82 #include <arpa/inet.h> 87 #include <glib/gstdio.h> 88 #include <gnutls/gnutls.h> 91 #include <netinet/in.h> 92 #include <netinet/ip.h> 98 #include <sys/select.h> 99 #include <sys/socket.h> 101 #include <sys/types.h> 102 #include <sys/wait.h> 105 #include <openvas/misc/openvas_logging.h> 106 #include <openvas/misc/openvas_proctitle.h> 107 #include <openvas/misc/openvas_server.h> 108 #include <openvas/base/pidfile.h> 109 #include <openvas/base/pwpolicy.h> 118 #ifdef GIT_REV_AVAILABLE 119 #include "gitrevision.h" 126 #define G_LOG_DOMAIN "md main" 131 #ifndef OPENVASMD_VERSION 132 #define OPENVASMD_VERSION "-1" 138 #ifndef OPENVAS_OS_NAME 139 #define OPENVAS_OS_NAME "-1" 145 #define OPENVASSD_ADDRESS OPENVAS_RUN_DIR "/openvassd.sock" 151 #define SCANNERCERT "/var/lib/openvas/CA/servercert.pem" 158 #define SCANNERKEY "/var/lib/openvas/private/CA/serverkey.pem" 165 #define CACERT "/var/lib/openvas/CA/cacert.pem" 172 #define CLIENTCERT "/var/lib/openvas/CA/clientcert.pem" 179 #define CLIENTKEY "/var/lib/openvas/private/CA/clientkey.pem" 187 #define OPENVASSD_PORT 9391 194 #define OPENVASMD_PORT 9390 199 #define MAX_CONNECTIONS 512 204 #define DEFAULT_CLIENT_WATCH_INTERVAL 1 225 FILE* log_stream = NULL;
/* Database file (SQLite) or name (Postgres) selected by the --database/-d
 * option; handed to serve_omp for every client connection. Stays NULL when
 * the option is not given, so the callee decides what NULL selects. */
246 static gchar *database = NULL;
/* NULL-terminated vector of OMP command names to refuse, produced by
 * g_strsplit of the comma-separated --disable-cmds value and passed to
 * serve_omp. Owned here: released with g_strfreev in cleanup. NULL means
 * no command is disabled. */
266 static gchar **disabled_commands = NULL;
322 set_gnutls_priority (gnutls_session_t *session,
const char *priority)
324 const char *errp = NULL;
325 if (gnutls_priority_set_direct (*session, priority, &errp)
326 == GNUTLS_E_INVALID_REQUEST)
327 g_warning (
"Invalid GnuTLS priority: %s\n", errp);
351 connection_watcher_data_new (openvas_connection_t *client_connection)
358 pthread_mutex_init (&(watcher_data->
mutex), NULL);
371 watch_client_connection (
void* data)
375 openvas_connection_t *client_connection;
377 pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, NULL);
381 pthread_mutex_lock (&(watcher_data->
mutex));
383 pthread_mutex_unlock (&(watcher_data->
mutex));
387 pthread_setcancelstate (PTHREAD_CANCEL_ENABLE, NULL);
389 pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, NULL);
391 pthread_mutex_lock (&(watcher_data->
mutex));
396 pthread_mutex_unlock (&(watcher_data->
mutex));
403 ret = recv (client_connection->socket, buf, 1, MSG_PEEK);
409 g_debug (
"%s: Client connection closed", __FUNCTION__);
416 pthread_mutex_unlock (&(watcher_data->
mutex));
435 serve_client (
int server_socket, openvas_connection_t *client_connection)
437 pthread_t watch_thread;
440 if (server_socket > 0)
445 if (setsockopt (server_socket,
446 SOL_SOCKET, SO_KEEPALIVE,
447 &optval,
sizeof (
int)))
449 g_critical (
"%s: failed to set SO_KEEPALIVE on scanner socket: %s\n",
458 watcher_data = connection_watcher_data_new (client_connection);
459 pthread_create (&watch_thread, NULL, watch_client_connection,
467 if (client_connection->tls
468 && openvas_server_attach (client_connection->socket, &
client_session))
470 g_debug (
"%s: failed to attach client session to socket %i\n",
472 client_connection->socket);
478 if (fcntl (client_connection->socket, F_SETFL, O_NONBLOCK) == -1)
480 g_warning (
"%s: failed to set real client socket flag: %s\n",
489 if (
serve_omp (client_connection, database, disabled_commands, NULL))
494 pthread_mutex_lock (&(watcher_data->
mutex));
496 pthread_mutex_unlock (&(watcher_data->
mutex));
497 pthread_cancel (watch_thread);
498 pthread_join (watch_thread, NULL);
499 g_free (watcher_data);
506 pthread_mutex_lock (&(watcher_data->
mutex));
507 openvas_connection_free (client_connection);
509 pthread_mutex_unlock (&(watcher_data->
mutex));
513 openvas_connection_free (client_connection);
518 pthread_mutex_lock (&(watcher_data->
mutex));
520 pthread_mutex_unlock (&(watcher_data->
mutex));
521 pthread_cancel (watch_thread);
522 pthread_join (watch_thread, NULL);
523 g_free (watcher_data);
538 accept_and_maybe_fork (
int server_socket, sigset_t *sigmask_current)
543 struct sockaddr_storage addr;
544 socklen_t addrlen =
sizeof (addr);
546 while ((client_socket = accept (server_socket, (
struct sockaddr *) &addr,
552 if (errno == EAGAIN || errno == EWOULDBLOCK)
555 g_critical (
"%s: failed to accept client connection: %s\n",
570 struct sigaction action;
571 openvas_connection_t client_connection;
576 pthread_sigmask (SIG_SETMASK, sigmask_current, NULL);
578 memset (&action,
'\0',
sizeof (action));
579 sigemptyset (&action.sa_mask);
580 action.sa_handler = SIG_DFL;
581 if (sigaction (SIGCHLD, &action, NULL) == -1)
583 g_critical (
"%s: failed to set client SIGCHLD handler: %s\n",
586 shutdown (client_socket, SHUT_RDWR);
587 close (client_socket);
594 if (fcntl (client_socket, F_SETFL, O_NONBLOCK) == -1)
596 g_critical (
"%s: failed to set client socket flag: %s\n",
599 shutdown (client_socket, SHUT_RDWR);
600 close (client_socket);
605 memset (&client_connection, 0,
sizeof (client_connection));
606 client_connection.tls =
use_tls;
607 client_connection.socket = client_socket;
617 g_warning (
"%s: failed to fork child: %s\n",
620 close (client_socket);
624 close (client_socket);
642 fork_connection_internal (openvas_connection_t *client_connection, gchar* uuid,
645 int pid, parent_client_socket, ret;
647 struct sigaction action;
661 g_warning (
"%s: fork: %s\n", __FUNCTION__, strerror (errno));
667 g_debug (
"%s: %i forked %i", __FUNCTION__, getpid (), pid);
682 if (socketpair (AF_UNIX, SOCK_STREAM, 0, sockets))
684 g_warning (
"%s: socketpair: %s\n", __FUNCTION__, strerror (errno));
699 parent_client_socket = sockets[0];
701 memset (&action,
'\0',
sizeof (action));
702 sigemptyset (&action.sa_mask);
703 action.sa_handler = SIG_DFL;
704 if (sigaction (SIGCHLD, &action, NULL) == -1)
706 g_critical (
"%s: failed to set client SIGCHLD handler: %s\n",
709 shutdown (parent_client_socket, SHUT_RDWR);
710 close (parent_client_socket);
717 if (fcntl (parent_client_socket, F_SETFL, O_NONBLOCK) == -1)
719 g_critical (
"%s: failed to set client socket flag: %s\n",
722 shutdown (parent_client_socket, SHUT_RDWR);
723 close (parent_client_socket);
740 if (openvas_server_new (GNUTLS_SERVER,
747 g_critical (
"%s: client server initialisation failed\n",
759 g_debug (
"%s: serving OMP to client on socket %i",
760 __FUNCTION__, parent_client_socket);
762 memset (client_connection, 0,
sizeof (*client_connection));
763 client_connection->tls =
use_tls;
764 client_connection->socket = parent_client_socket;
777 g_warning (
"%s: fork: %s\n", __FUNCTION__, strerror (errno));
784 g_debug (
"%s: %i forked %i", __FUNCTION__, getpid (), pid);
793 memset (client_connection, 0,
sizeof (*client_connection));
794 client_connection->tls =
use_tls;
795 client_connection->socket = sockets[1];
799 if (openvas_server_new (GNUTLS_CLIENT,
803 &client_connection->session,
804 &client_connection->credentials))
807 if (openvas_server_attach (client_connection->socket,
808 &client_connection->session))
812 g_debug (
"%s: all set to request OMP on socket %i",
813 __FUNCTION__, client_connection->socket);
832 fork_connection_for_scheduler (openvas_connection_t *client_connection, gchar* uuid)
834 return fork_connection_internal (client_connection, uuid, 1);
846 fork_connection_for_event (openvas_connection_t *client_connection, gchar* uuid)
848 return fork_connection_internal (client_connection, uuid, 0);
872 g_debug (
" Cleaning up.\n");
875 g_strfreev (disabled_commands);
879 if (log_stream != NULL)
881 if (fclose (log_stream))
882 g_critical (
"%s: failed to close log stream: %s\n",
887 g_debug (
" Exiting.\n");
891 openvas_auth_tear_down ();
894 if (
is_parent == 1) pidfile_remove (
"openvasmd");
909 struct sigaction action;
911 memset (&action,
'\0',
sizeof (action));
913 sigfillset (&action.sa_mask);
915 sigemptyset (&action.sa_mask);
916 action.sa_handler = handler;
917 if (sigaction (signal, &action, NULL) == -1)
919 g_critical (
"%s: failed to register %s handler\n",
920 __FUNCTION__, sys_siglist[signal]);
936 void (*handler) (
int, siginfo_t *,
void *),
939 struct sigaction action;
941 memset (&action,
'\0',
sizeof (action));
943 sigfillset (&action.sa_mask);
945 sigemptyset (&action.sa_mask);
946 action.sa_flags |= SA_SIGINFO;
947 action.sa_sigaction = handler;
948 if (sigaction (signal, &action, NULL) == -1)
950 g_critical (
"%s: failed to register %s handler\n",
951 __FUNCTION__, sys_siglist[signal]);
957 #include <execinfo.h> 969 static int in_sigabrt = 0;
971 if (in_sigabrt) _exit (EXIT_FAILURE);
976 int frame_count, index;
980 frame_count = backtrace (frames,
BA_SIZE);
981 frames_text = backtrace_symbols (frames, frame_count);
982 if (frames_text == NULL)
984 perror (
"backtrace symbols");
987 for (index = 0; index < frame_count; index++)
988 g_debug (
"%s\n", frames_text[index]);
996 raise (given_signal);
1041 raise (given_signal);
1055 while ((pid = waitpid (-1, &status, WNOHANG)) > 0)
1069 static char current =
'/';
1088 g_debug (
" %c\n", current);
1099 exit (EXIT_FAILURE);
1114 update_or_rebuild_nvt_cache (
int update_nvt_cache,
int register_cleanup,
1115 void (*
progress) (),
int skip_create_tables)
1118 openvas_connection_t connection;
1122 if (update_nvt_cache == 0)
1124 proctitle_set (
"openvasmd: Rebuilding");
1125 g_info (
"%s: Rebuilding NVT cache\n", __FUNCTION__);
1129 proctitle_set (
"openvasmd: Updating");
1130 g_info (
"%s: Updating NVT cache\n", __FUNCTION__);
1134 update_nvt_cache ? -1 : -2,
1142 skip_create_tables))
1147 g_critical (
"%s: database is wrong version\n", __FUNCTION__);
1149 exit (EXIT_FAILURE);
1155 g_critical (
"%s: failed to initialise OMP daemon\n", __FUNCTION__);
1157 exit (EXIT_FAILURE);
1162 if (register_cleanup && atexit (&cleanup))
1164 g_critical (
"%s: failed to register `atexit' cleanup function\n",
1167 exit (EXIT_FAILURE);
1184 connection.socket = update_nvt_cache ? -1 : -2;
1190 return EXIT_SUCCESS;
1194 g_critical (
"%s: scanner OpenVAS Default has no cert\n", __FUNCTION__);
1195 return EXIT_FAILURE;
1198 return EXIT_FAILURE;
1217 rebuild_nvt_cache_retry (
int update_or_rebuild,
int register_cleanup,
1218 void (*
progress) (),
int skip_create_tables)
1220 proctitle_set (
"openvasmd: Reloading");
1221 g_info (
"%s: Reloading NVT cache\n", __FUNCTION__);
1227 pid_t child_pid = fork ();
1232 if (waitpid (child_pid, &status, 0) > 0 && WEXITSTATUS (status) != 2)
1233 return WEXITSTATUS (status);
1235 for (i = 0; i < 10; i++)
1242 else if (child_pid == 0)
1245 int ret = update_or_rebuild_nvt_cache (update_or_rebuild,
1247 skip_create_tables);
1262 fork_update_nvt_cache ()
1265 sigset_t sigmask_all, sigmask_current;
1269 g_debug (
"%s: Update skipped because an update is in progress",
1277 if (sigemptyset (&sigmask_all))
1279 g_critical (
"%s: Error emptying signal set\n", __FUNCTION__);
1282 if (pthread_sigmask (SIG_BLOCK, &sigmask_all, &sigmask_current))
1284 g_critical (
"%s: Error setting signal mask\n", __FUNCTION__);
1296 pthread_sigmask (SIG_SETMASK, &sigmask_current, NULL);
1301 openvas_auth_tear_down ();
1305 g_info (
" internal NVT cache update\n");
1307 rebuild_nvt_cache_retry (1, 0, NULL, 1);
1312 exit (EXIT_SUCCESS);
1318 g_warning (
"%s: fork: %s\n", __FUNCTION__, strerror (errno));
1320 if (pthread_sigmask (SIG_SETMASK, &sigmask_current, NULL))
1321 g_warning (
"%s: Error resetting signal mask\n", __FUNCTION__);
1327 if (pthread_sigmask (SIG_SETMASK, &sigmask_current, NULL))
1328 g_warning (
"%s: Error resetting signal mask\n", __FUNCTION__);
1342 serve_and_schedule ()
1344 time_t last_schedule_time = 0;
1345 sigset_t sigmask_all;
1346 static sigset_t sigmask_current;
1348 if (sigfillset (&sigmask_all))
1350 g_critical (
"%s: Error filling signal set\n", __FUNCTION__);
1351 exit (EXIT_FAILURE);
1353 if (pthread_sigmask (SIG_BLOCK, &sigmask_all, &sigmask_current))
1355 g_critical (
"%s: Error setting signal mask\n", __FUNCTION__);
1356 exit (EXIT_FAILURE);
1362 fd_set readfds, exceptfds;
1363 struct timespec timeout;
1369 FD_ZERO (&exceptfds);
1380 g_debug (
"Received %s signal.\n",
1391 g_debug (
"Received %s signal.\n", sys_siglist[SIGHUP]);
1393 fork_update_nvt_cache ();
1402 exit (EXIT_FAILURE);
1404 last_schedule_time = time (NULL);
1408 timeout.tv_nsec = 0;
1409 ret = pselect (nfds, &readfds, NULL, &exceptfds, &timeout,
1417 g_critical (
"%s: select failed: %s\n",
1420 exit (EXIT_FAILURE);
1428 g_critical (
"%s: exception in select\n", __FUNCTION__);
1429 exit (EXIT_FAILURE);
1433 g_critical (
"%s: exception in select (2)\n", __FUNCTION__);
1434 exit (EXIT_FAILURE);
1445 exit (EXIT_FAILURE);
1449 g_debug (
"Received %s signal.\n",
1460 g_debug (
"Received %s signal.\n", sys_siglist[SIGHUP]);
1462 fork_update_nvt_cache ();
1465 last_schedule_time = time (NULL);
1483 manager_listen (
const char *address_str_unix,
const char *address_str_tls,
1484 const char *port_str,
const char *socket_owner,
1485 const char *socket_group,
const char *socket_mode,
int *soc)
1487 struct sockaddr *address;
1488 struct sockaddr_un address_unix;
1489 struct sockaddr_storage address_tls;
1492 memset (&address_tls, 0,
sizeof (
struct sockaddr_storage));
1493 memset (&address_unix, 0,
sizeof (
struct sockaddr_un));
1495 g_debug (
"%s: address_str_unix: %s\n", __FUNCTION__, address_str_unix);
1496 if (address_str_unix)
1502 address_unix.sun_family = AF_UNIX;
1503 strncpy (address_unix.sun_path,
1505 sizeof (address_unix.sun_path) - 1);
1507 g_debug (
"%s: address_unix.sun_path: %s\n",
1509 address_unix.sun_path);
1511 *soc = socket (AF_UNIX, SOCK_STREAM, 0);
1514 g_warning (
"Failed to create manager socket (UNIX): %s",
1519 if (stat (address_unix.sun_path, &state) == 0)
1522 unlink (address_unix.sun_path);
1525 address = (
struct sockaddr *) &address_unix;
1526 address_size =
sizeof (address_unix);
1528 else if (address_str_tls)
1530 struct sockaddr_in *addr4;
1531 struct sockaddr_in6 *addr6;
1538 port = atoi (port_str);
1539 if (port <= 0 || port >= 65536)
1541 g_warning (
"Manager port must be a number between 1 and 65535");
1545 port = htons (port);
1549 struct servent *servent = getservbyname (
"otp",
"tcp");
1551 port = servent->s_port;
1556 addr4 = (
struct sockaddr_in *) &address_tls;
1557 addr6 = (
struct sockaddr_in6 *) &address_tls;
1558 if (inet_pton (AF_INET6, address_str_tls, &addr6->sin6_addr) > 0)
1560 address_tls.ss_family = AF_INET6;
1561 addr6->sin6_port = port;
1563 else if (inet_pton (AF_INET, address_str_tls, &addr4->sin_addr) > 0)
1565 address_tls.ss_family = AF_INET;
1566 addr4->sin_port = port;
1570 g_warning (
"Failed to create manager address %s", address_str_tls);
1574 if (address_tls.ss_family == AF_INET6)
1575 *soc = socket (PF_INET6, SOCK_STREAM, 0);
1577 *soc = socket (PF_INET, SOCK_STREAM, 0);
1580 g_warning (
"Failed to create manager socket (TLS): %s",
1586 if (setsockopt (*soc, SOL_SOCKET, SO_REUSEADDR, &optval,
sizeof (
int)))
1588 g_warning (
"Failed to set SO_REUSEADDR on socket: %s",
1593 address = (
struct sockaddr *) &address_tls;
1594 address_size =
sizeof (address_tls);
1601 if (fcntl (*soc, F_SETFL, O_NONBLOCK) == -1)
1603 g_warning (
"Failed to set manager socket flag: %s", strerror (errno));
1607 if (bind (*soc, address, address_size) == -1)
1609 g_warning (
"Failed to bind manager socket: %s", strerror (errno));
1613 if (address_str_unix)
1619 struct passwd *passwd;
1621 passwd = getpwnam (socket_owner);
1624 g_warning (
"%s: User %s not found.", __FUNCTION__, socket_owner);
1627 if (chown (address_str_unix, passwd->pw_uid, -1) == -1)
1629 g_warning (
"%s: chown: %s", __FUNCTION__, strerror (errno));
1636 struct group *group;
1638 group = getgrnam (socket_group);
1641 g_warning (
"%s: Group %s not found.", __FUNCTION__, socket_group);
1644 if (chown (address_str_unix, -1, group->gr_gid) == -1)
1646 g_warning (
"%s: chown: %s", __FUNCTION__, strerror (errno));
1652 socket_mode =
"660";
1653 omode = strtol (socket_mode, 0, 8);
1654 if (omode <= 0 || omode > 4095)
1656 g_warning (
"%s: Erroneous --listen-mode value", __FUNCTION__);
1659 if (chmod (address_str_unix, omode) == -1)
1661 g_warning (
"%s: chmod: %s", __FUNCTION__, strerror (errno));
1668 g_warning (
"Failed to listen on manager socket: %s", strerror (errno));
1695 static gboolean backup_database = FALSE;
1696 static gboolean check_alerts = FALSE;
1697 static gboolean migrate_database = FALSE;
1698 static gboolean encrypt_all_credentials = FALSE;
1699 static gboolean decrypt_all_credentials = FALSE;
1700 static gboolean disable_password_policy = FALSE;
1701 static gboolean disable_scheduling = FALSE;
1702 static gboolean get_users = FALSE;
1703 static gboolean get_scanners = FALSE;
1704 static gboolean update_nvt_cache = FALSE;
1705 static gboolean rebuild_nvt_cache = FALSE;
1706 static gboolean foreground = FALSE;
1707 static gboolean print_version = FALSE;
1710 static int max_email_attachment_size = 0;
1711 static int max_email_include_size = 0;
1712 static int max_email_message_size = 0;
1713 static int verbose = 0;
1716 static gchar *inheritor = NULL;
1717 static gchar *user = NULL;
1721 static gchar *otp_scanner = NULL;
1730 static gchar *priorities =
"NORMAL";
1731 static gchar *dh_params = NULL;
1732 static gchar *listen_owner = NULL;
1733 static gchar *listen_group = NULL;
1734 static gchar *listen_mode = NULL;
1735 static gchar *new_password = NULL;
1736 static gchar *optimize = NULL;
1737 static gchar *password = NULL;
1738 static gchar *manager_address_string = NULL;
1739 static gchar *manager_address_string_2 = NULL;
1740 static gchar *manager_address_string_unix = NULL;
1741 static gchar *manager_port_string = NULL;
1742 static gchar *manager_port_string_2 = NULL;
1745 static gchar *rc_name = NULL;
1746 static gchar *role = NULL;
1747 static gchar *disable = NULL;
1748 static gchar *value = NULL;
1749 GError *error = NULL;
1750 GOptionContext *option_context;
1751 static GOptionEntry option_entries[]
1753 {
"backup",
'\0', 0, G_OPTION_ARG_NONE, &backup_database,
"Backup the database.", NULL },
1754 {
"check-alerts",
'\0', 0, G_OPTION_ARG_NONE, &check_alerts,
"Check SecInfo alerts.", NULL },
1755 {
"client-watch-interval",
'\0', 0, G_OPTION_ARG_INT,
1757 "Check if client connection was closed every <number> seconds." 1758 " 0 to disable. Defaults to " 1761 {
"database",
'd', 0, G_OPTION_ARG_STRING, &database,
"Use <file/name> as database for SQLite/Postgres.",
"<file/name>" },
1762 {
"disable-cmds",
'\0', 0, G_OPTION_ARG_STRING, &disable,
"Disable comma-separated <commands>.",
"<commands>" },
1763 {
"disable-encrypted-credentials",
'\0', 0, G_OPTION_ARG_NONE,
1765 "Do not encrypt or decrypt credentials.", NULL },
1766 {
"disable-password-policy",
'\0', 0, G_OPTION_ARG_NONE,
1767 &disable_password_policy,
"Do not restrict passwords to the policy.",
1769 {
"disable-scheduling",
'\0', 0, G_OPTION_ARG_NONE, &disable_scheduling,
"Disable task scheduling.", NULL },
1770 {
"create-user",
'\0', 0, G_OPTION_ARG_STRING, &
create_user,
"Create admin user <username> and exit.",
"<username>" },
1771 {
"delete-user",
'\0', 0, G_OPTION_ARG_STRING, &
delete_user,
"Delete user <username> and exit.",
"<username>" },
1772 {
"get-users",
'\0', 0, G_OPTION_ARG_NONE, &get_users,
"List users and exit.", NULL },
1773 {
"create-scanner",
'\0', 0, G_OPTION_ARG_STRING, &
create_scanner,
1774 "Create global scanner <scanner> and exit.",
"<scanner>" },
1775 {
"modify-scanner",
'\0', 0, G_OPTION_ARG_STRING, &
modify_scanner,
1776 "Modify scanner <scanner-uuid> and exit.",
"<scanner-uuid>" },
1777 {
"scanner-name",
'\0', 0, G_OPTION_ARG_STRING, &
scanner_name,
"Name for --modify-scanner.",
"<name>" },
1778 {
"scanner-host",
'\0', 0, G_OPTION_ARG_STRING, &
scanner_host,
1779 "Scanner host for --create-scanner and --modify-scanner. Default is " OPENVASSD_ADDRESS ".",
1781 {
"otp-scanner",
'\0', 0, G_OPTION_ARG_STRING, &otp_scanner,
1782 "Path to scanner unix socket file. Used by --rebuild and --update",
"<unixsocket>" },
1783 {
"scanner-port",
'\0', 0, G_OPTION_ARG_STRING, &
scanner_port,
1784 "Scanner port for --create-scanner and --modify-scanner. Default is " G_STRINGIFY (
OPENVASSD_PORT)
".",
1786 {
"scanner-type",
'\0', 0, G_OPTION_ARG_STRING, &
scanner_type,
1787 "Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.",
1789 {
"scanner-ca-pub",
'\0', 0, G_OPTION_ARG_STRING, &
scanner_ca_pub,
1790 "Scanner CA Certificate path for --[create|modify]-scanner.",
"<scanner-ca-pub>" },
1792 "Scanner Certificate path for --[create|modify]-scanner.",
"<scanner-key-public>" },
1794 "Scanner private key path for --[create|modify]-scanner.",
"<scanner-key-private>" },
1795 {
"verify-scanner",
'\0', 0, G_OPTION_ARG_STRING, &
verify_scanner,
1796 "Verify scanner <scanner-uuid> and exit.",
"<scanner-uuid>" },
1797 {
"delete-scanner",
'\0', 0, G_OPTION_ARG_STRING, &
delete_scanner,
"Delete scanner <scanner-uuid> and exit.",
"<scanner-uuid>" },
1798 {
"get-scanners",
'\0', 0, G_OPTION_ARG_NONE, &get_scanners,
"List scanners and exit.", NULL },
1799 {
"schedule-timeout",
'\0', 0, G_OPTION_ARG_INT, &schedule_timeout,
"Time out tasks that are more than <time> minutes overdue. -1 to disable, 0 for minimum time, default: " G_STRINGIFY (
SCHEDULE_TIMEOUT_DEFAULT),
"<time>" },
1800 {
"foreground",
'f', 0, G_OPTION_ARG_NONE, &foreground,
"Run in foreground.", NULL },
1801 {
"inheritor",
'\0', 0, G_OPTION_ARG_STRING, &inheritor,
"Have <username> inherit from deleted user.",
"<username>" },
1802 {
"listen",
'a', 0, G_OPTION_ARG_STRING, &manager_address_string,
"Listen on <address>.",
"<address>" },
1803 {
"listen2",
'\0', 0, G_OPTION_ARG_STRING, &manager_address_string_2,
"Listen also on <address>.",
"<address>" },
1804 {
"listen-owner",
'\0', 0, G_OPTION_ARG_STRING, &listen_owner,
1805 "Owner of the unix socket",
"<string>" },
1806 {
"listen-group",
'\0', 0, G_OPTION_ARG_STRING, &listen_group,
1807 "Group of the unix socket",
"<string>" },
1808 {
"listen-mode",
'\0', 0, G_OPTION_ARG_STRING, &listen_mode,
1809 "File mode of the unix socket",
"<string>" },
1810 {
"max-ips-per-target",
'\0', 0, G_OPTION_ARG_INT, &max_ips_per_target,
"Maximum number of IPs per target.",
"<number>"},
1811 {
"max-email-attachment-size",
'\0', 0, G_OPTION_ARG_INT, &max_email_attachment_size,
"Maximum size of alert email attachments, in bytes.",
"<number>"},
1812 {
"max-email-include-size",
'\0', 0, G_OPTION_ARG_INT, &max_email_include_size,
"Maximum size of inlined content in alert emails, in bytes.",
"<number>"},
1813 {
"max-email-message-size",
'\0', 0, G_OPTION_ARG_INT, &max_email_message_size,
"Maximum size of user-defined message text in alert emails, in bytes.",
"<number>"},
1814 {
"migrate",
'm', 0, G_OPTION_ARG_NONE, &migrate_database,
"Migrate the database and exit.", NULL },
1815 {
"modify-setting",
'\0', 0, G_OPTION_ARG_STRING, &
modify_setting,
1816 "Modify setting <uuid> and exit.",
"<uuid>" },
1817 {
"encrypt-all-credentials",
'\0', 0, G_OPTION_ARG_NONE,
1818 &encrypt_all_credentials,
"(Re-)Encrypt all credentials.", NULL },
1819 {
"decrypt-all-credentials",
'\0',
1820 G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE,
1821 &decrypt_all_credentials, NULL, NULL },
1822 {
"new-password",
'\0', 0, G_OPTION_ARG_STRING, &new_password,
"Modify user's password and exit.",
"<password>" },
1823 {
"optimize",
'\0', 0, G_OPTION_ARG_STRING, &optimize,
"Run an optimization: vacuum, analyze, cleanup-config-prefs, remove-open-port-results, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache.",
"<name>" },
1824 {
"password",
'\0', 0, G_OPTION_ARG_STRING, &password,
"Password, for --create-user.",
"<password>" },
1825 {
"port",
'p', 0, G_OPTION_ARG_STRING, &manager_port_string,
"Use port number <number>.",
"<number>" },
1826 {
"port2",
'\0', 0, G_OPTION_ARG_STRING, &manager_port_string_2,
"Use port number <number> for address 2.",
"<number>" },
1827 {
"progress",
'\0', 0, G_OPTION_ARG_NONE, &
progress,
"Display progress during --rebuild and --update.", NULL },
1828 {
"rebuild",
'\0', 0, G_OPTION_ARG_NONE, &rebuild_nvt_cache,
"Rebuild the NVT cache and exit.", NULL },
1829 {
"role",
'\0', 0, G_OPTION_ARG_STRING, &role,
"Role for --create-user and --get-users.",
"<role>" },
1830 {
"update",
'u', 0, G_OPTION_ARG_NONE, &update_nvt_cache,
"Update the NVT cache and exit.", NULL },
1831 {
"unix-socket",
'c', 0, G_OPTION_ARG_STRING, &manager_address_string_unix,
"Listen on UNIX socket at <filename>.",
"<filename>" },
1832 {
"user",
'\0', 0, G_OPTION_ARG_STRING, &user,
"User for --new-password.",
"<username>" },
1833 {
"gnutls-priorities",
'\0', 0, G_OPTION_ARG_STRING, &priorities,
"Sets the GnuTLS priorities for the Manager socket.",
"<priorities-string>" },
1834 {
"dh-params",
'\0', 0, G_OPTION_ARG_STRING, &dh_params,
"Diffie-Hellman parameters file",
"<file>" },
1835 {
"value",
'\0', 0, G_OPTION_ARG_STRING, &value,
"Value for --modify-setting.",
"<value>" },
1836 {
"verbose",
'v', 0, G_OPTION_ARG_NONE, &verbose,
"Has no effect. See INSTALL for logging config.", NULL },
1837 {
"version",
'\0', 0, G_OPTION_ARG_NONE, &print_version,
"Print version and exit.", NULL },
1843 setlocale (LC_ALL,
"C.UTF-8");
1847 option_context = g_option_context_new (
"- Manager of the Open Vulnerability Assessment System");
1848 g_option_context_add_main_entries (option_context, option_entries, NULL);
1849 if (!g_option_context_parse (option_context, &argc, &argv, &error))
1851 g_option_context_free (option_context);
1852 g_critical (
"%s: g_option_context_parse: %s\n\n", __FUNCTION__,
1854 exit (EXIT_FAILURE);
1856 g_option_context_free (option_context);
1861 #ifdef OPENVASMD_GIT_REVISION 1862 printf (
"GIT revision %s\n", OPENVASMD_GIT_REVISION);
1865 printf (
"Copyright (C) 2010-2016 Greenbone Networks GmbH\n");
1866 printf (
"License GPLv2+: GNU GPL version 2 or later\n");
1868 (
"This is free software: you are free to change and redistribute it.\n" 1869 "There is NO WARRANTY, to the extent permitted by law.\n\n");
1870 exit (EXIT_SUCCESS);
1886 if (manager_address_string_unix == NULL)
1888 if (manager_address_string || manager_address_string_2)
1893 manager_address_string_unix = g_build_filename (OPENVAS_RUN_DIR,
1901 if (manager_address_string || manager_address_string_2)
1903 g_critical (
"%s: --listen or --listen2 given with --unix-socket\n",
1905 return EXIT_FAILURE;
1910 && (manager_port_string || manager_port_string_2))
1912 g_critical (
"%s: --port or --port2 given when listening on UNIX socket\n",
1914 return EXIT_FAILURE;
1919 proctitle_init (argc, argv);
1920 proctitle_set (
"openvasmd: Initializing.");
1928 if (migrate_database
1930 g_info (
"%s: leaving TZ as is, for migrator\n", __FUNCTION__);
1931 else if (setenv (
"TZ",
"utc 0", 1) == -1)
1933 g_critical (
"%s: failed to set timezone\n", __FUNCTION__);
1934 exit (EXIT_FAILURE);
1940 umask (S_IRGRP | S_IWGRP | S_IXGRP | S_IROTH | S_IWOTH | S_IXOTH);
1944 rc_name = g_build_filename (OPENVAS_SYSCONF_DIR,
1945 "openvasmd_log.conf",
1947 if (g_file_test (rc_name, G_FILE_TEST_EXISTS))
1948 log_config = load_log_configuration (rc_name);
1952 #ifdef OPENVASMD_GIT_REVISION 1953 g_message (
" OpenVAS Manager version %s (GIT revision %s) (DB revision %i)\n",
1955 OPENVASMD_GIT_REVISION,
1958 g_message (
" OpenVAS Manager version %s (DB revision %i)\n",
1963 if (backup_database)
1965 g_info (
" Backing up database.\n");
1971 g_info (
" Backup succeeded.\n");
1972 return EXIT_SUCCESS;
1974 g_critical (
"%s: database backup failed\n",
1976 return EXIT_FAILURE;
1979 g_critical (
"%s: strange return from manage_backup_db\n",
1981 return EXIT_FAILURE;
1985 if (disable_password_policy)
1986 openvas_disable_password_policy ();
1989 gchar *password_policy;
1990 password_policy = g_build_filename (OPENVAS_SYSCONF_DIR,
1993 if (g_file_test (password_policy, G_FILE_TEST_EXISTS) == FALSE)
1994 g_warning (
"%s: password policy missing: %s\n",
1997 g_free (password_policy);
2007 return EXIT_FAILURE;
2008 return EXIT_SUCCESS;
2023 if (!scanner_ca_pub)
2025 if (!scanner_key_pub)
2027 if (!scanner_key_priv)
2030 if (!scanner_type || !strcasecmp (scanner_type,
"OpenVAS"))
2032 else if (!strcasecmp (scanner_type,
"OSP"))
2036 printf (
"Invalid scanner type value.\n");
2037 return EXIT_FAILURE;
2039 stype = g_strdup_printf (
"%u", type);
2041 scanner_host, scanner_port, stype,
2042 scanner_ca_pub, scanner_key_pub,
2047 return EXIT_FAILURE;
2048 return EXIT_SUCCESS;
2062 if (strcasecmp (scanner_type,
"OpenVAS") == 0)
2064 else if (strcasecmp (scanner_type,
"OSP") == 0)
2068 g_warning (
"Invalid scanner type value.\n");
2069 return EXIT_FAILURE;
2072 stype = g_strdup_printf (
"%u", type);
2078 scanner_name, scanner_host, scanner_port,
2079 stype, scanner_ca_pub, scanner_key_pub,
2084 return EXIT_FAILURE;
2085 return EXIT_SUCCESS;
2095 return EXIT_FAILURE;
2096 return EXIT_SUCCESS;
2106 return EXIT_FAILURE;
2107 return EXIT_SUCCESS;
2117 return EXIT_FAILURE;
2118 return EXIT_SUCCESS;
2128 return EXIT_FAILURE;
2129 return EXIT_SUCCESS;
2139 return EXIT_FAILURE;
2140 return EXIT_SUCCESS;
2150 return EXIT_FAILURE;
2151 return EXIT_SUCCESS;
2161 return EXIT_FAILURE;
2162 return EXIT_SUCCESS;
2172 return EXIT_FAILURE;
2173 return EXIT_SUCCESS;
2181 modify_setting, value);
2184 return EXIT_FAILURE;
2185 return EXIT_SUCCESS;
2188 if (migrate_database)
2190 g_info (
" Migrating database.\n");
2196 g_info (
" Migration succeeded.\n");
2197 return EXIT_SUCCESS;
2199 g_warning (
"%s: databases are already at the supported version\n",
2201 return EXIT_SUCCESS;
2203 g_warning (
"%s: database migration too hard\n",
2205 return EXIT_FAILURE;
2207 g_warning (
"%s: cannot migrate SCAP database\n",
2209 return EXIT_FAILURE;
2211 g_warning (
"%s: cannot migrate CERT database\n",
2213 return EXIT_FAILURE;
2215 g_critical (
"%s: database migration failed\n",
2217 return EXIT_FAILURE;
2219 g_critical (
"%s: SCAP database migration failed\n",
2221 return EXIT_FAILURE;
2223 g_critical (
"%s: CERT database migration failed\n",
2225 return EXIT_FAILURE;
2228 g_critical (
"%s: strange return from manage_migrate\n",
2230 return EXIT_FAILURE;
2234 if (encrypt_all_credentials)
2241 return EXIT_FAILURE;
2242 return EXIT_SUCCESS;
2245 if (decrypt_all_credentials)
2252 return EXIT_FAILURE;
2253 return EXIT_SUCCESS;
2256 if (update_nvt_cache || rebuild_nvt_cache)
2269 return EXIT_FAILURE;
2274 if (update_nvt_cache)
2275 printf (
"Updating NVT cache... \\");
2277 printf (
"Rebuilding NVT cache... \\");
2280 ret = rebuild_nvt_cache_retry (update_nvt_cache, 1,
2286 if (ret == EXIT_SUCCESS)
2289 printf (
"failed.\n");
2297 if (foreground == FALSE)
2300 pid_t pid = fork ();
2308 g_critical (
"%s: failed to fork into background: %s\n",
2312 exit (EXIT_FAILURE);
2317 exit (EXIT_SUCCESS);
2325 max_email_attachment_size, max_email_include_size,
2326 max_email_message_size, NULL,
2327 fork_connection_for_event, 0))
2332 g_critical (
"%s: database is wrong version\n", __FUNCTION__);
2334 exit (EXIT_FAILURE);
2337 g_critical (
"%s: database must be initialised" 2338 " (with --update or --rebuild)\n",
2341 exit (EXIT_FAILURE);
2344 g_critical (
"%s: --max-ips-per-target out of range" 2345 " (min=1, max=%i, requested=%i)\n",
2348 max_ips_per_target);
2350 exit (EXIT_FAILURE);
2354 g_critical (
"%s: failed to initialise OMP daemon\n", __FUNCTION__);
2356 exit (EXIT_FAILURE);
2361 if (atexit (&cleanup))
2363 g_critical (
"%s: failed to register `atexit' cleanup function\n",
2366 exit (EXIT_FAILURE);
2371 if (pidfile_create (
"openvasmd")) exit (EXIT_FAILURE);
2376 disabled_commands = g_strsplit (disable,
",", 0);
2385 if (g_mkdir_with_parents (OPENVAS_LOG_DIR,
2389 g_critical (
"%s: failed to create log directory: %s\n",
2392 exit (EXIT_FAILURE);
2395 log_stream = fopen (
LOG_FILE,
"w");
2396 if (log_stream == NULL)
2398 g_critical (
"%s: failed to open log file: %s\n",
2401 exit (EXIT_FAILURE);
2419 if (openvas_server_new (GNUTLS_SERVER,
2426 g_critical (
"%s: client server initialisation failed\n",
2428 exit (EXIT_FAILURE);
2434 g_warning (
"Couldn't set DH parameters from %s\n", dh_params);
2438 g_message (
"Encryption of credentials has been disabled.");
2442 : manager_address_string_unix,
2444 ? (manager_address_string
2445 ? manager_address_string
2446 : (ipv6_is_enabled () ?
"::" :
"0.0.0.0"))
2448 manager_port_string,
2453 return EXIT_FAILURE;
2454 if (manager_listen (NULL,
2455 manager_address_string_2,
2456 manager_port_string_2,
2461 return EXIT_FAILURE;
2470 if (openvas_auth_init ())
2471 exit (EXIT_FAILURE);
2475 proctitle_set (
"openvasmd");
2476 serve_and_schedule ();
2478 return EXIT_SUCCESS;
void handle_sigsegv(int given_signal)
Handle a SIGSEGV signal.
Protos for communication between openvas-manager and openvas-server.
#define SCHEDULE_PERIOD
Seconds between calls to manage_schedule.
void init_manage_process(int, const gchar *)
Initialize the manage library for a process.
int delete_user(const char *, const char *, int, int, const char *, const char *)
Delete a user.
#define LOG_FILE
Name of log file.
void handle_sigabrt_simple(int signal)
Handle a SIGABRT signal.
GSList * log_config
Logging parameters, as passed to setup_log_handlers.
int modify_scanner(const char *, const char *, const char *, const char *, const char *, const char *, const char *, const char *)
Modify a scanner.
int use_tls
Whether to use TLS for client connections.
#define SCANNERKEY
Location of scanner certificate private key.
int manager_socket_2
The optional, second socket accepting OMP connections from clients.
int client_watch_interval
Interval in seconds to check whether client connection was closed.
int manage_verify_scanner(GSList *, const gchar *, const gchar *)
Verify the given scanner.
int verify_scanner(const char *, char **)
Verify a scanner.
int sql_cancel()
Cancels the current SQL statement.
char client_address[INET6_ADDRSTRLEN]
The OMP client's address.
int manage_get_users(GSList *, const gchar *, const gchar *)
List users.
int manage_encrypt_all_credentials(GSList *, const gchar *)
Encrypt or re-encrypt all credentials.
int create_user(const gchar *, const gchar *, const gchar *, int, const gchar *, int, const array_t *, array_t *, gchar **, array_t *, gchar **, gchar **, user_t *, int)
Adds a new user to the OpenVAS installation.
int save_tasks()
Dummy function.
int is_parent
Whether this process is the parent or a child.
int manage_modify_scanner(GSList *, const gchar *, const char *, const char *, const char *, const char *, const char *, const char *, const char *, const char *)
Modify the given scanner.
void handle_sigchld(int given_signal, siginfo_t *info, void *ucontext)
Handle a SIGCHLD signal.
int openvas_sleep(unsigned int seconds)
Sleep for some number of seconds, handling interrupts.
int delete_scanner(const char *, int)
Delete a scanner.
gnutls_session_t client_session
The client session.
int manage_optimize(GSList *, const gchar *, const gchar *)
Run one of the optimizations.
void cleanup_manage_process(gboolean)
Cleanup the manage library.
int update_in_progress
Whether a SIGHUP initiated NVT update is in progress.
int manage_max_hosts()
Get the maximum allowed number of hosts per target.
void manage_auth_allow_all(int scheduled)
Ensure that any subsequent authentications succeed.
#define MANAGE_ABSOLUTE_MAX_IPS_PER_TARGET
Absolute maximum number of IPs per target.
int main(int argc, char **argv)
Entry point to the manager.
void handle_sighup_update(int signal)
Handle a SIGHUP signal by updating the NVT cache.
void setup_signal_handler_info(int signal, void(*handler)(int, siginfo_t *, void *), int block)
Setup signal handler.
int manage_backup_db(const gchar *)
Backup the database to a file.
openvas_connection_t * client_connection
#define OPENVASSD_ADDRESS
Scanner (openvassd) address.
int manage_create_scanner(GSList *, const char *, const char *, const char *, const char *, const char *, const char *, const char *, const char *)
#define DEFAULT_CLIENT_WATCH_INTERVAL
Default value for client_watch_interval.
void(* progress)()
Function to mark progress.
gnutls_certificate_credentials_t client_credentials
The client credentials.
int manage_migrate(GSList *, const gchar *)
Migrate database to version supported by this manager.
int manage_create_user(GSList *, const gchar *, const gchar *, const gchar *, const gchar *)
Create the given user.
#define OPENVASMD_PORT
Manager port.
void handle_sigabrt(int given_signal)
Handle a SIGABRT signal.
int serve_omp(openvas_connection_t *client_connection, const gchar *database, gchar **disable, void(*progress)())
Serve the OpenVAS Management Protocol (OMP).
int manage_decrypt_all_credentials(GSList *, const gchar *)
Decrypt all credentials.
#define CLIENTCERT
Location of client certificate.
int serve_client(int server_socket, openvas_connection_t *client_connection)
Serve the client.
void set_schedule_timeout(int new_timeout)
Set the schedule timeout.
char * scanner_host(scanner_t)
Return the host of a scanner.
int scanner_port(scanner_t)
Return the port of a scanner.
void handle_termination_signal(int signal)
Handle a termination signal.
int manage_set_password(GSList *, const gchar *, const gchar *, const gchar *)
Set the password of a user.
int manage_modify_setting(GSList *, const gchar *, const gchar *, const gchar *, const char *)
Change value of a setting.
char * scanner_ca_pub(scanner_t)
Return the CA Certificate of a scanner.
#define SCANNERCERT
Location of scanner certificate.
void init_ompd_process(const gchar *database, gchar **disable)
Initialise a process forked within the OMP daemon.
gchar * dh_params_option
GnuTLS DH params file.
int openvas_scanner_connect()
Create a new connection to the scanner and set it as current scanner.
#define MAX_CONNECTIONS
Second argument to `listen'.
gboolean manage_migrate_needs_timezone(GSList *, const gchar *)
Check whether the migration needs the real timezone.
char * scanner_key_priv(scanner_t)
Return the private key of a scanner.
#define MANAGE_MAX_HOSTS
Default maximum number of hosts a target may specify.
int init_ompd(GSList *log_config, int nvt_cache_mode, const gchar *database, int max_ips_per_target, int max_email_attachment_size, int max_email_include_size, int max_email_message_size, void(*progress)(), int(*fork_connection)(openvas_connection_t *, gchar *), int skip_db_check)
Initialise the OMP library for the OMP daemon.
A printf like macro for logging communication.
int openvas_scanner_init(int cache_mode)
Initializes the already setup connection with the Scanner.
#define OPENVASMD_VERSION
The version number of this program.
int manage_db_supported_version()
Return the database version supported by this manager.
int openvas_scanner_set_unix(const char *path)
Set the scanner's unix socket path.
#define g_info(...)
Defines g_info for glib versions older than 2.40.
#define CLIENTKEY
Location of client certificate private key.
#define CACERT
Location of Certificate Authority certificate.
int manage_delete_scanner(GSList *, const gchar *, const gchar *)
Delete the given scanner.
int manage_check_alerts(GSList *, const gchar *)
Check if any SecInfo alerts are due.
sigset_t * sigmask_normal
Signal mask to restore when going from blocked to normal signaling.
volatile int sighup_update_nvt_cache
Flag for SIGHUP handler.
char * scanner_name(scanner_t)
Return the name of a scanner.
scanner_type
Scanner types.
void setup_signal_handler(int signal, void(*handler)(int), int block)
Setup signal handler.
int modify_setting(const gchar *, const gchar *, const gchar *, gchar **)
Set the value of a setting.
volatile int termination_signal
Flag for signal handlers.
gboolean scheduling_enabled
Flag indicating that task scheduling is enabled.
#define SCHEDULE_TIMEOUT_DEFAULT
Default for schedule_timeout in minutes.
void spin_progress()
Nudge the progress indicator.
enum scanner_type scanner_type_t
Scanner types.
int create_scanner(const char *, const char *, const char *, const char *, const char *, scanner_t *, const char *, const char *)
Create a scanner.
int manage_schedule(int(*fork_connection)(openvas_connection_t *, gchar *), gboolean run_tasks, sigset_t *sigmask_current)
Schedule any actions that are due.
#define OPENVASSD_PORT
Scanner port.
gboolean disable_encrypted_credentials
Flag indicating that encrypted credentials are disabled.
gchar * priorities_option
GnuTLS priorities.
int manage_get_scanners(GSList *, const gchar *)
List scanners.
int manage_delete_user(GSList *, const gchar *, const gchar *, const gchar *)
Delete the given user.
char * scanner_key_pub(scanner_t)
Return the Certificate of a scanner.
int manager_socket
The socket accepting OMP connections from clients.
void manage_cleanup_process_error(int)
Clean up as quickly as possible.
void set_scheduled_user_uuid(gchar *user_uuid)
Set UUID of user that scheduled the current task.
int openvas_scanner_close()
Finish the connection to the Scanner and free internal buffers.