This is a walkthough for installing and configuring OpenVAS (GVM) on CentOS 7. OpenVAS (Open Vulnerability Assessment System) is an opensource vulnerability scanner.
Brief History
OpenVAS forked from Nessus when Tenable took the previously opensource product to closed source back in 2005. That’s worth mentioning primarily because on a side note, I’ve used Nessus for many years and I remember when it was forked. Since then, Nessus became one of the leaders in the vulnerability scanning space and a fairly polished. Nessus generates nice reports and it is/was a great product for a decent price. However, in the last few years the price has really started to creep IMO. Tenable then announced they were pulling API access to Nessus Professional, which happens to be something I use quite extensively. As a result, I was left searching for alternatives. Admittedly, I tried OpenVAS years ago, but it was a bit of a mess to setup and I wasn’t exactly enamored with the interface. I’d heard good things recently so I figured I would give it another shot.Changelog
10June2018 – Originally posted
11June2018 – Added ‘Configuring PDF Reports’ section
22Oct2018 – Added ‘Automatic Feed Updates With Cron’ section
30Nov2018 – Added net-tools to yum install command
11Mar2019 – Added alternate URLs for Atomicorp (reader feedback)
21Mar2019 – Added temp fix for “Report outdated Scan Engine / Environment (local)”
20Apr2019 – Rewrite for new GVM 10 version
Installing CentOS 7
So first things first, I prefer to start with a minimal install of CentOS. The install takes less time, the filesystem takes up less space, and I despise updating packages I never use! Download the latest version of CentOS 7 and go through the standard install. If you are installing OpenVAS (GVM) virtually, I would recommend at least 2 CPUs, 3GB of memory, and 30GB of hard drive (this depends on number of scans and how much data you will retain).Configuring CentOS
OpenVAS (GVM) will complain if you leave SELinux enabled so disable it using the following command.sed -i 's/=enforcing/=disabled/' /etc/selinux/config
Open the necessary port for OpenVAS web interface right away as well.
firewall-cmd --zone=public --add-port=9392/tcp --permanent firewall-cmd --reload
As a best practice, once you have install CentOS (or any OS for that matter), you need to do updates. You can update CentOS by using ‘yum -y update’ and then reboot. We need to reboot for the SELinux changes to take effect anyway.
yum -y update && reboot
Once the system comes back up, install the wget package and then install/configure the repository from Atomic Corp. You can use the default answers when adding keys for the Atomic Corp repository. We’ll also install ‘net-tools’ specifically for the ‘netstat’ command. Adding the package here clears up some later errors when testing the setup.
yum -y install wget net-tools wget -q -O - https://updates.atomicorp.com/installers/atomic | shNote: If you have issues with ‘updates’ in the wget URL above, other readers have stated using either ‘www’ or ‘www6’ works instead. For example,
wget -q -O – https://www.atomicorp.com/installers/atomic | sh
wget -q -O – https://www6.atomicorp.com/installers/atomic | sh
Installing/Configuring OpenVAS (GVM)
Next, install OpenVAS (GVM) and related dependencies. This will install over 300MB of dependencies so be patient.yum -y install greenbone-vulnerability-managerIf you try to install ‘openvas’ instead of ‘greenbone-vulnerability-manager’ in the command above you will simply receive a message that ‘Package openvas is obsoleted by greenbone-vulnerability-manager, trying to install greenbone-vulnerability-manager-10.0.0-6947.el7.art.noarch’ instead.
When yum completes, use the ‘sed’ command below to uncomment the following 2 unixsocket-related lines in the /etc/redis.conf file. I would recommend copying/pasting that little bit of command line kung fu to make sure you don’t miss any spaces or quotation marks.
# unixsocket /tmp/redis.sock
# unixsocketperm 700
sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf
Now, we need to enable the redis service so it starts after future reboots. We’ll also start/restart the service.
systemctl enable redis && systemctl restart redis
Run ‘openvas-setup’ and accept rsync as your default. This command may seem out of place, but for some reason the developers decided not to rename it. At any rate, this can take a while so be patient. It is downloading GBs worth of data. In addition, after the feeds are downloaded, there are times where you think the installer is hung… It’s not! Just be patient and grab a soda or coffee! While I didn’t have any issues with the downloads, others have reported their rsync process stops during setup. If this happens, just run openvas-setup again. Also, just a reminder that rsync uses TCP port 873 so you may have to allow it outbound in your egress firewall rules and/or configure it to work with your proxy server.
openvas-setup -- Output -- Openvas Setup, Version: 4.01 Step 1: Update NVT, CERT, and SCAP data Please note this step could take some time. Once completed, this will be updated automatically every 24 hours Select download method * wget (NVT download only) * curl (NVT download only) * rsync Note: If rsync requires a proxy, you should define that before this step. Downloader [Default: rsync]Note: If you get the error below when running openvas-setup, go back to the very first ‘sed’ command in this tutorial to disable SELinux. Don’t forget to reboot when you’re done.
Openvas Setup, Version: 4.01 Error: Selinux is set to (Enforcing) selinux must be disabled in order to use openvas exiting....
Once openvas-setup completes and some keys are generated, you’ll receive the following prompt(s). When asked if you want to “Allow connections from any IP?” you can accept the default of ‘yes’ by simply pressing enter assuming you want to access the web interface from any IP address. You can change your username (I stayed with ‘admin’) and type in the password (twice) that you want to use to access the web interface.
-- Output -- Step 2: Configure GSAD The Greenbone Security Assistant is a Web Based front end for managing scans. By default it is configured to only allow connections from localhost. Allow connections from any IP? [Default: yes] Redirecting to /bin/systemctl restart gsad.service Step 3: Choose the GSAD admin users password. The admin user is used to configure accounts, Update NVT's manually, and manage roles. Enter administrator username [Default: admin] : Enter Administrator Password: Verify Administrator Password:
The system will build/rebuild the NVT cache. This step can also take a bit of time so be patient. Rebuilding NVT is followed with a message that you can now access the interface.
-- Output -- Rebuilding NVT cache... done. Setup complete, you can now access GSAD at: https://<IP>:9392
The only problem? OpenVAS (GVM) isn’t running on 9392 as the package states. Perhaps they will fix this at some point in the future, but for now, run the following commands.
echo 'OPTIONS="--listen=0.0.0.0 --port=9392"' > /etc/sysconfig/gsad systemctl start gsad
After running the 2 commands above, gsad is now running on port 9392.
GVM no longer has openvas-check-setup so the next paragraph is no longer helpful. <shrug> Skip ahead to “Accessing the OpenVAS (GVM) web interface.”
Accessing the OpenVAS (GVM) web interface
As mentioned in the previous message, you can now access to the web interface from any browser by going to https://<your IP address>:9392. You will receive a security prompt regarding the certificate since it is self-signed, but after that you should be able to login. Even though you can login at this point, I would highly recommend following the other sections below! It will save you time down the road!
Automatic Feed Updates With Cron
OpenVAS vulnerability scans are only as good as the information/plug-ins you’re checking against. Thus, if your feeds are out-of-date, your scans are not going to reflect the true nature of the environment because you are not testing for the most recently discovered vulnerabilities. From the web interface, you can check the status of your feeds anytime via Extras -> Feed Status.
The feeds don’t update automatically by default. You could update them manually or you can configure the feeds to update automatically via cron jobs. If you are not familiar with cron jobs, they are an easy way to tell the system to run a command at a given time. From the command line, type in ‘crontab -e’ to edit cron, which should be empty to start with. Hit the ‘i’ key to enter insert mode and then copy/paste the text in the gray box below. After your copy/paste, hit the ‘Esc’ key followed by typing in ‘:wq’ to exit. For those of you familiar with ‘vi’ that sequence of events should have been very familiar! The three commands coincide with the 3 feed types found in the Feed Status page — NVT, SCAP, and CERT. For the 3 cron jobs we just installed, the top command runs greenbone-nvt-sync at 1:35am, greenbone-scapdata-sync at 12:05am, and greenbone-certdata-sync at 1:05am.
35 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null 5 0 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null 5 1 * * * /usr/sbin/greenbone-certdata-sync > /dev/null
Assuming you just installed the system (the feeds update during the install process) or your cron jobs are keeping your feeds up-to-date properly, your feed status page should appear similar to the one below. Note: It is common for the feeds to be up-to-date and still report back they are a few days old as shown in the picture. I would suggest checking this page every now and again to make sure everything is updating as expected.
Configuring PDF Reports
I found documentation for working PDF reports in OpenVAS to be lacking. I was able to pull together bits and pieces from different sites to get it working. This is what you will need to do if you create/download PDF reports in OpenVAS and the pdf files are 0 bytes.
First, install additional texlive packages for CentOS 7.
yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec
The following steps were found on blogspot. It creates a directory, downloads the comment.sty file, changes permissions on the newly downloaded file, and then recreates the database with texhash. You can copy/paste the commands below into an SSH terminal window.
mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment cd /usr/share/texlive/texmf-local/tex/latex/comment wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty chmod 644 comment.sty texhash
Final notes
Success! From the web interface you can start a scan via Scans -> Tasks -> Task Wizard. Get comfortable with the interface! Are there some things I miss or I’m going to miss about Nessus? Of course! Nessus is like a pair of old shoes you’ve traveled a lot of miles with so it’s hard to get your feet used to something new. I have to say that so far though, I’m pretty happy with OpenVAS (GVM). Sure it’s not quite as polished and maybe it will produce some false positives others don’t, but that’s ok. Even if you already have another vulnerability scanner in your environment and you just need a second opinion, I would strongly suggest giving OpenVAS (GVM) a shot if you haven’t done so recently.Update – Override
I was greeted with high vulnerabilities yesterday on several scans that quite frankly, should never have issues. What?!?! This is what I saw…Report outdated Scan Engine / Environment (local) – 10.0 Summary This script checks and reports an outdated scan engine for the following environments: - Greenbone Source Edition (GSE) - Greenbone Community Edition (GCE) used for this scan. NOTE: While this is not, in and of itself, a security vulnerability, a severity is reported to make you aware of a possible decreased scan coverage due to e.g.: - missing functionalities - missing bugfixes - incompatibilities within the feed. Vulnerability Detection Result Installed GVM version: 9.0.1 Latest available GVM version: 9.0.3 Reference URL: https://community.greenbone.net/t/gvm-9-stable-initial-release-2017-03-07/211
Not the clearest explanation of what exactly is going on. Greenbone appears to be deprecating OpenVAS in favor of GVM-10, Greenbone Community Edition, or Greenbone Security Manager One. In the meantime, you can get rid of the false positives until you have time to update. To bypass these errors for the time being, simply go to a report with the error/vulnerability and click on ‘Add Override.’
In the new window that pops up, change the options to ‘Any’ as shown below followed by ‘Create.’ All of your previously related vulnerabilities that were 10.0 are now gone. Once again, this is a temporary solution and I would recommend looking at alternatives or updating to GVM-10.
Instalei seguindo seu manual!!! Deu super certo! OBG!!!!
ResponderExcluir