December 10

OpenVAS Information

OpenVAS Installation on CentOS 6.4 x64

I’ve been toying with OpenVAS for a bit and ran into quite a few problems with it right out of the box. These are my notes for installing OpenVAS on CentOS 6.4, though it should work with any distro of CentOS 6.

Download Link – http://www.openvas.org/install-packages-v6.html

OpenVAS for CentOS via Atomic

Step 1: Configure Atomicorp Repository

(as user root, only once)

wget -q -O - http://www.atomicorp.com/installers/atomic |sh

Step 2: Quick-Install OpenVAS
(as user root, only once)

yum upgrade
yum install openvas
openvas-setup

Step 3: Quick-Start OpenVAS

( nothing to do, all is up and running directly after installation )

Step 4: Log in to OpenVAS with the user created in Step 2

Open https://<<server-ip-address>>:9392/.

OpenVAS Issues I’ve Come Across…

Web Interface Stops Responding

When I started to play around in the web interface, all of a sudden the web interface would die. If I was SSH’d into the box, I’d see the following error in the console…

(process:2179): GLib-CRITICAL (recursed) **: g_string_erase: assertion `pos + len <= string->len' failed

The fix for this, believe it or not, is to disable logging. Apparently this error is caused by logging.

Run the following command to edit the logging config file. I use nano, sorry to all of you hardcore vi users.

[root@openvas ~]# nano /etc/openvas/gsad_log.conf

Edit your config file so that the level=128 line now reads level=0, as shown below.

# GSA logging configuration
#
# WARNING: Setting the level of any of the library groups or the "*"
# group to include debug may reveal passwords in the logs.

[gsad main]
prepend=%t %p
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
file=/var/log/openvas/gsad.log
level=0

[gsad omp]
prepend=%t %p
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
file=/var/log/openvas/gsad.log
level=0

[*]
prepend=%t %p
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
file=/var/log/openvas/gsad.log
level=0

Once you’ve done that, restart the gsad service…

[root@openvas ~]# service gsad restart 
Stopping greenbone-security-assistant: [ OK ]
Starting greenbone-security-assistant: [ OK ]
[root@openvas ~]#
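
An added example (not from the original post or the OpenVAS project) that lists the level set in each section of a gsad_log.conf, so you can see which sections sit at debug level, which the file's own warning says may reveal passwords, and which are silenced entirely. It assumes the levels are GLib's numeric values (128 = debug); the sample config inside is constructed.

```shell
#!/bin/sh
# Added example: report the "level" of every section in a gsad_log.conf.
# Assumption: levels are GLib's numeric values (128 = debug, 0 = nothing).

audit_log_conf() {   # prints "section|level|verdict" per [section]
    awk '
        function report(   v) {
            if (lvl == "unset")          v = "unset"
            else if (lvl !~ /^[0-9]+$/)  v = "invalid"
            else if (lvl + 0 >= 128)     v = "debug"       # may log passwords
            else if (lvl + 0 == 0)       v = "silent"      # no audit trail
            else                         v = "below-debug"
            print sec "|" lvl "|" v
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blanks
        /^\[.*\]/ {                                        # [section] header
            if (sec != "") report()
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            lvl = "unset"; next
        }
        /^[ \t]*level[ \t]*=/ {                            # level=N line
            lvl = $0; sub(/^[^=]*=[ \t]*/, "", lvl); sub(/[ \t\r]+$/, "", lvl)
        }
        END { if (sec != "") report() }
    ' "$1"
}

sample_conf() {      # constructed sample, not taken from a real host
    cat <<'EOF'
# GSA logging configuration
[gsad main]
prepend=%t %p
file=/var/log/openvas/gsad.log
level=128

[gsad omp]
file=/var/log/openvas/gsad.log
level=0

[*]
file=/var/log/openvas/gsad.log
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
if [ -f "${1:-}" ]; then
    audit_log_conf "$1"
else
    tmp=$(mktemp) && sample_conf > "$tmp" && audit_log_conf "$tmp"
    rm -f "$tmp"
fi
```

Run it against /etc/openvas/gsad_log.conf before and after the edit; with every section at 0 the web interface leaves no log trail, which is why the next problem was hard to diagnose.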

Scans Show Completed But Don’t Actually Run

This is one issue that caused quite a bit of a headache for us. We would kick off a scan and it would start, show as running, tell us it was complete after about a minute and then the report would be blank.

Because we had to turn off logging (due to the bug mentioned further up the page), there wasn’t much information available to us as to what was going on. What we figured out was this… if the device is not detected to be alive by ICMP, the scan will immediately fail assuming the host is down.

Go to Configuration -> Targets and select your target….

You will notice the Alive Test is set to “Scan Config Default”. Click the blue wrench at the top of this screen (the red arrow is pointing to it on the screenshot above) to configure this target.

Change the Alive Test from Scan Config Default to Consider Alive and then save, then restart your test. It should work now. If not, you’re on your own.

Updating OpenVAS SSL Certificate

So some versions of OpenVAS install with already expired certificates. Here’s what you need to do to fix that.

From SSH….

[root@openvas31 ~]# openvas-mkcert -f

Results should look like this:

-------------------------------------------------------------------------------
 Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.
CA certificate life time in days [1460]: 
Server certificate life time in days [365]: 
Your country (two letter code) [DE]: 
Your state or province name [none]: 
Your location (e.g. town) [Berlin]: 
Your organization [OpenVAS Users United]: 
-------------------------------------------------------------------------------
 Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------
Congratulations. Your server certificate was properly created.
The following files were created:
. Certification authority:
 Certificate = /var/lib/openvas/CA/cacert.pem
 Private key = /var/lib/openvas/private/CA/cakey.pem
. OpenVAS Server : 
 Certificate = /var/lib/openvas/CA/servercert.pem
 Private key = /var/lib/openvas/private/CA/serverkey.pem
Press [ENTER] to exit

Next step….

[root@openvas31 ~]# openvas-mkcert-client -i -n

Results should look like this:

Generating RSA private key, 1024 bit long modulus
..++++++
..............++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.2088/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
localityName :PRINTABLE:'Berlin'
commonName :PRINTABLE:'om'
Certificate is to be certified until Dec 10 17:30:59 2015 GMT (365 days)
Write out database with 1 new entries
Data Base Updated

Once that is done, restart the services….

[root@openvas31 ~]# /etc/init.d/openvas-manager restart
Stopping openvas-manager: [ OK ]
Starting openvas-manager: [ OK ]
[root@openvas31 ~]# /etc/init.d/openvas-scanner restart
Stopping openvas-scanner: [ OK ]
Starting openvas-scanner: [ OK ]
[root@openvas31 ~]#
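
An added example (not part of the original notes) for checking whether the certificates at the paths openvas-mkcert reports are expired or close to expiry, before and after regenerating them. The 30-day warning window and the 2048-bit RSA threshold are assumptions of this example, and it needs the openssl command.

```shell
#!/bin/sh
# Added example: expiry and key-size check for the certificates that
# openvas-mkcert writes. Requires the openssl command-line tool.

# cert_status FILE [DAYS] -> missing | unreadable | expired | expiring | ok
cert_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    window=$(( ${2:-30} * 86400 ))            # warning window in seconds
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# cert_key_bits FILE -> public key size in bits (empty if it cannot be read)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# report_cert FILE [DAYS] -> one summary line; flags RSA keys under 2048 bits
# (the 2048-bit threshold is this example's assumption, not from the post)
report_cert() {
    st=$(cert_status "$1" "${2:-30}")
    bits=$(cert_key_bits "$1")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then st="$st,weak-key"; fi
    echo "$1: $st${bits:+ (${bits}-bit key)}"
}

# Paths as printed by openvas-mkcert in the output above.
for f in /var/lib/openvas/CA/cacert.pem /var/lib/openvas/CA/servercert.pem; do
    report_cert "$f" 30
done
```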