | awk -F\ '{print $4}' | awk -F: 'sub(FS $NF,x)'`
  725. GSAD_PORT=`netstat -A inet -A inet6 -ntlp 2> /dev/null | grep gsad | awk -F\ '{print $4}' | awk -F: '{print $NF}' | tail -1`
  726.  
  727. case "$OPENVASSD_HOST" in
  728. "0.0.0.0"|"::") log_and_print "OK: OpenVAS Scanner is running and listening on all interfaces." ;;
  729. "127.0.0.1") log_and_print "OK: OpenVAS Scanner is running and listening only on the local interface." ;;
  730. "") OPENVASSD_PROC=`ps -Af | grep -ic "[o]penvassd: waiting for incoming connections"`
  731. if [ $OPENVASSD_PROC -eq 0 ]
  732. then
  733. log_and_print "ERROR: OpenVAS Scanner is NOT running!" ;
  734. log_and_print "FIX: Start OpenVAS Scanner (openvassd)." ;
  735. OPENVASSD_PORT=-1 ;
  736. else
  737. log_and_print "WARNING: OpenVAS Scanner seems to be run by another user!" ;
  738. log_and_print "FIX: If intended this is OK (e.g. as root). But we can not determine the port." ;
  739. log_and_print "FIX: You might face subsequent problems if not intended." ;
  740. OPENVASSD_PORT=1 ;
  741. fi
  742. ;;
  743. esac
  744. case $OPENVASSD_PORT in
  745. -1) ;;
  746. 9391) log_and_print "OK: OpenVAS Scanner is listening on port 9391, which is the default port." ;;
  747. *) log_and_print "WARNING: OpenVAS Scanner is listening on port $OPENVASSD_PORT, which is NOT the default port!"
  748. log_and_print "SUGGEST: Ensure OpenVAS Scanner is listening on port 9391." ;;
  749. esac
  750.  
  751. case "$OPENVASMD_HOST" in
  752. "0.0.0.0"|"::") log_and_print "OK: OpenVAS Manager is running and listening on all interfaces." ;;
  753. "127.0.0.1") log_and_print "WARNING: OpenVAS Manager is running and listening only on the local interface."
  754. log_and_print "This means that you will not be able to access the OpenVAS Manager from the"
  755. log_and_print "outside using GSD or OpenVAS CLI."
  756. log_and_print "SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want"
  757. log_and_print "a local service only." ;;
  758. "") log_and_print "ERROR: OpenVAS Manager is NOT running!"
  759. log_and_print "FIX: Start OpenVAS Manager (openvasmd)."
  760. OPENVASMD_PORT=-1 ;;
  761. esac
  762. case $OPENVASMD_PORT in
  763. -1) ;;
  764. 9390) log_and_print "OK: OpenVAS Manager is listening on port 9390, which is the default port." ;;
  765. *) log_and_print "WARNING: OpenVAS Manager is listening on port $OPENVASMD_PORT, which is NOT the default port!"
  766. log_and_print "SUGGEST: Ensure OpenVAS Manager is listening on port 9390." ;;
  767. esac
  768.  
  769. if [ $ADMINISTRATOR_MAJOR != "0" ]
  770. then
  771. case "$OPENVASAD_HOST" in
  772. "0.0.0.0") log_and_print "OK: OpenVAS Administrator is running and listening on all interfaces." ;;
  773. "127.0.0.1") log_and_print "OK: OpenVAS Administrator is running and listening only on the local interface." ;;
  774. "") log_and_print "ERROR: OpenVAS Administrator is NOT running!"
  775. log_and_print "FIX: Start OpenVAS Administrator (openvasad)."
  776. OPENVASAD_PORT=-1 ;;
  777. esac
  778. case $OPENVASAD_PORT in
  779. -1) ;;
  780. 9393) log_and_print "OK: OpenVAS Administrator is listening on port 9393, which is the default port." ;;
  781. *) log_and_print "WARNING: OpenVAS Administrator is listening on port $OPENVASAD_PORT, which is NOT the default port!"
  782. log_and_print "SUGGEST: Ensure OpenVAS Administrator is listening on port 9393." ;;
  783. esac
  784. else
  785. OPENVASAD_PORT=1; # to make this not a failure because we do not need openvasad at all
  786. fi
  787.  
  # Greenbone Security Assistant (gsad): report the bind address first.
  # NOTE(review): the loopback-only binding that produces the WARNING below is
  # the lower-exposure setup. Listening on all interfaces makes the web
  # interface reachable from every network the host is attached to, so weigh
  # the SUGGEST text against who actually needs to reach it.
  case "$GSAD_HOST" in
    "")
      log_and_print "ERROR: Greenbone Security Assistant is NOT running!"
      log_and_print "FIX: Start Greenbone Security Assistant (gsad)."
      GSAD_PORT=-1
      ;;
    "127.0.0.1")
      log_and_print "WARNING: Greenbone Security Assistant is running and listening only on the local interface."
      log_and_print "This means that you will not be able to access the Greenbone Security Assistant from the"
      log_and_print "outside using a web browser."
      log_and_print "SUGGEST: Ensure that Greenbone Security Assistant listens on all interfaces."
      ;;
    "0.0.0.0"|"::")
      log_and_print "OK: Greenbone Security Assistant is running and listening on all interfaces."
      ;;
  esac

  # Port check. -1 marks "gsad is not running", which was reported above.
  case "$GSAD_PORT" in
    80|443|9392)
      log_and_print "OK: Greenbone Security Assistant is listening on port $GSAD_PORT, which is the default port."
      ;;
    -1)
      ;;
    *)
      log_and_print "WARNING: Greenbone Security Assistant is listening on port $GSAD_PORT, which is NOT the default port!"
      log_and_print "SUGGEST: Ensure Greenbone Security Assistant is listening on one of the following ports: 80, 443, 9392."
      ;;
  esac
  804.  
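  # A port value of -1 is the marker used for a service that is not running;
  # one such service is enough to fail the whole check. The expansions are
  # quoted so that an empty or multi-word value reaches `[` as one operand.
  if [ "$OPENVASSD_PORT" -eq -1 ] || [ "$OPENVASMD_PORT" -eq -1 ] ||
     [ "$OPENVASAD_PORT" -eq -1 ] || [ "$GSAD_PORT" -eq -1 ]
  then
    check_failed
  fi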
  809.  
  810. fi
  811.  
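  echo "Step 8: Checking nmap installation ..."

  echo "Checking presence of nmap ..." >> "$LOG"
  # `type` fails when nmap cannot be found; its output is kept in NMAP.
  if NMAP=$(type nmap 2> /dev/null)
  then
    # Third field of the "Nmap version ..." line printed by nmap --version.
    VERSION=$(nmap --version | awk '/Nmap version/ { print $3 }')
    # Only a version string containing "5.51" counts as fully supported.
    # A pattern match replaces the former echo | grep | wc pipeline.
    case "$VERSION" in
      *5.51*)
        log_and_print "OK: nmap is present in version $VERSION."
        ;;
      *)
        log_and_print "WARNING: Your version of nmap is not fully supported: $VERSION"
        log_and_print "SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs."
        ;;
    esac
  else
    log_and_print "WARNING: No nmap installation found."
    log_and_print "SUGGEST: You should install nmap for comprehensive network scanning (see http://nmap.org)"
  fi
  echo "" >> "$LOG"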
  831.  
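  echo "Step 10: Checking presence of optional tools ..."

  echo "Checking presence of pdflatex ..." >> "$LOG"
  # HAVE_PDFLATEX records the result; the PDF generation test that follows
  # only runs when it is 1.
  if PDFLATEX=$(type pdflatex 2> /dev/null)
  then
    log_and_print "OK: pdflatex found."
    HAVE_PDFLATEX=1
  else
    log_and_print "WARNING: Could not find pdflatex binary, the PDF report format will not work."
    log_and_print "SUGGEST: Install pdflatex."
    HAVE_PDFLATEX=0
  fi
  echo "" >> "$LOG"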
  846.  
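  # Compile a small test document that loads the LaTeX packages listed below
  # and report whether a PDF came out of it.
  if [ "$HAVE_PDFLATEX" -eq 1 ]
  then
    echo "Checking presence of LaTeX packages required for PDF report generation ..." >> "$LOG"
    PDFTMPDIR=$(mktemp -d -t openvas-check-setup-tmp.XXXXXXXXXX)
    # Without this guard a failed mktemp leaves PDFTMPDIR empty, and the test
    # file would then be written to "/test.tex".
    if [ -z "$PDFTMPDIR" ] || [ ! -d "$PDFTMPDIR" ]
    then
      log_and_print "WARNING: Could not create a temporary directory, skipping the PDF generation test."
    else
      TEXFILE="$PDFTMPDIR/test.tex"
      # Quoted delimiter: the TeX source is written out literally, with no
      # shell expansion of its backslashes.
      cat <<'EOT' > "$TEXFILE"
\documentclass{article}
\pagestyle{empty}

%\usepackage{color}
\usepackage{tabularx}
\usepackage{geometry}
\usepackage{comment}
\usepackage{longtable}
\usepackage{titlesec}
\usepackage{chngpage}
\usepackage{calc}
\usepackage{url}
\usepackage[utf8x]{inputenc}

\DeclareUnicodeCharacter {135}{{\textascii ?}}
\DeclareUnicodeCharacter {129}{{\textascii ?}}
\DeclareUnicodeCharacter {128}{{\textascii ?}}

\usepackage{colortbl}

% must come last
\usepackage{hyperref}
\definecolor{linkblue}{rgb}{0.11,0.56,1}
\definecolor{inactive}{rgb}{0.56,0.56,0.56}
\definecolor{openvas_debug}{rgb}{0.78,0.78,0.78}
\definecolor{openvas_false_positive}{rgb}{0.2275,0.2275,0.2275}
\definecolor{openvas_log}{rgb}{0.2275,0.2275,0.2275}
\definecolor{openvas_hole}{rgb}{0.7960,0.1137,0.0902}
\definecolor{openvas_note}{rgb}{0.3255,0.6157,0.7961}
\definecolor{openvas_report}{rgb}{0.68,0.74,0.88}
\definecolor{openvas_user_note}{rgb}{1.0,1.0,0.5625}
\definecolor{openvas_user_override}{rgb}{1.0,1.0,0.5625}
\definecolor{openvas_warning}{rgb}{0.9764,0.6235,0.1922}
\hypersetup{colorlinks=true,linkcolor=linkblue,urlcolor=blue,bookmarks=true,bookmarksopen=true}
\usepackage[all]{hypcap}

%\geometry{verbose,a4paper,tmargin=24mm,bottom=24mm}
\geometry{verbose,a4paper}
\setlength{\parskip}{\smallskipamount}
\setlength{\parindent}{0pt}

\title{PDF Report Test}
\pagestyle{headings}
\pagenumbering{arabic}
\begin{document}
This is a test of the PDF generation capabilities of your OpenVAS installation. Please ignore.
\end{document}
EOT
      # pdflatex output is discarded; success is judged by test.pdf existing.
      pdflatex -interaction batchmode -output-directory "$PDFTMPDIR" "$TEXFILE" > /dev/null 2>&1
      if [ -f "$PDFTMPDIR/test.pdf" ]
      then
        log_and_print "OK: PDF generation successful. The PDF report format is likely to work."
      else
        log_and_print "WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work."
        log_and_print "SUGGEST: Install required LaTeX packages."
      fi
      # Keep the pdflatex transcript in the check log for later diagnosis.
      # NOTE(review): LOG is a fixed file name under /tmp (set at the top of
      # the script), so this append goes to whatever already exists at that
      # name; a log location other local users cannot pre-create would be
      # safer when the check runs with elevated privileges.
      if [ -f "$PDFTMPDIR/test.log" ]
      then
        cat "$PDFTMPDIR/test.log" >> "$LOG"
      fi
      rm -rf -- "$PDFTMPDIR"
    fi
  fi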
  915.  
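  echo "Checking presence of ssh-keygen ..." >> "$LOG"
  # HAVE_SSHKEYGEN records the result; the rpm and alien checks that follow
  # only run when it is 1.
  if SSHKEYGEN=$(type ssh-keygen 2> /dev/null)
  then
    log_and_print "OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work."
    HAVE_SSHKEYGEN=1
  else
    log_and_print "WARNING: Could not find ssh-keygen binary, LSC credential generation for GNU/Linux targets will not work."
    log_and_print "SUGGEST: Install ssh-keygen."
    HAVE_SSHKEYGEN=0
  fi
  echo "" >> "$LOG"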
  928.  
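  # Packaging tools for LSC credentials: rpm is looked for only when
  # ssh-keygen is available, and alien only when rpm is.
  if [ "$HAVE_SSHKEYGEN" -eq 1 ]
  then
    echo "Checking presence of rpm ..." >> "$LOG"
    if RPM=$(type rpm 2> /dev/null)
    then
      log_and_print "OK: rpm found, LSC credential package generation for RPM based targets is likely to work."
      HAVE_RPM=1
    else
      log_and_print "WARNING: Could not find rpm binary, LSC credential package generation for RPM and DEB based targets will not work."
      log_and_print "SUGGEST: Install rpm."
      HAVE_RPM=0
    fi
    echo "" >> "$LOG"

    if [ "$HAVE_RPM" -eq 1 ]
    then
      echo "Checking presence of alien ..." >> "$LOG"
      if ALIEN=$(type alien 2> /dev/null)
      then
        log_and_print "OK: alien found, LSC credential package generation for DEB based targets is likely to work."
        HAVE_ALIEN=1
      else
        log_and_print "WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work."
        log_and_print "SUGGEST: Install alien."
        HAVE_ALIEN=0
      fi
      echo "" >> "$LOG"
    fi
  fi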
  960.  
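  echo "Checking presence of nsis ..." >> "$LOG"
  # The nsis package is detected through its makensis binary.
  if NSIS=$(type makensis 2> /dev/null)
  then
    log_and_print "OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work."
    HAVE_NSIS=1
  else
    log_and_print "WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work."
    log_and_print "SUGGEST: Install nsis."
    HAVE_NSIS=0
  fi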
  972.  
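  echo "Checking for SELinux ..." >> "$LOG"
  # When getenforce cannot be run or fails, the SELinux check is skipped.
  if selinux=$(getenforce 2>/dev/null)
  then
    # Every state other than "Disabled" fails the check, so Permissive is
    # rejected as well as Enforcing. The value is quoted so that empty output
    # cannot break the test.
    # NOTE(review): turning SELinux off removes mandatory access control for
    # the whole host, not just for OpenVAS. Confirm whether this release
    # really needs that, or whether a policy adjustment for its daemons
    # would do.
    if [ "$selinux" != "Disabled" ]
    then
      log_and_print "ERROR: SELinux is enabled. For a working OpenVAS installation you need to disable it."
      log_and_print "FIX: Please disable SELinux."
      check_failed
    else
      log_and_print "OK: SELinux is disabled."
    fi
  fi

  echo "" >> "$LOG"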
  988.  
  # Closing summary, written to stdout only (it is not appended to the log).
  # The here-document expands $VER and $LOG.
  cat <<EOT

It seems like your OpenVAS-$VER installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file ($LOG) to help us analyze the problem.

EOT