aboutsummaryrefslogtreecommitdiff
path: root/network/greenbone-security-assistant/README
blob: 3681cc3a2148eae90dba8ca82f5b96340e649818 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
greenbone-security-assistant (UI for OpenVAS)

This is the UI the Open Vulnerability Assessment System (OpenVAS).

###### Known Problems ######

- PDF report generation is broken.  This may get fixed in a future slackbuild.

- The libssh-0.5.4 shipped with Slackware (at the time of this writing) is
  broken. If you need to run "credentialed" scans against targets running
  OpenSSH 6.7 or beyond (including Slackware), you have 2 options:
    1. Enable diffie-hellman-group1-sha1 as a KexAlgorithm in the sshd_config
       of your targets.
    2. Update your libssh to the latest.
  You also may have problems with targets running Dropbear SSH server.  See
  this thread on LinuxQuestions for more information:
    http://www.linuxquestions.org/questions/showthread.php?t=4175533193

- All the daemons run as root.  There's no (working) configuration options
  or documentation to change this behavior.

- There are a number of tests that depend on other software packages that are
  not available as slackbuilds at this time.  Stay tuned.

- If you're running in a VM environment, or on a headless server, then 
  installing haveged is recommended, particularly for step 9 below.

###### Installation Instructions ######

These instructions assume you're familiar with slackbuilds.  If not, please
refer to http://slackbuilds.org/howto/ .

1. Build and install openvas-libraries.

2. Build and install openvas-scanner.

3. You need a Certificate Authority and server certificate. Run the following
   command:
# openvas-mkcert
      
4. You need the NVT's (Network Vulnerability Tests).  Run the following 
   command to sync.  In the future, you can do this through the 
   greenbone-security-assistant interface.  This will take a minute or so
   with a blazing fast internet connection. YMMV.
# openvas-nvt-sync

5. Start the openvas-scanner daemon.
# sh /etc/rc.d/rc.openvassd start

6. Build and install openvas-manager.

7. You need client certificates for manager to talk to scanner.  Use the 
   following command.
# openvas-mkcert-client -n -i

8. Initialize the manager database.  This will take a while, so be patient.
# openvasmd --rebuild

9. You want encrypted credentials in the DB, so do this now.
# openvasmd --create-credentials-encryption-key
   This may take a while, so it's best to create some entropy by skipping to
   #11-#13 and then coming back, if needed.

10. Create a user.
# openvasmd --create-user=cary
    If you find the assigned password hard to remember, you can change it 
    right now.
# openvasmd --user=cary --new-password=mekmitasdigoat

11. Sync SCAP data.  This will take some time.
# openvas-scapdata-sync

12. Sync CERT data.
# openvas-certdata-sync

13. Update port names.
# wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
# openvas-portnames-update service-names-port-numbers.xml
# rm service-names-port-numbers.xml

14. Start the openvas-manager daemon.
# sh /etc/rc.d/rc.openvasmd start

15. Build and install libmicrohttpd.

16. Build and install greenbone-security-assistant.

17. Launch the greenbone-security-assistant.
# sh /etc/rc.d/rc.gsad start

18. Point your browser at https://<YOUR IP OR HOSTNAME>:9392
    You'll get a certificate error, of course (fixing this is left as an 
    excercise for the reader). Log in with your username/password from #10.

19. [Optional] Build and install openvas-cli.  You'll need this if you ever
    want to script tests.

That's it!  If you run into any problems, you can try running the 
openvas-check-setup script found here:
  https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup

If you don't have a web-server running, you can edit the /etc/rc.d/rc.gsad
script to remove the "-p 9392" option, and it will run on port 443.

Please let me know if you run into any problems.  Patches welcome!

Have Fun!

Kent Fritz
mailto:fritz.kent@gmail.com