From Fedora Project Wiki
Revision as of 15:54, 26 June 2015
Description
This test case tests the ability of OpenVAS to scan a host or network for vulnerabilities.
Setup
- For the tests you will need a remote host running various network services (SSH, HTTP, DNS, SMTP ...). For example: a Linux server with OpenSSH, Apache HTTPd, ISC BIND, Postfix or Sendmail.
- Open ports of the scanned services on the remote host firewall.
- If unsure about the past OpenVAS configuration, it is recommended to bootstrap the environment by removing all openvas* packages, removing all the application files, reinstalling the packages and configuring the suite from scratch:
OV_RPMS=`rpm -qa|grep openvas`
rpm -e $OV_RPMS
rm -rf /etc/openvas /etc/pki/openvas /usr/share/openvas /var/log/openvas /var/lib/openvas /var/cache/openvas
- Ensure that the openvas-libraries, openvas-scanner, openvas-manager, openvas-cli and openvas-gsa packages are installed:
yum -y install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa
- At each step you can verify the current progress with openvas-check-setup script:
openvas-check-setup
- Openvas-8 requires redis-server to be configured and running in order to work as expected:
yum install redis
How to test
- Try to start OpenVAS scanner (probably unsuccessfully without configuration):
service openvas-scanner start
- Check the logs on what is happening (as there is no server certificate it should fail to start):
tail -f /var/log/openvas/openvassd.log
- Create a new certificate, press "Enter" to use the defaults:
openvas-mkcert
- Add user certificate for the openvas-manager to be able to connect to scanner:
openvas-mkcert-client -n -i
- Download the NVTs signatures:
openvas-nvt-sync --wget
- Install the redis-server and configure redis-server for use with openvas:
yum install redis
sed -i -e 's|^# unixsocket|unixsocket|' /etc/redis.conf
service redis restart
- Restart OpenVAS scanner (it will take a while for the first time):
service openvas-scanner restart
- Test that the OpenVAS scanner process openvassd is running. Wait until the NVT signatures are loaded and the process is awaiting connections:
ps aux | grep [o]penvassd
- Test that the OpenVAS scanner listens on configured port:
sudo lsof -i -nP | grep openvassd
- Connect using the gnutls client to scanner port:
gnutls-cli --insecure -p 9391 127.0.0.1
- Connect using the gnutls client to scanner port, this time passing the correct client certificate:
gnutls-cli --insecure -p 9391 127.0.0.1 --x509keyfile=/etc/pki/openvas/private/CA/clientkey.pem --x509certfile=/etc/pki/openvas/CA/clientcert.pem
Start the communication with < OTP/1.0 >. Try to login with the user created above.
- Start OpenVAS manager:
service openvas-manager start
- Generate a new client certificate for manager to connect to scanner
openvas-mkcert-client -n om -i
- Rebuild the NVT cache database
openvasmd --rebuild
- Start OpenVAS manager:
service openvas-manager start
- Test that the OpenVAS manager process openvasmd is running:
ps aux | grep [o]penvasmd
- Test that the OpenVAS manager listens on configured port:
sudo lsof -i -nP | grep [o]penvasmd
- Connect using the gnutls client to manager port:
gnutls-cli --insecure -p 9390 127.0.0.1
Start the communication with < OTP/2.0 >.
- Start OpenVAS client:
openvas-client
(or System Tools > OpenVAS Client)
- Connect to OpenVAS server with the user created above.
- Create a new scan using the client and wait until it finishes.
- Export the report to HTML or PDF.
Expected Results
- Start of openvas-scanner without previous configuration will most probably fail. Syslog should display a hint about generating certificates.
- Logs should give hints on what is wrong.
- Certificate should be created in /etc/pki/openvas/CA/cacert.pem, /etc/pki/openvas/CA/servercert.pem with private keys in /etc/pki/openvas/private/CA/
- Adding of the user certificate will create certificate in /etc/pki/openvas/CA/clientcert.pem and key in /etc/pki/openvas/private/CA/
- openvas-nvt-sync will download plugins to /var/lib/openvas/plugins
- Redis server should be running now with unix socket ready in /tmp/redis.sock. The openvas-check-setup should no longer complain about issues with redis server.
- Restart of the service should result in OK. It takes longer the first time. On Fedora 16 it is possible that systemd will time out, thinking that the service failed to start, while it is actually still starting. Give it a while and try stop/start again. The process list shows the progress of loading the signature database, for example "openvassd: Reloaded 5750 of 39422 NVTs (14% / ETA: 00:58)"
- Process list should show openvassd process running as root "openvassd: waiting for incoming connections"
- lsof for openvassd should show it is listening on port 9391
- Connecting to port 9391 without passing the user certificate should result in the connection being rejected by the server. For troubleshooting the network connection, gnutls-serv can be used instead of the openvas-scanner:
gnutls-serv --x509keyfile=/etc/pki/openvas/private/CA/serverkey.pem --x509certfile=/etc/pki/openvas/CA/servercert.pem -p 9391 --echo
- When passing the right client certificate you should be able to get a response from the openvas-server. The response will be either "< OTP/2.0 >", meaning the scanner is ready, or something like "SCANNER_LOADING <|> 36750 <|> 39422" in case it is still loading the NVT database.
- Starting openvas-manager without configuration of certificate and database will fail. Check syslog for the hint.
- The client certificate for the manager will be generated to /etc/pki/openvas/CA/clientcert.pem and the key to /etc/pki/openvas/private/CA/clientkey.pem
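As an added example, not part of the Fedora test case, the following POSIX shell script checks the artifacts the setup steps above are expected to produce (certificates, the redis socket, the listening scanner) and classifies the scanner's OTP reply the same way the manual gnutls-cli step does. The paths and port 9391 come from the test case; OPENVAS_PKI_DIR and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Fedora test case): verify what the setup steps should
# leave behind and classify the scanner's OTP reply. OPENVAS_PKI_DIR is an assumed
# override; its default, /tmp/redis.sock and port 9391 come from the test case.
OPENVAS_PKI_DIR="${OPENVAS_PKI_DIR:-/etc/pki/openvas}"
SCANNER_PORT=9391
# Return 0 when every file openvas-mkcert and openvas-mkcert-client should have
# produced is readable under the PKI root given as $1.
check_pki_files() {
    for f in CA/cacert.pem CA/servercert.pem CA/clientcert.pem \
             private/CA/serverkey.pem private/CA/clientkey.pem; do
        [ -r "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
    done
}
# Return 0 when the redis unix socket openvas-check-setup looks for exists.
check_redis_socket() { [ -S "${1:-/tmp/redis.sock}" ]; }
# Classify the first OTP line the scanner returns after "< OTP/2.0 >" is written to it.
# Prints "ready", "loading <done> <total>", "no-reply" (e.g. rejected handshake because
# no client certificate was presented) or "unknown".
classify_otp_response() {
    case "$1" in
        "") echo "no-reply" ;;
        *"< OTP/2.0 >"*) echo "ready" ;;
        *"SCANNER_LOADING <|>"*)
            # e.g. "SCANNER_LOADING <|> 36750 <|> 39422": drop the <|> separators
            set -- $(printf '%s\n' "$1" | tr '<|>' '   ')
            echo "loading $2 $3" ;;
        *) echo "unknown" ;;
    esac
}
# Live probe of the local scanner with the manager's client certificate (the same
# gnutls-cli invocation as in the test steps, with the greeting piped in).
probe_scanner() {
    reply=$(printf '< OTP/2.0 >\n' | gnutls-cli --insecure -p "$SCANNER_PORT" 127.0.0.1 \
        --x509keyfile="$OPENVAS_PKI_DIR/private/CA/clientkey.pem" \
        --x509certfile="$OPENVAS_PKI_DIR/CA/clientcert.pem" 2>/dev/null \
        | grep -m1 -e 'OTP/' -e 'SCANNER_LOADING')
    classify_otp_response "$reply"
}
# Return 0 when openvassd is listening on the scanner port (same check as the lsof step).
check_listener() { lsof -i -nP 2>/dev/null | grep openvassd | grep -q ":$SCANNER_PORT (LISTEN)"; }
# Run every check: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    check_pki_files "$OPENVAS_PKI_DIR" && echo "pki files: ok"
    check_redis_socket && echo "redis socket: ok"
    check_listener && echo "openvassd listening on port $SCANNER_PORT"
    echo "scanner state: $(probe_scanner)"
fi
```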