2015-02-22 01:20:19 +01:00
|
|
|
greenbone-security-assistant (UI for OpenVAS)
|
|
|
|
|
|
|
|
This is the UI the Open Vulnerability Assessment System (OpenVAS).
|
|
|
|
|
|
|
|
###### Known Problems ######
|
|
|
|
|
|
|
|
- PDF report generation is broken. This may get fixed in a future slackbuild.
|
|
|
|
|
|
|
|
- All the daemons run as root. There's no (working) configuration options
|
|
|
|
or documentation to change this behavior.
|
|
|
|
|
|
|
|
- There are a number of tests that depend on other software packages that are
|
|
|
|
not available as slackbuilds at this time. Stay tuned.
|
|
|
|
|
2017-08-04 10:52:02 +02:00
|
|
|
- If you're running in a VM environment, or on a headless server, then
|
2015-04-17 03:04:33 +02:00
|
|
|
installing haveged is recommended, particularly for step 11 below.
|
|
|
|
|
|
|
|
###### Upgrade Notes ######
|
|
|
|
|
|
|
|
If you're updating from OpenVAS-7 to OpenVAS-8, please note the following.
|
|
|
|
(See: http://www.openvas.org/install-source.html if you're unsure which
|
|
|
|
version you're running.)
|
|
|
|
|
|
|
|
Openvas now uses redis as a temporary database while running scans. You will
|
|
|
|
need redis installed and running, as well as hiredis. See step 2 below on
|
|
|
|
how to configure redis.
|
|
|
|
|
|
|
|
Before running openvas-manager, you'll need to migrate the database. Simply
|
|
|
|
run:
|
|
|
|
# openvasmd --migrate
|
2015-03-12 16:01:40 +01:00
|
|
|
|
2015-02-22 01:20:19 +01:00
|
|
|
###### Installation Instructions ######
|
|
|
|
|
|
|
|
These instructions assume you're familiar with slackbuilds. If not, please
|
|
|
|
refer to http://slackbuilds.org/howto/ .
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
1. Build and install hiredis.
|
|
|
|
|
|
|
|
2. Build and install redis. You need to uncomment the following 2 lines in the
|
|
|
|
/etc/redis/redis.conf file:
|
|
|
|
#unixsocket /tmp/redis.sock
|
|
|
|
#unixsocketperm 700
|
|
|
|
Now start up redis:
|
|
|
|
# sh /etc/rc.d/rc.redis start
|
|
|
|
|
|
|
|
3. Build and install openvas-libraries.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
4. Build and install openvas-scanner.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
5. You need a Certificate Authority and server certificate. Run the following
|
2015-02-22 01:20:19 +01:00
|
|
|
command:
|
|
|
|
# openvas-mkcert
|
2017-08-04 10:52:02 +02:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
6. You need the NVT's (Network Vulnerability Tests). Run the following
|
2017-08-04 10:52:02 +02:00
|
|
|
command to sync. In the future, you can do this through the
|
2015-02-22 01:20:19 +01:00
|
|
|
greenbone-security-assistant interface. This will take a minute or so
|
|
|
|
with a blazing fast internet connection. YMMV.
|
|
|
|
# openvas-nvt-sync
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
7. Start the openvas-scanner daemon.
|
2015-03-12 16:01:40 +01:00
|
|
|
# sh /etc/rc.d/rc.openvassd start
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
8. Build and install openvas-manager.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
9. You need client certificates for manager to talk to scanner. Use the
|
2015-02-22 01:20:19 +01:00
|
|
|
following command.
|
|
|
|
# openvas-mkcert-client -n -i
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
10. Initialize the manager database. This will take a while, so be patient.
|
2015-02-22 01:20:19 +01:00
|
|
|
# openvasmd --rebuild
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
11. You want encrypted credentials in the DB, so do this now.
|
2015-02-22 01:20:19 +01:00
|
|
|
# openvasmd --create-credentials-encryption-key
|
|
|
|
This may take a while, so it's best to create some entropy by skipping to
|
2015-04-17 03:04:33 +02:00
|
|
|
#13-#15 and then coming back, if needed.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
12. Create a user.
|
2015-02-22 01:20:19 +01:00
|
|
|
# openvasmd --create-user=cary
|
2017-08-04 10:52:02 +02:00
|
|
|
If you find the assigned password hard to remember, you can change it
|
2015-02-22 01:20:19 +01:00
|
|
|
right now.
|
|
|
|
# openvasmd --user=cary --new-password=mekmitasdigoat
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
13. Sync SCAP data. This will take some time.
|
2015-02-22 01:20:19 +01:00
|
|
|
# openvas-scapdata-sync
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
14. Sync CERT data.
|
2015-02-22 01:20:19 +01:00
|
|
|
# openvas-certdata-sync
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
15. Update port names.
|
2015-02-22 01:20:19 +01:00
|
|
|
# wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
|
|
|
|
# openvas-portnames-update service-names-port-numbers.xml
|
|
|
|
# rm service-names-port-numbers.xml
|
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
16. Start the openvas-manager daemon.
|
2015-03-12 16:01:40 +01:00
|
|
|
# sh /etc/rc.d/rc.openvasmd start
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
17. Build and install libmicrohttpd.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
18. Build and install greenbone-security-assistant.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2015-04-17 03:04:33 +02:00
|
|
|
19. Launch the greenbone-security-assistant.
|
2015-03-12 16:01:40 +01:00
|
|
|
# sh /etc/rc.d/rc.gsad start
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2017-08-04 10:52:02 +02:00
|
|
|
20. Open file:///var/lib/openvas/CA/cacert.pem in your browser to import the
|
|
|
|
certificate that you created in step 5 above.
|
|
|
|
|
|
|
|
21. Point your browser at https://<YOUR HOSTNAME>:9392 and log in with your
|
|
|
|
username/password from #12.
|
2015-02-22 01:20:19 +01:00
|
|
|
|
2017-08-04 10:52:02 +02:00
|
|
|
22. [Optional] Build and install openvas-cli. You'll need this if you ever
|
2015-02-22 01:20:19 +01:00
|
|
|
want to script tests.
|
|
|
|
|
2017-08-04 10:52:02 +02:00
|
|
|
That's it! If you run into any problems, you can try running the
|
2015-02-22 01:20:19 +01:00
|
|
|
openvas-check-setup script found here:
|
|
|
|
https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup
|
|
|
|
|
|
|
|
If you don't have a web-server running, you can edit the /etc/rc.d/rc.gsad
|
|
|
|
script to remove the "-p 9392" option, and it will run on port 443.
|
|
|
|
|
|
|
|
Please let me know if you run into any problems. Patches welcome!
|
|
|
|
|
|
|
|
Have Fun!
|
|
|
|
|
|
|
|
Kent Fritz
|
|
|
|
mailto:fritz.kent@gmail.com
|