aboutsummaryrefslogtreecommitdiff
path: root/network/greenbone-security-assistant/README
blob: 82c8f6f5bb3db728e73efde727de5ee5b8783a80 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
greenbone-security-assistant (UI for OpenVAS)

This is the UI the Open Vulnerability Assessment System (OpenVAS).

###### Known Problems ######

- PDF report generation is broken.  This may get fixed in a future slackbuild.

- The libssh-0.5.4 shipped with Slackware (at the time of this writing) is
  broken. If you need to run "credentialed" scans against targets running
  OpenSSH 6.7 or beyond (including Slackware), you have 2 options:
    1. Enable diffie-hellman-group1-sha1 as a KexAlgorithm in the sshd_config
       of your targets.
    2. Update your libssh to the latest.
  You also may have problems with targets running Dropbear SSH server.  See
  this thread on LinuxQuestions for more information:
    http://www.linuxquestions.org/questions/showthread.php?t=4175533193

- All the daemons run as root.  There's no (working) configuration options
  or documentation to change this behavior.

- There are a number of tests that depend on other software packages that are
  not available as slackbuilds at this time.  Stay tuned.

- If you're running in a VM environment, or on a headless server, then 
  installing haveged is recommended, particularly for step 11 below.

###### Upgrade Notes ######

If you're updating from OpenVAS-7 to OpenVAS-8, please note the following.
(See: http://www.openvas.org/install-source.html if you're unsure which
version you're running.)

Openvas now uses redis as a temporary database while running scans.  You will
need redis installed and running, as well as hiredis.  See step 2 below on
how to configure redis.

Before running openvas-manager, you'll need to migrate the database.  Simply
run:
# openvasmd --migrate

###### Installation Instructions ######

These instructions assume you're familiar with slackbuilds.  If not, please
refer to http://slackbuilds.org/howto/ .

1. Build and install hiredis.

2. Build and install redis.  You need to uncomment the following 2 lines in the
   /etc/redis/redis.conf file:
#unixsocket /tmp/redis.sock
#unixsocketperm 700
   Now start up redis:
# sh /etc/rc.d/rc.redis start

3. Build and install openvas-libraries.

4. Build and install openvas-scanner.

5. You need a Certificate Authority and server certificate. Run the following
   command:
# openvas-mkcert
      
6. You need the NVT's (Network Vulnerability Tests).  Run the following
   command to sync.  In the future, you can do this through the 
   greenbone-security-assistant interface.  This will take a minute or so
   with a blazing fast internet connection. YMMV.
# openvas-nvt-sync

7. Start the openvas-scanner daemon.
# sh /etc/rc.d/rc.openvassd start

8. Build and install openvas-manager.

9. You need client certificates for manager to talk to scanner.  Use the
   following command.
# openvas-mkcert-client -n -i

10. Initialize the manager database.  This will take a while, so be patient.
# openvasmd --rebuild

11. You want encrypted credentials in the DB, so do this now.
# openvasmd --create-credentials-encryption-key
   This may take a while, so it's best to create some entropy by skipping to
   #13-#15 and then coming back, if needed.

12. Create a user.
# openvasmd --create-user=cary
    If you find the assigned password hard to remember, you can change it 
    right now.
# openvasmd --user=cary --new-password=mekmitasdigoat

13. Sync SCAP data.  This will take some time.
# openvas-scapdata-sync

14. Sync CERT data.
# openvas-certdata-sync

15. Update port names.
# wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
# openvas-portnames-update service-names-port-numbers.xml
# rm service-names-port-numbers.xml

16. Start the openvas-manager daemon.
# sh /etc/rc.d/rc.openvasmd start

17. Build and install libmicrohttpd.

18. Build and install greenbone-security-assistant.

19. Launch the greenbone-security-assistant.
# sh /etc/rc.d/rc.gsad start

20. Point your browser at https://<YOUR IP OR HOSTNAME>:9392
    You'll get a certificate error, of course (fixing this is left as an 
    excercise for the reader). Log in with your username/password from #10.

21. [Optional] Build and install openvas-cli.  You'll need this if you ever
    want to script tests.

That's it!  If you run into any problems, you can try running the 
openvas-check-setup script found here:
  https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup

If you don't have a web-server running, you can edit the /etc/rc.d/rc.gsad
script to remove the "-p 9392" option, and it will run on port 443.

Please let me know if you run into any problems.  Patches welcome!

Have Fun!

Kent Fritz
mailto:fritz.kent@gmail.com