OpenVAS Scaled for the Enterprise: Central Web GUI Part 1

There are a lot of very good tools on the market for vulnerability scanning, but most of them cost more than $50,000 for the basic needs of most individuals or organizations. This is also true of security tools in general. The money spent on the tool(s) doesn't fix the knowledge gaps of those running the tools or of those who need to act upon the tools' findings. I've found that smart and well-trained individuals, coupled with a reasonable (open source) tool set, a good process, and discipline, will far exceed what spending lots of money on tools and mediocre staff can do. With this in mind, I set out to use a scaled-out OpenVAS as my vulnerability scanning solution. Instead of just downloading and installing it on a generic Linux distro, I decided to install it on Kali Linux so that additional tools would be on hand to verify vulnerabilities, and available for other work while scans weren't running. If you follow all of the instructions, you will have:

  • a central OpenVAS node that will provide your normal OpenVAS Web GUI
  • multiple nodes to take care of the heavy scanning workloads
  • each node can handle defined target lists
  • notify your teams of start and end scanning activities so nobody responds thinking these are unauthorized scans
  • a few ways to troubleshoot or recover your OpenVAS setup

Stick with me as we cover the basics and then get into more detailed instructions. You can download your distro of choice, but for this setup I will be using Kali Linux 64-bit from https://www.kali.org/downloads/. Use your virtualization platform of choice. For home use, you can use VMware Workstation or VirtualBox. Most enterprises will use VMware, Nutanix, or AWS. After you have downloaded and stepped through the Kali Linux installation, you will want to allow SSH to the system. It is best to close this again later, but for the rest of the setup you won't want to use the console in your virtualization software: copying and pasting commands into it can be harder, and it gives mixed results if you are connecting to locations around the globe.

Kali Linux SSH Setup - Allow incoming SSH

For the setup phase, allow ssh connections. Open a terminal:

vi /etc/ssh/sshd_config

PermitRootLogin yes
PasswordAuthentication yes

# Enable SSH at boot and restart the service

systemctl enable ssh
systemctl restart ssh
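The sshd_config edit above is a hand edit in vi. As an added example (not part of the original post), here is a small POSIX sh script that makes the same edit idempotent and scriptable, and carries the matching "close it again" step for after setup. The function names, the file argument and the usage line are my own; the directives and values are the post's.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent edits to sshd_config,
# so the "open SSH for setup" step and the later "close it again" step can both
# be scripted and re-run safely. Every function takes the config file as its
# first argument so it can be exercised on a copy instead of /etc/ssh/sshd_config.
set -eu

# set_sshd_option FILE KEY VALUE
# Turns the first active or commented-out "KEY ..." line into "KEY VALUE",
# drops any later duplicates (sshd honours the first occurrence only), and
# appends the directive if the file has no such line at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]]+/)
            if (f[1] == k) {
                if (!done) { print k " " v; done = 1 }   # first occurrence becomes the directive
                next                                      # later occurrences are dropped
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # keep the original inode and permissions
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> prints the value of the first active KEY line
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Setup phase, as in the post: root may log in over SSH with a password.
open_ssh_for_setup() {
    set_sshd_option "$1" PermitRootLogin yes
    set_sshd_option "$1" PasswordAuthentication yes
}

# After setup: back to key-based logins only, and no direct root login.
close_ssh_after_setup() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# Usage: sh sshd-setup.sh open|close [FILE]   (then: systemctl restart ssh)
case "${1-}" in
    open)  open_ssh_for_setup    "${2:-/etc/ssh/sshd_config}" ;;
    close) close_ssh_after_setup "${2:-/etc/ssh/sshd_config}" ;;
esac
```

Run it as `sh sshd-setup.sh open` now and `sh sshd-setup.sh close` once the setup is finished, restarting ssh after each. Because commented-out defaults such as `#PermitRootLogin prohibit-password` are rewritten in place rather than appended after, the resulting file has exactly one line per directive and there is no stale earlier value for sshd to pick up first.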

Get the latest updates for your system and reboot.

apt-get dist-upgrade
reboot

OpenVAS installation

Install OpenVAS. The openvas-setup step will take some time, as it downloads all of the NVTs and other updates. It can take more than 30 minutes. A fast connection helps, but it still takes a while even on the best of connections.

apt-get install openvas -y
openvas-setup

Set the system's hostname to the FQDN

Set Hostname to your domain.

hostnamectl set-hostname openvas.givemeit.com

OpenVAS allow remote connections to web GUI

To have OpenVAS accept remote connections, append or change the --listen and --allow-header-host options on the gsad command in the service unit:

vi /lib/systemd/system/greenbone-security-assistant.service

[Unit]
Description=Greenbone Security Assistant
Documentation=man:gsad(8) http://www.openvas.org/
Wants=openvas-manager.service
[Service]
Type=simple
PIDFile=/var/run/gsad.pid
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --allow-header-host "openvas.givemeit.com"
[Install]
WantedBy=multi-user.target

If you do not set the --allow-header-host option, you will see the following message in the browser window when you try to access the OpenVAS URL: "The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it."
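The Host header error is easy to run into again whenever the hostname changes, so a pre-flight check is worth scripting. The following is an added example, not part of the original post: a POSIX sh script that reads the ExecStart line of the unit file above and confirms that --allow-header-host matches the name the GUI will be reached by, and that the manager port (--mlisten) stays on loopback while only the GUI listens on 0.0.0.0. Function names and the usage line are my own.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check for the gsad
# systemd unit. A missing or mismatched --allow-header-host is what produces
# the "unknown or invalid Host header" page in the browser.
set -eu

# gsad_execstart FILE -> prints the command part of the first ExecStart= line
gsad_execstart() {
    sed -n 's/^ExecStart=//p' "$1" | head -n 1
}

# gsad_option FILE OPTION -> prints the value of --OPTION, whether written as
# --opt=value, --opt value or --opt "value"; prints nothing if it is absent.
gsad_option() {
    gsad_execstart "$1" | awk -v opt="--$2" '{
        for (i = 1; i <= NF; i++) {
            if ($i == opt && i < NF) { v = $(i + 1) }
            else if (index($i, opt "=") == 1) { v = substr($i, length(opt) + 2) }
        }
        gsub(/^"|"$/, "", v)   # strip surrounding quotes, as in the unit above
        print v
    }'
}

# check_gsad_host FILE FQDN -> 0 when FQDN is the Host header gsad will accept
check_gsad_host() {
    [ "$(gsad_option "$1" allow-header-host)" = "$2" ]
}

# check_manager_local FILE -> 0 when the OMP manager connection stays on
# loopback; only the web GUI should be exposed on 0.0.0.0
check_manager_local() {
    [ "$(gsad_option "$1" mlisten)" = 127.0.0.1 ]
}

# Usage: sh gsad-check.sh UNITFILE FQDN
#   e.g. sh gsad-check.sh /lib/systemd/system/greenbone-security-assistant.service "$(hostname -f)"
if [ $# -eq 2 ]; then
    if check_gsad_host "$1" "$2" && check_manager_local "$1"; then
        echo "ok: gsad accepts Host '$2' and the manager stays on loopback"
    else
        echo "mismatch: allow-header-host is '$(gsad_option "$1" allow-header-host)', mlisten is '$(gsad_option "$1" mlisten)'"
        exit 1
    fi
fi
```

Run it after `hostnamectl set-hostname` and again after any edit to the unit; a non-zero exit tells you the browser error will appear before you go looking for it in gsad's logs.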

Automatically update feeds

Automatically update the feeds. I've had these updates fail before, and when they do, scanning stops working even though the scanner is still responsive. We will cover how to fix this later on. Two parts are required: the feed update downloads the data, and openvasmd then updates the database. For openvasmd, --rebuild could be used so it completes faster, but it locks the database until it completes; --update allows users to keep accessing the database while it updates.

crontab -e

0 4 * * * /usr/bin/openvas-feed-update
0 5 * * * /var/lib/openvas/openvasmd --update

systemctl restart cron
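The two cron entries above assume the feed download is finished by the time the 05:00 openvasmd run starts, and a failed download only shows up when scans stop producing results. As an added example (not part of the original post), the wrapper below runs both steps in sequence from a single cron entry: the cache update only starts once the download has succeeded, a lock directory prevents overlapping runs, and every outcome is logged. The command paths are the ones in the post's crontab; the log path, lock path, script name and function names are my own assumptions and can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not from the original post): run the feed download and the
# NVT cache update as one job, so a failed download never leaves a half-updated
# cache and the failure is written where you will see it.
set -u

FEED_UPDATE=${FEED_UPDATE:-/usr/bin/openvas-feed-update}     # path from the post's crontab
OPENVASMD=${OPENVASMD:-/var/lib/openvas/openvasmd}           # path from the post's crontab
LOCK=${LOCK:-/var/run/openvas-feed-sync.lock}                # assumed lock location
LOG=${LOG:-/var/log/openvas/feed-sync.log}                   # assumed log location

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# sync_feeds -> 0 on success, 1 if either step failed, 2 if a previous run
# still holds the lock (mkdir is atomic, so it doubles as the lock primitive)
sync_feeds() {
    if ! mkdir "$LOCK" 2>/dev/null; then
        log "skipped: a previous feed sync is still running"
        return 2
    fi
    rc=0
    log "feed download starting"
    if "$FEED_UPDATE" >> "$LOG" 2>&1; then
        log "feed download ok; updating NVT cache (--update keeps the database usable)"
        if "$OPENVASMD" --update >> "$LOG" 2>&1; then
            log "NVT cache update ok"
        else
            log "ERROR: openvasmd --update failed; scans may stop until this is fixed"
            rc=1
        fi
    else
        log "ERROR: feed download failed; NVT cache left untouched"
        rc=1
    fi
    rmdir "$LOCK"
    return $rc
}

# Crontab entry replacing the two separate lines (assumed install path):
#   0 4 * * * /usr/local/sbin/openvas-feed-sync run
if [ "${1-}" = run ]; then
    sync_feeds
fi
```

Because the script exits non-zero on failure, cron's own mail (or a wrapper that checks the exit code) reports the problem the same morning, instead of the first sign being a scanner that is reachable but no longer finding anything.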

Email Settings for notifications and reports

OpenVAS will need Postfix installed for any of the report emails to work. The settings below go in /etc/postfix/main.cf. I have a relay host specified, but your environment may or may not need one. It is also important to set inet_protocols to "ipv4" only. If you don't, Postfix will try IPv6 first, and if the host has no IPv6 address, Postfix will fail.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = openvas.givemeit.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, openvas.givemeit.com
relayhost = relayhost.givemeit.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4


Make sure to set Postfix to start on boot, and then start the service.

systemctl enable postfix
systemctl start postfix

OpenVAS User Management

If you need to set or reset the admin user password, use the following openvasmd command.

openvasmd --user=admin --new-password=yournewpassword

To see all available options:

openvasmd --help

To view all of the users:

openvasmd --get-users

Create a new user, set the new user's password, and give it the Admin role:

openvasmd --create-user=openvasuser1 --role=Admin
openvasmd --new-password=openvasuser1pass! --user=openvasuser1

Setting up OpenVAS Scanning Nodes

Check out Part 2 of the setup dedicated to Scanner Node configurations at http://www.givemeit.com/openvas-scaled-for-the-enterprise-on-kali-scann…

openvasmd help options

We will be using more of these commands later in the setup process.

Usage:
  openvasmd [OPTION…] - Manager of the Open Vulnerability Assessment System

Help Options:
  -h, --help                                   Show help options

Application Options:
  --backup                                     Backup the database.
  --check-alerts                               Check SecInfo alerts.
  --client-watch-interval=<number>             Check if client connection was closed every <number> seconds. 0 to disable. Defaults to 1 seconds.
  -d, --database=<file/name>                   Use <file/name> as database for SQLite/Postgres.
  --disable-cmds=<commands>                    Disable comma-separated <commands>.
  --disable-encrypted-credentials              Do not encrypt or decrypt credentials.
  --disable-password-policy                    Do not restrict passwords to the policy.
  --disable-scheduling                         Disable task scheduling.
  --create-user=<username>                     Create admin user <username> and exit.
  --delete-user=<username>                     Delete user <username> and exit.
  --get-users                                  List users and exit.
  --create-scanner=<scanner>                   Create global scanner <scanner> and exit.
  --modify-scanner=<scanner-uuid>              Modify scanner <scanner-uuid> and exit.
  --scanner-name=<name>                        Name for --modify-scanner.
  --scanner-host=<scanner-host>                Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
  --otp-scanner=<unixsocket>                   Path to scanner unix socket file. Used by --rebuild and --update
  --scanner-port=<scanner-port>                Scanner port for --create-scanner and --modify-scanner. Default is 9391.
  --scanner-type=<scanner-type>                Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.
  --scanner-ca-pub=<scanner-ca-pub>            Scanner CA Certificate path for --[create|modify]-scanner.
  --scanner-key-pub=<scanner-key-public>       Scanner Certificate path for --[create|modify]-scanner.
  --scanner-key-priv=<scanner-key-private>     Scanner private key path for --[create|modify]-scanner.
  --verify-scanner=<scanner-uuid>              Verify scanner <scanner-uuid> and exit.
  --delete-scanner=<scanner-uuid>              Delete scanner <scanner-uuid> and exit.
  --get-scanners                               List scanners and exit.
  --schedule-timeout=<time>                    Time out tasks that are more than <time> minutes overdue. -1 to disable, 0 for minimum time, default: 60
  -f, --foreground                             Run in foreground.
  --inheritor=<username>                       Have <username> inherit from deleted user.
  -a, --listen=<address>                       Listen on <address>.
  --listen2=<address>                          Listen also on <address>.
  --listen-owner=<string>                      Owner of the unix socket
  --listen-group=<string>                      Group of the unix socket
  --listen-mode=<string>                       File mode of the unix socket
  --max-ips-per-target=<number>                Maximum number of IPs per target.
  --max-email-attachment-size=<number>         Maximum size of alert email attachments, in bytes.
  --max-email-include-size=<number>            Maximum size of inlined content in alert emails, in bytes.
  --max-email-message-size=<number>            Maximum size of user-defined message text in alert emails, in bytes.
  -m, --migrate                                Migrate the database and exit.
  --modify-setting=<uuid>                      Modify setting <uuid> and exit.
  --encrypt-all-credentials                    (Re-)Encrypt all credentials.
  --new-password=<password>                    Modify user's password and exit.
  --optimize=<name>                            Run an optimization: vacuum, analyze, cleanup-config-prefs, remove-open-port-results, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache.
  --password=<password>                        Password, for --create-user.
  -p, --port=<number>                          Use port number <number>.
  --port2=<number>                             Use port number <number> for address 2.
  --progress                                   Display progress during --rebuild and --update.
  --rebuild                                    Rebuild the NVT cache and exit.
  --role=<role>                                Role for --create-user and --get-users.
  -u, --update                                 Update the NVT cache and exit.
  -c, --unix-socket=<filename>                 Listen on UNIX socket at <filename>.
  --user=<username>                            User for --new-password.
  --gnutls-priorities=<priorities-string>      Sets the GnuTLS priorities for the Manager socket.
  --dh-params=<file>                           Diffie-Hellman parameters file
  --value=<value>                              Value for --modify-setting.
  -v, --verbose                                Has no effect.  See INSTALL for logging config.
  --version                                    Print version and exit.