Re: [Openvas-discuss] Vulnerabilities OpenVAS

Tue, 20 Oct 2015 10:01:31 -0700 


Am 20.10.2015 um 18:53 schrieb Diego Gomes:

Yes, it seems..

Maybe because I am not so familiar with this method of systemd!

I will try anyway,


it is as simple as i explained


just take a systemd-unit from /usr/lib/systemd/system and copy it to 
/ect/systemd/system - the reason why you first disable it is that enable 
a service is nothing else than a symlink which is still there and links 
to /usr/lib/systemd/system



from the moment on a unit in /etc/systemd/system with the same name 
exists "systemctl enable service" will prefer that instead the one from 
the package



that's really as simple as something can be - try the same with sysvinit 
to prevent your changes overwritten by random updates and you will end 
with think about a different name for the service with all the bad 
impact changed start ordering



having a systemd-unit in /etc/systemd/system called "httpd.service" will 
be handeled exactly like the one shipped with the distribution and so 
any "After=httpd.service" or "Before=httpd-service" will work as before



the only shame is that OpenVAS needs to be secured by the user while it 
is used to find unsecure settings in any other software - i would call 
that situation pervert but that don't change the fact override a 
systemd-unit is as easy as something can be




To: [email protected]
From: [email protected]
Date: Tue, 20 Oct 2015 18:51:19 +0200
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS



Am 20.10.2015 um 18:45 schrieb Diego Gomes:

Thanks Reindl,

It seems a little complicated, right? Does anyone applying it to secure
the own OpenVAS?


there is nothing complicated in clone and edit a systemd-unit and it
should be a regular and well known task for anybody maintaining a server


To: [email protected]
From: [email protected]
Date: Tue, 20 Oct 2015 14:35:23 +0200
Subject: Re: [Openvas-discuss] Vulnerabilities OpenVAS

Am 20.10.2015 um 14:30 schrieb Diego Gomes:

Thanks Chris,

So, I need to:

vi /usr/lib/systemd/system/openvas-scanner.service


never ever touch /usr/lib/systemd/system/

whatever you touch would be overwritten with the next update and so you
throw away one of the biggest improvements compard to sysvinit

* disable services you want to edit
* copy the systemd-unit to /etc/systemd/system/
* edit the copy there
* enable the service again
* systemctl daemon reload
* systemctl restart servicename


insert
"--gnutls-priorities="SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0""
this line at the end of the file?


for sure not at the end of the systemd-unit
what should systemd do with that line?

it's a param for the ExecStart process if there is not a config file


The same for /usr/lib/systemd/system/openvas-manager.service


same as above - don't touch /usr/lib/systemd





Attachment:
signature.asc

Description: OpenPGP digital signature


_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss






















					Reply via email to