
[Other] OpenVAS installation experience

#1, posted 2014-08-20 15:56
Last edited by shaoping0330 on 2014-08-26 09:44

Updated August 26 (the formatting keeps breaking, so I uploaded an attachment for reference: debian下安装openvas.rar, 29.45 KB)
1. Configure OBS Repository

(as user root, only once)
echo "deb http://download.opensuse.org/rep ... E:/v6/Debian_7.0/ ./" >> /etc/apt/sources.list
wget http://download.opensuse.org/rep ... ian_7.0/Release.key
apt-key add ./Release.key
sudo apt-get update


2. Quick-Install OpenVAS

(as user root, only once)
Make sure the installation CD is available at /media/cdrom, or upload the ISO and mount it on that directory.
apt-get -y install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc rsync
Then add further sources to /etc/apt/sources.list to make sure the following installs complete:
deb http://mirrors.163.com/debian/ stable main #contrib non-free
deb-src http://mirrors.163.com/debian/ stable main #contrib non-free
deb http://security.debian.org/ stable/updates main
sudo apt-get update
To install support packages for report generation (downloads around 30 MB of additional packages; note: this is pdflatex):
apt-get -y install texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc

To install support for autogenerated LSC credential packages:
apt-get -y install alien rpm nsis fakeroot


3. Quick-Start OpenVAS

(copy and paste whole block as user root, during first time you will be asked to set a password for user "admin")
test -e /var/lib/openvas/CA/cacert.pem || openvas-mkcert -q
openvas-nvt-sync
test -e /var/lib/openvas/users/om || openvas-mkcert-client -n om -i
/etc/init.d/openvas-manager stop
/etc/init.d/openvas-scanner stop
openvassd
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync
test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin
killall openvassd
sleep 15
/etc/init.d/openvas-scanner start
/etc/init.d/openvas-manager start
/etc/init.d/openvas-administrator restart
/etc/init.d/greenbone-security-assistant restart
Note:
/etc/init.d/openvas-manager start
Starting OpenVAS Manager: ERROR.
This usually means an earlier process was not shut down cleanly; kill it off completely with kill.

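4. Log into OpenVAS as "admin"

By default it can only be accessed from the local machine. To allow access from other IPs, change the listening IP address (and adjust iptables accordingly):
/etc/default/openvas-scanner
/etc/default/openvas-administrator
/etc/default/openvas-manager
/etc/default/greenbone-security-assistant
Change 127.0.0.1 to the network IP, e.g. 192.168.0.88

5. Download openvas-check-setup and run the check

./openvas-check-setup --v6
Note: the script can be downloaded from the official website.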

6. Reinstall nmap

dpkg -r nmap
Download the matching version from the nmap website, e.g.:
tar zxvf nmap-5.51.6.tgz
cd nmap-5.51.6/
./configure
make
make install

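7. Upload openvassd.conf and enable signature checking

Edit /etc/openvas/openvassd.conf
nasl_no_signature_check = no
Note: if you have not generated your own key and used it to sign the OpenVAS key, do not enable this; otherwise no report can be generated, because none of the rules has a signature.

If you do enable it, set it up with the following commands:
mkdir /etc/openvas/gnupg/
# a directory needs the execute bit to be entered; 700 is the usual gpg homedir mode
chmod 700 /etc/openvas/gnupg/
gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc
gpg --homedir=/etc/openvas/gnupg --gen-key                   # generate your own key
gpg --homedir=/etc/openvas/gnupg --list-keys
gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID
gpg --homedir=/etc/openvas/gnupg --lsign-key 48DB4530        # i.e. sign OpenVAS_TI.asc
Signing the OpenVAS key with the generated key solves the problem of reports not being generated because the rules have no signature.
1) After installation I found no /etc/openvas/openvassd.conf configuration file; it can be copied over from another machine (the file is attached at the end of this post).
2) For the OpenVAS_TI.asc download address and the explanation of signatures, see: http://www.openvas.org/trusted-nvts.html
Signed NVTs are usually provided by NVT Feed Services. For example, the NVTs contained in the OpenVAS NVT Feed are signed by the "OpenVAS Transfer Integrity" key which you can find at the bottom of this page
3) If you have written your own NASL script, you can test it as follows:
openvas-nasl -Xp test.nasl                # for parsing
openvas-nasl -Xt IP test.nasl             # for exec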

8. Versions

# openvassd -V
OpenVAS Scanner 3.4.0
# openvasmd --version
OpenVAS Manager 4.0.2
# openvasad -V
OpenVAS Administrator 1.3.0

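9. Errors when running openvas-certdata-sync

It reports that cert_db_init.sql and dfn_cert_update.xsl are missing. This is actually a bug and does not seem to affect use. The fix is as follows:
Download the matching source release from the official website, unpack openvas-manager, and upload the missing files manually
sftp> lcd D:\openvas_check\6_sour\openvas-manager-4.0.5\openvas-manager-4.0.5\tools
sftp> cd /usr/share/openvas/cert
sftp> put cert_db_init.sql
sftp> put dfn_cert_update.xsl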

10. Greenbone Security Desktop (GSD)

This is optional; leaving it out does not affect use. Install it if you need to use it directly on the Debian system.


11. Check the log

more /tmp/openvas-check-setup.log

12. Password policy settings

vi /etc/openvas/pwpolicy.conf
Uncomment:
!/^.{6,}$/
!/^.{8,}$/
/^[[:digit:]]+$/
Uncomment other relevant lines as needed to strengthen the password security settings.


13. OpenVAS installation directories and files

config_file = /etc/openvas/openvassd.conf
rules = /usr/share/openvas/openvassd.rules
cache_folder = /var/cache/openvas
plugins_folder = /var/lib/openvas/plugins
include_folders = /var/lib/openvas/plugins
logfile = /var/log/openvas/openvassd.messages
dumpfile = /var/log/openvas/openvassd.dump
cert_file = /var/lib/openvas/CA/servercert.pem
key_file = /var/lib/openvas/private/CA/serverkey.pem
ca_file = /var/lib/openvas/CA/cacert.pem
OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem
OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db
OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db
OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db
The password policy file at /etc/openvas/pwpolicy.conf

14. openvassd.conf reference

# Configuration file of the OpenVAS Security Scanner
# Every line starting with a '#' is a comment
[Misc]
# Path to the security checks folder :
plugins_folder = /var/lib/openvas/plugins

# Path to OpenVAS caching folder:
cache_folder = /var/cache/openvas

# Path to OpenVAS include directories:
# (multiple entries are separated with colon ':')
include_folders = /var/lib/openvas/plugins

# Maximum number of simultaneous hosts tested :
max_hosts = 30

# Maximum number of simultaneous checks against each host tested :
max_checks = 10

# Niceness. If set to 'yes', openvassd will renice itself to 10.
be_nice = no

# Log file (or 'syslog') :
logfile = /var/log/openvas/openvassd.log

# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = no

# Log the name of the plugins that are loaded by the server ?
log_plugins_name_at_load = no

# Dump file for debugging output, use `-' for stdout
dumpfile = /var/log/openvas/openvassd.dump

# Rules file :
rules = /etc/openvas/openvassd.rules

# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
cgi_path = /cgi-bin:/scripts

# Range of the ports the port scanners will scan :
# 'default' means that OpenVAS will scan ports found in its
# services file.
port_range = default

# Optimize the test (recommended) :
optimize_test = yes

# Optimization :
# Read timeout for the sockets of the tests :
checks_read_timeout = 5
# Ports against which two plugins should not be run simultaneously :
# non_simult_ports = Services/www, 139, Services/finger
non_simult_ports = 139, 445
# Maximum lifetime of a plugin (in seconds) :
plugins_timeout = 320

# Safe checks rely on banner grabbing :
safe_checks = yes

# Automatically activate the plugins that are depended on
auto_enable_dependencies = yes

# Do not echo data from plugins which have been automatically enabled
silent_dependencies = no

# Designate hosts by MAC address, not IP address (useful for DHCP networks)
use_mac_addr = no

#--- Knowledge base saving (can be configured by the client) :
# Save the knowledge base on disk :
save_knowledge_base = no
# Restore the KB for each test :
kb_restore = no
# Only test hosts whose KB we do not have :
only_test_hosts_whose_kb_we_dont_have = no
# Only test hosts whose KB we already have :
only_test_hosts_whose_kb_we_have = no
# KB test replay :
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
#--- end of the KB section

# If this option is set, OpenVAS will not scan a network incrementally
# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
# slice the workload throughout the whole network (ie: it will scan
# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
slice_network_addresses = no

# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
nasl_no_signature_check = no

# Certificates
#
cert_file=/var/lib/openvas/CA/servercert.pem
key_file=/var/lib/openvas/private/CA/serverkey.pem
ca_file=/var/lib/openvas/CA/cacert.pem
# If you decide to protect your private key with a password,
# uncomment and change next line
#pem_password=password
# If you want to force the use of a client certificate, uncomment next line
# force_pubkey_auth = yes
#end.


15. Accessing GSA without HTTPS

Message: "Failed to receive data: A TLS packet with unexpected length was received."

In /etc/init.d/greenbone-security-assistant, change
[ "$GSA_ADDRESS" ] && DAEMONOPTS="--listen=$GSA_ADDRESS"
to:
[ "$GSA_ADDRESS" ] && DAEMONOPTS="--http-only --listen=$GSA_ADDRESS"


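16. Brief notes on using GSA

1) My Settings
Set the timezone:
My settings:  :Asia/Shanghai            #for v6
My settings:  Asia/Shanghai             #for v7
Set the number of rows displayed: the default is 10; change it to 40
2) Add users
Administration - Users: add a regular user.
3) Add Targets
I suggest using the host IP/network address as the Name.
4) Add Schedules
I suggest using the host IP/network address as the Name, and setting Period Duration
5) Add Task
I suggest using the host IP/network address as the Name, then selecting the Scan Targets and the Schedule with the matching names; you can also fill in the corresponding Observers users.
After that, the system scans periodically. Once there have been several scans, you can also see how the vulnerabilities change.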
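
An added example (not part of the original post and not OpenVAS project code): a small shell audit that re-checks the security-relevant settings changed in steps 4, 7 and 15 above, namely nasl_no_signature_check in openvassd.conf, the GSA listen address, and --http-only in the init script. The function names, the constructed sample files and the GSA_ADDRESS=<ip> format of the defaults file are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# GSA_ADDRESS=<ip> in the defaults file is assumed from the init-script line.

# conf_value FILE KEY: print the value of an uncommented "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_scanner FILE: signature-checking state in openvassd.conf (step 7).
audit_scanner() {
    v=$(conf_value "$1" nasl_no_signature_check)
    if [ "$v" = "no" ]; then
        echo "OK: NVT signature checking is enabled"
    else
        echo "WARN: nasl_no_signature_check is '${v:-unset}', expected 'no'"
    fi
}

# audit_gsa INIT_SCRIPT DEFAULTS_FILE: transport and bind address (steps 4, 15).
audit_gsa() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q -e '--http-only'; then
        echo "WARN: --http-only is set, GSA logins are not protected by TLS"
    else
        echo "OK: --http-only is not set"
    fi
    addr=$(conf_value "$2" GSA_ADDRESS)
    case "$addr" in
        127.0.0.1) echo "OK: GSA listens on loopback only" ;;
        *) echo "NOTE: GSA listens on '${addr:-unset}', limit the port with iptables" ;;
    esac
}

# Constructed sample files: signature check off, HTTP only, network bind.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Certificates' 'nasl_no_signature_check = yes' \
        '# force_pubkey_auth = yes' > "$d/openvassd.conf"
    printf '%s\n' '[ "$GSA_ADDRESS" ] && DAEMONOPTS="--http-only --listen=$GSA_ADDRESS"' \
        > "$d/gsa.init"
    printf '%s\n' 'GSA_ADDRESS=192.168.0.88' > "$d/gsa.default"
    audit_scanner "$d/openvassd.conf"
    audit_gsa "$d/gsa.init" "$d/gsa.default"
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/openvas/openvassd.conf to audit_scanner and the init script plus /etc/default/greenbone-security-assistant to audit_gsa.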

#2, posted 2014-08-21 13:28 (from mobile)
Thanks for sharing. I'll try it when I have time; leaving my name here first.

#3, posted 2014-08-21 16:36
Thanks for the hard work, OP. Bump.

#4, posted 2014-08-25 07:15
Last edited by zengkun_2008 on 2014-08-25 07:18

root@kali:~# openvas-check-setup
openvas-check-setup 2.2.3
  Test completeness and readiness of OpenVAS-6
  (add '--v4', '--v5' or '--v7'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 3.4.0.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 35972 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 35972 files for 35972 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 4.0.4.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 74.
        OK: OpenVAS Manager expects database at revision 74.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 35972 NVTs.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db)
        FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync.

ERROR: Your OpenVAS-6 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.


I followed the hint and ran the openvas-certdata-sync command, and it reported an error!
root@kali:~#  openvas-certdata-sync
This script synchronizes a CERT advisory directory with the OpenVAS one.
CERT dir: /var/lib/openvas/cert-data
Will use rsync
Using rsync: /usr/bin/rsync
Configured CERT data rsync feed: rsync://feed.openvas.org:/cert-data
rsync: getaddrinfo: feed.openvas.org 873: Name or service not known
rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
Error: rsync failed. Your CERT data might be broken now.



rsync: getaddrinfo: feed.openvas.org 873: Name or service not known. Is the site unreachable??

#5, posted 2014-08-26 09:41
rsync: getaddrinfo: feed.openvas.org 873: Name or service not known
This looks like a network problem or a problem with your DNS resolution.
You can test it manually.

Here is what I get on my side:
# telnet feed.openvas.org 873
Trying 78.47.251.61...
Connected to openvas-feed.intevation.org.
Escape character is '^]'.

#6, posted 2014-09-07 14:14
Bookmarked; I'll show it to our company's engineers.

#7, posted 2014-09-13 22:40
I just like things that are open.

#8, posted 2014-09-14 16:25
Why can I only add 4 scan tasks?

#9, posted 2014-09-15 08:07
Figured it out.

You need to create a quick scan through the wizard first.

#10, posted 2014-10-12 13:57
Very good, I support this!!!