OpenVAS: Difference between revisions

From MediaWiki
Jump to navigationJump to search
(Verified that instructions work on NST 30)
 
(48 intermediate revisions by 2 users not shown)
Line 15: Line 15:
[[Image:Warning.png‎]] You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a ''live'' boot you will likely run out of memory and lock your system.
[[Image:Warning.png‎]] You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a ''live'' boot you will likely run out of memory and lock your system.


= Accessing Open VAS on an NST Probe =
== Quick Tip On Getting Started ==


Currently only a command line setup of '''Open VAS''' is available and described below. This is first ''required'' in order to access '''Open VAS'''. Once you have completed setting up '''Open VAS''', one can use either of the following methods for access:
# Define a target.
# Define a Task.
# Run Task.
 
= '''NST 30, NST 28 and NST 26 Setup''' =
 
Getting OpenVAS (http://openvas.org) and Greenbone (https://www.greenbone.net/) set up and working on a NST 26 or Fedora 26 based system is a non-trivial task and involves some time (plan on 60 minutes). While the instructions below are based on a successful set up, due to the dynamic nature of all the packages and systems involved adjustments may need to be made in the future. Repeated use of the ''openvas-check-setup'' tool is highly recommended as you set up your system as it will not only indicate what is wrong, but will also provide useful instructions on what to do next to correct the issue.
 
 
== Installation and Setup ==
 
NOTE: After NST 26 was release, the openvas packages were updated to version 9. The steps below assume that unix sockets (not TCP connections) will be preferred when communicating between the scanner (openvas-scanner service), manager (openvas-manager) and web interface (gsa-service). The main TCP port open should be 9443 after setup for the web interface. In order to accomplish this you will need to edit (comment) several lines in the /etc/sysconfig/openvas-* files.
 
Log into a terminal as ''root'' and make sure the following packages are installed (alien, nsis and texlive-collection-latexextra are optional, but you will be missing some functionality if you do not include them):
 
dnf install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa gnutls-utils redis alien nsis texlive-collection-latexextra
 
Edit the file /etc/sysconfig/openvas-manager and comment out the TCP connection to the scanner so that unix sockets are used by the manager when talking to the scanner:
 
#Manager listens on given address - by default manager listens on all addresses                                             
MANAGER_LISTEN=--listen=127.0.0.1                                                                                         
#Manager listens on given port - by default 9390                                                                           
MANAGER_PORT=--port=9390                                                                                                   
#Contact scanner on given address                                                                                           
#SCANNER_LISTEN=--scanner-host=127.0.0.1                                                                                   
#Scanner listens on given port - by default 9391                                                                           
#SCANNER_PORT=--scanner-port=9391                                                                                       
 
Edit the file /etc/sysconfig/openvas-gsa and make sure it looks similar to the following:
 
#GSA listens on given address - by default GSA listens on all addresses                                                     
#GSA_LISTEN=--listen=127.0.0.1                                                                                             
#GSA listens on given port - by default 443                                                                                 
GSA_PORT=--port=9443
#Contact manager on given address                                                                                           
MANAGER_LISTEN=--mlisten=127.0.0.1
#Manager listens on given port - by default 9390                                                                           
MANAGER_PORT=--mport=9390
#GNUTLSSTRING                                                                                                               
GNUTLSSTRING=--gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0 
 
Add a symlink so that the manager will be able to find certificates when accepting connections on port 9390 (you only need to do this if the symbolic link is missing):
 
  ln -s /var/lib/openvas /etc/pki
 
Use the openvas-check-setup command as a diagnostic and guide during the installation process. We will be running this command a lot and it will report an ERROR until we complete the setup!
 
openvas-check-setup --v9
 
Edit the ''/etc/redis.conf'' file and make certain that the following two lines are uncommented (NOTE: We are not entirely certain that this step is required):
 
unixsocket /tmp/redis.sock
unixsocketperm 700
 
Start and enable the ''redis'' service (restart if already running and you modified the configuration file):
 
systemctl restart redis.service
systemctl enable redis.service # To enable at boot
openvas-check-setup --v9
 
Update the security checks using the ''greenbone'' tools:
 
greenbone-nvt-sync
greenbone-scapdata-sync
greenbone-certdata-sync
openvas-check-setup --v9
 
Start and enable the OpenVAS scanner service to initialize NVT cache:
 
systemctl start openvas-scanner.service
systemctl enable openvas-scanner.service # To enable at boot
# NOTE: It takes a LONG TIME for the openvas-scanner.service to start
# up the first time dues to loading of a large number of NVTs.
# You can do a status request to get an idea of how far along it is in
# the process (look for the Reload ETA).
systemctl status openvas-scanner.service
● openvas-scanner.service - OpenVAS Scanner
    Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; disabled; v>
    Active: active (running) since Sun 2018-05-27 10:38:52 EDT; 24s ago
  Process: 4112 ExecStart=/usr/sbin/openvassd $SCANNER_SOCKET $SCANNER_MODE $SC>
  Main PID: 4113 (openvassd)
    Tasks: 2 (limit: 4915)
    Memory: 30.6M
    CGroup: /system.slice/openvas-scanner.service
            ├─4113 openvassd: Reloaded 3650 of 45101 NVTs (8% / ETA: 04:32)
            └─4114 openvassd (Loading Handler)
# Eventually the NVTs to should load and you can check where you
# are at in the setup process.
openvas-check-setup --v9
 
Rebuild the openvas manager database:
 
install -D -d -m 755 /var/lib/openvas/openvasmd/gnupg
rm -f /var/lib/openvas/mgr/tasks.db
openvasmd -f -v --rebuild
openvas-check-setup --v9
 
Create a user account (''admin'' in this example). Make sure you remember or copy/paste the password that is displayed (it will be a long string of random characters). Or, set it to a preferred password
 
openvasmd --create-user=admin --role=Admin
# To change the password after creation, use:
openvasmd --user=admin --new-password=PASSWORD
openvas-check-setup --v9
 
Update the certificates:
 
openvas-manage-certs -a
openvas-check-setup --v9
 
Start and enable the OpenVAS manager service:
 
systemctl start openvas-manager.service
systemctl enable openvas-manager.service # To enable at boot
openvas-check-setup --v9
 
Start and enable the Greenbone Security Assistant (GSA) service:
 
systemctl start openvas-gsa.service
systemctl enable openvas-gsa.service # To enable at boot
openvas-check-setup --v9
 
== Accessing OpenVAS on an NST Probe ==
 
You should now be able to access the Greenbone Security Assistant at https://127.0.0.1:9443 (you can substitute the IP address of your NST system for the ''127.0.0.1'' if accessing remotely).
 
You should be able to log in as ''admin'' using the initially generated password. After logging in, select ''User'' under the ''Administration'' menu and update your password (if desired).
 
You should also be able to verify that the OpenVAS Command Line Interface (CLI) by running:
 
omp --ping
omp -p 9390 --username=admin --password=YOUR_PASSWORD --xml="<help/>"
...
 
Refer to the http://openvas.org/ web site for instructions on using OpenVAS and the Greenbone Security Assistant.
 
= '''NST 22 Setup''' =
 
== Installation and Setup ==
 
Log into a terminal as ''root'' and make sure the following packages are installed:
 
dnf install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa gnutls-utils
 
Update the security checks using the ''openvas-nvt-sync'' tool:
 
openvas-nvt-sync
 
Edit the ''/etc/redis.conf'' file and make certain that the following two lines are uncommented (NOTE: We are not entirely certain that this step is required):
 
unixsocket /tmp/redis.sock
unixsocketperm 777
 
Start and enable the ''redis'' service (restart if already running and you modified the configuration file):
 
systemctl restart redis.service
systemctl enable redis.service
 
Start and enable the OpenVAS scanner and manager services:
 
systemctl start openvas-scanner.service
systemctl enable openvas-scanner.service
systemctl start openvas-manager.service
systemctl enable openvas-manager.service
 
Create a client certificate:
 
openvas-mkcert-client -n -i
 
To test the connection, run (you can press ''Control-D'' to end the connection):
gnutls-cli --insecure -p 9391 127.0.0.1 --x509keyfile=/etc/pki/openvas/private/CA/clientkey.pem --x509certfile=/etc/pki/openvas/CA/clientcert.pem
 
Instruct OpenVAS to rebuild its database:
 
openvasmd --rebuild
 
Create a user account (''admin'' in this example). Make sure you remember or copy/paste the password that is displayed (it will be a long string of random characters).
 
openvasmd --create-user=admin
 
Restart the OpenVAS manager service:
 
systemctl restart openvas-manager.service
 
Start and enable the Greenbone Security Assistant (GSA) service:
 
systemctl start openvas-gsa.service
systemctl enable openvas-gsa.service
 
== Accessing OpenVAS on an NST Probe ==
 
You should now be able to access the Greenbone Security Assistant at https://127.0.0.1:9443 (you can substitute the IP address of your NST system for the ''127.0.0.1'' if accessing remotely).
 
You should be able to log in as ''admin'' using the initially generated password. After logging in, select ''User'' under the ''Administration'' menu and update your password.
 
From the main page, you can perform a quick scan on the NST system itself by entering ''127.0.0.1'' and pressing the ''Start Scan'' button:
 
[[Image:openvas-quickscan.png]]
 
When the scan completes it may report a few medium severity issues related to the ''openvasmd'' process on port 9390.
 
You should also be able to verify that the OpenVAS Command Line Interface (CLI) by running:
 
omp --ping
omp -p 9390 --username=admin --password=YOUR_PASSWORD --xml="<help/>"
...
 
Refer to the http://www.openvas.com/ web site for instructions on using OpenVAS and the Greenbone Security Assistant.
 
= '''NST 16  and NST 18 Setup''' =
 
<div class="centerBlock"><div class="noteMessage">'''NST 2.16.0 - Preliminary Notes: '''Starting with Fedora 16, getting '''OpenVAS''' working with the '''Greenbone Security Assistant''' Desktop and Web interface has been a challenge. We are currently in the process of trying to figure out how to get it working. Currently only the '''openvas-client''' is available for '''OpenVAS''' control.</div></div>
 
== '''Steps To Get OpenVAS Started With NST 16 and NST 18''' ==
* Add an OpenVAS client user (e.g., 'root') (Respond to all command prompts):
 
[root@dhcp132 ~]# '''openvas-adduser'''
 
* To synchronize OpenVAS security checks, use the ''openvas-nvt-sync'' command:
 
[root@dhcp132 ~]# '''openvas-nvt-sync'''
 
* Start the OpenVAS Scanner service. This will take minutes to hours to complete (at least the first time). If it takes too long, a failure will be reported, but the process will continue to run and parse the ''.nasl'' files out of the ''/var/lib/openvas/plugins'' directory. If you get hit with the timeout situtation, you can use the '''top''' command to monitor the '''openvassd'' process :
 
[root@dhcp132 ~]# '''systemctl start openvas-scanner.service'''
 
* The OpenVAS Scanner service may take many minutes to start when initially loading all of the ''.nasl'' plugins found under the ''/var/lib/openvas/plugins'' directory. It may take so long that you may see a failure message reported in the previous step due to a time out. If this occurs, you can use the '''top''' command to monitor the load of the '''openvassd''' process and wait for the load the drop. Here's an example of a high load by the '''openvassd''' process:
 
top - 07:30:17 up 18:33,  3 users,  load average: 1.50, 1.47, 1.25
Tasks: 142 total,  2 running, 140 sleeping,  0 stopped,  0 zombie
Cpu0  :  7.6%us, 20.9%sy,  0.0%ni,  0.0%id,  0.8%wa, 68.9%hi,  1.8%si,  0.0%st
Mem:  1027908k total,  897168k used,  130740k free,  119148k buffers
Swap:  2064380k total,      612k used,  2063768k free,  480452k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND           
27120 root      20  0 43092  35m 1832 S 17.9  3.6  2:04.78 openvassd         
    1 root      20  0  5688 3464 1952 S  0.5  0.3  0:08.17 systemd           
  306 root      20  0    0    0    0 S  0.1  0.0  0:00.88 jbd2/dm-1-8       
  4239 root      20  0    0    0    0 S  0.1  0.0  0:16.80 kworker/0:2       
  4262 root      20  0 57420  19m 9208 S  0.1  1.9  0:34.68 Xorg             
 
* Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:
 
[root@dhcp132 ~]# '''openvasmd --rebuild'''
 
* Start the OpenVAS Manager service:
 
[root@dhcp132 ~]# '''systemctl start openvas-manager.service'''
 
* At this point both the OpenVAS Scanner (openvassd:9391) & Manager (openvasmd:9390) service should be started:
 
[root@dhcp132 ~]# '''netstat -tunap'''
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address              Foreign Address            State      PID/Program name 
tcp        0      0 0.0.0.0:5900                0.0.0.0:*                  LISTEN      2024/vino-server   
tcp        0      0 0.0.0.0:9390                0.0.0.0:*                  LISTEN      27395/openvasmd   
tcp        0      0 0.0.0.0:9391                0.0.0.0:*                  LISTEN      25093/openvassd   
tcp        0      0 127.0.0.1:80                0.0.0.0:*                  LISTEN      1391/httpd         
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                  LISTEN      1378/sshd         
tcp        0      0 0.0.0.0:3001                0.0.0.0:*                  LISTEN      1382/ntop         
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                  LISTEN      11949/sshd         
tcp        0      0 0.0.0.0:443                0.0.0.0:*                  LISTEN      1391/httpd                   
tcp        0      0 10.222.222.10:22            10.222.222.18:49240        ESTABLISHED 11949/sshd         
tcp        0      0 10.222.222.10:5900          10.222.222.18:53555        ESTABLISHED 2024/vino-server   
tcp        0      0 :::5900                    :::*                        LISTEN      2024/vino-server   
tcp        0      0 :::22                      :::*                        LISTEN      1378/sshd         
tcp        0      0 ::1:6010                    :::*                        LISTEN      11949/sshd               
udp        0      0 0.0.0.0:123                0.0.0.0:*                              981/chronyd       
udp        0      0 0.0.0.0:323                0.0.0.0:*                              981/chronyd       
udp        0      0 :::123                      :::*                                    981/chronyd       
udp        0      0 :::323                      :::*                                    981/chronyd
[root@cayenne ~]# '''systemctl status openvas-scanner.service'''
openvas-scanner.service - OpenVAS Scanner
  Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; disabled)
  Active: active (running) since Fri 2013-05-10 20:43:42 EDT; 10h ago
Main PID: 19509 (openvassd)
  CGroup: name=systemd:/system/openvas-scanner.service
  ├─10466 openvassd: serving 127.0.0.1
  ├─10486 openvassd: serving 127.0.0.1
  └─19509 openvassd: waiting for incoming connections
May 10 20:41:53 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:03 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:14 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:26 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:40 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:54 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:10 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:28 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:42 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:42 cayenne systemd[1]: Started OpenVAS Scanner.
[root@cayenne ~]# '''systemctl status openvas-manager.service'''
openvas-manager.service - OpenVAS Manager
  Loaded: loaded (/usr/lib/systemd/system/openvas-manager.service; disabled)
  Active: active (running) since Fri 2013-05-10 20:54:37 EDT; 10h ago
Main PID: 19571 (openvasmd)
  CGroup: name=systemd:/system/openvas-manager.service
  └─19571 /usr/sbin/openvasmd --port=9390 --slisten=127.0.0.1 --sport=9391 --otp
May 10 20:54:37 cayenne systemd[1]: Starting OpenVAS Manager...
May 10 20:54:37 cayenne systemd[1]: Started OpenVAS Manager.
[root@cayenne ~]#
 
 
* Finally, from a Gnome Desktop start up the '''OpenVAS''' client ('''/usr/bin/openvas-client''') and login as the user added in the first step:
'''Applications => System Tools => OpenVAS Client'''
 
'''NOTE''': It takes a long time to load the initial rules when using ''openvas-client''. The application may appear to hang and you may need to be patient for a few minutes as rules are loaded.
 
'''NOTE2''': When ''openvas-client'' disconnects and exits, the ''openvassd'' process that was forked to serve it may not cleanly exit and consume 100% of a CPU. You can use the '''top''' command to identify and kill this process should it occur.
 
== Accessing OpenVAS on an NST Probe ==


* From the NST WUI menu system (Web-Based Interface - WUI): '''Security''' => '''Active Scanners''' => '''Greenbone Security WUI (OpenVAS)'''
* From the NST WUI menu system (Web-Based Interface - WUI): '''Security''' => '''Active Scanners''' => '''Greenbone Security WUI (OpenVAS)'''
Line 23: Line 343:
* From the Gnome or Fluxbox Desktop (X Window-Based Interface - GUI): '''Greenbone Security Desktop Tool'''
* From the Gnome or Fluxbox Desktop (X Window-Based Interface - GUI): '''Greenbone Security Desktop Tool'''


= Command Line Setup =
= '''Steps To Get OpenVAS Started With NST 15''' =
== Command Line Setup ==


This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line.
This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line.


<!-- The nobody tweak is not required with the first official 2.15.0 release
<!-- The nobody tweak is not required with the first official 2.15.0 release
== Tweak the ''nobody'' Account ==
=== Tweak the ''nobody'' Account ===


The 2.0.3 release of the openvas-manager package has a issue where the ''nobody'' account needs to have its shell set to ''/bin/bash''. This requirement was supposedly fixed in the 2.0.4 release of the openvas-manager package. Hopefully, by the time NST 2.15.0 is released, it will include the 2.0.4 release of the openvas-manager package and you will be able to skip this step.
The 2.0.3 release of the openvas-manager package has a issue where the ''nobody'' account needs to have its shell set to ''/bin/bash''. This requirement was supposedly fixed in the 2.0.4 release of the openvas-manager package. Hopefully, by the time NST 2.15.0 is released, it will include the 2.0.4 release of the openvas-manager package and you will be able to skip this step.
Line 48: Line 369:
-->
-->


== First Download/Update the OpenVAS Plugins ==
=== First Download/Update the OpenVAS Plugins ===


To install (or update if you've already installed the plugins at some point in the past), use the ''openvas-nvt-sync'' command. For example:
To install (or update if you've already installed the plugins at some point in the past), use the ''openvas-nvt-sync'' command. For example:
Line 66: Line 387:
  [root@dhcp132 ~]#
  [root@dhcp132 ~]#


== Next Start The openvas-scanner Service ==
=== Next Start The openvas-scanner Service ===


Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the ''/var/cache/openvas'' directory. The first time you try and start the service, ''systemctl'' may time out and report that the service failed to start even though the ''openvassd'' process is still running and parsing rules. For example:
Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the ''/var/cache/openvas'' directory. The first time you try and start the service, ''systemctl'' may time out and report that the service failed to start even though the ''openvassd'' process is still running and parsing rules. For example:
Line 120: Line 441:
To enable the ''openvas-scanner'' (openvassd) service at boot time, run the following command:
To enable the ''openvas-scanner'' (openvassd) service at boot time, run the following command:


  [root@cayenne ~]# systemctl disable openvas-scanner.service
  [root@cayenne ~]# systemctl enable openvas-scanner.service
  openvas-scanner.service is not a native service, redirecting to /sbin/chkconfig.
  openvas-scanner.service is not a native service, redirecting to /sbin/chkconfig.
  Executing /sbin/chkconfig openvas-scanner off
  Executing /sbin/chkconfig openvas-scanner on
  [root@cayenne ~]#
  [root@cayenne ~]#


== Start The openvas-manager Service ==
=== Next Start The openvas-manager Service ===


Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:
Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:
Line 152: Line 473:
  [root@cayenne ~]#
  [root@cayenne ~]#


== Start The openvas-administrator Service ==
=== Next Start The openvas-administrator Service ===


Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a ''root'' user (you can choose any name you prefer):
Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a ''root'' user (you can choose any name you prefer):
Line 182: Line 503:
  [root@cayenne ~]#
  [root@cayenne ~]#


== Start The gsad Service ==
=== Next Start The gsad Service ===


Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows:
Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows:
Line 204: Line 525:
  [root@cayenne ~]#
  [root@cayenne ~]#


== Verify Your Setup Using openvas-check-setup ==
=== Finally Verify Your Setup Using openvas-check-setup ===


After you have all of the services set up and running, you can use the ''openvas-check-setup'' command to perform a sanity check on your system to verify that it has been setup correctly.
After you have all of the services set up and running, you can use the ''openvas-check-setup'' command to perform a sanity check on your system to verify that it has been setup correctly.

Latest revision as of 05:28, 19 July 2019

Overview

The Open Vulnerability Assessment Scanner (OpenVAS) and Greenbone Security tools provide the following capabilities:

  • Scan systems on your network looking for security risks.
  • Manage and update the rule sets used for the scans.
  • Produce reports based on the scans.
  • Schedule periodic scans.
  • Interact with the system via the command line, a desktop GUI interface, or a web based front end.

The OpenVAS project is a branch of the original Nessus software. More information can be found at http://www.openvas.com/.

The OpenVAS software package was included in the NST distribution starting with the 2.15.0 release.

You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a live boot you will likely run out of memory and lock your system.

Quick Tip On Getting Started

  1. Define a target.
  2. Define a Task.
  3. Run Task.

NST 30, NST 28 and NST 26 Setup

Getting OpenVAS (http://openvas.org) and Greenbone (https://www.greenbone.net/) set up and working on a NST 26 or Fedora 26 based system is a non-trivial task and involves some time (plan on 60 minutes). While the instructions below are based on a successful set up, due to the dynamic nature of all the packages and systems involved adjustments may need to be made in the future. Repeated use of the openvas-check-setup tool is highly recommended as you set up your system as it will not only indicate what is wrong, but will also provide useful instructions on what to do next to correct the issue.


Installation and Setup

NOTE: After NST 26 was release, the openvas packages were updated to version 9. The steps below assume that unix sockets (not TCP connections) will be preferred when communicating between the scanner (openvas-scanner service), manager (openvas-manager) and web interface (gsa-service). The main TCP port open should be 9443 after setup for the web interface. In order to accomplish this you will need to edit (comment) several lines in the /etc/sysconfig/openvas-* files.

Log into a terminal as root and make sure the following packages are installed (alien, nsis and texlive-collection-latexextra are optional, but you will be missing some functionality if you do not include them): 

dnf install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa gnutls-utils redis alien nsis texlive-collection-latexextra

Edit the file /etc/sysconfig/openvas-manager and comment out the TCP connection to the scanner so that unix sockets are used by the manager when talking to the scanner: 

#Manager listens on given address - by default manager listens on all addresses                                              
MANAGER_LISTEN=--listen=127.0.0.1                                                                                           

#Manager listens on given port - by default 9390                                                                             
MANAGER_PORT=--port=9390                                                                                                    

#Contact scanner on given address                                                                                            
#SCANNER_LISTEN=--scanner-host=127.0.0.1                                                                                     

#Scanner listens on given port - by default 9391                                                                             
#SCANNER_PORT=--scanner-port=9391

Edit the file /etc/sysconfig/openvas-gsa and make sure it looks similar to the following: 

#GSA listens on given address - by default GSA listens on all addresses                                                      
#GSA_LISTEN=--listen=127.0.0.1                                                                                               

#GSA listens on given port - by default 443                                                                                  
GSA_PORT=--port=9443

#Contact manager on given address                                                                                            
MANAGER_LISTEN=--mlisten=127.0.0.1

#Manager listens on given port - by default 9390                                                                             
MANAGER_PORT=--mport=9390 

#GNUTLSSTRING                                                                                                                
GNUTLSSTRING=--gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0

Add a symlink so that the manager will be able to find certificates when accepting connections on port 9390 (you only need to do this if the symbolic link is missing): 

 ln -s /var/lib/openvas /etc/pki

Use the openvas-check-setup command as a diagnostic and guide during the installation process. We will be running this command a lot and it will report an ERROR until we complete the setup! 

openvas-check-setup --v9

Edit the /etc/redis.conf file and make certain that the following two lines are uncommented (NOTE: We are not entirely certain that this step is required): 

unixsocket /tmp/redis.sock
unixsocketperm 700

Start and enable the redis service (restart if already running and you modified the configuration file): 

systemctl restart redis.service
systemctl enable redis.service # To enable at boot
openvas-check-setup --v9

Update the security checks using the greenbone tools: 

greenbone-nvt-sync
greenbone-scapdata-sync
greenbone-certdata-sync
openvas-check-setup --v9

Start and enable the OpenVAS scanner service to initialize NVT cache: 

systemctl start openvas-scanner.service
systemctl enable openvas-scanner.service # To enable at boot
# NOTE: It takes a LONG TIME for the openvas-scanner.service to start
# up the first time dues to loading of a large number of NVTs.
# You can do a status request to get an idea of how far along it is in
# the process (look for the Reload ETA).

systemctl status openvas-scanner.service
● openvas-scanner.service - OpenVAS Scanner
   Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; disabled; v>
   Active: active (running) since Sun 2018-05-27 10:38:52 EDT; 24s ago
  Process: 4112 ExecStart=/usr/sbin/openvassd $SCANNER_SOCKET $SCANNER_MODE $SC>
 Main PID: 4113 (openvassd)
    Tasks: 2 (limit: 4915)
   Memory: 30.6M
   CGroup: /system.slice/openvas-scanner.service
           ├─4113 openvassd: Reloaded 3650 of 45101 NVTs (8% / ETA: 04:32)
           └─4114 openvassd (Loading Handler)

# Eventually the NVTs to should load and you can check where you
# are at in the setup process.
openvas-check-setup --v9

Rebuild the openvas manager database: 

install -D -d -m 755 /var/lib/openvas/openvasmd/gnupg
rm -f /var/lib/openvas/mgr/tasks.db
openvasmd -f -v --rebuild
openvas-check-setup --v9

Create a user account (admin in this example). Make sure you remember or copy/paste the password that is displayed (it will be a long string of random characters). Or, set it to a preferred password 

openvasmd --create-user=admin --role=Admin
# To change the password after creation, use:
openvasmd --user=admin --new-password=PASSWORD
openvas-check-setup --v9

Update the certificates: 

openvas-manage-certs -a
openvas-check-setup --v9

Start and enable the OpenVAS manager service: 

systemctl start openvas-manager.service
systemctl enable openvas-manager.service # To enable at boot
openvas-check-setup --v9

Start and enable the Greenbone Security Assistant (GSA) service: 

systemctl start openvas-gsa.service
systemctl enable openvas-gsa.service # To enable at boot
openvas-check-setup --v9

Accessing OpenVAS on an NST Probe

You should now be able to access the Greenbone Security Assistant at https://127.0.0.1:9443 (you can substitute the IP address of your NST system for the 127.0.0.1 if accessing remotely).

You should be able to log in as admin using the initially generated password. After logging in, select User under the Administration menu and update your password (if desired).

You should also be able to verify that the OpenVAS Command Line Interface (CLI) by running: 

omp --ping
omp -p 9390 --username=admin --password=YOUR_PASSWORD --xml="<help/>"
...

Refer to the http://openvas.org/ web site for instructions on using OpenVAS and the Greenbone Security Assistant.

NST 22 Setup

Installation and Setup

Log into a terminal as root and make sure the following packages are installed: 

dnf install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa gnutls-utils

Update the security checks using the openvas-nvt-sync tool: 

openvas-nvt-sync

Edit the /etc/redis.conf file and make certain that the following two lines are uncommented (NOTE: We are not entirely certain that this step is required): 

unixsocket /tmp/redis.sock
unixsocketperm 777

Start and enable the redis service (restart if already running and you modified the configuration file): 

systemctl restart redis.service
systemctl enable redis.service

Start and enable the OpenVAS scanner and manager services: 

systemctl start openvas-scanner.service
systemctl enable openvas-scanner.service
systemctl start openvas-manager.service
systemctl enable openvas-manager.service

Create a client certificate: 

openvas-mkcert-client -n -i

To test the connection, run (you can press Control-D to end the connection): 

gnutls-cli --insecure -p 9391 127.0.0.1 --x509keyfile=/etc/pki/openvas/private/CA/clientkey.pem --x509certfile=/etc/pki/openvas/CA/clientcert.pem

Instruct OpenVAS to rebuild its database: 

openvasmd --rebuild

Create a user account (admin in this example). Make sure you remember or copy/paste the password that is displayed (it will be a long string of random characters). 

openvasmd --create-user=admin

Restart the OpenVAS manager service: 

systemctl restart openvas-manager.service

Start and enable the Greenbone Security Assistant (GSA) service: 

systemctl start openvas-gsa.service
systemctl enable openvas-gsa.service

Accessing OpenVAS on an NST Probe

You should now be able to access the Greenbone Security Assistant at https://127.0.0.1:9443 (you can substitute the IP address of your NST system for the 127.0.0.1 if accessing remotely).

You should be able to log in as admin using the initially generated password. After logging in, select User under the Administration menu and update your password.

From the main page, you can perform a quick scan on the NST system itself by entering 127.0.0.1 and pressing the Start Scan button:

When the scan completes it may report a few medium severity issues related to the openvasmd process on port 9390.

You should also be able to verify that the OpenVAS Command Line Interface (CLI) by running: 

omp --ping
omp -p 9390 --username=admin --password=YOUR_PASSWORD --xml="<help/>"
...

Refer to the http://www.openvas.com/ web site for instructions on using OpenVAS and the Greenbone Security Assistant.

NST 16 and NST 18 Setup

NST 2.16.0 - Preliminary Notes: Starting with Fedora 16, getting OpenVAS working with the Greenbone Security Assistant Desktop and Web interface has been a challenge. We are currently in the process of trying to figure out how to get it working. Currently only the openvas-client is available for OpenVAS control.

Steps To Get OpenVAS Started With NST 16 and NST 18

  • Add an OpenVAS client user (e.g., 'root') (Respond to all command prompts):
[root@dhcp132 ~]# openvas-adduser
  • To synchronize OpenVAS security checks, use the openvas-nvt-sync command:
[root@dhcp132 ~]# openvas-nvt-sync
  • Start the OpenVAS Scanner service. This will take minutes to hours to complete (at least the first time). If it takes too long, a failure will be reported, but the process will continue to run and parse the .nasl files out of the /var/lib/openvas/plugins directory. If you get hit with the timeout situtation, you can use the top' command to monitor the openvassd process :
[root@dhcp132 ~]# systemctl start openvas-scanner.service
  • The OpenVAS Scanner service may take many minutes to start when initially loading all of the .nasl plugins found under the /var/lib/openvas/plugins directory. It may take so long that you may see a failure message reported in the previous step due to a time out. If this occurs, you can use the top command to monitor the load of the openvassd process and wait for the load the drop. Here's an example of a high load by the openvassd process:
top - 07:30:17 up 18:33,  3 users,  load average: 1.50, 1.47, 1.25 
Tasks: 142 total,   2 running, 140 sleeping,   0 stopped,   0 zombie
Cpu0  :  7.6%us, 20.9%sy,  0.0%ni,  0.0%id,  0.8%wa, 68.9%hi,  1.8%si,  0.0%st
Mem:   1027908k total,   897168k used,   130740k free,   119148k buffers
Swap:  2064380k total,      612k used,  2063768k free,   480452k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
27120 root      20   0 43092  35m 1832 S 17.9  3.6   2:04.78 openvassd          
    1 root      20   0  5688 3464 1952 S  0.5  0.3   0:08.17 systemd            
  306 root      20   0     0    0    0 S  0.1  0.0   0:00.88 jbd2/dm-1-8        
 4239 root      20   0     0    0    0 S  0.1  0.0   0:16.80 kworker/0:2        
 4262 root      20   0 57420  19m 9208 S  0.1  1.9   0:34.68 Xorg
  • Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:
[root@dhcp132 ~]# openvasmd --rebuild
  • Start the OpenVAS Manager service:
[root@dhcp132 ~]# systemctl start openvas-manager.service
  • At this point both the OpenVAS Scanner (openvassd:9391) & Manager (openvasmd:9390) service should be started:
[root@dhcp132 ~]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN      2024/vino-server    
tcp        0      0 0.0.0.0:9390                0.0.0.0:*                   LISTEN      27395/openvasmd     
tcp        0      0 0.0.0.0:9391                0.0.0.0:*                   LISTEN      25093/openvassd     
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      1391/httpd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1378/sshd           
tcp        0      0 0.0.0.0:3001                0.0.0.0:*                   LISTEN      1382/ntop           
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      11949/sshd          
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      1391/httpd                     
tcp        0      0 10.222.222.10:22            10.222.222.18:49240         ESTABLISHED 11949/sshd          
tcp        0      0 10.222.222.10:5900          10.222.222.18:53555         ESTABLISHED 2024/vino-server    
tcp        0      0 :::5900                     :::*                        LISTEN      2024/vino-server    
tcp        0      0 :::22                       :::*                        LISTEN      1378/sshd           
tcp        0      0 ::1:6010                    :::*                        LISTEN      11949/sshd                 
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               981/chronyd         
udp        0      0 0.0.0.0:323                 0.0.0.0:*                               981/chronyd         
udp        0      0 :::123                      :::*                                    981/chronyd         
udp        0      0 :::323                      :::*                                    981/chronyd
[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - OpenVAS Scanner
	  Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; disabled)
	  Active: active (running) since Fri 2013-05-10 20:43:42 EDT; 10h ago
	Main PID: 19509 (openvassd)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  ├─10466 openvassd: serving 127.0.0.1
		  ├─10486 openvassd: serving 127.0.0.1
		  └─19509 openvassd: waiting for incoming connections

May 10 20:41:53 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:03 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:14 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:26 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:40 cayenne openvassd[19439]: [120B blob data]
May 10 20:42:54 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:10 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:28 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:42 cayenne openvassd[19439]: [120B blob data]
May 10 20:43:42 cayenne systemd[1]: Started OpenVAS Scanner.
[root@cayenne ~]# systemctl status openvas-manager.service
openvas-manager.service - OpenVAS Manager
	  Loaded: loaded (/usr/lib/systemd/system/openvas-manager.service; disabled)
	  Active: active (running) since Fri 2013-05-10 20:54:37 EDT; 10h ago
	Main PID: 19571 (openvasmd)
	  CGroup: name=systemd:/system/openvas-manager.service
		  └─19571 /usr/sbin/openvasmd --port=9390 --slisten=127.0.0.1 --sport=9391 --otp

May 10 20:54:37 cayenne systemd[1]: Starting OpenVAS Manager...
May 10 20:54:37 cayenne systemd[1]: Started OpenVAS Manager.
[root@cayenne ~]#


  • Finally, from a Gnome Desktop start up the OpenVAS client (/usr/bin/openvas-client) and login as the user added in the first step:

Applications => System Tools => OpenVAS Client

NOTE: It takes a long time to load the initial rules when using openvas-client. The application may appear to hang and you may need to be patient for a few minutes as rules are loaded.

NOTE2: When openvas-client disconnects and exits, the openvassd process that was forked to serve it may not cleanly exit and consume 100% of a CPU. You can use the top command to identify and kill this process should it occur.

Accessing OpenVAS on an NST Probe

  • From the NST WUI menu system (Web-Based Interface - WUI): Security => Active Scanners => Greenbone Security WUI (OpenVAS)
  • From the Gnome or Fluxbox Desktop (X Window-Based Interface - GUI): Greenbone Security Desktop Tool

Steps To Get OpenVAS Started With NST 15

Command Line Setup

This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line.


First Download/Update the OpenVAS Plugins

To install (or update if you've already installed the plugins at some point in the past), use the openvas-nvt-sync command. For example: 

[root@dhcp132 ~]# openvas-nvt-sync

... Lots of output as rules are updated ...

[root@dhcp132 ~]#

WARNING: Due not try this on a Live boot of the NST, as it writes a large amount of data to disk (which consumes RAM in a live boot).

The plugins for OpenVAS will be installed under the /var/lib/openvas/plugins directory. This directory won't exist until the initial plugins are installed using the openvas-nvt-sync command shown above. The following command shows how to get a count of the currently available plugins: 

[root@dhcp132 ~]# ls /var/lib/openvas/plugins | wc -l
42962
[root@dhcp132 ~]#

Next Start The openvas-scanner Service

Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the /var/cache/openvas directory. The first time you try and start the service, systemctl may time out and report that the service failed to start even though the openvassd process is still running and parsing rules. For example: 

[root@cayenne ~]# systemctl start openvas-scanner.service
Job failed. See system logs and 'systemctl status' for details.
[root@cayenne ~]# ps -fC openvassd
UID        PID  PPID  C STIME TTY          TIME CMD
root      3813  3812 48 13:30 ?        00:02:34 openvassd -q --port=9391
[root@cayenne ~]#


It takes a very long time for the initial loading and processing of the plugins. You can try to peek at what plugins are currently being loaded (to assure yourself that progress is being made) using the lsof command (this doesn't always work and depends a bit on the start of the openvassd process): 

[root@cayenne ~]# lsof | grep /var/lib/openvas/plugins 
openvassd 12858      root  cwd     4r    REG    253,1     2635   21050  /var/lib/openvas/plugins/plugins/gb_MDaemon_39857.nasl
[root@cayenne ~]#

If you run the top command while the openvassd is processing the plugins, you should see the openvassd consuming a substantial amount of CPU.

Eventually the openvassd process will complete it's loading phase and enter into a state where it is ready to accept incoming connections. You can use the ps command to check for this. 

[root@dcayenne ~]# ps -fC openvassd
UID        PID  PPID  C STIME TTY          TIME CMD
root     24529     1  0 07:13 ?        00:00:00 openvassd: waiting for incoming 
[root@dcayenne ~]#

The systemctl command can also be used to verify that the openvassd process is ready for incoming connections: 

[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner
	  Loaded: loaded (/etc/rc.d/init.d/openvas-scanner)
	  Active: failed since Wed, 15 Jun 2011 07:10:23 -0400; 7min ago 
	 Process: 2164 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=killed, signal=TERM)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  └ 24529 openvassd: waiting for incoming connections
[root@cayenne ~]#

You may notice that systemctl reports the service in a failed state even though the openvassd daemon is running and accepting connections. You should be able to clear this failed state indicator by restarting the service. 

[root@cayenne ~]# systemctl restart openvas-scanner.service
[root@cayenne ~]# systemctl status openvas-scanner.service
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner
	  Loaded: loaded (/etc/rc.d/init.d/openvas-scanner)
	  Active: active (running) since Sat, 16 Jul 2011 13:44:52 -0400; 1min 6s ago
	 Process: 27198 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=exited, status=0/SUCCESS)
	Main PID: 27193 (openvassd)
	  CGroup: name=systemd:/system/openvas-scanner.service
		  └ 27193 openvassd: waiting for incoming connections
[root@cayenne ~]# 
[root@cayenne ~]#

To enable the openvas-scanner (openvassd) service at boot time, run the following command: 

[root@cayenne ~]# systemctl enable openvas-scanner.service
openvas-scanner.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-scanner on
[root@cayenne ~]#

Next Start The openvas-manager Service

Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database: 

[root@cayenne ~]# openvasmd --rebuild
[root@cayenne ~]#

Once the database has been setup, you can start the service in the following manner: 

[root@cayenne ~]# systemctl start openvas-manager.service
[root@cayenne ~]# systemctl status openvas-manager.service
openvas-manager.service - LSB: start|stop|status|restart|condrestart OpenVAS Manager
	  Loaded: loaded (/etc/rc.d/init.d/openvas-manager)
	  Active: active (running) since Sat, 16 Jul 2011 13:56:41 -0400; 5s ago
	 Process: 27445 ExecStart=/etc/rc.d/init.d/openvas-manager start (code=exited, status=0/SUCCESS)
	Main PID: 27450 (openvasmd)
	  CGroup: name=systemd:/system/openvas-manager.service
		  └ 27450 openvasmd --port=9390 --slisten=127.0.0.1 --sport=...
[root@cayenne ~]#

To enable the openvas-manager (openvasmd) service at boot time, run the following command: 

[root@cayenne ~]# systemctl enable openvas-manager.service
openvas-manager.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-manager on
[root@cayenne ~]#

Next Start The openvas-administrator Service

Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a root user (you can choose any name you prefer): 

[root@cayenne ~]# openvasad -c add_user -n root --role=Admin
Enter password: 
ad   main:MESSAGE:23822:2011-06-15 07h54.32 EDT: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:23822:2011-06-15 07h54.32 EDT: User root has been successfully created.
[root@cayenne ~]#

Once a administrative user has been added, you should be able to start the service as shown below 

[root@cayenne ~]# systemctl start openvas-administrator.service
[root@cayenne ~]# systemctl status openvas-administrator.service
openvas-administrator.service - LSB: start|stop|status|restart|condrestart OpenVAS Manager
	  Loaded: loaded (/etc/rc.d/init.d/openvas-administrator)
	  Active: active (running) since Sat, 16 Jul 2011 13:59:17 -0400; 3s ago
	 Process: 27475 ExecStart=/etc/rc.d/init.d/openvas-administrator start (code=exited, status=0/SUCCESS)
	Main PID: 27480 (openvasad)
	  CGroup: name=systemd:/system/openvas-administrator.service
		  └ 27480 openvasad --port=9393
[root@cayenne ~]#

To enable the openvas-administrator (openvasad) service at boot time, run the following command: 

[root@cayenne ~]# systemctl enable openvas-administrator.service
openvas-administrator.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig openvas-administrator on
[root@cayenne ~]#

Next Start The gsad Service

Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows: 

[root@cayenne ~]# systemctl start gsad.service
[root@cayenne ~]# systemctl status gsad.service
gsad.service - LSB: This starts and stops the Greenbone Security Assistant.
	  Loaded: loaded (/etc/rc.d/init.d/gsad)
	  Active: active (running) since Sat, 16 Jul 2011 14:14:30 -0400; 4s ago
	 Process: 27880 ExecStart=/etc/rc.d/init.d/gsad start (code=exited, status=0/SUCCESS)
	Main PID: 27886 (gsad)
	  CGroup: name=systemd:/system/gsad.service
		  └ 27886 /usr/sbin/gsad --port=9392 --alisten=127.0.0.1 --a...
[root@cayenne ~]#

To enable the gsad service at boot time, run the following command: 

[root@cayenne ~]# systemctl enable gsad.service
gsad.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig gsad on
[root@cayenne ~]#

Finally Verify Your Setup Using openvas-check-setup

After you have all of the services set up and running, you can use the openvas-check-setup command to perform a sanity check on your system to verify that it has been setup correctly. 

[root@cayenne ~]# openvas-check-setup

... Lots of output as various checks are performed.
    If not all OK, then a SUGGESTION should appear ...

It seems like your OpenVAS-4 installation is OK.
 
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

[root@cayenne ~]#
Retrieved from "https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=OpenVAS&oldid=9180"