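---
# Deploys Greenbone Vulnerability Management (GVM / OpenVAS) on the hosts in
# the `security_servers` group from the mrazavi PPA, creates the GMP admin
# user, opens the GSA web port, installs a helper scan script and schedules a
# weekly self-scan via cron.
#
# Required input: `vault_openvas_password` (from an Ansible Vault file or
# --extra-vars). The play refuses to run without it instead of falling back to
# a well-known default password.
#
# NOTE(review): the package list mixes generations of Greenbone naming
# (`openvas-manager`/`openvas-scanner` next to `gvm` and
# `greenbone-feed-sync`) — verify the exact set against what the PPA ships
# before relying on this play.
- name: Deploy Vulnerability Scanner (OpenVAS/GVM)
  hosts: security_servers
  become: true

  vars:
    openvas_admin_user: "admin"
    # No default value: a hard-coded fallback would be deployed silently on
    # every host where the vault variable is missing.
    openvas_admin_password: "{{ vault_openvas_password }}"
    # Unix socket of the packaged gvmd; used by the scan script below.
    openvas_gvmd_socket: /var/run/gvmd.sock
    # Greenbone's built-in object UUIDs used by the scan script. Override if
    # your installation uses different defaults.
    openvas_scan_config_id: "daba56c8-73ec-11df-a475-002264764cea"  # Full and fast
    openvas_scanner_id: "08b69003-5fc2-4037-a479-93b440211c73"  # OpenVAS Default
    openvas_port_list_id: "33d0cd82-57c6-11e1-8ed1-406186ea4fc5"  # All IANA assigned TCP
    # Only the GSA web interface is reachable by default. The scan script talks
    # to gvmd over the local Unix socket, so 9390/tcp is only needed for remote
    # GMP clients; enable it deliberately and scope it with a ufw `src` rule.
    openvas_expose_gmp_port: false

  tasks:
    - name: Ensure the admin password was supplied (vault or extra-vars)
      assert:
        that:
          - vault_openvas_password is defined
          - vault_openvas_password | length > 0
        fail_msg: "Set vault_openvas_password (e.g. in an Ansible Vault file); refusing to deploy without an admin password."

    - name: Update apt cache
      apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Install required packages
      apt:
        name:
          - software-properties-common
          - apt-transport-https
          - curl
          - gnupg
        state: present

    - name: Add GVM PPA repository
      apt_repository:
        repo: ppa:mrazavi/gvm
        state: present

    - name: Install GVM/OpenVAS
      apt:
        name:
          - gvm
          - openvas-scanner
          - openvas-manager
          - greenbone-security-assistant
          - greenbone-feed-sync
        state: present
        update_cache: true

    # Runs once; the marker file below makes re-runs skip this task.
    - name: Setup GVM
      shell: |
        gvm-setup
        gvm-feed-update
      args:
        creates: /var/lib/gvm/.setup_complete
      register: gvm_setup_result

    # Preserving the timestamps keeps the marker task idempotent (a plain
    # `state: touch` reports changed on every run).
    - name: Create setup completion marker
      file:
        path: /var/lib/gvm/.setup_complete
        state: touch
        owner: _gvm
        group: _gvm
        modification_time: preserve
        access_time: preserve
      when: gvm_setup_result is changed

    # The password is passed on the gvmd command line, so the task output must
    # not be logged. It may still be visible briefly in the process list.
    - name: Create GVM admin user
      shell: |
        gvmd --create-user='{{ openvas_admin_user }}' --password='{{ openvas_admin_password }}'
      args:
        creates: /var/lib/gvm/.admin_user_created
      register: create_user_result
      no_log: true

    - name: Create admin user marker
      file:
        path: /var/lib/gvm/.admin_user_created
        state: touch
        owner: _gvm
        group: _gvm
        modification_time: preserve
        access_time: preserve
      when: create_user_result is changed

    - name: Start and enable GVM services
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - greenbone-security-assistant
        - openvas-scanner
        - openvas-manager

    - name: Allow inbound TCP to the GSA web interface
      ufw:
        rule: allow
        port: "443"
        proto: tcp

    - name: Allow inbound TCP to the GVM daemon (GMP) only when explicitly requested
      ufw:
        rule: allow
        port: "9390"
        proto: tcp
      when: openvas_expose_gmp_port | bool

    - name: Wait for GSA to be ready
      wait_for:
        port: 443
        host: 127.0.0.1
        delay: 60

    # The script embeds the GMP admin credentials, so it must not be
    # world-readable (mode 0755 exposed the password to every local user).
    # gvm-cli can alternatively read credentials from ~/.config/gvm-tools.conf,
    # which keeps them off the command line entirely.
    - name: Create vulnerability scan script
      copy:
        content: |
          #!/bin/bash
          # Automated vulnerability scan script: creates a GMP target and task
          # for $1 (default 127.0.0.1) and starts the task.
          set -euo pipefail

          TARGET=${1:-127.0.0.1}
          SCAN_NAME="Security_Scan_$(date +%Y%m%d_%H%M%S)"

          # TARGET is interpolated into GMP XML; accept only the characters a
          # host list can contain so quotes or angle brackets cannot alter the
          # request.
          if [[ ! "$TARGET" =~ ^[A-Za-z0-9.,:/_-]+$ ]]; then
            echo "Invalid target: $TARGET" >&2
            exit 2
          fi

          # Send one GMP command over the local gvmd socket.
          gmp() {
            gvm-cli --gmp-username '{{ openvas_admin_user }}' --gmp-password '{{ openvas_admin_password }}' \
              socket --socketpath {{ openvas_gvmd_socket }} --xml "$1"
          }

          # Print the id attribute of a create_*_response, or nothing on failure.
          response_id() {
            grep -oP 'id="\K[^"]+' | head -n 1 || true
          }

          echo "Starting vulnerability scan for: $TARGET"
          echo "Scan name: $SCAN_NAME"

          # create_task references an existing target object, so create it first.
          TARGET_ID=$(gmp "<create_target><name>$SCAN_NAME</name><hosts>$TARGET</hosts><port_list id=\"{{ openvas_port_list_id }}\"/></create_target>" | response_id)
          if [ -z "$TARGET_ID" ]; then
            echo "Failed to create scan target" >&2
            exit 1
          fi
          echo "Created scan target with ID: $TARGET_ID"

          TASK_ID=$(gmp "<create_task><name>$SCAN_NAME</name><target id=\"$TARGET_ID\"/><config id=\"{{ openvas_scan_config_id }}\"/><scanner id=\"{{ openvas_scanner_id }}\"/></create_task>" | response_id)
          if [ -z "$TASK_ID" ]; then
            echo "Failed to create scan task" >&2
            exit 1
          fi
          echo "Created scan task with ID: $TASK_ID"

          gmp "<start_task task_id=\"$TASK_ID\"/>" > /dev/null
          echo "Scan started. Monitor progress in GSA web interface."
        dest: /usr/local/bin/vulnerability-scan.sh
        owner: root
        group: root
        mode: '0700'

    - name: Create scheduled vulnerability scan
      cron:
        name: "Weekly vulnerability scan"
        minute: "0"
        hour: "2"
        weekday: "0"
        job: "/usr/local/bin/vulnerability-scan.sh {{ ansible_default_ipv4.address }}"

    # The admin password is deliberately not echoed here: debug output ends up
    # in play logs and CI consoles.
    - name: Display OpenVAS/GVM information
      debug:
        msg: |
          OpenVAS/GVM has been successfully deployed:
          - Web Interface: https://{{ ansible_default_ipv4.address }}:443
          - Admin Username: {{ openvas_admin_user }}
          - Admin Password: the value of vault_openvas_password (not shown)

          Run vulnerability scans with:
          /usr/local/bin/vulnerability-scan.sh <target_ip>

          Weekly automated scans are configured for Sunday 2 AM.

  # No task in this play notifies these handlers yet; they are kept for tasks
  # that change service configuration.
  handlers:
    - name: restart greenbone-security-assistant
      service:
        name: greenbone-security-assistant
        state: restarted

    - name: restart openvas-scanner
      service:
        name: openvas-scanner
        state: restarted

    - name: restart openvas-manager
      service:
        name: openvas-manager
        state: restarted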