Open Vulnerability Assessment System
Posted by Jeff Rangel | Posted on 1:37 PM
OpenVAS derives from the Nessus project which turned into a commercial product. All OpenVAS products are Free Software under the GNU General Public License (GNU GPL).
The OpenVAS software consists of five different parts, which are provided and maintained by the OpenVAS project. These parts are:
- OpenVAS-Server
- OpenVAS-Libraries
- OpenVAS-LibNASL
- OpenVAS-Plugins
- OpenVAS-Client
Additionally, OpenVAS-Client packages for Microsoft Windows XP SP2 are available on the OpenVAS website.
Please note that there are currently two different series available for download: the stable 1.0 series and the upcoming 2.0 series. The OpenVAS developers have recently announced the release of the 2.0-rc1 versions of openvas-libraries, openvas-libnasl, openvas-server and openvas-client.
In this step by step workshop we’ll describe how to compile, install and use OpenVAS on a Mandriva 2009 server and client. The workshop configuration could look like this:

Step 1: Installing Mandriva 2009 server
We think it is not necessary to explain how to install Mandriva 2009 and recommend reading the articles below in case of problems:
http://www.howtoforge.com/perfect-server-mandriva-2009.0-i386
http://www.howtoforge.com/perfect-server-mandriva-2009.0-x86_64
We recommend using the following website to add official media and the latest update resources:
http://easyurpmi.zarb.org
The automatic media setup usually works perfectly and will help you to get an up-to-date system quickly.
Make sure to have the following packages available on your system. We’ll need them later to compile OpenVAS. Use the urpmi command as described in this article.
gcc
make
libglib2.0-devel
bison
libopenssl0.9.8-devel
libgtk+2.0_0-devel
Depending on your installation, you may also need the following packages. Watch for error messages during the pre-configuration process in the next step:
libgnutls-devel
libpcap-devel
libgpgme-devel
Step 2: Compiling OpenVAS from source
After downloading the source code, please be aware that the installation process might copy files to places different from the ones expected by you or by the distribution you are using. If you are not careful, this may lead to unexpected results, especially if you install releases from different series or try to remove old copies of OpenVAS. Because of this, you should use a prefix (e.g. ./configure --prefix=/opt/openvas). In this case you can easily isolate all the files belonging to this particular OpenVAS version. You can also later uninstall OpenVAS from your machine by removing the related subdirectory.
You have to compile and install the packages in the following order:
1. openvas-libraries
2. openvas-libnasl
3. openvas-server
4. openvas-plugins
5. openvas-client
We recommend reading the files INSTALL and README inside the respective packages.
Let’s start with the libraries and end with the openvas-plugins:
mkdir /opt/openvas
tar xzf openvas-libraries-2.0.0.rc1.tar.gz
cd openvas-libraries-2.0.0.rc1
./configure --prefix=/opt/openvas
make
make install
cd ..
tar xzf openvas-libnasl-2.0.0.rc1.tar.gz
cd openvas-libnasl-2.0.0.rc1
./configure --prefix=/opt/openvas
make
make install
cd ..
tar xzf openvas-server-2.0.0.rc1.tar.gz
cd openvas-server-2.0.0.rc1
./configure --prefix=/opt/openvas
make
make install
cd ..
tar xzf openvas-plugins-1.0.5.tar.gz
cd openvas-plugins-1.0.5
./configure --prefix=/opt/openvas
make
make install
On your client machine just compile the following package like this:
tar xzf openvas-client-2.0.0.rc1.tar.gz
cd openvas-client-2.0.0.rc1
./configure --prefix=/opt/openvas
make
make install
Change the path variable like this:
Edit the root profile using your favourite editor as root and reboot your machine.
vi ~/.bash_profile
Add the following line at the end:
export PATH=$PATH:/opt/openvas/bin:/opt/openvas/sbin
To avoid problems with the openvas libraries, we need to create this symbolic link:
ln -s /opt/openvas/lib/libopenvasnasl.so.2 /lib
Step 3: Prepare OpenVAS for the first run
After installing OpenVAS-Server some additional steps are needed to get your OpenVAS installation up and running. For security reasons, communication between the OpenVAS server and client is only possible through SSL encrypted connections. In order to establish an SSL encrypted connection, the server needs to have an SSL certificate. We’ll use the command openvas-mkcert to generate it.
In addition, a client needs to have a user account on the server. The OpenVAS-Server package provides the openvas-adduser script to simplify the creation of user accounts.
You can restrict user access rights by implementing different rules. Please read the documentation for more details.
Just open your favourite console and use the following commands as root. If you have problems running them, please make sure to configure the PATH and library settings as mentioned in step 2. See the screenshots below:
openvas-mkcert
openvas-adduser
Step 4: Performing a synchronization with an OpenVAS NVT Feed
The OpenVAS project offers a public feed of Network Vulnerability Tests (NVTs). The feed contains all NASL plugins available in the OpenVAS source code repository and now contains more than 6000 plugins. The feed is usually updated every weekday.
http://www.openvas.org/nvt-feeds.html
The following command will connect to the only NVT feed currently available. At the end, it will verify the MD5 checksums of all synchronized files. If any of them fails, an error is reported. In this case you should retry a couple of minutes later:
openvas-nvt-sync
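The checksum verification described above can be repeated independently at any later time, for example before each server start. The following is an added example, not part of OpenVAS or of the original post; it assumes a manifest in md5sum format, and the function names, directory layout and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of OpenVAS). Assumption: the manifest is in md5sum
# format, "<hash>  <path relative to the plugin directory>".

# verify_nvt_dir DIR MANIFEST: print one line per problem, return 0 if clean.
verify_nvt_dir() {
    v_dir=$1; v_manifest=$2; v_status=0
    [ -r "$v_manifest" ] || { echo "ERROR cannot read $v_manifest"; return 2; }

    # Pass 1: every listed file must exist and hash to the recorded value.
    while read -r v_sum v_path; do
        [ -n "$v_sum" ] || continue
        v_path=${v_path#\*}                  # strip md5sum binary-mode marker
        if [ ! -f "$v_dir/$v_path" ]; then
            echo "MISSING $v_path"; v_status=1; continue
        fi
        v_actual=$(md5sum < "$v_dir/$v_path" | cut -d' ' -f1)
        [ "$v_actual" = "$v_sum" ] || { echo "MISMATCH $v_path"; v_status=1; }
    done < "$v_manifest"

    # Pass 2: a .nasl file the manifest never mentions was not covered by
    # the checksum run, so report it as well.
    v_extra=$(find "$v_dir" -type f -name '*.nasl' | sort | while IFS= read -r v_f; do
        v_rel=${v_f#"$v_dir"/}
        sed 's/^[0-9a-f]* [ *]//' "$v_manifest" | grep -qxF -- "$v_rel" ||
            echo "UNLISTED $v_rel"
    done)
    [ -z "$v_extra" ] || { echo "$v_extra"; v_status=1; }
    return $v_status
}

# Constructed sample feed: two listed plugins, one altered after the manifest
# was written, plus one plugin that is on disk but not in the manifest.
make_sample_feed() {
    s_root=$(mktemp -d) && mkdir "$s_root/plugins" || return 1
    echo 'script_id(1);' > "$s_root/plugins/a.nasl"
    echo 'script_id(2);' > "$s_root/plugins/b.nasl"
    (cd "$s_root/plugins" && md5sum a.nasl b.nasl) > "$s_root/md5sums"
    echo '# changed' >> "$s_root/plugins/b.nasl"
    echo 'script_id(3);' > "$s_root/plugins/c.nasl"
    echo "$s_root"
}

feed=$(make_sample_feed)
verify_nvt_dir "$feed/plugins" "$feed/md5sums" || echo "feed check failed, retry the sync"
rm -rf "$feed"
```

A non-zero return means the plugin directory does not match the manifest and the synchronization should be repeated before the server loads the plugins.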
Start the server using the following command:
openvasd -D
Step 5: Running the first scan using your Linux OpenVAS client
Please use your client machine and open the OpenVAS Client using the following command:
OpenVAS-Client
We recommend using the Scan Assistant as shown in the pictures below. It will guide you step by step and will help you to understand the procedure. At the end, you need to connect to the OpenVAS server. Use the server hostname (or IP address) and the username and password you created in step 3 using the openvas-adduser command.
Once you are connected to the server, you will receive all new plug-ins available and can start the scan process on the selected target.
The system will need some time to discover security holes and will give you appropriate references to remove them. You can also export the reports in different formats.
Step 6: Troubleshooting and additional help
Please use the following log files to discover problems. The tail command in a separate console will help you to keep an eye on your system:
tail -f /opt/openvas/var/log/openvas/openvasd.messages
tail -f /opt/openvas/var/log/openvas/openvasd.dump
The OpenVAS developers provide a mailing list you can use. To see the collection of prior postings to the list, visit the Openvas-discuss archives.
http://lists.wald.intevation.org/pipermail/openvas-discuss/
Read a complete OpenVAS Compendium here:
http://www.openvas.org/compendium/openvas-compendium.html
[Good Stuff to know for those Linux admins out there.]













