
Getting Started with OpenVAS on CentOS - an open source vulnerability scanner

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. (Taken from the OpenVAS website, which is at http://www.openvas.org/ )






This blog entry introduces OpenVAS version 3.1 and walks through installation on CentOS. It is intended as a "getting started" guide. I'll also do a guide for installing on Ubuntu later.


OpenVAS is an open-source alternative to online services like "McAfee Secure", which scan your site daily for numerous vulnerabilities.  There is no claim that it is BETTER than those paid services (not likely to be the case), but it is actively maintained and updates get pushed out often, so it should be a good choice for organizations that don't have the money for a commercial service, or if, like me, you are a DIY kind of person.

As is often the case, documentation is sparse, and is often the last thing to get done with open source projects.  This is precisely why I am documenting things here to help the other people in the world that may not have time to "figure it out."

A word of caution:  My review/documentation comes with no warranties.  I didn't write OpenVAS, I'm just trying to figure it out and document it for you.  Also, don't be a fool -- back up your server, or work in a development environment the first time you set this up.  Don't crash a production server because you cut corners.

Installation

I haven't been able to confirm whether OpenVAS actually has feature-complete software for Windows, but clearly they are predominantly supporting Linux.  As such, I decided to install on one of my Linux VMs which happens to run CentOS.

The first thing to do is add the repository to yum so you can install/update packages:

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

Once that is done, you can actually install the packages using yum like so:

yum install libopenvas3 openvas-scanner openvas-cli openvas-administrator openvas-manager gsd libmicrohttpd10 libnet1 gpg greenbone-security-assistant libxslt gcc

Depending on what you installed on your server, yum will likely want to either update or install other packages due to dependencies in the openvas packages.  You should allow this.

Generate a Client and Server SSL Certificate and "om" user

OpenVAS requires that all communication happen through secure connections, so you will need to generate an SSL certificate.  They provide a utility to help:

openvas-mkcert-client

Follow the on-screen prompts, which are a lot like generating an SSL cert for Apache.

When you are done, it generates files in a temporary location.  It will say something like this:

Your client certificates are in /tmp/openvas-mkcert-client.xxxx .

You now need to copy the important files to the right places.  Run these from that temporary directory:

cp key_om.pem /var/lib/openvas/private/CA/clientkey.pem 
cp cert_om.pem /var/lib/openvas/CA/clientcert.pem

Adding a User

The next step is to add a user to OpenVAS which you can use to configure and manage the system.

A script is included to assist with this as well (located in /usr/sbin):

openvas-adduser

Follow the on-screen prompts to create your user.  You can require authentication using a cert or a password.  I have not tried using a cert, so if you are just getting started, choose password authentication.

When asked about "User rules", you can be very restrictive or very open.  For testing purposes, I entered a default rule of "default allow" so that my user can do anything.  If I let others use the system, I would change this.  Refer to this page for more information about how to write rules: http://www.openvas.org/compendium/adding-new-users.html.  Remember to type Control-D to finish entering rules.

It will ask you to confirm your info and then will create the account.

Advanced Configuration Options

I'm not going to go into this, but you can tweak a lot of settings in the configuration file.  A reference for some of those settings is available online here: http://www.openvas.org/compendium/advanced-configuration-server.html

Setting up NVT Feeds

NVTs are "Network Vulnerability Tests", and an NVT feed is a source for NVT definitions and updates.

There is a command line utility that handles all the heavy lifting to synchronize the NVT definitions.

openvas-nvt-sync

When you run it, you will see a ton of lines like this:

fcore_2009_3893.nasl
        4922 100%    7.29kB/s    0:00:00 (xfer#7447, to-check=32263/39714)

This is all normal.  Let it do its thing.

Just run this utility periodically, or automate it with cron.  There are some docs on how to do that here: http://www.openvas.org/compendium/automatically-updating-an-nvt-feed.html

Set Trust Level For NVTs

Run these commands to set default trust for the rules you just downloaded.

wget http://www.openvas.org/OpenVAS_TI.asc
mkdir /etc/openvas/gnupg
gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

For more documentation on how to manage the trust levels in more depth, see http://www.openvas.org/trusted-nvts.html
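An added example (not part of the original post) that audits a synced NVT directory against the keyring created above. It assumes each NVT "name.nasl" ships with a detached signature "name.nasl.asc"; the function names and the directory argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: every NVT "name.nasl" has a detached signature "name.nasl.asc".

# Keyring created by the import step above; override via the environment.
GNUPG_HOME="${GNUPG_HOME:-/etc/openvas/gnupg}"

# Print every .nasl file under DIR ($1) that has no signature file beside it.
unsigned_nvts() {
    find "$1" -type f -name '*.nasl' | sort | while IFS= read -r nvt; do
        [ -f "$nvt.asc" ] || printf '%s\n' "$nvt"
    done
}

# Verify one NVT against the imported key. Returns gpg's exit status
# (0 means a good signature from a key present in the keyring).
verify_nvt() {
    gpg --homedir="$GNUPG_HOME" --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Summarise DIR ($1): count NVTs with good, bad and missing signatures.
# Returns non-zero if any NVT is unsigned or fails verification.
audit_nvts() {
    dir=$1; good=0; bad=0; missing=0
    list=$(mktemp) || return 2
    find "$dir" -type f -name '*.nasl' > "$list"
    while IFS= read -r nvt; do
        if [ ! -f "$nvt.asc" ]; then
            missing=$((missing + 1))
        elif verify_nvt "$nvt"; then
            good=$((good + 1))
        else
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "good=$good bad=$bad unsigned=$missing"
    [ "$bad" -eq 0 ] && [ "$missing" -eq 0 ]
}
```

Call audit_nvts with the directory that openvas-nvt-sync writes to, for example after each sync.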

Side Step (sqlite)

Turns out that my CentOS5 (or RHEL 5) has sqlite 3.3.x installed, but openvas needs 3.5 or newer.  In order to not break dependencies on other software, I nabbed a new sqlite from source and compiled it like so:

wget http://www.sqlite.org/sqlite-autoconf-xxxxxxx.tar.gz
tar xzvf sqlite-autoconf-xxxxxxxx.tar.gz
cd sqlite-autoconf-xxxxxxxxx
./configure --prefix=/opt/sqlite
make
make install
export LD_LIBRARY_PATH=/opt/sqlite/lib

I also added the export statement to /etc/profile so that it gets picked up after reboot, or next time I log in.

Start 'er up

/usr/sbin/openvassd -p 9390 -q

You can verify that it is running by typing this command:

ps -ef | grep '[o]penvas'

Which will show you a running process if it is there.
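ps only shows that the process exists. The added example below (not from the original post) reads `netstat -tlnp` output and reports which address and port each OpenVAS daemon is listening on. The netstat lines are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample of `netstat -tlnp` output (PIDs and ports are made up).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:9390      0.0.0.0:*         LISTEN   2311/openvassd
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN   1822/sendmail: acce
tcp        0      0 :::443            :::*              LISTEN   2340/gsad'

# Read netstat -tlnp text on stdin and print one line per OpenVAS listener:
#   <program> <address> <port> <loopback|network>
# "network" means the socket accepts connections from other hosts.
openvas_listeners() {
    awk '$6 == "LISTEN" && split($7, p, "/") == 2 && p[2] ~ /^(openvas|gsad)/ {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "network"
        printf "%s %s %s %s\n", p[2], host, port, scope
    }'
}

# Succeed only if every daemon named in "$@" has a listening socket
# in the netstat text on stdin.
daemons_listening() {
    found=$(openvas_listeners | cut -d' ' -f1 | sort -u)
    for d in "$@"; do
        printf '%s\n' "$found" | grep -qx "$d" || {
            echo "not listening: $d" >&2
            return 1
        }
    done
}

# Live usage (as root, so netstat can show program names):
#   netstat -tlnp | openvas_listeners
#   netstat -tlnp | daemons_listening openvassd gsad
```

A listener reported as "network" is reachable from other machines, so check that your firewall rules match who should be able to reach the scanner and the web interface.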

Also, let's start the Greenbone Security Assistant.  Heh, I chuckled about the name too.

/usr/sbin/gsad

Now you should be able to log into the greenbone web interface at:

https://yourhost.domain.com  (note the "s" in https..)

Note:  Because you created your own certificate and CA (Certificate Authority), your browser will not automatically accept the SSL certificate you are using.  You can either pay for your own cert from a CA like Verisign or GoDaddy, or just add a security exception in your browser, which is what I did.

If you can't log in (I had problems the first time), make sure you check the logs in /var/log/openvas.  The openvassd log said something about needing to initialize or rebuild the database, so to do that, I ran this command:

openvasmd --sport 9390 -u --rebuild -v
  
and then restarted openvassd and gsad, which took care of it.
