OS: CentOS 6.2 32bit Hardware: Virtual Machine (VirtualBox 4.1.14) OpenVAS: 5
OpenVAS is an opensource vulnerability network scanner. OpenVAS let you scan your network for vulnerabilities and create a report on your network status.
vi /etc/selinux/config
...
SELINUX=disabled
...
yum install wget -y
yum update -y reboot
wget -q -O - http://www.atomicorp.com/installers/atomic |sh
Atomic Archive installer, version 2.0.3 BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE: THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Do you agree to these terms? (yes/no) [Default: yes] ENTER
Installing the Atomic GPG key: OK Downloading atomic-release-1.0-14.el6.art.noarch.rpm: OK The Atomic Rocket Turtle archive has now been installed and configured for your system The following channels are available: atomic - [ACTIVATED] - contains the stable tree of ART packages atomic-testing - [DISABLED] - contains the testing tree of ART packages atomic-bleeding - [DISABLED] - contains the development tree of ART packages
yum install openvas -y
openvas-setup
Openvas Setup, Version: 0.1 Step 1: Update NVT's Please note this step could take some time. Once completed, NVT's will be updated automatically every 24 hours Updating NVTs.... Stopping openvas-scanner: [ OK ] Starting openvas-scanner: [ OK ] Updating OpenVAS Manager database.... Step 2: Configure GSAD The Greenbone Security Assistant is a Web Based front end for managing scans. By default it is configured to only allow connections from localhost. Allow connections from any IP? [Default: yes] Stopping gree[ OK ]curity-assistant: Starting greenbone-security-assistant: [ OK ] Step 3: Choose the GSAD admin users password. The admin user is used to configure accounts, Update NVT's manually, and manage roles. Enter password: enter password for admin user ENTER
ad main:MESSAGE:3223:2012-01-19 11h09.05 IST: No rules file provided, the new user will have no restrictions. ad main:MESSAGE:3223:2012-01-19 11h09.05 IST: User admin has been successfully created. Step 4: Create a user Using /var/tmp as a temporary file holder. Add a new openvassd user --------------------------------- Login : humus ENTER
Authentication (pass/cert) [pass] : ENTER
Login password : enter user password ENTER
Login password (again) : enter user password again ENTER
User rules --------------- openvassd has a rules system which allows you to restrict the hosts that humus has the right to test. For instance, you may want him to be able to scan his own host only. Please see the openvas-adduser(8) man page for the rules syntax. Enter the rules for this user, and hit ctrl-D once you are done: (the user can have an empty rules set) ctrl-D
Login : humus Password : *********** Rules : Is that ok? (y/n) [y] ENTER
Setup complete, you can now access GSAD at: https://:9392
/etc/init.d/openvas-administrator start
cd /usr/local/src/ wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup -O openvas-check-setup.sh --no-check-certificate chmod +x openvas-check-setup.sh ./openvas-check-setup.sh --server
vi /etc/sysconfig/iptables
...
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9392 -j ACCEPT
...
service iptables restart
That’s it. OpenVAS server installation completed. You can create new scans on your network and schdule them to run frequently and check their reports.
For more information on OpenVAS visit http://www.openvas.org