20 November 2015

OpenVAS Security and Vulnerability Scanner on RHEL/CentOS 6.5

We have chosen OpenVAS (Open Vulnerability Assessment System), originally a German open source product, to scan our network environment, which consists of thousands of servers, both virtual and physical, running Linux and Windows.

OpenVAS is backed by the German Federal Office for Information Security (BSI), and DFN-CERT (the CERT of the German Research Network, DFN) contributes its advisories to the OpenVAS Security Feed.

OpenVAS was originally a fork of Nessus and is now an efficient alternative to Tenable's proprietary Nessus, with a free-of-charge, daily updated feed of Network Vulnerability Tests (NVTs).

Components

The OpenVAS vulnerability scanner suite consists of three major components:

openvasmd : OpenVAS Manager, running on port 9390
openvassd : OpenVAS Scanner, running on port 9391
gsad      : Greenbone Security Assistant, the web UI, running on port 9392

How to Install

I've installed OpenVAS version 7 on top of RHEL 6.5. The following explains how I did it:

1. Add the Atomicorp Repository:

# wget -q -O - http://www.atomicorp.com/installers/atomic |sh


2. Make sure SELinux is disabled:

# getenforce
Disabled

3. Make sure the iptables firewall is configured properly or it's off:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


4. Install OpenVAS:

# yum install openvas


5. Configure OpenVAS:

# openvas-setup

This also updates the vulnerability database (the NVT feed), which takes some time to complete.


6. Create Manager certificate:

# openvas-mkcert-client -n om -i


7. Login to Greenbone Web interface:

https://localhost:9392/


Notes

You will probably get the following error when trying to log in to the Greenbone Security Assistant web interface for the first time:

"Login failed. OMP service is down."

Solution:
1. Make sure the scanner is running:

# ps -ef|grep openvassd

You can run the scanner via:

# openvassd


2. Then rebuild the database:

# openvasmd --rebuild -v

This takes some time to complete.


3. Now start the manager:

# openvasmd

and make sure it is started properly:

# ps -ef|grep open
root      1406     1  4 08:47 ?        00:00:42 openvassd: Waiting for incoming connections
root      1769     1 20 09:03 pts/0    00:00:00 openvasmd
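The process listing above tells you whether the daemons exist, but the "OMP service is down" message comes from gsad failing to reach the manager on its port, so a useful check looks at both the processes and the listening sockets. The script below is an added example, not code from the original post or from the OpenVAS project: it takes `ps -ef` and `netstat -tln` output as arguments and reports each component against the ports listed under "Components". The SAMPLE_* strings are constructed stand-ins for that output so the script runs offline; on a live host pass the real command output as shown in the last comment.

```shell
#!/bin/sh
# Added example, not from the original post: check that the three OpenVAS
# components are running and listening on the ports listed under
# "Components". component_running and port_listening take `ps -ef` and
# `netstat -tln` output as their second argument; the SAMPLE_* strings below
# are constructed stand-ins for that output so the script also runs offline.

OPENVASSD_PORT=9391   # scanner
OPENVASMD_PORT=9390   # manager (the OMP service that GSA complains about)
GSAD_PORT=9392        # Greenbone Security Assistant

# component_running NAME PS_OUTPUT
# Succeeds if a process whose command (column 8 of `ps -ef`) is NAME, or
# NAME followed by a status suffix such as "openvassd: Waiting ...", exists.
component_running() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $8 ~ ("^" n "(:|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# port_listening PORT NETSTAT_OUTPUT
# Succeeds if some TCP socket in LISTEN state is bound to PORT on any address.
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" p "$") && $6 == "LISTEN" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_components PS_OUTPUT NETSTAT_OUTPUT
# Prints one status line per component; returns 1 if any is not ready.
check_components() {
    rc=0
    for entry in "openvassd:$OPENVASSD_PORT" "openvasmd:$OPENVASMD_PORT" "gsad:$GSAD_PORT"; do
        name=${entry%%:*}
        port=${entry##*:}
        if ! component_running "$name" "$1"; then
            echo "MISSING $name is not running (expected to listen on $port)"
            rc=1
        elif ! port_listening "$port" "$2"; then
            echo "WARN    $name is running but nothing listens on $port"
            rc=1
        else
            echo "OK      $name is listening on $port"
        fi
    done
    return $rc
}

# Constructed sample output, healthy: all three components up.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1406     1  4 08:47 ?        00:00:42 openvassd: Waiting for incoming connections
root      1769     1 20 09:03 pts/0    00:00:00 openvasmd
root      1801     1  0 09:05 ?        00:00:00 gsad'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9392            0.0.0.0:*               LISTEN'

# Constructed sample output reproducing the "OMP service is down" symptom:
# the scanner and GSA are up, but openvasmd was never started.
SAMPLE_PS_DOWN='UID        PID  PPID  C STIME TTY          TIME CMD
root      1406     1  4 08:47 ?        00:00:42 openvassd: Waiting for incoming connections
root      1801     1  0 09:05 ?        00:00:00 gsad'
SAMPLE_NETSTAT_DOWN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9392            0.0.0.0:*               LISTEN'

echo "healthy host:"
check_components "$SAMPLE_PS" "$SAMPLE_NETSTAT"
echo "host showing 'OMP service is down':"
check_components "$SAMPLE_PS_DOWN" "$SAMPLE_NETSTAT_DOWN" || echo "-> start openvasmd, then retry the GSA login"
# On a live host: check_components "$(ps -ef)" "$(netstat -tln)"
```

The check deliberately distinguishes "process missing" from "process up but not listening": the second case is what you see while `openvasmd --rebuild` is still running, and the fix there is to wait rather than to start a second manager.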

Creating User 

During my installation, for some reason, no user was created automatically. However, the following command creates a user with admin privileges who can log in to the Greenbone web interface:

# openvasmd --create-user user1
aea66054-404b-456b-b0a2-1defcc58877e

The generated string is that user's password for logging in to the web UI.



Service temporarily down

I received the following error, for reasons I could not determine, when I tried to start an immediate scan for the first time:

Operation: Start Task
Status code: 503
Status message: Service temporarily down

My rough guess is that I forgot to disable SELinux during the first installation. I reinstalled OpenVAS with SELinux off and did not encounter this error again.

Check openVAS setup 

You can check your installation with the openvas-check-setup script available at http://www.openvas.org/setup-and-start.html

The following is the result for my installation, which is working fine:

# ./openvasSetupChk.sh --v7
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-7

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 4.0.6.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 43955 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 43955 files for 43955 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 5.0.9.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 123.
        OK: OpenVAS Manager expects database at revision 123.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 43955 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
        OK: Greenbone Security Assistant is present in version 5.0.6.
Step 5: Checking OpenVAS CLI ...
        OK: OpenVAS CLI version 1.3.1.
Step 6: Checking Greenbone Security Desktop (GSD) ...
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: Greenbone Security Assistant is listening on port 443, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
        SUGGEST: Install alien.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
        OK: SELinux is disabled.

It seems like your OpenVAS-7 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.


Startup Scripts

Startup scripts are set up automatically during installation. To confirm:

# chkconfig --list|grep -i openvas
openvas-manager 0:off   1:off   2:on    3:on    4:on    5:on    6:off
openvas-scanner 0:off   1:off   2:on    3:on    4:on    5:on    6:off

And for the Greenbone Security Assistant:

# chkconfig --list|grep -i gsa
gsad            0:off   1:off   2:off   3:on    4:off   5:on    6:off
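Note that gsad is off in runlevels 2 and 4 while the scanner and manager are on there; that is harmless for a server that boots into runlevel 3 or 5, which is what actually matters. The script below is an added example, not code from the original post or from OpenVAS: it parses `chkconfig --list` output and flags any OpenVAS service that would not come up in runlevel 3 or 5. SAMPLE_CHKCONFIG is a constructed copy of the output above, and SAMPLE_CHKCONFIG_MISSING is a constructed case where gsad was never registered.

```shell
#!/bin/sh
# Added example, not from the original post: confirm from `chkconfig --list`
# output that each OpenVAS service starts in the runlevels the box actually
# boots into (3 and 5 on RHEL/CentOS 6). The gsad line in SAMPLE_CHKCONFIG
# reproduces the post's output, where gsad is off in 2 and 4; that is fine for
# a runlevel-3 or -5 server, so only 3 and 5 are treated as required.

# runlevel_state SERVICE LEVEL CHKCONFIG_OUTPUT
# Prints "on" or "off" for SERVICE at LEVEL, or "absent" if the service does
# not appear in the output at all (chkconfig does not know it).
runlevel_state() {
    printf '%s\n' "$3" | awk -v svc="$1" -v lvl="$2" '
        $1 == svc {
            for (i = 2; i <= NF; i++)
                if (split($i, kv, ":") == 2 && kv[1] == lvl) { print kv[2]; found = 1 }
        }
        END { if (!found) print "absent" }'
}

# enabled_at_boot SERVICE CHKCONFIG_OUTPUT
# Succeeds only if SERVICE is "on" in both runlevel 3 and runlevel 5.
enabled_at_boot() {
    [ "$(runlevel_state "$1" 3 "$2")" = on ] && [ "$(runlevel_state "$1" 5 "$2")" = on ]
}

# check_boot_services CHKCONFIG_OUTPUT
# One line per OpenVAS service; returns 1 if any would not come up at boot.
check_boot_services() {
    rc=0
    for svc in openvas-scanner openvas-manager gsad; do
        if enabled_at_boot "$svc" "$1"; then
            echo "OK   $svc is enabled in runlevels 3 and 5"
        else
            echo "FIX  $svc: 3=$(runlevel_state "$svc" 3 "$1") 5=$(runlevel_state "$svc" 5 "$1"); run 'chkconfig $svc on'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample matching the post's chkconfig output.
SAMPLE_CHKCONFIG='openvas-manager 0:off   1:off   2:on    3:on    4:on    5:on    6:off
openvas-scanner 0:off   1:off   2:on    3:on    4:on    5:on    6:off
gsad            0:off   1:off   2:off   3:on    4:off   5:on    6:off'

# Constructed sample of a box where gsad was never registered with chkconfig.
SAMPLE_CHKCONFIG_MISSING='openvas-manager 0:off   1:off   2:on    3:on    4:on    5:on    6:off
openvas-scanner 0:off   1:off   2:on    3:on    4:on    5:on    6:off'

check_boot_services "$SAMPLE_CHKCONFIG"
check_boot_services "$SAMPLE_CHKCONFIG_MISSING" || echo "-> gsad would not start after a reboot"
# On a live host: check_boot_services "$(chkconfig --list)"
```

`chkconfig SERVICE on` with no runlevel argument enables the service in runlevels 2 through 5, which is why the FIX line suggests it as the remedy.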


Example Report


The following is an example of an OpenVAS vulnerability scanner report:

Summary
This document reports on the results of an automatic security scan. The report first summarises the results found.

Scan started: Sat Nov 14 12:00:01 2015 UTC
Scan ended: Sat Nov 14 16:42:27 2015 UTC
Task: allLUX
Host Summary
Host         Start             End               High  Medium  Low  Log  False Positive
10.8.225.1   Nov 14, 12:00:09  Nov 14, 13:07:28     2      18    1   58               0
10.8.225.3   Nov 14, 12:00:09  Nov 14, 12:34:58     2      11    1   33               0
10.8.225.4   Nov 14, 12:00:09  Nov 14, 12:56:06     2      10    1   40               0
10.8.225.5   Nov 14, 12:00:09  Nov 14, 12:52:48     2      10    1   39               0
10.8.225.8   Nov 14, 12:00:09  Nov 14, 13:04:41     1      13    1   55               0
10.8.225.9   Nov 14, 12:00:09  Nov 14, 12:59:51     2      10    0   44               0
10.8.225.18  Nov 14, 12:00:09  Nov 14, 12:41:01     1       5    1   28               0

Results per Host
Host 10.8.225.1
Scanning of this host started at: Sat Nov 14 12:00:09 2015 UTC
Number of results: 79
Port Summary for Host 10.8.225.1
Service (Port) Threat Level
6001/tcp High
22/tcp High
5989/tcp Medium
5637/tcp Medium
11111/tcp Medium
2500/tcp Medium
8443/tcp Medium

High (CVSS: 8.5)
NVT: OpenSSH Multiple Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.806052) 
Product detection result: cpe:/a:openbsd:openssh:5.3 by SSH Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10267)
Summary
This host is running OpenSSH and is prone to multiple vulnerabilities.
Vulnerability Detection Result
Installed version: 5.3
Fixed version: 7.0
Impact
Successful exploitation will allow an attacker to gain privileges, to conduct impersonation attacks, to conduct brute force attacks or cause a denial of service.
Impact Level: Application
5637/tcp
Solution
Upgrade to OpenSSH 7.0 or later. For updates refer to http://www.openssh.com 
Affected Software/OS
OpenSSH versions before 7.0
Vulnerability Insight
Multiple flaws are due to: Use after free vulnerability in the 'mm_answer_pam_free_ctx' function in monitor.c in sshd. Vulnerability in 'kbdint_next_device' function in auth2chall.c in sshd. vulnerability in the handler for the MONITOR_REQ_PAM_FREE_CTX request.
Vulnerability Detection Method
Get the installed version with the help of detect NVT and check the version is vulnerable or not.
Details: OpenSSH Multiple Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.806052)
Version used: $Revision: 1784 $
Product Detection Result
Product: cpe:/a:openbsd:openssh:5.3
Method: SSH Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10267)
References
CVE: CVE-2015-6564, CVE-2015-6563, CVE-2015-5600
CERT: DFN-CERT-2015-1679, DFN-CERT-2015-1644, DFN-CERT-2015-1632, DFN-CERT-2015-1591, DFN-CERT-2015-1443, DFN-CERT-2015-1406, DFN-CERT-2015-1263, DFN-CERT-2015-1259, DFN-CERT-2015-1252, DFN-CERT-2015-1239, DFN-CERT-2015-1161, DFN-CERT-2015-1159
Other: http://seclists.org/fulldisclosure/2015/Aug/54
http://openwall.com/lists/oss-security/2015/07/23/4
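With thousands of hosts in a task, the Host Summary table is the part of the report worth processing in a script: totals per severity and the list of hosts carrying High findings are what go into the ticket, not the PDF. The functions below are an added example, not code from the original post or from OpenVAS; they parse a Host Summary table in the column order shown above and aggregate it. SAMPLE_REPORT is a constructed excerpt built from the table above, with the count columns read from the right so that the variable-width date columns do not matter.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the Host Summary
# table of an OpenVAS report (columns: Host Start End High Medium Low Log
# False Positive). SAMPLE_REPORT is a constructed excerpt in that layout.

SAMPLE_REPORT='Scan started: Sat Nov 14 12:00:01 2015 UTC
Scan ended: Sat Nov 14 16:42:27 2015 UTC
Task: allLUX
Host Summary
Host Start End High Medium Low Log False Positive
10.8.225.1 Nov 14, 12:00:09 Nov 14, 13:07:28 2 18 1 58 0
10.8.225.3 Nov 14, 12:00:09 Nov 14, 12:34:58 2 11 1 33 0
10.8.225.4 Nov 14, 12:00:09 Nov 14, 12:56:06 2 10 1 40 0
10.8.225.5 Nov 14, 12:00:09 Nov 14, 12:52:48 2 10 1 39 0
10.8.225.8 Nov 14, 12:00:09 Nov 14, 13:04:41 1 13 1 55 0
10.8.225.9 Nov 14, 12:00:09 Nov 14, 12:59:51 2 10 0 44 0
10.8.225.18 Nov 14, 12:00:09 Nov 14, 12:41:01 1 5 1 28 0

Results per Host
Host 10.8.225.1'

# host_rows REPORT
# Prints one line per scanned host: "host high medium low log fp".
# The table runs from the "Host Start End ..." header to the next blank line;
# the five rightmost columns are the severity counts, so they are indexed from
# the end and the date columns in between may be any width.
host_rows() {
    printf '%s\n' "$1" | awk '
        /^Host +Start/ { in_table = 1; next }
        /^$/ || /^Results per Host/ { in_table = 0 }
        in_table && NF >= 6 && $NF ~ /^[0-9]+$/ {
            print $1, $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF
        }'
}

# report_totals REPORT
# Prints "high=N medium=N low=N log=N fp=N" summed over all hosts.
report_totals() {
    host_rows "$1" | awk '
        { h += $2; m += $3; l += $4; g += $5; f += $6 }
        END { printf "high=%d medium=%d low=%d log=%d fp=%d\n", h, m, l, g, f }'
}

# hosts_at_or_above REPORT MIN_HIGH
# Hosts with at least MIN_HIGH High-severity findings, highest count first,
# as "host high" lines.
hosts_at_or_above() {
    host_rows "$1" | awk -v min="$2" '$2 >= min { print $1, $2 }' | sort -k2,2nr -k1,1
}

echo "scan totals: $(report_totals "$SAMPLE_REPORT")"
echo "hosts with 2 or more High findings:"
hosts_at_or_above "$SAMPLE_REPORT" 2
# On a real report exported as text: report_totals "$(cat report.txt)"
```

For the table above this yields 12 High, 77 Medium, 6 Low and 297 Log results across the seven hosts, five of which carry two High findings; the detail section that follows shows what one of those High findings looks like.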




