Compiling and installing OpenVAS 8 on Ubuntu 14.04


Last year I installed OpenVAS with yum on CentOS 6.4, and the client kept crashing during scans, which was embarrassing. OpenVAS support for CentOS is poor: a fresh yum install on CentOS 6.4 no longer worked, and compiling from source needed all kinds of dependencies to be exported. In the end I gave up on CentOS 6.4 and compiled it on Ubuntu.
I. Preparation
1. System environment
root@bob-Openvas:~# lsb_release -a
Ubuntu 14.04.4 LTS
2. Install the dependency packages
root@bob-Openvas:~# apt-get update
root@bob-Openvas:~# apt-get install openssh-server
root@bob-Openvas:~# apt-get install lrzsz
root@bob-Openvas:~# apt-get install build-essential bison flex cmake pkg-config libglib2.0-0 libglib2.0-dev
root@bob-Openvas:~# apt-get install libgnutls-dev
root@bob-Openvas:~# apt-get install libgnutls28-dev
root@bob-Openvas:~# apt-get install libpcap0.8 libpcap0.8-dev libgpgme11 libgpgme11-dev doxygen libuuid1 uuid-dev sqlfairy xmltoman sqlite3
root@bob-Openvas:~# apt-get install libxml2-dev libxslt1.1 libxslt1-dev xsltproc libmicrohttpd-dev libsqlite3-dev rsync libldap2-dev libhiredis-dev
root@bob-Openvas:~# apt-get install libgcrypt-dev zlib1g-dev libssh-dev
3. Download the OpenVAS packages from http://www.openvas.org/install-source.html
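(1) libraries: the OpenVAS library files. openvas-libraries-8.0.7.tar.gz
(2) scanner: the scanner, which calls the vulnerability detection plugins and performs the actual scanning. openvas-scanner-5.0.5.tar.gz
(3) manager: the manager, which assigns scan tasks and produces assessment reports from the scan results. openvas-manager-6.0.8.tar.gz
(4) gsa: the front-end web UI, which provides the web interface to the OpenVAS service layer so that scan tasks can be run from a browser; it is the easiest client-layer component to use. greenbone-security-assistant-6.0.10.tar.gz
(5) openvas-cli (command-line interface): provides access to the OpenVAS service layer from the command line. openvas-cli-1.4.4.tar.gz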
II. Compile and install
1. Install libraries
root@bob-Openvas:~# tar -xf openvas-libraries-8.0.7.tar.gz
root@bob-Openvas:~# cd openvas-libraries-8.0.7/
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# mkdir build
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# cd build/
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cmake ..
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make doc-full
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make install
root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cd ../../
2. Install scanner in the same way; all the later components are installed the same way. openvas-scanner-5.0.5.tar.gz
3. Create the certificate
root@bob-Openvas:~# openvas-mkcert
The certificates are stored in:
/usr/local/var/lib/openvas/private/CA
/usr/local/var/lib/openvas/CA
4. Reload the libraries; what gets reloaded is libopenvas_nasl.so.8
root@bob-Openvas:~# ldconfig
5. Synchronize the NVTs into the NVT plugin directory. NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
root@bob-Openvas:~# openvas-nvt-sync
……
zone_alarm_local_dos.nasl
zone_alarm_local_dos.nasl.asc
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok
6. Install redis-2.8.4. A redis service has to be running before the scanner starts; the scanner uses it as a cache.
root@bob-Openvas:~# apt-get install redis-server
root@bob-Openvas:~# netstat -lanpt |grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
root@bob-Openvas:~# cp /etc/redis/redis.conf{,.bak}
root@bob-Openvas:~# /etc/init.d/redis-server stop
Stopping redis-server: redis-server.
Add the following two lines; without them an error is reported later.
root@bob-Openvas:~# vim /etc/redis/redis.conf
unixsocket /tmp/redis.sock
unixsocketperm 700
root@bob-Openvas:~# /etc/init.d/redis-server start
root@bob-Openvas:~# netstat -lanpt |grep 6379
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
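A quick way to confirm that the two redis.conf lines above are really active before starting the scanner, as an added example that is not part of the original post. The function name check_redis_socket and the sample file contents are constructed for illustration; the socket path and permission value are the ones used in this guide.

```bash
#!/bin/bash
# Added example, not part of the original post.
# check_redis_socket CONF [EXPECTED_SOCKET]
# Checks that CONF has active (uncommented) unixsocket / unixsocketperm
# directives matching the socket the scanner is configured to use.
# Prints findings; returns 0 when the socket setup is usable, 1 otherwise.
check_redis_socket() {
    local conf=$1 want=${2:-/tmp/redis.sock} sock perm rc=0
    # Commented lines start with "#" and never match; if a directive is
    # repeated, this script reports the last active occurrence.
    sock=$(awk '$1 == "unixsocket" { v = $2 } END { print v }' "$conf")
    perm=$(awk '$1 == "unixsocketperm" { v = $2 } END { print v }' "$conf")
    if [ -z "$sock" ]; then
        echo "FAIL: no active unixsocket directive"; rc=1
    elif [ "$sock" != "$want" ]; then
        echo "FAIL: unixsocket is $sock, scanner expects $want"; rc=1
    else
        echo "OK: unixsocket $sock"
    fi
    case $perm in
        "")               echo "FAIL: no active unixsocketperm directive"; rc=1 ;;
        [0-7]00|0[0-7]00) echo "OK: unixsocketperm $perm (owner only)" ;;
        *)                echo "WARN: unixsocketperm $perm lets other local users reach the socket" ;;
    esac
    return $rc
}

# Constructed sample: both directives still commented out.
demo=$(mktemp)
printf '%s\n' 'port 6379' '# unixsocket /tmp/redis.sock' '# unixsocketperm 755' > "$demo"
check_redis_socket "$demo" || echo "redis.conf still needs the two lines"
rm -f "$demo"
# On the host from this guide: check_redis_socket /etc/redis/redis.conf
```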
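7. Start the scanner with the openvassd command. The scanner listens on port 9391. Note that once the scanner is up, the manager acts as a client of the scanner and controls it; the real clients, such as the command-line cli and the web UI (gsa), can only talk to the manager and cannot bypass the manager to operate the scanner.
root@bob-Openvas:~# openvassd
root@bob-Openvas:~# netstat -lanpt |grep 939
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/ ETA: 00:40)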
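8. Install manager. openvas-manager-6.0.8.tar.gz
9. After the manager starts it has to communicate with the scanner; the scanner is the server and the manager is the client. During the scanner's "configuration and startup" stage we already generated the SSL certificate and private key files for the scanner, so the manager can authenticate the server. The scanner also requires client authentication of the manager, so an SSL certificate and private key have to be generated for the manager as well.
10. Download the SCAP feed. The download takes a very long time: 80 minutes on a fast connection, possibly a whole day on a slow one.
root@bob-Openvas:~# openvas-scapdata-sync
11. Download the CERT feed
root@bob-Openvas:~# openvas-certdata-sync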
12. Run the following command to generate the client certificate and private key
root@bob-Openvas:~# openvas-mkcert-client -n -i
root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/private/CA
total 12
-rw------- 1 root root 3247 7月 30 16:59 cakey.pem
-rw------- 1 root root 3247 7月 30 20:08 clientkey.pem
-rw------- 1 root root 3247 7月 30 16:59 serverkey.pem
root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/CA
total 24
-rw-r--r-- 1 root root 2451 7月 30 16:59 cacert.pem
-rw------- 1 root root 7931 7月 30 20:08 clientcert.pem
-rw-r--r-- 1 root root 8229 7月 30 16:59 servercert.pem
######################################################################################################################
The two steps above can also be done by running openvas-mkcert-client to generate the certificate and private key:
root@bob-Openvas:~# openvas-mkcert-client
Then copy the certificate and private key from the temporary directory to the corresponding directories
root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/key_om.pem /usr/local/var/lib/openvas/private/CA/clientkey.pem
root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/cert_om.pem /usr/local/var/lib/openvas/CA/clientcert.pem
######################################################################################################################
13. Initialize the database. The rebuild only succeeds when the scanner (openvassd) is already up on port 9391; otherwise it fails with: Rebuilding NVT cache... failed.
root@bob-Openvas:~# openvasmd --rebuild --progress -v
Rebuilding NVT cache... done.
root@bob-Openvas:~# openvasmd -p 9390 -a 127.0.0.1
root@bob-Openvas:~# netstat -lanpt |grep 939
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391
14. Create the account bob
root@bob-Openvas:~# openvasmd --create-user=bob --role=Admin
User created with password '23c65192-2fa7-4aab-aa8d-6c9df701314c'.
15. Change the password of the account bob
root@bob-Openvas:~# openvasmd --user=bob --new-password=XXXXXXX
16. Install cli. cli is a command-line tool; as the omp client it can run on Windows or Linux. openvas-cli-1.4.4.tar.gz
17. Install gsad. greenbone-security-assistant-6.0.10.tar.gz
18. Start gsad. Setting the listen address to 0.0.0.0 makes the service reachable from other machines.
root@bob-Openvas:~# gsad --listen=0.0.0.0 -p 9392
root@bob-Openvas:~# netstat -lanpt |grep 939
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/openvassd: Wai
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 5580/gsad
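Step 7 notes that clients are meant to reach the scanner only through the manager, while the netstat output shows which address each daemon is actually bound to. The following added example (not part of the original post) classifies the three OpenVAS listeners as loopback-only or reachable from other machines; the function name openvas_listeners is constructed for illustration and the sample lines are the listener lines shown in this guide.

```bash
#!/bin/bash
# Added example, not part of the original post.
# openvas_listeners: reads `netstat -lnpt` output on stdin and prints, for
# each listener on the OpenVAS ports used in this guide, the port, the
# daemon, the bind address and whether it is loopback-only or exposed.
openvas_listeners() {
    awk '
    BEGIN { name["9390"] = "openvasmd"; name["9391"] = "openvassd"; name["9392"] = "gsad" }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, part, ":")       # handles 0.0.0.0:9391 and :::9392
        port = part[n]
        if (!(port in name)) next      # skip redis and unrelated services
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
        print port, name[port], addr, scope
    }'
}

# Listener lines copied from the netstat output shown in this guide.
SAMPLE='tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1
tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/openvassd: Wai
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 5580/gsad'

printf '%s\n' "$SAMPLE" | openvas_listeners
# On a live host: netstat -lnpt | openvas_listeners
```

Any line marked exposed is a port that host firewall rules need to account for.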
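19. Install nmap-5.51.tar.bz2. The gsad log reported errors and scans returned no results at all; the cause was that nmap was not installed.
root@bob-Openvas:~# ./configure && make && make install
20. Exporting reports in PDF format requires texlive-full
root@bob-Openvas:~# apt-get install texlive-full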
21. Download the check script and test the installation
root@bob-Openvas:~# wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9' if you want to check for another OpenVAS version)
  Please report us any non-detected problems and help us to improve this check routine: http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Step 1: Checking OpenVAS Scanner ...
  OK: OpenVAS Scanner is present in version 5.0.5.
  OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
  OK: redis-server is present in version v=2.8.4.
  OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
  OK: redis-server is running and listening on socket: /tmp/redis.sock.
  OK: redis-server configuration is OK and redis-server is running.
  OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.
  WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
  SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
  OK: The NVT cache in /usr/local/var/cache/openvas contains 38966 files for 38966 NVTs.
Step 2: Checking OpenVAS Manager ...
  OK: OpenVAS Manager is present in version 6.0.8.
  OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
  OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
  OK: Access rights for the OpenVAS Manager database are correct.
  OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
  OK: OpenVAS Manager database is at revision 146.
  OK: OpenVAS Manager expects database at revision 146.
  OK: Database schema is up to date.
  OK: OpenVAS Manager database contains information about 38966 NVTs.
  OK: At least one user exists.
  OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.
  OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.
  OK: xsltproc found.
Step 3: Checking user configuration ...
  WARNING: Your password policy is empty.
  SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
  OK: Greenbone Security Assistant is present in version 6.0.10.
Step 5: Checking OpenVAS CLI ...
  OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
  SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
  OK: netstat found, extended checks of the OpenVAS services enabled.
  OK: OpenVAS Scanner is running and listening on all interfaces.
  OK: OpenVAS Scanner is listening on port 9391, which is the default port.
  OK: OpenVAS Manager is running and listening on all interfaces.
  OK: OpenVAS Manager is listening on port 9390, which is the default port.
  OK: Greenbone Security Assistant is running and listening on all interfaces.
  OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation ...
  OK: nmap is present in version 5.51.
Step 10: Checking presence of optional tools ...
  OK: pdflatex found.
  OK: PDF generation successful. The PDF report format is likely to work.
  OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
  OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
  OK: alien found, LSC credential package generation for DEB based targets is likely to work.
  OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
It seems like your OpenVAS-8 installation is OK.
If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

22. Access OpenVAS through the web interface; installed on Ubuntu 14.04, the interface comes up in English. https://127.0.0.1:9392

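III. Script to start OpenVAS at boot. Because OpenVAS was compiled from source it does not start at boot on its own, so I wrote a small script to start it.
root@bob-Openvas:~# vim /home/bob/openvas_server_start.sh
#!/bin/bash
# Scanner first: the manager connects to it on port 9391
/usr/local/sbin/openvassd
# Manager, listening on loopback only
/usr/local/sbin/openvasmd -p 9390 -a 127.0.0.1
# Web UI, listening on all interfaces
/usr/local/sbin/gsad --listen=0.0.0.0 -p 9392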

IV. Problems encountered during installation and how to solve them
Problem 1
root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server
ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock
ERROR: The number of NVTs in the OpenVAS Manager database is too low.
FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.
ERROR: No OpenVAS SCAP database found. (Tried: /usr/local/var/lib/openvas/scap-data/scap.db)
FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.

Problem 2
Test whether port 873 on rsync.openvas.org is reachable; openvas-nvt-sync, openvas-scapdata-sync and greenbone-scapdata-sync can only be run once it is.
root@bob-Openvas:~# telnet rsync.openvas.org rsync
Trying 78.47.251.61...
Connected to openvas-feed.intevation.org.
Escape character is '^]'.

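Problem 3
If port 873 on rsync.openvas.org is not reachable, the feeds can be installed offline: download the feed from the internet (or copy the corresponding files straight from a machine whose feeds are already updated) and copy it into the directories below. Download the OpenVAS plugin library, copy it into the directories below, and restart OpenVAS.
root@bob-Openvas:~# wget http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
/usr/local/var/lib/openvas/plugins
/usr/local/var/lib/openvas/cert-data
/usr/local/var/lib/openvas/scap-data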

Problem 4
OpenVAS log directory
root@bob-Openvas:~# ls -lh /usr/local/var/log/openvas/
total 24K
-rw-r--r-- 1 root root 1.4K 7月 29 17:39 gsad.log
-rw------- 1 root root 15K 7月 30 13:10 openvasmd.log
-rw-r--r-- 1 root root 559 7月 30 13:22 openvassd.messages
