OpenVAS

The system

The OpenVAS is Linux-based vulnerability management system with web GUI.

Install the system

Default settings of operation system

The OpenVAS can be installed in any Linux systems, e.g. Ubuntu.

1. Upgrade operating system:

apt-get update && apt-get dist-upgrade

2. Set hostname with file:

vi /etc/hostname   <name_of_server>

3. Set hostname with a command:

hostname <name_of_server>

4. Edit hosts file:

vi /etc/hosts   <IP-address_of_server> <FQDN_of_server> <name_of_server>

5. Configure proxy:

export {http,https,ftp}_proxy=https://<IP-address_of_proxy>:<port_of_proxy>/export RSYNC_PROXY=<IP-address_of_proxy>:<port_of_proxy>vi /etc/profile.d/proxy.sh   export {http,https,ftp}_proxy=http://<IP-address_of_proxy>:<port_of_proxy>/   export RSYNC_PROXY=<IP-address_of_proxy>:<port_of_proxy>chown root:root /etc/profile.d/proxy.shvi /etc/apt/apt.conf   Acquire::http::Proxy "http://<IP-address_of_proxy>:<port_of_proxy>/";

The upgrades necessary to use rsync protocol (876 TCP port).

5. Install NTP:

apt-get install ntp

6. Set NTP:

vi /etc/ntp.conf   server <IP-address_of_NTP_server>

7. Stop NTP daemon:

service ntp stop

8. Set date with NTP sync:

ntpdate -d <IP-address_of_NTP_server>

9. Start NTP daemon:

service ntp start

Install OpenVAS

1. Install with repository:

sudo su -add-apt-repository ppa:mrazavi/openvasapt-get updateapt-get install openvas sqlite3 graphviz texlive-latex-extra libldap2-dev libldap-2.4.2 ldap-utils

2. Upgrade and start OpenVAS:

• OpenVAS 8:

openvas-nvt-syncopenvas-scapdata-syncopenvas-certdata-syncservice openvas-scanner restartservice openvas-manager restartopenvasmd --rebuild –-progress

• OpenVAS 9:

openvas-nvt-syncgreenbone-scapdata-syncgreenbone-certdata-syncservice openvas-scanner restartservice openvas-manager restartopenvasmd --rebuild –-progress

Configure and using of system

Accessing the Web GUI

• OpenVAS:

https://<IP-address_of_OpenVAS_server>:443

• OpenVAS 9:

https://<IP-address_of_OpenVAS_server>:4000The default username: admin, password: admin.

Change Admin Password

– Administration → Users → Admin → Edit User → Password: New password– Save User

Configure LDAP and RADIUS Authentication

1. Create authentication file:

vi /var/lib/openvas/openvasmd/auth.conf   [method:file]   enable=true   order=1   [method:ldap_connect]   enable=false   order=2   ldaphost=<IP-address_of_ldap_server>   authdn=uid=%s,cn=<group>,o=<domainname>,c=<end_of_domainname>   allow-plaintext=false   [method:radius_connect]   order=3   enable=false   radiushost=<IP-address_of_radius_server>   radiuskey=<password>chown root:root /var/lib/openvas/openvasmd/auth.conf

2. Configure authentication:

– Administration → Users: Select authentication type (LDAP or RADIUS), and enter the communication data!

Upgrade system

– Administration:– NVT Feed → Synchronize with…– SCAP Feed → Synchronize with…– CERT Feed → Synchronize with…

Configure Automatic Upgrade with crontab

vi /etc/cron.weekly/openvasupdate #!/bin/bash  openvas-certdata-sync  openvas-scapdata-sync  openvas-nvt-sync  openvasmd --rebuild  logger -s "OpenVAS sync"chmod ugo+x /etc/cron.weekly/openvasupdate

Configure user

Set time

– Extras → My Settings → Edit My Settings → Timezone: Enter time zone

Remove scanner wizard

– Extras → My Settings → Edit My Settings → Wizard Rows: 0

Scanning and reporting

– Scan Management → Tasks → Wizard → Advanced Task Wizard:– Task name: Name of scanning– Scan Config: Depth of scanning (e.g. Full and Fast)– Target Host(s): Enter scanned hosts with comma– Create TaskWait for end of task!– Done → PDF → Download

Add override

• In task report:

– Select task → Add Override:– Hosts: Any (or enter hosts)– Put: Any– New Severity: Enter severity (e.g. Low or False Positive)!– Text: Enter reason or puprose of severity!

• View and edit of overrides:

– Scan Management → Overrides

Automatic remove of reports

– Scan Management → Tasks → Select task! → Edit Task → Auto Delete Reports → Automatically delete oldest reports but always keep newest 5 reports

Configure alerts

– Configuration → Alerts → New Alert:Or– Select old alert! → Edit Alert– Event: New status of task– Condition: Enter conditions– Method: Method of alert– Email: Alert to e-mail– System Logger: Alert to system log– Send to host: Alert report to host– SCP: Alert report with SCP– SNMP: Alert with SNMP trap– Community: Enter communityt (default: public)– Agent: localhost– Message: $e– Create Alert (or Save Alert)

OpenVAS CLI

Install OpenVAS CLI:

add-apt-repository ppa:mrazavi/openvasapt-get updateapt-get install openvas-cli

Monitoring of host reports in Nagios-based monitoring systems (e.g. Check_MK): check_omp plugin.

Error handling

If task is not started

Scanner daemon is running?

systemctl status openvas-scanner

or

/etc/init.d/openvas-scanner status

If scanner daemon is not running, then start:

systemctl start openvas-scanner

or

/etc/init.d/openvas-scanner start

If plugin error in log

If plugin error in /var/log/openvas/openvassd.messages logfile, then delete scanner daemon cache:

rm -f /var/cache/openvas/*service openvas-scanner restart

Search error descriptions in report

1. Download XML report!

2. Error count and error description: after „<errors><count>” string.