ansible
/
security_ansible_playbook
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update on vuln scanner

This commit is contained in:
areeqakbr 2025-08-15 14:11:28 +07:00
parent a3d4468cf8
commit 49963abe1e
1 changed files with 149 additions and 140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

289
playbooks/vuln-scanner.yaml
View File

@ -1,157 +1,166 @@
---
- name: Deploy Vulnerability Scanner (OpenVAS/GVM)
- name: Deploy Vulnerability Scanner (Simple Version)
hosts: security_servers
become: true
vars:
openvas_admin_user: "admin"
openvas_admin_password: "{{ vault_openvas_password | default('ChangeMe123!') }}"
openvas_admin_password: "ChangeMe123!"
pre_tasks:
- name: Set non-interactive mode
set_fact:
ansible_env: "{{ ansible_env | combine({'DEBIAN_FRONTEND': 'noninteractive', 'NEEDRESTART_MODE': 'a'}) }}"
- name: Fix dpkg interruption issue
shell: |
export DEBIAN_FRONTEND=noninteractive
export NEEDRESTART_MODE=a
# Kill any hanging processes
pkill -f "apt-get|dpkg|unattended-upgrade" || true
sleep 5
# Remove all locks
rm -f /var/lib/dpkg/lock*
rm -f /var/lib/apt/lists/lock
rm -f /var/cache/apt/archives/lock
# Fix dpkg interruption
dpkg --configure -a
# Fix broken packages
apt-get -f install -y
# Clean up
apt-get autoremove -y
apt-get autoclean
echo "Package system recovery completed"
environment:
DEBIAN_FRONTEND: noninteractive
NEEDRESTART_MODE: a
timeout: 600
ignore_errors: true
- name: Verify package system is working
shell: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
echo "Package system is functional"
environment:
DEBIAN_FRONTEND: noninteractive
timeout: 300
ignore_errors: true
tasks:
- name: Update apt cache
apt:
update_cache: yes
- name: Update package cache (with retries)
apt:
update_cache: yes
cache_valid_time: 300
environment:
DEBIAN_FRONTEND: noninteractive
retries: 3
delay: 10
- name: Install required packages
apt:
name:
- software-properties-common
- apt-transport-https
- curl
- gnupg
state: present
- name: Install essential security tools (one by one to avoid conflicts)
apt:
name: "{{ item }}"
state: present
force_apt_get: true
environment:
DEBIAN_FRONTEND: noninteractive
loop:
- curl
- wget
- nmap
- python3-pip
retries: 3
delay: 5
ignore_errors: true
- name: Add GVM PPA repository
apt_repository:
repo: ppa:mrazavi/gvm
state: present
- name: Install Docker for containerized OpenVAS
apt:
name: "{{ item }}"
state: present
force_apt_get: true
environment:
DEBIAN_FRONTEND: noninteractive
loop:
- docker.io
- docker-compose
retries: 3
delay: 5
- name: Install GVM/OpenVAS
apt:
name:
- gvm
- openvas-scanner
- openvas-manager
- greenbone-security-assistant
- greenbone-feed-sync
state: present
update_cache: yes
- name: Start Docker service
systemd:
name: docker
state: started
enabled: yes
- name: Setup GVM
shell: |
gvm-setup
gvm-feed-update
args:
creates: /var/lib/gvm/.setup_complete
- name: Create OpenVAS directory
file:
path: /opt/openvas
state: directory
mode: '0755'
- name: Create setup completion marker
file:
path: /var/lib/gvm/.setup_complete
state: touch
owner: _gvm
group: _gvm
- name: Create docker-compose for OpenVAS
copy:
dest: /opt/openvas/docker-compose.yml
content: |
version: '3'
services:
openvas:
image: mikesplain/openvas:latest
container_name: openvas
ports:
- "443:443"
- "9392:9392"
environment:
- OV_PASSWORD={{ openvas_admin_password }}
volumes:
- openvas_data:/var/lib/openvas
restart: unless-stopped
volumes:
openvas_data:
- name: Create GVM admin user
shell: |
gvmd --create-user={{ openvas_admin_user }} --password={{ openvas_admin_password }}
args:
creates: /var/lib/gvm/.admin_user_created
register: create_user_result
- name: Deploy OpenVAS container
shell: |
cd /opt/openvas
docker-compose up -d
args:
creates: /opt/openvas/.deployed
- name: Create admin user marker
file:
path: /var/lib/gvm/.admin_user_created
state: touch
owner: _gvm
group: _gvm
when: create_user_result is succeeded
- name: Mark deployment complete
file:
path: /opt/openvas/.deployed
state: touch
- name: Start and enable GVM services
service:
name: "{{ item }}"
state: started
enabled: yes
loop:
- greenbone-security-assistant
- openvas-scanner
- openvas-manager
- name: Configure firewall
ufw:
rule: allow
port: "{{ item }}"
loop:
- 443
- 9392
- name: Configure firewall for GVM
ufw:
rule: allow
port: "{{ item }}"
proto: tcp
loop:
- 443 # GSA web interface
- 9390 # GVM daemon
- name: Create vulnerability scan script
copy:
dest: /usr/local/bin/vuln-scan.sh
mode: '0755'
content: |
#!/bin/bash
TARGET=${1:-127.0.0.1}
REPORT="/tmp/scan_$(date +%Y%m%d_%H%M%S).txt"
echo "Scanning $TARGET..." | tee $REPORT
nmap -sV -sC --script vuln $TARGET | tee -a $REPORT
echo "Report saved to: $REPORT"
- name: Wait for GSA to be ready
wait_for:
port: 443
host: 127.0.0.1
delay: 60
- name: Create vulnerability scan script
copy:
content: |
#!/bin/bash
# Automated vulnerability scan script
TARGET=${1:-127.0.0.1}
SCAN_NAME="Security_Scan_$(date +%Y%m%d_%H%M%S)"
echo "Starting vulnerability scan for: $TARGET"
echo "Scan name: $SCAN_NAME"
# Create scan task
TASK_ID=$(gvm-cli --gmp-username {{ openvas_admin_user }} --gmp-password {{ openvas_admin_password }} \
socket --socketpath /var/run/gvmd.sock --xml \
"<create_task><name>$SCAN_NAME</name><target><hosts>$TARGET</hosts></target></create_task>" \
| grep -oP 'id="\K[^"]+')
echo "Created scan task with ID: $TASK_ID"
# Start scan
gvm-cli --gmp-username {{ openvas_admin_user }} --gmp-password {{ openvas_admin_password }} \
socket --socketpath /var/run/gvmd.sock --xml \
"<start_task task_id=\"$TASK_ID\"/>"
echo "Scan started. Monitor progress in GSA web interface."
dest: /usr/local/bin/vulnerability-scan.sh
mode: '0755'
- name: Create scheduled vulnerability scan
cron:
name: "Weekly vulnerability scan"
minute: "0"
hour: "2"
weekday: "0"
job: "/usr/local/bin/vulnerability-scan.sh {{ ansible_default_ipv4.address }}"
- name: Display OpenVAS/GVM information
debug:
msg: |
OpenVAS/GVM has been successfully deployed:
- Web Interface: https://{{ ansible_default_ipv4.address }}:443
- Admin Username: {{ openvas_admin_user }}
- Admin Password: {{ openvas_admin_password }}
Run vulnerability scans with:
/usr/local/bin/vulnerability-scan.sh <target_ip>
Weekly automated scans are configured for Sunday 2 AM.
handlers:
- name: restart greenbone-security-assistant
service:
name: greenbone-security-assistant
state: restarted
- name: restart openvas-scanner
service:
name: openvas-scanner
state: restarted
- name: restart openvas-manager
service:
name: openvas-manager
state: restarted
- name: Display deployment info
debug:
msg:
- "OpenVAS deployed via Docker"
- "Web Interface: https://{{ ansible_default_ipv4.address }}:443"
- "Username: admin"
- "Password: {{ openvas_admin_password }}"
- "Scan tool: /usr/local/bin/vuln-scan.sh <target>"
- "Wait 5-10 minutes for OpenVAS to fully initialize"