The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. (Taken from the OpenVAS website, which is at http://www.openvas.org/ )
This blog entry will introduce OpenVAS version 3.1, walk through installation on CentOS and is intended as a "getting started" guide. I'll also do a guide for installing on Ubuntu later.
OpenVAS is an open-source alternative to online services like "McAfee Secure" that scan your site daily for numerous vulnerabilities. I make no claim that it is BETTER than those paid services (not likely to be the case), but it is actively maintained and updates get pushed out often, so it should be a good choice for organizations that don't have the money for a commercial service, or if, like me, you are a DIY kind of person.
As is often the case, documentation is sparse, and is often the last thing to get done with open source projects. This is precisely why I am documenting things here to help the other people in the world that may not have time to "figure it out."
A word of caution: My review/documentation comes with no warranties. I didn't write OpenVAS, I'm just trying to figure it out and document it for you. Also, don't be a fool -- back up your server, or work in a development environment the first time you set this up. Don't crash a production server because you cut corners.
I haven't been able to confirm whether OpenVAS actually has feature-complete software for Windows, but clearly they are predominantly supporting Linux. As such, I decided to install on one of my Linux VMs, which happens to run CentOS.
The first thing to do is add the repository to yum so you can install/update packages:
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Once that is done, you can actually install the packages using yum like so:
yum install libopenvas3 openvas-scanner openvas-cli openvas-administrator openvas-manager greenbone-security-assistant gsd libmicrohttpd10 libnet1 gpg libxslt gcc
Depending on what you installed on your server, yum will likely want to either update or install other packages due to dependencies in the openvas packages. You should allow this.
Generate a Client and Server SSL Certificate and "om" user
OpenVAS requires that all communication happen through secure connections, so you will need to generate an SSL certificate. They provide a utility to help:
Follow the on-screen prompts, which is a lot like generating an SSL cert for Apache.
When you are done, it generates files in a temporary location. It will say something like this:
Your client certificates are in /tmp/openvas-mkcert-client.xxxx .
You now need to copy the important files from that directory to the right places:
cp key_om.pem /var/lib/openvas/private/CA/clientkey.pem
cp cert_om.pem /var/lib/openvas/CA/clientcert.pem
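The copy step above, as an added example that is not from the original post or from OpenVAS itself: a small shell function that takes the temporary directory openvas-mkcert-client reports, checks both files are really there before touching anything, copies them to the paths named above, and locks down the private key. The optional second argument (a destination prefix) is an assumption added so the function can be exercised against a scratch directory; leave it off on the real host. The second function prints a certificate's SHA-256 fingerprint with openssl, which is the value to compare against the browser's dialog before adding a security exception for the web interface later on.

```shell
#!/bin/sh
# Added example, not part of the original post. Copies the "om" client key
# and certificate from the temporary directory that openvas-mkcert-client
# reports into the locations used in this guide.
#   $1 = temporary directory (e.g. /tmp/openvas-mkcert-client.xxxx)
#   $2 = optional destination prefix (assumption for testing; empty on a real host)
install_om_client_cert() {
    src_dir=$1
    dest_root=${2:-}
    key_dir="$dest_root/var/lib/openvas/private/CA"
    cert_dir="$dest_root/var/lib/openvas/CA"

    # Refuse to continue if the generator did not produce both files;
    # a half-copied pair is harder to debug than a clear error.
    for f in key_om.pem cert_om.pem; do
        if [ ! -f "$src_dir/$f" ]; then
            echo "install_om_client_cert: missing $src_dir/$f" >&2
            return 1
        fi
    done

    mkdir -p "$key_dir" "$cert_dir"
    cp "$src_dir/key_om.pem" "$key_dir/clientkey.pem"
    cp "$src_dir/cert_om.pem" "$cert_dir/clientcert.pem"

    # The private key should be readable only by the account that runs
    # openvasmd (assumed to be root in this setup); the certificate is public.
    chmod 600 "$key_dir/clientkey.pem"
    chmod 644 "$cert_dir/clientcert.pem"
}

# Print the SHA-256 fingerprint of a PEM certificate (colon-separated hex),
# e.g. to compare with what the browser shows before trusting a self-signed cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage on the real host (uncomment and fill in the actual temp directory):
# install_om_client_cert /tmp/openvas-mkcert-client.xxxx
# cert_fingerprint /var/lib/openvas/CA/clientcert.pem
```

Run it as root from any directory; unlike the bare cp commands it does not depend on your current working directory being the temporary one.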
Adding a User
The next step is to add a user to OpenVAS which you can use to configure and manage the system.
A script is included to assist with this as well (located in /usr/sbin):
Follow the on-screen prompts to create your user. You can require authentication using a cert or a password. I have not tried using a cert, so if you are just getting started, choose password authentication.
When asked about "User rules", you can be very restrictive or very open. For testing purposes, I entered a default rule of "default allow" so that my user can do anything. If I let others use the system, I would change this. Refer to this page for more information about how to write rules: http://www.openvas.org/compendium/adding-new-users.html. Remember to type Control-D to finish entering rules.
It will ask you to confirm your info and then will create the account.
Advanced Configuration Options
I'm not going to go into this, but you can tweak a lot of settings for the configuration file. The reference to some of those settings is available online here: http://www.openvas.org/compendium/advanced-configuration-server.html
Setting up NVT Feeds
NVTs are "Network Vulnerability Tests", and an NVT feed is a source for NVT definitions and updates.
There is a command line utility that handles all the heavy lifting to synchronize the NVT definitions.
When you run it, you will see a ton of lines like this:
4922 100% 7.29kB/s 0:00:00 (xfer#7447, to-check=32263/39714)
This is all normal. Let it do its thing.
Just run this utility periodically, or automate it with cron. There are some docs on how to do that here: http://www.openvas.org/compendium/automatically-updating-an-nvt-feed.html
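For the cron automation mentioned above, here is an added wrapper (not from the original post or from the OpenVAS project) that a practitioner would want around a feed sync: it uses an atomic mkdir as a lock so two overlapping cron runs of the long rsync cannot trample each other, logs start and end times with the exit status, and returns the sync utility's exit code so cron reports failures. The sync command, lock directory and log file are all passed in as arguments, since this guide does not name the utility; substitute the feed-sync utility installed with the openvas packages.

```shell
#!/bin/sh
# Added example, not part of the original post. Wrapper for running the NVT
# feed synchronization from cron.
#   $1 = the feed-sync command to run (substitute the utility from the openvas packages)
#   $2 = lock directory (assumed path, e.g. /var/lock/nvt-sync)
#   $3 = log file (assumed path, e.g. /var/log/openvas/nvt-sync.log)
# Returns 2 if another run holds the lock, otherwise the sync command's status.
run_nvt_sync() {
    sync_cmd=$1
    lock_dir=$2
    log_file=$3

    # mkdir either creates the directory or fails atomically, so it serves as
    # a race-free lock: a second run started by cron while the first is still
    # syncing is refused instead of racing it.
    if ! mkdir "$lock_dir" 2>/dev/null; then
        echo "$(date '+%F %T') sync skipped: lock $lock_dir is held" >>"$log_file"
        return 2
    fi

    echo "$(date '+%F %T') sync started" >>"$log_file"
    $sync_cmd >>"$log_file" 2>&1
    status=$?
    echo "$(date '+%F %T') sync finished with status $status" >>"$log_file"

    # Release the lock even when the sync failed, so the next run can retry.
    rmdir "$lock_dir"
    return "$status"
}

# When this file is run as a script with three arguments, do the sync; when
# it is sourced (or run without arguments) only the function is defined.
case $# in
    3) run_nvt_sync "$@" ;;
esac

# Example crontab entry (assumed paths) to sync nightly at 03:17:
# 17 3 * * * root /usr/local/sbin/nvt-sync.sh /path/to/feed-sync-utility /var/lock/nvt-sync /var/log/openvas/nvt-sync.log
```

Because the wrapper exits non-zero on failure, cron's usual mail-on-output behaviour plus the log file give you a record of a feed that has silently stopped updating, which is the failure mode that matters for a scanner.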
Set Trust Level For NVTs
Run these commands to set default trust for the rules you just downloaded.
gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc
For more documentation on how to manage the trust levels in more depth, see http://www.openvas.org/trusted-nvts.html
Side Step (sqlite)
Turns out that my CentOS5 (or RHEL 5) has sqlite 3.3.x installed, but openvas needs 3.5 or newer. In order to not break dependencies on other software, I nabbed a new sqlite from source and compiled it like so:
tar xzvf sqlite-autoconf-xxxxxxxx.tar.gz
I also added the export statement to /etc/profile so that it gets picked up after a reboot or the next time I log in.
Start 'er up
/usr/sbin/openvassd -p 9390 -q
You can verify that it is running by typing this command:
ps -ef | grep openvas
This will show the running process if it is there. Note that the grep command itself also matches "openvas", so look for an actual openvassd line in the output rather than just checking that something was printed.
Also, let's start the Greenbone Security Assistant. Heh, I chuckled about the name too.
Now you should be able to log into the greenbone web interface at:
https://yourhost.domain.com (note the "s" in https).
Note: Because you created your own certificate and CA (Certificate Authority), your browser will not automatically accept the SSL certificate you are using. You can either pay for your own cert from a CA like Verisign or GoDaddy, or just add a security exception in your browser, which is what I did.
If you can't log in (I had problems the first time), make sure you check the logs in /var/logs/openvas. The openvassd log said something about needing to initialize or rebuild the database, so to do that, I ran this command:
openvasmd --sport 9390 -u --rebuild -v
and then restarted openvassd and gsad, which took care of it.