# HG changeset patch # User Michael Schloh von Bennewitz # Date 1232141949 -3600 # Node ID 8db7071256b699ddf360d9aadbe9079a71848a2a # Parent 8dba6012721436ba90236ab9e9438ff428961e6b Import package vendor original specs for necessary manipulations. diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/fsl.nessus --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nessus-tool/fsl.nessus Fri Jan 16 22:39:09 2009 +0100 @@ -0,0 +1,16 @@ +## +## fsl.nessus -- OSSP fsl configuration +## + +ident (nessus)/.+ q{ + prefix( + prefix="%b %d %H:%M:%S %N <%L> $1[%P]: " + ) + -> { + debug: file( + path="@l_prefix@/var/nessus/logs/nessusd.log", + perm=0644, jitter=1, monitor=3600 + ) + } +}; + diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/nessus-tool.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nessus-tool/nessus-tool.patch Fri Jan 16 22:39:09 2009 +0100 
@@ -0,0 +1,56 @@ +Index: nessus-core/doc/nessusd.8.in +--- nessus-core/doc/nessusd.8.in.orig 2004-10-19 17:21:05 +0200 ++++ nessus-core/doc/nessusd.8.in 2005-03-23 11:59:54 +0100 +@@ -183,7 +183,7 @@ + .SH USERS MANAGEMENT + + The utility nessus-adduser(8) creates new nessusd users. Each nessusd user +-is attributed a "home", in @NESSUS_STATEDIR@/users/. This home contains the following directories : ++is attributed a "home", in @NESSUSD_STATEDIR@/users/. This home contains the following directories : + .IP auth/ + This directory contains the authentification information for this user. It might contain the file 'dname' if the user is authenticating using a certificate, or 'hash' (or 'passwd') if the user is authenticating using a password. The file 'hash' contains a MD5 hash of the user password, as well as a random seed. The file 'password' should contain the password in clear text. + +@@ -206,7 +206,7 @@ + + + When a user attempts to log in, nessusd first checks that the directory +-@NESSUS_STATEDIR@/users/ exists, then hashes the password sent by the user with the random salt found in /auth/hash, and compares it with the password hash stored in the same file. If the users authenticates using a certificate, then nessusd checks that the certificate has been signed by a recognized authority, and makes sure that the dname of the certificate shown by the user is the same as the one in /dname. ++@NESSUSD_STATEDIR@/users/ exists, then hashes the password sent by the user with the random salt found in /auth/hash, and compares it with the password hash stored in the same file. If the users authenticates using a certificate, then nessusd checks that the certificate has been signed by a recognized authority, and makes sure that the dname of the certificate shown by the user is the same as the one in /dname. + + + To remove a given user, use the command nessus-rmuser(8). 
+Index: nessus-core/nessus-mkcert.in +--- nessus-core/nessus-mkcert.in.orig 2004-12-10 20:40:22 +0100 ++++ nessus-core/nessus-mkcert.in 2005-03-23 12:00:24 +0100 +@@ -407,31 +407,12 @@ + + chmod a+r $CACERT $SRVCERT #cln $CLNCERT + +- +-CF=@sysconfdir@/nessus/nessusd.conf +-egrep -v '^ *(pem_password|cert_file|key_file|ca_file|force_pubkey_auth) *=' "$CF" > "$CF.tmp" +-echo "# +-# Added by nessus-mkcert +-# +-cert_file=$SRVCERT +-key_file=$SRVKEY +-ca_file=$CACERT +-# If you decide to protect your private key with a password, +-# uncomment and change next line +-# pem_password=password +-# If you want to force the use of a client certificate, uncomment next line +-# force_pubkey_auth = yes" >> "$CF.tmp" +- +- +- +- + test -z "$QUIET" && header + + if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ]; + then + test -z "$QUIET" && echo "Congratulations. Your server certificate was properly created." + +- mv -f "$CF.tmp" "$CF" + test -z "$QUIET" && { + echo + echo "$CF updated diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/nessus-tool.spec --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nessus-tool/nessus-tool.spec Fri Jan 16 22:39:09 2009 +0100 
@@ -0,0 +1,224 @@ +## +## nessus-tool.spec -- OpenPKG RPM Package Specification +## Copyright (c) 2000-2008 OpenPKG Foundation e.V. +## +## Permission to use, copy, modify, and distribute this software for +## any purpose with or without fee is hereby granted, provided that +## the above copyright notice and this permission notice appear in all +## copies. +## +## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED +## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR +## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +## SUCH DAMAGE. +## + +# package information +Name: nessus-tool +Summary: Nessus Security Scanner (Tool) +URL: http://www.nessus.org/ +Vendor: Renaud Deraison +Packager: OpenPKG Foundation e.V. 
+Distribution: OpenPKG Community +Class: EVAL +Group: Monitoring +License: GPL +Version: 2.2.11 +Release: 20081120 + +# package options +%option with_fsl yes + +# list of sources +Source0: ftp://ftp.nessus.org/pub/nessus/nessus-%{version}/src/nessus-core-%{version}.tar.gz +Source1: ftp://ftp.nessus.org/pub/nessus/nessus-%{version}/src/nessus-plugins-GPL-%{version}.tar.gz +Source2: nessusd.conf +Source3: nessusd.rules +Source4: nessusd.users +Source5: rc.nessus +Source6: fsl.nessus +Patch0: nessus-tool.patch + +# build information +Prefix: %{l_prefix} +BuildRoot: %{l_buildroot} +BuildPreReq: OpenPKG, openpkg >= 20060823, X11, gcc, make +PreReq: OpenPKG, openpkg >= 20060823, X11 +BuildPreReq: nessus-libs, glib2, gtk2, openssl +PreReq: nessus-libs, glib2, gtk2, openssl +%if "%{with_fsl}" == "yes" +BuildPreReq: fsl >= 1.3.0 +PreReq: fsl >= 1.3.0 +%endif +AutoReq: no +AutoReqProv: no + +%description + This is the Tool package of the Nessus Security Scanner, a security + scanner which will audit remotely a given network and determine + whether attackers may break into it, or misuse it in some way. + +%track + prog nessus-tool:nessus-core = { + version = %{version} + url = ftp://ftp.nessus.org/pub/nessus/ + regex = (nessus-\d+\.\d+\.\d+[a-z]?) + url = ftp://ftp.nessus.org/pub/nessus/__NEWVER__/src/ + regex = nessus-core-(__VER__)\.tar\.gz + } + prog nessus-tool:nessus-plugins = { + version = %{version} + url = ftp://ftp.nessus.org/pub/nessus/ + regex = (nessus-\d+\.\d+\.\d+[a-z]?) 
+ url = ftp://ftp.nessus.org/pub/nessus/__NEWVER__/src/ + regex = nessus-core-(__VER__)\.tar\.gz + } + +%prep + %setup -q -c + %setup -q -T -D -a 1 + %patch -p0 + +%build + # build nessus-core part + ( cd nessus-core + CC="%{l_cc}" \ + CFLAGS="%{l_cflags -O}" \ + CPPFLAGS="%{l_cppflags}" \ + LDFLAGS="%{l_fsl_ldflags}" \ + LIBS="%{l_fsl_libs}" \ + ./configure \ + --prefix=%{l_prefix} \ + --localstatedir=%{l_prefix}/var \ + --sharedstatedir=%{l_prefix}/var \ + --enable-unix-socket=%{l_prefix}/var/nessus/nessusd.socket \ + --disable-syslog \ + --with-x \ + --x-includes=`%{l_rc} --query x11_incdir` \ + --x-libraries=`%{l_rc} --query x11_libdir` \ + --enable-save-sessions \ + --enable-save-kb \ + --enable-release + %{l_make} %{l_mflags} + ) || exit $? + + # temporarily install nessus-core for nessus-plugins building + nessus_core=`pwd`/nessus-core + ( cd nessus-core + %{l_make} %{l_mflags} \ + install DESTDIR=${nessus_core}/tmp + ) || exit $? + + # build nessus-plugins part + ( cd nessus-plugins + CC="%{l_cc}" \ + CFLAGS="-I${nessus_core}/tmp%{l_prefix}/include/nessus %{l_cflags -O}" \ + CPPFLAGS="-I${nessus_core}/tmp%{l_prefix}/include/nessus %{l_cppflags}" \ + LDFLAGS="%{l_fsl_ldflags}" \ + LIBS="%{l_fsl_libs}" \ + ./configure \ + --prefix=%{l_prefix} \ + --enable-install="`%{l_shtool} echo -e %u`" \ + --enable-shared + %{l_shtool} subst \ + -e 's;getinterfaces;local_getinterfaces;g' \ + -e 's;routethrough;local_routethrough;g' \ + -e 's;ipaddr2devname;local_ipaddr2devname;g' \ + -e 's;islocalhost;local_islocalhost;g' \ + -e 's;get_random_bytes;local_get_random_bytes;g' \ + -e 's;getsourceip;local_getsourceip;g' \ + plugins/nmap_osfingerprint/*.[ch] + %{l_make} %{l_mflags} + ) || exit $? + +%install + rm -rf $RPM_BUILD_ROOT + + %{l_shtool} mkdir -f -p -m 755 \ + $RPM_BUILD_ROOT%{l_prefix}/bin + + # install nessus-core part + ( cd nessus-core + %{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT + ) || exit $? 
+ + # install nessus-plugins part + ( cd nessus-plugins + %{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT + ) || exit $? + + # strip down installation + strip $RPM_BUILD_ROOT%{l_prefix}/bin/* >/dev/null 2>&1 || true + + # install default configuration + %{l_shtool} install -c -m 644 %{l_value -s -a} \ + %{SOURCE nessusd.conf} \ + %{SOURCE nessusd.rules} \ + %{SOURCE nessusd.users} \ + $RPM_BUILD_ROOT%{l_prefix}/etc/nessus/ + + # install run-command script + %{l_shtool} mkdir -f -p -m 755 \ + $RPM_BUILD_ROOT%{l_prefix}/etc/fsl \ + $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d + %{l_shtool} install -c -m 755 %{l_value -s -a} \ + %{SOURCE rc.nessus} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/ + %{l_shtool} install -c -m 644 %{l_value -s -a} \ + %{SOURCE fsl.nessus} $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/ + + # determine installation files + %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \ + %{l_files_std} \ + '%config %{l_prefix}/etc/fsl/fsl.nessus' \ + '%config %{l_prefix}/etc/nessus/*' \ + '%config %attr(0600,%{l_musr},%{l_mgrp}) %{l_prefix}/etc/nessus/nessusd.conf' + +%files -f files + +%clean + rm -rf $RPM_BUILD_ROOT + +%post + # after upgrade, restart service + if [ $1 -eq 2 ]; then + eval `%{l_rc} nessus status 2>/dev/null` + [ ".$nessus_active" = .yes ] && %{l_rc} nessus restart + fi + + # on every install, announce certificate + if [ $1 -le 2 ]; then + if [ ! -f $RPM_INSTALL_PREFIX/var/nessus/CA/servercert.pem ]; then + ( echo "For the SSL/TLS based remote client/server connections" + echo "between the Nessus server and the Nessus clients, an" + echo "X.509 server certificate/key pair is needed. 
Run the" + echo "following command to create it once:" + echo " \$ $RPM_INSTALL_PREFIX/sbin/nessus-mkcert" + ) | %{l_rpmtool} msg -b -t info + fi + fi + + # on initial install, announce useradd + if [ $1 -eq 1 ]; then + ( echo "Each Nessus user has to be created on the Nessus server" + echo "Run the following command to create an individual user:" + echo " \$ $RPM_INSTALL_PREFIX/sbin/nessus-adduser" + ) | %{l_rpmtool} msg -b -t info + fi + exit 0 + +%preun + # before erase, stop service and remove log files + if [ $1 -eq 0 ]; then + %{l_rc} nessus stop 2>/dev/null + rm -f $RPM_INSTALL_PREFIX/var/nessus/logs/*.log* >/dev/null 2>&1 || true + fi + exit 0 + diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/nessusd.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nessus-tool/nessusd.conf Fri Jan 16 22:39:09 2009 +0100 @@ -0,0 +1,38 @@ +## +## nessusd.conf -- Nessus Daemon Configuration +## + +# paths +rules = @l_prefix@/etc/nessus/nessusd.rules +users = @l_prefix@/etc/nessus/nessusd.users +logfile = @l_prefix@/var/nessus/nessusd.log +dumpfile = @l_prefix@/var/nessus/nessusd.dump +cert_file = @l_prefix@/var/nessus/CA/servercert.pem +key_file = @l_prefix@/var/nessus/CA/serverkey.pem +ca_file = @l_prefix@/var/nessus/CA/cacert.pem +plugins_folder = @l_prefix@/lib/nessus/plugins + +# options +max_hosts = 30 +max_checks = 10 +max_threads = 15 +be_nice = yes +log_whole_attack = yes +log_plugins_name_at_load = no +cgi_path = /cgi-bin:/scripts +port_range = default +optimize_test = yes +checks_read_timeout = 5 +non_simult_ports = 139, 445 +plugins_timeout = 320 +safe_checks = yes +auto_enable_dependencies = yes +use_mac_addr = no +plugin_upload = no +plugin_upload_suffixes = .nasl, .inc +admin_user = root +language = english +slice_network_addresses = no +#pem_password = password +#force_pubkey_auth = yes + diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/nessusd.rules --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
+++ b/nessus-tool/nessusd.rules Fri Jan 16 22:39:09 2009 +0100 @@ -0,0 +1,11 @@ +## +## nessusd.rules -- Nessus Daemon Scanning Rules +## + +accept 127.0.0.0/8 +accept client_ip/32 +#reject 192.168.1.1/32 +#reject !192.168.0.0/16 +default reject +#default accept + diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/nessusd.users --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nessus-tool/nessusd.users Fri Jan 16 22:39:09 2009 +0100 @@ -0,0 +1,4 @@ +## +## nessusd.users -- Nessus Daemon Users +## + diff -r 8dba60127214 -r 8db7071256b6 nessus-tool/rc.nessus --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nessus-tool/rc.nessus Fri Jan 16 22:39:09 2009 +0100 
@@ -0,0 +1,60 @@ +#!@l_prefix@/bin/openpkg rc +## +## rc.nessus -- Run-Commands +## + +%config + nessus_enable="$openpkg_rc_def" + nessus_listen_addr="127.0.0.1" + nessus_listen_port="1241" + nessus_source_addr="127.0.0.1" + nessus_log_prolog="true" + nessus_log_epilog="true" + nessus_log_numfiles="10" + nessus_log_minsize="1M" + nessus_log_complevel="9" + +%common + nessus_pidfile="@l_prefix@/var/nessus/nessusd.pid" + nessus_signal () { + [ -f $nessus_pidfile ] && kill -$1 `cat $nessus_pidfile` + } + +%status -u @l_susr@ -o + nessus_usable="unknown" + nessus_active="no" + rcService nessus enable yes && \ + nessus_signal 0 && nessus_active="yes" + echo "nessus_enable=\"$nessus_enable\"" + echo "nessus_usable=\"$nessus_usable\"" + echo "nessus_active=\"$nessus_active\"" + +%start -p 900 -u @l_susr@ + rcService nessus enable yes || exit 0 + rcService nessus active yes && exit 0 + @l_prefix@/sbin/nessusd \ + --listen="${nessus_listen_addr}" \ + --port="${nessus_listen_port}" \ + --src-ip="${nessus_source_addr}" \ + --background + +%stop -p 100 -u @l_susr@ + rcService nessus enable yes || exit 0 + rcService nessus active no && exit 0 + nessus_signal TERM + sleep 2 + +%restart -p 900 -u @l_susr@ + rcService nessus enable yes || exit 0 + rcService nessus active no && exit 0 + rc nessus stop start + +%daily -u @l_susr@ + rcService nessus enable yes || exit 0 + shtool rotate -f \ + -n ${nessus_log_numfiles} -s ${nessus_log_minsize} -d \ + -z ${nessus_log_complevel} -m 644 -o @l_susr@ -g @l_mgrp@ \ + -P "${nessus_log_prolog}" \ + -E "${nessus_log_epilog}; rc nessus restart" \ + @l_prefix@/var/nessus/logs/nessusd.log +
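Review bot: in nessus-tool/fsl.nessus the debug file target is created with perm=0644, which leaves nessusd.log world-readable, while nessusd.conf in the same changeset sets log_whole_attack = yes and so asks nessusd to log the full detail of each scan. Suggest perm=0640 or 0600 here, with the matching change to the -m 644 passed to shtool rotate in rc.nessus, unless local users are meant to read scan logs.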
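Review bot: in the nessus-mkcert.in hunk of nessus-tool/nessus-tool.patch, the CF= assignment and the mv -f "$CF.tmp" "$CF" are removed, but the success message kept as context still prints "$CF updated". After this patch the script announces an update it no longer performs, and CF is no longer assigned in the visible lines. Suggest removing or rewording that echo in the same hunk, for example to point the administrator at the packaged nessusd.conf, which already carries cert_file, key_file and ca_file.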
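Review bot: in nessus-tool/nessus-tool.spec the %track entry for nessus-tool:nessus-plugins reuses regex = nessus-core-(__VER__)\.tar\.gz, so it tracks the core tarball a second time instead of the nessus-plugins-GPL tarball named in Source1; the regex should match nessus-plugins-GPL-(__VER__)\.tar\.gz. Separately, Source0 and Source1 are fetched over plain ftp:// and the spec records no digest for them, so consider pinning a checksum for both tarballs.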
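Review bot: nessus-tool/nessusd.conf sets logfile = @l_prefix@/var/nessus/nessusd.log, but fsl.nessus, the %daily rotation in rc.nessus and the %preun cleanup in the spec all use @l_prefix@/var/nessus/logs/nessusd.log. If nessusd ever writes to the configured logfile directly, that file is neither rotated nor removed on erase. Suggest pointing logfile at the logs/ path so all four places agree.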
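Review bot: nessus_signal in the %common section of nessus-tool/rc.nessus runs kill -$1 `cat $nessus_pidfile` on whatever PID the file holds, and %stop calls it as @l_susr@, so a stale nessusd.pid left behind after a crash can deliver TERM to an unrelated process that has reused the PID. Suggest quoting both expansions and checking that the PID still belongs to nessusd before signalling.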