Installing OpenVAS on Debian Squeeze

■Installing OpenVAS on Debian Squeeze

 Security auditing with OpenVAS
 http://sourceforge.jp/magazine/08/10/22/0022237

 OpenVAS Compendium
 http://packages.bluewhite-linux.com:8080/bluewhite64-12.2/security/openvas/2.0.3/openvas-compendium-1.0.1.pdf

■Package check.
 The current release is the 3.x series, so this is a little old.
 The Windows client is 1.x, so install both the server and the client.

$ apt-cache search openvas
openvas-client - Remote network security auditor, the client
libopenvasnasl2-dev - OpenVAS static libraries and headers
libopenvasnasl2 - OpenVAS shared libraries
libopenvas2-dev - remote network security auditor - static libraries and headers
libopenvas2 - remote network security auditor - shared libraries
openvas-plugins-base - remote network security auditor - basic plugins
openvas-plugins-dfsg - remote network security auditor - plugins
openvas-server-dev - remote network security auditor - static libraries and headers
openvas-server - remote network security auditor - server

■Getting as far as a report easily seems to require the GUI, so just install everything without thinking too hard about it.

$ apt-cache search openvas | awk '{print $1}' | xargs sudo apt-get install -y
$ apt-cache search openvas | awk '{print $1}' | xargs sudo apt-get build-dep -y

■Just installing it is not enough to get it running...

$ sudo /etc/init.d/openvas-server status
OpenVAS daemon is  not running.

$ apropos openvas
OpenVAS-Client (1)   - The client part of the OpenVAS Security Scanner
libopenvas-config (1) - displays compiler/linker flags for the OpenVAS libraries
openvas-adduser (8)  - add a user in the openvasd userbase
openvas-client (1)   - The client part of the OpenVAS Security Scanner
openvas-libnasl-config (1) - displays compiler/linker flags for NASL library
openvas-mkcert (8)   - Creates a server certificate
openvas-mkcert-client (1) - Creates a client certificate
openvas-mkrand (1)   - Creates a file with random bytes
openvas-nasl (1)     - Nessus Attack Scripting Language
openvas-nvt-sync (8) - updates the OpenVAS security checks
openvas-rmuser (8)   - removes a user from the openvasd userbase
openvasclient-mkcert (1) - Creates a client certificate
openvasd (8)         - The server part of the OpenVAS Security Scanner
openvasd-config (1)  - displays compiler/linker flags for the OpenVAS server

$ dpkg -l | grep -i openvas | grep ^ii | awk '{print $2}'
libopenvas2
libopenvas2-dev
libopenvasnasl2
libopenvasnasl2-dev
openvas-client
openvas-plugins-base
openvas-plugins-dfsg
openvas-server
openvas-server-dev

■The certificates were created at install time using the host name.

$ find /var/lib/openvas/CA -type f
/var/lib/openvas/CA/cacert.pem
/var/lib/openvas/CA/servercert.pem

■Creating a user
 You can choose between password and certificate authentication.
 The prompt talks about "user rules", but they are essentially IP/network restrictions.

$ sudo openvas-adduser
Login : labunix
Authentication (pass/cert) [pass] : cert
...
User rules
---------------
openvasd has a rules system which allows you to restrict the hosts that labunix has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)

■User rules are stored in a file, so they can also be edited with an editor.

$ sudo find /var/lib/openvas/users
/var/lib/openvas/users
/var/lib/openvas/users/labunix
/var/lib/openvas/users/labunix/auth
/var/lib/openvas/users/labunix/auth/rules
/var/lib/openvas/users/labunix/auth/dname
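As an added example (not from the original post), a small shell script that writes a least-privilege rules file for a user and validates it: the accept/deny/default line format is the one described in openvas-adduser(8), and USERS_DIR is an assumption so the script can run unprivileged instead of touching /var/lib/openvas/users directly.

```shell
#!/bin/sh
# Added example, not part of the original post. Writes a least-privilege
# rules file (scan only the listed networks, deny everything else) and
# checks it before openvasd reads it. USERS_DIR is an assumption: it
# defaults to a temp dir; the real location on the box above is
# /var/lib/openvas/users.
USERS_DIR="${USERS_DIR:-$(mktemp -d)}"

# write_rules USER NET...: accept the given networks, then "default deny"
write_rules() {
    user="$1"; shift
    dir="$USERS_DIR/$user/auth"
    mkdir -p "$dir"
    : > "$dir/rules"
    for net in "$@"; do
        echo "accept $net" >> "$dir/rules"
    done
    echo "default deny" >> "$dir/rules"
    chmod 600 "$dir/rules"
}

# validate_rules USER: fail on any line that is not an accept/deny with an
# IPv4 address or CIDR (the only form this example allows), a default line,
# or blank; and fail unless the file ends with an explicit "default deny".
validate_rules() {
    rules="$USERS_DIR/$1/auth/rules"
    [ -f "$rules" ] || return 1
    grep -v -E '^(accept|deny) [0-9]+(\.[0-9]+){3}(/[0-9]+)?$|^default (accept|deny)$|^$' \
        "$rules" > /dev/null && return 1
    [ "$(tail -n 1 "$rules")" = "default deny" ]
}

# Constructed example: labunix may only scan 192.168.0.0/24 and 10.0.0.0/8
write_rules labunix 192.168.0.0/24 10.0.0.0/8
validate_rules labunix && cat "$USERS_DIR/labunix/auth/rules"
```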

■Removing the user

$ sudo openvas-rmuser
Login to remove :
labunix
user removed.
$ sudo find /var/lib/openvas/users/ -type f | wc -l
0

■Re-creating the user

$ sudo openvas-adduser
Using /var/tmp as a temporary file holder.

Add a new openvasd user
---------------------------------


Login : labunix
Authentication (pass/cert) [pass] : pass
Login password :
Login password (again) :

User rules
---------------
openvasd has a rules system which allows you to restrict the hosts that labunix has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)


Login             : labunix
Password          : ***********

Rules             :


Is that ok? (y/n) [y] y
user added.

$ sudo find /var/lib/openvas/users
/var/lib/openvas/users
/var/lib/openvas/users/labunix
/var/lib/openvas/users/labunix/auth
/var/lib/openvas/users/labunix/auth/hash
/var/lib/openvas/users/labunix/auth/rules

■Checking for the rsync and md5sum commands.

$ dpkg -l | grep "rsync\|coreutils" | grep ^ii | awk '{print $2}'
coreutils
rsync

$ dpkg -L coreutils | grep 'bin/md5sum'
/usr/bin/md5sum
/usr/bin/md5sum.textutils

$ dpkg -L rsync | grep 'bin/rsync'
/usr/bin/rsync

■Installing the latest NVTs
 Note: skip this step if rsync cannot be used in your environment.

$ sudo openvas-nvt-sync
OpenVAS NVT Sync $

Configured NVT Feed: rsync://rsync.openvas.org:/nvt-feed
Synchronized into: /var/lib/openvas/plugins

Searching for required system tools ...
Synchonizing NVTs via RSYNC ...
OpenVAS feed server - http://openvas.org/
This service is hosted by Intevation GmbH - http://intevation.de/
All transactions are logged.
Please report problems to admin@intevation.de

receiving incremental file list
...

■With as many as 28418 of them, there are some ".nasl" files that cannot be loaded.
 Frankly, that is just too many lol.

$ sudo openvasd -D > openvasd_1st.log 2>&1
$ grep '\.nasl:' openvasd_1st.log | awk -F: '{print $1}' | sort -u
deb_2264_1.nasl
deb_2358_1.nasl
find_service_nmap.nasl
freebsd_acroread9.nasl
freebsd_chromium.nasl
freebsd_chromium1.nasl
freebsd_chromium12.nasl
freebsd_chromium15.nasl
freebsd_chromium17.nasl
freebsd_chromium2.nasl
freebsd_chromium6.nasl
freebsd_clamav17.nasl
freebsd_firefox59.nasl
freebsd_firefox61.nasl
freebsd_firefox63.nasl
freebsd_firefox65.nasl
freebsd_firefox66.nasl
freebsd_firefox67.nasl
freebsd_firefox68.nasl
freebsd_freetype25.nasl
freebsd_linux-f10-flashplugin.nasl
freebsd_linux-f10-flashplugin3.nasl
freebsd_linux-flashplugin17.nasl
freebsd_wireshark7.nasl
gb_VMSA-2010-0007.nasl
gb_VMSA-2010-0009.nasl
gb_VMSA-2011-0003.nasl
gb_VMSA-2011-0004.nasl
gb_VMSA-2011-0009.nasl
gb_VMSA-2012-0005.nasl
gb_VMSA-2012-0009.nasl
gb_apple_itunes_mult_vuln_sep12_win.nasl
gb_apple_safari_mult_vuln_jul12_macosx.nasl
gb_apple_safari_webkit_mult_vuln_mar12_macosx.nasl
gb_apple_safari_webkit_mult_vuln_mar12_win.nasl
gb_macosx_su10-007.nasl
gb_mandriva_MDVSA_2011_039.nasl
glsa_201206_03.nasl
secpod_ms_windows_sp_mult_vuln.nasl

■Individual scripts can also be checked as follows...

# openvas-nasl -p deb_2264_1.nasl
deb_2264_1.nasl: bad or missing signature. Will not execute this script

■For now, it is enough that 9390/tcp is listening.

$ netstat -an | grep 9390
tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN

■The client needs a GUI

$ sudo openvas-client &

■Since this is local, check the packets as follows.

$ sudo tcpdump -i lo -nv port 9390

■Global customization (optional)
 When the KB is saved, a "kbs" directory is created under the user's directory in [users].

From the [Global Settings]->[Option] tab, check the following two items.

 [General]->[Safe Check]
 [KB]->[Enable KB saving]

■Create the following "unnamedtask" task.
 The name can be changed, and [Comments] is optional.

 [task]->[New]->[unnamedtask]

■Create the following "unnamedscope" scope

 [scope]->[New]->[unnamedscope]

■The Target is presumably not localhost, so connect again
 The port scan and checks started automatically.

 [File]->[Connect]

■Save the "nessusrc" with the following.

 [Scope]->[Save As]

■Save the report in HTML format

 [Report]->[Export]->change [NBE] to [HTML], and give it a name.

■Filtering by "Type" gives an assessment like the following.
 It shows that 80 (Web) and 8080 (Proxy) need to be behind a firewall and IDS/IPS.

$ w3m -dump openvas_1st.html | grep '^[IWV]' | sort -k 1
Informational general/tcp   Squid version 2.7.STABLE9 was
Informational http (80/tcp) A web server is running on this
Informational http (80/tcp) The following directories were
Informational http (80/tcp) The remote web server type is :
Informational ndl-aas (8080
Informational ndl-aas (8080 A web server is running on this
Informational ndl-aas (8080 An HTTP proxy is running on this
Informational ndl-aas (8080 The GET method revealed those
Informational ndl-aas (8080 The remote web server type is :
Informational otp (9390/
Vulnerability ndl-aas (8080
Vulnerability ndl-aas (8080 Overview:
Vulnerability ndl-aas (8080 The proxy allows the users to
Warning       http (80/tcp) Overview:
Warning       ndl-aas (8080
Warning       ndl-aas (8080
Warning       ndl-aas (8080 Overview:
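As an added example (not from the original post), a shell snippet that turns the w3m-dumped report lines above into a per-port count of Informational/Warning/Vulnerability findings and lists the ports that carry a vulnerability; the sample lines are constructed, modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarises "w3m -dump"
# report lines per port so the exposed services stand out.

# Constructed sample, modelled on the w3m output above (fields: type,
# service name, "(port/proto)" token, start of the finding text).
SAMPLE='Informational http (80/tcp) A web server is running on this
Warning       http (80/tcp) Overview:
Informational ndl-aas (8080 An HTTP proxy is running on this
Vulnerability ndl-aas (8080 The proxy allows the users to
Warning       ndl-aas (8080 Overview:
Informational otp (9390/'

# summarise_report: stdin -> "port type count", sorted by port then type
summarise_report() {
    grep '^[IWV]' | awk '{
        # $3 is "(80/tcp)" or a truncated "(8080"; strip "(" and "/..."
        port = $3; sub(/^\(/, "", port); sub(/\/.*$/, "", port)
        count[port " " $1]++
    } END {
        for (k in count) print k, count[k]
    }' | sort -k1,1n -k2,2
}

# vuln_ports: stdin -> ports with at least one Vulnerability finding
vuln_ports() {
    summarise_report | awk '$2 == "Vulnerability" {print $1}'
}

echo "$SAMPLE" | summarise_report
echo "Ports with vulnerabilities: $(echo "$SAMPLE" | vuln_ports)"
```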