OpenVAS

From NST Wiki
Revision as of 16:04, 25 July 2011 by Rwh (talk | contribs) (Accessing Open VAS on an NST Probe)
Jump to navigationJump to search

Overview

The Open Vulnerability Assessment Scanner (OpenVAS) and Greenbone Security tools provide the following capabilities:

  • Scan systems on your network looking for security risks.
  • Manage and update the rule sets used for the scans.
  • Produce reports based on the scans.
  • Schedule periodic scans.
  • Interact with the system via the command line, a desktop GUI interface, or a web based front end.

The OpenVAS project is a branch of the original Nessus software. More information can be found at http://www.openvas.com/.

The OpenVAS software package was included in the NST distribution starting with the 2.15.0 release.

Warning.png You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a live boot you will likely run out of memory and lock your system.

Accessing Open VAS on an NST Probe

Currently only a command line setup of Open VAS is available and described below. This is first required in order to access Open VAS. Once you have completed setting up Open VAS, one can use either of the following methods for access:

  • From the NST WUI menu system (Web-Based Interface - WUI): Security => Active Scanners => Greenbone Security WUI (OpenVAS)
  • From the Gnome or Fluxbox Desktop (X Window-Based Interface - GUI): Greenbone Security Desktop Tool

Quick Tip On Getting Started

  1. Define a target.
  2. Define a Task.
  3. Run Task.

Command Line Setup

This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line.


First Download/Update the OpenVAS Plugins

To install (or update if you've already installed the plugins at some point in the past), use the openvas-nvt-sync command. For example:

[root@dhcp132 ~]# openvas-nvt-sync

... Lots of output as rules are updated ...

[root@dhcp132 ~]# 

WARNING: Due not try this on a Live boot of the NST, as it writes a large amount of data to disk (which consumes RAM in a live boot).

The plugins for OpenVAS will be installed under the /var/lib/openvas/plugins directory. This directory won't exist until the initial plugins are installed using the openvas-nvt-sync command shown above. The following command shows how to get a count of the currently available plugins:

[root@dhcp132 ~]# ls /var/lib/openvas/plugins | wc -l
42962
[root@dhcp132 ~]#

Next Start The openvas-scanner Service

Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the /var/cache/openvas directory. The first time you try and start the service, systemctl may time out and report that the service failed to start even though the openvassd process is still running and parsing rules. For example:

[root@cayenne ~]# systemctl start openvas-scanner.service
Job failed. See system logs and 'systemctl status' for details.
[root@cayenne ~]# ps -fC openvassd
UID        PID  PPID  C STIME TTY          TIME CMD
root      3813  3812 48 13:30 ?        00:02:34 openvassd -q --port=9391
[root@cayenne ~]# 


It takes a very long time for the initial loading and processing of the plugins. You can try to peek at what plugins are currently being loaded (to assure yourself that progress is being made) using the lsof command (this doesn't always work and depends a bit on the start of the openvassd process):

[root@cayenne ~]# lsof | grep /var/lib/openvas/plugins 
openvassd 12858      root  cwd     4r    REG    253,1     2635   21050  /var/lib/openvas/plugins/plugins/gb_MDaemon_39857.nasl
[root@cayenne ~]# 

If you run the top command while the openvassd is processing the plugins, you should see the openvassd consuming a substantial amount of CPU.

Eventually the openvassd process will complete it's loading phase and enter into a state where it is ready to accept incoming connections. You can use the ps command to check for this.

[root@dcayenne ~]# ps -fC openvassd
UID        PID  PPID  C STIME TTY          TIME CMD
root     24529     1  0 07:13 ?        00:00:00 openvassd: waiting for incoming 
[root@dcayenne ~]# 

The systemctl command can also be used to verify that the openvassd process is ready for incoming connections:

[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner
	  Loaded: loaded (/etc/rc.d/init.d/openvas-scanner)
	  Active: failed since Wed, 15 Jun 2011 07:10:23 -0400; 7min ago 
	 Process: 2164 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=killed, signal=TERM)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  └ 24529 openvassd: waiting for incoming connections
[root@cayenne ~]#

You may notice that systemctl reports the service in a failed state even though the openvassd daemon is running and accepting connections. You should be able to clear this failed state indicator by restarting the service.

[root@cayenne ~]# systemctl restart openvas-scanner.service
[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner
	  Loaded: loaded (/etc/rc.d/init.d/openvas-scanner)
	  Active: active (running) since Sat, 16 Jul 2011 13:44:52 -0400; 1min 6s ago
	 Process: 27198 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=exited, status=0/SUCCESS)
	Main PID: 27193 (openvassd)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  └ 27193 openvassd: waiting for incoming connections
[root@cayenne ~]# 
[root@cayenne ~]#

To enable the openvas-scanner (openvassd) service at boot time, run the following command:

[root@cayenne ~]# systemctl enable openvas-scanner.service
openvas-scanner.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-scanner on
[root@cayenne ~]#

Next Start The openvas-manager Service

Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:

[root@cayenne ~]# openvasmd --rebuild
[root@cayenne ~]# 

Once the database has been setup, you can start the service in the following manner:

[root@cayenne ~]# systemctl start openvas-manager.service
[root@cayenne ~]# systemctl status openvas-manager.service
openvas-manager.service - LSB: start|stop|status|restart|condrestart OpenVAS Manager
	  Loaded: loaded (/etc/rc.d/init.d/openvas-manager)
	  Active: active (running) since Sat, 16 Jul 2011 13:56:41 -0400; 5s ago
	 Process: 27445 ExecStart=/etc/rc.d/init.d/openvas-manager start (code=exited, status=0/SUCCESS)
	Main PID: 27450 (openvasmd)
	  CGroup: name=systemd:/system/openvas-manager.service
		  └ 27450 openvasmd --port=9390 --slisten=127.0.0.1 --sport=...
[root@cayenne ~]# 

To enable the openvas-manager (openvasmd) service at boot time, run the following command:

[root@cayenne ~]# systemctl enable openvas-manager.service
openvas-manager.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-manager on
[root@cayenne ~]#

Next Start The openvas-administrator Service

Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a root user (you can choose any name you prefer):

[root@cayenne ~]# openvasad -c add_user -n root --role=Admin
Enter password: 
ad   main:MESSAGE:23822:2011-06-15 07h54.32 EDT: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:23822:2011-06-15 07h54.32 EDT: User root has been successfully created.
[root@cayenne ~]# 

Once a administrative user has been added, you should be able to start the service as shown below

[root@cayenne ~]# systemctl start openvas-administrator.service
[root@cayenne ~]# systemctl status openvas-administrator.service
openvas-administrator.service - LSB: start|stop|status|restart|condrestart OpenVAS Manager
	  Loaded: loaded (/etc/rc.d/init.d/openvas-administrator)
	  Active: active (running) since Sat, 16 Jul 2011 13:59:17 -0400; 3s ago
	 Process: 27475 ExecStart=/etc/rc.d/init.d/openvas-administrator start (code=exited, status=0/SUCCESS)
	Main PID: 27480 (openvasad)
	  CGroup: name=systemd:/system/openvas-administrator.service
		  └ 27480 openvasad --port=9393
[root@cayenne ~]# 

To enable the openvas-administrator (openvasad) service at boot time, run the following command:

[root@cayenne ~]# systemctl enable openvas-administrator.service
openvas-administrator.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-administrator on
[root@cayenne ~]#

Next Start The gsad Service

Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows:

[root@cayenne ~]# systemctl start gsad.service
[root@cayenne ~]# systemctl status gsad.service
gsad.service - LSB: This starts and stops the Greenbone Security Assistant.
	  Loaded: loaded (/etc/rc.d/init.d/gsad)
	  Active: active (running) since Sat, 16 Jul 2011 14:14:30 -0400; 4s ago
	 Process: 27880 ExecStart=/etc/rc.d/init.d/gsad start (code=exited, status=0/SUCCESS)
	Main PID: 27886 (gsad)
	  CGroup: name=systemd:/system/gsad.service
		  └ 27886 /usr/sbin/gsad --port=9392 --alisten=127.0.0.1 --a...
[root@cayenne ~]# 

To enable the gsad service at boot time, run the following command:

[root@cayenne ~]# systemctl enable gsad.service
gsad.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig gsad on
[root@cayenne ~]#

Finally Verify Your Setup Using openvas-check-setup

After you have all of the services set up and running, you can use the openvas-check-setup command to perform a sanity check on your system to verify that it has been setup correctly.

[root@cayenne ~]# openvas-check-setup

... Lots of output as various checks are performed.
    If not all OK, then a SUGGESTION should appear ...

It seems like your OpenVAS-4 installation is OK.
 
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

[root@cayenne ~]#