Setting up GVM10

From Alpine Linux
Revision as of 20:22, 9 April 2019 by Fcolista (talk | contribs) (Greenbone Vulnerability Management 10)

Greenbone Vulnerability Management (GVM) 10

Introduction

With version 10, OpenVAS has been renamed Greenbone Vulnerability Management (GVM); it is available in the community repository starting from Alpine 3.10.

This How-To guides you through installing a complete server solution for vulnerability scanning and vulnerability management.

Install

Enable/Add Community repository:

echo http://dl-cdn.alpinelinux.org/alpine/edge/community >> /etc/apk/repositories && apk update

apk add gvmd gnutls-utils openvas-scanner greenbone-security-assistant python3 redis

Configuration

Redis

OpenVAS relies on Redis. Redis should be configured to listen on a Unix socket only, with its TCP port disabled.

Modify /etc/redis.conf by setting:

unixsocket /tmp/redis.sock
unixsocketperm 700
port 0

Then start redis and add it to default runlevel:

rc-service redis start
rc-update add redis
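The three redis.conf settings above, applied idempotently and then checked, as an added example that is not part of the wiki page. It assumes the default file path /etc/redis.conf (overridable by argument) and relies on Redis taking the last uncommented occurrence of a directive, so a stale "port 6379" must be rewritten rather than merely appended to.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page): set the Redis socket-only
# configuration in place and verify the effective values before starting Redis.

# Replace an active "key value" line, or append one if the key is absent.
set_redis_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -e "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of a directive: the last uncommented occurrence wins.
redis_effective() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Return 0 only if Redis will listen on the socket alone, owner-only perms.
check_redis_conf() {
    file=$1
    [ "$(redis_effective "$file" port)" = "0" ] \
        || { echo "TCP port still enabled in $file" >&2; return 1; }
    [ -n "$(redis_effective "$file" unixsocket)" ] \
        || { echo "no unixsocket configured in $file" >&2; return 1; }
    [ "$(redis_effective "$file" unixsocketperm)" = "700" ] \
        || { echo "unixsocketperm is not 700 in $file" >&2; return 1; }
}

# Apply the page's three settings, then verify the result.
configure_redis() {
    file=${1:-/etc/redis.conf}
    set_redis_directive "$file" unixsocket /tmp/redis.sock
    set_redis_directive "$file" unixsocketperm 700
    set_redis_directive "$file" port 0
    check_redis_conf "$file"
}
```

Run configure_redis before "rc-service redis start"; a non-zero exit means the file still allows a TCP listener or lacks the socket settings.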

Greenbone Vulnerability Manager

Upgrade the NVT (Network Vulnerability Tests) archives:

greenbone-nvt-sync
greenbone-scapdata-sync --rsync
greenbone-certdata-sync

Be patient; it will take a while. If you get errors like these:

rsync: failed to connect to feed.openvas.org (89.146.224.58): Connection refused (111)
rsync: failed to connect to feed.openvas.org (2a01:130:2000:127::d1): Network unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]

then try appending the --rsync argument, like:

greenbone-scapdata-sync --rsync

Now, generate the certificate for gvmd.

The certificate infrastructure enables the OpenVAS daemons to communicate securely; it is used for authentication and authorization before TLS connections are established between the daemons. You can set up the certificates automatically with:

gvm-manage-certs -a

Create a new user with Admin role, and take note of the generated password:

gvmd --create-user=admin --role=Admin
User created with password '18664575-7101-4ceb-8a94-429a376824e6'

Note: if you want to change the password you can run:

gvmd --user=admin --new-password=MyNewVeryStrongPassword

Start Greenbone Vulnerability Manager and add it to the default runlevel:

rc-service gvmd start

This will take a while, since gvmd is rebuilding its database with all the NVT definitions just downloaded. With ps aux you will see the gvmd process in the "Syncing SCAP" state.

rc-service gvmd restart
rc-update add gvmd

OpenVAS Scanner

Generate the OpenVAS Scanner cache:

rc-service openvassd stop
rc-service openvassd create_cache
rc-service openvassd start

Add the OpenVAS services to default runlevel:

rc-update add openvassd

Greenbone Security Assistant (GSAD)

Configure Greenbone Security Assistant (GSAD) to listen on all interfaces rather than on localhost only, so it is reachable from other hosts.

Modify /etc/conf.d/gsad with:

GSAD_LISTEN="--listen=0.0.0.0"

Or, in one shot:

sed -i -e "s/127\.0\.0\.1/0\.0\.0\.0/g" /etc/conf.d/gsad

Start GSAD and add it to default runlevel:

rc-service gsad start
rc-update add gsad

Open your browser at the IP address where GSAD is running, on port 9392, and log in with the credentials created earlier.

Happy vulnerability assessment!

Misc

Configure Trusted NVTs

Summary from https://community.greenbone.net/t/gcf-managing-the-digital-signatures/101 :

"Signed NVTs are usually provided by NVT Feed Services. For example, the NVTs contained in the OpenVAS NVT Feed are signed by the 'OpenVAS Transfer Integrity' key which you can find at the bottom of this page. If you have already installed OpenVAS, you can use the 'greenbone-nvt-sync' command to synchronize your NVT collection with the OpenVAS NVT Feed and receive signatures for all NVTs."

Create key

gpg --homedir=/etc/openvas/gnupg --gen-key

You need to choose a Realname, an Email and a Password. Example:

Realname: openvas
Email: openvas@localhost
Password: admin

Add a certificate to OpenVAS Scanner Keyring

Add the OpenVAS scanner Integrity Key:

wget https://www.greenbone.net/GBCommunitySigningKey.asc
gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc

Set trust

To mark a certificate as trusted for your purpose, you have to sign it. The preferred way is to use local signatures that remain only in the keyring of your OpenVAS Scanner installation.

To finally sign a certificate you need to know its KEY_ID.

You either get it from the table at the bottom of the Greenbone page linked above or via a "list-keys" command.

Then you can locally sign:

gpg --homedir=/etc/openvas/gnupg --list-keys
gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID

For example, to express your trust in the OpenVAS Transfer Integrity key you imported above, you could use the following command:

gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580

Before signing you should be absolutely sure that you are signing the correct certificate. You may use its fingerprint and other methods to convince yourself.

To enable NVT signing on openvassd:

sed -i -e "s/nasl_no_signature_check.*/nasl_no_signature_check = no/g" /etc/openvas/openvassd.conf

As a last step, restart the openvassd service:

rc-service openvassd restart
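The "Set trust" procedure above, carried through as an added example that is not part of the wiki page: compare the key's fingerprint against an expected value before signing locally, and only then enforce signature checks. The expected fingerprint is a placeholder to be taken from Greenbone's published signing-key page (not from the downloaded .asc itself); it also avoids a gap in the page's sed, which silently does nothing when nasl_no_signature_check is absent from openvassd.conf.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page): fingerprint check before
# lsign, then enforce NVT signature verification in openvassd.conf.
OPENVAS_GNUPG=/etc/openvas/gnupg
# PLACEHOLDER: replace with the fingerprint published by Greenbone.
EXPECTED_FPR="REPLACE_WITH_FINGERPRINT_FROM_GREENBONE_WEBSITE"

# Primary-key fingerprint: field 10 of the first "fpr" record in the
# machine-readable output of `gpg --with-colons --fingerprint`, read from stdin.
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints ignoring spaces and case; 0 on match, 1 otherwise.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Set "key = value": rewrite the active line, or append if the key is absent.
set_conf() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i -e "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Sign the key locally only if its fingerprint is the expected one, then
# turn on signature checking and restart the scanner (lsign-key is interactive).
trust_and_enforce() {
    keyid=$1
    actual=$(gpg --homedir="$OPENVAS_GNUPG" --with-colons --fingerprint "$keyid" \
             | primary_fingerprint)
    if ! fingerprint_matches "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch for $keyid: got '$actual'" >&2
        return 1
    fi
    gpg --homedir="$OPENVAS_GNUPG" --lsign-key "$keyid" || return 1
    set_conf /etc/openvas/openvassd.conf nasl_no_signature_check no
    rc-service openvassd restart
}
```

Call trust_and_enforce with the KEY_ID from "list-keys" (e.g. the 0ED1E580 id used above) after setting EXPECTED_FPR.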