Configure the fastest mirror
Environment: Ubuntu 14.04 32-bit. This walkthrough uses mirrors.163.com as the apt mirror.
sudo vim /etc/apt/sources.list
Use a global substitute in vim to swap the mirror host currently in the file for mirrors.163.com. The search pattern must be whatever host sources.list currently contains (on a stock Ubuntu 14.04 install that is usually archive.ubuntu.com or cn.archive.ubuntu.com):
%s/mirror.ubuntu.org/mirrors.163.com/g
After the replacement, refresh the package index:
sudo apt-get update
Install OpenVAS
The following is quoted in full from:
Configure the install source as root
echo "deb http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v6/Debian_7.0/ ./" >> /etc/apt/sources.list
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v6/Debian_7.0/Release.key
apt-key add ./Release.key
sudo apt-get update
Quick install of OpenVAS
apt-get -y install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc rsync
apt-get -y install texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc
apt-get -y install alien rpm nsis fakeroot
Quick start of OpenVAS
test -e /var/lib/openvas/CA/cacert.pem || openvas-mkcert -q
openvas-nvt-sync
test -e /var/lib/openvas/users/om || openvas-mkcert-client -n om -i
/etc/init.d/openvas-manager stop
/etc/init.d/openvas-scanner stop
openvassd
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync
The next command creates the OpenVAS admin user and prompts for its password; remember to enter one:
test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin
killall openvassd
sleep 15
/etc/init.d/openvas-scanner start
/etc/init.d/openvas-manager start
/etc/init.d/openvas-administrator restart
/etc/init.d/greenbone-security-assistant restart
Note that Release.key above is fetched over plain HTTP and then trusted for every package from that repository; compare its fingerprint (gpg --with-fingerprint ./Release.key) with the one the project publishes before running apt-key add.
Update the vulnerability database (NVT feed)
Reference:
Both online and offline updates are supported; choose whichever fits your situation. A scheduled (cron) online update is recommended.
Online update
The following command performs an incremental update:
openvas-nvt-sync
The command can fetch the feed with rsync, wget or curl, selected with the matching option (for example --wget).
Offline update
Periodically download the feed archive, extract it and overwrite the contents of:
/var/lib/openvas/plugins/
Whatever is extracted there is loaded and executed by the scanner, and the stock openvassd.conf (dumped further down) has nasl_no_signature_check = yes, so NVT signatures are not checked; verify the archive's checksum against a value obtained from a trusted source before extracting it over the plugin directory.
Archive URL (about 14.6 MB):
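Because the offline path copies unsigned NASL scripts straight into the directory the scanner executes from, here is an added POSIX shell example, not part of the original post or of the OpenVAS project, that refuses an archive whose SHA-256 does not match a value obtained out of band and extracts into a staging directory before copying over the plugins. The plugin path, archive name and checksum file are assumptions of this example; the sample feed it builds is constructed for a dry run.

```shell
# Added example, not from the original post: gate an offline NVT feed archive on a
# SHA-256 obtained out of band, extract it into a staging directory, and only then
# copy it over the plugin directory. PLUGINS_DIR is an assumption of this script;
# the real target on this install is /var/lib/openvas/plugins.

# install_nvt_feed ARCHIVE EXPECTED_SHA256 PLUGINS_DIR
install_nvt_feed() {
  feed_archive=$1; feed_expected=$2; feed_plugins=$3

  # 1. Integrity gate: the scanner loads whatever lands in the plugin directory
  #    (nasl_no_signature_check = yes in the stock config), so never extract an
  #    archive whose digest is not the one published with the feed.
  feed_actual=$(sha256sum "$feed_archive" | cut -d' ' -f1)
  if [ "$feed_actual" != "$feed_expected" ]; then
    echo "checksum mismatch for $feed_archive: got $feed_actual" >&2
    return 1
  fi

  # 2. Stage: extract beside the target first so a truncated or malformed archive
  #    fails here and the live plugin directory is left untouched.
  feed_stage=$(mktemp -d "${feed_plugins%/}.stage.XXXXXX") || return 1
  if ! tar -xf "$feed_archive" -C "$feed_stage"; then
    rm -rf "$feed_stage"
    echo "extraction of $feed_archive failed" >&2
    return 1
  fi

  # 3. Overwrite: the post's "extract and overwrite" step; cp -a keeps modes and times.
  mkdir -p "$feed_plugins" &&
  cp -a "$feed_stage"/. "$feed_plugins"/ &&
  rm -rf "$feed_stage"
}

# count_nasl DIR: number of .nasl scripts present, for a before/after check.
count_nasl() { find "$1" -name '*.nasl' | wc -l | tr -d ' '; }

# make_sample_feed DIR: constructed sample feed for a dry run, two placeholder .nasl
# files packed into feed.tar.gz, with its SHA-256 written to feed.sha256 (standing
# in for the value you would obtain out of band).
make_sample_feed() {
  sample_dir=$1
  mkdir -p "$sample_dir/src"
  printf '# constructed sample NVT\n' > "$sample_dir/src/a.nasl"
  printf '# constructed sample NVT\n' > "$sample_dir/src/b.nasl"
  tar -czf "$sample_dir/feed.tar.gz" -C "$sample_dir/src" .
  sha256sum "$sample_dir/feed.tar.gz" | cut -d' ' -f1 > "$sample_dir/feed.sha256"
}

# Real usage (archive name and checksum are whatever the feed page publishes):
#   install_nvt_feed <archive> <published sha256> /var/lib/openvas/plugins
```

The staging step matters as much as the checksum: tar writing directly into the live directory can leave a half-updated plugin set if the archive is truncated, and the scanner would happily load it on the next restart.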
Commercial support
1. OpenVAS training
2. OpenVAS framework development
3. OpenVAS NVT vulnerability feed development
4. OpenVAS-based scanning appliance: a custom-built device that can complete a scan of 500 to 5000 IPs in 10 minutes; for details see:
Other settings
Add a Slave
Configure the listen IP (old)
Note: the settings below have been superseded by the method in the next item, "Configure the listen IP (new)". Following the steps above, install a second OpenVAS machine. Note that OpenVAS listens on 127.0.0.1 by default, as shown:
/usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=127.0.0.1 --port=9390 --slisten=127.0.0.1 --sport=9391
/usr/sbin/openvasad --listen=127.0.0.1 --port=9393 --users-dir=/var/lib/openvas/users --scanner-config-file=/etc/openvas/openvassd.conf --sync-script=/usr/sbin/openvas-nvt-sync
/usr/sbin/gsad --listen=127.0.0.1 --port=9392 --alisten=0.0.0.0 --aport=9393 --mlisten=127.0.0.1 --mport=9390
You can kill the existing processes and restart them with the listen IP changed to 0.0.0.0 (acceptable in a test environment; in production bind to the specific interface address instead), as shown:
openvassd
/usr/sbin/openvasmd --database=/var/lib/openvas/mgr/tasks.db --listen=0.0.0.0 --port=9390 --slisten=0.0.0.0 --sport=9391
/usr/sbin/openvasad --listen=0.0.0.0 --port=9393 --users-dir=/var/lib/openvas/users --scanner-config-file=/etc/openvas/openvassd.conf --sync-script=/usr/sbin/openvas-nvt-sync
/usr/sbin/gsad --listen=0.0.0.0 --port=9392 --alisten=0.0.0.0 --aport=9393 --mlisten=0.0.0.0 --mport=9390
Alternatively, edit the listen entries in the service's init script to fixed values, for example:
[ "$DATABASE_FILE" ] && DAEMONOPTS="--database="$DATABASE_FILE
[ "$MANAGER_ADDRESS" ] && DAEMONOPTS="$DAEMONOPTS --listen=$MANAGER_ADDRESS"
[ "$MANAGER_PORT" ] && DAEMONOPTS="$DAEMONOPTS --port=$MANAGER_PORT"
[ "$SCANNER_ADDRESS" ] && DAEMONOPTS="$DAEMONOPTS --slisten=$SCANNER_ADDRESS"
[ "$SCANNER_PORT" ] && DAEMONOPTS="$DAEMONOPTS --sport=$SCANNER_PORT"
Configure the listen IP (new)
A search turned up the proper documentation: the OpenVAS default settings live under /etc/default:
openvas-administrator openvas-manager openvas-scanner greenbone-security-assistant
Four files in total, described as follows:
/etc/default/openvas-administrator //administrator: manages configuration, user authorization and related work; default listen address 127.0.0.1, port 9393
/etc/default/openvas-manager //manager: talks to the clients, dispatches scan tasks and builds the assessment report from the scan results; default port 9390
/etc/default/openvas-scanner //scanner: loads the vulnerability test plugins and executes the scans assigned to it; default port 9391
/etc/default/greenbone-security-assistant //web front end (gsad): the web interface onto the OpenVAS service layer; default listen address 127.0.0.1, port 9392
Below are the contents of each file. Change 127.0.0.1 to the address you need; 0.0.0.0 accepts connections on every interface. Expose only what the setup requires: a slave needs its manager (9390) reachable from the master and gsad (9392) reachable from administrators, while the scanner (9391) and administrator (9393) ports can stay on loopback, and whatever is opened should still be limited by a host firewall.
root@ubuntu:/etc/default# grep -v "^#" openvas-manager
DATABASE_FILE=/var/lib/openvas/mgr/tasks.db
MANAGER_ADDRESS=127.0.0.1
MANAGER_PORT=9390
SCANNER_ADDRESS=127.0.0.1
SCANNER_PORT=9391
root@ubuntu:/etc/default# grep -v "^#" openvas-administrator
ADMINISTRATOR_ADDRESS=127.0.0.1
ADMINISTRATOR_PORT=9393
USER_DATA=/var/lib/openvas/users
SCANNER_CONFIG=/etc/openvas/openvassd.conf
SYNC_SCRIPT=/usr/sbin/openvas-nvt-sync
root@ubuntu:/etc/default# grep -v "^#" openvas-scanner
SCANNER_ADDRESS=127.0.0.1
SCANNER_PORT=9391
root@ubuntu:/etc/default# grep -v "^#" greenbone-security-assistant
GSA_ADDRESS=127.0.0.1
GSA_PORT=9392
ADMINISTRATOR_ADDRESS=127.0.0.1
ADMINISTRATOR_PORT=9393
MANAGER_ADDRESS=127.0.0.1
MANAGER_PORT=9390
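The edit to these files is mechanical but easy to get wrong (a typo in the address, or a port opened that did not need opening), so here is an added shell example, not from the original post or the OpenVAS packages, that rewrites the *_ADDRESS values and then lists which daemons are bound to every interface. It takes the directory as a parameter so it can be run on a constructed copy of the four files; the exposure policy in configure_slave (gsad and the manager only) is this editor's assumption about a slave deployment, not something the packages enforce.

```shell
# Added example, not from the original post: rewrite the *_ADDRESS values in the four
# /etc/default files and report which daemons end up listening on every interface.
# The directory is a parameter so the functions can be exercised on a constructed copy;
# pass /etc/default to change the real files, then restart the services as shown above.

# valid_ipv4 ADDR: dotted quad with each octet 0-255; rejects typos before sed runs.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  ip_rest=$1
  while [ -n "$ip_rest" ]; do
    octet=${ip_rest%%.*}
    [ "$octet" -le 255 ] || return 1
    case $ip_rest in *.*) ip_rest=${ip_rest#*.} ;; *) ip_rest= ;; esac
  done
  return 0
}

# set_listen_addr FILE VAR ADDR: change the uncommented "VAR=..." line to VAR=ADDR.
# Fails instead of silently doing nothing when VAR is absent from FILE.
set_listen_addr() {
  cfg_file=$1; cfg_var=$2; cfg_addr=$3
  valid_ipv4 "$cfg_addr" || { echo "refusing invalid address: $cfg_addr" >&2; return 1; }
  grep -q "^${cfg_var}=" "$cfg_file" || { echo "$cfg_var not set in $cfg_file" >&2; return 1; }
  sed -i "s/^${cfg_var}=.*/${cfg_var}=${cfg_addr}/" "$cfg_file"
}

# exposed_services DIR: every VAR=0.0.0.0 line across the four files, i.e. each
# listener that will accept connections from any interface.
exposed_services() {
  grep -H '^[A-Z_]*_ADDRESS=0\.0\.0\.0$' "$1/openvas-manager" "$1/openvas-administrator" \
    "$1/openvas-scanner" "$1/greenbone-security-assistant" 2>/dev/null | sed 's#.*/##'
}

# configure_slave DIR IP: expose only what a master/slave setup needs, the web UI
# (gsad) and the manager's OMP port; scanner and administrator stay on loopback.
configure_slave() {
  set_listen_addr "$1/greenbone-security-assistant" GSA_ADDRESS "$2" &&
  set_listen_addr "$1/openvas-manager" MANAGER_ADDRESS "$2"
}

# make_sample_defaults DIR: constructed copies of the four files with the stock
# values from the grep output above, for a dry run.
make_sample_defaults() {
  mkdir -p "$1"
  printf 'DATABASE_FILE=/var/lib/openvas/mgr/tasks.db\nMANAGER_ADDRESS=127.0.0.1\nMANAGER_PORT=9390\nSCANNER_ADDRESS=127.0.0.1\nSCANNER_PORT=9391\n' > "$1/openvas-manager"
  printf 'ADMINISTRATOR_ADDRESS=127.0.0.1\nADMINISTRATOR_PORT=9393\nUSER_DATA=/var/lib/openvas/users\nSCANNER_CONFIG=/etc/openvas/openvassd.conf\nSYNC_SCRIPT=/usr/sbin/openvas-nvt-sync\n' > "$1/openvas-administrator"
  printf 'SCANNER_ADDRESS=127.0.0.1\nSCANNER_PORT=9391\n' > "$1/openvas-scanner"
  printf 'GSA_ADDRESS=127.0.0.1\nGSA_PORT=9392\nADMINISTRATOR_ADDRESS=127.0.0.1\nADMINISTRATOR_PORT=9393\nMANAGER_ADDRESS=127.0.0.1\nMANAGER_PORT=9390\n' > "$1/greenbone-security-assistant"
}
```

Run exposed_services /etc/default after any change: an empty result means nothing is bound to all interfaces, and each line it does print is a port that needs a firewall rule or a specific interface address instead.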
Log in to the web console to add the slave
Open the master at https://masterip:9392, log in, go to Configuration, Slaves, and click the star icon (New) to open the add form; enter the slave's IP, port, account and password and the slave is added. The account is an OMP login on the slave, so create a dedicated user for the master rather than handing it the slave's admin credentials.
For details see:
Configure a scan task on the slave
Under Scan Management choose New Task, then pick the desired slave host in the Slave field.
Scan results
The slave does not keep the scan results after a scan finishes; they are viewed on the master. Each scan gets its own report.
Configure alerts
Under Configuration, Alerts, set up notification by email or other means.
Configure scheduled scans
Under Configuration, Schedules, set up scheduled scan tasks.
View the openvassd.conf configuration
root@ubuntu:/home/aj# openvassd -s
plugins_folder = /var/lib/openvas/plugins
cache_folder = /var/cache/openvas
include_folders = /var/lib/openvas/plugins
max_hosts = 30
max_checks = 10
be_nice = no
logfile = /var/log/openvas/openvassd.messages
log_whole_attack = no
log_plugins_name_at_load = no
dumpfile = /var/log/openvas/openvassd.dump
rules = /usr/share/openvas/openvassd.rules
cgi_path = /cgi-bin:/scripts
port_range = default
optimize_test = yes
checks_read_timeout = 5
network_scan = no
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = yes
auto_enable_dependencies = yes
silent_dependencies = no
use_mac_addr = no
save_knowledge_base = no
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
slice_network_addresses = no
nasl_no_signature_check = yes
drop_privileges = no
unscanned_closed = yes
vhosts = 
vhosts_ip = 
report_host_details = yes
cert_file = /var/lib/openvas/CA/servercert.pem
key_file = /var/lib/openvas/private/CA/serverkey.pem
ca_file = /var/lib/openvas/CA/cacert.pem
reverse_lookup = no
config_file = /etc/openvas/openvassd.conf
Three of these deserve a look before the scanner is exposed to anything: nasl_no_signature_check = yes means NVT signatures are not verified, drop_privileges = no means the NVTs execute with the scanner's root privileges, and safe_checks = yes is what keeps the potentially disruptive checks switched off against targets.
Common problems
The problems encountered are recorded here; the fixes have not been confirmed to be entirely accurate.
OpenVAS Service Temporarily Down (503)
503 - Service temporarily down
openvas-mkcert-client -n om -i
openvas-nvt-sync --wget
/etc/init.d/openvas-scanner stop; /etc/init.d/openvas-manager stop;
openvassd
rm /var/lib/openvas/mgr/tasks.db
openvasmd --progress --rebuild -v
tasks.db is the manager's whole database (targets, tasks, schedules, reports), so the rm line discards everything created so far; copy the file aside first unless the install is still empty.
SecInfo Database Missing
Opening the SecInfo tab, every entry under NVTs and CVEs reports a missing database, as shown:
SecInfo Management - CVEs
Warning: SecInfo Database Missing
SCAP and/or CERT database missing on OMP server.
The fix was found on the official mailing list: first download three files into /usr/share/openvas/cert/:
sudo wget https://scm.wald.intevation.org/svn/openvas/trunk/openvas-manager/tools/cert_db_init.sql --no-check-certificate
sudo wget https://scm.wald.intevation.org/svn/openvas/trunk/openvas-manager/tools/dfn_cert_getbyname.xsl --no-check-certificate
sudo wget https://scm.wald.intevation.org/svn/openvas/trunk/openvas-manager/tools/dfn_cert_update.xsl --no-check-certificate
--no-check-certificate disables TLS verification for these downloads, and the files are consumed by a sync that runs as root; all three are plain text, so read what was fetched before the next step.
Then run the following as root:
openvas-certdata-sync
After the update, restart the openvas-scanner service:
/etc/init.d/openvas-scanner restart
Email sending fails
Check whether sendmail is installed on the OpenVAS server; if it is not, install and configure it.
Attachments larger than 1 MB cannot be sent
An alert was configured to email the scan report as a PDF automatically when a scan finishes. If the report exceeds 1 MB, the following is sent instead:
Note: The report exceeds the maximum attachment length of 1048576 bytes.
The first suspicion was sendmail, but raising sendmail's attachment size limit made no difference. Grepping for the message text finds it inside the /usr/sbin/openvasmd binary:
... (report truncated after 20000 characters)^@Note: This report exceeds the maximum length of ^@^@^@^@^@^@^@^@Note: The report exceeds the maximum attachment length of ^@^@^@^@^@^@--=-=-=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
The binary shows no concrete size to change, so the openvas-manager source package was downloaded, extracted and searched for 1048576:
wget http://wald.intevation.org/frs/download.php/1795/openvas-manager-5.0.5.tar.gz
tar zxvf openvas-manager-5.0.5.tar.gz
cd openvas-manager-5.0.5
grep -nr 1048576 *
The maximum attachment size is defined at line 7661 of manage_sql.c:
src/manage_sql.c:7661:#define MAX_ATTACH_LENGTH 1048576
The surrounding context confirms that this is the email attachment limit. The define only seeds a static int whose own comment says that a value of 0 or less means any size, so check openvasmd --help for a runtime option that sets it before patching; if this version offers none, append two zeros to 1048576 as shown:
7658 /**
7659  * @brief Default max number of bytes of reports attached to email alerts.
7660  */
7661 #define MAX_ATTACH_LENGTH 104857600
7662
7663 /**
7664  * @brief Maximum number of bytes of reports attached to email alerts.
7665  *
7666  * A value less or equal to 0 allows any size.
7667  */
7668 static int max_attach_length = MAX_ATTACH_LENGTH;
Then rebuild and reinstall openvas-manager (build notes in the appendix below) and the problem is resolved. Note that the appendix installs under /usr/local/openvas, so the rebuilt daemon is /usr/local/openvas/sbin/openvasmd rather than the /usr/sbin/openvasmd that the init script starts; either point the init script at the new binary or build with the same prefix as the package.
Appendix: building and installing openvas-manager
Build and install openvas-libraries
apt-get install pkg-config libssh-dev libgnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev librarian-dev
wget http://wald.intevation.org/frs/download.php/1787/openvas-libraries-7.0.5.tar.gz
tar zxvf openvas-libraries-7.0.5.tar.gz
cd openvas-libraries-7.0.5
mkdir build
cd build
export PKG_CONFIG_PATH=/usr/local/openvas/lib/pkgconfig:$PKG_CONFIG_PATH
export CFLAGS='-L/usr/local/openvas/lib -I/usr/local/openvas/include'
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/openvas -DCMAKE_INSTALL_RPATH=/usr/local/openvas/lib ..
make
make install
Build and install openvas-manager
wget http://wald.intevation.org/frs/download.php/1795/openvas-manager-5.0.5.tar.gz
tar zxvf openvas-manager-5.0.5.tar.gz
cd openvas-manager-5.0.5
mkdir build
cd build
export CC='gcc -Wl,-rpath,/usr/local/openvas/lib64 -Wl,-rpath,/usr/local/openvas/lib'
export PKG_CONFIG_PATH=/usr/local/openvas/lib/pkgconfig:/usr/local/openvas/lib64/pkgconfig
export CFLAGS="-I/usr/local/openvas/include"
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/openvas -DCMAKE_INSTALL_RPATH=/usr/local/openvas/lib ..
make
make install
Running omp fails
root@eqx-sec-1:~# omp
Failed to setlocale
Fixed by configuring the locale:
locale-gen en_US en_US.UTF-8 zh_CN.UTF-8
dpkg-reconfigure locales
omp commands
A password given with -w is visible in the process list to every local user; the omp client can also take its credentials from a configuration file (see omp --help), which is preferable on a shared host.
Create a scan target (an OMP create_target request):
aj@aj:~$ omp -u admin -w ajcheng --xml='<create_target><name>Test</name><hosts>192.168.110.09</hosts></create_target>'
Create a scan task: first list the scan config IDs
aj@aj:~$ omp -u admin -w ajcheng -g
085569ce-73ed-11df-83c3-002264764cea  empty
daba56c8-73ec-11df-a475-002264764cea  Full and fast
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
Get the scan target ID (returned when the target was created)
947faab6-bc83-44f7-927a-aa78ada3c446
Create the scan task (a create_task request; CONFIG_ID is one of the config IDs listed above, and the target ID is the one from the previous step)
aj@aj:~$ omp -u admin -w ajcheng --xml='<create_task><name>Scan Test</name><comment>Hourly scan of Test</comment><config id="CONFIG_ID"/><target id="947faab6-bc83-44f7-927a-aa78ada3c446"/></create_task>'
Create a scheduled scan (a create_schedule request: first run on 9 December 2014 at 22:00, a 3-hour window, repeated every 1 day):
aj@aj:~$ omp -u admin -w ajcheng --xml='<create_schedule><name>Every night</name><first_time><day_of_month>9</day_of_month><hour>22</hour><minute>0</minute><month>12</month><year>2014</year></first_time><duration>3<unit>hour</unit></duration><period>1<unit>day</unit></period></create_schedule>'
Start a scan task
Get the report (a get_reports request; REPORT_ID is the id of the report to fetch)
omp -u admin -w openvas@vobile --xml='<get_reports report_id="REPORT_ID"/>' | tee ip.log
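The requests above are hand-typed XML, which is fine interactively but fragile in a script: a target name or comment containing < or & silently changes the request, and an error reply has no id attribute, so a naive pipeline passes an empty id into the next step. Here is an added shell example, not from the original post or the openvas-cli project, that wraps the same create_target, create_task, start_task and get_reports requests in functions with XML escaping, parses the id out of the manager's reply, and chains them into one scan_host call that covers the "Start a scan task" step the notes above leave out. OMP_USER, OMP_PASS, OMP_HOST, OMP_PORT and OMP_DRY_RUN are environment variables assumed by this script, not options of the omp client; the responses in the comments are constructed samples of the OMP reply format.

```shell
# Added example, not from the original post or the openvas-cli project: the OMP
# requests used above as shell functions with XML escaping, plus an id extractor for
# the manager's responses so target -> task -> start -> report can be scripted.
# OMP_USER/OMP_PASS/OMP_HOST/OMP_PORT/OMP_DRY_RUN are assumptions of this script.

# xml_escape TEXT: escape the five XML metacharacters. A name such as
# 'x</name><hosts>10.0.0.1' would otherwise rewrite the request instead of being stored.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

create_target_xml() {   # NAME HOSTS
  printf '<create_target><name>%s</name><hosts>%s</hosts></create_target>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")"
}
create_task_xml() {     # NAME COMMENT CONFIG_ID TARGET_ID
  printf '<create_task><name>%s</name><comment>%s</comment><config id="%s"/><target id="%s"/></create_task>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")" "$(xml_escape "$3")" "$(xml_escape "$4")"
}
start_task_xml() { printf '<start_task task_id="%s"/>' "$(xml_escape "$1")"; }
get_report_xml() {      # REPORT_ID FORMAT_ID (format ids are listed by <get_report_formats/>)
  printf '<get_reports report_id="%s" format_id="%s"/>' "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# omp_send XML: run the request through the omp client, or echo it when OMP_DRY_RUN=1
# so the generated requests can be inspected without a manager.
omp_send() {
  if [ "${OMP_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; return 0; fi
  omp -h "${OMP_HOST:-127.0.0.1}" -p "${OMP_PORT:-9390}" -u "$OMP_USER" -w "$OMP_PASS" --xml="$1"
}

# response_ok RESPONSE: succeed only for a 2xx status. An error reply such as
#   <create_target_response status="400" status_text="Target exists already"/>
# carries no id, and treating it as success would feed an empty id to the next request.
response_ok() {
  omp_status=$(printf '%s' "$1" | sed -n 's/.*status="\([0-9]*\)".*/\1/p')
  case $omp_status in
    2??) return 0 ;;
    *) echo "OMP error: status ${omp_status:-missing}" >&2; return 1 ;;
  esac
}
# response_id RESPONSE: the id="..." attribute of a create_* reply, e.g.
#   <create_target_response status="201" status_text="OK, resource created" id="947f..."/>
response_id() {
  response_ok "$1" || return 1
  printf '%s' "$1" | sed -n 's/.*[[:space:]]id="\([^"]*\)".*/\1/p'
}
# response_report_id RESPONSE: the <report_id> child of a start_task reply.
response_report_id() {
  response_ok "$1" || return 1
  printf '%s' "$1" | sed -n 's/.*<report_id>\([^<]*\)<\/report_id>.*/\1/p'
}

# scan_host NAME HOSTS CONFIG_ID: create the target and task, start it, print the report
# id. Fetch the result later with: omp_send "$(get_report_xml "$report_id" "$format_id")"
scan_host() {
  target_id=$(response_id "$(omp_send "$(create_target_xml "$1" "$2")")") || return 1
  task_id=$(response_id "$(omp_send "$(create_task_xml "Scan $1" "scan of $2" "$3" "$target_id")")") || return 1
  response_report_id "$(omp_send "$(start_task_xml "$task_id")")"
}
```

Every caller-supplied value passes through xml_escape before it is placed into a request, including the ids, so a value taken from a host inventory or a ticket cannot inject extra OMP elements; the status check is what turns a "Target exists already" reply into a script failure instead of a task created against nothing.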