#!/bin/bash

# Author: Scott R. Shinn <scott@atomicorp.com>

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# or at your option any later version, as published by the
# Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

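# Script version, printed in the banner below; never reassigned, so keep it read-only.
readonly VERSION=4.0.1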

# Functions

# Input validation function
# check_input <msg> <valid responses regex> <default>
# If <default> is passed as null, then there is no default.
# The accepted answer is left in the global variable INPUTTEXT.
# Example: check_input  "Some question (yes/no) " "yes|no"  "yes"
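function check_input {
  # Keep the prompt state local; only the global INPUTTEXT is meant to escape.
  local message=$1
  local validate=$2
  local default=$3

  # Returns 1 once an answer has been accepted (historical convention, the
  # caller in this script only reads INPUTTEXT) and 2 if no answer can be
  # read and there is no default.
  while true; do
    printf '%s ' "$message"
    # Read from the controlling terminal so the prompt still works when the
    # script itself is fed through a pipe; -r keeps backslashes literal.
    if ! read -r INPUTTEXT < /dev/tty; then
      # No terminal or EOF: use the default instead of looping forever on
      # "Invalid input" as the old $?-driven loop did.
      if [ -n "$default" ]; then
        INPUTTEXT=$default
        return 1
      fi
      echo "Error: no input available and no default for this question" >&2
      return 2
    fi
    if [ -z "$INPUTTEXT" ] && [ -n "$default" ]; then
      INPUTTEXT=$default
      return 1
    fi
    # -x anchors the pattern to the whole answer, so "rsync|wget" accepts
    # exactly those words and not e.g. "notrsync" as the unanchored egrep did.
    if printf '%s\n' "$INPUTTEXT" | grep -Eqx -- "$validate"; then
      return 1
    fi
    echo "Invalid input"
  done
}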


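# Everything below edits files under /etc and restarts services, so refuse
# to continue unless we are root instead of failing half-way through.
if [ "$(id -u)" -ne 0 ]; then
  echo "Error: this script must be run as root" >&2
  exit 1
fi

echo
echo "Openvas Setup, Version: $VERSION"
echo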

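# Test for selinux
# Anything getenforce reports other than "Disabled" (i.e. Enforcing or
# Permissive) is rejected, as the original setup required.
if [ -x /usr/sbin/getenforce ]; then
  # Run the binary that was just tested for instead of relying on PATH.
  if SELINUX=$(/usr/sbin/getenforce 2>/dev/null); then
    if [ "$SELINUX" != "Disabled" ]; then
      echo "Error: Selinux is set to ($SELINUX)"
      echo "  selinux must be disabled in order to use openvas"
      echo "  exiting...."
      exit 1
    fi
  fi
fi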

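# redis setup
# openvas talks to redis over a unix socket only: the socket is restricted
# to its owner (unixsocketperm 700) and the TCP listener is turned off
# (port 0), so the KB is not reachable over the network.
if [ -f /etc/redis.conf ]; then
  REDIS_CONF=/etc/redis.conf
elif [ -f /etc/redis/redis.conf ]; then
  REDIS_CONF=/etc/redis/redis.conf
else
  echo "Error: Redis configuration was not detected"
  exit 1
fi

if ! grep -q "^unixsocket /var/run/redis/redis.sock" "$REDIS_CONF"; then
  sed -i -e 's/^\(#.\)\?unixsocket \/.*$/unixsocket \/var\/run\/redis\/redis.sock/' "$REDIS_CONF"
fi

if ! grep -q '^unixsocketperm.*700' "$REDIS_CONF"; then
  sed -i -e 's/^\(#.\)\?unixsocketperm.*$/unixsocketperm 700/' "$REDIS_CONF"
fi

# Checked on its own: port 0 used to be applied only together with
# unixsocketperm, so a config that already had the permission but still
# listened on TCP was left alone.
if ! grep -q '^port 0$' "$REDIS_CONF"; then
  sed -i -e 's/^\(#.\)\?port.*$/port 0/' "$REDIS_CONF"
fi

# Bugfix for openvas (temporary): comments out the "save" lines, i.e.
# disables redis RDB snapshots.
sed -i "s/^save/#save/g" "$REDIS_CONF"
if ! /usr/sbin/service redis restart; then
  echo "Warning: redis restart returned an error; openvas needs redis running" >&2
fi

# Point the scanner at the redis socket configured above.
if grep -q ^kb_location /etc/openvas/openvassd.conf 2>/dev/null; then
  sed -i -e 's/kb_location=.*$/kb_location=\/var\/run\/redis\/redis.sock/' /etc/openvas/openvassd.conf
else
  echo "kb_location=/var/run/redis/redis.sock" >> /etc/openvas/openvassd.conf
fi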


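# Download NVT updates
echo
echo "Step 1: Update NVT, CERT, and SCAP data"
echo "Please note this step could take some time."
echo "Once completed, this will be updated automatically every 24 hours"
echo

echo "Select download method"
echo
echo "  * wget (NVT download only) "
echo "  * curl (NVT download only) "
echo "  * rsync"
echo
echo "  Note: If rsync requires a proxy, you should define that before this step."
echo

# Answer is returned in the global INPUTTEXT; an empty answer means rsync.
check_input "Downloader [Default: rsync]" "rsync|wget|curl" "rsync"

echo "Updating NVTs...."

if [ "$INPUTTEXT" = "rsync" ] || [ -z "$INPUTTEXT" ]; then
  # rsync is the only method that also fetches the CERT and SCAP feeds.
  /usr/sbin/greenbone-nvt-sync || exit 1

  echo "Updating CERT data..."
  if ! /usr/sbin/greenbone-certdata-sync; then
    echo "Error: CERT data download did not complete"
  fi

  echo "Updating SCAP data..."
  if ! /usr/sbin/greenbone-scapdata-sync; then
    # This failure used to be reported as a CERT failure.
    echo "Error: SCAP data download did not complete"
  fi
else
  if [ "$INPUTTEXT" = "wget" ]; then
    DL_OPT="--wget"
  else
    DL_OPT="--curl"
  fi
  /usr/sbin/greenbone-nvt-sync "$DL_OPT" || exit 1
fi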



# Handle certs
echo
echo -n "Updating OpenVAS Manager certificates: "
# "-V" serves as the existence check here: a non-zero status triggers
# creation with "-a"; output of both calls is discarded.
if /usr/bin/openvas-manage-certs -V >/dev/null 2>&1; then
  echo "Already Exists"
else
  /usr/bin/openvas-manage-certs -a >/dev/null 2>&1
  echo "Complete"
fi
echo


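# Restart the scanner and give it a fixed grace period to load the NVTs.
/usr/sbin/service openvas-scanner restart >/dev/null 2>&1
echo -n "Pausing while openvas-scanner loads NVTs..."
sleep 10
echo "Done"

# Start openvas manager, use rngd to speed up the key process
# NOTE(security): "rngd -r /dev/urandom" feeds the kernel's own urandom
# output back into its entropy pool with entropy credit. That adds no
# independent randomness; it only keeps /dev/random from blocking during
# key generation on older kernels. On systems with a hardware RNG device,
# or kernels where /dev/random no longer blocks, this is unnecessary and
# better left out.
if [ -x /usr/sbin/rngd ]; then
  # Run the binary that was just tested for instead of relying on PATH.
  if ! pidof rngd > /dev/null; then
    /usr/sbin/rngd -r /dev/urandom
  fi
fi

# Migrate an existing task database, otherwise build a fresh one. Neither
# result used to be checked; a failure is now at least reported.
if [ -f /var/lib/openvas/mgr/tasks.db ]; then
  if ! /usr/sbin/openvasmd --migrate --progress; then
    echo "Warning: openvasmd --migrate reported an error" >&2
  fi
else
  if ! /usr/sbin/openvasmd --rebuild --progress; then
    echo "Warning: openvasmd --rebuild reported an error" >&2
  fi
fi

/usr/sbin/service openvas-manager restart >/dev/null 2>&1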



# Configure GSAD, localhost only, or  0.0.0.0
echo
echo "Step 2: Configure GSAD"
echo "The Greenbone Security Assistant is a Web Based front end"
echo "for managing scans. By default it is configured to only allow"
echo "connections from localhost."
echo

# Locate the gsad defaults file. GSAD_CONF is set here but not read again
# anywhere in this script, and a missing file is reported without
# aborting, so this step is informational only.
if [[ -f /etc/sysconfig/gsad ]]; then
  GSAD_CONF=/etc/sysconfig/gsad
elif [[ -f /etc/default/greenbone-security-assistant ]]; then
  GSAD_CONF=/etc/default/greenbone-security-assistant
else
  printf '\nError: gsad config not found\n\n'
fi


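# Only run the account step when no "admin" user exists yet, so re-running
# the script does not reset an existing password.
if ! /usr/sbin/openvasmd --get-users | grep -q '^admin$'; then

  # Configure Admin user
  echo
  echo "Step 3: Choose the GSAD admin users password."
  echo "The admin user is used to configure accounts,"
  echo "Update NVT's manually, and manage roles."
  echo

  echo -n "Enter administrator username [Default: admin] : "
  read -r USERNAME

  if [ -z "$USERNAME" ]; then
    USERNAME=admin
  fi

  # Prompt the user for the desired password and verify its accuracy.
  # "read -s" suppresses echo on a terminal and restores the tty settings
  # itself, also when interrupted; the previous stty -echo / stty echo pair
  # left echo off on Ctrl-C and printed an error when stdin was not a tty.
  PASSCONFIRMED=0
  while [ "$PASSCONFIRMED" -lt 1 ]; do
    echo -n "Enter Administrator Password: "
    read -rs PASSWORD
    echo

    echo -n "Verify Administrator Password: "
    read -rs PASSWORD2
    echo

    if [ "$PASSWORD" == "$PASSWORD2" ]; then
      if [ -z "$PASSWORD" ]; then
        echo "Empty password not allowed."
        PASSCONFIRMED=0
      else
        PASSCONFIRMED=1
      fi
      echo
    else
      echo "Passwords do not match"
      echo
    fi
  done

  # Create admin user
  # Output of --create-user is discarded as before; a failed password set
  # is now reported instead of passing silently.
  # NOTE(security): the password is handed to openvasmd on its command
  # line, so it can be visible to other local users in the process list
  # (and in "set -x" traces) while that command runs. The options used
  # here offer no visible alternative; TODO confirm whether the installed
  # openvasmd can take the password from a file or stdin instead.
  /usr/sbin/openvasmd --create-user="$USERNAME" >/dev/null 2>&1
  if ! /usr/sbin/openvasmd --user="$USERNAME" --new-password="$PASSWORD"; then
    echo "Error: could not set the password for user $USERNAME" >&2
  fi
  # Do not keep the secret around in the shell environment longer than needed.
  unset PASSWORD PASSWORD2

fi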

# Run openvasmd --rebuild once more after the admin-user step, as the
# original flow does.
/usr/sbin/openvasmd --rebuild --progress

printf '\nSetup complete, you can now access GSAD at:\n  https://<IP>:9392\n\n'

# Stop rngd
# Note: this stops every rngd process, including one that was already
# running before this script started.
if [[ -f /usr/sbin/rngd ]]; then
  killall rngd
fi

service gsad restart

# Add to startup for systemd based systems
if [[ -x /bin/systemctl ]]; then
  systemctl enable openvas-scanner
  systemctl enable openvas-manager
  # The web front-end unit name differs between distributions; enable
  # whichever one is installed.
  if [[ -f /lib/systemd/system/greenbone-security-assistant.service ]]; then
    systemctl enable greenbone-security-assistant
  else
    systemctl enable gsad
  fi
fi

# End

