update on vuln scanner

This commit is contained in:
areeqakbr 2025-08-15 14:11:28 +07:00
parent a3d4468cf8
commit 49963abe1e
1 changed files with 149 additions and 140 deletions


@ -1,157 +1,166 @@
--- ---
- name: Deploy Vulnerability Scanner (OpenVAS/GVM) - name: Deploy Vulnerability Scanner (Simple Version)
hosts: security_servers hosts: security_servers
become: true become: true
vars: vars:
openvas_admin_user: "admin" openvas_admin_user: "admin"
openvas_admin_password: "{{ vault_openvas_password | default('ChangeMe123!') }}" openvas_admin_password: "ChangeMe123!"
pre_tasks:
- name: Set non-interactive mode
set_fact:
ansible_env: "{{ ansible_env | combine({'DEBIAN_FRONTEND': 'noninteractive', 'NEEDRESTART_MODE': 'a'}) }}"
- name: Fix dpkg interruption issue
shell: |
export DEBIAN_FRONTEND=noninteractive
export NEEDRESTART_MODE=a
# Kill any hanging processes
pkill -f "apt-get|dpkg|unattended-upgrade" || true
sleep 5
# Remove all locks
rm -f /var/lib/dpkg/lock*
rm -f /var/lib/apt/lists/lock
rm -f /var/cache/apt/archives/lock
# Fix dpkg interruption
dpkg --configure -a
# Fix broken packages
apt-get -f install -y
# Clean up
apt-get autoremove -y
apt-get autoclean
echo "Package system recovery completed"
environment:
DEBIAN_FRONTEND: noninteractive
NEEDRESTART_MODE: a
timeout: 600
ignore_errors: true
- name: Verify package system is working
shell: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
echo "Package system is functional"
environment:
DEBIAN_FRONTEND: noninteractive
timeout: 300
ignore_errors: true
tasks: tasks:
- name: Update apt cache - name: Update package cache (with retries)
apt: apt:
update_cache: yes update_cache: yes
cache_valid_time: 300
environment:
DEBIAN_FRONTEND: noninteractive
retries: 3
delay: 10
- name: Install required packages - name: Install essential security tools (one by one to avoid conflicts)
apt: apt:
name: name: "{{ item }}"
- software-properties-common state: present
- apt-transport-https force_apt_get: true
- curl environment:
- gnupg DEBIAN_FRONTEND: noninteractive
state: present loop:
- curl
- wget
- nmap
- python3-pip
retries: 3
delay: 5
ignore_errors: true
- name: Add GVM PPA repository - name: Install Docker for containerized OpenVAS
apt_repository: apt:
repo: ppa:mrazavi/gvm name: "{{ item }}"
state: present state: present
force_apt_get: true
environment:
DEBIAN_FRONTEND: noninteractive
loop:
- docker.io
- docker-compose
retries: 3
delay: 5
- name: Install GVM/OpenVAS - name: Start Docker service
apt: systemd:
name: name: docker
- gvm state: started
- openvas-scanner enabled: yes
- openvas-manager
- greenbone-security-assistant
- greenbone-feed-sync
state: present
update_cache: yes
- name: Setup GVM - name: Create OpenVAS directory
shell: | file:
gvm-setup path: /opt/openvas
gvm-feed-update state: directory
args: mode: '0755'
creates: /var/lib/gvm/.setup_complete
- name: Create setup completion marker - name: Create docker-compose for OpenVAS
file: copy:
path: /var/lib/gvm/.setup_complete dest: /opt/openvas/docker-compose.yml
state: touch content: |
owner: _gvm version: '3'
group: _gvm services:
openvas:
image: mikesplain/openvas:latest
container_name: openvas
ports:
- "443:443"
- "9392:9392"
environment:
- OV_PASSWORD={{ openvas_admin_password }}
volumes:
- openvas_data:/var/lib/openvas
restart: unless-stopped
volumes:
openvas_data:
- name: Create GVM admin user - name: Deploy OpenVAS container
shell: | shell: |
gvmd --create-user={{ openvas_admin_user }} --password={{ openvas_admin_password }} cd /opt/openvas
args: docker-compose up -d
creates: /var/lib/gvm/.admin_user_created args:
register: create_user_result creates: /opt/openvas/.deployed
- name: Create admin user marker - name: Mark deployment complete
file: file:
path: /var/lib/gvm/.admin_user_created path: /opt/openvas/.deployed
state: touch state: touch
owner: _gvm
group: _gvm
when: create_user_result is succeeded
- name: Start and enable GVM services - name: Configure firewall
service: ufw:
name: "{{ item }}" rule: allow
state: started port: "{{ item }}"
enabled: yes loop:
loop: - 443
- greenbone-security-assistant - 9392
- openvas-scanner
- openvas-manager
- name: Configure firewall for GVM - name: Create vulnerability scan script
ufw: copy:
rule: allow dest: /usr/local/bin/vuln-scan.sh
port: "{{ item }}" mode: '0755'
proto: tcp content: |
loop: #!/bin/bash
- 443 # GSA web interface TARGET=${1:-127.0.0.1}
- 9390 # GVM daemon REPORT="/tmp/scan_$(date +%Y%m%d_%H%M%S).txt"
echo "Scanning $TARGET..." | tee $REPORT
nmap -sV -sC --script vuln $TARGET | tee -a $REPORT
echo "Report saved to: $REPORT"
- name: Wait for GSA to be ready - name: Display deployment info
wait_for: debug:
port: 443 msg:
host: 127.0.0.1 - "OpenVAS deployed via Docker"
delay: 60 - "Web Interface: https://{{ ansible_default_ipv4.address }}:443"
- "Username: admin"
- name: Create vulnerability scan script - "Password: {{ openvas_admin_password }}"
copy: - "Scan tool: /usr/local/bin/vuln-scan.sh <target>"
content: | - "Wait 5-10 minutes for OpenVAS to fully initialize"
#!/bin/bash
# Automated vulnerability scan script
TARGET=${1:-127.0.0.1}
SCAN_NAME="Security_Scan_$(date +%Y%m%d_%H%M%S)"
echo "Starting vulnerability scan for: $TARGET"
echo "Scan name: $SCAN_NAME"
# Create scan task
TASK_ID=$(gvm-cli --gmp-username {{ openvas_admin_user }} --gmp-password {{ openvas_admin_password }} \
socket --socketpath /var/run/gvmd.sock --xml \
"<create_task><name>$SCAN_NAME</name><target><hosts>$TARGET</hosts></target></create_task>" \
| grep -oP 'id="\K[^"]+')
echo "Created scan task with ID: $TASK_ID"
# Start scan
gvm-cli --gmp-username {{ openvas_admin_user }} --gmp-password {{ openvas_admin_password }} \
socket --socketpath /var/run/gvmd.sock --xml \
"<start_task task_id=\"$TASK_ID\"/>"
echo "Scan started. Monitor progress in GSA web interface."
dest: /usr/local/bin/vulnerability-scan.sh
mode: '0755'
- name: Create scheduled vulnerability scan
cron:
name: "Weekly vulnerability scan"
minute: "0"
hour: "2"
weekday: "0"
job: "/usr/local/bin/vulnerability-scan.sh {{ ansible_default_ipv4.address }}"
- name: Display OpenVAS/GVM information
debug:
msg: |
OpenVAS/GVM has been successfully deployed:
- Web Interface: https://{{ ansible_default_ipv4.address }}:443
- Admin Username: {{ openvas_admin_user }}
- Admin Password: {{ openvas_admin_password }}
Run vulnerability scans with:
/usr/local/bin/vulnerability-scan.sh <target_ip>
Weekly automated scans are configured for Sunday 2 AM.
handlers:
- name: restart greenbone-security-assistant
service:
name: greenbone-security-assistant
state: restarted
- name: restart openvas-scanner
service:
name: openvas-scanner
state: restarted
- name: restart openvas-manager
service:
name: openvas-manager
state: restarted
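Review bot: The new side replaces the vault lookup with a literal `openvas_admin_password: "ChangeMe123!"`, then writes that value into `/opt/openvas/docker-compose.yml` (the `copy` task sets no `mode:`, so it presumably lands world-readable as root's default) and prints it verbatim in the closing `debug` task, so the scanner's admin credential ends up in version control, on disk, and in the Ansible log. Restore the vault reference without a fallback so a missing secret fails loudly, `openvas_admin_password: "{{ vault_openvas_password }}"`, add `mode: '0600'` to the compose-file `copy`, and drop the `"Password: ..."` line from the debug message (or set `no_log: true` on that task). `image: mikesplain/openvas:latest` is an unpinned tag from a personal Docker Hub namespace; pin it by digest (`image: mikesplain/openvas@sha256:<digest>`) and confirm the image is still maintained before relying on it for vulnerability data. The `ufw` task also lost the `proto: tcp` restriction that the old version had, and since the compose file publishes `443:443` and `9392:9392` on all interfaces, Docker's own iptables rules will likely expose these ports regardless of ufw, so restrict the host bind (`"127.0.0.1:9392:9392"` or a management address) rather than relying on ufw alone. Finally, the pre_task that runs `pkill -f "apt-get|dpkg|unattended-upgrade"` and `rm -f /var/lib/dpkg/lock*` can corrupt the dpkg database if an install is genuinely in progress; prefer waiting on the lock (the `apt` module's `lock_timeout`) over killing the holder and deleting its locks.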