OSVDC Series: Vulnerability Management with OpenVAS 9 on CentOS 7.3.1611 - rharmonson/richtech GitHub Wiki
OSVDC: Vulnerability Management with OpenVAS 9 on CentOS 7.3.1611
Draft: April 4, 2017
Requirements
- 2 CPU cores
- 2 GB RAM
- 10 GB storage
- 1 network interface
CentOS Installation
Complete a CentOS Minimal installation. My guide for CentOS 7 can be found here:
https://github.com/rharmonson/richtech/wiki/CentOS-7-1611-Minimal-x86_64-Base-Installation-Guide
OpenVAS Dependencies
Firewall
Using my CentOS 7.3.1611 guide, you created an ip4-default.fw; it needs one additional policy to permit access to the OpenVAS web portal.
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9392 -j ACCEPT
Example of a complete firewall:
#!/bin/bash
# File: ip4-openvas.fw
#Flush current policies
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
#ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Accept incoming OpenVAS web portal (GSAD)
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9392 -j ACCEPT
# Save Changes
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
REFERENCE
See https://github.com/rharmonson/richtech/wiki/CentOS-7-1611-Minimal-x86_64-Base-Installation-Guide#firewall-policies for additional details.
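The script above works only because the two port rules are inserted with -I ahead of the appended REJECT, and it opens 9392 to every source address. The following check is an added example, not part of the original guide: it classifies a port from `iptables-save` output. The function names, the sample rule sets and the 192.0.2.0/24 management subnet are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original guide. Reads `iptables-save` output on
# stdin and classifies how one TCP port is exposed by the INPUT chain.
# Only the single `--dport N` form used by this guide's rules is parsed.
#
# classify_port PORT prints one of:
#   open-any           reachable ACCEPT with no source restriction
#   restricted <cidr>  reachable ACCEPT limited to the listed source(s)
#   shadowed           ACCEPT exists but sits after a catch-all REJECT/DROP
#   closed             no ACCEPT rule for the port
classify_port() {
  awk -v port="$1" '
    $1 != "-A" || $2 != "INPUT" { next }
    # A REJECT/DROP with no match options ends the reachable part of the chain.
    $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = 1; next }
    {
      src = ""; dport = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s")      src = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      if (dport != port || target != "ACCEPT") next
      if (blocked) { shadowed = 1; next }
      if (src == "" || src == "0.0.0.0/0") { any = 1; exit }
      srcs = srcs (srcs == "" ? "" : ",") src
    }
    END {
      if (any)             print "open-any"
      else if (srcs != "") print "restricted " srcs
      else if (shadowed)   print "shadowed"
      else                 print "closed"
    }
  '
}

# Constructed sample: chain order produced by the guide's ip4-openvas.fw.
# The -I rules for 9392 and 22 land ahead of the -A rules.
GUIDE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9392 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed variant: portal limited to a management subnet
# (192.0.2.0/24 is a documentation placeholder, not a value from the guide).
RESTRICTED_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9392 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed variant: the 9392 rule was appended with -A after the REJECT,
# so it never matches.
SHADOWED_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9392 -j ACCEPT
COMMIT'

# Helper: feed a rule set held in a variable to classify_port.
audit() { printf '%s\n' "$1" | classify_port "$2"; }

echo "guide rules, 9392:      $(audit "$GUIDE_RULES" 9392)"
echo "restricted rules, 9392: $(audit "$RESTRICTED_RULES" 9392)"
echo "shadowed rules, 9392:   $(audit "$SHADOWED_RULES" 9392)"
```

On the OpenVAS host, run `iptables-save | classify_port 9392` as root after applying the firewall script.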
redis-server
Update /etc/redis.conf to enable the Unix socket by removing the # from the unixsocket and unixsocketperm lines.
# Unix socket.
#
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /tmp/redis.sock
unixsocketperm 700
Enable and start the redis server.
[root@vas ~]# systemctl enable redis && systemctl start redis
Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service.
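A quick check that the redis.conf edit took effect, as an added example rather than part of the original guide. The function names and the sample configurations are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original guide. Reads a redis.conf on stdin and
# reports whether the Unix socket edit described above is active.
#
# redis_socket_check prints one of:
#   disabled             no active unixsocket line (still commented out)
#   no-perm <path>       socket enabled but unixsocketperm left commented
#   loose <path> <perm>  group or other permission bits are set
#   ok <path> <perm>     socket enabled and limited to the owning user
redis_socket_check() {
  awk '
    /^[ \t]*#/ { next }                    # still commented: inactive
    $1 == "unixsocket"     { path = $2 }
    $1 == "unixsocketperm" { perm = $2 }
    END {
      if (path == "") { print "disabled"; exit }
      if (perm == "") { print "no-perm " path; exit }
      # Pad to at least three octal digits; the last two are group and other.
      padded = "00" perm
      tail = substr(padded, length(padded) - 1)
      state = (tail == "00") ? "ok" : "loose"
      print state, path, perm
    }
  '
}

# Constructed sample: the two directives still commented out.
STOCK_CONF='# Unix socket.
#
# unixsocket /tmp/redis.sock
# unixsocketperm 700'

# Constructed sample: the state this guide asks for.
EDITED_CONF='# Unix socket.
#
unixsocket /tmp/redis.sock
unixsocketperm 700'

# Constructed sample: only the first # was removed.
HALF_CONF='unixsocket /tmp/redis.sock
# unixsocketperm 700'

# Constructed sample: socket opened to every local user.
LOOSE_CONF='unixsocket /tmp/redis.sock
unixsocketperm 777'

# Helper: feed a config held in a variable to redis_socket_check.
check() { printf '%s\n' "$1" | redis_socket_check; }

echo "stock:  $(check "$STOCK_CONF")"
echo "edited: $(check "$EDITED_CONF")"
echo "half:   $(check "$HALF_CONF")"
echo "loose:  $(check "$LOOSE_CONF")"
```

Against the real file, run `redis_socket_check < /etc/redis.conf`.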
Atomic Repository
Install wget
[root@vas ~]# yum install wget
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
wget x86_64 1.14-13.el7 base 546 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 546 k
Installed size: 2.0 M
Is this ok [y/d/N]: y
Install Atomic Repository
[root@vas ~]# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Atomic Free Unsupported Archive installer, version 3.1
BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:
THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE
COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED
BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
For supported software packages please contact us at:
[email protected]
Do you agree to these terms? (yes/no) [Default: yes]
Configuring the [atomic] repo archive for this system
Installing the Atomic GPG keys: OK
Downloading atomic-release-1.0-21.el7.art.noarch.rpm: Preparing... ################################# [100%]
Updating / installing...
1:atomic-release-1.0-21.el7.art ################################# [100%]
OK
Enable repo by default? (yes/no) [Default: yes]: no
The Atomic repo has now been installed and configured for your system
The following channels are available:
atomic - [ACTIVATED] - contains the stable tree of ART packages
atomic-testing - [DISABLED] - contains the testing tree of ART packages
atomic-bleeding - [DISABLED] - contains the development tree of ART packages
[root@vas ~]#
Note
I entered no when prompted to enable the repository by default. This is due to the repository's history of trashing hosts. Yeah. Not exactly a warm fuzzy, so I enable only when installing or updating OpenVAS.
Install OpenVAS
[root@vas ~]# yum --enablerepo atomic install openvas
Results
================================================================================
Package Arch Version Repository
Size
================================================================================
Installing:
openvas noarch 9.0.0-1244.el7.art atomic 16 k
Installing for dependencies:
cairo x86_64 1.14.2-1.el7 base 711 k
dirb x86_64 221-2.el7.art atomic 46 k
doxygen x86_64 1:1.8.5-3.el7 base 3.6 M
fontconfig x86_64 2.10.95-10.el7 base 229 k
fontpackages-filesystem
noarch 1.44-8.el7 base 9.9 k
greenbone-security-assistant
x86_64 7.0.2-1245.el7.art atomic 1.8 M
haveged x86_64 1.9.1-2.el7.art atomic 62 k
heimdal-libs x86_64 1.6.0-0.9.20140621gita5adc06.el7.art
atomic 1.1 M
hiredis x86_64 0.12.1-1.el7.art atomic 29 k
jemalloc x86_64 3.6.0-8.el7.centos centos-ovirt40-release
110 k
lcms2 x86_64 2.6-3.el7 base 150 k
libX11 x86_64 1.6.3-3.el7 base 606 k
libX11-common noarch 1.6.3-3.el7 base 162 k
libXau x86_64 1.0.8-2.1.el7 base 29 k
libXdamage x86_64 1.1.4-4.1.el7 base 20 k
libXext x86_64 1.3.3-3.el7 base 39 k
libXfixes x86_64 5.0.1-2.1.el7 base 18 k
libXrender x86_64 0.9.8-2.1.el7 base 25 k
libXxf86vm x86_64 1.1.3-2.1.el7 base 17 k
libksba x86_64 1.3.0-5.el7 base 120 k
libmicrohttpd x86_64 0.9.33-2.el7 base 58 k
libpng x86_64 2:1.5.13-7.el7_2 base 213 k
libssh x86_64 0.7.1-2.el7 extras 194 k
libxcb x86_64 1.11-4.el7 base 189 k
libxshmfence x86_64 1.2-1.el7 base 7.2 k
mesa-libEGL x86_64 11.2.2-2.20160614.el7 base 85 k
mesa-libGL x86_64 11.2.2-2.20160614.el7 base 162 k
mesa-libgbm x86_64 11.2.2-2.20160614.el7 base 42 k
mesa-libglapi x86_64 11.2.2-2.20160614.el7 base 40 k
mingw32-nsis x86_64 3.01-1.el7 epel-7 1.3 M
ncrack x86_64 0.4-1.ALPHA.el7.art atomic 554 k
net-snmp-libs x86_64 1:5.7.2-24.el7_2.1 base 747 k
net-snmp-utils x86_64 1:5.7.2-24.el7_2.1 base 197 k
nikto noarch 1:2.1.6-1147.el7.art atomic 360 k
nmap x86_64 2:6.47-8.el7.art atomic 4.1 M
nmap-ncat x86_64 2:6.47-8.el7.art atomic 200 k
openjpeg-libs x86_64 1.5.1-16.el7_3 centos-7-updates
86 k
openldap-clients x86_64 2.4.40-13.el7 base 188 k
openvas-cli x86_64 1.4.5-1293.el7.art atomic 16 k
openvas-libraries x86_64 9.0.1-25.el7.art atomic 276 k
openvas-manager x86_64 7.0.1-1230.el7.art atomic 792 k
openvas-scanner x86_64 5.1.1-25.el7.art atomic 173 k
openvas-smb x86_64 1.0.1-0.2.el7.art atomic 3.4 M
perl x86_64 4:5.16.3-291.el7 base 8.0 M
perl-Carp noarch 1.26-244.el7 base 19 k
perl-Data-Dumper x86_64 2.145-3.el7 base 47 k
perl-Encode x86_64 2.51-7.el7 base 1.5 M
perl-Exporter noarch 5.68-3.el7 base 28 k
perl-File-Path noarch 2.09-2.el7 base 26 k
perl-File-Temp noarch 0.23.01-3.el7 base 56 k
perl-Filter x86_64 1.49-3.el7 base 76 k
perl-Getopt-Long noarch 2.40-2.el7 base 56 k
perl-HTTP-Tiny noarch 0.033-3.el7 base 38 k
perl-JSON-PP noarch 2.27202-2.el7 base 55 k
perl-PathTools x86_64 3.40-5.el7 base 82 k
perl-Pod-Escapes noarch 1:1.04-291.el7 base 51 k
perl-Pod-Perldoc noarch 3.20-4.el7 base 87 k
perl-Pod-Simple noarch 1:3.28-4.el7 base 216 k
perl-Pod-Usage noarch 1.63-3.el7 base 27 k
perl-Scalar-List-Utils x86_64 1.27-248.el7 base 36 k
perl-Socket x86_64 2.010-4.el7 base 49 k
perl-Storable x86_64 2.45-3.el7 base 77 k
perl-Text-ParseWords noarch 3.29-4.el7 base 14 k
perl-Time-HiRes x86_64 4:1.9725-3.el7 base 45 k
perl-Time-Local noarch 1.2300-2.el7 base 24 k
perl-constant noarch 1.27-2.el7 base 19 k
perl-libs x86_64 4:5.16.3-291.el7 base 688 k
perl-macros x86_64 4:5.16.3-291.el7 base 43 k
perl-parent noarch 1:0.225-244.el7 base 12 k
perl-podlators noarch 2.5.1-3.el7 base 112 k
perl-threads x86_64 1.87-4.el7 base 49 k
perl-threads-shared x86_64 1.43-6.el7 base 39 k
pixman x86_64 0.34.0-1.el7 base 248 k
pnscan x86_64 1.11-1.el7.art atomic 18 k
poppler x86_64 0.26.5-16.el7 base 783 k
poppler-data noarch 0.4.6-3.el7 base 2.2 M
python-BeautifulSoup noarch 1:3.2.1-7.el7 epel-7 44 k
python-httplib2 noarch 0.9.1-2.el7 centos-ovirt40-release
114 k
python2-pysocks noarch 1.5.7-1.el7 epel-7 22 k
redis x86_64 3.2.3-1.el7 epel-7 527 k
rsync x86_64 3.0.9-17.el7 base 360 k
socat x86_64 1.7.2.2-5.el7 base 255 k
texlive-algorithms noarch 2:svn15878.0.1-38.el7 base 21 k
texlive-amsfonts noarch 2:svn29208.3.04-38.el7 base 3.6 M
texlive-amsmath noarch 2:svn29327.2.14-38.el7 base 49 k
texlive-attachfile noarch 2:svn21866.v1.5b-38.el7 base 21 k
texlive-babel noarch 2:svn24756.3.8m-38.el7 base 129 k
texlive-babelbib noarch 2:svn25245.1.31-38.el7 base 49 k
texlive-base noarch 2:2012-38.20130427_r30134.el7 base 325 k
texlive-bera noarch 2:svn20031.0-38.el7 base 347 k
texlive-booktabs noarch 2:svn15878.1.61803-38.el7 base 19 k
texlive-breakurl noarch 2:svn15878.1.30-38.el7 base 20 k
texlive-caption noarch 2:svn29026.3.3__2013_02_03_-38.el7 base 51 k
texlive-carlisle noarch 2:svn18258.0-38.el7 base 29 k
texlive-chngcntr noarch 2:svn17157.1.0a-38.el7 base 19 k
texlive-colortbl noarch 2:svn25394.v1.0a-38.el7 base 20 k
texlive-csquotes noarch 2:svn24393.5.1d-38.el7 base 36 k
texlive-currfile noarch 2:svn29012.0.7b-38.el7 base 21 k
texlive-enumitem noarch 2:svn24146.3.5.2-38.el7 base 29 k
texlive-eso-pic noarch 2:svn21515.2.0c-38.el7 base 21 k
texlive-etex-pkg noarch 2:svn15878.2.0-38.el7 base 22 k
texlive-etoolbox noarch 2:svn20922.2.1-38.el7 base 25 k
texlive-fancyvrb noarch 2:svn18492.2.8-38.el7 base 30 k
texlive-filecontents noarch 2:svn24250.1.3-38.el7 base 19 k
texlive-filehook noarch 2:svn24280.0.5d-38.el7 base 22 k
texlive-float noarch 2:svn15878.1.3d-38.el7 base 20 k
texlive-fontspec noarch 2:svn29412.v2.3a-38.el7 base 38 k
texlive-footmisc noarch 2:svn23330.5.5b-38.el7 base 23 k
texlive-fp noarch 2:svn15878.0-38.el7 base 39 k
texlive-geometry noarch 2:svn19716.5.6-38.el7 base 26 k
texlive-graphics noarch 2:svn25405.1.0o-38.el7 base 33 k
texlive-hyperref noarch 2:svn28213.6.83m-38.el7 base 139 k
texlive-hyphen-base noarch 2:svn29197.0-38.el7 base 39 k
texlive-ifetex noarch 2:svn24853.1.2-38.el7 base 18 k
texlive-ifxetex noarch 2:svn19685.0.5-38.el7 base 18 k
texlive-index noarch 2:svn24099.4.1beta-38.el7 base 29 k
texlive-kastrup noarch 2:svn15878.0-38.el7 base 18 k
texlive-koma-script noarch 2:svn27255.3.11b-38.el7 base 5.1 M
texlive-kpathsea noarch 2:svn28792.0-38.el7 base 140 k
texlive-kpathsea-bin x86_64 2:svn27347.0-38.20130427_r30134.el7 base 40 k
texlive-kpathsea-lib x86_64 2:2012-38.20130427_r30134.el7 base 78 k
texlive-l3kernel noarch 2:svn29409.SVN_4469-38.el7 base 107 k
texlive-l3packages noarch 2:svn29361.SVN_4467-38.el7 base 36 k
texlive-latex noarch 2:svn27907.0-38.el7 base 197 k
texlive-latex-bin noarch 2:svn26689.0-38.el7 base 20 k
texlive-latex-bin-bin noarch 2:svn14050.0-38.20130427_r30134.el7 base 17 k
texlive-latex-fonts noarch 2:svn28888.0-38.el7 base 42 k
texlive-latexconfig noarch 2:svn28991.0-38.el7 base 26 k
texlive-listings noarch 2:svn15878.1.4-38.el7 base 138 k
texlive-lm noarch 2:svn28119.2.004-38.el7 base 13 M
texlive-lualatex-math noarch 2:svn29346.1.2-38.el7 base 21 k
texlive-luaotfload noarch 2:svn26718.1.26-38.el7 base 101 k
texlive-luaotfload-bin noarch 2:svn18579.0-38.20130427_r30134.el7 base 17 k
texlive-luatex noarch 2:svn26689.0.70.1-38.el7 base 37 k
texlive-luatex-bin x86_64 2:svn26912.0-38.20130427_r30134.el7 base 1.7 M
texlive-luatexbase noarch 2:svn22560.0.31-38.el7 base 27 k
texlive-marginnote noarch 2:svn25880.v1.1i-38.el7 base 20 k
texlive-memoir noarch 2:svn21638.3.6j_patch_6.0g-38.el7 base 97 k
texlive-mparhack noarch 2:svn15878.1.4-38.el7 base 20 k
texlive-ms noarch 2:svn24467.0-38.el7 base 24 k
texlive-multido noarch 2:svn18302.1.42-38.el7 base 21 k
texlive-oberdiek noarch 2:svn26725.0-38.el7 base 307 k
texlive-paralist noarch 2:svn15878.2.3b-38.el7 base 21 k
texlive-parallel noarch 2:svn15878.0-38.el7 base 21 k
texlive-pdftex noarch 2:svn29585.1.40.11-38.el7 base 140 k
texlive-pdftex-bin x86_64 2:svn27321.0-38.20130427_r30134.el7 base 360 k
texlive-pgf noarch 2:svn22614.2.10-38.el7 base 468 k
texlive-psnfss noarch 2:svn23394.9.2a-38.el7 base 45 k
texlive-pst-3d noarch 2:svn17257.1.10-38.el7 base 21 k
texlive-pst-coil noarch 2:svn24020.1.06-38.el7 base 21 k
texlive-pst-eps noarch 2:svn15878.1.0-38.el7 base 20 k
texlive-pst-fill noarch 2:svn15878.1.01-38.el7 base 21 k
texlive-pst-grad noarch 2:svn15878.1.06-38.el7 base 21 k
texlive-pst-math noarch 2:svn20176.0.61-38.el7 base 22 k
texlive-pst-node noarch 2:svn27799.1.25-38.el7 base 40 k
texlive-pst-plot noarch 2:svn28729.1.44-38.el7 base 36 k
texlive-pst-text noarch 2:svn15878.1.00-38.el7 base 21 k
texlive-pst-tree noarch 2:svn24142.1.12-38.el7 base 24 k
texlive-pstricks noarch 2:svn29678.2.39-38.el7 base 97 k
texlive-pstricks-add noarch 2:svn28750.3.59-38.el7 base 41 k
texlive-qstest noarch 2:svn15878.0-38.el7 base 22 k
texlive-sauerj noarch 2:svn15878.0-38.el7 base 23 k
texlive-setspace noarch 2:svn24881.6.7a-38.el7 base 24 k
texlive-showexpl noarch 2:svn27790.v0.3j-38.el7 base 21 k
texlive-soul noarch 2:svn15878.2.4-38.el7 base 23 k
texlive-subfig noarch 2:svn15878.1.3-38.el7 base 24 k
texlive-tetex noarch 2:svn29585.3.0-38.el7 base 88 k
texlive-tetex-bin noarch 2:svn27344.0-38.20130427_r30134.el7 base 18 k
texlive-thumbpdf noarch 2:svn26689.3.15-38.el7 base 38 k
texlive-thumbpdf-bin noarch 2:svn6898.0-38.20130427_r30134.el7 base 17 k
texlive-tipa noarch 2:svn29349.1.3-38.el7 base 2.8 M
texlive-tools noarch 2:svn26263.0-38.el7 base 62 k
texlive-underscore noarch 2:svn18261.0-38.el7 base 22 k
texlive-unicode-math noarch 2:svn29413.0.7d-38.el7 base 61 k
texlive-url noarch 2:svn16864.3.2-38.el7 base 26 k
texlive-varwidth noarch 2:svn24104.0.92-38.el7 base 21 k
texlive-xcolor noarch 2:svn15878.2.11-38.el7 base 35 k
texlive-xkeyval noarch 2:svn27995.2.6a-38.el7 base 27 k
texlive-xunicode noarch 2:svn23897.0.981-38.el7 base 44 k
wapiti noarch 2.3.0-5.el7.art atomic 290 k
zziplib x86_64 0.13.62-5.el7 base 81 k
Transaction Summary
================================================================================
Install 1 Package (+181 Dependent packages)
Total download size: 69 M
Installed size: 231 M
Is this ok [y/d/N]:
OpenVAS NVT Feed
bzip2
bzip2 is needed to install the feeds.
[root@vas ~]# yum install bzip2
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bzip2 x86_64 1.0.6-13.el7 base 52 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 52 k
Installed size: 82 k
Is this ok [y/d/N]: y
NVT Feed
Create the initial NVT feed.
[root@vas ~]# greenbone-nvt-sync
Results
--2017-04-06 20:09:10-- http://dl.greenbone.net/community-nvt-feed-current.tar.bz2
Resolving dl.greenbone.net (dl.greenbone.net)... 89.146.224.58, 2a01:130:2000:127::d1
Connecting to dl.greenbone.net (dl.greenbone.net)|89.146.224.58|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28863307 (28M) [application/octet-stream]
Saving to: ‘/tmp/greenbone-nvt-sync.wMhig5P5cK/openvas-feed-2017-04-06-1475.tar.bz2’
11% [===> ] 3,324,329 168KB/s eta 97s
The download will run to 100%, after which you will see the archive being extracted.
CERT Feed
Create the initial CERT feed.
[root@vas ~]# greenbone-certdata-sync
Results
OpenVAS community feed server - http://www.openvas.org/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be blocked.
receiving incremental file list
./
CB-K13.xml
1430197 100% 135.06kB/s 0:00:10 (xfer#1, to-check=34/36)
CB-K13.xml.asc
181 100% 0.51kB/s 0:00:00 (xfer#2, to-check=33/36)
CB-K14.xml
4772286 100% 242.18kB/s 0:00:19 (xfer#3, to-check=32/36)
CB-K14.xml.asc
181 100% 176.76kB/s 0:00:00 (xfer#4, to-check=31/36)
CB-K15.xml
6117922 100% 513.94kB/s 0:00:11 (xfer#5, to-check=30/36)
CB-K15.xml.asc
181 100% 176.76kB/s 0:00:00 (xfer#6, to-check=29/36)
CB-K16.xml
8266339 100% 227.51kB/s 0:00:35 (xfer#7, to-check=28/36)
CB-K16.xml.asc
181 100% 176.76kB/s 0:00:00 (xfer#8, to-check=27/36)
CB-K17.xml
563722 100% 177.07kB/s 0:00:03 (xfer#9, to-check=26/36)
CB-K17.xml.asc
181 100% 0.19kB/s 0:00:00 (xfer#10, to-check=25/36)
COPYING
1049 100% 1.12kB/s 0:00:00 (xfer#11, to-check=24/36)
COPYING.asc
181 100% 0.19kB/s 0:00:00 (xfer#12, to-check=23/36)
dfn-cert-2008.xml
3012 100% 3.20kB/s 0:00:00 (xfer#13, to-check=22/36)
dfn-cert-2008.xml.asc
181 100% 0.19kB/s 0:00:00 (xfer#14, to-check=21/36)
dfn-cert-2009.xml
677634 100% 157.90kB/s 0:00:04 (xfer#15, to-check=20/36)
dfn-cert-2009.xml.asc
181 100% 0.26kB/s 0:00:00 (xfer#16, to-check=19/36)
dfn-cert-2010.xml
1417339 100% 238.07kB/s 0:00:05 (xfer#17, to-check=18/36)
dfn-cert-2010.xml.asc
181 100% 0.52kB/s 0:00:00 (xfer#18, to-check=17/36)
dfn-cert-2011.xml
1583048 100% 490.31kB/s 0:00:03 (xfer#19, to-check=16/36)
dfn-cert-2011.xml.asc
181 100% 3.34kB/s 0:00:00 (xfer#20, to-check=15/36)
dfn-cert-2012.xml
1762198 100% 326.73kB/s 0:00:05 (xfer#21, to-check=14/36)
dfn-cert-2012.xml.asc
181 100% 176.76kB/s 0:00:00 (xfer#22, to-check=13/36)
dfn-cert-2013.xml
1622943 100% 203.14kB/s 0:00:07 (xfer#23, to-check=12/36)
dfn-cert-2013.xml.asc
181 100% 0.56kB/s 0:00:00 (xfer#24, to-check=11/36)
dfn-cert-2014.xml
1530889 100% 256.43kB/s 0:00:05 (xfer#25, to-check=10/36)
dfn-cert-2014.xml.asc
181 100% 0.26kB/s 0:00:00 (xfer#26, to-check=9/36)
dfn-cert-2015.xml
2041487 100% 490.56kB/s 0:00:04 (xfer#27, to-check=8/36)
dfn-cert-2015.xml.asc
181 100% 0.18kB/s 0:00:00 (xfer#28, to-check=7/36)
dfn-cert-2016.xml
2663313 100% 284.50kB/s 0:00:09 (xfer#29, to-check=6/36)
dfn-cert-2016.xml.asc
181 100% 0.21kB/s 0:00:00 (xfer#30, to-check=5/36)
dfn-cert-2017.xml
755764 100% 194.53kB/s 0:00:03 (xfer#31, to-check=4/36)
dfn-cert-2017.xml.asc
181 100% 0.26kB/s 0:00:00 (xfer#32, to-check=3/36)
sha1sums
2002 100% 2.83kB/s 0:00:00 (xfer#33, to-check=2/36)
timestamp
13 100% 0.02kB/s 0:00:00 (xfer#34, to-check=1/36)
timestamp.asc
181 100% 0.26kB/s 0:00:00 (xfer#35, to-check=0/36)
sent 722 bytes received 35224979 bytes 276280.01 bytes/sec
total size is 35214234 speedup is 1.00
/sbin/openvasmd
SCAP Feed
Create the initial SCAP feed.
[root@vas ~]# greenbone-scapdata-sync
Results
OpenVAS community feed server - http://www.openvas.org/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be blocked.
receiving incremental file list
./
COPYING
1493 100% 1.42MB/s 0:00:00 (xfer#1, to-check=67/69)
COPYING.asc
181 100% 176.76kB/s 0:00:00 (xfer#2, to-check=66/69)
nvdcve-2.0-2002.xml
19562381 100% 323.01kB/s 0:00:59 (xfer#3, to-check=65/69)
nvdcve-2.0-2002.xml.asc
181 100% 0.27kB/s 0:00:00 (xfer#4, to-check=64/69)
nvdcve-2.0-2003.xml
5700422 100% 276.54kB/s 0:00:20 (xfer#5, to-check=63/69)
nvdcve-2.0-2003.xml.asc
181 100% 4.42kB/s 0:00:00 (xfer#6, to-check=62/69)
nvdcve-2.0-2004.xml
11819416 100% 542.25kB/s 0:00:21 (xfer#7, to-check=61/69)
nvdcve-2.0-2004.xml.asc
181 100% 0.19kB/s 0:00:00 (xfer#8, to-check=60/69)
nvdcve-2.0-2005.xml
18206789 100% 538.20kB/s 0:00:33 (xfer#9, to-check=59/69)
nvdcve-2.0-2005.xml.asc
181 100% 0.28kB/s 0:00:00 (xfer#10, to-check=58/69)
nvdcve-2.0-2006.xml
28291389 100% 323.05kB/s 0:01:25 (xfer#11, to-check=57/69)
nvdcve-2.0-2006.xml.asc
181 100% 0.50kB/s 0:00:00 (xfer#12, to-check=56/69)
nvdcve-2.0-2007.xml
25773302 100% 376.82kB/s 0:01:06 (xfer#13, to-check=55/69)
nvdcve-2.0-2007.xml.asc
181 100% 176.76kB/s 0:00:00 (xfer#14, to-check=54/69)
nvdcve-2.0-2008.xml
31563071 100% 411.71kB/s 0:01:14 (xfer#15, to-check=53/69)
nvdcve-2.0-2008.xml.asc
181 100% 0.20kB/s 0:00:00 (xfer#16, to-check=52/69)
nvdcve-2.0-2009.xml
31840370 100% 558.50kB/s 0:00:55 (xfer#17, to-check=51/69)
nvdcve-2.0-2009.xml.asc
181 100% 0.41kB/s 0:00:00 (xfer#18, to-check=50/69)
nvdcve-2.0-2010.xml
46771192 100% 500.67kB/s 0:01:31 (xfer#19, to-check=49/69)
nvdcve-2.0-2010.xml.asc
181 100% 0.19kB/s 0:00:00 (xfer#20, to-check=48/69)
nvdcve-2.0-2011.xml
113702881 100% 467.03kB/s 0:03:57 (xfer#21, to-check=47/69)
nvdcve-2.0-2011.xml.asc
181 100% 0.30kB/s 0:00:00 (xfer#22, to-check=46/69)
nvdcve-2.0-2012.xml
43996578 100% 549.11kB/s 0:01:18 (xfer#23, to-check=45/69)
nvdcve-2.0-2012.xml.asc
181 100% 0.25kB/s 0:00:00 (xfer#24, to-check=44/69)
nvdcve-2.0-2013.xml
45241911 100% 501.27kB/s 0:01:28 (xfer#25, to-check=43/69)
nvdcve-2.0-2013.xml.asc
181 100% 0.39kB/s 0:00:00 (xfer#26, to-check=42/69)
nvdcve-2.0-2014.xml
41364708 100% 486.17kB/s 0:01:23 (xfer#27, to-check=41/69)
nvdcve-2.0-2014.xml.asc
181 100% 0.18kB/s 0:00:00 (xfer#28, to-check=40/69)
nvdcve-2.0-2015.xml
32181704 100% 442.52kB/s 0:01:11 (xfer#29, to-check=39/69)
nvdcve-2.0-2015.xml.asc
181 100% 0.21kB/s 0:00:00 (xfer#30, to-check=38/69)
nvdcve-2.0-2016.xml
35318214 100% 634.55kB/s 0:00:54 (xfer#31, to-check=37/69)
nvdcve-2.0-2016.xml.asc
181 100% 0.18kB/s 0:00:00 (xfer#32, to-check=36/69)
nvdcve-2.0-2017.xml
5503205 100% 553.70kB/s 0:00:09 (xfer#33, to-check=35/69)
nvdcve-2.0-2017.xml.asc
181 100% 0.37kB/s 0:00:00 (xfer#34, to-check=34/69)
official-cpe-dictionary_v2.2.xml
37234453 100% 520.06kB/s 0:01:09 (xfer#35, to-check=33/69)
official-cpe-dictionary_v2.2.xml.asc
181 100% 0.95kB/s 0:00:00 (xfer#36, to-check=32/69)
sha1sums
3932 100% 20.53kB/s 0:00:00 (xfer#37, to-check=31/69)
status
21 100% 0.11kB/s 0:00:00 (xfer#38, to-check=30/69)
status.asc
198 100% 1.03kB/s 0:00:00 (xfer#39, to-check=29/69)
timestamp
13 100% 0.07kB/s 0:00:00 (xfer#40, to-check=28/69)
timestamp.asc
181 100% 0.95kB/s 0:00:00 (xfer#41, to-check=27/69)
oval/
oval/5.10/
oval/5.10/org.mitre.oval/
oval/5.10/org.mitre.oval/c/
oval/5.10/org.mitre.oval/c/oval.xml
268150 100% 171.15kB/s 0:00:01 (xfer#42, to-check=18/69)
oval/5.10/org.mitre.oval/c/oval.xml.asc
181 100% 0.49kB/s 0:00:00 (xfer#43, to-check=17/69)
oval/5.10/org.mitre.oval/i/
oval/5.10/org.mitre.oval/i/oval.xml
9480204 100% 526.50kB/s 0:00:17 (xfer#44, to-check=16/69)
oval/5.10/org.mitre.oval/i/oval.xml.asc
181 100% 0.18kB/s 0:00:00 (xfer#45, to-check=15/69)
oval/5.10/org.mitre.oval/m/
oval/5.10/org.mitre.oval/m/oval.xml
143834 100% 114.38kB/s 0:00:01 (xfer#46, to-check=14/69)
oval/5.10/org.mitre.oval/m/oval.xml.asc
181 100% 1.33kB/s 0:00:00 (xfer#47, to-check=13/69)
oval/5.10/org.mitre.oval/p/
oval/5.10/org.mitre.oval/p/oval.xml
90911155 100% 492.75kB/s 0:03:00 (xfer#48, to-check=12/69)
oval/5.10/org.mitre.oval/p/oval.xml.asc
181 100% 0.23kB/s 0:00:00 (xfer#49, to-check=11/69)
oval/5.10/org.mitre.oval/v/
oval/5.10/org.mitre.oval/v/family/
oval/5.10/org.mitre.oval/v/family/ios.xml
2012118 100% 378.02kB/s 0:00:05 (xfer#50, to-check=9/69)
oval/5.10/org.mitre.oval/v/family/ios.xml.asc
181 100% 0.18kB/s 0:00:00 (xfer#51, to-check=8/69)
oval/5.10/org.mitre.oval/v/family/macos.xml
453775 100% 195.04kB/s 0:00:02 (xfer#52, to-check=7/69)
oval/5.10/org.mitre.oval/v/family/macos.xml.asc
181 100% 176.76kB/s 0:00:00 (xfer#53, to-check=6/69)
oval/5.10/org.mitre.oval/v/family/pixos.xml
10014 100% 174.63kB/s 0:00:00 (xfer#54, to-check=5/69)
oval/5.10/org.mitre.oval/v/family/pixos.xml.asc
181 100% 3.10kB/s 0:00:00 (xfer#55, to-check=4/69)
oval/5.10/org.mitre.oval/v/family/unix.xml
31372831 100% 457.27kB/s 0:01:07 (xfer#56, to-check=3/69)
oval/5.10/org.mitre.oval/v/family/unix.xml.asc
181 100% 0.68kB/s 0:00:00 (xfer#57, to-check=2/69)
oval/5.10/org.mitre.oval/v/family/windows.xml
51773463 100% 412.76kB/s 0:02:02 (xfer#58, to-check=1/69)
oval/5.10/org.mitre.oval/v/family/windows.xml.asc
181 100% 0.19kB/s 0:00:00 (xfer#59, to-check=0/69)
sent 1282 bytes received 760697817 bytes 479482.57 bytes/sec
total size is 760508255 speedup is 1.00
part 0 Done
part 1 Done
/sbin/openvasmd
OpenVAS Manager Database
After the initial feed downloads, the OpenVAS Manager database needs to be rebuilt. This may take some time.
[root@vas ~]# openvasmd --rebuild
certtool
The OpenVAS setup requires certtool, which is provided by the gnutls-utils package.
[root@vas ~]# yum install gnutls-utils
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
gnutls-utils x86_64 3.3.24-1.el7 base 233 k
Installing for dependencies:
gnutls-dane x86_64 3.3.24-1.el7 base 33 k
ldns x86_64 1.6.16-10.el7 base 476 k
unbound-libs x86_64 1.4.20-28.el7 base 296 k
Transaction Summary
================================================================================
Install 1 Package (+3 Dependent packages)
Total download size: 1.0 M
Installed size: 3.0 M
Is this ok [y/d/N]:
OpenVAS Setup
Time to execute OpenVAS' setup.
[root@vas ~]# openvas-setup
Results
[root@vas ~]# openvas-setup
Openvas Setup, Version: 2.0
Step 1: Update NVT, CERT, and SCAP data
Please note this step could take some time.
Once completed, this will be updated automatically every 24 hours
Select download method
* wget (NVT download only)
* curl (NVT download only)
* rsync
Note: If rsync requires a proxy, you should define that before this step.
Downloader [Default: rsync]
Updating NVTs....
OpenVAS community feed server - http://www.openvas.org/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be blocked.
receiving incremental file list
plugin_feed_info.inc
1100 100% 1.05MB/s 0:00:00 (xfer#1, to-check=0/1)
sent 42 bytes received 1198 bytes 354.29 bytes/sec
total size is 1100 speedup is 0.89
Updating CERT data...
OpenVAS community feed server - http://www.openvas.org/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be blocked.
receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 42 bytes received 100 bytes 56.80 bytes/sec
total size is 13 speedup is 0.09
Updating SCAP data...
OpenVAS community feed server - http://www.openvas.org/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
All transactions are logged.
If you have any questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
By using this service you agree to our terms and conditions.
Only one sync per time, otherwise the source ip will be blocked.
receiving incremental file list
timestamp
13 100% 12.70kB/s 0:00:00 (xfer#1, to-check=0/1)
sent 42 bytes received 100 bytes 56.80 bytes/sec
total size is 13 speedup is 0.09
Updating OpenVAS Manager database....
Generated private key in /tmp/tmp.vDIsQccwXL/cakey.pem.
Generated self signed certificate in /tmp/tmp.vDIsQccwXL/cacert.pem.
Installed private key to /var/lib/openvas/private/CA/cakey.pem.
Installed certificate to /var/lib/openvas/CA/cacert.pem.
Generated private key in /tmp/tmp.vDIsQccwXL/serverkey.pem.
Generated certificate request in /tmp/tmp.vDIsQccwXL/serverrequest.pem.
Signed certificate request in /tmp/tmp.vDIsQccwXL/serverrequest.pem with CA certificate in /var/lib/openvas/CA/cacert.pem to generate certificate in /tmp/tmp.vDIsQccwXL/servercert.pem
Installed private key to /var/lib/openvas/private/CA/serverkey.pem.
Installed certificate to /var/lib/openvas/CA/servercert.pem.
Generated private key in /tmp/tmp.vDIsQccwXL/clientkey.pem.
Generated certificate request in /tmp/tmp.vDIsQccwXL/clientrequest.pem.
Signed certificate request in /tmp/tmp.vDIsQccwXL/clientrequest.pem with CA certificate in /var/lib/openvas/CA/cacert.pem to generate certificate in /tmp/tmp.vDIsQccwXL/clientcert.pem
Installed private key to /var/lib/openvas/private/CA/clientkey.pem.
Installed certificate to /var/lib/openvas/CA/clientcert.pem.
Removing temporary directory /tmp/tmp.vDIsQccwXL.
Redirecting to /bin/systemctl start redis.service
Pausing while openvas-scanner loads NVTs...Done
Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end
for managing scans. By default it is configured to only allow
connections from localhost.
Allow connections from any IP? [Default: yes]
Redirecting to /bin/systemctl restart gsad.service
Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT's manually, and manage roles.
Enter administrator username [Default: admin] :
Enter Administrator Password:
Verify Administrator Password:
Updating the openvas NVT Cache
Updating NVT cache... done.
Setup complete, you can now access GSAD at:
https://<IP>:9392
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-scanner.service to /usr/lib/systemd/system/openvas-scanner.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-manager.service to /usr/lib/systemd/system/openvas-manager.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/gsad.service to /usr/lib/systemd/system/gsad.service.
[root@vas ~]#
Troubleshooting
If warnings or errors occur during the setup, generally, follow the instructions. However, executing openvas-check-setup --v9 may provide additional details.
Done!?
At this point, OpenVAS should be ready. The purple wand icons, generally found in the upper-left, are wizards. They are a good starting point. However, the workflow will look something along the lines of:
- Connect to https://<hostname_or_ipaddress>:9392
- Select Configuration then Target to create targets
- Select Configuration then Port Lists to understand your options for selection later
- Select Configuration then Credentials to enter user password/key pairs
- Select Configuration then Scan Configs to understand your options for selection later
- Select Scans then Tasks to create and initiate vulnerability scans
I would advise starting off small. Select one host and experiment with the different Port Lists and Scan Configs. Experiment with scans using or not using credentials. Eventually, you will find the best balance between time to complete scans and the information obtained.
Please star to let me know you found this article useful or open an issue with questions or comments.