
This document covers the following.

OpenVAS is the successor to Nessus.
Nessus dropped the GPL and turned toward commercial use,
and OpenVAS was created in response.

OpenVAS performs network vulnerability tests.
The tests used for each check are implemented as plugins,
written in a scripting language called
Nessus Attack Scripting Language (NASL).

Installing openvas-server

Install openvas-server.

cd /usr/ports/security/openvas-server
sudo make install clean

If installing with the portinstall command:
sudo portinstall /usr/ports/security/openvas-server

If installing with the portmaster command:
sudo portmaster /usr/ports/security/openvas-server

Installing openvas-client

The client is used to operate the server.

cd /usr/ports/security/openvas-client/
sudo make install clean

If installing with the portinstall command:
sudo portinstall /usr/ports/security/openvas-client/

If installing with the portmaster command:
sudo portmaster /usr/ports/security/openvas-client/

openvas-plugins

Installing openvas-plugins

Install the vulnerability test plugins.

cd /usr/ports/security/openvas-plugins/
sudo make install clean

If installing with the portinstall command:
sudo portinstall /usr/ports/security/openvas-plugins/

If installing with the portmaster command:
sudo portmaster /usr/ports/security/openvas-plugins/

Configuration

Add the following setting to /etc/rc.conf.

openvasd_enable="YES"

Starting openvasd

Start the OpenVAS server application.

sudo /usr/local/etc/rc.d/openvasd start
/usr/local/etc/rc.d/openvasd: WARNING: /usr/local/etc/openvas/openvasd.conf is not readable.
/usr/local/etc/rc.d/openvasd: WARNING: failed precmd routine for openvasd


Generating openvasd.conf

openvasd uses /usr/local/etc/openvas/openvasd.conf.
On FreeBSD, openvasd.conf does not exist right after installation.
It can be generated with the openvasd command.

sudo openvasd -s

Example output
plugins_folder = /usr/local/lib/openvas/plugins
cache_folder = /usr/local/openvas/cache/openvas
include_folders = /usr/local/lib/openvas/plugins
max_hosts = 30
max_checks = 10
be_nice = no
logfile = /usr/local/openvas/log/openvas/openvasd.messages
log_whole_attack = no
log_plugins_name_at_load = no
dumpfile = /usr/local/openvas/log/openvas/openvasd.dump
rules = /usr/local/etc/openvas/openvasd.rules
users = /usr/local/etc/openvas/openvasd.users
cgi_path = /cgi-bin:/scripts
port_range = default
optimize_test = yes
language = english
checks_read_timeout = 5
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = yes
auto_enable_dependencies = yes
silent_dependencies = no
use_mac_addr = no
save_knowledge_base = no
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
slice_network_addresses = no
nasl_no_signature_check = yes
config_file = /usr/local/etc/openvas/openvasd.conf

The generated openvasd.conf
# Configuration file of the OpenVAS Security Scanner



# Every line starting with a '#' is a comment

# Path to the security checks folder : 
plugins_folder = /usr/local/lib/openvas/plugins

# Path to OpenVAS caching folder: 
cache_folder = /usr/local/openvas/cache/openvas

# Path to OpenVAS include directories: 
# (multiple entries are separated with colon ':')
include_folders = /usr/local/lib/openvas/plugins

# Maximum number of simultaneous hosts tested : 
max_hosts = 30

# Maximum number of simultaneous checks against each host tested : 
max_checks = 10

# Niceness. If set to 'yes', openvasd will renice itself to 10.
be_nice = no

# Log file (or 'syslog') : 
logfile = /usr/local/openvas/log/openvas/openvasd.messages

# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = no

# Log the name of the plugins that are loaded by the server ?
log_plugins_name_at_load = no

# Dump file for debugging output, use `-' for stdout
dumpfile = /usr/local/openvas/log/openvas/openvasd.dump

# Rules file : 
rules = /usr/local/etc/openvas/openvasd.rules

# Users database : 
users = /usr/local/etc/openvas/openvasd.users

# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
cgi_path = /cgi-bin:/scripts

# Range of the ports the port scanners will scan : 
# 'default' means that OpenVAS will scan ports found in its
# services file.
port_range = default

# Optimize the test (recommanded) : 
optimize_test = yes

# Language of the plugins :
language = english



# Optimization : 
# Read timeout for the sockets of the tests : 
checks_read_timeout = 5
# Ports against which two plugins should not be run simultaneously :
# non_simult_ports = Services/www, 139, Services/finger
non_simult_ports = 139, 445
# Maximum lifetime of a plugin (in seconds) : 
plugins_timeout = 320


# Safe checks rely on banner grabbing :
safe_checks = yes


# Automatically activate the plugins that are depended on
auto_enable_dependencies = yes


# Do not echo data from plugins which have been automatically enabled
silent_dependencies = no


# Designate hosts by MAC address, not IP address (useful for DHCP networks)
use_mac_addr = no


#--- Knowledge base saving (can be configured by the client) :
# Save the knowledge base on disk : 
save_knowledge_base = no
# Restore the KB for each test :
kb_restore = no
# Only test hosts whose KB we do not have :
only_test_hosts_whose_kb_we_dont_have = no
# Only test hosts whose KB we already have :
only_test_hosts_whose_kb_we_have = no
# KB test replay :
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
#--- end of the KB section



# If this option is set, OpenVAS will not scan a network incrementally
# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
# slice the workload throughout the whole network (ie: it will scan
# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
slice_network_addresses = no

# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
nasl_no_signature_check = yes

#end.
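The generated file above ends with nasl_no_signature_check = yes, which its own comment calls unsafe, and it also names the users database and rules file that openvasd relies on for per-user host restrictions. As an added example (not code from the original page or from the OpenVAS project), the POSIX shell script below reads a "key = value" file with the same layout as openvasd.conf and reports the settings a defender would review before exposing the scanner. The sample configuration inside it is constructed for this example and only mirrors the values printed by openvasd -s above.

```shell
#!/bin/sh
# Added example, not part of the original page or of the OpenVAS project:
# a small audit of an openvasd.conf. The key names are the ones shown in
# the generated file; the sample file created below is constructed here.

# conf_get FILE KEY
# Print the value of KEY from a "key = value" file, skipping comment lines
# and trimming surrounding whitespace. Prints nothing when KEY is absent.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_openvasd_conf FILE
# Report settings that weaken the scanner's own safety. Returns 0 when every
# check passes and 1 otherwise; each finding is printed as one line.
audit_openvasd_conf() {
    f="$1"; rc=0

    # The stock file itself warns that 'yes' here is unsafe: NASL scripts
    # are loaded without their signatures being checked.
    if [ "$(conf_get "$f" nasl_no_signature_check)" != "no" ]; then
        echo "FINDING: nasl_no_signature_check is not 'no'; plugin signatures are not verified"
        rc=1
    fi

    # safe_checks = yes keeps plugins to banner-based detection instead of
    # tests that may crash the service being scanned.
    if [ "$(conf_get "$f" safe_checks)" != "yes" ]; then
        echo "FINDING: safe_checks is not 'yes'"
        rc=1
    fi

    # Per-user host restrictions depend on both of these paths being set.
    for key in users rules; do
        if [ -z "$(conf_get "$f" "$key")" ]; then
            echo "FINDING: $key is not set; per-user host restrictions cannot be enforced"
            rc=1
        fi
    done

    return "$rc"
}

# Constructed sample mirroring the values 'openvasd -s' printed above.
SAMPLE_CONF=$(mktemp) || exit 1
cat > "$SAMPLE_CONF" <<'EOF'
# Configuration file of the OpenVAS Security Scanner
safe_checks = yes
rules = /usr/local/etc/openvas/openvasd.rules
users = /usr/local/etc/openvas/openvasd.users
nasl_no_signature_check = yes
EOF

if audit_openvasd_conf "$SAMPLE_CONF"; then
    echo "openvasd.conf: no findings"
else
    echo "openvasd.conf: review the findings above before exposing port 9390"
fi
rm -f "$SAMPLE_CONF"
```

Run it against the real file with audit_openvasd_conf /usr/local/etc/openvas/openvasd.conf after sourcing the script; on the configuration shown on this page it reports the signature-check finding and exits non-zero, which makes it usable as a pre-start check in a deployment script.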


sudo openvas-mkcert

Congratulations. Your server certificate was properly created.

/usr/local/etc/openvas/openvasd.conf updated
The following files were created:

. Certification authority:
Certificate = /usr/local/openvas/lib/openvas/CA/cacert.pem
Private key = /usr/local/openvas/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /usr/local/openvas/lib/openvas/CA/servercert.pem
Private key = /usr/local/openvas/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit


Adding a user

The command to add a user:
sudo openvas-adduser

% sudo openvas-adduser
0: not found
Using /var/tmp as a temporary file holder.

Add a new openvasd user
---------------------------------


Login : kaworu
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
---------------
openvasd has a rules system which allows you to restrict the hosts that kaworu has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)

^D

Login             : kaworu
Password          : ***********

Rules             :




Is that ok? (y/n) [y] y
user added.


Updating plugins


sudo openvas-nvt-sync


OpenVAS-Client -p -q localhost 9390 user passwd
