OpenVAS: Difference between revisions
No edit summary |
(Undo revision 4371 by Paul Blankenbaker (Talk)) |
||
Line 1: | Line 1: | ||
= Overview = | |||
The Open Vulnerability Assessment Scanner ([http://www.openvas.com OpenVAS]) and Greenbone Security tools provide the following capabilities: | |||
* Scan systems on your network looking for security risks. | |||
* Manage and update the rule sets used for the scans. | |||
* Produce reports based on the scans. | |||
* Schedule periodic scans. | |||
* Interact with the system via the command line, a desktop GUI interface, or a web based front end. | |||
The [http://www.openvas.com OpenVAS] project is a branch of the original [http://www.nessus.org/ Nessus] software. More information can be found at http://www.openvas.com/. | |||
The [http://www.openvas.com OpenVAS] software package was included in the NST distribution starting with the 2.15.0 release. | |||
[[Image:Warning.png]] You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a ''live'' boot you will likely run out of memory and lock your system. | |||
= Command Line Setup = | |||
This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line. | |||
<!-- The nobody tweak is not required with the first official 2.15.0 release | |||
== Tweak the ''nobody'' Account == | |||
The 2.0.3 release of the openvas-manager package has a issue where the ''nobody'' account needs to have its shell set to ''/bin/bash''. This requirement was supposedly fixed in the 2.0.4 release of the openvas-manager package. Hopefully, by the time NST 2.15.0 is released, it will include the 2.0.4 release of the openvas-manager package and you will be able to skip this step. | |||
Use the following command to determine what version of the openvas-manager package is installed: | |||
[root@dhcp132 ~]# rpm -q openvas-manager | |||
openvas-manager-2.0.3-1.fc15.i686 | |||
[root@dhcp132 ~]# | |||
If you see version ''2.0.3'', then edit your ''/etc/passwd'' file and change the shell from ''/sbin/nobody'' to ''/bin/bash''. Alternatively, you can run the following ''sed'' command (the two ''grep'' commands do not need to be run, they are included below to show the change): | |||
[root@dhcp132 ~]# grep ^nobody /etc/passwd | |||
nobody:x:99:99:Nobody:/:/sbin/nologin | |||
[root@dhcp132 ~]# sed -i -e 's,^\(nobody.*\):/sbin/nologin,\1:/bin/bash,' /etc/passwd | |||
[root@dhcp132 ~]# grep ^nobody /etc/passwdnobody:x:99:99:Nobody:/:/bin/bash | |||
[root@dhcp132 ~]# | |||
--> | |||
== Download/Update the OpenVAS Plugins == | |||
To install (or update if you've already installed the plugins at some point in the past), use the ''openvas-nvt-sync'' command. For example: | |||
[root@dhcp132 ~]# openvas-nvt-sync | |||
... Lots of output as rules are updated ... | |||
[root@dhcp132 ~]# | |||
WARNING: Due not try this on a Live boot of the NST, as it writes a large amount of data to disk (which consumes RAM in a live boot). | |||
The plugins for OpenVAS will be installed under the ''/var/lib/openvas/plugins'' directory. This directory won't exist until the initial plugins are installed using the ''openvas-nvt-sync'' command shown above. The following command shows how to get a count of the currently available plugins: | |||
[root@dhcp132 ~]# ls /var/lib/openvas/plugins | wc -l | |||
42962 | |||
[root@dhcp132 ~]# | |||
== Start The openvas-scanner Service == | == Start The openvas-scanner Service == | ||
Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the ''/var/cache/openvas'' directory. The first time you try and start the service, ''systemctl'' may time out and report that the service failed to start even though the ''openvassd'' process is still running and parsing rules. For example: | Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the ''/var/cache/openvas'' directory. The first time you try and start the service, ''systemctl'' may time out and report that the service failed to start even though the ''openvassd'' process is still running and parsing rules. For example: | ||
[root@ | [root@dhcp132 ~]# service openvas-scanner start | ||
Job failed. See system logs and 'systemctl status' for details. | Starting openvas-scanner (via systemctl): Job failed. See system logs and 'systemctl status' for details. | ||
[root@ | [FAILED] | ||
[root@dhcp132 ~]# ps -fC openvassd | |||
UID PID PPID C STIME TTY TIME CMD | UID PID PPID C STIME TTY TIME CMD | ||
root | root 24529 1 0 07:13 ? 00:00:00 openvassd -q --port=9391 | ||
[root@ | [root@dhcp132 ~]# | ||
It takes a very long time for the initial loading and processing of the plugins. You can peek at what plugins are currently being loaded (to assure yourself that progress is being made) using the ''lsof'' command: | |||
It takes a very long time for the initial loading and processing of the plugins. You can | |||
[root@dhcp150 ~]# lsof | grep /var/lib/openvas/plugins | [root@dhcp150 ~]# lsof | grep /var/lib/openvas/plugins | ||
openvassd 12858 root cwd 4r REG 253,1 2635 21050 /var/lib/openvas/plugins/plugins/gb_MDaemon_39857.nasl | openvassd 12858 root cwd 4r REG 253,1 2635 21050 /var/lib/openvas/plugins/plugins/gb_MDaemon_39857.nasl | ||
[root@dhcp132 ~]# | [root@dhcp132 ~]# | ||
Eventually the ''openvassd'' process will complete it's loading phase and enter into a state where it is ready to accept incoming connections. You can use the ''ps'' command to check for this. | Eventually the ''openvassd'' process will complete it's loading phase and enter into a state where it is ready to accept incoming connections. You can use the ''ps'' command to check for this. | ||
Line 39: | Line 97: | ||
You may notice that ''systemctl'' reports the service in a ''failed'' state even though the ''openvassd'' daemon is running and accepting connections. You should be able to clear this ''failed'' state indicator by restarting the service. | You may notice that ''systemctl'' reports the service in a ''failed'' state even though the ''openvassd'' daemon is running and accepting connections. You should be able to clear this ''failed'' state indicator by restarting the service. | ||
[root@dhcp132 ~]# | [root@dhcp132 ~]# service openvas-scanner restart | ||
[root@ | Restarting openvas-scanner (via systemctl): [ OK ] | ||
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner | [root@dhcp132 ~]# service openvas-scanner status | ||
openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner | |||
Loaded: loaded (/etc/rc.d/init.d/openvas-scanner) | Loaded: loaded (/etc/rc.d/init.d/openvas-scanner) | ||
Active: active (running) since Wed, 15 Jun 2011 07:48:51 -0400; 3s ago | |||
Process: | Process: 23711 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=exited, status=0/SUCCESS) | ||
Main PID: | Main PID: 23659 (openvassd) | ||
CGroup: name=systemd:/system/openvas-scanner.service | CGroup: name=systemd:/system/openvas-scanner.service | ||
└ | └ 23659 openvassd: waiting for incoming connections | ||
[root@dhcp132 ~]# | [root@dhcp132 ~]# | ||
To enable the ''openvas-scanner'' (openvassd) service at boot time, run the following command: | To enable the ''openvas-scanner'' (openvassd) service at boot time, run the following command: | ||
[root@ | [root@dhcp150 ~]# chkconfig openvas-scanner on | ||
[root@dhcp150 ~]# | [root@dhcp150 ~]# | ||
== Start The openvas-manager Service == | |||
Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database: | |||
[root@dhcp132 ~]# openvasmd --rebuild | |||
[root@dhcp132 ~]# | |||
Once the database has been setup, you can start the service in the following manner: | |||
[root@dhcp132 ~]# service openvas-manager start | |||
Starting openvas-manager (via systemctl): [ OK ] | |||
[root@dhcp132 ~]# | |||
To enable the ''openvas-manager'' (openvasmd) service at boot time, run the following command: | |||
[root@dhcp150 ~]# chkconfig openvas-manager on | |||
[root@dhcp150 ~]# | |||
== Start The openvas-administrator Service == | |||
Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a ''root'' user (you can choose any name you prefer): | |||
[root@dhcp132 ~]# openvasad -c add_user -n root --role=Admin | |||
Enter password: | |||
ad main:MESSAGE:23822:2011-06-15 07h54.32 EDT: No rules file provided, the new user will have no restrictions. | |||
ad main:MESSAGE:23822:2011-06-15 07h54.32 EDT: User root has been successfully created. | |||
[root@dhcp132 ~]# | |||
Once a administrative user has been added, you should be able to start the service as shown below | |||
[root@dhcp132 ~]# service openvas-administrator start | |||
Starting openvas-administrator: | |||
[ OK ] | |||
[root@dhcp132 ~]# | |||
To enable the ''openvas-administrator'' (openvasad) service at boot time, run the following command: | |||
[root@dhcp150 ~]# chkconfig openvas-administrator on | |||
[root@dhcp150 ~]# | |||
== Start The gsad Service == | |||
Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows: | |||
[root@dhcp132 ~]# service gsad start | |||
Starting greenbone-security-assistant: | |||
[root@dhcp132 ~]# | |||
To enable the ''gsad'' service at boot time, run the following command: | |||
[root@dhcp150 ~]# chkconfig gsad on | |||
[root@dhcp150 ~]# | |||
== Verify Your Setup Using openvas-check-setup == | |||
After you have all of the services set up and running, you can use the ''openvas-check-setup'' command to perform a sanity check on your system to verify that it has been setup correctly. | |||
[root@dhcp132 ~]# openvas-check-setup | |||
... Lots of output as various checks are performed. | |||
If not all OK, then a SUGGESTION should appear ... | |||
It seems like your OpenVAS-4 installation is OK. | |||
If you think it is not OK, please report your observation | |||
and help us to improve this check routine: | |||
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss | |||
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem. | |||
[root@dhcp132 ~]# |
Revision as of 12:51, 16 July 2011
Overview
The Open Vulnerability Assessment Scanner (OpenVAS) and Greenbone Security tools provide the following capabilities:
- Scan systems on your network looking for security risks.
- Manage and update the rule sets used for the scans.
- Produce reports based on the scans.
- Schedule periodic scans.
- Interact with the system via the command line, a desktop GUI interface, or a web based front end.
The OpenVAS project is a branch of the original Nessus software. More information can be found at http://www.openvas.com/.
The OpenVAS software package was included in the NST distribution starting with the 2.15.0 release.
You should only setup your NST system for OpenVAS after performing a hard disk installation (within a virtual machine is OK). If you attempt to setup OpenVAS on a live boot you will likely run out of memory and lock your system.
Command Line Setup
This section outlines the general procedure for setting up OpenVAS on a NST v2.15.0 system using the command line.
Download/Update the OpenVAS Plugins
To install (or update if you've already installed the plugins at some point in the past), use the openvas-nvt-sync command. For example:
[root@dhcp132 ~]# openvas-nvt-sync ... Lots of output as rules are updated ... [root@dhcp132 ~]#
WARNING: Due not try this on a Live boot of the NST, as it writes a large amount of data to disk (which consumes RAM in a live boot).
The plugins for OpenVAS will be installed under the /var/lib/openvas/plugins directory. This directory won't exist until the initial plugins are installed using the openvas-nvt-sync command shown above. The following command shows how to get a count of the currently available plugins:
[root@dhcp132 ~]# ls /var/lib/openvas/plugins | wc -l 42962 [root@dhcp132 ~]#
Start The openvas-scanner Service
Starting the openvas-scanner (openvassd) service takes a long time. This occurs due to the loading and processing of all of the rules. When the service is started, it reads through all of the ASCII plugins and creates cached versions under the /var/cache/openvas directory. The first time you try and start the service, systemctl may time out and report that the service failed to start even though the openvassd process is still running and parsing rules. For example:
[root@dhcp132 ~]# service openvas-scanner start Starting openvas-scanner (via systemctl): Job failed. See system logs and 'systemctl status' for details. [FAILED] [root@dhcp132 ~]# ps -fC openvassd UID PID PPID C STIME TTY TIME CMD root 24529 1 0 07:13 ? 00:00:00 openvassd -q --port=9391 [root@dhcp132 ~]#
It takes a very long time for the initial loading and processing of the plugins. You can peek at what plugins are currently being loaded (to assure yourself that progress is being made) using the lsof command:
[root@dhcp150 ~]# lsof | grep /var/lib/openvas/plugins openvassd 12858 root cwd 4r REG 253,1 2635 21050 /var/lib/openvas/plugins/plugins/gb_MDaemon_39857.nasl [root@dhcp132 ~]#
Eventually the openvassd process will complete it's loading phase and enter into a state where it is ready to accept incoming connections. You can use the ps command to check for this.
[root@dhcp132 ~]# ps -fC openvassd UID PID PPID C STIME TTY TIME CMD root 24529 1 0 07:13 ? 00:00:00 openvassd: waiting for incoming [root@dhcp150 ~]#
The systemctl command can also be used to verify that the openvassd process is ready for incoming connections:
[root@dhcp132 ~]# systemctl status openvas-scanner.service openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner Loaded: loaded (/etc/rc.d/init.d/openvas-scanner) Active: failed since Wed, 15 Jun 2011 07:10:23 -0400; 7min ago Process: 2164 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=killed, signal=TERM) CGroup: name=systemd:/system/openvas-scanner.service └ 24529 openvassd: waiting for incoming connections [root@dhcp132 ~]#
You may notice that systemctl reports the service in a failed state even though the openvassd daemon is running and accepting connections. You should be able to clear this failed state indicator by restarting the service.
[root@dhcp132 ~]# service openvas-scanner restart Restarting openvas-scanner (via systemctl): [ OK ] [root@dhcp132 ~]# service openvas-scanner status openvas-scanner.service - LSB: start|stop|status|restart|condrestart|reloadplugins OpenVAS Scanner Loaded: loaded (/etc/rc.d/init.d/openvas-scanner) Active: active (running) since Wed, 15 Jun 2011 07:48:51 -0400; 3s ago Process: 23711 ExecStart=/etc/rc.d/init.d/openvas-scanner start (code=exited, status=0/SUCCESS) Main PID: 23659 (openvassd) CGroup: name=systemd:/system/openvas-scanner.service └ 23659 openvassd: waiting for incoming connections [root@dhcp132 ~]#
To enable the openvas-scanner (openvassd) service at boot time, run the following command:
[root@dhcp150 ~]# chkconfig openvas-scanner on [root@dhcp150 ~]#
Start The openvas-manager Service
Before starting the openvas-manager (openvasmd) service, you need to initialize (rebuild) it's database the first time you set up your system. Run the following command to rebuild the database:
[root@dhcp132 ~]# openvasmd --rebuild [root@dhcp132 ~]#
Once the database has been setup, you can start the service in the following manner:
[root@dhcp132 ~]# service openvas-manager start Starting openvas-manager (via systemctl): [ OK ] [root@dhcp132 ~]#
To enable the openvas-manager (openvasmd) service at boot time, run the following command:
[root@dhcp150 ~]# chkconfig openvas-manager on [root@dhcp150 ~]#
Start The openvas-administrator Service
Before starting the openvas-administrator (openvasad) service, you need to add a administrative user. The following demonstrates how to add a root user (you can choose any name you prefer):
[root@dhcp132 ~]# openvasad -c add_user -n root --role=Admin Enter password: ad main:MESSAGE:23822:2011-06-15 07h54.32 EDT: No rules file provided, the new user will have no restrictions. ad main:MESSAGE:23822:2011-06-15 07h54.32 EDT: User root has been successfully created. [root@dhcp132 ~]#
Once a administrative user has been added, you should be able to start the service as shown below
[root@dhcp132 ~]# service openvas-administrator start Starting openvas-administrator: [ OK ] [root@dhcp132 ~]#
To enable the openvas-administrator (openvasad) service at boot time, run the following command:
[root@dhcp150 ~]# chkconfig openvas-administrator on [root@dhcp150 ~]#
Start The gsad Service
Once the OpenVAS services are set up and running, you should be able to start the Greenbone Security Assistant service as follows:
[root@dhcp132 ~]# service gsad start Starting greenbone-security-assistant: [root@dhcp132 ~]#
To enable the gsad service at boot time, run the following command:
[root@dhcp150 ~]# chkconfig gsad on [root@dhcp150 ~]#
Verify Your Setup Using openvas-check-setup
After you have all of the services set up and running, you can use the openvas-check-setup command to perform a sanity check on your system to verify that it has been setup correctly.
[root@dhcp132 ~]# openvas-check-setup ... Lots of output as various checks are performed. If not all OK, then a SUGGESTION should appear ... It seems like your OpenVAS-4 installation is OK. If you think it is not OK, please report your observation and help us to improve this check routine: http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem. [root@dhcp132 ~]#