Difference between revisions of "OpenVAS"

From ArchWiki
Revision comparison (26 intermediate revisions by 10 users not shown). The older revision read as follows; the latest revision is rendered in full below.

[[Category:Networking]]
[[Category:Security]]
{{stub}}

==Overview==
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

==Installation==
Currently, [https://aur.archlinux.org/packages.php?ID=33721 OpenVAS] is available through the [[AUR]].

Installing it will also provide you with the OpenVAS [https://aur.archlinux.org/packages.php?ID=22948&O=&L=&C=&K=&SB=&SO=&PP=&do_Orphans=&SeB= client] and [https://aur.archlinux.org/packages.php?ID=22944&O=&L=&C=&K=&SB=&SO=&PP=&do_Orphans=&SeB= libraries].

==Managing users==
To be able to use OpenVAS you first need to create an OpenVAS user. OpenVAS supports two user authentication methods: passwords and SSL certificates.

To add a new user, run the following with root privileges:
 # openvas-adduser

This will prompt you to choose one of the two methods as the means of authentication.

You can also remove a user (also with root privileges):
 # openvas-rmuser

You can make a new user certificate using (with root privileges):
 # openvas-mkcert

==Updating==
Before running OpenVAS you should fetch new plugins and the newest security checks:
 # openvas-nvt-sync

There is a problem with openvas-nvt-sync updating (this affects the currently available version, 3.0.2-1). To fix it, edit /usr/sbin/openvas-nvt-sync, find the line containing SYNC_TMP_DIR and change it to look like:
 SYNC_TMP_DIR=`mktemp -d openvas-nvt-sync.XXXXXXXXXX -t`

==Running OpenVAS==
To use OpenVAS, you first need to start the OpenVAS server:
 # openvassd

To start the OpenVAS client run:
 # OpenVAS-Client &

From OpenVAS-Client you will have to connect to the OpenVAS server using the user you previously created.

==See Also==
* [http://www.openvas.org/ OpenVAS] Official OpenVAS website.
* [http://www.openvas.org/compendium/openvas-compendium.html OpenVAS Compendium] A Publication of the OpenVAS Project.

The latest revision keeps both categories and adds the [[ja:OpenVAS]] interlanguage link; its body is rendered below.

Latest revision as of 18:43, 30 March 2016

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Installation

Install the openvas package group from the official repositories. This group provides the openvas-cli command-line omp interface and greenbone-security-assistant web interface via the gsad daemon along with other OpenVAS dependencies.

Initial setup

Create a certificate for the server, choosing the default values if desired:

# openvas-mkcert

Create a client certificate:

# openvas-mkcert-client -n -i

Update the plugins and vulnerability data:

# openvas-nvt-sync
# openvas-scapdata-sync
# openvas-certdata-sync

Start the scanner service:

# systemctl start openvas-scanner

Rebuild the database:

# openvasmd --rebuild --progress

Add an administrator user account; be sure to copy the generated password:

# openvasmd --create-user=admin --role=Admin

Post-Install

Configure redis as prescribed by the OpenVAS redis configuration. In summary, add the following to /etc/redis.conf:

unixsocket /var/lib/redis/redis.sock
port 0
timeout 0

Create /etc/openvas/openvassd.conf and add the following to it:

kb_location = /var/lib/redis/redis.sock

Finally, restart redis:

# systemctl restart redis

Getting Started

Start the openvasmd daemon:

# openvasmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional):

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and log in with your admin credentials.

Note: By default, gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.

Systemd

Red Hat based systemd units are available in the AUR package openvas-systemd (AUR). They contain a few tweaks such as better TLS settings.

At the time of writing, the openvas package group provides no service files that manage openvasmd or gsad. Until they are added, consider using and customizing the following service files to ease the deployment of a streamlined OpenVAS system:

$ cat /usr/lib/systemd/system/openvas-manager.service 
[Unit]
Description = OpenVAS Manager
Wants = openvas-scanner.service
After = network.target

[Service]
ExecStart = /usr/bin/openvasmd --foreground -p 9390 -a 127.0.0.1

[Install]
WantedBy = multi-user.target

$ cat /usr/lib/systemd/system/gsa.service
[Unit]
Description = Greenbone Security Assistant
After = network.target

[Service]
ExecStart = /usr/bin/gsad --foreground

[Install]
WantedBy = multi-user.target

Note: --foreground is needed and not optional.

Finally, start/enable your newly created openvas-manager and gsa services in addition to openvas-scanner if you haven't already started it.

Note: openvas-manager should start immediately but will take time to load NVTs. You won't be able to start scanning until all NVTs are loaded.
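Added example, not from the ArchWiki page or the OpenVAS project: a POSIX shell script that checks the redis, openvassd.conf and systemd unit settings from the Post-Install and Systemd sections above (redis listening only on its unix socket, kb_location pointing at that socket, units running in the foreground and pinned to 127.0.0.1). It runs against constructed sample files; the only assumption is that the real files live at the paths this page uses.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: sanity-check the redis, openvassd
# and systemd unit settings from the Post-Install and Systemd sections before
# starting the scanner. The sample files created below are constructed.

# redis.conf must disable the TCP listener (port 0), define a unix socket and set timeout 0.
check_redis_conf() {
    grep -Eq '^[[:space:]]*port[[:space:]]+0[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*unixsocket[[:space:]]+/' "$1" &&
    grep -Eq '^[[:space:]]*timeout[[:space:]]+0[[:space:]]*$' "$1"
}

# openvassd.conf's kb_location must name the socket redis actually creates (last unixsocket wins).
check_kb_location() {
    sock=$(awk '$1 == "unixsocket" { p = $2 } END { print p }' "$1")
    kb=$(awk -F= '$1 ~ /^[ \t]*kb_location[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 } END { print v }' "$2")
    [ -n "$sock" ] && [ "$sock" = "$kb" ]
}

# A unit's ExecStart must run the daemon in the foreground and bind it to 127.0.0.1 only.
check_unit() {
    exec_line=$(awk -F= '$1 ~ /^[ \t]*ExecStart[ \t]*$/ { sub(/^[^=]*=/, ""); print }' "$1")
    case "$exec_line" in
        *--foreground*127.0.0.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files mirroring the page's configuration and units.
d=$(mktemp -d)
printf 'unixsocket /var/lib/redis/redis.sock\nport 0\ntimeout 0\n' > "$d/redis.conf"
printf 'kb_location = /var/lib/redis/redis.sock\n' > "$d/openvassd.conf"
printf '[Service]\nExecStart = /usr/bin/openvasmd --foreground -p 9390 -a 127.0.0.1\n' > "$d/openvas-manager.service"
printf '[Service]\nExecStart = /usr/bin/gsad --foreground\n' > "$d/gsa.service"

check_redis_conf "$d/redis.conf" && echo "redis.conf: ok"
check_kb_location "$d/redis.conf" "$d/openvassd.conf" && echo "kb_location: ok"
check_unit "$d/openvas-manager.service" && echo "openvas-manager.service: ok"
check_unit "$d/gsa.service" || echo "gsa.service: gsad is not pinned to 127.0.0.1"
```

Point the functions at /etc/redis.conf, /etc/openvas/openvassd.conf and the real unit files to check a live system; the gsa.service unit shown above carries no --listen address, so check_unit reports it.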

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# openvasmd --migrate --progress

See Also