openvas 配置更新

配置最快源

本次环境为ubuntu 14.04 32bit 本次实验用的是mirrors.163.com

sudo vim /etc/apt/sources.list

用全部替换命令替换原有的网址

%s/mirrors.163.com/mirror.ubuntu.org/g

替换后更新下

apt-get update

安装openvas

下面全部摘抄自：这里

root模式配置安装源

echo "deb http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v6/Debian_7.0/ ./" >> /etc/apt/sources.list
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v6/Debian_7.0/Release.key apt-key add ./Release.key
sudo apt-get update

快速安装openvas

apt-get -y install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc rsync
apt-get -y install texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc
apt-get -y install alien rpm nsis fakeroot

快速启动openvas

test -e /var/lib/openvas/CA/cacert.pem  || openvas-mkcert -q
openvas-nvt-sync
test -e /var/lib/openvas/users/om || openvas-mkcert-client -n om -i
/etc/init.d/openvas-manager stop
/etc/init.d/openvas-scanner stop
openvassd
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync

下面是设置openvas密码的，记得输入密码

test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin

killall openvassd
sleep 15
/etc/init.d/openvas-scanner start
/etc/init.d/openvas-manager start
/etc/init.d/openvas-administrator restart
/etc/init.d/greenbone-security-assistant restart

更新漏洞库

参照这里

支持在线以及离线更新两种模式，可根据实际情况选择，建议使用定时任务在线更新。

在线更新

使用如下命令，增量更新：

openvas-nvt-sync

该命令支持rsync，wget，curl

离线更新

只需定期下载漏洞库压缩包解压覆盖到如下目录：

/var/lib/openvas/plugins/

压缩包地址（约14.6Mb）：http://www.openvas.org/openvas-nvt-feed-current.tar.bz2

商业支持

1、opevas培训

2、openvas框架开发

3、openvas NVT漏洞库开发

4、基于openvas的扫描设备：特殊定制设备，可以在10分钟完成500~5000个ip扫描，具体可以参见：这里

其他设置

添加Slave

配置端口监听IP（old）

'注意下面设置已经被新设置替换，注意下一条New 按照以上步骤，安装一台openvas机器，需要注意的是，openvas默认是监听127.0.0.1的端口，如下所示：

/usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=127.0.0.1 --port=9390 --slisten=127.0.0.1 --sport=9391
/usr/sbin/openvasad --listen=127.0.0.1 --port=9393 --users-dir=/var/lib/openvas/users --scanner-config-file=/etc/openvas/openvassd.conf --sync-script=/usr/sbin/openvas-nvt-sync
/usr/sbin/gsad --listen=127.0.0.1 --port=9392 --alisten=0.0.0.0 --aport=9393 --mlisten=127.0.0.1 --mport=9390

可以通过kill掉原有进程，然后将上述监听IP改成0.0.0.0即可（测试环境，生产环境可设置对应的监听ip）如下所示：

openvassd
/usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=0.0.0.0 --port=9390 --slisten=0.0.0.0 --sport=9391
/usr/sbin/openvasad --listen=0.0.0.0 --port=9393 --users-dir=/var/lib/openvas/users --scanner-config-file=/etc/openvas/openvassd.conf --sync-script=/usr/sbin/openvas-nvt-sync
/usr/sbin/gsad --listen=0.0.0.0 --port=9392 --alisten=0.0.0.0 --aport=9393 --mlisten=0.0.0.0 --mport=9390

也可以通过编辑其服务文件中listen项为固定值，例如：

[ "$DATABASE_FILE" ]   && DAEMONOPTS="--database="$DATABASE_FILE
[ "$MANAGER_ADDRESS" ] && DAEMONOPTS="$DAEMONOPTS --listen=$MANAGER_ADDRESS"
[ "$MANAGER_PORT" ]    && DAEMONOPTS="$DAEMONOPTS --port=$MANAGER_PORT"
[ "$SCANNER_ADDRESS" ] && DAEMONOPTS="$DAEMONOPTS --slisten=$SCANNER_ADDRESS"
[ "$SCANNER_PORT" ]    && DAEMONOPTS="$DAEMONOPTS --sport=$SCANNER_PORT"

配置端口监听IP（new）

通过查找发现这里有详细说明，原来openvass的默认配置文件位于/etc/default下面：

openvas-administrator  openvas-manager  openvas-scanner  greenbone-security-assistant

共四个文件，描述如下：

/etc/default/openvas-administrator //管理员：负责管理配置信息，用户授权等相关工作，默认监听地址为127.0.0.1，端口为9393

/etc/default/openvas-manager //管理器：与接口通信，分配扫描任务，并根据扫描结果生成评估报告，默认端口为9390

/etc/default/openvas-scanner //扫描器：调用各种漏洞测试插件，执行分配的扫描操作，默认端口为9391

/etc/default/greenbone-security-assistant //访问web 端接口(gsad):访问opebvas 服务层的web 接口，默认监听地址为127.0.0.1，端口为9392

下面是各个文件的具体内容，只需要把127.0.0.1改成需要的ip即可，允许所有就使用0.0.0.0

root@ubuntu:/etc/default# grep -v "^#" openvas-manager
DATABASE_FILE=/var/lib/openvas/mgr/tasks.db
MANAGER_ADDRESS=127.0.0.1
MANAGER_PORT=9390
SCANNER_ADDRESS=127.0.0.1
SCANNER_PORT=9391

root@ubuntu:/etc/default# grep -v "^#" openvas-administrator
ADMINISTRATOR_ADDRESS=127.0.0.1
ADMINISTRATOR_PORT=9393
USER_DATA=/var/lib/openvas/users
SCANNER_CONFIG=/etc/openvas/openvassd.conf
SYNC_SCRIPT=/usr/sbin/openvas-nvt-sync

root@ubuntu:/etc/default# grep -v "^#" openvas-scanner
SCANNER_ADDRESS=127.0.0.1
SCANNER_PORT=9391

root@ubuntu:/etc/default# grep -v "^#" greenbone-security-assistant
GSA_ADDRESS=127.0.0.1
GSA_PORT=9392
ADMINISTRATOR_ADDRESS=127.0.0.1
ADMINISTRATOR_PORT=9393
MANAGER_ADDRESS=127.0.0.1
MANAGER_PORT=9390

登录web控制台添加slave

访问主服务器https://masterip:9392，登录后打开Configuration--Slaves项，然点击“五角星”标志进入添加界面，输入slave的IP、端口、账户、密码即可添加成功

具体可以参见：这里

配置slave扫描任务

Scan Management项中选择New Task，然后再Slave中选中需要的slave主机即可。

扫描结果

slave在扫描完成后，不保存扫描结果，而是在主服务器上查看。每个扫描有一个单独的扫描报告。

配置告警

在Configuration中的Alerts配置邮件等方式告警

配置定时扫描

在Configuration中的Schedules配置定时扫描任务

查看openvassd.conf配置文件

root@ubuntu:/home/aj# openvassd -s
plugins_folder = /var/lib/openvas/plugins
cache_folder = /var/cache/openvas
include_folders = /var/lib/openvas/plugins
max_hosts = 30
max_checks = 10
be_nice = no
logfile = /var/log/openvas/openvassd.messages
log_whole_attack = no
log_plugins_name_at_load = no
dumpfile = /var/log/openvas/openvassd.dump
rules = /usr/share/openvas/openvassd.rules
cgi_path = /cgi-bin:/scripts
port_range = default
optimize_test = yes
checks_read_timeout = 5
network_scan = no
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = yes
auto_enable_dependencies = yes
silent_dependencies = no
use_mac_addr = no
save_knowledge_base = no
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
slice_network_addresses = no
nasl_no_signature_check = yes
drop_privileges = no
unscanned_closed = yes
vhosts =
vhosts_ip =
report_host_details = yes
cert_file = /var/lib/openvas/CA/servercert.pem
key_file = /var/lib/openvas/private/CA/serverkey.pem
ca_file = /var/lib/openvas/CA/cacert.pem
reverse_lookup = no
config_file = /etc/openvas/openvassd.conf

常见问题

在这里将遇到的相关问题记录，解决方法并未确认是非常准确的。

Openvas Service Temporarily Down(503)

参见这里 503 - Service temporarily down

openvas-mkcert-client -n om -i
openvas-nvt-sync --wget
/etc/init.d/openvas-scanner stop; /etc/init.d/openvas-manager stop;
openvassd
rm /var/lib/openvas/mgr/tasks.db
openvasmd --progress --rebuild -v

SecInfo Database Missing

打开SecInfo栏，下面所有NVTs、CVEs均显示数据库丢失，如下所示：

SecInfo Management---CVEs
Warning: SecInfo Database Missing
SCAP and/or CERT database missing on OMP server.

通过官方邮件列表找到解决方法，首先下载三个文件，放到/usr/share/openvas/cert/目录下面：

sudo wget https://scm.wald.intevation.org/svn/openvas/trunk/openvas-manager/tools/cert_db_init.sql --no-check-certificate
sudo wget https://scm.wald.intevation.org/svn/openvas/trunk/openvas-manager/tools/dfn_cert_getbyname.xsl --no-check-certificate
sudo wget https://scm.wald.intevation.org/svn/openvas/trunk/openvas-manager/tools/dfn_cert_update.xsl --no-check-certificate

然后用root账户运行下面命令：

openvas-certdata-sync

更新后重启openvas-scanner服务

/etc/init.d/openvas-scannerrestart

发送邮件失败

检测openvas服务器是否安装sendmail，如未安装，请按照sendmail配置即可

附件大于1M无法发送

配置扫描完成后，自动发送pdf格式扫描报告到邮箱，若扫描报告超过1MB，则提示如下：

Note: The report exceeds the maximum attachment length of 1048576 bytes.

开始判断是sendmail问题，通过调整sendmail附件大小，问题依旧，通过grep搜索关键字，在/usr/sbin/openvasmd中搜索到相应关键字：

... (report truncated after 20000 characters)
^@Note: This report exceeds the maximum length of ^@^@^@^@^@^@^@^@Note: The report exceeds the maximum attachment length of ^@^@^@^@^@^@--=-=-=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Disposition: inline

无具体大小修改，于是下载openvas-manager源码包，解压，查找10048576值

wget http://wald.intevation.org/frs/download.php/1795/openvas-manager-5.0.5.tar.gz tar zxvf openvas-manager-5.0.5.tar.gz
cd openvas-manager-5.0.5
grep -nr 1048576 *

然后在manage_sql.c的7661行找到最大附件值：

src/manage_sql.c:7661:#define MAX_ATTACH_LENGTH 1048576

打开查看上下文，确定是邮件附件限制参数，修改1048576增加两个零，如下：

7658 /**
7659  * @brief Default max number of bytes of reports attached to email alerts.
7660  */
7661 #define MAX_ATTACH_LENGTH 104857600
7662
7663 /**
7664  * @brief Maximum number of bytes of reports attached to email alerts.
7665  *
7666  * A value less or equal to 0 allows any size.
7667  */
7668 static int max_attach_length = MAX_ATTACH_LENGTH;

然后重新编译openvas-manager即可解决问题

附编译安装openvas-manager

编译安装openvas-libraries

apt-get install pkg-config libssh-dev libgnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev librarian-dev
wget http://wald.intevation.org/frs/download.php/1787/openvas-libraries-7.0.5.tar.gz tar zxvf openvas-libraries-7.0.5.tar.gz
cd openvas-libraries-7.0.5
mkdir build
cd build
export PKG_CONFIG_PATH=/usr/local/openvas/lib/pkgconfig:$PKG_CONFIG_PATH
export CFGLAGS='-L/usr/local/openvas/lib -I/usr/local/openvas/include'
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/openvas -DCMAKE_INSTALL_RPATH=/usr/local/openvas/lib ..
make
make install

编译安装openvas-manager

wget http://wald.intevation.org/frs/download.php/1795/openvas-manager-5.0.5.tar.gz tar zxvf openvas-manager-5.0.5.tar.gz
cd openvas-manager-5.0.5
mkdir build
cd build
export CC='gcc -Wl,-rpath,/usr/local/openvas/lib64 -Wl,-rpath,/usr/local/openvas/lib'
export PKG_CONFIG_PATH=/usr/local/openvas/lib/pkgconfig:/usr/local/openvas/lib64/pkgconfig
export CFLAGS="-I/usr/local/openvas/include"
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/openvas -DCMAKE_INSTALL_RPATH=/usr/local/openvas/lib ..
make
make install

运行omp失败

root@eqx-sec-1:~# omp
Failed to setlocale

通过配置locale解决：

locale-gen en_US en_US.UTF-8 zh_CN.UTF-8
dpkg-reconfigure locales

omp命令

创建一个扫描目标：

aj@aj:~$ omp -u admin -w ajcheng --xml='
<create_target>
<name>Test</name>
<hosts>192.168.110.09</hosts>
</create_target>
'
<create_target_response id="947faab6-bc83-44f7-927a-aa78ada3c446" status_text="OK, resource created" status="201"></create_target_response>

创建一个扫描任务： 获取扫描策略ID

aj@aj:~$ omp -u admin -w ajcheng -g
085569ce-73ed-11df-83c3-002264764cea  empty
daba56c8-73ec-11df-a475-002264764cea  Full and fast
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate

获取扫描目标ID（创建时候返回ID）

947faab6-bc83-44f7-927a-aa78ada3c446

创建扫描任务

aj@aj:~$ omp -u admin -w ajcheng --xml='
<create_task>
>    <name>Scan Test</name>
>    <comment>Hourly scan of Test</comment>
>    <config id="daba56c8-73ec-11df-a475-002264764cea"/>
>    <target id="947faab6-bc83-44f7-927a-aa78ada3c446"/>
>  </create_task>
> '
<create_task_response id="e013ce8b-e822-4d9a-b784-a33f56874b1c" status_text="OK, resource created" status="201"></create_task_response>

创建一个定时扫描任务：

aj@aj:~$ omp -u admin -w ajcheng --xml='
<create_schedule>
>    <name>Every night</name>
>    <first_time>
>      <day_of_month>9</day_of_month>
>      <hour>22</hour>
>      <minute>0</minute>
>      <month>12</month>
>      <year>2014</year>
>    </first_time>
>    <duration>
>      3
>      <unit>hour</unit>
>    </duration>
>    <period>
>      1
>      <unit>day</unit>
>    </period>
>  </create_schedule>
> '
<create_schedule_response id="9d85be5b-e621-41ba-a003-b974c33f0726" status_text="OK, resource created" status="201"></create_schedule_response>

开启一个扫描任务

<start_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>

获取Report

omp -u admin -w openvas@vobile --xml='<get_reports report_id="60a7e37b-fd8b-462d-9cb1-8250ed59e79b"  format_id="c402cc3e-b531-11e1-9163-406186ea4fc5"/>' |tee ip.log