ubuntu 14.04編譯安裝openvas 8

時間 2020-02-02

標籤 ubuntu 14.04 編譯安裝 openvas 欄目 Ubuntu 简体版

原文原文鏈接

去年在centos 6.4上面yum裝了openvas,結果掃描的時候，客戶端常常掛掉，囧。openvas對centos的支持很很差，在centos 6.4從新yum又安裝不上了，編譯也是各類依賴須要export。終於仍是放棄了centos 6.4，在ubuntu上編譯安裝。html

1、準備工做
前端

1. 系統環境linux

root@bob-Openvas:~# lsb_release -aweb

Ubuntu 14.04.4 LTSredis

2.安裝依賴包sql

root@bob-Openvas:~# apt-get update數據庫

root@bob-Openvas:~# apt-get install openssh-serverubuntu

root@bob-Openvas:~# apt-get install lrzszvim

root@bob-Openvas:~# apt-get install build-essential bison flex cmake pkg-config libglib2.0-0 libglib2.0-devwindows

root@bob-Openvas:~# apt-get install libgnutls-dev

root@bob-Openvas:~# apt-get install libgnutls28-dev

root@bob-Openvas:~# apt-get install libpcap0.8 libpcap0.8-dev libgpgme11 libgpgme11-dev doxygen libuuid1 uuid-dev sqlfairy xmltoman sqlite3

root@bob-Openvas:~# apt-get install libxml2-dev libxslt1.1 libxslt1-dev xsltproc libmicrohttpd-dev libsqlite3-dev rsync libldap2-dev libhiredis-dev

root@bob-Openvas:~# apt-get install libgcrypt-dev zlib1g-dev libssh-dev

3.openvas包下載

http://www.openvas.org/install-source.html

（1）libraries：openvas庫文件

openvas-libraries-8.0.7.tar.gz

（2）scanner：掃描器負責調用各類漏洞檢測插件，完成實際的掃描操做。

openvas-scanner-5.0.5.tar.gz

（3）manager：管理器負責分配掃描任務，並根據掃描結果生產評估報告。

openvas-manager-6.0.8.tar.gz

（4）gsa：前端web ui 負責提供訪問openvas服務層的web接口，便於經過瀏覽器來執行掃描任務，是使用最簡便的客戶層組件。

greenbone-security-assistant-6.0.10.tar.gz

（5）openvas-cli(命令行接口):負責提供從命令行訪問OpenVAS服務層程序。

openvas-cli-1.4.4.tar.gz

2、編譯安裝

1.安裝libraries

root@bob-Openvas:~# tar -xf openvas-libraries-8.0.7.tar.gz

root@bob-Openvas:~# cd openvas-libraries-8.0.7/

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# mkdir build

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7# cd build/

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cmake ..

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make doc-full

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# make install

root@bob-Openvas:~/openvas/openvas-libraries-8.0.7/build# cd ../../

2.安裝scanner方法同上，後面安裝方法都同樣

openvas-scanner-5.0.5.tar.gz

3.建立cert

root@bob-Openvas:~# openvas-mkcert

cert存放位置

/usr/local/var/lib/openvas/private/CA

/usr/local/var/lib/openvas/CA

4.重載libraries,重載的是libopenvas_nasl.so.8

root@bob-Openvas:~# ldconfig

5.同步nvt，nvt插件目錄。NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.

root@bob-Openvas:~# openvas-nvt-sync

...

zone_alarm_local_dos.nasl

zone_alarm_local_dos.nasl.asc

[i] Download complete

[i] Checking dir: ok

[i] Checking MD5 checksum: ok

6.安裝redis-2.8.4，scanner啓動前還須要運行一個redis服務，用於緩衝

root@bob-Openvas:~# apt-get install redis-server

root@bob-Openvas:~# netstat -lanpt |grep 6379

tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1

root@bob-Openvas:~# cp /etc/redis/redis.conf{,.bak}

root@bob-Openvas:~# /etc/init.d/redis-server stop

Stopping redis-server: redis-server.

添加下面2行,不添加後面會報錯

root@bob-Openvas:~# vim /etc/redis/redis.conf

unixsocket /tmp/redis.sock

unixsocketperm 700

root@bob-Openvas:~# /etc/init.d/redis-server start

root@bob-Openvas:~# netstat -lanpt |grep 6379

tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3602/redis-server 1

7.啓動scanner命令openvassd

scanner監聽9391端口，須要說明的是scanner啓動成功後，manager能夠扮演客戶端的角色與scanner交互，對scanner進行控制，真正的客戶端如命令行cli、webui（gsa）只能與manager進行交互，不能越過manager操做scanner。

root@bob-Openvas:~# openvassd

root@bob-Openvas:~# netstat -lanpt |grep 939

tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/ ETA: 00:40)

8.安裝manager

openvas-manager-6.0.8.tar.gz

9.manager啓動後須要與scanner通訊，scanner是服務端，manager是客戶端，在scanner的「配置與啓動」階段，咱們已經爲scanner生成了SSL相關的證書和私鑰文件，

說明manager能夠進行服務端驗證，可是scanner也要求對manager進行客戶端驗證，因此也須要爲mananger生成SSL相關的證書和私鑰文件。

10.下載scap feed.下載時間超級長，網速快的時候80分鐘，網速慢的時候可能就要一天

root@bob-Openvas:~# openvas-scapdata-sync

11.下載cert feed

root@bob-Openvas:~# openvas-certdata-sync

12.執行下面命令生成client證書和私鑰

root@bob-Openvas:~# openvas-mkcert-client -n -i

root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/private/CA

total 12

-rw------- 1 root root 3247 7月 30 16:59 cakey.pem

-rw------- 1 root root 3247 7月 30 20:08 clientkey.pem

-rw------- 1 root root 3247 7月 30 16:59 serverkey.pem

root@bob-Openvas:~# ls -l /usr/local/var/lib/openvas/CA

total 24

-rw-r--r-- 1 root root 2451 7月 30 16:59 cacert.pem

-rw------- 1 root root 7931 7月 30 20:08 clientcert.pem

-rw-r--r-- 1 root root 8229 7月 30 16:59 servercert.pem

######################################################################################################################

上述兩步也能夠經過執行openvas-mkcert-client生成證書和私鑰：

root@bob-Openvas:~# openvas-mkcert-client

而後將證書和私鑰從臨時目錄拷貝到相應目錄下

root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/key_om.pem /usr/local/var/lib/openvas/private/CA/clientkey.pem

root@bob-Openvas:~# cp /tmp/openvas-mkcert-client.4501/cert_om.pem /usr/local/var/lib/openvas/CA/clientcert.pem

######################################################################################################################

13.初始化數據庫。scanner openvassd 9391端口啓動，才能重建數據庫成功。不然報錯Rebuilding NVT cache... failed.

root@bob-Openvas:~# openvasmd --rebuild --progress -v

Rebuilding NVT cache... done.

root@bob-Openvas:~# openvasmd -p 9390 -a 127.0.0.1

root@bob-Openvas:~# netstat -lanpt |grep 939

tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd

tcp 0 0 0.0.0.0:9391

14.建立賬號bob

root@bob-Openvas:~# openvasmd --create-user=bob --role=Admin

User created with password '23c65192-2fa7-4aab-aa8d-6c9df701314c'.

15.更改賬號bob的密碼

root@bob-Openvas:~# openvasmd --user=bob --new-password=XXXXXXX

16.安裝cli，cli是一個命令行工具，做爲客戶端的omp，它能夠運行在windows或linux上

openvas-cli-1.4.4.tar.gz

17.安裝gsad

greenbone-security-assistant-6.0.10.tar.gz

18.啓動gsad。經過設置IP地址爲0.0.0.0使服務能夠經過其餘機器進行訪問

root@bob-Openvas:~# gsad --listen=0.0.0.0 -p 9392

root@bob-Openvas:~# netstat -lanpt |grep 939

tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 4836/openvasmd

tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3949/openvassd: Wai

tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 5580/gsad

19.安裝nmap-5.51.tar.bz2

gsad日誌報錯，掃描沒有任何結果。是由於nmap沒安裝

root@bob-Openvas:~# ./configure && make && make install

20.導出pdf格式報告須要安裝texlive-full

root@bob-Openvas:~# apt-get install texlive-full

21.下載腳本測試

root@bob-Openvas:~# wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate

root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server

openvas-check-setup 2.3.3

Test completeness and readiness of OpenVAS-8

(add '--v6' or '--v7' or '--v9'

if you want to check for another OpenVAS version)

Please report us any non-detected problems and

help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Step 1: Checking OpenVAS Scanner ...

OK: OpenVAS Scanner is present in version 5.0.5.

OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.

OK: redis-server is present in version v=2.8.4.

OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock

OK: redis-server is running and listening on socket: /tmp/redis.sock.

OK: redis-server configuration is OK and redis-server is running.

OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 38966 NVTs.

WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.

SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).

OK: The NVT cache in /usr/local/var/cache/openvas contains 38966 files for 38966 NVTs.

Step 2: Checking OpenVAS Manager ...

OK: OpenVAS Manager is present in version 6.0.8.

OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.

OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.

OK: Access rights for the OpenVAS Manager database are correct.

OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.

OK: OpenVAS Manager database is at revision 146.

OK: OpenVAS Manager expects database at revision 146.

OK: Database schema is up to date.

OK: OpenVAS Manager database contains information about 38966 NVTs.

OK: At least one user exists.

OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.

OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.

OK: xsltproc found.

Step 3: Checking user configuration ...

WARNING: Your password policy is empty.

SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.

Step 4: Checking Greenbone Security Assistant (GSA) ...

OK: Greenbone Security Assistant is present in version 6.0.10.

Step 5: Checking OpenVAS CLI ...

OK: OpenVAS CLI version 1.4.4.

Step 6: Checking Greenbone Security Desktop (GSD) ...

SKIP: Skipping check for Greenbone Security Desktop.

Step 7: Checking if OpenVAS services are up and running ...

OK: netstat found, extended checks of the OpenVAS services enabled.

OK: OpenVAS Scanner is running and listening on all interfaces.

OK: OpenVAS Scanner is listening on port 9391, which is the default port.

OK: OpenVAS Manager is running and listening on all interfaces.

OK: OpenVAS Manager is listening on port 9390, which is the default port.

OK: Greenbone Security Assistant is running and listening on all interfaces.

OK: Greenbone Security Assistant is listening on port 9392, which is the default port.

Step 8: Checking nmap installation ...

OK: nmap is present in version 5.51.

Step 10: Checking presence of optional tools ...

OK: pdflatex found.

OK: PDF generation successful. The PDF report format is likely to work.

OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.

OK: rpm found, LSC credential package generation for RPM based targets is likely to work.

OK: alien found, LSC credential package generation for DEB based targets is likely to work.

OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation

and help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

22.web訪問openvas,ubuntu 14.04裝出來是英文界面

https://127.0.0.1:9392

3、開機自啓動openvas腳本。由於是編譯安裝的，開機不會自啓動，寫了個小腳本

openvas開機自啓動

root@bob-Openvas:~# vim /home/bob/openvas_server_start.sh

#!/bin/bash

/usr/local/sbin/openvassd

/usr/local/sbin/openvasmd -p 9390 -a 127.0.0.1

/usr/local/sbin/gsad --listen=0.0.0.0 -p 9392

4、安裝中遇到的問題以及解決辦法

問題1

root@bob-Openvas:~# /root/openvas/openvas-check-setup --v8 --server

ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock

FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock

ERROR: The number of NVTs in the OpenVAS Manager database is too low.

FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.

ERROR: No OpenVAS SCAP database found. (Tried: /usr/local/var/lib/openvas/scap-data/scap.db)

FIX: Run a SCAP synchronization script like openvas-scapdata-sync or greenbone-scapdata-sync.

問題2

測試rsync.openvas.org 873端口是否是通的，通了以後才能執行openvas-nvt-sync openvas-scapdata-sync greenbone-scapdata-sync

root@bob-Openvas:~# telnet rsync.openvas.org rsync

Trying 78.47.251.61...

Connected to openvas-feed.intevation.org.

Escape character is '^]'.

問題3

若是rsync.openvas.org 873端口不通，能夠離線安裝，在網上下載feed以後（直接到已經更新了資源的機器上拷貝對應的文件到本身機器上），拷貝到這些目錄便可

openvas插件庫下載，拷貝到下面目錄，重啓openvas

root@bob-Openvas:~# wget http://www.openvas.org/openvas-nvt-feed-current.tar.bz2

/usr/local/var/lib/openvas/plugins

/usr/local/var/lib/openvas/cert-data

/usr/local/var/lib/openvas/scap-data

問題4

openvas日誌目錄

root@bob-Openvas:~# ls -lh /usr/local/var/log/openvas/

total 24K

-rw-r--r-- 1 root root 1.4K 7月 29 17:39 gsad.log

-rw------- 1 root root 15K 7月 30 13:10 openvasmd.log

-rw-r--r-- 1 root root 559 7月 30 13:22 openvassd.messages

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。