greenbone-security-assistant (UI for OpenVAS) This is the UI the Open Vulnerability Assessment System (OpenVAS). ###### Known Problems ###### - PDF report generation is broken. This may get fixed in a future slackbuild. - The libssh-0.5.4 shipped with Slackware (at the time of this writing) is broken. If you need to run "credentialed" scans against targets running OpenSSH 6.7 or beyond (including Slackware), you have 2 options: 1. Enable diffie-hellman-group1-sha1 as a KexAlgorithm in the sshd_config of your targets. 2. Update your libssh to the latest. You also may have problems with targets running Dropbear SSH server. See this thread on LinuxQuestions for more information: http://www.linuxquestions.org/questions/showthread.php?t=4175533193 - All the daemons run as root. There's no (working) configuration options or documentation to change this behavior. - There are a number of tests that depend on other software packages that are not available as slackbuilds at this time. Stay tuned. ###### Installation Instructions ###### These instructions assume you're familiar with slackbuilds. If not, please refer to http://slackbuilds.org/howto/ . 1. Build and install openvas-libraries. 2. Build and install openvas-scanner. 3. You need a Certificate Authority and server certificate. Run the following command: # openvas-mkcert 4. You need the NVT's (Network Vulnerability Tests). Run the following command to sync. In the future, you can do this through the greenbone-security-assistant interface. This will take a minute or so with a blazing fast internet connection. YMMV. # openvas-nvt-sync 5. Start the openvas-scanner daemon. # /etc/rc.d/rc.openvassd start 6. Build and install openvas-manager. 7. You need client certificates for manager to talk to scanner. Use the following command. # openvas-mkcert-client -n -i 8. Initialize the manager database. This will take a while, so be patient. # openvasmd --rebuild 9. [Optional] If you want encrypted credentials in the DB, do this now. # openvasmd --create-credentials-encryption-key This may take a while, so it's best to create some entropy by skipping to #11-#13 and then coming back, if needed. 10. Create a user. # openvasmd --create-user=cary If you find the assigned password hard to remember, you can change it right now. # openvasmd --user=cary --new-password=mekmitasdigoat 11. Sync SCAP data. This will take some time. # openvas-scapdata-sync 12. Sync CERT data. # openvas-certdata-sync 13. Update port names. # wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml # openvas-portnames-update service-names-port-numbers.xml # rm service-names-port-numbers.xml 14. Start the openvas-manager daemon. # /etc/rc.d/rc.openvasmd start 15. Build and install libmicrohttpd. 16. Build and install greenbone-security-assistant. 17. Launch the greenbone-security-assistant. # /etc/rc.d/rc.gsad start 18. Point your browser at https://:9392 You'll get a certificate error, of course (fixing this is left as an excercise for the reader). Log in with your username/password from #10. 19. [Optional] Build and install openvas-cli. You'll need this if you ever want to script tests. That's it! If you run into any problems, you can try running the openvas-check-setup script found here: https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup If you don't have a web-server running, you can edit the /etc/rc.d/rc.gsad script to remove the "-p 9392" option, and it will run on port 443. Please let me know if you run into any problems. Patches welcome! Have Fun! Kent Fritz mailto:fritz.kent@gmail.com