openvas安装经验

shaoping0330

8月26日更新（总是有格式问题 debian下安装openvas.rar (29.45 KB, 下载次数: 228)

2014-08-26 09:44 上传

点击文件名下载附件 ，上传了一个附件，供参考）
1、Configure OBS Repository

(as user root, onlyonce)
echo "debhttp://download.opensuse.org/rep ... E:/v6/Debian_7.0/./" >> /etc/apt/sources.list
wgethttp://download.opensuse.org/rep ... ian_7.0/Release.key
apt-key add./Release.key
sudo apt-get update


2、Quick-Install OpenVAS

(as user root, onlyonce)
确保安装光盘可以使用：/media/cdrom 或者将iso上传mount在这个目录
apt-get -y install greenbone-security-assistant openvas-cli openvas-manageropenvas-scanner openvas-administrator sqlite3 xsltproc rsync

然后再添加其他源到/etc/apt/sources.list确保以下安装完成：

deb http://mirrors.163.com/debian/stable main #contrib non-free

deb-src http://mirrors.163.com/debian/stable main #contrib non-free

deb http://security.debian.org/ stable/updatesmain

sudo apt-get update

To install support packages for reportgeneration (downloads around 30 MB of additional packages，注：即pdflatex):
apt-get -yinstall texlive-latex-base texlive-latex-extra texlive-latex-recommendedhtmldoc

To install support for autogenerated LSCcredential packages:
apt-get -yinstall alien rpm nsis fakeroot


3、Quick-Start OpenVAS

(copy and paste whole block as userroot, during first time you will be asked to set a password for user"admin")

test -e /var/lib/openvas/CA/cacert.pem  || openvas-mkcert -q

openvas-nvt-sync

test -e/var/lib/openvas/users/om || openvas-mkcert-client -n om -i

/etc/init.d/openvas-managerstop

/etc/init.d/openvas-scannerstop

openvassd

openvasmd --rebuild

openvas-scapdata-sync

openvas-certdata-sync

test -e/var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin

killall openvassd

sleep 15

/etc/init.d/openvas-scannerstart

/etc/init.d/openvas-managerstart

/etc/init.d/openvas-administratorrestart

/etc/init.d/greenbone-security-assistantrestart

注：

/etc/init.d/openvas-manager start

Starting OpenVAS Manager: ERROR.

通常是之前有进程没有关闭好，用kill彻底杀掉。

4、Log into OpenVAS as "admin"

Open https://localhost:9392/

默认只能本机访问，为了确保其他ip访问，需要修改监听ip地址（同时修改iptables）：
/etc/default/openvas-scanner
/etc/default/openvas-administrator
/etc/default/openvas-manager
/etc/default/greenbone-security-assistant将127.0.0.1 改为网络ip，如192.168.0.88

5、下载openvas-check-setup检查

./openvas-check-setup --v6

注：该脚本可在官网上下载

6、重新安装nmap

dpkg -r nmap

到nmap官网下载对应版本，如：

tar zxvf nmap-5.51.6.tgz

cd nmap-5.51.6/

./configure

make

make install

7、上传openvassd.conf并Enablesignature checking

修改 /etc/openvas/openvassd.conf
nasl_no_signature_check= no

说明：如果自己没有生成密钥对openvas的密钥进行签名，请不要enables，否则因各个rule没有signature而导致无法生成报告。

如果enables，请参考如下命令设置：

mkdir /etc/openvas/gnupg/  

chmod 600 /etc/openvas/gnupg/  

wget http://www.openvas.org/OpenVAS_TI.asc

gpg --homedir=/etc/openvas/gnupg --importOpenVAS_TI.asc

gpg--homedir=/etc/openvas/gnupg --gen-key                   （生成自己的密钥）

gpg --homedir=/etc/openvas/gnupg --list-keys gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID gpg --homedir=/etc/openvas/gnupg --lsign-key 48DB4530                 （及对OpenVAS_TI.asc签名）

用生成的密钥对openvas的密钥进行签名，即可解决rule没有signature而导致无法生成报告的问题。

注1：安装后，没有发现有 /etc/openvas/openvassd.conf这个配置文件，可从其他机器上拷贝过来的（本文尾附有该文件）。

注2：OpenVAS_TI.asc 下载地址和Signature说明参考页面：http://www.openvas.org/trusted-nvts.html

Signed NVTs are usually provided by NVT Feed Services. Forexample, the NVTs contained in the OpenVAS NVT Feed are signed by the "OpenVAS Transfer Integrity" keywhich you can find at the bottom of this page

注3：如果自己写了nasl，可如下进行测试：

openvas-nasl -Xp test.nasl                #forparsing

openvas-nasl -Xt IP test.nasl             #for exec

8、版本

# openvassd -V

OpenVAS Scanner 3.4.0

# openvasmd --version

OpenVAS Manager 4.0.2

# openvasad -V

OpenVAS Administrator 1.3.0

9、openvas-certdata-sync执行时的报错

提示没有cert_db_init,sql和dfn_cert_update.xsl，这个其实是个bug，好像不影响使用。解决方法如下：

在官网下载对应源码安装版本，解压openvas-manager后手动上传缺失文件

sftp> lcdD:\openvas_check\6_sour\openvas-manager-4.0.5\openvas-manager-4.0.5\tools

sftp> cd /usr/share/openvas/cert

sftp> put cert_db_init.sql

sftp> put dfn_cert_update.xsl

10、Greenbone Security Desktop（GSD）

这个可不安装，不影响使用。如果需要在debian系统上直接使用，可安装。


11、check日志

more/tmp/openvas-check-setup.log

12、密码规则设置

vi  /etc/openvas/pwpolicy.conf
取消注释：
!/^.{6,}$/
!/^.{8,}$/
/^[[:digit:]]+$/
可根据需要，取消其他相关注释以加强密码安全设置。


13、Openvas安装相关目录

config_file = /etc/openvas/openvassd.conf

rules = /usr/share/openvas/openvassd.rules

cache_folder = /var/cache/openvas

plugins_folder = /var/lib/openvas/plugins

include_folders = /var/lib/openvas/plugins

logfile = /var/log/openvas/openvassd.messages

dumpfile = /var/log/openvas/openvassd.dump

cert_file =/var/lib/openvas/CA/servercert.pem

key_file =/var/lib/openvas/private/CA/serverkey.pem

ca_file = /var/lib/openvas/CA/cacert.pem

OpenVAS Manager client certificate is presentas /var/lib/openvas/CA/clientcert.pem

OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db

OpenVAS SCAP database found in/var/lib/openvas/scap-data/scap.db

OpenVAS CERT database found in/var/lib/openvas/cert-data/cert.db

The password policy file at/etc/openvas/pwpolicy.conf

14、openvassd.conf参考

#Configuration fileof the OpenVAS Security Scanner
# Every linestarting with a '#' is a comment
[Misc]
# Path to thesecurity checks folder :
plugins_folder =/var/lib/openvas/plugins

# Path to OpenVAScaching folder:
cache_folder =/var/cache/openvas

# Path to OpenVASinclude directories:
# (multiple entriesare separated with colon ':')
include_folders =/var/lib/openvas/plugins

# Maximum number ofsimultaneous hosts tested :
max_hosts = 30

# Maximum number ofsimultaneous checks against each host tested :
max_checks = 10

# Niceness. If setto 'yes', openvassd will renice itself to 10.
be_nice = no

# Log file (or'syslog') :
logfile =/var/log/openvas/openvassd.log

# Shall we logevery details of the attack ? (disk intensive)
log_whole_attack =no

# Log the name ofthe plugins that are loaded by the server ?
log_plugins_name_at_load= no

# Dump file fordebugging output, use `-' for stdout
dumpfile =/var/log/openvas/openvassd.dump

# Rules file :
rules =/etc/openvas/openvassd.rules

# CGI paths tocheck for (cgi-bin:/cgi-aws:/ can do)
cgi_path =/cgi-bin:/scripts

# Range of theports the port scanners will scan :
# 'default' meansthat OpenVAS will scan ports found in its
# services file.
port_range =default

# Optimize the test(recommended) :
optimize_test = yes

# Optimization :
# Read timeout forthe sockets of the tests :
checks_read_timeout= 5
# Ports againstwhich two plugins should not be run simultaneously :
# non_simult_ports= Services/www, 139, Services/finger
non_simult_ports =139, 445
# Maximum lifetimeof a plugin (in seconds) :
plugins_timeout =320

# Safe checks relyon banner grabbing :
safe_checks = yes

# Automaticallyactivate the plugins that are depended on
auto_enable_dependencies= yes

# Do not echo data fromplugins which have been automatically enabled
silent_dependencies= no

# Designate hostsby MAC address, not IP address (useful for DHCP networks)
use_mac_addr = no

#--- Knowledge basesaving (can be configured by the client) :
# Save theknowledge base on disk :
save_knowledge_base= no
# Restore the KBfor each test :
kb_restore = no
# Only test hostswhose KB we do not have :
only_test_hosts_whose_kb_we_dont_have= no
# Only test hostswhose KB we already have :
only_test_hosts_whose_kb_we_have= no
# KB test replay :
kb_dont_replay_scanners= no
kb_dont_replay_info_gathering= no
kb_dont_replay_attacks= no
kb_dont_replay_denials= no
kb_max_age = 864000
#--- end of the KBsection

# If this option isset, OpenVAS will not scan a network incrementally
# (10.0.0.1, then10.0.0.2, 10.0.0.3 and so on..) but will attempt to
# slice theworkload throughout the whole network (ie: it will scan
# 10.0.0.1, then10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
slice_network_addresses= no

# Should considerall the NASL scripts as being signed ? (unsafe if set to 'yes')
nasl_no_signature_check= no

# Certificates
#
cert_file=/var/lib/openvas/CA/servercert.pem
key_file=/var/lib/openvas/private/CA/serverkey.pem
ca_file=/var/lib/openvas/CA/cacert.pem
# If you decide toprotect your private key with a password,
# uncomment andchange next line
#pem_password=password
# If you want toforce the use of a client certificate, uncomment next line
# force_pubkey_auth= yes
#end.


15、不使用https访问GSA

提示："Failed to receive data: A TLS packet with unexpectedlength was received."

可将/etc/init.d/greenbone-security-assistant"中的
["$GSA_ADDRESS" ] &&DAEMONOPTS="--listen=$GSA_ADDRESS"
修改为：
["$GSA_ADDRESS" ] && DAEMONOPTS="--http-only--listen=$GSA_ADDRESS"


16、GSA使用简单说明

1）我的设置

设置时区：

My settings：  :Asia/Shanghai            #for v6

My settings：  Asia/Shanghai             #for v7

设置显示行数：默认是10，改为40

2）添加用户
Administration-users，添加普通用户。
3）添加Targets
建议将ip主机/网络地址作为Name添加。
4）添加Schedules
建议将ip主机/网络地址作为Name添加，并设置Period和Duration。
5）添加Task
建议将ip主机/网络地址作为Name添加，并选择对应名称的 Scan Targets 和对应名称的 Schedule，同时可填选对应的Observers用户。
之后，系统会定期扫描。若有多次扫描，还可查看漏洞变化情况。

chenzhiquan2000

谢谢分享，有空试试，先留名

lanwei86e

楼主辛苦了，顶一下

zengkun_2008

root@kali:~# openvas-check-setup
openvas-check-setup 2.2.3
  Test completeness and readiness of OpenVAS-6
  (add '--v4', '--v5' or '--v7'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 3.4.0.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 35972 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 35972 files for 35972 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 4.0.4.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 74.
        OK: OpenVAS Manager expects database at revision 74.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 35972 NVTs.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        ERROR: No OpenVAS CERT database found. (Tried: /var/lib/openvas/cert-data/cert.db)
        FIX: Run a CERT synchronization script like openvas-certdata-sync or greenbone-certdata-sync.

ERROR: Your OpenVAS-6 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.


我按照提示 运行 openvas-certdata-sync这个命令，提示错误！
root@kali:~#  openvas-certdata-sync
This script synchronizes a CERT advisory directory with the OpenVAS one.
CERT dir: /var/lib/openvas/cert-data
Will use rsync
Using rsync: /usr/bin/rsync
Configured CERT data rsync feed: rsync://feed.openvas.org:/cert-data
rsync: getaddrinfo: feed.openvas.org 873: Name or service not known
rsync error: error in socket IO (code 10) at clientserver.c(122) [Receiver=3.0.9]
Error: rsync failed. Your CERT data might be broken now.



rsync: getaddrinfo: feed.openvas.org 873: Name or service not known 网站打不开？？

shaoping0330

rsync: getaddrinfo: feed.openvas.org 873: Name or service not known
看起来像是网络问题或者你的DNS解析问题。
你可以手动测试看看

我这边如下：
# telnet feed.openvas.org 873
Trying 78.47.251.61...
Connected to openvas-feed.intevation.org.
Escape character is '^]'.

圣钰佳泰

收藏了，给公司工程师看看

圣钰佳泰

本人就是喜欢Open的东西。

bun

为什么只能添加4个扫描任务？

bun

弄清楚了。

需要先通过向导创建一个快速扫描

shangrilawyx

很好,支持!!!