{"id":727,"date":"2016-05-19T13:40:56","date_gmt":"2016-05-19T19:40:56","guid":{"rendered":"http:\/\/wmbuck.net\/blog\/?p=727"},"modified":"2016-05-19T13:40:56","modified_gmt":"2016-05-19T19:40:56","slug":"setting-up-openvas","status":"publish","type":"post","link":"https:\/\/wmbuck.net\/blog\/?p=727","title":{"rendered":"Setting up OpenVAS"},"content":{"rendered":"<p>I haven&#8217;t done any serious security scanning since playing around with Nessus back in 2006. I decided that I needed to do this, not only on my own servers but on those that I managed for others. It would be very embarrassing to get hacked. <\/p>\n<p>So first I grabbed up Nessus, and discovered that it has, in the meantime, become a mostly commercial product. There is an open source spin called OpenVAS. This is about setting that up. <\/p>\n<p>OpenVAS itself has two parts, and it comes with a third part from a company called Greenbone Security which is a web frontend. The two parts of openvas are the scanner (openvassd) and the manager (openvasmd) while the front end is gsad. <\/p>\n<p>I installed them with dnf, as they are packaged with fedora. This creates a dozen bin files, an \/etc\/openvas &#038; \/etc\/pki\/openvas, a \/var\/lib\/openvas, and systemd scripts. A good way to go through the setup process is to use openvas-check-setup, which will give clues to what you should do next. <\/p>\n<p>First step was openvas-mkcert which builds a self-signed cert in \/etc\/pki\/openvas. Next step was to install a \u201credis\u201d server (dnf install redis), and fix its config file with unixsocket \/tmp\/redis.sock. systemctl enable redis; systemctl start redis.sock. Another step that is needed before downloading the \u201cnvt\u201d files, is to set up a gpg key. Some of the instructions wanted the gnupg directory in \/etc\/openvas, but the fedora install creates a gnupg directory in \/var\/lib\/openvas, so I used that. 
Then I downloaded the nvt files (openvas-nvt-sync) and also did openvas-scapdata-sync and openvas-certdata-sync.<\/p>\n<p>I was unsuccessful with checking for signed nvt scripts on either tarragon or oregano. The openvassd scanner (systemctl start openvas-scanner) won&#8217;t run with the parameter in \/etc\/openvas\/openvassd.conf set to check the script sigs.  <\/p>\n<p>When the instructions said to start the scanner, and then run the manager with the --rebuild option, I started the scanner with systemctl but did the manager with openvasmd --rebuild, to build the \u201ctasks\u201d database. <\/p>\n<p>After that I enabled and started openvas-manager and openvas-gsa (had already enabled and started openvas-scanner). <\/p>\n<p>To use this on tarragon I use an ssh tunnel rather than opening up another port there. It must be connected to using https. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>I haven&#8217;t done any serious security scanning since playing around with Nessus back in 2006. I decided that I needed to do this, not only on my own servers but on those that I managed for others. It would be very embarrassing to get hacked. 
So first I grabbed up Nessus, and discovered that it &hellip; <a href=\"https:\/\/wmbuck.net\/blog\/?p=727\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Setting up OpenVAS<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,4,33],"tags":[],"class_list":["post-727","post","type-post","status-publish","format-standard","hentry","category-fedora","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/727"}],"collection":[{"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=727"}],"version-history":[{"count":1,"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/727\/revisions"}],"predecessor-version":[{"id":728,"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/727\/revisions\/728"}],"wp:attachment":[{"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wmbuck.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}