From Fedora Project Wiki
No edit summary |
No edit summary |
||
Line 7: | Line 7: | ||
* Ensure that {{package|openvas-libraries}}, {{package|openvas-scanner}}, {{package|openvas-manager}}, {{package|openvas-client}} packages are installed. | * Ensure that {{package|openvas-libraries}}, {{package|openvas-scanner}}, {{package|openvas-manager}}, {{package|openvas-client}} packages are installed. | ||
|actions= | |actions= | ||
# Start OpenVAS scanner: {{command | | # Start OpenVAS scanner: {{command |service openvas-scanner start}} | ||
# Create a new certificate: {{command |openvas-mkcert}} | # Create a new certificate: {{command |openvas-mkcert}} | ||
# Add a OpenVAS user: {{command |openvas-adduser}} | # Add a OpenVAS user: {{command |openvas-adduser}} | ||
# Update the NVTs: {{command |openvas-nvt-sync}} | # Update the NVTs: {{command |openvas-nvt-sync}} | ||
# Restart OpenVAS scanner (take a while for the first time): {{command | | # Restart OpenVAS scanner (take a while for the first time): {{command |service openvas-scanner restart}} | ||
# Test that the OpenVAS scanner process openvassd is running: {{ command |ps aux | grep [o]penvassd }} | # Test that the OpenVAS scanner process openvassd is running: {{ command |ps aux | grep [o]penvassd }} | ||
# Test that the OpenVAS scanner listens on configured port: {{ command |sudo lsof -i -nP | grep [o]penvassd }} | # Test that the OpenVAS scanner listens on configured port: {{ command |sudo lsof -i -nP | grep [o]penvassd }} | ||
# Connect using the gnutls client to scanner port: {{ command | gnutls-cli --insecure -p 9391 127.0.0.1 }}. Start the communication with < OTP/1.0 >. Try to login with the user created above. | # Connect using the gnutls client to scanner port: {{ command | gnutls-cli --insecure -p 9391 127.0.0.1 }}. Start the communication with < OTP/1.0 >. Try to login with the user created above. | ||
# Start OpenVAS manager: {{command | | # Start OpenVAS manager: {{command |service openvas-manager start}} | ||
# Generate a new client certificate for manager to connect to scanner {{command | openvas-mkcert-client -n om -i }} | # Generate a new client certificate for manager to connect to scanner {{command | openvas-mkcert-client -n om -i }} | ||
# Rebuild the NVT cache database {{command | openvasmd --rebuild }} | # Rebuild the NVT cache database {{command | openvasmd --rebuild }} | ||
# Start OpenVAS manager: {{command | | # Start OpenVAS manager: {{command |service openvas-manager start}} | ||
# Test that the OpenVAS manager process openvasmd is running: {{ command |ps aux | grep [o]penvasmd }} | # Test that the OpenVAS manager process openvasmd is running: {{ command |ps aux | grep [o]penvasmd }} | ||
# Test that the OpenVAS manager listens on configured port: {{ command |sudo lsof -i -nP | grep [o]penvasmd }} | # Test that the OpenVAS manager listens on configured port: {{ command |sudo lsof -i -nP | grep [o]penvasmd }} |
Revision as of 16:14, 18 November 2012
Description
This test case tests the ability of OpenVAS to scan a host or network for vulnerabilities.
Setup
- A remote host with various network services (SSH, HTTP, DNS, SMTP ...) is required. For example: a Linux server with OpenSSH, Apache HTTPd, ISC BIND, Postfix or Sendmail.
- Open ports of the scanned services in the remote host firewall.
- Ensure that
openvas-libraries
,openvas-scanner
,openvas-manager
,openvas-client
packages are installed.
How to test
- Start OpenVAS scanner:
service openvas-scanner start
- Create a new certificate:
openvas-mkcert
- Add a OpenVAS user:
openvas-adduser
- Update the NVTs:
openvas-nvt-sync
- Restart OpenVAS scanner (take a while for the first time):
service openvas-scanner restart
- Test that the OpenVAS scanner process openvassd is running:
ps aux | grep [o]penvassd
- Test that the OpenVAS scanner listens on configured port:
sudo lsof -i -nP | grep [o]penvassd
- Connect using the gnutls client to scanner port:
gnutls-cli --insecure -p 9391 127.0.0.1
. Start the communication with < OTP/1.0 >. Try to login with the user created above. - Start OpenVAS manager:
service openvas-manager start
- Generate a new client certificate for manager to connect to scanner
openvas-mkcert-client -n om -i
- Rebuild the NVT cache database
openvasmd --rebuild
- Start OpenVAS manager:
service openvas-manager start
- Test that the OpenVAS manager process openvasmd is running:
ps aux | grep [o]penvasmd
- Test that the OpenVAS manager listens on configured port:
sudo lsof -i -nP | grep [o]penvasmd
- Connect using the gnutls client to manager port:
gnutls-cli --insecure -p 9390 127.0.0.1
. Start the communication with < OTP/1.0 >. Try to login with the user created above. - Start OpenVAS client:
openvas-client
(or System Tools > OpenVAS Client) - Connect to OpenVAS server with the user created above.
- Create a new scan using the client and wait until it finishes.
- Export the report to HTML or PDF.
Expected Results
- Start of openvas-scanner without previous configuration will most probably fail. Syslog should display hint about generating certificates.
- Certificate should be created in /etc/pki/openvas/CA/cacert.pem, /etc/pki/openvas/CA/servercert.pem with private keys in /etc/pki/openvas/private/CA/
- Adding of the user will create the account in /var/lib/openvas/users/
- openvas-nvt-sync will download plugins to /var/lib/openvas/plugins
- Restart of the service should result with OK. It takes longer for the first time. On Fedora 16 it is possible that the systemd will timeout thinking that the service failed to start, while actually it is still starting. Give it a while and try stop/start again.
- Process list should show openvassd process running as root "openvassd: waiting for incoming connections"
- lsof for openvassd should show it is listening on port 9391
- Passing wrong credentials will print error message about unsuccessfull authentication. After passing right credentials the server will wait expecting more commands to go.
- Starting openvas-manager without configuration of certificate and database will fail. Check syslog for the hint.
- Client certificate will for manager will be generated to /etc/pki/openvas/CA/clientcert.pem and key to /etc/pki/openvas/private/CA/clientkey.pem
- Database will be generated to /var/lib/openvas/mgr/tasks.db
- Start of the openvas-manager after configuring certificate and NVT cache database should result with OK.
- Process list should show openvasmd process running as root "openvasmd --port=9390 --slisten=127.0.0.1 --sport=9391 --otp"
- lsof for openvasmd should show it is listening on port 9390
- Passing wrong credentials will disconnect immediately. After passing right credentials the server will wait expecting more commands to go.
- The scan should finish correctly.
- In the report, you should see the network services being scanned and vulnerabilities reported.