OpenVAS

From NST Wiki
Jump to: navigation, search

Overview

The Open Vulnerability Assessment Scanner (OpenVAS) and Greenbone Security tools provide the following capabilities:

  • Scan systems on your network looking for security risks.
  • Manage and update the rule sets used for the scans.
  • Produce reports based on the scans.
  • Schedule periodic scans.
  • Interact with the system via the command line, a desktop GUI interface, or a web based front end.

The OpenVAS project is a branch of the original Nessus software. More information can be found at http://www.openvas.com/.

The OpenVAS software package was included in the NST distribution starting with the 2.15.0 release.

Warning.png You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a live boot you will likely run out of memory and lock your system.

Quick Tip On Getting Started

  1. Define a target.
  2. Define a Task.
  3. Run Task.

NST 26 Setup

Getting OpenVAS (http://openvas.org) and Greenbone (https://www.greenbone.net/) set up and working on a NST 26 or Fedora 26 based system is a non-trivial task and involves some time (plan on 60 minutes). While the instructions below are based on a successful set up, due to the dynamic nature of all the packages and systems involved adjustments may need to be made in the future. Repeated use of the openvas-check-setup tool is highly recommended as you set up your system as it will not only indicate what is wrong, but will also provide useful instructions on what to do next to correct the issue.

Installation and Setup

Log into a terminal as root and make sure the following packages are installed (alien, nsis and texlive-collection-latexextra are optional, but you will be missing some functionality if you do not include them):

dnf install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa gnutls-utils redis alien nsis texlive-collection-latexextra

Use the openvas-check-setup command as a diagnostic and guide during the installation process. We will be running this command a lot!

openvas-check-setup

Edit the /etc/redis.conf file and make certain that the following two lines are uncommented (NOTE: We are not entirely certain that this step is required):

unixsocket /tmp/redis.sock
unixsocketperm 700 

Start and enable the redis service (restart if already running and you modified the configuration file):

systemctl restart redis.service
systemctl enable redis.service
openvas-check-setup

Update the security checks using the greenbone-nvt-sync tool:

openvas-nvt-sync
openvas-check-setup

Enable signature checking of OpenVAS NVTs is optional, see http://www.openvas.org/trusted-nvts.html for details.

install -d -m 700 /etc/openvas/gnupg
gpg --homedir=/etc/openvas/gnupg --gen-key
wget http://www.openvas.org/OpenVAS_TI.asc
gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

# List keys to determine ID of imported key
gpg --homedir=/etc/openvas/gnupg --list-keys
# Substitute ID of imported key for KEY_ID shown below
gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID

# Turn on NVT signature checking in OpenVAS configuration
sed -i -e 's,^\(nasl_no_signature_check =\).*,\1 no,' /etc/openvas/openvassd.conf
openvas-check-setup

Start and enable the OpenVAS scanner service to initialize NVT cache:

systemctl start openvas-scanner.service
systemctl enable openvas-scanner.service
# Wait for CPU to settle, eventually the following message should go
# away from the openvas-check-setup - may take a long time:
#  "NVT cache has not yet been generated" message should go away
openvas-check-setup

Create a client certificate:

openvas-mkcert-client -n -i
openvas-check-setup

Rebuild the openvas manager database:

rm -f /var/lib/openvas/mgr/tasks.db
openvasmd -f -v --rebuild
openvas-check-setup

Create a user account (admin in this example). Make sure you remember or copy/paste the password that is displayed (it will be a long string of random characters). Or, set it to a preferred password

openvasmd --create-user=admin --role=Admin
# To change the password after creation, use:
openvasmd --user=admin --new-password=PASSWORD
openvas-check-setup

Intialize the OpenVAS SCAP database (takes awhile).

openvas-scapdata-sync
openvas-check-setup

Initialize the OpenVAS CERT database.

openvas-certdata-sync
openvas-check-setup

Start and enable the OpenVAS manager service:

systemctl start openvas-manager.service
systemctl enable openvas-manager.service
openvas-check-setup

Start and enable the Greenbone Security Assistant (GSA) service:

systemctl start openvas-gsa.service
systemctl enable openvas-gsa.service
openvas-check-setup

Accessing OpenVAS on an NST Probe

You should now be able to access the Greenbone Security Assistant at https://127.0.0.1:9443 (you can substitute the IP address of your NST system for the 127.0.0.1 if accessing remotely).

You should be able to log in as admin using the initially generated password. After logging in, select User under the Administration menu and update your password (if desired).

From the main page, you can perform a quick scan on the NST system itself by entering the IPv4 address of your NST system and pressing the Start Scan button:

Openvas-quickscan.png

When the scan completes it should only include informational entries in the vulnerability report (Log issues describing things discovered that are not necessarily vulnerabilities). Also, if you scan 127.0.0.1 instead of the IPv4 address associated with your network interface, you may find more issues.

You should also be able to verify that the OpenVAS Command Line Interface (CLI) by running:

omp --ping
omp -p 9390 --username=admin --password=YOUR_PASSWORD --xml="<help/>"
...

Refer to the http://openvas.org/ web site for instructions on using OpenVAS and the Greenbone Security Assistant.

NST 22 Setup

Installation and Setup

Log into a terminal as root and make sure the following packages are installed:

dnf install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa gnutls-utils

Update the security checks using the openvas-nvt-sync tool:

openvas-nvt-sync

Edit the /etc/redis.conf file and make certain that the following two lines are uncommented (NOTE: We are not entirely certain that this step is required):

unixsocket /tmp/redis.sock
unixsocketperm 777 

Start and enable the redis service (restart if already running and you modified the configuration file):

systemctl restart redis.service
systemctl enable redis.service

Start and enable the OpenVAS scanner and manager services:

systemctl start openvas-scanner.service
systemctl enable openvas-scanner.service
systemctl start openvas-manager.service
systemctl enable openvas-manager.service

Create a client certificate:

openvas-mkcert-client -n -i

To test the connection, run (you can press Control-D to end the connection):

gnutls-cli --insecure -p 9391 127.0.0.1 --x509keyfile=/etc/pki/openvas/private/CA/clientkey.pem --x509certfile=/etc/pki/openvas/CA/clientcert.pem

Instruct OpenVAS to rebuild its database:

openvasmd --rebuild

Create a user account (admin in this example). Make sure you remember or copy/paste the password that is displayed (it will be a long string of random characters).

openvasmd --create-user=admin

Restart the OpenVAS manager service:

systemctl restart openvas-manager.service

Start and enable the Greenbone Security Assistant (GSA) service:

systemctl start openvas-gsa.service
systemctl enable openvas-gsa.service

Accessing OpenVAS on an NST Probe

You should now be able to access the Greenbone Security Assistant at https://127.0.0.1:9443 (you can substitute the IP address of your NST system for the 127.0.0.1 if accessing remotely).

You should be able to log in as admin using the initially generated password. After logging in, select User under the Administration menu and update your password.

From the main page, you can perform a quick scan on the NST system itself by entering 127.0.0.1 and pressing the Start Scan button:

Openvas-quickscan.png

When the scan completes it may report a few medium severity issues related to the openvasmd process on port 9390.

You should also be able to verify that the OpenVAS Command Line Interface (CLI) by running:

omp --ping
omp -p 9390 --username=admin --password=YOUR_PASSWORD --xml="<help/>"
...

Refer to the http://www.openvas.com/ web site for instructions on using OpenVAS and the Greenbone Security Assistant.

NST 16 and NST 18 Setup

NST 2.16.0 - Preliminary Notes: Starting with Fedora 16, getting OpenVAS working with the Greenbone Security Assistant Desktop and Web interface has been a challenge. We are currently in the process of trying to figure out how to get it working. Currently only the openvas-client is available for OpenVAS control.

Steps To Get OpenVAS Started With NST 16 and NST 18

  • Add an OpenVAS client user (e.g., 'root') (Respond to all command prompts):
[root@dhcp132 ~]# openvas-adduser
  • To synchronize OpenVAS security checks, use the openvas-nvt-sync command:
[root@dhcp132 ~]# openvas-nvt-sync
  • Start the OpenVAS Scanner service. This will take minutes to hours to complete (at least the first time). If it takes too long, a failure will be reported, but the process will continue to run and parse the .nasl files out of the /var/lib/openvas/plugins directory. If you get hit with the timeout situtation, you can use the top' command to monitor the openvassd process :
[root@dhcp132 ~]# systemctl start openvas-scanner.service
  • The OpenVAS Scanner service may take many minutes to start when initially loading all of the .nasl plugins found under the /var/lib/openvas/plugins directory. It may take so long that you may see a failure message reported in the previous step due to a time out. If this occurs, you can use the top command to monitor the load of the openvassd process and wait for the load the drop. Here's an example of a high load by the openvassd process:
top - 07:30:17 up 18:33,  3 users,  load average: 1.50, 1.47, 1.25 
Tasks: 142 total,   2 running, 140 sleeping,   0 stopped,   0 zombie
Cpu0  :  7.6%us, 20.9%sy,  0.0%ni,  0.0%id,  0.8%wa, 68.9%hi,  1.8%si,  0.0%st
Mem:   1027908k total,   897168k used,   130740k free,   119148k buffers
Swap:  2064380k total,      612k used,  2063768k free,   480452k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
27120 root      20   0 43092  35m 1832 S 17.9  3.6   2:04.78 openvassd          
    1 root      20   0  5688 3464 1952 S  0.5  0.3   0:08.17 systemd            
  306 root      20   0     0    0    0 S  0.1  0.0   0:00.88 jbd2/dm-1-8        
 4239 root      20   0     0    0    0 S  0.1  0.0   0:16.80 kworker/0:2        
 4262 root      20   0 57420  19m 9208 S  0.1  1.9   0:34.68 Xorg               
  • Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:
[root@dhcp132 ~]# openvasmd --rebuild
  • Start the OpenVAS Manager service:
[root@dhcp132 ~]# systemctl start openvas-manager.service
  • At this point both the OpenVAS Scanner (openvassd:9391) & Manager (openvasmd:9390) service should be started:
[root@dhcp132 ~]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN      2024/vino-server    
tcp        0      0 0.0.0.0:9390                0.0.0.0:*                   LISTEN      27395/openvasmd     
tcp        0      0 0.0.0.0:9391                0.0.0.0:*                   LISTEN      25093/openvassd     
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      1391/httpd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1378/sshd           
tcp        0      0 0.0.0.0:3001                0.0.0.0:*                   LISTEN      1382/ntop           
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      11949/sshd          
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      1391/httpd                     
tcp        0      0 10.222.222.10:22            10.222.222.18:49240         ESTABLISHED 11949/sshd          
tcp        0      0 10.222.222.10:5900          10.222.222.18:53555         ESTABLISHED 2024/vino-server    
tcp        0      0 :::5900                     :::*                        LISTEN      2024/vino-server    
tcp        0      0 :::22                       :::*                        LISTEN      1378/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      11949/sshd                 
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               981/chronyd         
udp        0      0 0.0.0.0:323                 0.0.0.0:*                               981/chronyd         
udp        0      0 :::123                      :::*                                    981/chronyd         
udp        0      0 :::323                      :::*                                    981/chronyd
[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - OpenVAS Scanner
	  Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; disabled)
	  Active: active (running) since Fri 2013-05-10 20:43:42 EDT; 10h ago
	Main PID: 19509 (openvassd)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  ├─10466 openvassd: serving 127.0.0.1
		  ├─10486 openvassd: serving 127.0.0.1
		  └─19509 openvassd: waiting for incoming connections

May 10 20:41:53 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:03 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:14 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:26 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:40 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:54 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:10 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:28 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:42 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:42 cayenne systemd[1]: Started OpenVAS Scanner.
[root@cayenne ~]# systemctl status openvas-manager.service
openvas-manager.service - OpenVAS Manager
	  Loaded: loaded (/usr/lib/systemd/system/openvas-manager.service; disabled)
	  Active: active (running) since Fri 2013-05-10 20:54:37 EDT; 10h ago
	Main PID: 19571 (openvasmd)
	  CGroup: name=systemd:/system/openvas-manager.service
		  └─19571 /usr/sbin/openvasmd --port=9390 --slisten=127.0.0.1 --sport=9391 --otp

May 10 20:54:37 cayenne systemd[1]: Starting OpenVAS Manager...
May 10 20:54:37 cayenne systemd[1]: Started OpenVAS Manager.
[root@cayenne ~]# 


  • Finally, from a Gnome Desktop start up the OpenVAS client (/usr/bin/openvas-client) and login as the user added in the first step:

Applications => System Tools => OpenVAS Client

NOTE: It takes a long time to load the initial rules when using openvas-client. The application may appear to hang and you may need to be patient for a few minutes as rules are loaded.

NOTE2: When openvas-client disconnects and exits, the openvassd process that was forked to serve it may not cleanly exit and consume 100% of a CPU. You can use the top command to identify and kill this process should it occur.

Accessing OpenVAS on an NST Probe

  • From the NST WUI menu system (Web-Based Interface - WUI): Security => Active Scanners => Greenbone Security WUI (OpenVAS)
  • From the Gnome or Fluxbox Desktop (X Window-Based Interface - GUI): Greenbone Security Desktop Tool

Steps To Get OpenVAS Started With NST 15

Command Line Setup

This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line.


First Download/Update the OpenVAS Plugins

To install (or update if you've already installed the plugins at some point in the past), use the openvas-nvt-sync command. For example:

[root@dhcp132 ~]# openvas-nvt-sync

... Lots of output as rules are updated ...

[root@dhcp132 ~]# 

WARNING: Due not try this on a Live boot of the NST, as it writes a large amount of data to disk (which consumes RAM in a live boot).

The plugins for OpenVAS will be installed under the /var/lib/openvas/plugins directory. This directory won't exist until the initial plugins are installed using the openvas-nvt-sync command shown above. The following command shows how to get a count of the currently available plugins:

[root@dhcp132 ~]# ls /var/lib/openvas/plugins | wc -l
42962
[root@dhcp132 ~]#

Next Start The openvas-scanner Service

Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the /var/cache/openvas directory. The first time you try and start the service, systemctl may time out and report that the service failed to start even though the openvassd process is still running and parsing rules. For example:

[root@cayenne ~]# systemctl start openvas-scanner.service
Job failed. See system logs and 'systemctl status' for details.
[root@cayenne ~]# ps -fC openvassd
UID        PID  PPID  C STIME TTY          TIME CMD
root      3813  3812 48 13:30 ?        00:02:34 openvassd -q --port=9391
[root@cayenne ~]# 


It takes a very long time for the initial loading and processing of the plugins. You can try to peek at what plugins are currently being loaded (to assure yourself that progress is being made) using the lsof command (this doesn't always work and depends a bit on the start of the openvassd process):

[root@cayenne ~]# lsof | grep /var/lib/openvas/plugins 
openvassd 12858      root  cwd     4r    REG    253,1     2635   21050  /var/lib/openvas/plugins/plugins/gb_MDaemon_39857.nasl
[root@cayenne ~]# 

If you run the top command while the openvassd is processing the plugins, you should see the openvassd consuming a substantial amount of CPU.

Eventually the openvassd process will complete it's loading phase and enter into a state where it is ready to accept incoming connections. You can use the ps command to check for this.

[root@dcayenne ~]# ps -fC openvassd
UID        PID  PPID  C STIME TTY          TIME CMD
root     24529     1  0 07:13 ?        00:00:00 openvassd: waiting for incoming 
[root@dcayenne ~]# 

The systemctl command can also be used to verify that the openvassd process is ready for incoming connections:

[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner
	  Loaded: loaded (/etc/rc.d/init.d/openvas-scanner)
	  Active: failed since Wed, 15 Jun 2011 07:10:23 -0400; 7min ago 
	 Process: 2164 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=killed, signal=TERM)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  └ 24529 openvassd: waiting for incoming connections
[root@cayenne ~]#

You may notice that systemctl reports the service in a failed state even though the openvassd daemon is running and accepting connections. You should be able to clear this failed state indicator by restarting the service.

[root@cayenne ~]# systemctl restart openvas-scanner.service
[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner
	  Loaded: loaded (/etc/rc.d/init.d/openvas-scanner)
	  Active: active (running) since Sat, 16 Jul 2011 13:44:52 -0400; 1min 6s ago
	 Process: 27198 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=exited, status=0/SUCCESS)
	Main PID: 27193 (openvassd)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  └ 27193 openvassd: waiting for incoming connections
[root@cayenne ~]# 
[root@cayenne ~]#

To enable the openvas-scanner (openvassd) service at boot time, run the following command:

[root@cayenne ~]# systemctl enable openvas-scanner.service
openvas-scanner.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-scanner on
[root@cayenne ~]#

Next Start The openvas-manager Service

Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:

[root@cayenne ~]# openvasmd --rebuild
[root@cayenne ~]# 

Once the database has been setup, you can start the service in the following manner:

[root@cayenne ~]# systemctl start openvas-manager.service
[root@cayenne ~]# systemctl status openvas-manager.service
openvas-manager.service - LSB: start|stop|status|restart|condrestart OpenVAS Manager
	  Loaded: loaded (/etc/rc.d/init.d/openvas-manager)
	  Active: active (running) since Sat, 16 Jul 2011 13:56:41 -0400; 5s ago
	 Process: 27445 ExecStart=/etc/rc.d/init.d/openvas-manager start (code=exited, status=0/SUCCESS)
	Main PID: 27450 (openvasmd)
	  CGroup: name=systemd:/system/openvas-manager.service
		  └ 27450 openvasmd --port=9390 --slisten=127.0.0.1 --sport=...
[root@cayenne ~]# 

To enable the openvas-manager (openvasmd) service at boot time, run the following command:

[root@cayenne ~]# systemctl enable openvas-manager.service
openvas-manager.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-manager on
[root@cayenne ~]#

Next Start The openvas-administrator Service

Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a root user (you can choose any name you prefer):

[root@cayenne ~]# openvasad -c add_user -n root --role=Admin
Enter password: 
ad   main:MESSAGE:23822:2011-06-15 07h54.32 EDT: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:23822:2011-06-15 07h54.32 EDT: User root has been successfully created.
[root@cayenne ~]# 

Once a administrative user has been added, you should be able to start the service as shown below

[root@cayenne ~]# systemctl start openvas-administrator.service
[root@cayenne ~]# systemctl status openvas-administrator.service
openvas-administrator.service - LSB: start|stop|status|restart|condrestart OpenVAS Manager
	  Loaded: loaded (/etc/rc.d/init.d/openvas-administrator)
	  Active: active (running) since Sat, 16 Jul 2011 13:59:17 -0400; 3s ago
	 Process: 27475 ExecStart=/etc/rc.d/init.d/openvas-administrator start (code=exited, status=0/SUCCESS)
	Main PID: 27480 (openvasad)
	  CGroup: name=systemd:/system/openvas-administrator.service
		  └ 27480 openvasad --port=9393
[root@cayenne ~]# 

To enable the openvas-administrator (openvasad) service at boot time, run the following command:

[root@cayenne ~]# systemctl enable openvas-administrator.service
openvas-administrator.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-administrator on
[root@cayenne ~]#

Next Start The gsad Service

Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows:

[root@cayenne ~]# systemctl start gsad.service
[root@cayenne ~]# systemctl status gsad.service
gsad.service - LSB: This starts and stops the Greenbone Security Assistant.
	  Loaded: loaded (/etc/rc.d/init.d/gsad)
	  Active: active (running) since Sat, 16 Jul 2011 14:14:30 -0400; 4s ago
	 Process: 27880 ExecStart=/etc/rc.d/init.d/gsad start (code=exited, status=0/SUCCESS)
	Main PID: 27886 (gsad)
	  CGroup: name=systemd:/system/gsad.service
		  └ 27886 /usr/sbin/gsad --port=9392 --alisten=127.0.0.1 --a...
[root@cayenne ~]# 

To enable the gsad service at boot time, run the following command:

[root@cayenne ~]# systemctl enable gsad.service
gsad.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig gsad on
[root@cayenne ~]#

Finally Verify Your Setup Using openvas-check-setup

After you have all of the services set up and running, you can use the openvas-check-setup command to perform a sanity check on your system to verify that it has been setup correctly.

[root@cayenne ~]# openvas-check-setup

... Lots of output as various checks are performed.
    If not all OK, then a SUGGESTION should appear ...

It seems like your OpenVAS-4 installation is OK.
 
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

[root@cayenne ~]#