{"id":1492,"date":"2017-03-02T18:28:09","date_gmt":"2017-03-03T01:28:09","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=1492"},"modified":"2017-03-03T12:07:40","modified_gmt":"2017-03-03T19:07:40","slug":"centos7-openvas","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=1492","title":{"rendered":"CentOS7 OpenVAS"},"content":{"rendered":"

I decided to give OpenVAS as an alternative to Nessus thinking it would be pretty comparable since it is Nessus fork and the Nessus cost was too much for a small company. I used the following to install it on CentOS7. <\/p>\n

First the requirements. They are not clearly defined on the OpenVAS page for downloading the binary packages, which I did. You need to disable SElinux. I had mine in permissive mode and it caused some problems. The rest was pretty straight forward. This uses the Atomicorp repository.<\/p>\n

To install and perform initial configuration:<\/p>\n

# wget -q -O – http:\/\/www.atomicorp.com\/installers\/atomic |sh
\n# yum upgrade
\n# yum install openvas
\n# openvas-setup<\/p><\/blockquote>\n

To stop, start and check OpenVAS services:<\/p>\n

# systemctl stop openvas-manager
\n# systemctl status openvas-manager
\n# systemctl start openvas-manager
\n# systemctl status openvas-scanner
\n# systemctl stop openvas-scanner
\n# systemctl start openvas-scanner<\/p><\/blockquote>\n

Location of the logs:<\/p>\n

# cd \/var\/log\/openvas\/
\n# tail gsad.log
\n# tail openvassd.log
\n# tail openvasmd.log<\/p><\/blockquote>\n

This is a very useful command to very the status of you installation. It was helpful in determining that I needed to disable SElinux:<\/p>\n

# openvas-check-setup<\/p><\/blockquote>\n

This command rebuilds the database information:<\/p>\n

# openvasmd –rebuild<\/p><\/blockquote>\n

As a result of not having SElinux disabled, I found that the redis (an advanced key-value store) service was not running so the OpenVAS scanner would not work properly after I rebooted. With SElinux disabled, I restarted redis.
\n# systemctl stop redis
\n# systemctl start redis
\n# systemctl status redis<\/p>\n

And then to check the status:<\/p>\n

# openvas-check-setup
\nopenvas-check-setup 2.3.7
\n Test completeness and readiness of OpenVAS-8
\n (add ‘–v6’ or ‘–v7’ or ‘–v9’
\n if you want to check for another OpenVAS version)<\/p>\n

Please report us any non-detected problems and
\n help us to improve this check routine:
\n http:\/\/lists.wald.intevation.org\/mailman\/listinfo\/openvas-discuss<\/p>\n

Send us the log-file (\/tmp\/openvas-check-setup.log) to help analyze the problem.<\/p>\n

Use the parameter –server to skip checks for client tools
\n like GSD and OpenVAS-CLI.<\/p>\n

Step 1: Checking OpenVAS Scanner …
\n OK: OpenVAS Scanner is present in version 5.0.7.
\n OK: OpenVAS Scanner CA Certificate is present as \/var\/lib\/openvas\/CA\/cacert.pem.
\n OK: redis-server is present in version v=3.0.7.
\n OK: scanner (kb_location setting) is configured properly using the redis-server socket: \/tmp\/redis.sock
\n OK: redis-server is running and listening on socket: \/tmp\/redis.sock.
\n OK: redis-server configuration is OK and redis-server is running.
\n OK: NVT collection in \/var\/lib\/openvas\/plugins contains 51943 NVTs.
\n WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
\n SUGGEST: Enable signature checking (see http:\/\/www.openvas.org\/trusted-nvts.html).
\n OK: The NVT cache in \/var\/cache\/openvas contains 51943 files for 51943 NVTs.
\nStep 2: Checking OpenVAS Manager …
\n OK: OpenVAS Manager is present in version 6.0.9.
\n OK: OpenVAS Manager client certificate is present as \/var\/lib\/openvas\/CA\/clientcert.pem.
\n OK: OpenVAS Manager database found in \/var\/lib\/openvas\/mgr\/tasks.db.
\n OK: Access rights for the OpenVAS Manager database are correct.
\n OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
\n OK: OpenVAS Manager database is at revision 146.
\n OK: OpenVAS Manager expects database at revision 146.
\n OK: Database schema is up to date.
\n OK: OpenVAS Manager database contains information about 51943 NVTs.
\n OK: At least one user exists.
\n OK: OpenVAS SCAP database found in \/var\/lib\/openvas\/scap-data\/scap.db.
\n OK: OpenVAS CERT database found in \/var\/lib\/openvas\/cert-data\/cert.db.
\n OK: xsltproc found.
\nStep 3: Checking user configuration …
\n WARNING: Your password policy is empty.
\n SUGGEST: Edit the \/etc\/openvas\/pwpolicy.conf file to set a password policy.
\nStep 4: Checking Greenbone Security Assistant (GSA) …
\n OK: Greenbone Security Assistant is present in version 6.0.11.
\nStep 5: Checking OpenVAS CLI …
\n OK: OpenVAS CLI version 1.4.5.
\nStep 6: Checking Greenbone Security Desktop (GSD) …
\n SKIP: Skipping check for Greenbone Security Desktop.
\nStep 7: Checking if OpenVAS services are up and running …
\n OK: netstat found, extended checks of the OpenVAS services enabled.
\n OK: OpenVAS Scanner is running and listening on all interfaces.
\n OK: OpenVAS Scanner is listening on port 9391, which is the default port.
\n OK: OpenVAS Manager is running and listening on all interfaces.
\n OK: OpenVAS Manager is listening on port 9390, which is the default port.
\n OK: Greenbone Security Assistant is listening on port 80, which is the default port.
\nStep 8: Checking nmap installation …
\n WARNING: Your version of nmap is not fully supported: 6.47
\n SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
\nStep 10: Checking presence of optional tools …
\n OK: pdflatex found.
\n WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
\n SUGGEST: Install required LaTeX packages.
\n OK: ssh-keygen found, LSC credential generation for GNU\/Linux targets is likely to work.
\n OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
\n WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
\n SUGGEST: Install alien.
\n OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
\n OK: SELinux is disabled.<\/p>\n

It seems like your OpenVAS-8 installation is OK.<\/p>\n

If you think it is not OK, please report your observation
\nand help us to improve this check routine:
\nhttp:\/\/lists.wald.intevation.org\/mailman\/listinfo\/openvas-discuss
\nPlease attach the log-file (\/tmp\/openvas-check-setup.log) to help us analyze the problem.<\/p><\/blockquote>\n

To update the rules or tests (Network Vulnerability Tests – NVTs), you can use the following command which is run by the setup when you run it. I believe this is the one that very clearly says that you should at most run this once a day, otherwise they will block you IP address. It looks like they usually updated once a week anyway. If so, you will get something like the following:<\/p>\n

# openvas-nvt-sync
\n[i] This script synchronizes an NVT collection with the ‘OpenVAS NVT Feed’.
\n[i] The ‘OpenVAS NVT Feed’ is provided by ‘The OpenVAS Project’.
\n[i] Online information about this feed: ‘http:\/\/www.openvas.org\/openvas-nvt-feed.html’.
\n[i] NVT dir: \/var\/lib\/openvas\/plugins
\nOpenVAS community feed server – http:\/\/www.openvas.org\/
\nThis service is hosted by Greenbone Networks – http:\/\/www.greenbone.net\/<\/p>\n

All transactions are logged.<\/p>\n

If you have any questions, please use the OpenVAS mailing lists
\nor the OpenVAS IRC chat. See http:\/\/www.openvas.org\/ for details.<\/p>\n

By using this service you agree to our terms and conditions.<\/p>\n

Only one sync per time, otherwise the source ip will be blocked.<\/p>\n

[i] Feed is already current, no synchronization necessary.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

I decided to give OpenVAS as an alternative to Nessus thinking it would be pretty comparable since it is Nessus fork and the Nessus cost was too much for a small company. I used the following to install it on CentOS7. First the requirements. They are not clearly defined on the OpenVAS page for downloading [&hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[40,442,441],"class_list":["post-1492","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-centos","tag-nessus","tag-openvas"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1492"}],"version-history":[{"count":3,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1492\/revisions"}],"predecessor-version":[{"id":1495,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1492\/revisions\/1495"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}