
Turning a Raspberry Pi into a security scanner (OpenVAS8 on raspbian-jessie)

More than 3 years have passed since last update.

I built and installed OpenVAS8 on raspbian-jessie.
It mostly follows the reference sites, but I added a few steps.

Reference: https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=57820
Reference: http://serenity-networks.com/how-to-install-openvas-8-on-ubuntu-14-04-to-run-vulnerability-scans-pen-tests/

I saved the (almost) raw log of the build procedure here, for your reference.
https://gist.github.com/moperon/624cded51a0740c7c54acc86c9707aeb

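0. Preparation

  • A microSD card of 16 GB or more

"Setting up a Raspberry Pi and turning it into a NAS with openmediavault"
http://qiita.com/moperon/items/80bab1c00791090fd6ed
Follow the procedure in that article and restore the image taken in "11. System backup" to the microSD card.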

1. Install the required packages

$ sudo apt-get install cmake nmap

2. Download the source code

Refer to http://www.openvas.org/install-source.html
and download the latest versions. The versions below are as of 2016/9/26.

$ cd ~
$ mkdir openvas
$ cd openvas
$ wget http://wald.intevation.org/frs/download.php/2351/openvas-libraries-8.0.8.tar.gz
$ wget http://wald.intevation.org/frs/download.php/2367/openvas-scanner-5.0.7.tar.gz
$ wget http://wald.intevation.org/frs/download.php/2359/openvas-manager-6.0.9.tar.gz
$ wget http://wald.intevation.org/frs/download.php/2363/greenbone-security-assistant-6.0.11.tar.gz
$ wget http://wald.intevation.org/frs/download.php/2332/openvas-cli-1.4.4.tar.gz
$
$ tar zxvf openvas-libraries-8.0.8.tar.gz
$ tar zxvf openvas-scanner-5.0.7.tar.gz
$ tar zxvf openvas-manager-6.0.9.tar.gz
$ tar zxvf greenbone-security-assistant-6.0.11.tar.gz
$ tar zxvf openvas-cli-1.4.4.tar.gz

3. Build

Build all of the downloaded source code.
This part did not take much time.

3.1 openvas-libraries

$ sudo apt-get install libgnutls28-dev libglib2.0-dev libssh-dev libpcap-dev libhiredis-dev libgpgme11-dev libgcrypt20-dev uuid-dev libldap2-dev bison doxygen
$ cd openvas-libraries-8.0.8
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ make rebuild_cache
$ sudo make install
$ cd ../../

3.2. openvas-scanner

$ cd openvas-scanner-5.0.7
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ make rebuild_cache
$ sudo make install
$ cd ../../

3.3. openvas-manager

$ sudo apt-get install libsqlite3-dev xmltoman
$ cd openvas-manager-6.0.9
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ make rebuild_cache
$ sudo make install
$ cd ../../

3.4. greenbone-security-assistant

$ sudo apt-get install libmicrohttpd-dev libxml2-dev libxslt1-dev gettext xsltproc
$ cd greenbone-security-assistant-6.0.11
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ make rebuild_cache
$ sudo make install
$ cd ../../

3.5. openvas-cli

$ cd openvas-cli-1.4.4
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install
$ make rebuild_cache
$ sudo make install
$ cd ../../

4. Setup

4.1. Create the certificates

$ sudo openvas-mkcert

Answer the prompts as appropriate.

-------------------------------------------------------------------------------
            Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.


CA certificate life time in days [1460]:36500
Server certificate life time in days [365]: 36500
Your country (two letter code) [DE]: JP
Your state or province name [none]:
Your location (e.g. town) [Berlin]: Tokyo
Your organization [OpenVAS Users United]:
-------------------------------------------------------------------------------
            Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
   Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
   Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
    Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
    Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

4.2. Update the data feeds and start the services

The steps here take an extremely long time because they download and update a large amount of data.

Update the NVTs.

$ sudo openvas-nvt-sync

Start the scanner service.

$ sudo openvassd
$ watch 'ps -ef | grep openvas'
Every 2.0s: ps -ef | grep openvas                                                  Tue Sep 27 23:04:58 2016

root     20064     1 95 22:57 ?        00:07:07 openvassd: Reloaded 15250 of 49416 NVTs (30% / ETA: 16:39)
root     20065 20064  0 22:57 ?        00:00:00 openvassd (Loading Handler)
<snip />

Wait until "(Loading Handler)" becomes "Waiting for incoming connections".

root     20064     1 94 22:57 ?        00:28:47 openvassd: Waiting for incoming connections

Update the SCAP and CERT data.

$ sudo apt-get install sqlite3
$ sudo openvas-scapdata-sync
$ sudo openvas-certdata-sync

Create the client certificate.

$ sudo openvas-mkcert-client -n -i
$

Create a user. Save the password separately.

$ sudo openvasmd --create-user=admin --role=Admin
User created with password 'some long string'.
$

4.3. Start openvas-manager and the web service

$ sudo openvasmd --rebuild --progress
Rebuilding NVT cache... done.
$ sudo openvasmd
$ sudo gsad --http-only
$

4.4. Install redis-server

$ sudo apt-get install redis-server
$ sudo sh -c 'echo "unixsocket /tmp/redis.sock" >> /etc/redis/redis.conf'
$ sudo service redis-server restart

4.5. Generate and import the RSA key

This step was not in the reference sites, but I added it because openvas-check-setup reported an error.

Reference 1: http://www.openvas.org/trusted-nvts.html
Reference 2: http://www.shigemk2.com/entry/20130102/1357116371

$ sudo apt-get install rng-tools
$ sudo gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key
$ wget http://www.openvas.org/OpenVAS_TI.asc
$ sudo gpg --homedir=/usr/local/etc/openvas/gnupg --import OpenVAS_TI.asc

Check the ID of the imported key and sign it.

$ sudo gpg --homedir=/usr/local/etc/openvas/gnupg --list-keys
$ sudo gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530
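
OpenVAS_TI.asc is fetched over plain HTTP above, so it is worth confirming which key the short ID 48DB4530 actually refers to before running --lsign-key. The following is an added example, not part of the original article: a hypothetical helper, fingerprint_for_short_id, that reads gpg's colon-format listing and returns the full fingerprint only when exactly one key in the keyring carries that short ID. The sample listing, its long key IDs and its fingerprints are constructed.

```shell
#!/bin/sh
# Added example: resolve a short key ID to one full fingerprint before
# signing it. Feed it the keyring listing, for instance:
#   sudo gpg --homedir=/usr/local/etc/openvas/gnupg \
#        --with-colons --with-fingerprint --list-keys
# Exit status: 0 and the fingerprint on stdout if exactly one key matches,
# 1 if no key matches, 2 if several keys share the short ID.
fingerprint_for_short_id() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 == "pub" {
            # field 5 is the 16-hex long key ID; the short ID is its tail
            id = toupper($5)
            hit = (substr(id, length(id) - 7) == want)
            if (hit) matches++
            next
        }
        # the fpr record after a pub record carries that key fingerprint
        $1 == "fpr" && hit { fpr = $10; hit = 0 }
        $1 == "sub" { hit = 0 }
        END {
            if (matches == 0) exit 1
            if (matches > 1) exit 2
            print fpr
        }'
}

# Constructed listing: the locally generated key plus one imported key.
SAMPLE_KEYS='pub:-:2048:1:1111222233334444:2016-09-27:::u:constructed local key::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
pub:-:1024:17:0123456748DB4530:2007-01-01:::-:constructed imported key::scSC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB0123456748DB4530:
sub:-:2048:16:9999888877776666:2007-01-01::::::e:'

printf '%s\n' "$SAMPLE_KEYS" | fingerprint_for_short_id 48DB4530
```

A matching short ID is only a sanity check, because 8 hex digits can be collided; compare the printed fingerprint with one obtained through a channel you trust, and treat exit status 2 as a reason to stop.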

4.6. Check the setup result

Run openvas-check-setup; if there are no errors, it is more or less OK.

$ wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
$ chmod +x openvas-check-setup
$ sudo ./openvas-check-setup
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 5.0.7.
        OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=2.8.17.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 49416 NVTs.
        OK: Signature checking of NVTs is enabled in OpenVAS Scanner.
        OK: The NVT cache in /usr/local/var/cache/openvas contains 49416 files for 49416 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 49416 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
        OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI ...
        OK: OpenVAS CLI version 1.4.4.
Step 6: Checking Greenbone Security Desktop (GSD) ...
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening only on the local interface.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        WARNING: OpenVAS Manager is running and listening only on the local interface.
        This means that you will not be able to access the OpenVAS Manager from the
        outside using GSD or OpenVAS CLI.
        SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want
        a local service only.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: Greenbone Security Assistant is running and listening on all interfaces.
        OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        WARNING: Could not find rpm binary, LSC credential package generation for RPM and DEB based targets will not work.
        SUGGEST: Install rpm.
        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
        SUGGEST: Install nsis.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

$
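
The output above is long, and the lines that matter for exposure are easy to miss among the OKs. The following is an added example, not part of the original article or of openvas-check-setup: a hypothetical filter, triage_check_setup, that reduces the output to its warnings, their suggestions, and any service reported as listening on all interfaces. It assumes failures appear as "ERROR:" lines in the same layout; the sample is an excerpt of the output shown above.

```shell
#!/bin/sh
# Added example: condense openvas-check-setup output (stdin) into findings.
# Assumption: failures are reported as "ERROR:" lines, like WARNING/SUGGEST.
# Exit status is 1 if any ERROR line was seen, otherwise 0.
triage_check_setup() {
    awk '
        /^Step [0-9]+:/ { step = $0; sub(/ \.\.\.$/, "", step); next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^(WARNING|ERROR):/ {
            kind = line; sub(/:.*/, "", kind)
            if (kind == "ERROR") errors++; else warnings++
            print kind " [" step "] " substr(line, length(kind) + 3)
            next
        }
        line ~ /^SUGGEST:/ { print "    -> " substr(line, 10); next }
        # A service bound to every interface is reported as OK by the tool,
        # but it is the line that decides who on the network can reach it.
        line ~ /^OK:.*listening on all interfaces/ {
            exposed++
            print "EXPOSED [" step "] " substr(line, 5)
        }
        END {
            printf "summary: %d error(s), %d warning(s), %d exposed\n",
                   errors, warnings, exposed
            exit (errors > 0)
        }'
}

# Excerpt of the check-setup output shown above.
SAMPLE_LOG='Step 3: Checking user configuration ...
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 7: Checking if OpenVAS services are up and running ...
        OK: OpenVAS Scanner is running and listening only on the local interface.
        WARNING: OpenVAS Manager is running and listening only on the local interface.
        SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want
        OK: Greenbone Security Assistant is running and listening on all interfaces.
        OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.'

printf '%s\n' "$SAMPLE_LOG" | triage_check_setup
```

On this installation the finding to act on is the EXPOSED line: gsad was started with --http-only and listens on all interfaces on port 80, so the admin login crosses the network in cleartext. The Manager warning, by contrast, describes the more restrictive setting.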

4.7. Install texlive

At this point, install tex-live. A staggering number of extra packages get installed.

$ sudo apt-get install texlive-full

4.8. Install the startup scripts

$ wget http://www.serenity-networks.com/files/openvas-startupscripts-v8.tar.gz
$ tar zxvf openvas-startupscripts-v8.tar.gz
$ cd openvas-startupscripts-v8
$ sudo cp etc/* /etc/ -arvi
$ sudo chkconfig --level 2345 openvas-manager on
$ sudo chkconfig --level 2345 openvas-scanner on
$ sudo chkconfig --level 2345 greenbone-security-assistant on
$

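4.9. Log in to Greenbone Security Assistant

Go to http://\<IP address of the Raspberry Pi\>/ and a nice site appears, so log in.
The ID is the user created way back with the openvasmd --create-user command. The password is the long string displayed at that time.

Once you have logged in successfully, change the password.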

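5. Impressions

5.1. Time taken to build

It took an enormous amount of time.
Partly because I was doing this at home around a demanding day job, it took a full 6 days. I ran into a "could my Raspberry Pi's eth0 be way too slow?" situation and am still struggling with idyllic, ISDN-level download speeds. If anyone knows a fix, please let me know.

5.2. About the procedure

This procedure was put together while troubleshooting along with the reference sites, so I don't think it is the optimal one. There are surely smarter ways to do it, but so be it.

5.3. About microSD capacity

I originally thought it would fit in 8 GB, but it went over 8 GB while installing texlive. So a 16 GB microSD card is the safe choice. After apt-get autoremove && apt-get clean, usage finally settled at the following.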

$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        15G  6.6G  6.8G  50% /

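5.4. Time taken to start up

After rebooting the Raspberry Pi, you cannot start a scan until openvas-scanner has finished starting up. It comes up in roughly 8 minutes (on an RPi2), so wait patiently.

5.5. The problem of openvassd never reaching Waiting for incoming connections

I ran into a case where a scan started from Greenbone Security Assistant made no progress at all. Checking with ps shows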

$ ps -ef | grep openvassd
root       434     1 17 20:57 ?        00:06:50 openvassd: Reloaded all the NVTs.
$

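this. The expected state is "Waiting for incoming connections", so it does not appear to be working properly.

After some googling, I was able to work around it by connecting to redis and deleting the key. See the reference link for details.

Reference: https://forums.kali.org/showthread.php?29682-Openvas-Reloaded-all-the-NVTs-issue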

$ sudo redis-cli -s /tmp/redis.sock
[sudo] password for zodiac:
redis /tmp/redis.sock> keys *
1) "OpenVAS.__GlobalDBIndex"
redis /tmp/redis.sock> del OpenVAS.__GlobalDBIndex
(integer) 1
redis /tmp/redis.sock> keys *
(empty list or set)
redis /tmp/redis.sock> exit
$ sudo service openvas-scanner restart
$
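
A scripted version of the wait described in 4.2, 5.4 and 5.5, as an added example that is not part of the original article: it reads the openvassd process title instead of watching ps by hand, and distinguishes a scanner that is still loading from one that stays at "Reloaded all the NVTs." past a deadline. list_procs, scanner_state and wait_for_scanner are hypothetical names; the sample titles are taken from the ps output above with the leading columns removed.

```shell
#!/bin/sh
# Added example: decide from process titles whether openvassd accepts scans.
list_procs() { ps -eo args; }   # kept separate so it can be replaced in tests

# Reads process titles on stdin, prints: ready | reloaded | loading | not-running
# Patterns are anchored at line start so that this awk process, whose own
# command line contains the same words, never matches itself.
scanner_state() {
    awk '
        /^openvassd: Waiting for incoming connections/ { ready = 1 }
        /^openvassd: Reloaded all the NVTs/            { reloaded = 1 }
        /^openvassd: Reloaded [0-9]+ of [0-9]+ NVTs/   { loading = 1 }
        END {
            if (ready)         print "ready"
            else if (reloaded) print "reloaded"
            else if (loading)  print "loading"
            else               print "not-running"
        }'
}

# wait_for_scanner TIMEOUT_SECONDS [POLL_SECONDS]
# Returns 0 once the scanner is ready, 2 if the deadline passes while it sits
# at "Reloaded all the NVTs." (the case in 5.5), 1 for any other timeout.
wait_for_scanner() {
    timeout=$1 poll=${2:-10} waited=0
    while :; do
        state=$(list_procs | scanner_state)
        [ "$state" = ready ] && return 0
        if [ "$waited" -ge "$timeout" ]; then
            [ "$state" = reloaded ] && return 2
            return 1
        fi
        sleep "$poll"
        waited=$((waited + poll))
    done
}

# Process titles from the ps output shown above (args column only).
SAMPLE_PS='openvassd: Reloaded 15250 of 49416 NVTs (30% / ETA: 16:39)
openvassd (Loading Handler)'

printf '%s\n' "$SAMPLE_PS" | scanner_state
```

With the roughly 8 minute start-up reported for the RPi2, a call such as wait_for_scanner 900 leaves some margin; a return status of 2 is the point at which to apply the redis key deletion shown above.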

Happy scanning.
