Openvas 9 - Distributed Setup

If you are responsible for a number of offices located in different regions, it's best to set up scanners in those regions to make the best use of network bandwidth. You can control all of these scanners from a single host. The following setup has worked well for me and I hope it helps you get a distributed OpenVAS setup up and running.

First, ensure you have set up OpenVAS correctly and that it is using libssh 0.7 or greater. You can follow my post on how to do this here.

Create an admin account on the newly installed remote scanner that will be used for remote administration and scanning:
  • openvasmd --create-user=newusername --role=Admin
The system will generate a unique random password. If you'd prefer to set your own password, run the following command:
  • openvasmd --new-password=my_secure_password --user=newusername
We will need the CA certificate from the remote scanner in order to set up the necessary credentials on our primary scanner. To locate the installed CA certificate, run the following:
  • openvas-manage-certs -V
OpenVAS will list the location of the installed certificates and report their status. You will need the cacert.pem file, which should be stored under /var/lib/openvas/private/CA. Copy it to the host from which you administer the primary scanner, as it is uploaded through the web interface later.

By default OpenVAS Manager does not listen for TCP connections, so you cannot connect to it remotely. To correct this, update the startup configuration for openvas-manager.
Using your favourite editor, edit /etc/init.d/openvas-manager and
update the DAEMON_ARGS line to reflect the server address and a port of your choosing (HOSTORIP below is a placeholder for the remote scanner's own address):
  • DAEMON_ARGS=" --listen=HOSTORIP --port=9393"
Restart the openvas-manager process.
  • /etc/init.d/openvas-manager restart
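The DAEMON_ARGS edit above is easy to get subtly wrong (a wildcard bind exposes the manager to every network the host sits on, and a typo in the port leaves the primary unable to connect). The following script, added here as an example and not part of the original post, rewrites that line in a copy of the init script, refuses a bind to all interfaces, and reads the result back so it can be checked before the restart; the function names and the sample address 10.0.5.12 are constructed for this example.

```shell
#!/bin/sh
# Added example: manage the DAEMON_ARGS line of /etc/init.d/openvas-manager.
# Only the init-script path and the port 9393 come from the post; the
# function names and sample values below are constructed for this example.
set -eu

# Print the DAEMON_ARGS line that should go into the init script.
build_daemon_args() {
    host="$1"; port="$2"
    # Refuse wildcard binds: the manager should only be reachable by the primary.
    case "$host" in
        0.0.0.0|::|'') echo "refusing to bind to all interfaces: '$host'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 1; }
    printf 'DAEMON_ARGS=" --listen=%s --port=%s"\n' "$host" "$port"
}

# Replace (or append) the DAEMON_ARGS line in the given init script.
set_daemon_args() {
    file="$1"; host="$2"; port="$3"
    line=$(build_daemon_args "$host" "$port") || return 1
    if grep -q '^DAEMON_ARGS=' "$file"; then
        # '|' as the sed delimiter so the line's own characters cannot collide.
        sed -i "s|^DAEMON_ARGS=.*|$line|" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Read back the address and port the script will bind to, e.g. "10.0.5.12 9393".
get_listen_target() {
    sed -n 's|^DAEMON_ARGS=" *--listen=\([^ ]*\) *--port=\([0-9]*\)"|\1 \2|p' "$1"
}

# Usage on the remote scanner (then restart the service as described above):
#   set_daemon_args /etc/init.d/openvas-manager 10.0.5.12 9393
#   get_listen_target /etc/init.d/openvas-manager
```

After the restart, confirm the manager is bound to that single address (for example with `ss -ltn`) before adding it as a scanner on the primary.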

Next, set up a new login on your primary scanner.
Go to Configuration -> Credentials and use the username/password created above.

Next, set up the scanner.
Go to Configuration -> Scanner
Click on the new scanner option (the small star icon in the top left hand corner).
Enter the necessary details, i.e. the hostname/IP address plus the port selected above, and browse to the copied cacert.pem file mentioned above.

Create the target host as you would normally. When creating the task, select the new scanner in the "Scanner" section. When the task is run manually or via a schedule, it will connect to the remote scanner, which in turn sets up the target and does the necessary scanning.

If the task is stuck on "Requested" and does not change even after refreshing the page, log on to the primary scanner and view the manager and scanner logs:
  • tail /var/log/openvas/openvasmd.log
  • tail /var/log/openvas/openvassd.messages
If there are no log entries indicating the error, log on to the slave scanner and view its logs. Normally the issue is permissions or an incorrect cacert.pem.
