OpenVAS Scanner  7.0.1~git
openvas.c
Go to the documentation of this file.
1 /* Portions Copyright (C) 2009-2019 Greenbone Networks GmbH
2  * Portions Copyright (C) 2006 Software in the Public Interest, Inc.
3  * Based on work Copyright (C) 1998 - 2006 Tenable Network Security, Inc.
4  *
5  * SPDX-License-Identifier: GPL-2.0-only
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License
9  * version 2 as published by the Free Software Foundation.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19  */
20 
36 #include "../misc/plugutils.h" /* nvticache_free */
37 #include "../misc/vendorversion.h" /* for vendor_version_set */
38 #include "attack.h" /* for attack_network */
39 #include "pluginlaunch.h" /* for init_loading_shm */
40 #include "processes.h" /* for create_process */
41 #include "sighand.h" /* for openvas_signal */
42 #include "utils.h" /* for store_file */
43 
44 #include <errno.h> /* for errno() */
45 #include <fcntl.h> /* for open() */
46 #include <gcrypt.h> /* for gcry_control */
47 #include <glib.h>
48 #include <grp.h>
49 #include <gvm/base/logging.h> /* for setup_log_handler, load_log_configuration, free_log_configuration*/
50 #include <gvm/base/nvti.h> /* for prefs_get() */
51 #include <gvm/base/prefs.h> /* for prefs_get() */
52 #include <gvm/base/proctitle.h> /* for proctitle_set */
53 #include <gvm/base/version.h> /* for gvm_libs_version */
54 #include <gvm/util/kb.h> /* for KB_PATH_DEFAULT */
55 #include <gvm/util/nvticache.h> /* nvticache_free */
56 #include <gvm/util/uuidutils.h> /* gvm_uuid_make */
57 #include <netdb.h> /* for addrinfo */
58 #include <pwd.h>
59 #include <signal.h> /* for SIGTERM */
60 #include <stdio.h> /* for fflush() */
61 #include <stdlib.h> /* for atoi() */
62 #include <sys/stat.h>
63 #include <sys/un.h>
64 #include <sys/wait.h> /* for waitpid */
65 #include <unistd.h> /* for close() */
66 
67 #ifdef GIT_REV_AVAILABLE
68 #include "gitrevision.h"
69 #endif
70 
71 #if GNUTLS_VERSION_NUMBER < 0x030300
72 #include "../misc/network.h" /* openvas_SSL_init */
73 #endif
74 
75 #undef G_LOG_DOMAIN
76 
79 #define G_LOG_DOMAIN "sd main"
80 
81 #define PROCTITLE_WAITING "openvas: Waiting for incoming connections"
82 #define PROCTITLE_LOADING "openvas: Loading Handler"
83 #define PROCTITLE_RELOADING "openvas: Reloading"
84 #define PROCTITLE_SERVING "openvas: Serving %s"
85 
91 
95 GSList *log_config = NULL;
96 
97 static volatile int loading_stop_signal = 0;
98 static volatile int termination_signal = 0;
99 static char *global_scan_id = NULL;
100 
101 typedef struct
102 {
103  char *option;
104  char *value;
106 
111  {"plugins_folder", OPENVAS_NVT_DIR},
112  {"include_folders", OPENVAS_NVT_DIR},
113  {"max_hosts", "30"},
114  {"max_checks", "10"},
115  {"log_whole_attack", "no"},
116  {"log_plugins_name_at_load", "no"},
117  {"optimize_test", "yes"},
118  {"network_scan", "no"},
119  {"non_simult_ports", "139, 445, 3389, Services/irc"},
120  {"plugins_timeout", G_STRINGIFY (NVT_TIMEOUT)},
121  {"scanner_plugins_timeout", G_STRINGIFY (SCANNER_NVT_TIMEOUT)},
122  {"safe_checks", "yes"},
123  {"auto_enable_dependencies", "yes"},
124  {"drop_privileges", "no"},
125  // Empty options must be "\0", not NULL, to match the behavior of
126  // prefs_init.
127  {"report_host_details", "yes"},
128  {"db_address", KB_PATH_DEFAULT},
129  {"vendor_version", "\0"},
130  {NULL, NULL}};
131 
132 static void
134 {
135  const char *str;
136 
137  if ((str = prefs_get ("max_hosts")) != NULL)
138  {
139  global_max_hosts = atoi (str);
140  if (global_max_hosts <= 0)
141  global_max_hosts = 15;
142  }
143 
144  if ((str = prefs_get ("max_checks")) != NULL)
145  {
146  global_max_checks = atoi (str);
147  if (global_max_checks <= 0)
148  global_max_checks = 10;
149  }
150 }
151 
152 static void
153 reload_openvas (void);
154 
155 static void
157 {
158  (void) sig;
159  reload_openvas ();
160 }
161 
162 static void
164 {
165  termination_signal = sig;
166 }
167 
171 static void
173 {
178  openvas_signal (SIGCHLD, sighand_chld);
179 }
180 
181 /* Restarts the scanner by reloading the configuration. */
182 static void
184 {
185  static gchar *rc_name = NULL;
186  const char *config_file;
187  int i, ret;
188 
189  /* Ignore SIGHUP while reloading. */
190  openvas_signal (SIGHUP, SIG_IGN);
191 
192  proctitle_set (PROCTITLE_RELOADING);
193  /* Setup logging. */
194  rc_name = g_build_filename (OPENVAS_SYSCONF_DIR, "openvas_log.conf", NULL);
195  if (g_file_test (rc_name, G_FILE_TEST_EXISTS))
196  log_config = load_log_configuration (rc_name);
197  g_free (rc_name);
198  setup_log_handlers (log_config);
199  g_message ("Reloading the scanner.\n");
200 
201  /* Reload config file. */
202  config_file = prefs_get ("config_file");
203  for (i = 0; openvas_defaults[i].option != NULL; i++)
204  prefs_set (openvas_defaults[i].option, openvas_defaults[i].value);
205  prefs_config (config_file);
206 
207  /* Reload the plugins */
208  ret = plugins_init ();
210 
211  g_message ("Finished reloading the scanner.");
213  proctitle_set (PROCTITLE_WAITING);
214  if (ret)
215  exit (1);
216 }
217 
225 static int
227 {
228  char key[1024];
229  kb_t kb;
230  struct kb_item *res = NULL;
231 
232  g_debug ("Start loading scan preferences.");
233  if (!globals->scan_id)
234  return -1;
235 
236  snprintf (key, sizeof (key), "internal/%s/scanprefs", globals->scan_id);
237  kb = kb_find (prefs_get ("db_address"), key);
238  if (!kb)
239  return -1;
240 
241  res = kb_item_get_all (kb, key);
242  if (!res)
243  return -1;
244 
245  while (res)
246  {
247  gchar **pref = g_strsplit (res->v_str, "|||", 2);
248  if (pref[0])
249  {
250  gchar **pref_name = g_strsplit (pref[0], ":", 3);
251  if (pref_name[1] && pref_name[2] && !strncmp (pref_name[2], "file", 4)
252  && strcmp (pref[1], ""))
253  {
254  char *file_hash = gvm_uuid_make ();
255  int ret;
256  prefs_set (pref[0], file_hash);
257  ret = store_file (globals, pref[1], file_hash);
258  if (ret)
259  g_debug ("Load preference: Failed to upload file "
260  "for nvt %s preference.",
261  pref_name[0]);
262 
263  g_free (file_hash);
264  }
265  else
266  prefs_set (pref[0], pref[1] ?: "");
267  g_strfreev (pref_name);
268  }
269 
270  g_strfreev (pref);
271  res = res->next;
272  }
273  snprintf (key, sizeof (key), "internal/%s", globals->scan_id);
274  kb_item_set_str (kb, key, "ready", 0);
275  kb_item_set_int (kb, "internal/ovas_pid", getpid ());
276 
277  g_debug ("End loading scan preferences.");
278 
279  kb_item_free (res);
280  return 0;
281 }
282 
283 static void
284 handle_client (struct scan_globals *globals)
285 {
286  kb_t net_kb = NULL;
287 
288  /* Load preferences from Redis. Scan started with a scan_id. */
289  if (load_scan_preferences (globals))
290  {
291  g_warning ("No preferences found for the scan %s", globals->scan_id);
292  exit (0);
293  }
294 
295  attack_network (globals, &net_kb);
296  if (net_kb != NULL)
297  {
298  kb_delete (net_kb);
299  net_kb = NULL;
300  }
301 }
302 
303 static void
304 scanner_thread (struct scan_globals *globals)
305 {
306  nvticache_reset ();
307 
308  globals->scan_id = g_strdup (global_scan_id);
309 
310  handle_client (globals);
311 
312  exit (0);
313 }
314 
320 static int
321 init_openvas (const char *config_file)
322 {
323  static gchar *rc_name = NULL;
324  int i;
325 
326  for (i = 0; openvas_defaults[i].option != NULL; i++)
327  prefs_set (openvas_defaults[i].option, openvas_defaults[i].value);
328  prefs_config (config_file);
329 
330  /* Setup logging. */
331  rc_name = g_build_filename (OPENVAS_SYSCONF_DIR, "openvas_log.conf", NULL);
332  if (g_file_test (rc_name, G_FILE_TEST_EXISTS))
333  log_config = load_log_configuration (rc_name);
334  g_free (rc_name);
335  setup_log_handlers (log_config);
337 
338  return 0;
339 }
340 
341 static int
343 {
344  kb_t kb;
345  int rc;
346 
347  rc = kb_new (&kb, prefs_get ("db_address"));
348  if (rc)
349  return rc;
350 
351  rc = kb_flush (kb, NVTICACHE_STR);
352  return rc;
353 }
354 
355 static void
357 {
358  if (gcry_control (GCRYCTL_ANY_INITIALIZATION_P))
359  return;
360  gcry_check_version (NULL);
361  gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
362  gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
363  gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
364  gcry_control (GCRYCTL_INITIALIZATION_FINISHED);
365 }
366 
367 void
369 {
370  struct scan_globals *globals;
371 
372 #if GNUTLS_VERSION_NUMBER < 0x030300
373  if (openvas_SSL_init () < 0)
374  g_message ("Could not initialize openvas SSL!");
375 #endif
376 
377 #ifdef OPENVAS_GIT_REVISION
378  g_message ("openvas %s (GIT revision %s) started", OPENVAS_VERSION,
379  OPENVAS_GIT_REVISION);
380 #else
381  g_message ("openvas %s started", OPENVAS_VERSION);
382 #endif
383 
384  if (plugins_cache_init ())
385  {
386  g_message ("Failed to initialize nvti cache.");
387  exit (1);
388  }
390 
391  globals = g_malloc0 (sizeof (struct scan_globals));
392 
393  scanner_thread (globals);
394  exit (0);
395 }
402 static void
404 {
405  char key[1024];
406  kb_t kb;
407  int pid;
408 
409  if (!global_scan_id)
410  exit (1);
411 
412  snprintf (key, sizeof (key), "internal/%s", global_scan_id);
413  kb = kb_find (prefs_get ("db_address"), key);
414  if (!kb)
415  exit (1);
416 
417  pid = kb_item_get_int (kb, "internal/ovas_pid");
418  kill (pid, SIGUSR1);
419 
420  exit (0);
421 }
422 
428 int
429 openvas (int argc, char *argv[])
430 {
431  int ret;
432 
433  proctitle_init (argc, argv);
434  gcrypt_init ();
435 
436  static gboolean display_version = FALSE;
437  static gchar *config_file = NULL;
438  static gchar *scan_id = NULL;
439  static gchar *stop_scan_id = NULL;
440  static gboolean print_specs = FALSE;
441  static gboolean print_sysconfdir = FALSE;
442  static gboolean update_vt_info = FALSE;
443  GError *error = NULL;
444  GOptionContext *option_context;
445  static GOptionEntry entries[] = {
446  {"version", 'V', 0, G_OPTION_ARG_NONE, &display_version,
447  "Display version information", NULL},
448  {"config-file", 'c', 0, G_OPTION_ARG_FILENAME, &config_file,
449  "Configuration file", "<filename>"},
450  {"cfg-specs", 's', 0, G_OPTION_ARG_NONE, &print_specs,
451  "Print configuration settings", NULL},
452  {"sysconfdir", 'y', 0, G_OPTION_ARG_NONE, &print_sysconfdir,
453  "Print system configuration directory (set at compile time)", NULL},
454  {"update-vt-info", 'u', 0, G_OPTION_ARG_NONE, &update_vt_info,
455  "Updates VT info into redis store from VT files", NULL},
456  {"scan-start", '\0', 0, G_OPTION_ARG_STRING, &scan_id,
457  "ID of scan to start. ID and related data must be stored into redis "
458  "before.",
459  "<string>"},
460  {"scan-stop", '\0', 0, G_OPTION_ARG_STRING, &stop_scan_id,
461  "ID of scan to stop", "<string>"},
462 
463  {NULL, 0, 0, 0, NULL, NULL, NULL}};
464 
465  option_context =
466  g_option_context_new ("- Open Vulnerability Assessment Scanner");
467  g_option_context_add_main_entries (option_context, entries, NULL);
468  if (!g_option_context_parse (option_context, &argc, &argv, &error))
469  {
470  g_print ("%s\n\n", error->message);
471  exit (0);
472  }
473  g_option_context_free (option_context);
474 
475  /* --sysconfdir */
476  if (print_sysconfdir)
477  {
478  g_print ("%s\n", SYSCONFDIR);
479  exit (0);
480  }
481 
482  /* --version */
483  if (display_version)
484  {
485  printf ("OpenVAS %s\n", OPENVAS_VERSION);
486 #ifdef OPENVAS_GIT_REVISION
487  printf ("GIT revision %s\n", OPENVAS_GIT_REVISION);
488 #endif
489  printf ("gvm-libs %s\n", gvm_libs_version ());
490  printf ("Most new code since 2005: (C) 2019 Greenbone Networks GmbH\n");
491  printf (
492  "Nessus origin: (C) 2004 Renaud Deraison <deraison@nessus.org>\n");
493  printf ("License GPLv2: GNU GPL version 2\n");
494  printf (
495  "This is free software: you are free to change and redistribute it.\n"
496  "There is NO WARRANTY, to the extent permitted by law.\n\n");
497  exit (0);
498  }
499 
500  /* Switch to UTC so that OTP times are always in UTC. */
501  if (setenv ("TZ", "utc 0", 1) == -1)
502  {
503  g_print ("%s\n\n", strerror (errno));
504  exit (0);
505  }
506  tzset ();
507 
508  if (!config_file)
509  config_file = OPENVAS_CONF;
510  if (update_vt_info)
511  {
512  if (init_openvas (config_file))
513  return 1;
514  if (plugins_init ())
515  return 1;
516  return 0;
517  }
518 
519  if (init_openvas (config_file))
520  return 1;
521 
522  if (prefs_get ("vendor_version") != NULL)
523  vendor_version_set (prefs_get ("vendor_version"));
524 
525  if (stop_scan_id)
526  {
527  global_scan_id = g_strdup (stop_scan_id);
529  exit (0);
530  }
531 
532  if (scan_id)
533  {
534  global_scan_id = g_strdup (scan_id);
536  exit (0);
537  }
538 
539  /* special treatment */
540  if (print_specs)
541  {
542  prefs_dump ();
543  exit (0);
544  }
545  if (flush_all_kbs ())
546  exit (1);
547 
548 #if GNUTLS_VERSION_NUMBER < 0x030300
549  if (openvas_SSL_init () < 0)
550  g_message ("Could not initialize openvas SSL!");
551 #endif
552 
553  /* Ignore SIGHUP while reloading. */
554  openvas_signal (SIGHUP, SIG_IGN);
555 
556  ret = plugins_init ();
557  if (ret)
558  return 1;
559 
560  exit (0);
561 }
void(*)(int) openvas_signal(int signum, void(*handler)(int))
Definition: sighand.c:87
static void gcrypt_init()
Definition: openvas.c:356
struct scan_globals * globals
Definition: scanneraux.h:45
static void handle_termination_signal(int sig)
Definition: openvas.c:163
static int load_scan_preferences(struct scan_globals *globals)
Read the scan preferences from redis scan_id Scan ID used as key to find the corresponding KB where ...
Definition: openvas.c:226
processes.c header.
headerfile for sighand.c.
static void handle_reload_signal(int sig)
Definition: openvas.c:156
int plugins_init(void)
Definition: pluginload.c:376
static void stop_single_task_scan()
Search in redis the process ID of a running scan and sends it the kill signal SIGUSR2, which will stop the scan. To find the process ID, it uses the scan_id passed with the –scan-stop option.
Definition: openvas.c:403
void start_single_task_scan()
Definition: openvas.c:368
#define option
GSList * log_config
Logging parameters, as passed to setup_log_handlers.
Definition: openvas.c:95
static volatile int loading_stop_signal
Definition: openvas.c:97
int global_max_checks
Definition: openvas.c:90
static pid_t pid
char * option
Definition: openvas.c:103
static char * global_scan_id
Definition: openvas.c:99
#define PROCTITLE_WAITING
Definition: openvas.c:81
int openvas_SSL_init()
Initializes SSL support.
Definition: network.c:351
utils.c headerfile.
static void scanner_thread(struct scan_globals *globals)
Definition: openvas.c:304
char * scan_id
Definition: scanneraux.h:38
void sighand_chld(pid_t pid)
Definition: sighand.c:103
attack.c header.
#define PROCTITLE_RELOADING
Definition: openvas.c:83
char * value
Definition: openvas.c:104
static void set_globals_from_preferences(void)
Definition: openvas.c:133
pluginlaunch.c header.
int openvas(int argc, char *argv[])
openvas.
Definition: openvas.c:429
static openvas_option openvas_defaults[]
Default values for scanner options. Must be NULL terminated.
Definition: openvas.c:110
static int init_openvas(const char *config_file)
Initialize everything.
Definition: openvas.c:321
void attack_network(struct scan_globals *globals, kb_t *network_kb)
Attack a whole network.
Definition: attack.c:1008
static volatile int termination_signal
Definition: openvas.c:98
static void handle_client(struct scan_globals *globals)
Definition: openvas.c:284
static int flush_all_kbs()
Definition: openvas.c:342
int global_max_hosts
Definition: openvas.c:89
void vendor_version_set(const gchar *version)
Set vendor version.
Definition: vendorversion.c:40
int store_file(struct scan_globals *globals, const char *file, const char *file_hash)
Stores a file type preference in a hash table.
Definition: utils.c:110
static void reload_openvas(void)
Definition: openvas.c:183
int plugins_cache_init(void)
Main function for nvticache initialization without loading the plugins.
Definition: pluginload.c:359
static void init_signal_handlers()
Initializes main scanner process&#39; signal handlers.
Definition: openvas.c:172