Start-Stop Script

Hello,

After I finally set up Greenbone, I now want a start/stop script with which I can start/stop gsad/gvmd/openvassd with the right parameters, like gsad -p 9390 --listen IPADDRESS and so on…
But I don't have much experience with scripting, so I wanted to know if there are already some example scripts?

Kind regards,

GVM versions

gsa: 8.0.1
gvm: 8.0.1
openvas-scanner: 6.0.1
gvm-libs: 10.0.1
gvm-tools: 2.0.0.beta1

Environment Greenbone Server

**Operating system:** Ubuntu Server 18.4
**Kernel:** 4.15.0-58-generic
**Installation method / source:** Github

I'm still trying to write the script. I already wrote a stop script to stop the gvmd service, but it doesn't work, and I don't understand why it's not working. The following is my “test script”:

```
#!/bin/sh

# Include functions
set -e . /lib/lsb/init-functions

stop() {
    printf "Stopping GVMD'... "
    pid=$(pgrep gvmd)
    if [ $pid != 0 ]
    then
        kill $pid
    fi
    printf "done\n"
}

case $1 in
    stop)
        stop
        ;;
    *)
        exit 1
        ;;
esac
```

Hope someone can help me :slight_smile:

GVM versions

gsa: 8.0.1
gvm: 8.0.1
openvas-scanner: 6.0.1
gvm-libs: 10.0.1
gvm-tools: 2.0.0.beta1

Environment Greenbone Server

**Operating system:** Ubuntu Server 18.4
**Kernel:** 4.15.0-58-generic
**Installation method / source:** Github
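
A stop routine that copes with the cases an unguarded pgrep/kill sequence trips over under `set -e`: no matching process, several PIDs, and a daemon that needs time to exit. This is an added example and not the poster's script; the function names and the 10-second wait are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. "gvmd" is the daemon name used in the thread.
# Keep "set -e" and the ". FILE" include on separate lines: "set -e . FILE" would
# assign "." and FILE to $1 and $2 and hide the real command-line argument.
set -e

# stop_daemon NAME [SECONDS]: returns 0 once no process called NAME is left
# (including when none was running), 1 if one survives the wait.
stop_daemon() {
    name=$1
    wait_s=${2:-10}
    # pgrep exits non-zero when nothing matches; "|| true" stops "set -e" from
    # aborting the script inside this assignment.
    pids=$(pgrep -x "$name" || true)
    if [ -z "$pids" ]; then              # quoted test: an empty result is not an error
        printf '%s is not running\n' "$name"
        return 0
    fi
    printf 'Stopping %s... ' "$name"
    kill $pids 2>/dev/null || true       # unquoted on purpose: pgrep prints one PID per line
    while pgrep -x "$name" >/dev/null; do
        if [ "$wait_s" -le 0 ]; then printf 'still running\n'; return 1; fi
        sleep 1
        wait_s=$((wait_s - 1))
    done
    printf 'done\n'
}

main() {
    case "${1:-}" in
        stop) stop_daemon gvmd ;;
        *)    echo "usage: $0 stop" >&2; return 2 ;;
    esac
}

# Without arguments the file only defines the functions, so it can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```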

Nowadays there are systemd service files.

Gentoo is providing OpenRC scripts with the ebuild for GVM.

In /install/lib/systemd/system I just have a service script for gsad; should there be one for openvassd and gvmd too?

When I try to start gsad with the gsad.service using the following command:
systemctl start gsad.service

I get the following error:

```
● gsad.service - Greenbone Security Assistant
   Loaded: loaded (/home/user/install/lib/systemd/system/gsad.service; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-09-03 09:20:23 CEST; 9s ago
  Process: 3089 ExecStart=/home/user/install/sbin/gsad --listen=10.80.1.194 --port=9390 (code=exited, status=127)

Sep 03 09:20:22 greenbone systemd[1]: gsad.service: Control process exited, code=exited status=127
Sep 03 09:20:22 greenbone systemd[1]: gsad.service: Failed with result 'exit-code'.
Sep 03 09:20:22 greenbone systemd[1]: Failed to start Greenbone Security Assistant.
Sep 03 09:20:23 greenbone systemd[1]: gsad.service: Service hold-off time over, scheduling restart.
Sep 03 09:20:23 greenbone systemd[1]: gsad.service: Scheduled restart job, restart counter is at 5.
Sep 03 09:20:23 greenbone systemd[1]: Stopped Greenbone Security Assistant.
Sep 03 09:20:23 greenbone systemd[1]: gsad.service: Start request repeated too quickly.
Sep 03 09:20:23 greenbone systemd[1]: gsad.service: Failed with result 'exit-code'.
Sep 03 09:20:23 greenbone systemd[1]: Failed to start Greenbone Security Assistant.
```

The gsad.service looks like this:

```
[Unit]
Description=Greenbone Security Assistant
After=network.target

[Service]
User=user
Grop=user
Type=forking
EnvironmentFile=/home/user/install/etc/default/gsad
ExecStart=/home/user/install/sbin/gsad --listen=IP.IP.IP.IP --port=9390
ExecStop =/usr/bin/pkill gsad
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
```

When I watch journalctl -f while I run the command, I get this error:

/home/user/install/sbin/gsad: error while loading shared libraries: libgvm_base.so.10: cannot open shared object file: No such file or directory

But I don't understand why, because when I start the same command I get no error. Is it possible that systemd starts gsa as root?

Edit:
After adding this line to the gsad.service file

Environment=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:'/home/user/install/lib/'

I get this error…

greenbone polkitd(authority=local)[898]: Unregistered Authentication Agent for unix-process:15550:1655999 (system bus name :1.1014, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
And after 5 restarts of the gsad.service it tells me “Failed to start Greenbone Security Assistant”.

Your installation or system is broken; I suggest you get a GCE version if you have system issues like this.
This is totally out of scope for this board. Hint: look for boot environment and ld-preload paths.

I got the installation from source via GitHub and installed it from the source code… So I think that is the GSE version…

I have now fixed this error by putting this line in the script:
Environment=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:'/home/user/install/lib/'

The latest error I fixed with this line:
PermissionsStartOnly=true
The problem was that I use User and Group, and it wanted to do something in /var/run.
So I had to delete User and Group so that it defaults to root, or add this line. The finished script for gsad looks like this:

```
[Unit]
Description=Greenbone Security Assistant
Wants=network-online.target
After=network.target

[Service]
Type=forking
User=user
Group=user
Environment=LD_LIBRARY_PATH=$LD_LIBRARY_PATH:'/home/user/install/lib/'
EnvironmentFile=/home/user/install/etc/default/gsad
ExecStart=/home/user/install/sbin/gsad $GSA_ADDRESS $GSA_PORT
PermissionsStartOnly=true
ExecStop=/bin/kill -HUP $MAINPID
TimeoutStopSec=10

[Install]
Alias=greenbone-security-assistant.service
```

You know this is a big security risk?

1 Like

No, I don't know that… I'll try to change it…

Of course using `LD_LIBRARY_PATH` is a security risk because it would allow attackers to install manipulated replacements for system libraries (like glib) into this path and the application would use it instead of the system one. Therefore you should not run such installations in production. It is only intended for development purposes.

If you want to use the source releases in production you should always run cmake with -DCMAKE_INSTALL_PREFIX=/usr and -DCMAKE_BUILD_TYPE=Release. But installing into the system prefix /usr creates a lot of additional headaches if done manually. Therefore people invented packages and tools like apt.

2 Likes
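
The risk described above can be checked mechanically: the following added example (not code from the thread or from Greenbone) lists every `LD_LIBRARY_PATH` or `LD_PRELOAD` entry in a unit file that points at a location a non-root user could write to. The function names are assumptions, and the sample line is constructed from the unit posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Lists LD_LIBRARY_PATH / LD_PRELOAD entries in a
# systemd unit file that a non-root user could write to.

# path_is_risky DIR: returns 0 if DIR, or any directory above it, is modifiable by non-root.
path_is_risky() {
    d=$1
    case $d in /*) ;; *) return 0 ;; esac   # empty or relative entry: resolved against the cwd
    while :; do
        [ -d "$d" ] || return 0             # missing: whoever can create it controls it
        # flagged when not owned by uid 0, or group- or world-writable
        [ -n "$(find -H "$d" -prune \( ! -user 0 -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ] && return 0
        [ "$d" = / ] && return 1
        d=$(dirname "$d")
    done
}

# audit_unit FILE: prints "FILE: ENTRY" for every risky search-path entry.
audit_unit() {
    unit=$1
    grep -E '^[[:space:]]*Environment=.*LD_(LIBRARY_PATH|PRELOAD)=' "$unit" |
    while IFS= read -r line; do
        # value after VAR= up to the next blank, quotes removed
        val=$(printf '%s\n' "$line" |
              sed -E "s/.*LD_(LIBRARY_PATH|PRELOAD)=([^[:space:]]*).*/\2/; s/[\"']//g")
        old_ifs=$IFS; IFS=:
        for entry in $val; do
            # systemd does not expand $VAR in Environment=, so "$LD_LIBRARY_PATH"
            # stays a literal, relative entry
            if path_is_risky "$entry"; then printf '%s: %s\n' "$unit" "$entry"; fi
        done
        IFS=$old_ifs
    done
}

# Constructed sample: the Environment= line from the unit shown in this thread.
sample=$(mktemp)
printf '%s\n' '[Service]' \
    "Environment=LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:'/home/user/install/lib/'" > "$sample"
audit_unit "$sample"
rm -f "$sample"
```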

I read that a few minutes ago too…

So it would be better if I make a new VM and install it with apt… right?

Better … depends. Easier of course. But you have to use 3rd party packages because Greenbone doesn’t support anything besides Greenbone OS and the Greenbone Source Edition.

1 Like

It would be better if you build your own deb package (on your build machine) and make it correct (this is not easy). Most packages out there are insecure or do not work at all. Then you can install and update on your production machine with your own built packages.

Please read here about uncoordinated integration on this forum.

Okay…
Sorry if I ask newbie questions, but I'm not very familiar with this kind of configuration.
But if I want to run the service scripts I have to set the LD_LIBRARY_PATH… I set it in the environment as my normal user… but the problem is that I must start the scripts with sudo… and if I understand it right, it would not be secure either if I set the LD_LIBRARY_PATH as the root user, right?

But I am reading at the moment that I can use the systemctl files as a user when putting them in another directory…

Running HTTP servers is prone to security issues. Therefore it needs a lot of background knowledge especially about running daemons on unix based systems.

Maybe you should use our community edition instead.

Is it a security risk too when I start the service files as a normal user, with systemctl --user start gsad.service?