Difference between revisions of "Setting up OpenVAS9"

From Alpine Linux
(Replaced content with "Deprecated in favor of https://wiki.alpinelinux.org/wiki/Setting_up_GVM11")
= Introduction =

Deprecated in favor of https://wiki.alpinelinux.org/wiki/Setting_up_GVM11

[http://www.openvas.org/src-doc/openvas-manager/index.html OpenVAS9] is described as "The world's most advanced Open Source vulnerability scanner and manager".

OpenVAS in Alpine Linux is available in the community repository.

This how-to guides you through installing a complete server for vulnerability scanning and vulnerability management.

= Install =

Enable the community repository and update the package index:

{{Cmd|echo http://dl-cdn.alpinelinux.org/alpine/edge/community >> /etc/apk/repositories && apk update}}

Install OpenVAS and its dependencies:

{{Cmd|apk add openvas-manager gnutls-utils openvas-cli openvas-scanner greenbone-security-assistant python2 redis}}

= Configuration =

== Redis ==

OpenVAS relies on Redis, which should be configured to listen on a Unix socket instead of a TCP port (port 0 disables the TCP listener, so Redis is not reachable over the network).

Modify '''/etc/redis.conf''' by uncommenting the two unixsocket lines and setting the port to 0:

 unixsocket /tmp/redis.sock
 unixsocketperm 700
 port 0

Or do it in one shot with:

 sed -i -e "s/# \(unix.*\)/\1/" /etc/redis.conf && sed -i -e "s/port\ 6379/port\ 0/g" /etc/redis.conf

Then start Redis and add it to the default runlevel:

 rc-service redis start
 rc-update add redis

== OpenVAS Manager ==

Synchronize the NVT (Network Vulnerability Tests), SCAP and CERT data feeds:

 greenbone-nvt-sync
 greenbone-scapdata-sync
 greenbone-certdata-sync

Be patient: this takes a while.

Generate the certificate for openvas-manager.

The certificate infrastructure lets the OpenVAS daemons communicate securely: it is used for authentication and authorization when the TLS connections between the daemons are established.

You can set up the certificate automatically with:

 openvas-manage-certs -a

Create a new user with the Admin role and take note of the generated password:

 openvasmd --create-user=admin --role=Admin

The password is printed once:

 User created with password '18664575-7101-4ceb-8a94-429a376824e6'.

'''Note:''' if you want to change the password you can run:

 openvasmd --user=admin --new-password=MyNewVeryStrongPassword

A password passed on the command line like this is recorded in the shell history, so clear it from the history afterwards.

Start OpenVAS Manager and rebuild its cache:

 rc-service openvasmd start
 openvasmd --rebuild --progress

This takes a while, because openvasmd rebuilds its database from all the NVT definitions just downloaded.

Then restart it and add it to the default runlevel:

 rc-service openvasmd restart
 rc-update add openvasmd

 
== OpenVAS Scanner ==

Generate the OpenVAS Scanner cache:

 rc-service openvassd stop
 rc-service openvassd create_cache
 rc-service openvassd start

Add the scanner service to the default runlevel:

 rc-update add openvassd

 
== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen on other interfaces rather than localhost only, so it is reachable from other hosts. Note that GSAD then serves its web interface over plain HTTP on every interface of the host: restrict access with a firewall and enable HTTPS as described under "Support HTTPS for GSAD" below.

Modify '''/etc/conf.d/gsad''' with:

 GSAD_LISTEN="--listen=0.0.0.0"

Or, in one shot:

 sed -i -e "s/127\.0\.0\.1/0\.0\.0\.0/g" /etc/conf.d/gsad

Start GSAD and add it to the default runlevel:

 rc-service gsad start
 rc-update add gsad

 
= Check =

If you want to check whether OpenVAS is correctly installed and configured, you can use the following script: [https://gist.github.com/fcolista/185a1e392bbea3d3dc0b7861408a2b74#file-openvas-alpine-check-setup openvas-alpine-check-setup]

You can download and run it with:

 wget https://gist.githubusercontent.com/fcolista/185a1e392bbea3d3dc0b7861408a2b74/raw/7ee1074f86e5856ee3bc6446ce5b79c7cf217a7a/openvas-alpine-check-setup && chmod +x openvas-alpine-check-setup && sh openvas-alpine-check-setup

You will probably get several '''WARNING:''' lines.

This is because out of the box OpenVAS is not shipped with some optional packages, and is not configured to listen on other interfaces besides localhost.

Follow the script's suggestions to make each warning go away.

'''Note:'''

GSAD's report generation relies on the LaTeX package, which is not yet complete in Alpine Linux.

You can use this script to get the latest LaTeX version available and working: [https://gist.github.com/fcolista/f47eaf2856a637ed9cea3bcfc6b003e6 fix-latex.sh]

When everything is fixed, point your browser at the IP address of the host where GSAD is running (for example 192.168.1.10): http://192.168.1.10:9392/login/login.html and log in with the credentials created previously.

 
= Misc =
 
 
 
== Configure Trusted NVTs ==

Summary from http://www.openvas.org/trusted-nvts.html :

"Signed NVTs are usually provided by NVT Feed Services. For example, the NVTs contained in the OpenVAS NVT Feed are signed by the "OpenVAS Transfer Integrity" key which you can find at the bottom of this page. If you have already installed OpenVAS, you can use the "greenbone-nvt-sync" command to synchronize your NVT collection with the OpenVAS NVT Feed and receive signatures for all NVTs."
 
 
 
=== Create key ===

 gpg --homedir=/etc/openvas/gnupg --gen-key

You need to choose a real name, an e-mail address and a passphrase (the example below is only an illustration; use a strong passphrase in practice).

Example:

 Realname: openvas
 Email: openvas@localhost
 Password: admin

 
=== Add a certificate to OpenVAS Scanner Keyring ===

Add the OpenVAS Transfer Integrity key, which the NVT feed is signed with:

 wget http://www.openvas.org/OpenVAS_TI.asc
 gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

 
=== Set trust ===

To mark a certificate as trusted for your purpose, you have to sign it. The preferred way is to use local signatures, which remain only in the keyring of your OpenVAS Scanner installation.

To sign a certificate you need to know its '''KEY_ID'''. You can get it either from the table at the bottom of the openvas.org page linked above or from the output of a "list-keys" command. Then you can locally sign it:

 gpg --homedir=/etc/openvas/gnupg --list-keys
 gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID

For example, to express your trust in the OpenVAS Transfer Integrity key you imported above, you could use the following command:

 gpg --homedir=/etc/openvas/gnupg --lsign-key 48DB4530

Before signing you should be absolutely sure that you are signing the correct certificate. You may use its fingerprint (shown by gpg --fingerprint) and other methods to convince yourself; this matters because the key above was fetched over plain HTTP.

To '''enable''' NVT signature checking in openvassd:

 sed -i -e "s/nasl_no_signature_check.*/nasl_no_signature_check = no/g" /etc/openvas/openvassd.conf

As a last step, restart the openvassd service:

 rc-service openvassd restart

 
== Support HTTPS for GSAD ==

You need to create a TLS certificate and private key (see https://wiki.alpinelinux.org/wiki/Generating_SSL_certs_with_ACF ).

Then update the '''/etc/conf.d/gsad''' file so that GSAD picks up the certificate and key.

This assumes that the certificate is called ''cert.pem'' and the private key ''cert.key'', both in '''/etc/openvas''' (make the key file readable only by the user gsad runs as):

 GSAD_EXTRA_ARGS="--ssl-private-key=/etc/openvas/cert.key --ssl-certificate=/etc/openvas/cert.pem --timeout=90"

Or, in one shot:

 sed -i -e "s/GSAD_EXTRA_ARGS=.*/GSAD_EXTRA_ARGS=\"--ssl-private-key=\/etc\/openvas\/cert.key --ssl-certificate=\/etc\/openvas\/cert.pem --timeout=90 -R\"/g" /etc/conf.d/gsad

Then, restart gsad:

  rc-service gsad restart
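As an added example (not the wiki's own openvas-alpine-check-setup script linked in the Check section, and not part of the original page), the POSIX sh functions below check the three settings this page edits by hand: the socket-only Redis listener, NVT signature checking in openvassd, and GSAD listening beyond localhost with HTTPS enabled. Each check takes a config file path and returns 0 on pass; the sample config files it builds are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not the wiki's script): checks the settings this how-to asks for
# in the three config files it edits. Sample configs are constructed inline.

# Pass if the file has an active (uncommented) line matching the ERE in $2.
has_setting() { grep -Eq "$2" "$1"; }

# Redis: TCP listener off ("port 0") and the Unix socket line enabled.
check_redis_conf() {
    if ! has_setting "$1" '^[[:space:]]*port[[:space:]]+0([[:space:]]|$)'; then
        echo "WARNING: $1: Redis still listens on TCP; set 'port 0'"; return 1
    fi
    if ! has_setting "$1" '^[[:space:]]*unixsocket[[:space:]]+/'; then
        echo "WARNING: $1: no active 'unixsocket' line"; return 1
    fi
    echo "OK: Redis listens on a Unix socket only"
}

# openvassd: NVT signature checking must be enabled (nasl_no_signature_check = no).
check_openvassd_conf() {
    if ! has_setting "$1" '^[[:space:]]*nasl_no_signature_check[[:space:]]*=[[:space:]]*no([[:space:]]|$)'; then
        echo "WARNING: $1: nasl_no_signature_check is not 'no'"; return 1
    fi
    echo "OK: NVT signatures are verified"
}

# gsad: listening on all interfaces and serving HTTPS with a key and certificate.
check_gsad_conf() {
    if ! has_setting "$1" '^GSAD_LISTEN=.*--listen=0\.0\.0\.0'; then
        echo "WARNING: $1: gsad only listens on localhost"; return 1
    fi
    if ! has_setting "$1" '^GSAD_EXTRA_ARGS=.*--ssl-private-key=' ||
       ! has_setting "$1" '^GSAD_EXTRA_ARGS=.*--ssl-certificate='; then
        echo "WARNING: $1: gsad serves plain HTTP; add --ssl-private-key/--ssl-certificate"; return 1
    fi
    echo "OK: gsad is reachable over HTTPS"
}

# Constructed sample files: one passing and one failing copy of each config.
make_sample_configs() {
    d=$(mktemp -d)
    printf 'unixsocket /tmp/redis.sock\nunixsocketperm 700\nport 0\n' > "$d/redis.good"
    printf '# unixsocket /tmp/redis.sock\nport 6379\n' > "$d/redis.bad"
    printf 'nasl_no_signature_check = no\n' > "$d/openvassd.good"
    printf 'nasl_no_signature_check = yes\n' > "$d/openvassd.bad"
    printf 'GSAD_LISTEN="--listen=0.0.0.0"\nGSAD_EXTRA_ARGS="--ssl-private-key=/etc/openvas/cert.key --ssl-certificate=/etc/openvas/cert.pem --timeout=90"\n' > "$d/gsad.good"
    printf 'GSAD_LISTEN="--listen=127.0.0.1"\nGSAD_EXTRA_ARGS=""\n' > "$d/gsad.bad"
    echo "$d"
}
```

On a real host, source the file and run check_redis_conf /etc/redis.conf, check_openvassd_conf /etc/openvas/openvassd.conf and check_gsad_conf /etc/conf.d/gsad.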
 
 
 
[[Category:Server]]
 
[[Category:Monitoring]]
 

Latest revision as of 08:44, 29 January 2021