Shulou (Shulou.com), 06/01 report, updated 2025-01-16
Last year I installed OpenVAS on CentOS 6.4 with yum; as a result, the client often hung while scanning. OpenVAS's support for CentOS is very poor: reinstalling with yum on CentOS 6.4 did not work, and compiling from source also ran into a variety of dependency problems. Finally, I gave up on CentOS 6.4 and compiled and installed it on Ubuntu.
I. Preparatory work
1. System environment
root@bob-Openvas:~# lsb_release -a
Ubuntu 14.04.4 LTS
2. Install dependency packages
root@bob-Openvas:~# apt-get update
root@bob-Openvas:~# apt-get install openssh-server
root@bob-Openvas:~# apt-get install lrzsz
root@bob-Openvas:~# apt-get install build-essential bison flex cmake pkg-config libglib2.0-0 libglib2.0-dev
root@bob-Openvas:~# apt-get install libgnutls-dev
root@bob-Openvas:~# apt-get install libgnutls28-dev
root@bob-Openvas:~# apt-get install libpcap0.8 libpcap0.8-dev libgpgme11 libgpgme11-dev doxygen libuuid1 uuid-dev sqlfairy xmltoman sqlite3
root@bob-Openvas:~# apt-get install libxml2-dev libxslt1.1 libxslt1-dev xsltproc libmicrohttpd-dev libsqlite3-dev rsync libldap2-dev libhiredis-dev
root@bob-Openvas:~# apt-get install libgcrypt-dev zlib1g-dev libssh-dev
3. Download the OpenVAS packages
http://www.openvas.org/install-source.html
(1) libraries: the OpenVAS library files
openvas-libraries-8.0.7.tar.gz
(2) scanner: the scanner is responsible for calling the various vulnerability detection plug-ins to carry out the actual scanning.
openvas-scanner-5.0.5.tar.gz
(3) manager: the manager is responsible for assigning scan tasks and producing assessment reports from the scan results.
openvas-manager-6.0.8.tar.gz
(4) gsa: the front-end web UI provides the web interface to the OpenVAS service layer, which makes it easy to run scan tasks from a browser; it is the easiest component of the client layer to use.
greenbone-security-assistant-6.0.10.tar.gz
(5) openvas-cli (command line interface): provides access to the OpenVAS service layer from the command line.
openvas-cli-1.4.4.tar.gz
II. Compilation and installation
1. Install libraries
root@bob-Openvas:~# tar -xf openvas-libraries-8.0.7.tar.gz
root@bob-Openvas:~# cd openvas-libraries-8.0.7/
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# mkdir build
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# cd build/
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cmake ..
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make doc-full
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make install
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cd ../../
2. Install scanner the same way as above; the later components are installed the same way too.
openvas-scanner-5.0.5.tar.gz
3. Create cert
root@bob-Openvas:~# openvas-mkcert
Certificate storage locations
/usr/local/var/lib/openvas/private/CA
/usr/local/var/lib/openvas/CA
4. Reload the libraries so that libopenvas_nasl.so.8 is picked up
root@bob-Openvas:~# ldconfig
5. Synchronize the NVTs into the NVT plug-in directory. NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
root@bob-Openvas:~# openvas-nvt-sync
...
...
zone_alarm_local_dos.nasl
zone_alarm_local_dos.nasl.asc
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok
6. Install redis-2.8.4. Before running scanner, you also need a running redis service for buffering
root@bob-Openvas:~# apt-get install redis-server
root@bob-Openvas:~# netstat -lanpt | grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
root@bob-Openvas:~# cp /etc/redis/redis.conf{,.bak}
root@bob-Openvas:~# /etc/init.d/redis-server stop
Stopping redis-server: redis-server.
Add the following 2 lines. If you don't add them, an error will be reported later.
root@bob-Openvas:~# vim /etc/redis/redis.conf
unixsocket /tmp/redis.sock
unixsocketperm 700
root@bob-Openvas:~# /etc/init.d/redis-server start
root@bob-Openvas:~# netstat -lanpt | grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
7. Start the scanner with the openvassd command
Scanner listens on port 9391. Note that once scanner has started successfully, manager can act as a client to interact with scanner and control it. The real clients, such as the command-line cli and the web UI (gsa), can only interact with manager and cannot bypass manager to operate scanner directly.
root@bob-Openvas:~# openvassd
root@bob-Openvas:~# netstat -lanpt | grep 939
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/openvassd
8. Install manager
openvas-manager-6.0.8.tar.gz
9. manager needs to communicate with scanner after startup: scanner is the server and manager is the client. In the "configuration and startup" phase of scanner, we already generated the SSL certificate and private key files for scanner.
This means manager can verify the server, but scanner also requires client verification of manager, so you also need to generate an SSL certificate and private key for manager.
10. Download the SCAP feed. The download takes a very long time: 80 minutes when the network is fast, and one day when it is slow.
root@bob-Openvas:~# openvas-scapdata-sync
11. Download the CERT feed
root@bob-Openvas:~# openvas-certdata-sync
12. Execute the following command to generate the client certificate and private key
root@bob-Openvas:~# openvas-mkcert-client -n -i
root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/private/CA
total 12
-rw------- 1 root root 3247 July 30 16:59 cakey.pem
-rw------- 1 root root 3247 July 30 20:08 clientkey.pem
-rw------- 1 root root 3247 July 30 16:59 serverkey.pem
root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/CA
total 24
-rw-r--r-- 1 root root 2451 July 30 16:59 cacert.pem
-rw------- 1 root root 7931 July 30 20:08 clientcert.pem
-rw-r--r-- 1 root root 8229 July 30 16:59 servercert.pem
#
Alternatively, the certificate and private key can be generated by running openvas-mkcert-client on its own:
root@bob-Openvas:~# openvas-mkcert-client
Then copy the certificate and private key from the temporary directory to the appropriate directories
root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/key_om.pem /usr/local/var/lib/openvas/private/CA/clientkey.pem
root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/cert_om.pem /usr/local/var/lib/openvas/CA/clientcert.pem
#
13. Initialize the database. The scanner (openvassd, port 9391) must be running before the database can be rebuilt successfully; otherwise the error "Rebuilding NVT cache... failed." is reported.
root@bob-Openvas:~# openvasmd --rebuild --progress -v
Rebuilding NVT cache... done.
root@bob-Openvas:~# openvasmd -p 9390 -a 127.0.0.1
root@bob-Openvas:~# netstat -lanpt | grep 939
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391
14. Create an account bob
root@bob-Openvas:~# openvasmd --create-user=bob --role=Admin
User created with password '23c65192-2fa7-4aabmura8dmura6c9df701314c'.
15. Change the password of the account bob
root@bob-Openvas:~# openvasmd --user=bob --new-password=XXXXXXX
16. Install cli. cli is a command-line tool; as the client program omp, it can run on Windows or Linux
openvas-cli-1.4.4.tar.gz
17. Install gsad
greenbone-security-assistant-6.0.10.tar.gz
18. Start gsad. Setting the listen address to 0.0.0.0 makes the service accessible from other machines
root@bob-Openvas:~# gsad --listen=0.0.0.0 -p 9392
root@bob-Openvas:~# netstat -lanpt | grep 939
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:*
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 5580/gsad
19. Install nmap-5.51.tar.bz2
The gsad log reported an error and the scan did not show any results, because nmap was not installed.
root@bob-Openvas:~# ./configure && make && make install
20. texlive-full is required to export reports in PDF format
root@bob-Openvas:~# apt-get install texlive-full
21. Download the check script and test the installation
root@bob-Openvas:~# wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Step 1: Checking OpenVAS Scanner...
OK: OpenVAS Scanner is present in version 5.0.5.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: redis-server is present in version v=2.8.4.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /usr/local/var/cache/openvas contains 38966 files for 38966 NVTs.
Step 2: Checking OpenVAS Manager...
OK: OpenVAS Manager is present in version 6.0.8.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 38966 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration...
WARNING: Your password policy is empty.
SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA)...
OK: Greenbone Security Assistant is present in version 6.0.10.
Step 5: Checking OpenVAS CLI...
OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD)...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation...
OK: nmap is present in version 5.51.
Step 10: Checking presence of optional tools...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
It seems like your OpenVAS-8 installation is OK.
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
22. Access OpenVAS through the web. Ubuntu 14.04 was installed with the English interface.
https://127.0.0.1:9392
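Added example (not part of the original post): steps 7, 13 and 18 check the listeners by eye with netstat; the functions below classify the three OpenVAS ports from `netstat -lnpt` output on stdin. The sample lines are constructed from the output shown in those steps, and treating a wildcard bind on any port other than gsad's 9392 as unexpected is an assumption for this single-host setup.

```bash
#!/bin/sh
# Added example: classify OpenVAS listeners from `netstat -lnpt` output on stdin.
# Output: "<port> <service> <scope>", one line per OpenVAS port found.
audit_openvas_listeners() {
    awk '
        BEGIN { svc[9390] = "openvasmd"; svc[9391] = "openvassd"; svc[9392] = "gsad" }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")        # works for 0.0.0.0:9391 and :::9391
            port = part[n]
            if (!(port in svc)) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")        scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1")    scope = "loopback-only"
            else                                          scope = "bound:" addr
            print port, svc[port], scope
        }' | sort -n
}

# Assumption for this single-host install: only gsad (9392) is meant to be
# reachable from other machines, as step 18 sets up; any other OpenVAS port
# bound to all interfaces is reported.
unexpected_exposure() {
    audit_openvas_listeners | awk '$3 == "all-interfaces" && $1 != 9392'
}

# Constructed sample, modelled on the netstat output after step 18.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      127.0.0.1:6379  0.0.0.0:*       LISTEN 3602/redis-server
tcp   0      0      127.0.0.1:9390  0.0.0.0:*       LISTEN 4836/openvasmd
tcp   0      0      0.0.0.0:9391    0.0.0.0:*       LISTEN 3949/openvassd
tcp   0      0      0.0.0.0:9392    0.0.0.0:*       LISTEN 5580/gsad
EOF
}

sample_netstat | audit_openvas_listeners
echo "--- unexpected:"
sample_netstat | unexpected_exposure
```

On the scanner host, the live check is `netstat -lnpt | unexpected_exposure`, run as root so that the program names are shown.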
III. Script to start OpenVAS at boot. Because it was compiled and installed from source, it does not start at boot by itself, so I wrote a small script
OpenVAS boot startup script
root@bob-Openvas:~# vim /home/bob/openvas_server_start.sh
#!/bin/bash
# Scanner first: listens on port 9391
/usr/local/sbin/openvassd
# Manager: port 9390, bound to 127.0.0.1
/usr/local/sbin/openvasmd -p 9390 -a 127.0.0.1
# Web UI (gsad): port 9392, reachable from other machines
/usr/local/sbin/gsad --listen=0.0.0.0 -p 9392
IV. Problems encountered during installation and their solutions
Problem 1
root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server
ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock
ERROR: The number of NVTs in the OpenVAS Manager database is too low.
FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.
ERROR: No OpenVAS SCAP database found. (Tried: /usr/local/var/lib/openvas/scap-data/scap.db)
FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.
Problem 2
Test whether port 873 on rsync.openvas.org is reachable; openvas-nvt-sync, openvas-scapdata-sync and greenbone-scapdata-sync can be executed only once the connection works.
root@bob-Openvas:~# telnet rsync.openvas.org rsync
Trying 78.47.251.61...
Connected to openvas-feed.intevation.org.
Escape character is '^]'.
Problem 3
If port 873 on rsync.openvas.org is not reachable, you can install offline. Download the feed on a machine with Internet access (or go directly to a machine where the resources have already been updated and copy the corresponding files to your own machine), then copy it into these directories.
Download the OpenVAS plug-in library, copy it into the directories below, and restart OpenVAS
root@bob-Openvas:~# wget http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
/usr/local/var/lib/openvas/plugins
/usr/local/var/lib/openvas/cert-data
/usr/local/var/lib/openvas/scap-data
Problem 4
OpenVAS log directory
root@bob-Openvas:~# ls -lh /usr/local/var/log/openvas/
total 24K
-rw-r--r-- 1 root root 1.4K July 29 17:39 gsad.log
-rw------- 1 root root 15K July 30 13:10 openvasmd.log
-rw-r--r-- 1 root root 559 July 30 13:22 openvassd.messages