OpenVas 4.0 was released at the end of March, I have been busy and have not had a chance to fire up the production release. Today I built it from source using one of my test VPS servers. What follows is a quick summary of the process. I think I covered all the steps, however if you are not sure what you are doing you might want to test the Virtual Server or live cd version or try building this on a test Ubuntu virtual build that takes about 10 mins to get going (VirtualBox rocks – “apt-get install virtualbox-ose”).
Lets get going, we are going to build a server version from source on Ubuntu 10.04 LTS, will give 11.04 a go in the near future. These packages should get you going.
apt-get install build-essential cmake doxygen uuid libgpgme11 libgpgme11-dev libpcap0.8-dev libpcap0.8 uuid-dev pkg-config libglib2.0* autoconf libgnutls-dev bison sqlite3 libsqlite3-dev xsltproc libxslt1-dev libmicrohttpd-dev xmltoman
Information for getting the wmi library built is here, the following is a fast summary.
wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2 tar xjvf wmi-1.3.14.tar.bz2 To enable the WMI integration in OpenVAS, a patch needs to be applied to the source you just downloaded. wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch Copy the patch to the wmi-1.3.14 directory you just created and apply the patch with the following command: $ patch -p1 < openvas-wmi-1.3.14.patch In the wmi-1.3.14 directory, execute the following commands: cd Samba/source ./autogen.sh ./configure make proto all make libraries bash install-libwmiclient.sh Now we should be good to go on the main application building.wget http://wald.intevation.org/frs/download.php/862/openvas-scanner-3.2.3.tar.gz wget http://wald.intevation.org/frs/download.php/871/openvas-manager-2.0.4.tar.gz wget http://wald.intevation.org/frs/download.php/853/openvas-administrator-1.1.1.tar.gz wget http://wald.intevation.org/frs/download.php/857/greenbone-security-assistant-2.0.1.tar.gz wget http://wald.intevation.org/frs/download.php/860/gsd-1.1.1.tar.gz wget http://wald.intevation.org/frs/download.php/851/openvas-cli-1.1.2.tar.gz tar zxvf openvas-cli-1.1.2.tar.gz tar zxvf openvas-libraries-4.0.5.tar.gz tar zxvf openvas-manager-2.0.4.tar.gz tar zxvf openvas-scanner-3.2.3.tar.gz tar zxvf openvas-administrator-1.1.1.tar.gz cd openvas-libraries-4.0.5 cmake . make make install cd openvas-scanner-3.2.3 cmake . make make install cd openvas-cli-1.1.2 cmake . make make install cd openvas-administrator-1.1.1 cmake . make make install cd greenbone-security-assistant-2.0.1 cmake . make make install ldconfig
Run the initial commands build your certificate and create an openvas user.
openvas-mkcert openvas-adduser openvas-nvt-sync < plugins scroll by -- snip > [i] Download complete [i] Checking dir: ok [i] Checking MD5 checksum: ok openvassd Loading the plugins... 8058 (out of 21431)
Looking good so far.
There are a lot of components to this installation. There is a handy script that checks your OpenVas configuration for problems. Download it, save as openvas-check.sh and run it.
wget http://wald.intevation.org/plugins/scmsvn/viewcvs.php/*checkout*/trunk/tools/openvas-check-setup?root=openvas -O openvas-check.sh ./openvas-check.sh openvas-check-setup 2.0.6 Test completeness and readiness of OpenVAS-4 Please report us any non-detected problems and help us to improve this check routine: http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem. Use the parameter --server to skip checks for client tools like GSD and OpenVAS-CLI. Step 1: Checking OpenVAS Scanner ... OK: OpenVAS Scanner is present in version 3.2.3. OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem. OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 21431 NVTs. Step 2: Checking OpenVAS Manager ... OK: OpenVAS Manager is present in version 2.0.4. OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem. ERROR: No OpenVAS Manager database found. (Tried: /usr/local/var/lib/openvas/mgr/tasks.db) FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running. ERROR: Your OpenVAS-4 installation is not yet complete! Please follow the instructions marked with FIX above and run this script again. If you think this result is wrong, please report your observation and help us to improve this check routine: http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
Notice how the check script detects the problem and prompts you with a fix.
We still have an error in openvas-check.sh results, but this is because we have not built the GSD (Greenbone security desktop). We are not building the desktop client as this is a remote server.
openvasd gsad openvasmd
This should start up the services. The Greenbone Security Assistant runs on 80 and 443. You can use command line options force ssl. I have done some initial testing and have to say its impressive. Fast, responsive and intuitive – unlike Nessus and its flash based web gui that I find to be clunky and difficult to manage.
Version 4.0 of OpenVas is good at this stage. I will definitely have to do more testing and look at migrating our version 3 based online scanning solution to version 4.