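Last year I installed OpenVAS with yum on CentOS 6.4, and during scans the client kept crashing. OpenVAS support for CentOS is poor: on CentOS 6.4 a fresh yum install no longer worked, and compiling from source meant exporting all kinds of dependencies. In the end I gave up on CentOS 6.4 and compiled and installed it on Ubuntu.
I. Preparation
1. System environment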
root@bob-Openvas:~# lsb_release -a
Ubuntu 14.04.4 LTS
2. Install the dependency packages
root@bob-Openvas:~# apt-get update
root@bob-Openvas:~# apt-get install openssh-server
root@bob-Openvas:~# apt-get install lrzsz
root@bob-Openvas:~# apt-get install build-essential bison flex cmake pkg-config libglib2.0-0 libglib2.0-dev
root@bob-Openvas:~# apt-get install libgnutls-dev
root@bob-Openvas:~# apt-get install libgnutls28-dev
root@bob-Openvas:~# apt-get install libpcap0.8 libpcap0.8-dev libgpgme11 libgpgme11-dev doxygen libuuid1 uuid-dev sqlfairy xmltoman sqlite3
root@bob-Openvas:~# apt-get install libxml2-dev libxslt1.1 libxslt1-dev xsltproc libmicrohttpd-dev libsqlite3-dev rsync libldap2-dev libhiredis-dev
root@bob-Openvas:~# apt-get install libgcrypt-dev zlib1g-dev libssh-dev
3. Download the OpenVAS packages
http://www.openvas.org/install-source.html
(1) libraries: the OpenVAS library files
openvas-libraries-8.0.7.tar.gz
(2) scanner: the scanner, which invokes the vulnerability-detection plugins and performs the actual scan.
openvas-scanner-5.0.5.tar.gz
(3) manager: the manager, which assigns scan tasks and produces assessment reports from the scan results.
openvas-manager-6.0.8.tar.gz
(4) gsa: the front-end web UI, which provides the web interface to the OpenVAS service layer so that scan tasks can be run from a browser; it is the easiest client-layer component to use.
greenbone-security-assistant-6.0.10.tar.gz
(5) openvas-cli (command-line interface): provides access to the OpenVAS service layer from the command line.
openvas-cli-1.4.4.tar.gz
II. Compile and install
1. Install the libraries
root@bob-Openvas:~# tar -xf openvas-libraries-8.0.7.tar.gz
root@bob-Openvas:~# cd openvas-libraries-8.0.7/
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# mkdir build
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# cd build/
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cmake ..
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make doc-full
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make install
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cd ../../
2. Install the scanner the same way as above; all the later components are installed the same way
openvas-scanner-5.0.5.tar.gz
3. Create the certificate
root@bob-Openvas:~# openvas-mkcert
Certificate locations
/usr/local/var/lib/openvas/private/CA
/usr/local/var/lib/openvas/CA
4. Reload the libraries; what gets reloaded is libopenvas_nasl.so.8
root@bob-Openvas:~# ldconfig
5. Sync the NVTs into the NVT plugin directory. NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
root@bob-Openvas:~# openvas-nvt-sync
...
...
zone_alarm_local_dos.nasl
zone_alarm_local_dos.nasl.asc
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok
6. Install redis-2.8.4. A redis service must also be running before the scanner starts; it is used for buffering
root@bob-Openvas:~# apt-get install redis-server
root@bob-Openvas:~# netstat -lanpt |grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
root@bob-Openvas:~# cp /etc/redis/redis.conf{,.bak}
root@bob-Openvas:~# /etc/init.d/redis-server stop
Stopping redis-server: redis-server.
Add the following 2 lines; without them an error is reported later
root@bob-Openvas:~# vim /etc/redis/redis.conf
unixsocket /tmp/redis.sock
unixsocketperm 700
root@bob-Openvas:~# /etc/init.d/redis-server start
root@bob-Openvas:~# netstat -lanpt |grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
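7. Start the scanner with the openvassd command
The scanner listens on port 9391. Note that once the scanner has started successfully, the manager can act as a client that talks to the scanner and controls it; the real clients, such as the command-line CLI and the web UI (gsa), can only talk to the manager and cannot bypass the manager to operate the scanner.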
root@bob-Openvas:~# openvassd
root@bob-Openvas:~# netstat -lanpt |grep 939
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/ ETA: 00:40)
8. Install the manager
openvas-manager-6.0.8.tar.gz
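9. After it starts, the manager needs to communicate with the scanner; the scanner is the server and the manager is the client. In the scanner's "configuration and startup" stage we already generated the SSL certificate and private key files for the scanner,
which means the manager can authenticate the server. The scanner, however, also requires client authentication of the manager, so SSL certificate and private key files must be generated for the manager as well.
10. Download the SCAP feed. The download takes a very long time: 80 minutes on a fast connection, possibly a whole day on a slow one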
root@bob-Openvas:~# openvas-scapdata-sync
11. Download the CERT feed
root@bob-Openvas:~# openvas-certdata-sync
12. Run the following command to generate the client certificate and private key
root@bob-Openvas:~# openvas-mkcert-client -n -i
root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/private/CA
total 12
-rw------- 1 root root 3247 7月 30 16:59 cakey.pem
-rw------- 1 root root 3247 7月 30 20:08 clientkey.pem
-rw------- 1 root root 3247 7月 30 16:59 serverkey.pem
root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/CA
total 24
-rw-r--r-- 1 root root 2451 7月 30 16:59 cacert.pem
-rw------- 1 root root 7931 7月 30 20:08 clientcert.pem
-rw-r--r-- 1 root root 8229 7月 30 16:59 servercert.pem
######################################################################################################################
The two steps above can also be done by running openvas-mkcert-client to generate the certificate and private key:
root@bob-Openvas:~# openvas-mkcert-client
Then copy the certificate and private key from the temporary directory into the corresponding directories
root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/key_om.pem /usr/local/var/lib/openvas/private/CA/clientkey.pem
root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/cert_om.pem /usr/local/var/lib/openvas/CA/clientcert.pem
######################################################################################################################
13. Initialize the database. The scanner (openvassd) must be running on port 9391 for the database rebuild to succeed; otherwise it fails with: Rebuilding NVT cache... failed.
root@bob-Openvas:~# openvasmd --rebuild --progress -v
Rebuilding NVT cache... done.
root@bob-Openvas:~# openvasmd -p 9390 -a 127.0.0.1
root@bob-Openvas:~# netstat -lanpt |grep 939
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391
14. Create the account bob
root@bob-Openvas:~# openvasmd --create-user=bob --role=Admin
User created with password '23c65192-2fa7-4aab-aa8d-6c9df701314c'.
15. Change the password of the account bob
root@bob-Openvas:~# openvasmd --user=bob --new-password=XXXXXXX
16. Install the CLI. The CLI is a command-line tool, omp, that acts as the client; it can run on Windows or Linux
openvas-cli-1.4.4.tar.gz
17. Install gsad
greenbone-security-assistant-6.0.10.tar.gz
18. Start gsad. Setting the IP address to 0.0.0.0 makes the service reachable from other machines
root@bob-Openvas:~# gsad --listen=0.0.0.0 -p 9392
root@bob-Openvas:~# netstat -lanpt |grep 939
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/openvassd: Wai
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 5580/gsad
19. Install nmap-5.51.tar.bz2
The gsad log reported errors and scans returned no results. The cause was that nmap was not installed
root@bob-Openvas:~# ./configure && make && make install
20. Exporting reports in PDF format requires installing texlive-full
root@bob-Openvas:~# apt-get install texlive-full
21. Download the check script and test the installation
root@bob-Openvas:~# wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--v9'
if you want to check for another OpenVAS version)
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.5.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: redis-server is present in version v=2.8.4.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /usr/local/var/cache/openvas contains 38966 files for 38966 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.8.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 38966 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 6.0.10.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation ...
OK: nmap is present in version 5.51.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
It seems like your OpenVAS-8 installation is OK.
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
22. Access OpenVAS over the web; on Ubuntu 14.04 the installed interface is in English
https://127.0.0.1:9392
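The listener table in step 18 shows which OpenVAS services accept connections from other hosts: gsad by choice, but also the scanner on 0.0.0.0:9391. As an added example (not from the original post), this shell function classifies the manager, scanner and gsad listeners from `netstat -lanpt` output; the function name and the embedded sample, copied from the outputs on this page, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads `netstat -lanpt` style lines on stdin and prints one line per
# OpenVAS listener (9390 manager, 9391 scanner, 9392 gsad):
#   <port> <bind address> <loopback-only|exposed>
audit_openvas_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")            # local address is "addr:port"
            port = a[n]
            if (port !~ /^939[012]$/) next   # only the three OpenVAS ports
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Anything not bound to loopback is reachable from other hosts.
            verdict = (addr ~ /^127\./ || addr == "::1") ? "loopback-only" : "exposed"
            print port, addr, verdict
        }'
}

# Constructed sample: listener lines as shown in steps 6 and 18 of this page.
SAMPLE='tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/openvassd: Wai
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 5580/gsad
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1'

printf '%s\n' "$SAMPLE" | audit_openvas_listeners
# On a live host: netstat -lanpt | audit_openvas_listeners
```

An "exposed" verdict on 9391 or 9390 is the case to restrict with a bind address or a host firewall, since only gsad needs to be reachable by browsers.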
III. Script to start OpenVAS at boot. Because it was compiled from source, it does not start at boot on its own, so I wrote a small script
OpenVAS start-at-boot script
root@bob-Openvas:~# vim /home/bob/openvas_server_start.sh
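#!/bin/bash
# Start the scanner first (listens on 9391); the manager connects to it.
/usr/local/sbin/openvassd
# Start the manager on 127.0.0.1:9390.
/usr/local/sbin/openvasmd -p 9390 -a 127.0.0.1
# Start the web UI (gsad) on all interfaces, port 9392.
/usr/local/sbin/gsad --listen=0.0.0.0 -p 9392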
IV. Problems encountered during installation and how to fix them
Problem 1
root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server
ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock
ERROR: The number of NVTs in the OpenVAS Manager database is too low.
FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.
ERROR: No OpenVAS SCAP database found. (Tried: /usr/local/var/lib/openvas/scap-data/scap.db)
FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.
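The WARNING/SUGGEST lines in step 21 and the ERROR/FIX lines in Problem 1 are the parts of openvas-check-setup output that need action. This added shell example (not part of the original post or of OpenVAS) pairs each finding with the remedy line that follows it; the function name and the sample, assembled from lines shown on this page, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads openvas-check-setup output on stdin and prints one line per finding:
#   <WARNING|ERROR>|<finding text>|<SUGGEST/FIX text, empty if none followed>
checksetup_findings() {
    awk '
        function emit() {
            if (sev != "") print sev "|" msg "|" fix
            sev = ""; msg = ""; fix = ""
        }
        { line = $0; sub(/^[ \t]+/, "", line) }   # the tool indents its output
        line ~ /^(WARNING|ERROR): / {
            emit()                                # previous finding had no remedy
            sev = line; sub(/:.*/, "", sev)
            msg = line; sub(/^[A-Z]+: /, "", msg)
            next
        }
        line ~ /^(SUGGEST|FIX): / && sev != "" {
            fix = line; sub(/^[A-Z]+: /, "", fix)
            emit(); next
        }
        { emit() }                                # any other line ends a finding
        END { emit() }'
}

# Constructed sample: lines taken from step 21 and Problem 1 of this page.
SAMPLE='OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock'

printf '%s\n' "$SAMPLE" | checksetup_findings
# On a live host: checksetup_findings < /tmp/openvas-check-setup.log
```

Note that a run ending in "installation is OK" can still carry WARNING findings, as the step 21 output does for NVT signature checking and the empty password policy.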
Problem 2
Test whether port 873 on rsync.openvas.org is reachable; only once it is can you run openvas-nvt-sync, openvas-scapdata-sync and greenbone-scapdata-sync
root@bob-Openvas:~# telnet rsync.openvas.org rsync
Trying 78.47.251.61...
Connected to openvas-feed.intevation.org.
Escape character is '^]'.
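Problem 3
If port 873 on rsync.openvas.org is not reachable, you can install offline: download the feed from the web (or copy the corresponding files directly from a machine whose feeds are already up to date) and copy it into these directories
Download the OpenVAS plugin library, copy it into the directories below, and restart OpenVAS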
root@bob-Openvas:~# wget http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
/usr/local/var/lib/openvas/plugins
/usr/local/var/lib/openvas/cert-data
/usr/local/var/lib/openvas/scap-data
Problem 4
OpenVAS log directory
root@bob-Openvas:~# ls -lh /usr/local/var/log/openvas/
total 24K
-rw-r--r-- 1 root root 1.4K 7月 29 17:39 gsad.log
-rw------- 1 root root 15K 7月 30 13:10 openvasmd.log
-rw-r--r-- 1 root root 559 7月 30 13:22 openvassd.messages