Difference between revisions of "OpenVAS"

From ArchWiki
(Note on optionally install haveged to gather more entropy. Ref: https://github.com/greenbone/gvm/issues/98#issuecomment-395438797)
 
(41 intermediate revisions by 20 users not shown)
Line 1: Line 1:
 
[[Category:Networking]]
 
[[Category:Networking]]
 
[[Category:Security]]
 
[[Category:Security]]
{{stub}}
+
[[ja:OpenVAS]]
==Overview==
+
{{Style|Various [[Help:Style]] issues}}
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.  
+
[http://www.openvas.org/ OpenVAS] stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.  
  
==Installation==
+
== Pre-install ==
  
Currently, [https://aur.archlinux.org/packages.php?ID=33721 OpenVAS] is available through the [[AUR]].
+
=== Redis ===
  
Installing it will also provide you with OpenVAS [https://aur.archlinux.org/packages.php?ID=22948&O=&L=&C=&K=&SB=&SO=&PP=&do_Orphans=&SeB= client] and [https://aur.archlinux.org/packages.php?ID=22944&O=&L=&C=&K=&SB=&SO=&PP=&do_Orphans=&SeB= libraries].
+
Configure {{pkg|redis}} as prescribed by the [https://github.com/greenbone/openvas-scanner/blob/v5.0.9/doc/redis_config.txt OpenVAS redis configuration]. In summary, amend the following to your /etc/redis.conf
  
==Managing users==
+
unixsocket /var/lib/redis/redis.sock
To be able to use OpenVAS you first need to make an OpenVAS user. There are two types of user authentication methods used in OpenVAS - passwords and ssl certificates.
+
unixsocketperm 700
 +
port 0
 +
timeout 0
 +
databases 128
  
To add a new user run the following with root privileges:
+
''Note'': See the previous {{ic|OpenVAS redis configuration}} document on how to calculate the {{ic|databases}} number.
# openvas-adduser
 
This will prompt you to choose one of the two mentioned methods as a mean of authentification.
 
  
You can also remove a user using (also with root privileges):
+
Additionally comment out the following (and similar) {{ic|save}} lines if present to avoid a stuck connection of the {{ic|openvas-scanner}} to {{ic|redis}}:
# openvas-rmuser
 
  
You can make a new user certificate using (with root privileges):
+
save 900 1
  # openvas-mkcert
+
save 300 10
 +
  save 60 10000
  
==Updating==
+
Create and add the following to /etc/openvas/openvassd.conf
Before running OpenVAS you should fetch new plugins and the newest security checks:
 
# openvas-nvt-sync
 
  
There is a problem with openvas-nvt-sync updating (this affects the currently available version - 3.0.2-1). To fix it - edit /usr/sbin/openvas-nvt-sync and find the line containing SYNC_TMP_DIR and change it to look like:
+
kb_location = /var/lib/redis/redis.sock
SYNC_TMP_DIR=`mktemp -d openvas-nvt-sync.XXXXXXXXXX -t`
 
  
==Running OpenVAS==
+
Finally restart {{ic|redis}}
To use OpenVAS, you first need to start the OpenVAS server:
 
# openvassd
 
  
To start the OpenVAS client run:
+
  # systemctl restart redis
  # OpenVAS-Client &
 
  
From OpenVAS-Client you will have to connect to the OpenVAS server using the user you previously created.
+
=== haveged (optional) ===
  
==See Also==
+
If running OpenVAS in a virtual machine or any other system having a low entropy install {{pkg|haveged}} to gather more entropy. This is required for e.g. the key material used for the encrypted credentials saved within the {{ic|openvas-manager}} database.
 +
 
 +
== Installation ==
 +
 
 +
Install the {{grp|openvas}} package group from the [[official repositories]]. This group provides the {{pkg|openvas-cli}} command-line {{ic|omp}} interface and {{pkg|greenbone-security-assistant}} web interface via the  {{ic|gsad}} daemon along with other OpenVAS dependencies.
 +
 
 +
== Initial setup ==
 +
 
 +
Create certificates for the server+client, default values were used
 +
 
 +
# openvas-manage-certs -a
 +
 
 +
Update the plugins and vulnerability data:
 +
 
 +
# greenbone-nvt-sync
 +
# greenbone-scapdata-sync
 +
# greenbone-certdata-sync
 +
 
 +
''Note'': If GSA complains that the scapdata database is missing, it may be necessary to use greenbone-scapdata-sync --refresh
 +
 
 +
 
 +
Start the scanner service:
 +
 
 +
# systemctl start openvas-scanner
 +
 
 +
Rebuild the database:
 +
 
 +
# openvasmd --rebuild --progress
 +
 
 +
Add an administrator user account, be sure to copy the password:
 +
 
 +
# openvasmd --create-user=admin --role=Admin
 +
 
 +
 
 +
== Getting started ==
 +
 
 +
Start the {{ic|openvasmd}} daemon
 +
 
 +
# openvasmd -p 9390 -a 127.0.0.1
 +
 
 +
Start the [http://www.greenbone.net/technology/openvas.html Greenbone Security Assistant] WebUI (optional)
 +
 
 +
# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390
 +
 
 +
Point your web browser to http://127.0.0.1 and login with your admin crendentials
 +
 
 +
{{Note|By default, {{ic|gsad}} will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the {{ic|--port}} switch to {{ic|gsad}} for an alternate port. Read the {{ic|gsad}} man page for options like {{ic|--http-only}}, {{ic|--no-redirect}}, and more.}}
 +
{{Note|The [http://www.greenbone.net/technology/openvas.html Greenbone Security Assistant] WebUI requires the {{grp|texlive-most}} package in order to provide PDF downloads of the reports.}}
 +
 
 +
== Systemd ==
 +
 
 +
Redhat based systemd units are in an AUR package named {{aur|openvas-systemd}}. The contain a few tweaks such as better TLS settings.
 +
 
 +
== Migration to new major versions ==
 +
 
 +
The database needs to be migrated when moving to a new major version:
 +
 
 +
# openvasmd --migrate --progress
 +
 
 +
== See also ==
 +
 
 +
* [[Wikipedia:OpenVAS]]
 
* [http://www.openvas.org/ OpenVAS] Official OpenVAS website.
 
* [http://www.openvas.org/ OpenVAS] Official OpenVAS website.
* [http://www.openvas.org/compendium/openvas-compendium.html OpenVAS Compendium] A Publication of the OpenVAS Project.
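Review bot: the new "Pre-install" section asks the reader to create /etc/openvas/openvassd.conf before the "Installation" section has installed the openvas group, so either move "Pre-install" after "Installation" or state that the directory has to be created by hand. In the Redis text, "amend the following to your /etc/redis.conf" should read "add the following", and a short remark on what "port 0" (no TCP listener) and "unixsocketperm 700" are for would help readers who diff this against their existing file. Two typos also remain in the added lines: "crendentials" under "Getting started" and "The contain a few tweaks" under "Systemd".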
 

Latest revision as of 15:57, 7 June 2018

This article or section needs language, wiki syntax or style improvements.

Reason: Various Help:Style issues (Discuss in Talk:OpenVAS#)

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Pre-install

Redis

Configure redis as prescribed by the OpenVAS redis configuration. In summary, add the following to your /etc/redis.conf:

unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128

Note: See the OpenVAS redis configuration document referenced above for how to calculate the databases number.

Additionally, comment out the following (and similar) save lines, if present, to avoid a stuck connection from openvas-scanner to redis:

save 900 1
save 300 10
save 60 10000

Create /etc/openvas/openvassd.conf and add the following to it:

kb_location = /var/lib/redis/redis.sock

Finally, restart redis:

# systemctl restart redis
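
To confirm that the Redis steps above were applied, the following added example (not part of the original article or of OpenVAS) checks a redis.conf and an openvassd.conf against the settings listed in this section. The function names conf_get and audit_openvas_redis and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: audit the redis and scanner settings described on this page.
# conf_get, audit_openvas_redis and audit.sh are hypothetical names.
# Usage: sh audit.sh /etc/redis.conf /etc/openvas/openvassd.conf

# Print the value of the last uncommented occurrence of a redis directive.
conf_get() {  # conf_get <file> <directive>
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
                     END { print val }' "$1"
}

audit_openvas_redis() {  # audit_openvas_redis <redis.conf> <openvassd.conf>
    redis_conf=$1 scanner_conf=$2 rc=0
    sock=$(conf_get "$redis_conf" unixsocket)

    [ -n "$sock" ] || { echo "FAIL: unixsocket is not set"; rc=1; }
    [ "$(conf_get "$redis_conf" unixsocketperm)" = 700 ] ||
        { echo "FAIL: unixsocketperm should be 700"; rc=1; }
    # port 0 stops redis from listening on TCP at all
    [ "$(conf_get "$redis_conf" port)" = 0 ] ||
        { echo "FAIL: port should be 0 (TCP listener still enabled)"; rc=1; }
    [ "$(conf_get "$redis_conf" timeout)" = 0 ] ||
        { echo "FAIL: timeout should be 0"; rc=1; }
    case $(conf_get "$redis_conf" databases) in
        ''|*[!0-9]*) echo "FAIL: databases is not set to a number"; rc=1 ;;
    esac
    # Any uncommented save line other than  save ""  leaves snapshots enabled
    if awk '$1 == "save" && $2 != "\"\"" { found = 1 }
            END { exit !found }' "$redis_conf"; then
        echo "FAIL: active save lines present"; rc=1
    fi
    # kb_location in openvassd.conf must point at the same socket
    kb=$(sed -n 's/^[[:space:]]*kb_location[[:space:]]*=[[:space:]]*//p' \
        "$scanner_conf" | tail -n 1)
    [ -n "$sock" ] && [ "$kb" = "$sock" ] ||
        { echo "FAIL: kb_location '$kb' does not match unixsocket '$sock'"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: redis and openvassd settings match"
    return "$rc"
}

# Run the audit only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_openvas_redis "$1" "$2"
fi
```

The script only reads the two files; it does not check the permissions of the socket itself, which exist only after redis has been restarted.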

haveged (optional)

If running OpenVAS in a virtual machine or on any other system with low entropy, install haveged to gather more entropy. This is required for e.g. the key material used for the encrypted credentials saved within the openvas-manager database.

Installation

Install the openvas package group from the official repositories. This group provides the openvas-cli command-line omp interface and greenbone-security-assistant web interface via the gsad daemon along with other OpenVAS dependencies.

Initial setup

Create certificates for the server and client (default values were used):

# openvas-manage-certs -a

Update the plugins and vulnerability data:

# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync

Note: If GSA complains that the scapdata database is missing, it may be necessary to use greenbone-scapdata-sync --refresh.


Start the scanner service:

# systemctl start openvas-scanner

Rebuild the database:

# openvasmd --rebuild --progress

Add an administrator user account; be sure to copy the password:

# openvasmd --create-user=admin --role=Admin


Getting started

Start the openvasmd daemon:

# openvasmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional):

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and log in with your admin credentials.

Note: By default, gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Note: The Greenbone Security Assistant WebUI requires the texlive-most package in order to provide PDF downloads of the reports.

Systemd

Red Hat-based systemd units are available in the AUR package openvas-systemd. They contain a few tweaks such as better TLS settings.

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# openvasmd --migrate --progress

See also