Hello, the OpenVAS community is proud to announce the release of OpenVAS-7!

April 25th, 2014 - OpenVAS-7 released: Unified Severity Concept and Access Control Management

Following the annual release cycle, the new generation of OpenVAS [1] has been released. The new version of the open framework for vulnerability scanning and management, OpenVAS-7, introduces a comprehensively extended and improved feature set. The main advances were made in three domains: improvements to the user interface for power users as well as for beginners, access control, and module architecture improvements.

Highlights of this new release are object tagging, the replacement of the threat view by the severity view, and a new report browser. Another major change is the introduction of access control with groups, roles and permissions. On the architectural side two modules were dropped: the Administrator has been merged into the Manager, and the desktop client GSD has been dropped in favor of focusing on web client advances. All in all OpenVAS-7 ships 37 new and improved features, accompanied by countless smaller changes.

The systematic improvements and the reliable release of one major update every twelve months once again underline the position of OpenVAS as the most advanced Open Source solution for vulnerability management. The new version can be downloaded free and is available as Free Software under the GNU GPL license.

The company Greenbone Networks [2] develops and uses OpenVAS as a base for its appliance product family for vulnerability scanning and management. Together with the company SecPod [3] and the growing community, new vulnerability tests and feature improvements are developed on a daily basis. The German Federal Office for Information Security (BSI) [4] supports and utilizes OpenVAS, together with many other federal agencies, as part of their IT security framework.

OpenVAS-7 can be experienced live at the Linuxtag Conference and Exhibition in Berlin (Germany) [5] from 8th to 10th of May 2014 at the BSI booth.

Access Control:

* Groups: For access permissions users can now be associated with Groups. The web interface allows full management of these groups for users with the Administrator role.
* Roles: Roles are now freely configurable and users can be associated with roles. A new pre-configured role "Info" was added.
* Permissions: Under menu "Configuration" there is now a new item "Permissions". Here the user has a convenient overview of all of his access permissions and opportunities to manage them.

Scanning:

* Alive-Test (Up-Test, Ping-Test): The type of test that determines whether a system is active is now adjustable as a property of the object "Target". This means it can be changed without the need to change Tasks or Scan Configurations. Possible methods are the same as before: ICMP, TCP and ARP.
  * The default setting for the Alive-Test changes from ICMP&TCP&ARP to just ICMP. Hence it can happen that results change for some of your Tasks because some systems are not regarded as alive anymore. But in most cases where larger IP ranges are scanned, the scan duration will drop significantly while getting the same results. However, you do not need to change a Scan Configuration or Task to get back to the previous state; you just need to adjust the Alive-Test method for the respective Target.
* New pre-configured Scan Configuration "Host Discovery". This Scan Configuration simply searches for real systems for the given target addresses. No vulnerability tests are executed. The result is just a list of hosts that are regarded as active.
* New pre-configured Scan Configuration "System Discovery". This Scan Configuration applies any NVTs that discover operating system types and/or hardware device types. No vulnerability tests are executed. The main result is an overview of the found operating systems and devices.
* New pre-configured Scan Configuration "Discovery". This Scan Configuration applies any NVTs that discover as many details about the target system, installed services and applications, as possible. No vulnerability tests are executed.
* Tasks: The new class "Alterable Task" allows changing Target and Scan Config even if there are already reports for this task. This allows having a playground task that is not designed to grant consistency between its reports.
* Problems with DNS resolving during scan: Each failed resolving of a target system name is now listed in section "Errors" of the report browser.
* The Scanner preference "silent_dependencies" was removed. It was reducing the number of reported results to only those NVTs that were explicitly selected. This is not necessary anymore because the filtering can now take care of reducing results. Furthermore, incomplete reports without log information do not offer adequate transparency.
  * In case you applied Scan Configurations that were using this preference, you will get more (all) results now in new reports.
  * Note that when using one of the pre-defined Scan Configurations you will see no changes because these were explicitly selecting all the NVTs.
* The Scanner preference "host_expansion" was removed. Its purpose was to automatically expand the target hosts. This functionality should not be done by a Scanner, especially because it can lead to unforeseeable expansions.
  * Using one of the pre-defined Scan Configurations or derived ones, no changes of the behavior will happen.
* The Scanner will not create explicit results for detected ports anymore. These results had no reference to NVTs and were redundant anyway. An overview of the detected ports is already provided by other NVTs as log information. Additionally the new user interface even offers an explicit tabular overview of identified ports as part of the new report browser.

Vulnerability Management:

* Severity replaces Threat: The concept of Threat Classes is extended to the Severity concept where the severity is not just a class but also contains a specific CVSS value. The CVSS value of a Severity is always the highest occurring CVSS value in the corresponding scan results. This allows a higher granularity in the view and for example improves sorting. This means comprehensive changes for the whole application:
  * Task Overview: In the past only the Threat level was stored for Tasks. Because old tasks covered results with only threat level and no CVSS level, the migration will use old rules of attaching a threat level and therefore insert the maximum of the respective level. This means that the Severity may show a higher CVSS value than the highest value actually present in the results. But this guarantees that the threat level will remain the same. The following values are therefore applied during the migration: High: 10.0, Medium: 5.0, Low: 2.0. Of course for new scans the exact values as occurring in the results are applied.
  * Task-Details: For the list of reports of a task the very same changes and migration rule are applied as for the Task Overview.
  * Notes: The distinction of High, Medium, Low is dropped and the migration will place all results into one class. This prevents notes from becoming invisible when NVTs are updated.
  * Overrides: The distinction of High, Medium, Low is dropped and the migration will place all results into one class. This prevents overrides from becoming invisible when NVTs are updated.
    * Furthermore, the New Severity is no longer just a threat level but rather a CVSS value. Old overrides with just a threat level are migrated with the same scheme as the Tasks and Reports (see above).
* Tags: The new configuration object class "Tag" allows attaching short texts to almost any other object. These texts are available to filtering and are included in export files. This enables the user to create thematic groups or attach arbitrary attributes to objects.
* Reports: Under menu "Scan Management" there is now an overview of any available scan report, regardless of the relation to a task. The powerfilter is available here as well.
  * This new view replaces the report list in the task details dialog. Suitable filters are set automatically.
* Search interface for all objects of the SecInfo Management: Via the new menu item "All SecInfo" it is possible to search for keywords and with other methods of the Powerfilter through almost 300.000 objects of various types.
* The web interface is extended with multi-lingual support and translated into German.
* Support for alternative faces of the web interface has been added, including a sample one in German (IT Schwachstellenampel).
* Integrated online CVSS calculator: Under menu "Extras/CVSS Calculator" a form is available that supports calculating a CVSS value.
* Reports: The browser for the report view was entirely reworked and split up into multiple sections, each with a page of its own. Many changes and extensions were applied.
  * Attention: The changes are significant regarding the default view and regarding the powerfilter. Older stored powerfilters for reports may not work anymore and need to be recreated.
* Reports: Users can now individually configure the severity class ranges (High, Medium, Low) for the results view.
  * Attention: The predefined class range is now the one of NIST. Therefore the colors in the view can change for old results and filters may return different results. If you want to switch back to the old behavior, just enter "My Settings" and select "OpenVAS Classic" for severity classes.
* Powerfilter: The powerfilter now offers an expand/collapse functionality in order to offer a regular dialog that is equivalent to the content of the filter string. Dialog and filter string are automatically mutually synchronized.
* Target: It is now possible to reduce the selected range of target systems via some rules. This includes an exclude list, reduction of double entries via Reverse Lookup and making Reverse Lookup obligatory.
* Host access rules: More opportunities to deny or allow scan of host for each user, for example hostnames, can now also be applied.
* Interface access rules: This new feature allows on the one hand to specify a special interface (like "eth1") for each task. On the other hand it is possible to express rules to allow or deny access to interfaces for each user.
* Reports: The port information is now extended with the current IANA service name that is registered for this port.
* New predefined Report Format Plugin "CSV Results": Comma-separated text table of single results.
* New pre-defined Report Format Plugin "CSV Hosts": Comma-separated text table of result overview for each target system.
* Tasks: It is now possible to configure the order in which the target hosts are scanned: Sequential (like before), reverse and random.
* Task Details: The list of reports is now handled via the new object management. This also adds the powerfilter to this page.
* Notes/Overrides: The actual note text is now used as identifier in the list instead of the NVT name.
* Web-GUI: Consistent access to object details always via identifier in first column. The redundant button for Details is therefore removed from the set of Actions.
* OVAL Definitions: The overview as well as the details dialog for OVAL Definitions has been reworked.

Protocols:

* OMP now in version 5.0
* OAP dropped. Most functionality moved to OMP.
* User management is made available via OMP.
* Feed management is made available via OMP.
* OTP has been cut down to essentials. This was a first step towards replacing OTP by a superior protocol "OSP" eventually.

Architecture:

* OpenVAS Administrator was dropped. Most functionality went into OpenVAS Manager.
* No support for Greenbone Security Desktop anymore.
* OpenVAS Scanner and OpenVAS Manager react to SIGHUP by reloading configs.

Downloads:

* Source Codes: http://www.openvas.org/install-source.html
* Binary installation packages (Upcoming!): http://www.openvas.org/install-packages.html
* Virtual Appliance (Upcoming!): http://www.openvas.org/vm.html

Compatibility and migration:

* The OpenVAS NVT Feed will be extended with tests that take advantage of the network scan feature but fully keep the behaviour for previous releases.
* The OpenVAS Manager has a migration option for updating an OpenVAS Manager 4.0 (OpenVAS-6) SQL database. But there is no support to downgrade the database back to 4.0.
  * It is highly recommended to test and verify a migration only with a full backup.
* For updating your own OMP client applications, please refer to the OMP 5.0 documentation section about compatibility changes.
* For upgrades from old OpenVAS-5, please also refer to the OpenVAS-6 announcement.

References:

[1] OpenVAS: http://www.openvas.org/
[2] Greenbone: http://www.greenbone.net/
[3] SecPod: http://www.secpod.com/
[4] BSI: https://www.bsi.bund.de//
[5] Linuxtag: http://www.linuxtag.org/2014/en.html

Best regards

Jan-Oliver Wagner

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
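
The migration rule under "Severity replaces Threat" and the switch of the predefined class ranges to NIST can be checked side by side. The following is an added example, not part of the announcement and not OpenVAS code: the function names are hypothetical, the sample scores are constructed, and the class thresholds are an assumption (the announcement names the "OpenVAS Classic" and NIST schemes but does not list their ranges).

```python
# Added illustration, not OpenVAS code.
# Migration values stated in the announcement: each old threat class is
# stored as the maximum CVSS value of that class.
MIGRATED_CVSS = {"High": 10.0, "Medium": 5.0, "Low": 2.0}

# ASSUMPTION: lower bound of each class per scheme; the announcement does
# not list these ranges. A score of 0.0 is treated as "Log".
CLASS_LOWER_BOUNDS = {
    "classic": (("High", 5.1), ("Medium", 2.1), ("Low", 0.1)),
    "nist": (("High", 7.0), ("Medium", 4.0), ("Low", 0.1)),
}


def severity_class(cvss, scheme):
    """Map a CVSS score to High/Medium/Low/Log under the given scheme."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    for name, lower in CLASS_LOWER_BOUNDS[scheme]:
        if cvss >= lower:
            return name
    return "Log"


def migrate_task(threat, result_cvss):
    """Return (stored severity, highest real CVSS, overstated?) for an old task."""
    stored = MIGRATED_CVSS[threat]
    actual = max(result_cvss, default=0.0)
    return stored, actual, stored > actual


def reclassified(cvss_values):
    """Scores whose class differs between the Classic and NIST ranges."""
    changed = {}
    for score in cvss_values:
        old, new = severity_class(score, "classic"), severity_class(score, "nist")
        if old != new:
            changed[score] = (old, new)
    return changed


if __name__ == "__main__":
    # Constructed sample: an old "Medium" task whose results peak at 4.3.
    print(migrate_task("Medium", [4.3, 2.6]))
    # Migrated task-level values keep their class under both schemes ...
    print(reclassified(MIGRATED_CVSS.values()))
    # ... but individual result scores may change class (constructed scores).
    print(reclassified([9.3, 6.8, 4.3, 2.6, 0.0]))
```

Under these assumed ranges the migrated task values stay in their class, while a result scored 6.8 moves from High to Medium, which is the kind of change in colors and filter results the announcement warns about.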