First, some background – in a recent attempt to get a better handle on Internet privacy I began to look at various areas from mobile operating systems, browsers to the network I was connecting to the Internet from, and the various risks all entailed. In terms of my local network I was intrigued to better understand the “health” of devices on that network, and any risks they exposed.
I started to re-visit the use of Linux, and initially rediscovered Kali Linux “2016.2.” This proved to be a nightmare within a Hyper-V machine – a memory leak consumed all available host memory (12GB) in a couple of days, plus an “apt-get dist-upgrade” resulted in a failure of Xfce on boot… all I wanted was a vulnerability scanner, not a headache! Sadly, getting OpenVas running on Kali is very easy – see here.
My next port of call was Ubuntu, however, from a privacy perspective this proved less than ideal, so I opted for a distro I had not used for many years in its original form, Debian – specifically Debian 8, or Jessie.
Firstly confirm your Debian 8 installation is up-to-date:
apt-get update apt-get dist-upgrade
Install the necessary pre-requisites for OpenVAS using the command below.
sudo apt-get install -y build-essential cmake bison flex libpcap-dev pkg-config libglib2.0-dev libgpgme11-dev uuid-dev sqlfairy xmltoman doxygen libssh-dev libksba-dev libldap2-dev libsqlite3-dev libmicrohttpd-dev libxml2-dev libxslt1-dev xsltproc clang rsync rpm nsis alien sqlite3 libhiredis-dev libgcrypt11-dev libgnutls28-dev redis-server texlive-latex-base texlive-latex-recommended linux-headers-$(uname -r)
Download, Compile and Install OpenVAS
Use the command below to create required directories and download / compile and install the various software packages needed for this installation.
Run the commands below as root (sudo -i), or alter the script to include a sudo infront of all make install comamnds plus the ldconfig command.
Note the older version of nmap is what is required by OpenVAS, hence not using apt-get to install this.
# Make temporary directory to d/l source, extract and compile cd ~ mkdir openvas cd openvas # Download Source wget http://wald.intevation.org/frs/download.php/2351/openvas-libraries-8.0.8.tar.gz wget http://wald.intevation.org/frs/download.php/2367/openvas-scanner-5.0.7.tar.gz wget http://wald.intevation.org/frs/download.php/2359/openvas-manager-6.0.9.tar.gz wget http://wald.intevation.org/frs/download.php/2363/greenbone-security-assistant-6.0.11.tar.gz wget http://wald.intevation.org/frs/download.php/2332/openvas-cli-1.4.4.tar.gz wget http://nmap.org/dist/nmap-5.51.6.tgz # Extract packages tar xvf greenbone-security-assistant-6.0.11.tar.gz tar xvf openvas-libraries-8.0.8.tar.gz tar xvf openvas-scanner-5.0.7.tar.gz tar xvf openvas-manager-6.0.9.tar.gz tar xvf openvas-cli-1.4.4.tar.gz tar xvf nmap-5.51.6.tgz # Compile and install packages cd openvas-libraries-8.0.8 cmake . make make doc make install cd .. cd openvas-manager-6.0.9/ cmake . make make doc make install cd .. cd openvas-scanner-5.0.7/ cmake . make make doc make install cd .. cd openvas-cli-1.4.4/ cmake . make make doc make install cd .. cd greenbone-security-assistant-6.0.11/ cmake . make make doc make install cd .. cd nmap-5.51.6 ./configure make make install cd .. ldconfig
Setup OpenVas via Script
So this is where Kali has it nailed down, and rather than re-invent the wheel I have copied and modified the distributions “openvas-setup” script to suit Debian 8, as below – create the script ad chmod +x, then run as root, or using sudo.
#!/bin/bash if ! grep -q "^unixsocket /tmp/redis.sock" /etc/redis/redis.conf ; then sed -i -e 's/^\(#.\)\?port.*$/port 0/' /etc/redis/redis.conf sed -i -e 's/^\(#.\)\?unixsocket \/.*$/unixsocket \/tmp\/redis.sock/' /etc/redis/redis.conf sed -i -e 's/^\(#.\)\?unixsocketperm.*$/unixsocketperm 700/' /etc/redis/redis.conf fi service redis-server restart test -e /usr/local/var/lib/openvas/CA/cacert.pem || openvas-mkcert -q if (openssl verify -CAfile /usr/local/var/lib/openvas/CA/cacert.pem \ /usr/local/var/lib/openvas/CA/servercert.pem | grep -q ^error); then openvas-mkcert -q -f fi openvas-nvt-sync openvas-scapdata-sync openvas-certdata-sync if ! test -e /usr/local/var/lib/openvas/CA/clientcert.pem || \ ! test -e /usr/local/var/lib/openvas/private/CA/clientkey.pem; then openvas-mkcert-client -n -i fi if (openssl verify -CAfile /usr/local/var/lib/openvas/CA/cacert.pem \ /usr/local/var/lib/openvas/CA/clientcert.pem |grep -q ^error); then openvas-mkcert-client -n -i fi openvassd openvasmd --migrate openvasmd --progress --rebuild openvassd openvasmd gsad if ! openvasmd --get-users | grep -q ^admin$ ; then openvasmd --create-user=admin fi
Once the above script has executed, ensure you capture and save the output password associated witht he user “admin.”
Create Update Script
Create a new script “/usr/local/sbin/openvas-feed-update” as below, ensure you chmod+x to ensure it is executable.
#!/bin/bash echo "Updating OpenVas Feeds" openvas-nvt-sync openvas-scapdata-sync openvas-certdata-sync
I wanted to make running the service under Debian as easy as possible, so embraced the systemctl approach by creating a service file for the relevant component parts of OpenVAS / GSA. These are all modified copies of the files used in Kali.
Create /etc/systemd/system/openvas-manager.service, chmod +x to ensure it is executable by root.
[Unit] Description=Open Vulnerability Assessment System Manager Daemon Documentation=man:openvasmd(8) http://www.openvas.org/ Wants=openvas-scanner.service [Service] Type=forking PIDFile=/usr/local/var/run/openvasmd.pid ExecStart=/usr/local/sbin/openvasmd --database=/usr/local/var/lib/openvas/mgr/tasks.db ExecReload=/bin/kill -HUP $MAINPID # Kill the main process with SIGTERM and after TimeoutStopSec (defaults to # 1m30) kill remaining processes with SIGKILL KillMode=mixed [Install] WantedBy=multi-user.target
Create /etc/systemd/system/openvas-scanner.service, chmod +x to ensure it is executable by root.
[Unit] Description=Open Vulnerability Assessment System Scanner Daemon Documentation=man:openvassd(8) http://www.openvas.org/ After=redis-server.service Requires=redis-server.service [Install] WantedBy=multi-user.target [Service] Type=forking PIDFile=/usr/local/var/run/openvassd.pid ExecStart=/usr/local/sbin/openvassd ExecReload=/bin/kill -HUP $MAINPID # Kill the main process with SIGTERM and after TimeoutStopSec (defaults to # 1m30) kill remaining processes with SIGKILL KillMode=mixed
Create /etc/systemd/system/greenbone-security-assistant.service, chmod +x to ensure it is executable by root.
[Unit] Description=Greenbone Security Assistant Documentation=man:gsad(8) http://www.openvas.org/ Wants=openvas-manager.service [Service] Type=simple PIDFile=/usr/local/var/run/gsad.pid ExecStart=/usr/local/sbin/gsad --foreground [Install] WantedBy=multi-user.target
Check you OpenVAS Installation
Use the command below to check your OpenVAS deployment, either run as root (sudo -i) or adding sudo where to the execution stage.
cd ~ && wget --no-check-certificate https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup chmod +x openvas-check-setup ./openvas-check-setup
Hopefully the setup checks will come back clean/with no issues…
Cycle OpenVAS and Start vis Systemctl
Now to confirm our service scripts are working; firslty lets kill of any OpenVAS / GSA related processes.
killall -9 gsad killall -9 openvasds killall -9 openvasmd
Now we’ll start the “services” using sytemctl, as below:
systemctl start openvas-manager.service systemctl start openvas-scanner.service systemctl start greenbone-security-assistant.service
Check the status of each service using these commands:
systemctl status openvas-manager.service systemctl status openvas-scanner.service systemctl status greenbone-security-assistant.service
Login to GSA
Using Firefox, browse to https://127.0.0.1 – you’ll be able to login using the username “admin” and password output and captured above (unique to your deployment).