I have built several OpenVAS boxes since the project took off, and every version comes with some interesting ins and outs when getting the packages to build the right way. Recently I was asked by a friend to run a scan on their site, and I decided to build the newest version, OpenVAS 9, on my favorite version of Linux, Debian. The people on the OpenVAS project and working at Greenbone Networks have really outdone themselves with this version. I will save you the rundown, but you can check out the release notes if you'd like.
I started off this project by building a Digital Ocean $20 a month 64-bit Debian Droplet. You may be able to use something smaller, but these specs seem to work from the start and I didn't have any performance issues with the project.
A bit of a warning: there were a bunch of different write-ups on how to deploy OpenVAS 8 on Debian, but the documentation on OpenVAS 9 was lacking. I hope this helps and prevents you from getting as discouraged as I was at times during the deployment.
Once you have your Debian server up and running, go ahead and install the needed packages for the build.
apt-get install build-essential cmake bison flex libpcap-dev pkg-config libglib2.0-dev libgpgme11-dev uuid-dev sqlfairy xmltoman doxygen libssh-dev libksba-dev libldap2-dev libsqlite3-dev libmicrohttpd-dev libxml2-dev libxslt1-dev xsltproc clang rsync rpm nsis alien sqlite3 libhiredis-dev libgcrypt11-dev libgnutls28-dev redis-server texlive-latex-base gnutls-bin
Next I built a directory to store all of the install packages. Also, I don't know why a group of guys that are hosting a security project on a public download site are doing it using an invalid SSL cert, but the "--no-check-certificate" option for wget bypasses it.
mkdir ~/openvas && cd ~/openvas
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2429/greenbone-security-assistant-7.0.2.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2420/openvas-libraries-9.0.1.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2423/openvas-scanner-5.1.1.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2426/openvas-manager-7.0.1.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2397/openvas-cli-1.4.5.tar.gz
Once you have the packages downloaded, uncompress and untar them in the directory they are in.
for filename in *.tar.gz; do
    tar zxf "$filename"
done
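With "--no-check-certificate" the downloads above are not authenticated by TLS, so nothing ties the tarballs to the project before they are compiled and installed as root. The following is an added example, not part of the original write-up: it unpacks the archives only after each one matches a pinned SHA-256. The manifest file and its location are assumptions, and its digests have to come from a source you trust independently, since this page lists none.

```shell
#!/bin/sh
# Added example: unpack nothing until every tarball matches a pinned SHA-256.
# Assumption: MANIFEST holds "<sha256>  <filename>" lines (sha256sum format)
# that you obtained out of band; the page itself lists no digests.

# verify_and_extract MANIFEST DIR -> 0 only if all *.tar.gz in DIR verify.
verify_and_extract() {
    manifest=$1
    dir=$2
    for tarball in "$dir"/*.tar.gz; do
        [ -e "$tarball" ] || { echo "no tarballs in $dir" >&2; return 1; }
        name=$(basename "$tarball")
        # Look the file name up in the manifest ("*name" is binary-mode output).
        want=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' "$manifest")
        if [ -z "$want" ]; then
            echo "REFUSE $name: not listed in manifest" >&2
            return 1
        fi
        got=$(sha256sum "$tarball" | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "REFUSE $name: SHA-256 mismatch" >&2
            return 1
        fi
        echo "OK     $name"
    done
    # Second pass: extract only after the whole set has passed.
    for tarball in "$dir"/*.tar.gz; do
        tar zxf "$tarball" -C "$dir" || return 1
    done
}

# Stand-alone use: ./verify.sh SHA256SUMS ~/openvas
if [ "$#" -eq 2 ]; then
    verify_and_extract "$1" "$2"
fi
```

A tarball that is missing from the manifest is refused as well, so an extra archive dropped into the directory does not get unpacked.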
That should give you 5 new directories, one for each package. Now let's get to building OpenVAS 9. The next part of this is going to be pretty repetitive and boring, but just follow along and we will get there.
cd openvas-libraries-9.0.1
cmake .
make
make doc
make install
cd ../openvas-manager-7.0.1
cmake .
make
make doc
make install
cd ../openvas-scanner-5.1.1
cmake .
make
make doc
make install
cd ../openvas-cli-1.4.5
cmake .
make
make doc
make install
cd ../greenbone-security-assistant-7.0.2
cmake .
make
make doc
make install
Once you get all of those packages built on your system you should be ready to start down the path of configuring OpenVAS. Lucky for us, those working on the OpenVAS project built a handy script you can use to tell you where you are in the setup process. You can pull that script down and give it a run using this command.
cd ~ && wget --no-check-certificate https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup && chmod +x openvas-check-setup && sudo ./openvas-check-setup --v9
This should start dumping out information on your build. The first issue I ran up against was openvas not having /usr/local/lib in its search path, and it presented me with this issue.
Step 1: Checking OpenVAS Scanner ...
ERROR: No OpenVAS Scanner (openvassd) found.
FIX: Please install OpenVAS Scanner.
When trying to run the scanner you may be met with this issue.
[email protected]:~# openvassd
openvassd: error while loading shared libraries: libopenvas_nasl.so.9: cannot open shared object file: No such file or directory
You can verify this issue by running "LD_LIBRARY_PATH=/usr/local/lib openvassd --help". If this gives you the scanner's help information, you have a pathing issue. Fix it by doing the following.
echo "/usr/local/lib" > /etc/ld.so.conf.d/openvas.conf
ldconfig
Once this has run you should be able to start the scanner just by using the "openvassd" command. At this point, if you run the openvas-check-setup script you are just going to get an error about your Redis server not running. Edit your /etc/redis/redis.conf file and remove the comments in front of these two lines.
unixsocket /tmp/redis.sock
unixsocketperm 700
Then start your redis server and set it to start at boot time.
systemctl start redis-server
systemctl enable redis-server
Now when running the check setup script we will notice our NVT signatures aren’t up to date on the scanner.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=2.8.17.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
ERROR: The NVT collection is very small.
FIX: Run a synchronization script like greenbone-nvt-sync.
Let's run the "greenbone-nvt-sync" command and let the server update all of its signatures. This will download a bunch of NVTs and produce a ton of sprawl on the screen. While we are at it, let's just update the scapdata and certdata as well for those databases. This is going to take a while, so start it in tmux if you would like and grab a cup of coffee.
greenbone-nvt-sync
greenbone-scapdata-sync
greenbone-certdata-sync
Once it's done you can run the check setup script again (notice a pattern here?). All of your OpenVAS scanner issues should be handled, and the next output you get will tell you to rebuild the OpenVAS Manager's database using 'openvasmd --rebuild'. I recommend running 'openvasmd --rebuild --progress' to keep you from losing your mind while wondering if it's actually working.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=2.8.17.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 53561 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
WARNING: The initial NVT cache has not yet been generated.
SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.1.
ERROR: No OpenVAS Manager database found. (Tried: /usr/local/var/lib/openvas/mgr/tasks.db)
FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.
WARNING: OpenVAS Scanner is NOT running!
SUGGEST: Start OpenVAS Scanner (openvassd).
Here is where you run..
openvasmd --rebuild --progress
Once that has completed you need to add an initial admin user to access the system. The second command with the --new-password option will give you a long UUID for a password. COPY IT DOWN, it is how you will access the server!
openvasmd --create-user=adminuser --role=Admin
openvasmd --user=adminuser --new-password=1
Now OpenVAS Check Setup will ask you to generate a cert with their certificate utility.
Once this is done you can start the Greenbone Security Assistant and OpenVAS Security Manager.
And you should now be able to hit your server at https://SERVERSIP/login/login.html
Log in as "adminuser" plus the UUID I told you to copy above and you should be off and running.
A couple of extra packages will be needed for the day-to-day running of reports and scanning. You can load nmap plus some of the LaTeX packages for generating PDF reports of the scans. Here is the apt-get string I used for the rest of the dependencies.
apt-get install texlive-base texlive-extra-utils texlive-fonts-extra texlive-lang-english texlive-math-extra texlive-latex-base texlive-latex-extra texlive-latex-recommended nmap
Your setup script may complain about nmap's version number, but this isn't a big deal and I haven't noticed any issues with running the default nmap in the Debian repos. Once that is done your setup script should look something like this.
[email protected]:~# ./openvas-check-setup --v9
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9
Please report us any non-detected problems and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=2.8.17.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 53561 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /usr/local/var/cache/openvas contains 53561 files for 53561 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.1.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 184.
OK: OpenVAS Manager expects database at revision 184.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 53559 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 7.0.2.
OK: Your OpenVAS certificate infrastructure passed validation.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on a Unix domain socket.
OK: OpenVAS Manager is running and listening on a Unix domain socket.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
WARNING: Your version of nmap is not fully supported: 6.47
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
It seems like your OpenVAS-9 installation is OK.
Enjoy. A couple of last notices: if you reboot the server you will have to manually restart the scanner, manager, and Greenbone Security Assistant. You may also want to set up a cron job to update your signatures every once in a while. Do not be too aggressive with this, as Greenbone provides this as a free service and doesn't need the world using up their resources over and over again.
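One way to set up that cron job, as an added example that is not part of the original write-up: a wrapper that runs the three sync commands from this page once a week, with a lock so runs never overlap and a random delay so installations do not all hit the feed at the same minute. The script path, lock path, jitter window and schedule are assumptions.

```shell
#!/bin/sh
# Added example: weekly feed update wrapper for cron.
# Assumptions: script path, lock path, jitter window and schedule are
# illustrative. Suggested crontab entry (Sundays, 03:00):
#   0 3 * * 0 /usr/local/sbin/openvas-feed-sync.sh --run

LOCKDIR=${LOCKDIR:-/run/lock/openvas-feed-sync.lock}
MAX_JITTER=${MAX_JITTER:-1800}   # seconds; spreads load on the feed servers

# run_feed_sync -> 0 all feeds synced, 1 a sync failed, 2 already running.
run_feed_sync() {
    # mkdir is atomic, so overlapping runs cannot both fetch the feed.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "feed sync already running (lock: $LOCKDIR)" >&2
        return 2
    fi
    rc=0
    # Same order as the manual run on this page; stop at the first failure
    # rather than retrying against the feed servers.
    for cmd in greenbone-nvt-sync greenbone-scapdata-sync greenbone-certdata-sync; do
        if ! "$cmd"; then
            echo "$cmd failed, skipping remaining feeds" >&2
            rc=1
            break
        fi
    done
    rmdir "$LOCKDIR"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    # Random delay so that many installations do not all connect at 03:00.
    sleep "$(awk -v m="$MAX_JITTER" 'BEGIN { srand(); print int(rand() * m) }')"
    run_feed_sync
fi
```

If a run is killed part-way, the lock directory stays behind and has to be removed by hand before the next scheduled run will proceed.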
Take care and happy scanning.