greenbone-security-assistant (UI for OpenVAS)
This is the UI for the Open Vulnerability Assessment System (OpenVAS).
###### Known Problems ######
- PDF report generation is broken. This may get fixed in a future slackbuild.
- The libssh-0.5.4 shipped with Slackware (at the time of this writing) is
  broken. If you need to run "credentialed" scans against targets running
  OpenSSH 6.7 or beyond (including Slackware), you have 2 options:
    1. Enable diffie-hellman-group1-sha1 as a KexAlgorithm in the sshd_config
       of your targets.
    2. Update your libssh to the latest.
  You also may have problems with targets running Dropbear SSH server. See
  this thread on LinuxQuestions for more information:
  http://www.linuxquestions.org/questions/showthread.php?t=4175533193
- All the daemons run as root. There are no (working) configuration options
  or documentation to change this behavior.
- There are a number of tests that depend on other software packages that are
  not available as slackbuilds at this time. Stay tuned.
- If you're running in a VM environment, or on a headless server, then
  installing haveged is recommended, particularly for step 11 below.
###### Upgrade Notes ######
If you're updating from OpenVAS-7 to OpenVAS-8, please note the following.
(See: http://www.openvas.org/install-source.html if you're unsure which
version you're running.)
OpenVAS now uses redis as a temporary database while running scans. You will
need redis installed and running, as well as hiredis. See step 2 below on
how to configure redis.
Before running openvas-manager, you'll need to migrate the database. Simply
run:
    # openvasmd --migrate
###### Installation Instructions ######
These instructions assume you're familiar with slackbuilds. If not, please
refer to http://slackbuilds.org/howto/ .
1. Build and install hiredis.
2. Build and install redis. You need to uncomment the following 2 lines in the
   /etc/redis/redis.conf file:
       #unixsocket /tmp/redis.sock
       #unixsocketperm 700
   Now start up redis:
       # sh /etc/rc.d/rc.redis start
3. Build and install openvas-libraries.
4. Build and install openvas-scanner.
5. You need a Certificate Authority and server certificate. Run the following
   command:
       # openvas-mkcert
6. You need the NVTs (Network Vulnerability Tests). Run the following
   command to sync. In the future, you can do this through the
   greenbone-security-assistant interface. This will take a minute or so
   with a blazing fast internet connection. YMMV.
       # openvas-nvt-sync
7. Start the openvas-scanner daemon.
       # sh /etc/rc.d/rc.openvassd start
8. Build and install openvas-manager.
9. You need client certificates for manager to talk to scanner. Use the
   following command.
       # openvas-mkcert-client -n -i
10. Initialize the manager database. This will take a while, so be patient.
       # openvasmd --rebuild
11. You want encrypted credentials in the DB, so do this now.
       # openvasmd --create-credentials-encryption-key
    This may take a while, so it's best to create some entropy by skipping to
    #13-#15 and then coming back, if needed.
12. Create a user.
       # openvasmd --create-user=cary
    If you find the assigned password hard to remember, you can change it
    right now.
       # openvasmd --user=cary --new-password=mekmitasdigoat
13. Sync SCAP data. This will take some time.
       # openvas-scapdata-sync
14. Sync CERT data.
       # openvas-certdata-sync
15. Update port names.
       # wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
       # openvas-portnames-update service-names-port-numbers.xml
       # rm service-names-port-numbers.xml
16. Start the openvas-manager daemon.
       # sh /etc/rc.d/rc.openvasmd start
17. Build and install libmicrohttpd.
18. Build and install greenbone-security-assistant.
19. Launch the greenbone-security-assistant.
       # sh /etc/rc.d/rc.gsad start
20. Point your browser at https://<YOUR IP OR HOSTNAME>:9392
    You'll get a certificate error, of course (fixing this is left as an
    exercise for the reader). Log in with your username/password from #10.
21. [Optional] Build and install openvas-cli. You'll need this if you ever
    want to script tests.
That's it! If you run into any problems, you can try running the
openvas-check-setup script found here:
https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup
If you don't have a web-server running, you can edit the /etc/rc.d/rc.gsad
script to remove the "-p 9392" option, and it will run on port 443.
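A preflight check for step 2 above, as an added example that is not part of
the original README: it confirms that both redis.conf lines are really
uncommented and that unixsocketperm keeps the socket owner-only. The function
names are hypothetical, and it assumes a later duplicate directive overrides
an earlier one.

```shell
#!/bin/sh
# Added example (not from the slackbuild): verify the redis.conf edits of step 2.

# Print the value of the last active occurrence of a directive.
# A commented-out line ("#unixsocket ...") never has the bare name as its
# first field, so it is ignored. Assumption: a later duplicate line wins.
redis_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Return 0 when the unix socket is enabled and restricted to its owner, else 1.
check_redis_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi
    sock=$(redis_directive "$conf" unixsocket)
    perm=$(redis_directive "$conf" unixsocketperm)

    if [ -z "$sock" ]; then
        echo "FAIL: unixsocket is still commented out or missing"
        rc=1
    else
        echo "ok:   unixsocket $sock"
    fi

    case "$perm" in
        "") echo "FAIL: unixsocketperm is still commented out or missing"; rc=1 ;;
        [0-7]00|0[0-7]00) echo "ok:   unixsocketperm $perm" ;;
        *)  echo "FAIL: unixsocketperm $perm lets group/other reach the socket"; rc=1 ;;
    esac
    return $rc
}

# With a file argument, check it; otherwise run on a constructed sample that
# mimics the stock file before step 2 has been applied.
if [ $# -gt 0 ]; then
    check_redis_conf "$1"
else
    sample=$(mktemp)
    printf '%s\n' '#unixsocket /tmp/redis.sock' '#unixsocketperm 700' > "$sample"
    check_redis_conf "$sample" || echo "(constructed sample: step 2 not applied)"
    rm -f "$sample"
fi
```

Run it as root with /etc/redis/redis.conf as the argument before starting rc.redis.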
Please let me know if you run into any problems. Patches welcome!
Have Fun!
Kent Fritz
mailto:fritz.kent@gmail.com