Difference between revisions of "OpenVAS"

From ArchWiki
(flag for style)
 
(28 intermediate revisions by 11 users not shown)
Line 1: Line 1:
 
[[Category:Networking]]
 
[[Category:Networking]]
 
[[Category:Security]]
 
[[Category:Security]]
{{stub}}
+
[[ja:OpenVAS]]
==Overview==
+
{{Style|Various [[Help:Style]] issues}}
 
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.  
 
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.  
  
 
==Installation==
 
==Installation==
  
Currently, [https://aur.archlinux.org/packages.php?ID=33721 OpenVAS] is available through the [[AUR]].
+
Install the {{grp|openvas}} package group from the [[official repositories]]. This group provides the {{pkg|openvas-cli}} command-line {{ic|omp}} interface and {{pkg|greenbone-security-assistant}} web interface via the  {{ic|gsad}} daemon along with other OpenVAS dependencies.
  
Installing it will also provide you with OpenVAS [https://aur.archlinux.org/packages.php?ID=22948&O=&L=&C=&K=&SB=&SO=&PP=&do_Orphans=&SeB= client] and [https://aur.archlinux.org/packages.php?ID=22944&O=&L=&C=&K=&SB=&SO=&PP=&do_Orphans=&SeB= libraries].
+
==Initial setup==
  
==Managing users==
+
Create a certificate for the server, choosing the default values if desired:
To be able to use OpenVAS you first need to make an OpenVAS user. There are two types of user authentication methods used in OpenVAS - passwords and ssl certificates.
+
  
To add a new user run the following with root privileges:
+
  # openvas-mkcert
  # openvas-adduser
+
This will prompt you to choose one of the two mentioned methods as a mean of authentification.
+
  
You can also remove a user using (also with root privileges):
+
Create a client certificate:
# openvas-rmuser
+
  
You can make a new user certificate using (with root privileges):
+
  # openvas-mkcert-client -n -i
  # openvas-mkcert
+
 
 +
Update the plugins and vulnerability data:
  
==Updating==
 
Before running OpenVAS you should fetch new plugins and the newest security checks:
 
 
  # openvas-nvt-sync
 
  # openvas-nvt-sync
 +
# openvas-scapdata-sync
 +
# openvas-certdata-sync
 +
 +
Start the scanner service:
 +
 +
# systemctl start openvas-scanner
 +
 +
Rebuild the database:
 +
 +
# openvasmd --rebuild --progress
 +
 +
Add an administrator user account, be sure to copy the password:
 +
 +
# openvasmd --create-user=admin --role=Admin
 +
 +
==Post-Install==
 +
 +
Configure {{pkg|redis}} as prescribed by the [https://svn.wald.intevation.org/svn/openvas/tags/openvas-scanner-release-5.0.3/doc/redis_config.txt OpenVAS redis configuration]. In summary, amend the following to your /etc/redis.conf
 +
 +
unixsocket /var/lib/redis/redis.sock
 +
port 0
 +
timeout 0
 +
 +
Create and add the following to /etc/openvas/openvassd.conf
 +
 +
kb_location = /var/lib/redis/redis.sock
 +
 +
Finally restart {{ic|redis}}
 +
 +
# systemctl restart redis
 +
 +
==Getting Started==
 +
 +
Start the {{ic|openvasmd}} daemon
 +
 +
# openvasmd -p 9390 -a 127.0.0.1
 +
 +
Start the [http://www.greenbone.net/technology/openvas.html Greenbone Security Assistant] WebUI (optional)
 +
 +
# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390
 +
 +
Point your web browser to http://127.0.0.1 and login with your admin crendentials
 +
 +
{{Note|By default, {{ic|gsad}} will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the {{ic|--port}} switch to {{ic|gsad}} for an alternate port. Read the {{ic|gsad}} man page for options like {{ic|--http-only}}, {{ic|--no-redirect}}, and more.}}
 +
 +
==Systemd==
  
There is a problem with openvas-nvt-sync updating (this affects the currently available version - 3.0.2-1). To fix it - edit /usr/sbin/openvas-nvt-sync and find the line containing SYNC_TMP_DIR and change it to look like:
+
Redhat based systemd units are in an AUR package named {{aur|openvas-systemd}}. The contain a few tweaks such as better TLS settings.
SYNC_TMP_DIR=`mktemp -d openvas-nvt-sync.XXXXXXXXXX -t`
+
  
==Running OpenVAS==  
+
==Migration to new major versions==
To use OpenVAS, you first need to start the OpenVAS server:
+
# openvassd
+
  
To start the OpenVAS client run:
+
The database needs to be migrated when moving to a new major version:
# OpenVAS-Client &
+
  
From OpenVAS-Client you will have to connect to the OpenVAS server using the user you previously created.
+
# openvasmd --migrate --progress
  
 
==See Also==
 
==See Also==
 
* [http://www.openvas.org/ OpenVAS] Official OpenVAS website.
 
* [http://www.openvas.org/ OpenVAS] Official OpenVAS website.
* [http://www.openvas.org/compendium/openvas-compendium.html OpenVAS Compendium] A Publication of the OpenVAS Project.
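Review bot: the new Initial setup steps start openvas-scanner before the Post-Install section adds kb_location to /etc/openvas/openvassd.conf, and that section restarts only redis; move the Redis configuration ahead of "Start the scanner service" or add a restart of openvas-scanner after it, so the scanner runs with the socket path it is given. In the added text, "crendentials" should read "credentials" and "The contain a few tweaks" should read "They contain a few tweaks".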
 

Latest revision as of 13:02, 13 September 2016

This article or section needs language, wiki syntax or style improvements.

Reason: Various Help:Style issues (Discuss in Talk:OpenVAS#)

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Installation

Install the openvas package group from the official repositories. This group provides the openvas-cli command-line omp interface and greenbone-security-assistant web interface via the gsad daemon along with other OpenVAS dependencies.

Initial setup

Create a certificate for the server, choosing the default values if desired:

# openvas-mkcert

Create a client certificate:

# openvas-mkcert-client -n -i

Update the plugins and vulnerability data:

# openvas-nvt-sync
# openvas-scapdata-sync
# openvas-certdata-sync

Start the scanner service:

# systemctl start openvas-scanner

Rebuild the database:

# openvasmd --rebuild --progress

Add an administrator user account; be sure to copy the password:

# openvasmd --create-user=admin --role=Admin

Post-Install

Configure redis as prescribed by the OpenVAS redis configuration. In summary, add the following to your /etc/redis.conf:

unixsocket /var/lib/redis/redis.sock
port 0
timeout 0

Create /etc/openvas/openvassd.conf and add the following to it:

kb_location = /var/lib/redis/redis.sock

Finally, restart redis:

# systemctl restart redis
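
A consistency check for the two files edited above, as an added example that is not part of the wiki page or of the OpenVAS project: it confirms that Redis is reachable only through the Unix socket (port 0 disables its TCP listener) and that kb_location names that same socket. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the Redis / openvassd settings from this section.

# Print the last value set for a directive in a redis.conf-style file
# ("directive value"; lines starting with '#' never match).
redis_get() {  # $1 = file, $2 = directive
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print the value of kb_location from an openvassd.conf-style file
# ("key = value"), with surrounding whitespace removed.
kb_location() {  # $1 = file
    sed -n 's/^[[:space:]]*kb_location[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 only if Redis is socket-only and openvassd points at that socket.
check_kb_config() {  # $1 = redis.conf, $2 = openvassd.conf
    sock=$(redis_get "$1" unixsocket)
    port=$(redis_get "$1" port)
    tmo=$(redis_get "$1" timeout)
    kb=$(kb_location "$2")
    rc=0
    [ -n "$sock" ] || { echo "redis: unixsocket not set"; rc=1; }
    [ "$port" = "0" ] || { echo "redis: port is '${port:-unset}', TCP listener may be enabled"; rc=1; }
    [ "$tmo" = "0" ] || { echo "redis: timeout is '${tmo:-unset}', expected 0"; rc=1; }
    [ -n "$kb" ] && [ "$kb" = "$sock" ] || { echo "openvassd: kb_location '$kb' does not match unixsocket '$sock'"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real host) so the check runs offline.
demo_dir=$(mktemp -d)
printf 'unixsocket /var/lib/redis/redis.sock\nport 0\ntimeout 0\n' > "$demo_dir/redis.conf"
printf 'kb_location = /var/lib/redis/redis.sock\n' > "$demo_dir/openvassd.conf"
check_kb_config "$demo_dir/redis.conf" "$demo_dir/openvassd.conf" && echo "kb config consistent"
```

On a real system, call check_kb_config with /etc/redis.conf and /etc/openvas/openvassd.conf as its two arguments.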

Getting Started

Start the openvasmd daemon:

# openvasmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional):

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and log in with your admin credentials.

Note: By default, gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.

Systemd

Red Hat-based systemd units are in an AUR package named openvas-systemd. They contain a few tweaks such as better TLS settings.

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# openvasmd --migrate --progress

See Also