Install OpenVAS open source Vulnerability scanning system offline in CentOS 5.8


OpenVAS is an open-source vulnerability scanning system. It scans a system for vulnerabilities (such as port vulnerabilities, service and tool version vulnerabilities, system configuration vulnerabilities, and service hardening risks) and presents an evaluation report; you can then repair the system as instructed in the report.

OpenVAS has many features, and its place among the many vulnerability scanning tools is not discussed here. There are plenty of introductions to it on the Internet, so we go straight to the offline installation...

I. System Environment
Server: CentOS 5.8 x86_64
Client: Windows 7
Vulnerability scanning tool: OpenVAS 6.0

Disable the SELinux service on the server
Disable the local firewall of the server (optional, do not disable the firewall policy)
Disable the NetworkManager service

II. OpenVAS server-layer components
openvas-manager // communicates with the client's Greenbone program, completes scanning tasks, and submits detection reports. The default port is 9390.
openvas-scanner // the main service that actually performs the scan (it invokes the library that does the scanning). The default port is 9391.
gsad // provides the Web access interface. The default listening address is 127.0.0.1 and the port is 9392.
openvas-administrator // communicates with openvas-manager and gsad to complete user and configuration management. The listening address is 127.0.0.1 and the port is 9393.
openvas-manager and openvas-scanner are enabled automatically after installation; the other two services are started manually as needed.
By default, gsad only listens on 127.0.0.1. To access gsad from the client browser, we recommend that you change it to 0.0.0.0 and then start the service.

Iii. Client tools
Two access methods are covered here: Web access and the Greenbone-Desktop-Suite tool.
Web access: enter the Web address in a browser to perform remote operations directly.
Greenbone-Desktop-Suite (desktop suite): provides a graphical program interface for accessing the OpenVAS service layer, mainly on Windows clients.

4. Install OpenVAS offline
1) Configure yum
Before installation, download the openvas package and its dependency packages. There are many dependency packages (about 90). Using yum to download them all is the convenient way, and the downloaded packages also provide the material for the offline installation.
# vim /etc/yum.conf
keepcache=1 // cache the packages that yum downloads; they are stored under /var/cache/yum/, where you can find them after the download.


Back up the yum source in the /etc/yum.repos.d/ directory as follows:
# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup


Download the atomicorp yum source and update:
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
# yum update

# cd /etc/yum.repos.d/; ls // the downloaded atomicorp yum source file is displayed.

Download the CentOS6-Base-163.repo yum source, which mainly provides the dependency packages:
# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# yum makecache
# yum clean all // clear and recreate the yum cache

Check whether it is successful:
# yum list | grep -i openvas // the following packages are printed
openvas.noarch                  1.0-9.el6.art     atomic
openvas-administrator.x86_64    1.3.2-5.el6.art   atomic
openvas-cli.x86_64              1.2.0-4.el6.art   atomic
openvas-libraries.x86_64        6.0.1-7.el6.art   atomic
openvas-libraries-devel.x86_64  6.0.1-7.el6.art   atomic
openvas-manager.x86_64          4.0.4-13.el6.art  atomic
openvas-scanner.x86_64          3.4.0-7.el6.art   atomic

2) Offline installation

# rpm -Uvh /root/OpenVAS-rpms/*.rpm --force // install the downloaded packages: 90 in total, including the dependency packages and the main components. -U (upgrade) and --force are used so that the installation is not interrupted midway by dependency problems.
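
The article does not show how the cached packages get from /var/cache/yum/ on the online host into /root/OpenVAS-rpms on the offline server. The following is an added example, not part of the original article: it stages the cached RPMs together with a SHA-256 manifest and checks that manifest before the forced install is run. The function names and the SHA256SUMS file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# SHA256SUMS manifest name are assumptions made for illustration.

# Online host: copy every RPM that yum kept (keepcache=1) from the cache tree
# into one staging directory and write a SHA-256 manifest beside them.
stage_rpms() {
    cache_dir=$1; stage_dir=$2
    mkdir -p "$stage_dir" || return 1
    find "$cache_dir" -type f -name '*.rpm' -exec cp -p {} "$stage_dir"/ \; || return 1
    # Fails (non-zero) when no RPM was found, because the glob matches nothing.
    ( cd "$stage_dir" && sha256sum -- *.rpm > SHA256SUMS )
}

# Offline host: succeed only if every listed file matches its checksum and
# no RPM is present that the manifest does not list.
verify_rpms() {
    (
        cd "$1" || exit 1
        [ -s SHA256SUMS ] || { echo "manifest missing or empty" >&2; exit 1; }
        sha256sum -c SHA256SUMS >/dev/null 2>&1 ||
            { echo "checksum mismatch or missing package" >&2; exit 1; }
        for f in *.rpm; do
            awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' SHA256SUMS ||
                { echo "package not in manifest: $f" >&2; exit 1; }
        done
    )
}

# Typical use (paths as in the article):
#   online:   stage_rpms /var/cache/yum /root/OpenVAS-rpms
#   offline:  verify_rpms /root/OpenVAS-rpms && rpm -Uvh /root/OpenVAS-rpms/*.rpm --force
```

Running rpm -K /root/OpenVAS-rpms/*.rpm additionally checks each package's own digests, and its signature where the signing key has been imported.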
3) Deploy the scanning plug-ins
# cd /var/lib/openvas/plugins/
# wget http://www.openvas.org/openvas-nvt-feed-current.tar.bz2 // download the plug-ins
# tar xjf openvas-nvt-feed-current.tar.bz2 // around 57826 scan plug-ins after decompression
4) Start the service components

Starting openvas-scanner for the first time takes a long time because the plug-ins are loaded.
Prompts such as "Locate ......", "Undefined function ......" can be ignored.
# /etc/init.d/openvas-scanner start // loading the plug-ins takes a long time on the first start; wait patiently...
Starting openvas-scanner: [OK]
# /etc/init.d/openvas-administrator start
Starting openvas-administrator: [OK]
# /etc/init.d/openvas-manager start
Starting openvas-manager: [OK]
Note: At this point openvas-manager has not actually started successfully. Perform the following operations to fix the problem:
# openvas-mkcert-client -n om -i
# openvasmd --rebuild
# service openvas-manager restart

Check the listening status after all four services are started:
# netstat -anpt | grep :939
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN 25540/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 25361/openvassd
tcp 0 0 127.0.0.1:9392 0.0.0.0:* LISTEN 25442/gsad
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 25399/openvasad

5) Start the client-layer component
By default, gsad only listens on 127.0.0.1. To access the service from the client browser, we recommend that you change it to 0.0.0.0 and then start the service.
# vim /etc/sysconfig/gsad
GSA_ADDRESS=0.0.0.0 // you must change it to 0.0.0.0
GSA_PORT=9392
# /etc/init.d/gsad restart
# netstat -anpt | grep -i gsad
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 2074/gsad
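
To confirm what the bind-address change actually exposes, the listeners can be checked mechanically instead of by eye. The following is an added example, not part of the original article: it reads netstat -anpt output, lists the OpenVAS daemons on ports 9390-9393 that are bound to more than loopback, and compares them with the list of ports you intend to expose. The function names and the allowed-port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The sample is constructed from
# the netstat output the article prints after gsad is rebound to 0.0.0.0;
# the sshd line is made up to show that other ports are ignored.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN 25540/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 25361/openvassd
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 2074/gsad
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 25399/openvasad
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1801/sshd'

# stdin: `netstat -anpt` output. stdout: "<port> <program> <address>" for each
# OpenVAS listener (ports 9390-9393) that is not bound to loopback only.
exposed_openvas_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        if (port < 9390 || port > 9393) next
        if (addr == "127.0.0.1" || addr == "::1") next
        split($7, p, "/"); print port, p[2], addr
    }' | sort -n
}

# stdin: output of exposed_openvas_listeners. $1: space-separated ports that
# are meant to be reachable from other hosts (an assumption you supply).
# Prints each unexpected listener and returns non-zero if there is one.
check_openvas_exposure() {
    allowed=" $1 "; rc=0
    while read -r port prog addr; do
        case $allowed in
            *" $port "*) ;;
            *) echo "unexpected: $prog listening on $addr:$port"; rc=1 ;;
        esac
    done
    return $rc
}

# On the server:
#   netstat -anpt | exposed_openvas_listeners | check_openvas_exposure "9390 9392"
```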

5. Add common users and administrator users

openvas-adduser // create a user
openvas-rmuser // delete a user

1) Add normal user yy
# openvas-adduser
Using /var/tmp as a temporary file holder.
Add a new openvassd user
-------------------------
Login: yy // enter the name of the scan user to be added
Authentication (pass/cert) [pass]: // press Enter to use the default password authentication method
Login password: // set the password
Login password (again): // set the password again (confirm)

User rules
------------
openvassd has a rules system which allows you to restrict the hosts that tsengyia has the right to test.
For instance, you may want him to be able to scan his own host only.
Please see the openvas-adduser(8) man page for the rules syntax.
Enter the rules for this user, and hit ctrl-D once you are done.
(The user can have an empty rules set)
accept 192.168.10.0/24 // configure authorization rules (which network segments or hosts can be scanned)
accept 10.0.0.0/24
default deny // sets the default authorization rule (if no rules are specified, any host or network can be scanned by default)
Note: after entering the default authorization rule here, press Ctrl + D to submit and proceed to the next step.

Login yy
Password ************

Rules
accept 192.168.4.0/24
accept 10.0.0.0/24
default deny

Is that OK? (Y/n) [y] // press Enter to accept the preceding settings
User added.

2) Create an admin account
First, use the openvas-adduser tool to add the common scan user admin, and then create an isadmin file in the user's configuration directory to set the role to administrator.
# openvas-adduser
Using /var/tmp as a temporary file holder.
Add a new openvassd user
-------------------------
Login: admin
...... // the rest is the same as creating a common user and is omitted
# touch /var/lib/openvas/users/admin/isadmin // set admin as administrator

6. Access OpenVAS from the client

Access https://192.168.134.small:9392 in the browser. Note: the transmission is encrypted (https).

Note: If the logon fails and "Login failed. OMP service is down" is displayed, you can perform the following operations to fix the problem (the troubleshooting ideas and procedures are attached):
# openvas-mkcert-client -n om -i
# openvasmd --rebuild
# service openvas-manager restart
# netstat -anpt | grep openvasmd
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN 33097/openvasmd

If you can access the Internet, perform the following operations:
# /etc/init.d/openvas-manager stop // stop the OpenVAS manager service
# /etc/init.d/openvas-scanner stop // stop the OpenVAS scanner service
# openvas-scapdata-sync // import data into the database. The import is slow: from about half an hour up to a day, depending on the network environment.
# mkdir /var/lib/openvas/scap-data/private
# openvas-certdata-sync // synchronize the CERT data
# openvasmd --rebuild // recreate the database
# /etc/init.d/openvas-scanner restart // restart the OpenVAS scanner service
# /etc/init.d/openvas-manager restart // restart the OpenVAS manager service
If openvas-manager fails to restart, run:
# openvas-mkcert-client -n om -i
# openvasmd --rebuild
# service openvas-manager restart

# netstat -anptu | grep :939
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN 3224/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3356/openvassd
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 2064/gsad
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 1953/openvasad

Note: You can use the openvas-check-setup command to check whether OpenVAS has been installed successfully.
If the output contains the FIX keyword, an error was found; follow the prompt to fix or install what is missing.
FIX: indicates the error field.

VII. Update the scanning plug-in Library
During subsequent maintenance, you can update the plug-in library either online or offline.
Online update:
# openvas-nvt-sync // execute the online update script, which is slow

Offline update:
Download the new release package from http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
# cp openvas-nvt-feed-current.tar.bz2 /var/lib/openvas/plugins/
# cd /var/lib/openvas/plugins/
# tar xjf openvas-nvt-feed-current.tar.bz2
# /etc/init.d/openvas-scanner restart // restart the service after the update; wait patiently


8. Basic usage
Access https://192.168.134.20.:9392
1) Create a scan target
· Click Configuration → Targets.

· Set the target name, target address, and port range
2) Create a scan task

· Click Scan Management → New Task
· Set the task name, scan configuration type, and scan target
3) Start scanning

· Click Scan Management → Tasks (you can return to the main interface)

For anything else, explore it yourself...

The most important thing is to disable SELinux. Otherwise, no function will work. SELINUX=disabled must be set in /etc/sysconfig/selinux.
