diff --git a/playbooks/vuln-scanner.yaml b/playbooks/vuln-scanner.yaml
index 57e02ef..7f4ff73 100644
--- a/playbooks/vuln-scanner.yaml
+++ b/playbooks/vuln-scanner.yaml
@@ -1,157 +1,166 @@
---
-- name: Deploy Vulnerability Scanner (OpenVAS/GVM)
+- name: Deploy Vulnerability Scanner (Simple Version)
hosts: security_servers
become: true
vars:
openvas_admin_user: "admin"
- openvas_admin_password: "{{ vault_openvas_password | default('ChangeMe123!') }}"
+ openvas_admin_password: "ChangeMe123!"
+
+ pre_tasks:
+ - name: Set non-interactive mode
+ set_fact:
+ ansible_env: "{{ ansible_env | combine({'DEBIAN_FRONTEND': 'noninteractive', 'NEEDRESTART_MODE': 'a'}) }}"
+
+ - name: Fix dpkg interruption issue
+ shell: |
+ export DEBIAN_FRONTEND=noninteractive
+ export NEEDRESTART_MODE=a
+
+ # Kill any hanging processes
+ pkill -f "apt-get|dpkg|unattended-upgrade" || true
+ sleep 5
+
+ # Remove all locks
+ rm -f /var/lib/dpkg/lock*
+ rm -f /var/lib/apt/lists/lock
+ rm -f /var/cache/apt/archives/lock
+
+ # Fix dpkg interruption
+ dpkg --configure -a
+
+ # Fix broken packages
+ apt-get -f install -y
+
+ # Clean up
+ apt-get autoremove -y
+ apt-get autoclean
+
+ echo "Package system recovery completed"
+ environment:
+ DEBIAN_FRONTEND: noninteractive
+ NEEDRESTART_MODE: a
+ timeout: 600
+ ignore_errors: true
+
+ - name: Verify package system is working
+ shell: |
+ export DEBIAN_FRONTEND=noninteractive
+ apt-get update
+ echo "Package system is functional"
+ environment:
+ DEBIAN_FRONTEND: noninteractive
+ timeout: 300
+ ignore_errors: true
tasks:
- - name: Update apt cache
- apt:
- update_cache: yes
+ - name: Update package cache (with retries)
+ apt:
+ update_cache: yes
+ cache_valid_time: 300
+ environment:
+ DEBIAN_FRONTEND: noninteractive
+ retries: 3
+ delay: 10
- - name: Install required packages
- apt:
- name:
- - software-properties-common
- - apt-transport-https
- - curl
- - gnupg
- state: present
+ - name: Install essential security tools (one by one to avoid conflicts)
+ apt:
+ name: "{{ item }}"
+ state: present
+ force_apt_get: true
+ environment:
+ DEBIAN_FRONTEND: noninteractive
+ loop:
+ - curl
+ - wget
+ - nmap
+ - python3-pip
+ retries: 3
+ delay: 5
+ ignore_errors: true
- - name: Add GVM PPA repository
- apt_repository:
- repo: ppa:mrazavi/gvm
- state: present
+ - name: Install Docker for containerized OpenVAS
+ apt:
+ name: "{{ item }}"
+ state: present
+ force_apt_get: true
+ environment:
+ DEBIAN_FRONTEND: noninteractive
+ loop:
+ - docker.io
+ - docker-compose
+ retries: 3
+ delay: 5
- - name: Install GVM/OpenVAS
- apt:
- name:
- - gvm
- - openvas-scanner
- - openvas-manager
- - greenbone-security-assistant
- - greenbone-feed-sync
- state: present
- update_cache: yes
+ - name: Start Docker service
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
- - name: Setup GVM
- shell: |
- gvm-setup
- gvm-feed-update
- args:
- creates: /var/lib/gvm/.setup_complete
+ - name: Create OpenVAS directory
+ file:
+ path: /opt/openvas
+ state: directory
+ mode: '0755'
- - name: Create setup completion marker
- file:
- path: /var/lib/gvm/.setup_complete
- state: touch
- owner: _gvm
- group: _gvm
+ - name: Create docker-compose for OpenVAS
+ copy:
+ dest: /opt/openvas/docker-compose.yml
+ content: |
+ version: '3'
+ services:
+ openvas:
+ image: mikesplain/openvas:latest
+ container_name: openvas
+ ports:
+ - "443:443"
+ - "9392:9392"
+ environment:
+ - OV_PASSWORD={{ openvas_admin_password }}
+ volumes:
+ - openvas_data:/var/lib/openvas
+ restart: unless-stopped
+ volumes:
+ openvas_data:
- - name: Create GVM admin user
- shell: |
- gvmd --create-user={{ openvas_admin_user }} --password={{ openvas_admin_password }}
- args:
- creates: /var/lib/gvm/.admin_user_created
- register: create_user_result
+ - name: Deploy OpenVAS container
+ shell: |
+ cd /opt/openvas
+ docker-compose up -d
+ args:
+ creates: /opt/openvas/.deployed
- - name: Create admin user marker
- file:
- path: /var/lib/gvm/.admin_user_created
- state: touch
- owner: _gvm
- group: _gvm
- when: create_user_result is succeeded
+ - name: Mark deployment complete
+ file:
+ path: /opt/openvas/.deployed
+ state: touch
- - name: Start and enable GVM services
- service:
- name: "{{ item }}"
- state: started
- enabled: yes
- loop:
- - greenbone-security-assistant
- - openvas-scanner
- - openvas-manager
+ - name: Configure firewall
+ ufw:
+ rule: allow
+ port: "{{ item }}"
+ loop:
+ - 443
+ - 9392
- - name: Configure firewall for GVM
- ufw:
- rule: allow
- port: "{{ item }}"
- proto: tcp
- loop:
- - 443 # GSA web interface
- - 9390 # GVM daemon
+ - name: Create vulnerability scan script
+ copy:
+ dest: /usr/local/bin/vuln-scan.sh
+ mode: '0755'
+ content: |
+ #!/bin/bash
+ TARGET=${1:-127.0.0.1}
+ REPORT="/tmp/scan_$(date +%Y%m%d_%H%M%S).txt"
+ echo "Scanning $TARGET..." | tee $REPORT
+ nmap -sV -sC --script vuln $TARGET | tee -a $REPORT
+ echo "Report saved to: $REPORT"
- - name: Wait for GSA to be ready
- wait_for:
- port: 443
- host: 127.0.0.1
- delay: 60
-
- - name: Create vulnerability scan script
- copy:
- content: |
- #!/bin/bash
- # Automated vulnerability scan script
-
- TARGET=${1:-127.0.0.1}
- SCAN_NAME="Security_Scan_$(date +%Y%m%d_%H%M%S)"
-
- echo "Starting vulnerability scan for: $TARGET"
- echo "Scan name: $SCAN_NAME"
-
- # Create scan task
- TASK_ID=$(gvm-cli --gmp-username {{ openvas_admin_user }} --gmp-password {{ openvas_admin_password }} \
- socket --socketpath /var/run/gvmd.sock --xml \
- "$SCAN_NAME$TARGET" \
- | grep -oP 'id="\K[^"]+')
-
- echo "Created scan task with ID: $TASK_ID"
-
- # Start scan
- gvm-cli --gmp-username {{ openvas_admin_user }} --gmp-password {{ openvas_admin_password }} \
- socket --socketpath /var/run/gvmd.sock --xml \
- ""
-
- echo "Scan started. Monitor progress in GSA web interface."
- dest: /usr/local/bin/vulnerability-scan.sh
- mode: '0755'
-
- - name: Create scheduled vulnerability scan
- cron:
- name: "Weekly vulnerability scan"
- minute: "0"
- hour: "2"
- weekday: "0"
- job: "/usr/local/bin/vulnerability-scan.sh {{ ansible_default_ipv4.address }}"
-
- - name: Display OpenVAS/GVM information
- debug:
- msg: |
- OpenVAS/GVM has been successfully deployed:
- - Web Interface: https://{{ ansible_default_ipv4.address }}:443
- - Admin Username: {{ openvas_admin_user }}
- - Admin Password: {{ openvas_admin_password }}
-
- Run vulnerability scans with:
- /usr/local/bin/vulnerability-scan.sh
-
- Weekly automated scans are configured for Sunday 2 AM.
-
- handlers:
- - name: restart greenbone-security-assistant
- service:
- name: greenbone-security-assistant
- state: restarted
-
- - name: restart openvas-scanner
- service:
- name: openvas-scanner
- state: restarted
-
- - name: restart openvas-manager
- service:
- name: openvas-manager
- state: restarted
+ - name: Display deployment info
+ debug:
+ msg:
+ - "OpenVAS deployed via Docker"
+ - "Web Interface: https://{{ ansible_default_ipv4.address }}:443"
+ - "Username: admin"
+ - "Password: {{ openvas_admin_password }}"
+ - "Scan tool: /usr/local/bin/vuln-scan.sh "
+ - "Wait 5-10 minutes for OpenVAS to fully initialize"
\ No newline at end of file
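Review bot: The new `openvas_admin_password: "ChangeMe123!"` line drops the vault lookup the old playbook had, so the scanner admin credential is now a plaintext literal committed with the playbook, and it is then echoed to the console in the "Display deployment info" task (`"Password: {{ openvas_admin_password }}"`) and written into /opt/openvas/docker-compose.yml in clear; restore `openvas_admin_password: "{{ vault_openvas_password }}"`, delete the Password line from the debug message, and put `no_log: true` on the "Create docker-compose for OpenVAS" task so the templated content is not logged. The "Mark deployment complete" task touches the `creates:` guard file unconditionally, so a failed `docker-compose up -d` still suppresses every later run; the old side guarded its marker with `register`/`when: … is succeeded`, and the new "Deploy OpenVAS container" task should do the same. The "Configure firewall" rule lost `proto: tcp`, so it now also opens UDP on 443 and 9392; add `proto: tcp` back. The "Fix dpkg interruption issue" pre_task kills apt/dpkg processes and deletes the dpkg and apt lock files, which can leave the package database half-written if an upgrade is genuinely in progress — that step is hidden behind `ignore_errors: true` and deserves at least a comment such as `# WARNING: removes package-manager locks; only safe when no apt/dpkg run is actually active` or removal from a playbook that runs repeatedly.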