Friday, June 28, 2013

openvas on ubuntu 12.04 lts recipe

Let's set up OpenVAS on Ubuntu 12.04 LTS x86_64.
lifted from: http://hackertarget.com/install-openvas-5-in-ubuntu-12-04/

root@ubuntu:~# mkdir openvas ; cd openvas

Let's wget the proper packages (circa 6/2012):

wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/greenbone-security-assistant_3.0+beta8-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/gsd_1.2.2-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/libmicrohttpd10_0.9.21-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/libopenvas5_5.0.4-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-administrator_1.2.1-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-cli_1.1.4-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-manager_3.0.5-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-scanner_3.3.1-1_amd64.deb

The GUI Greenbone Security Desktop (gsd) isn't needed unless we plan on running it on a client system with a GUI.

Next step is to install a couple of extra packages that are required for OpenVAS.

# apt-get install libgpgme11 libpth20 sqlite3 xsltproc nmap

Then install the different OpenVAS components that we downloaded.

root@ubuntu:~# dpkg -i greenbone-security-assistant_3.0+beta8-1_amd64.deb openvas-administrator_1.2.1-1_amd64.deb \
libmicrohttpd10_0.9.21-1_amd64.deb openvas-cli_1.1.4-1_amd64.deb libopenvas5_5.0.4-1_amd64.deb openvas-manager_3.0.5-1_amd64.deb 

Since we are building a server based system for vulnerability scanning, we will be accessing the server components over the network. To change the default listen address from 127.0.0.1 localhost to the IP address of the local network interface we will change settings in these files.

root@ubuntu:~# vi /etc/default/greenbone-security-assistant 
root@ubuntu:~# vi /etc/default/openvas-manager 
root@ubuntu:~# vi /etc/default/greenbone-security-assistant 
root@ubuntu:~# vi /etc/default/openvas-administrator 
root@ubuntu:~# vi /etc/default/openvas-scanner

The init.d start scripts use these files to get the parameters for starting of the services.

The following steps are the straight from the OpenVAS project website, it involves setting up the certificates and creating the users.
http://www.openvas.org/

root@ubuntu:~# test -e /var/lib/openvas/CA/cacert.pem  || openvas-mkcert -q
root@ubuntu:~# openvas-nvt-sync
root@ubuntu:~# test -e /var/lib/openvas/users/om || openvas-mkcert-client -n om -i
root@ubuntu:~# /etc/init.d/openvas-manager stop
root@ubuntu:~# /etc/init.d/openvas-scanner stop
root@ubuntu:~# openvassd
root@ubuntu:~# openvasmd --migrate
root@ubuntu:~# openvasmd --rebuild
root@ubuntu:~# killall openvassd
root@ubuntu:~# /etc/init.d/openvas-scanner start
root@ubuntu:~# /etc/init.d/openvas-manager start
root@ubuntu:~# /etc/init.d/openvas-administrator restart
root@ubuntu:~# /etc/init.d/greenbone-security-assistant restart
root@ubuntu:~# test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin

It is likely that starting greenbone-security-assistant resulted in an error. This is due to a TLS issue in libmicrohttpd.  Note that GSAD is only required if you wish to use the web client, it is not necessary to run the GSD (Greenbone Security Desktop Client) and the OMP (command line client).

root@ubuntu:~# /etc/init.d/greenbone-security-assistant start

Starting Greenbone Security Assistant: ERROR.
To make this work we will disable HTTPS under gsad. Take note that this means the openvas username and password are transmitted over HTTP (unencrypted) when logging into gsad - whatever.

Edit and add --http-only to the execute command like so:

Change the line in /etc/init.d/greenbone-security-assistant from:

start_daemon() {
        start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS 2>&1 >/dev/null

to:

start_daemon() {
        start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS --http-only 2>&1 >/dev/null

Restarting greenbone security administrator, may now still result in an error but if you execute netstat -anp you will see that gsad is now running on 9392.

Run the omp command line client to authenticate against the OpenVAS manager. To do this the following command queries the manager and lists all tasks.

omp -h ubuntu -p 9390 -u admin -w admin -T -v

---- snip lots of xml -----
b493b7a8-7489-11df-a3ec-002264764cea  Localhost

Command completed successfully.

This indicates that the OpenVAS manager is working, and we have gotten past the libgnutls problem.

Now when connecting to http://ubuntu:9392/ in the browser, we are able to access the GSAD login screen. 
OpenVAS is now working and we can access the scanner via either the gsad web client, the gsd local client or the omp command line client.

A note about the OpenVAS configuration File
The openvas scanner has a configuration file /etc/openvas/openvas.conf however in a default installation of the Ubuntu packages this is not present after installation.
The file can be created from the running openvassd.

root@ubuntu:~# openvassd -s

This shows the current running configuration, so simply redirect the output from that command to a new file /etc/openvas/openvas.conf and you then have a configuration that can be modified to suit your requirements. Restart openvassd to have the configuration file read in.

root@ubuntu:~# touch /etc/openvas/openvassd.conf
root@ubuntu:~# openvassd -s >> /etc/openvas/openvassd.conf

..
addendum

check your installation:
root@ubuntu:~# wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
root@ubuntu:~# chmod +x openvas-check-setup
root@ubuntu:~# ./openvas-check-setup --server

No comments: