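After changing jobs, I have been feeling my way through many things I had never touched before. Systems and security were what I touched least at my previous SI company. I had played with Linux before, but having to work with it again recently I found I was long out of practice, so all I can do is search for articles by VBird (鳥哥) and the other experts on the net and imitate them.
OpenVAS is an open source vulnerability scanning tool. The database it installs is updated regularly, so it is a reasonably handy tool for scanning inside the company. Since my manager assigned this to me, I am writing it down as I go so that I don't forget!!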
Openvas
- Installation environment:
OS: CentOS-7-x86_64_Minimal-1511.iso
CPU: 2
RAM: 2G
Disk: 20G
1. Disable SELinux
# vi /etc/selinux/config
Change the part marked in red to disabled, then save and reboot.
2. Add required packages
# yum -y install wget bzip2 texlive net-tools
3. Add Atomicorp repo
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Just accept the default value (Yes).
4. Install OpenVAS
# yum -y install openvas
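5. Edit /etc/redis.conf and remove the # (uncomment)
That is, after running # vi /etc/redis.conf, find the text shown in the red box below, remove the #, save the file, and continue to the next step.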
6. Restart Redis
# systemctl enable redis && systemctl restart redis
You can run # systemctl status redis.service to confirm that the service is in the running state.
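7. openvas-setup
Follow the instructions. If rsync throws an error, check that your network allows outgoing TCP 873 to the internet.
The key point here is that one step of the openvas setup uses rsync to update the NVTs, certificates, and so on, so the firewall has to allow the port rsync uses (TCP 873). This process takes a long time.
The final completion screen is shown below.
Adjust the settings according to the on-screen text to fit your environment.
Go to https://:9392 and log in.
Test whether logging in with the admin account and password works.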
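8. Rebuild the database that was updated during installation
# openvasmd --rebuild
This takes a while, so please be patient. Once it finishes, OpenVAS can be used normally. If you skip this step, a scan may stay stuck at 1% and never move.
Other possible fixes for a scan that stops at 1%:
* Scan stuck at 1%
https://www.alienvault.com/forums/discussion/768/openvas-hangs-at-1-how-to-fix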
It's a bug on the current version. Openvas certs have expired. There is a workaround to fix it. Please follow these instructions:
1º Regenerate openvas server certificate:
# openvas-mkcert -f
Accept all with "intro" key
2º Regenerate openvas client certificate (in all sensors):
# openvas-mkcert-client -n om -i
3º Restart all openvas services in the server and all sensors:
# /etc/init.d/openvas-manager restart
# /etc/init.d/openvas-scanner restart
Wait some minutes and execute the scan again.
9. Install the packages needed to view PDFs
# yum -y install texlive-changepage texlive-titlesec
# mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
# cd /usr/share/texlive/texmf-local/tex/latex/comment
# wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
# chmod 644 comment.sty
# texhash
10. openvas-check-setup
# openvas-check-setup
This command shows which step has a problem. Basically, once the nine steps above are done, the installation is complete.
[root@localhost ~]# openvas-check-setup
openvas-check-setup 2.3.2
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)
  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 5.0.5.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=2.8.21.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /var/lib/openvas/plugins contains 45546 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 45546 files for 45546 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 6.0.7.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: At least one user exists.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 45546 NVTs.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
        OK: Greenbone Security Assistant is present in version 6.0.8.
Step 5: Checking OpenVAS CLI ...
        OK: OpenVAS CLI version 1.4.3.
Step 6: Checking Greenbone Security Desktop (GSD) ...
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
        SUGGEST: Install alien.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
        OK: SELinux is disabled.
It seems like your OpenVAS-8 installation is OK.
← Seeing this means OpenVAS is ready to use!
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
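The WARNING and SUGGEST lines are the part of the step 10 output that still needs action even when the final verdict is OK. The shell functions below are an added example, not part of the original post or of OpenVAS: they pair each WARNING with its SUGGEST and list the services that report listening on all interfaces. The function names and the output format are assumptions, and the sample input is a constructed excerpt of the output shown above.

```shell
# Added example, not from the original post: summarise openvas-check-setup output.
# Prints "WARN|<warning>|<suggestion>" for each WARNING (paired with the SUGGEST
# line that follows it) and "EXPOSED|<service>" for each service that reports
# listening on all interfaces. Reads the check output on stdin.
summarize_check_setup() {
  awk '
    function emit() {
      if (warn != "") { print "WARN|" warn "|" sug; warn = ""; sug = "" }
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^WARNING: / { emit(); warn = substr($0, 10); next }
    /^SUGGEST: / { if (warn != "") sug = substr($0, 10); emit(); next }
    /^OK: .* listening on all interfaces\.$/ {
      emit(); svc = substr($0, 5)
      sub(/ is running and listening.*/, "", svc)
      print "EXPOSED|" svc; next
    }
    /^(OK|ERROR|FIX|SKIP|Step)/ { emit() }   # a WARNING with no SUGGEST
    END { emit() }
  '
}

# Prints the summary and returns 1 when any warning is present, so a
# provisioning script or cron job can fail on an unfinished setup.
check_setup_gate() {
  summary=$(summarize_check_setup)
  printf '%s\n' "$summary"
  case "$summary" in *"WARN|"*) return 1 ;; esac
  return 0
}

# Constructed sample: lines excerpted from the check output shown in the post.
sample_output() {
  cat <<'EOF'
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Manager is running and listening on all interfaces.
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
        WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
        SUGGEST: Install alien.
EOF
}

sample_output | check_setup_gate || echo "setup has open warnings"
```

On a real host, feed it the live output with `openvas-check-setup | check_setup_gate`.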