CentOS7 OpenVAS

I decided to give OpenVAS a try as an alternative to Nessus, thinking it would be pretty comparable since it is a Nessus fork, and the Nessus cost was too much for a small company. I used the following to install it on CentOS 7.

First the requirements. They are not clearly defined on the OpenVAS page for downloading the binary packages, which is what I did. You need to disable SELinux; I had mine in permissive mode and it still caused problems. The rest was pretty straightforward. This uses the Atomicorp repository.

To install and perform the initial configuration (note that the first line pipes a script fetched over plain HTTP straight into a root shell; if that bothers you, save it to a file and read it before running it):

# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
# yum upgrade
# yum install openvas
# openvas-setup

To stop, start and check OpenVAS services:

# systemctl stop openvas-manager
# systemctl status openvas-manager
# systemctl start openvas-manager
# systemctl status openvas-scanner
# systemctl stop openvas-scanner
# systemctl start openvas-scanner

Location of the logs:

# cd /var/log/openvas/
# tail gsad.log
# tail openvassd.log
# tail openvasmd.log

This is a very useful command to verify the status of your installation. It is what told me that I needed to disable SELinux:

# openvas-check-setup

This command rebuilds the manager's NVT database (run it after a feed sync):

# openvasmd --rebuild

As a result of not having SELinux disabled, I found that the redis service (an advanced key-value store, which the scanner uses for its knowledge base) was not running, so the OpenVAS scanner would not work properly after I rebooted. With SELinux disabled, I restarted redis:
# systemctl stop redis
# systemctl start redis
# systemctl status redis

And then to check the status:

# openvas-check-setup
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)

Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 5.0.7.
OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
OK: redis-server is present in version v=3.0.7.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 51943 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /var/cache/openvas contains 51943 files for 51943 NVTs.
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 6.0.9.
OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 51943 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration …
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) …
OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI …
OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) …
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running …
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation …
WARNING: Your version of nmap is not fully supported: 6.47
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools …
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
SUGGEST: Install alien.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

To update the rules or tests (Network Vulnerability Tests, NVTs), use the following command, which the setup also runs for you. The feed terms (and the banner below) are very clear that you must not run more than one sync at a time, otherwise they will block your IP address; once a day is plenty, since the feed itself looks like it is usually updated about once a week anyway. If nothing has changed you will get something like the following:

# openvas-nvt-sync
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
OpenVAS community feed server - http://www.openvas.org/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be blocked.

[i] Feed is already current, no synchronization necessary.
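As an added example (not from the original post and not part of OpenVAS), here is the wrapper I would actually put in cron for the two maintenance steps above: it runs openvas-nvt-sync at most once per day by keeping a stamp file, rebuilds the manager database afterwards, and then runs openvas-check-setup and fails the job on any ERROR line. It also names the lines in the check-setup output above that matter for the scanner's own security and that the "installation is OK" verdict glosses over: NVT signature checking is off (a tampered feed would run unverified plugins as the scanner), the Greenbone Security Assistant is serving plain HTTP on port 80 and the scanner and manager listen on all interfaces (so the web UI, its logins and the scan results are reachable from the whole network in clear), and the password policy is empty. The stamp path, MAX_AGE and the embedded sample output are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenVAS: a cron-safe
# wrapper for the two maintenance commands above.
#  - openvas-nvt-sync runs at most once per MAX_AGE seconds (default one day),
#    tracked with a stamp file, so a careless cron entry can't get the IP blocked.
#  - openvas-check-setup output is triaged: any ERROR fails the job, and the
#    warnings that weaken the scanner host itself are named explicitly.
# STAMP, MAX_AGE and the sample output below are assumptions/constructed.

STAMP="${STAMP:-/var/lib/openvas/.nvt-sync-stamp}"
MAX_AGE="${MAX_AGE:-86400}"

# sync_due STAMPFILE MAXAGE -> true if there is no stamp or it is older than MAXAGE s
sync_due() {
    stamp=$1; max=$2
    [ -f "$stamp" ] || return 0
    now=$(date +%s)
    mtime=$(stat -c %Y "$stamp" 2>/dev/null || stat -f %m "$stamp")  # GNU, then BSD stat
    [ $((now - mtime)) -ge "$max" ]
}

# run_sync -> sync the feed, rebuild the manager's NVT cache, then write the stamp
run_sync() {
    if sync_due "$STAMP" "$MAX_AGE"; then
        openvas-nvt-sync && openvasmd --rebuild && touch "$STAMP"
    else
        echo "NVT sync ran less than $MAX_AGE s ago, skipping" >&2
    fi
}

# count_level LEVEL < check-setup output -> number of lines at that level (OK, WARNING, ERROR)
count_level() {
    grep -c "^[[:space:]]*$1:" || true
}

# security_findings < check-setup output -> one line per finding that weakens the
# scanner host itself; returns true if at least one was found
security_findings() {
    found=1
    while IFS= read -r line; do
        case $line in
            *"Signature checking of NVTs is not enabled"*)
                echo "NVT signatures are not verified: a tampered feed runs unverified plugins as the scanner"; found=0 ;;
            *"Greenbone Security Assistant is listening on port 80"*)
                echo "GSA is on plain HTTP: UI logins and scan results cross the network in clear"; found=0 ;;
            *"listening on all interfaces"*)
                echo "Bound to every interface, restrict it: ${line#*OK: }"; found=0 ;;
            *"password policy is empty"*)
                echo "No password policy for OpenVAS users"; found=0 ;;
        esac
    done
    return $found
}

# triage_check_setup < check-setup output -> true only if there were no ERROR lines
triage_check_setup() {
    out=$(cat)
    errors=$(printf '%s\n' "$out" | count_level ERROR)
    warnings=$(printf '%s\n' "$out" | count_level WARNING)
    echo "openvas-check-setup: errors=$errors warnings=$warnings" >&2
    printf '%s\n' "$out" | security_findings >&2 || true
    [ "$errors" -eq 0 ]
}

# Constructed sample: a subset of the real output above plus one ERROR line,
# so the triage can be exercised without an OpenVAS install.
SAMPLE_CHECK_OUTPUT='Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 5.0.7.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
Step 7: Checking if OpenVAS services are up and running ...
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: Greenbone Security Assistant is listening on port 80, which is the default port.
        ERROR: OpenVAS Manager is NOT running!'

main() {
    run_sync
    openvas-check-setup --server 2>&1 | triage_check_setup
}

case "${1:-}" in
    --run)  main ;;                                                      # the real thing, from cron
    --demo) printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | triage_check_setup ;;  # offline dry run
esac
```

Schedule it as `openvas-maint.sh --run` once a day; `--demo` shows the triage against the embedded sample without touching the feed.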

Nagios Log Server – notes

I have been using Nagios Log Server and keep running across various issues with it. Most of them seem to be related to running out of disk space where the Elasticsearch indexes are stored. I highly recommend that you do not allow that to happen. Clear and concise documentation is sketchy for this flexible and powerful centralized log server, so I have decided to post a few notes on things I have stumbled onto that help me manage it better.

I created several alerts, and I could get them to work by manually executing the query in the Alerting tab. However, they did not seem to be firing at the Check Interval I had specified; none of them were. While trying to resolve this, I discovered a couple of troubleshooting tips worth noting for future reference. Note: in my case none of these revealed the cause of my issue, at least I don't think they did. Nonetheless, here they are.

Check the poller:

[nagios]$ /usr/bin/php /var/www/html/nagioslogserver/www/index.php poller
Updating Cluster Hosts File
Updating Elasticsearch with instance…
Updating Cluster Hosts File
Updating Elasticsearch with instance…
Updating Cluster Hosts File
Updating Elasticsearch with instance…
Updating Cluster Hosts File
Updating Elasticsearch with instance…
Finished Polling.

Check the jobs:

[nagios]$ /usr/bin/php /var/www/html/nagioslogserver/www/index.php jobs
Processed 0 node jobs.
Processed 0 global jobs.

Look for an error in the cron log:

# grep ERROR /var/log/cron

What fixed my issue was going into the Administration tab and selecting “Command Subsystem” on the left side. From there, clicking “Reset All Jobs” resolved my issue.

Also in the Administration tab, if you select "Audit Reports" you can get some verification that the alerts are running. Before resetting all the jobs, it was clear that they were not running. After resetting, I see several regularly scheduled entries recording the messages returned by the alerts.

Another thing I was able to put together was a report. In particular, I wanted a daily report of every IP address that attempted to log in to an externally facing server. I did this by creating an Elasticsearch alert query and then tweaking the time range. I discovered that I could copy the query and execute it from a shell script with curl. The references I found used curl's -XGET switch; that never worked for me, but -XPOST did and has for quite a while. Once you have the query copied from the dashboard, paste it into a file, change -XGET to -XPOST, make the file executable, and run it to get the text output. I wrapped some bash code around the query and formatted the output into a report. Could be very useful.
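As an added example (not from the original post and not part of Nagios Log Server), here is what that "copy the query, change -XGET to -XPOST, wrap it in a script" report looks like when written out, with the query generated from a day count instead of hand-edited. The index pattern, the field names (host, program, message, src_ip) and the server name are assumptions; take the real query from your own dashboard. The embedded SAMPLE_RESPONSE is constructed so the formatting can be checked offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of Nagios Log Server: the
# "copy the dashboard query, switch -XGET to -XPOST, wrap it in a script" daily
# report described above. The index pattern, field names (host, program,
# message, src_ip) and the server name are assumptions; lift the real query
# from your own dashboard. SAMPLE_RESPONSE is constructed for an offline run.

ES="${ES:-http://localhost:9200}"
INDEX="${INDEX:-logstash-*}"
TARGET_HOST="${TARGET_HOST:-extweb01}"

# build_query DAYS -> Elasticsearch request body: failed logins against
# TARGET_HOST in the last DAYS whole days, counted per source IP, no raw hits
build_query() {
    days=$1
    cat <<EOF
{
  "size": 0,
  "query": {
    "filtered": {
      "query": { "query_string": { "query": "host:\"$TARGET_HOST\" AND program:sshd AND message:\"Failed password\"" } },
      "filter": { "range": { "@timestamp": { "gte": "now-${days}d/d", "lt": "now/d" } } }
    }
  },
  "aggs": { "by_ip": { "terms": { "field": "src_ip", "size": 500 } } }
}
EOF
}

# run_query DAYS -> raw JSON from Elasticsearch; POST with the body on stdin,
# which is what worked here where -XGET did not
run_query() {
    build_query "$1" | curl -s -XPOST -H 'Content-Type: application/json' \
        "$ES/$INDEX/_search" --data-binary @-
}

# format_report < ES response -> "count  ip" lines, busiest first.
# Plain grep/sed over the terms buckets, so no jq is needed on the box.
format_report() {
    tr -d '\n ' \
    | grep -o '"key":"[^"]*","doc_count":[0-9]*' \
    | sed 's/"key":"\([^"]*\)","doc_count":\([0-9]*\)/\2 \1/' \
    | sort -rn \
    | awk '{ printf "%8d  %s\n", $1, $2 }'
}

# report [DAYS] -> the finished text report on stdout
report() {
    days=${1:-1}
    echo "Failed logins against $TARGET_HOST, last $days day(s), generated $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "   count  source ip"
    run_query "$days" | format_report
}

# Constructed response in the shape Elasticsearch returns for the query above.
SAMPLE_RESPONSE='{"took":5,"hits":{"total":37,"hits":[]},
 "aggregations":{"by_ip":{"buckets":[
   {"key":"203.0.113.9","doc_count":12},
   {"key":"198.51.100.4","doc_count":20},
   {"key":"192.0.2.77","doc_count":5}]}}}'

case "${1:-}" in
    --run)  report "${2:-1}" ;;                                # real query, from cron
    --demo) printf '%s' "$SAMPLE_RESPONSE" | format_report ;;  # offline formatting check
esac
```

Run it from cron as `login-report.sh --run 1` and mail the output; `--demo` formats the embedded sample so you can check the parsing before pointing it at the real cluster.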

This one really frustrated me, and I am still not sure I am doing it right, but it seems to be working. As I said earlier, I kept running out of space: my index space was too large, so I wanted to purge/delete the old indices to conserve space. Nothing in the UI seemed to work; the repositories in the Administration tab under "Backup & Maintenance" seem finicky and sensitive at best. Again not easy to find, but I discovered some information about the curator command for Elasticsearch and used it with a few parameters to manage my index retention. Note that the delete step is permanent, so take the snapshot first and make sure it actually succeeded. I run these commands as user nagios in a nightly cron job:

To create a snapshot and save to your backup repository:

curator snapshot --repository nameofbackuprepository indices --older-than numberofdaystokeep --time-unit days --timestring %Y.%m.%d

To close the indices:

curator close indices --older-than numberofdaystokeep --time-unit days --timestring %Y.%m.%d

To delete the indices:

curator delete indices --older-than numberofdaystokeep --time-unit days --timestring %Y.%m.%d

To list your repositories via command line:

curl -XGET "localhost:9200/_snapshot?pretty"

To force the backup to run and create a snapshot:

curator snapshot --repository "RepositoryName" indices --all-indices

There are switches to the curator command that give more verbose output and send it to a log file (in Curator 3.x these are global options, so they go before the sub-command):

Verbosity:

--loglevel level

Level options available, found on the Elastic site (https://www.elastic.co/guide/en/elasticsearch/client/curator/current/configfile.html):

CRITICAL will only display critical messages.
ERROR will only display error and critical messages.
WARN will display error, warning, and critical messages.
INFO will display informational, error, warning, and critical messages.
DEBUG will display debug messages, in addition to all of the above.

Capture output:

--logfile /tmp/test_backup.txt
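As an added example (not from the original post and not part of Curator), here is the nightly retention job above written out in the same Curator 3.x syntax, with the one check the bare commands lack: the close and delete steps only run once the snapshot that covers those indices shows state SUCCESS in the repository, so a failed or partial backup never turns into data loss. The Elasticsearch URL, repository name, retention period and log path are assumptions, and the embedded SAMPLE_SNAPSHOTS is constructed so the state parsing can be checked offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of Curator: the nightly
# retention job above, in the same Curator 3.x CLI syntax, plus the one check
# the bare commands lack: nothing is closed or deleted until the snapshot
# that covers those indices shows state SUCCESS in the repository.
# ES, REPO, KEEP_DAYS and LOG are assumptions; SAMPLE_SNAPSHOTS is constructed.

ES="${ES:-http://localhost:9200}"
REPO="${REPO:-nls_backup}"
KEEP_DAYS="${KEEP_DAYS:-30}"
LOG="${LOG:-/var/log/nagioslogserver/curator.log}"
SNAP="nightly-$(date +%Y%m%d)"

# cur ARGS... -> curator with logging switched on, as described above
cur() { curator --logfile "$LOG" --loglevel INFO "$@"; }

# snapshot_state NAME < JSON from GET /_snapshot/REPO/<name or _all> -> that
# snapshot's state (SUCCESS, PARTIAL, FAILED, IN_PROGRESS), or nothing if absent
snapshot_state() {
    tr -d '\n ' \
    | grep -o '{"snapshot":"'"$1"'"[^}]*"state":"[A-Z_]*"' \
    | sed 's/.*"state":"\([A-Z_]*\)".*/\1/'
}

# nightly -> snapshot, verify, then close and delete; stops at the first failure
nightly() {
    cur snapshot --repository "$REPO" --name "$SNAP" indices \
        --older-than "$KEEP_DAYS" --time-unit days --timestring '%Y.%m.%d' || return 1

    state=$(curl -s "$ES/_snapshot/$REPO/$SNAP" | snapshot_state "$SNAP")
    if [ "$state" != "SUCCESS" ]; then
        echo "snapshot $SNAP is '${state:-missing}', not SUCCESS; indices left untouched" >&2
        return 1
    fi

    cur close  indices --older-than "$KEEP_DAYS" --time-unit days --timestring '%Y.%m.%d' || return 1
    cur delete indices --older-than "$KEEP_DAYS" --time-unit days --timestring '%Y.%m.%d'
}

# Constructed: one good and one partial snapshot, as /_snapshot/REPO/_all reports them.
SAMPLE_SNAPSHOTS='{"snapshots":[
 {"snapshot":"nightly-20160101","indices":["logstash-2016.01.01"],"state":"SUCCESS","shards":{"total":5,"failed":0,"successful":5}},
 {"snapshot":"nightly-20160102","indices":["logstash-2016.01.02"],"state":"PARTIAL","shards":{"total":5,"failed":1,"successful":4}}]}'

if [ "${1:-}" = "--run" ]; then nightly; fi
```

Put `retention.sh --run` in the nagios user's crontab; a non-zero exit with the message on stderr is your cue that the repository needs attention before any more indices are dropped.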

Basic Exchange Rule Management via Exchange Management Shell

New-InboxRule in EMS has many options; I have listed only a very simple example here. Get-Help New-InboxRule is your friend. Keep in mind that a rule which silently deletes or forwards mail is also a standard trick for hiding activity after a mailbox has been compromised, so any rule on a mailbox that its owner did not create deserves a look.
This will create a rule that deletes every email sent to this mailbox (the parameter is -DeleteMessage; the shorter -Delete works only because PowerShell accepts unambiguous prefixes):

New-InboxRule -Mailbox mailbox -Name "rulename" -DeleteMessage $true

Get-Contact by itself lists all contacts. If you pass it a contact name, it returns only that contact:

Get-Contact "contactname"

To list a particular rule for a particular mailbox:

Get-InboxRule -Mailbox mailbox -Identity "rulename"

To disable a rule for a mailbox:

Disable-InboxRule -Mailbox mailbox -Identity "rulename"

To enable a rule for a mailbox:

Enable-InboxRule -Mailbox mailbox -Identity "rulename"

To get a list of your command history. How far back it goes depends on the $MaximumHistoryCount variable, whose default is 64 in PowerShell 2.0 and 4096 from PowerShell 3.0 on.

Get-History

Filtering out unwanted/unneeded message in rsyslog

I wanted to log as much useful information as I could from an Avaya phone system to my CentOS 7.x syslog server running rsyslogd.

That was easy, as I may have noted here before:

# vi /etc/rsyslog.conf

if $fromhost-ip startswith 'aaa.bbb.ccc.ddd' then /var/log/mylog.log
& ~

# systemctl restart rsyslog

However, I found my log flooded with the same unneeded messages over and over. To keep those messages out of every log file, I added the following discard rule. It has to sit above the rules that would otherwise write the message, because rsyslog works through the file top to bottom and the trailing ~ discards the message for all later rules:

# vi /etc/rsyslog.conf

:msg, contains, "what I want to filter out" ~

# systemctl restart rsyslog

Ubuntu – resize a partition in a VMware virtual machine.

Ubuntu: 12.04 LTS
VMware ESXi: 5.5

I wanted to increase the storage on one partition by 100GB, to 250GB, and minimize downtime. I was almost able to pull it off; I needed one quick reboot to get the new size to show up.

With the system up, I used the vSphere client and modified the size of the disk.

root@myhostname~:# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_myhostname_subdir-lv_subdir 148G 125G 16G 90% /mountpt/subdir

root@myhostname~:# mount | grep subdir
/dev/mapper/vg_myhostname_subdir-lv_subdir on /mountpt/subdir type ext4 (rw)

root@myhostname~:# fdisk -l

Disk /dev/sde: 161.1 GB, 161061273600 bytes
255 heads, 63 sectors/track, 19581 cylinders, total 314572800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sde doesn’t contain a valid partition table

Scan for new hardware or changes:

root@myhostname~:# echo "- - -" > /sys/class/scsi_host/host0/scan
root@myhostname~:# echo "- - -" > /sys/class/scsi_host/host1/scan
root@myhostname~:# echo "- - -" > /sys/class/scsi_host/host2/scan

Still didn't show up with the new size (in hindsight, that scan only looks for new devices; it does not make the kernel re-read the size of a disk it already has):

root@myhostname~:# pvdisplay
--- Physical volume ---
PV Name /dev/sde
VG Name vg_myhostname_subdir
PV Size 150.00 GiB / not usable 4.00 MiB
Allocatable yes (but full)
PE Size 4.00 MiB
Total PE 38399
Free PE 0
Allocated PE 38399
PV UUID dkK9oP-XQq2-p2CM-BVBZ-pv0r-J9cP-Hnc0UB

I rebooted at this point.

root@myhostname:~# fdisk /dev/sde
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xeeb3e856.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won’t be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): p

Disk /dev/sde: 268.4 GB, 268435456000 bytes
255 heads, 63 sectors/track, 32635 cylinders, total 524288000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xeeb3e856

Device Boot Start End Blocks Id System

Command (m for help): quit

root@myhostname:~# pvdisplay
--- Physical volume ---
PV Name /dev/sde
VG Name vg_myhostname_subdir
PV Size 150.00 GiB / not usable 4.00 MiB
Allocatable yes (but full)
PE Size 4.00 MiB
Total PE 38399
Free PE 0
Allocated PE 38399
PV UUID dkK9oP-XQq2-p2CM-BVBZ-pv0r-J9cP-Hnc0UB

Resize physical volume to reflect the new size:

root@myhostname:~# pvresize /dev/sde
Physical volume "/dev/sde" changed
1 physical volume(s) resized / 0 physical volume(s) not resized

root@myhostname:~# pvdisplay /dev/sde
--- Physical volume ---
PV Name /dev/sde
VG Name vg_myhostname_subdir
PV Size 250.00 GiB / not usable 3.81 MiB
Allocatable yes
PE Size 4.00 MiB
Total PE 63999
Free PE 25600
Allocated PE 38399
PV UUID dkK9oP-XQq2-p2CM-BVBZ-pv0r-J9cP-Hnc0UB

Interestingly, the volume group updated with the new size:

root@myhostname:~# vgdisplay
--- Volume group ---
VG Name vg_myhostname_subdir
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 3
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 1
Open LV 1
Max PV 0
Cur PV 1
Act PV 1
VG Size 250.00 GiB
PE Size 4.00 MiB
Total PE 63999
Alloc PE / Size 38399 / 150.00 GiB
Free PE / Size 25600 / 100.00 GiB
VG UUID QNgKYt-ueHo-hq54-kvWB-HRcd-3Guq-yfBwhu

However, the logical volume did not:

root@myhostname:~# lvdisplay
--- Logical volume ---
LV Name /dev/vg_myhostname_subdir/lv_subdir
VG Name vg_myhostname_subdir
LV UUID D4xZEe-yAfH-pJoH-51Na-5l2B-Baqu-b37tOw
LV Write Access read/write
LV Status available
# open 1
LV Size 150.00 GiB
Current LE 38399
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:1

So, I had to extend it:

root@myhostname:~# lvextend /dev/vg_myhostname_subdir/lv_subdir /dev/sde
Extending logical volume lv_subdir to 250.00 GiB
Logical volume lv_subdir successfully resized

root@myhostname:~# lvdisplay
--- Logical volume ---
LV Name /dev/vg_myhostname_subdir/lv_subdir
VG Name vg_myhostname_subdir
LV UUID D4xZEe-yAfH-pJoH-51Na-5l2B-Baqu-b37tOw
LV Write Access read/write
LV Status available
# open 1
LV Size 250.00 GiB
Current LE 63999
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:1

Now, to resize the filesystem:

root@myhostname:~# resize2fs /dev/mapper/vg_myhostname_subdir-lv_subdir
resize2fs 1.42 (29-Nov-2011)
Filesystem at /dev/mapper/vg_myhostname_subdir-lv_subdir is mounted on /mountpt/subdir; on-line resizing required
old_desc_blocks = 10, new_desc_blocks = 16
The filesystem on /dev/mapper/vg_myhostname_subdir-lv_subdir is now 65534976 blocks long.

Success:

root@myhostname:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_myhostname_subdir-lv_subdir 247G 125G 110G 54% /mountpt/subdir
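As an added example (not from the original post), here is the whole grow above as one script, including the step that would have made the reboot unnecessary: writing 1 to /sys/class/block/sde/device/rescan asks the kernel to re-read the capacity of a disk it already knows, which is what the scsi_host scans above do not do. It uses the device, volume group and LV names from the post and assumes the same whole-disk PV layout (no partition table on /dev/sde). The filesystem type is read from the mount so the same script also grows XFS, which, unlike ext4, must be grown by mount point and only while mounted.

```shell
#!/bin/sh
# Added example, not part of the original post: the same grow as a script,
# including the step that would have avoided the reboot. Writing to
# /sys/class/scsi_host/*/scan only discovers *new* devices; to make the kernel
# re-read the *capacity* of a disk it already has, write 1 to
# /sys/class/block/<dev>/device/rescan. The device and LV names are the post's;
# the script assumes a whole-disk PV (no partition table), as /dev/sde is above.

DEV="${DEV:-/dev/sde}"
LV="${LV:-/dev/mapper/vg_myhostname_subdir-lv_subdir}"

# rescan_path DEVNODE -> sysfs file that makes the kernel re-read that disk's size
rescan_path() {
    echo "/sys/class/block/$(basename "$1")/device/rescan"
}

# resize_cmd FSTYPE DEVICE MOUNTPOINT -> the online grow command for that filesystem.
# ext2/3/4 grow by device; xfs grows by mount point and can only grow while mounted.
resize_cmd() {
    case $1 in
        ext2|ext3|ext4) echo "resize2fs $2" ;;
        xfs)            echo "xfs_growfs $3" ;;
        *)              return 1 ;;
    esac
}

# grow -> re-read disk size, grow the PV, give the LV all free extents, grow the fs online
grow() {
    mnt=$(findmnt -n -o TARGET "$LV") || { echo "$LV is not mounted" >&2; return 1; }
    fstype=$(findmnt -n -o FSTYPE "$LV")
    cmd=$(resize_cmd "$fstype" "$LV" "$mnt") || { echo "cannot grow $fstype online" >&2; return 1; }

    echo 1 > "$(rescan_path "$DEV")" || return 1   # kernel notices the bigger virtual disk
    pvresize "$DEV"             || return 1        # PV grows into the new space
    lvextend -l +100%FREE "$LV" || return 1        # LV takes every free extent in the VG
    $cmd                        || return 1        # filesystem grows online
    df -h "$mnt"
}

if [ "${1:-}" = "--run" ]; then grow; fi
```

After enlarging the disk in vSphere, `DEV=/dev/sde ./grow-lv.sh --run` as root does the four steps in order and stops at the first one that fails, leaving the earlier ones (which are all safe to repeat) in place.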

Auditpol – Windows Filtering Platform – Event ID: 5157

Enough is enough. I'll turn it on when I need it, or when I have infinite resources to manage the logs that Filtering Platform logging generates. In my case I was getting a lot of messages for event ID 5157 ("The Windows Filtering Platform has blocked a connection."). For now, how do you turn this off in Windows Server 2012 R2?

To list all the categories:

C:\>auditpol /list /category
Category/Subcategory
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System

To get a list of any sub-categories for a category:

auditpol /get /category:"Account Logon"
auditpol /get /category:"Account Management"
auditpol /get /category:"Detailed Tracking"
auditpol /get /category:"DS Access"
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"
auditpol /get /category:"Policy Change"
auditpol /get /category:"Privilege Use"
auditpol /get /category:"System"

I have picked on the sub-categories under the “Object Access” category, because that is where the Filtering Platform settings exist. To see the current settings for a sub-category:

auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"
auditpol /get /subcategory:"IPsec Driver"
auditpol /get /subcategory:"IPsec Main Mode"
auditpol /get /subcategory:"IPsec Quick Mode"
auditpol /get /subcategory:"IPsec Extended Mode"

Example:

C:\>auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory Setting
Object Access
Filtering Platform Connection Success and Failure

To disable all audit logging for those sub-categories. If 5157 is the only thing flooding the log, disabling just the failure side of "Filtering Platform Connection" is enough: that is the subcategory 5157 comes from, its success side produces 5156 for allowed connections, and the packet-drop and IPsec subcategories produce different event IDs. Also remember that if audit policy is pushed by Group Policy, a local auditpol change will be overwritten at the next policy refresh:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

C:\>auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory Setting
Object Access
Filtering Platform Connection No Auditing

Or to enable all audit logging for some sub-categories:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

Static NAT/PAT (one-to-one) Cisco ASA 8.2

Outside IP: aaa.bbb.ccc.ddd
Inside IP: www.xxx.yyy.zzz
Port: pppp
Identifier for access-list: NAME

This is a simple one-to-one NAT: all of www.xxx.yyy.zzz is translated to aaa.bbb.ccc.ddd, and the access list then lets only TCP port pppp in from the outside. Tighten the "any" to the real source networks where you can; with a one-to-one static, every port on the inside host is reachable from whatever the ACL permits.

c-asa01(config)# static (inside,outside) aaa.bbb.ccc.ddd www.xxx.yyy.zzz
c-asa01(config)# access-list NAME permit tcp any host aaa.bbb.ccc.ddd eq pppp
c-asa01(config)# access-group NAME in interface outside

Or, if you want a static PAT (one outside port mapped to a possibly different inside port, with nothing else on the inside host exposed):

Outside IP: aaa.bbb.ccc.ddd
Inside IP: www.xxx.yyy.zzz
Outside Port: pppp
Inside Port: qqqq
Identifier for access-list: NAME

c-asa01(config)# static (inside,outside) tcp aaa.bbb.ccc.ddd pppp www.xxx.yyy.zzz qqqq
c-asa01(config)# access-list NAME permit tcp any host aaa.bbb.ccc.ddd eq pppp
c-asa01(config)# access-group NAME in interface outside

Unable to extend a volume in Windows 2003.

Environment: VMware ESXi 5.5.x, Windows 2003 VM, Windows 2012 R2 VM.

I needed to expand the system disk of a Windows 2003 VMware virtual machine. I was able to easily extend the disk using vSphere, and Windows displayed the new size. However, I was unable to extend the filesystem using DISKPART; when I tried, I would receive the following message:
"Diskpart failed to extend the volume. Please make sure the volume is valid for extending."

To get around this, I shut down my Windows 2003 server and added its virtual disk to a Windows 2012 R2 VM. I opened the Disk Management console via Computer Management, brought the newly added disk Online by right-clicking the disk name (on the left) and selecting Online, then right-clicked the logical disk, in my case the C: drive, and selected Extend Volume. Then I took the disk Offline again by right-clicking the disk name and selecting Offline. Next, I removed the disk from my Windows 2012 R2 VM WITHOUT deleting the file from disk.

Then all I had to do was boot my Windows 2003 VM and let chkdsk do its thing.

Exchange Server Saved Rules

Version: Exchange 2010

To list all the rules a mailbox has saved to the Exchange server:

[PS] C:\>Get-InboxRule -Mailbox mailboxname

Reset Internet Explorer settings from command line.

Group policy can block access to the Reset button in Internet Explorer, which seems to need it much more than it should. To get around this and reset the settings back to the defaults:

From a command prompt:

C:\> RunDll32.exe InetCpl.cpl,ResetIEtoDefaults

This will pop up the Reset Internet Explorer Settings window. Click Reset to reset everything except your personal settings. Obviously, you can check the "Delete personal settings" box if you want to delete your personal settings as well.
