[atomic] Openvas 4.x Updates

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

is openvas-nvt-sync-cron supposed to take a long time?
Its been running for about 20 minutes so far....

Is there also some instructions for CLI usage for scanning and emailing reports for those of us who don't use a GUI or dont want to use a web based manager?

scott · **Posted:** Mon Apr 25, 2011 9:40 pm

Yes, its grabbing all the NVT's from upstream. That can take a while, depending on how loaded the servers are.

I havent used omp myself (I use GSA), you'd have to check on the openvas website for more information on that.

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

well it was at 2 hours last I checked - its on a server with no cusotmers, no traffic and no load so I expected it to be quite a bit faster starting the scanner.....

scott · **Posted:** Tue Apr 26, 2011 8:26 am

Yeah but how many people are hitting the openvas update server right now?

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

If i do it manually it takes for ever loading all the plugins

[edit]
I came back this morning and it had started, but I still do see this never working

Code:

# ./openvas-check-setup
openvas-check-setup 2.0.6
  Test completeness and readiness of OpenVAS-4

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 3.2.3.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 21019 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 2.0.3.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db)
        FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.

 ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

# openvasmd --rebuild
Aborted
# service openvas-scanner status
openvassd (pid  813200) is running...

# service openvas-manager status
-l is stopped

# service openvas-manager start
Starting openvas-manager:
                                                           [  OK  ]

# service openvas-manager status
-l is stopped

So apparently it didnt like that it didnt create the db file, so I created an empty one and now that all is ok

Code:

# touch /var/lib/openvas/mgr/tasks.db
# openvasmd --backup
# openvasmd --rebuild
# service openvas-manager status
-l is stopped

# service openvas-manager start
Starting openvas-manager:
                                                           [  OK  ]

# service openvas-manager status
-l (pid  463527) is running...

Now the setup verification script is complaining about something else

Code:

# ./openvas-check-setup --server
openvas-check-setup 2.0.6
  Test completeness and readiness of OpenVAS-4

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 3.2.3.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 21019 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 2.0.3.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 41.
        OK: OpenVAS Manager expects database at revision 41.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 21019 NVTs.
        OK: xsltproc found.
[b]Step 3: Checking OpenVAS Administrator ...
        ERROR: No OpenVAS Administrator (openvasad) found.
        FIX: Please install OpenVAS Administrator.[/b]

 ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

So it wanted me to install openvas-administrator which didnt auto install with the yum install openvas command previously.

and even though I did this from the start, it now wants me to create a user

Code:

Step 3: Checking OpenVAS Administrator ...
        OK: OpenVAS Administrator is present in version 1.1.1.
        OK: At least one user exists.
        ERROR: No admin user found. You need to create at least one admin user to log in.
        FIX: Create a user using 'openvasad -c 'add_user' -n <name> -r Admin'


# openvasad -c 'add_user' -n ovAdmin -r Admin
Enter password:
ad   main:MESSAGE:465416:2011-04-26 09h22.41 PDT: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:465416:2011-04-26 09h22.41 PDT: User ovAdmin has been successfully created.

it also didnt start the openvas administrator, so I had to start that manually as well.
Now it seems to be "ok" except that it always complains that the GSA is not bound to anything other than the local interface, and says it fixes it, but it says this every time - how can I make that permanent?

Code:

Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: OpenVAS Administrator is running and listening on all interfaces.
        OK: OpenVAS Administrator is listening on port 9393, which is the default port.
        [b]WARNING: Greenbone Security Assistant is running and listening only on the local interface. This means that you will not be able to access the Greenbone Security Assistant from the outside using a web browser.
        SUGGEST: Ensure that Greenbone Security Assistant listens on all interfaces.
        OK: Greenbone Security Assistant is listening on port 9392, which is the default port.[/b]
It seems like your OpenVAS-4 installation is OK.

Code:

# netstat -an | grep 939
tcp        0      0 0.0.0.0:9390                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9391                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:9392              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9393                0.0.0.0:*                   LISTEN

scott · **Posted:** Tue Apr 26, 2011 2:44 pm

The setup check script still needs some work as you see. I'd report that to upstream, since its not even part of the distribution yet. They could definitely use the feedback.

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

how do I tell it to bind to the private IP on the box instead of 0.0.0.0/127.0.0.1 so I can access the gui from outside of the local machine?

scott · **Posted:** Tue Apr 26, 2011 4:34 pm

it uses the same sysconfig system as other daemons, so you can modify scanner/administrator/gsad/manager from there respective /etc/sysconfig/ files. 0.0.0.0 should be all interfaces though, are there firewall rules blocking it?

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

I dont think so but its possible. It may be an upstream firewall - I'll check.

Is there a way to initiate a scan from the command line and send the results via email instead of using the web gui?

scott · **Posted:** Fri Apr 29, 2011 4:25 pm

I don't know about OMP, but you can create scheduled scans through GSA and create events (called "Escalators") around scans & scan targets. That event can be send an email, execute something, SNMP Trap, etc. So if you're trying to create a regularly scheduled test for your environment Id probably start with that.

Also you do not need to run GSA on the same system you scan from. Its basically just a client to openvas-manager. I run mine on my desktop, and then have it set to connect to remote scanners, which will let you view your reports while the scans are running, stop/start/pause, configure false positives & false negatives, etc.

Funboy · **Joined:** Wed Aug 05, 2009 4:33 am **Posts:** 54

Attn hostingguy or Scott

RE: can access the gui from outside of the local machine?

Did you ever get this working? I have installed Openvas on a Centos 5 64bit system and would also like to access it from outside, I have punched a hole in my firewall but nothing works using my server IP on port :9392 so just wondered if you ever got it going and could point me in the right direction as to what might need changing, everything my end so far is as per default installation.

Thanks.

hostingguy · **Joined:** Mon Oct 29, 2007 6:51 pm **Posts:** 606

I only spent another 5 minutes on this so far to confirm it wasnt a upstream firewall issue, but after that got sidetracked on other stuff and havent made it back to this yet unfortunately, so I dont think I will be much help in the short term.

scott · **Posted:** Thu May 05, 2011 8:35 am

I didnt have to do anything other than allow that port through the host firewall rules.

xmichielx · **Joined:** Thu Nov 12, 2009 9:01 am **Posts:** 39

Hi,

I am having a similair problem with OpenVAS 4.* and gasd.
When I run the '/usr/local/sbin/openvas-check-setup' script I get:

ERROR: The number of NVTs in the OpenVAS Manager database is too low.
FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.

ERROR: Your OpenVAS-4 installation is not yet complete!

I did the following to create the openvas-manager db:

touch /var/lib/openvas/mgr/tasks.db
openvasmd --backup
openvasmd --rebuild
service openvas-manager status
-l is stopped
service openvas-manager start
Starting openvas-manager:
[ OK ]
service openvas-manager status
-l is stopped

Then I check the database:
sqlite3 tasks.db "select count(*) from nvts;"
0

So it seems the NVT's are being uploaded in the database.
I can run the cron script fine and when I run openvas-nvt-sync --wget manually it gets all files.
user is created, new cert has been made.

Distro: CentOS 5.6 64 bit

What can be wrong with putting the NVT in the task.db file?

scott · **Posted:** Fri May 06, 2011 3:47 pm

Ok looks like that is a bug in openvas-manager, its not letting it create the tasks db. Go ahead and upgrade to 2.0.3-3, delete that tasks.db and try running rebuild again.

For new users, just skip all the above and use the documented method:
1. yum install openvas
2. openvas-nvt-sync-cron
3. openvas-adduser

[atomic] Openvas 4.x Updates

Who is online