Hello,

the OpenVAS community is proud to announce the release of OpenVAS-7!

April 25th, 2014 - OpenVAS-7 released: Unified Severity Concept and Access
Control Management

Following the annual release cycle, the new generation of OpenVAS [1] has been
released. The new version of the open framework for vulnerability scanning and
management, OpenVAS-7, introduces a comprehensively extended and improved
feature set. Main advances/improvements were undertaken in three domains:
improvements to the user interface for power users as well as for beginners,
access control and module architecture improvements.

Highlights of this new release are the object tagging, replacement of threat
view by severity view and a new report browser. Another major change is the
introduction of access control with groups, roles and permissions. On the
architectural side two modules were dropped, the Administrator has been merged
into Manager and the desktop client GSD has been dropped in favor of focusing
on web client advances.

All in all OpenVAS-7 ships 37 new and improved features, accompanied with
countless smaller changes. The systematic improvements and reliable release of
one major update every twelve months once again underlines the position of
OpenVAS as the most advanced Open Source solution for vulnerability management.
The new version can be downloaded free and is available as Free Software under
the GNU GPL license.

The company Greenbone Networks [2] develops and uses OpenVAS as a base for its
appliance product family for vulnerability scanning and management. Together
with the company SecPod [3] and the growing community, new vulnerability tests
and feature improvements are developed on a daily basis. The German Federal
Office for Information Security (BSI) [4] supports and utilizes OpenVAS,
together with many other federal agencies, as part of their IT security
framework.

OpenVAS-7 can be experienced live at the Linuxtag Conference and Exhibition in
Berlin (Germany) [5] from 8th to 10th of May 2014 at the BSI booth.

Access Control:

* Groups: For access permissions users can now be associated with Groups.
  The web interface allows full management of these groups for users with
  Administrator role.

* Roles: Roles are now freely configurable and users can be associated
  with roles. A new pre-configured role "Info" was added.

* Permissions: Under menu "Configuration" there is now a new item
  "Permissions". Here the user has a comfortable overview on all of his
  access permissions and opportunities to manage them.

Scanning:

* Alive-Test (Up-Test, Ping-Test): The type of test that determines whether a
  system is active is now adjustable as a property of the object "Target". Which
  means it can be changed without the need to change Tasks or Scan
  Configurations. Possible methods are the same as before: ICMP, TCP and ARP.

* The default setting for the Alive-Test changes from ICMP&TCP&ARP to just
  ICMP. Hence it can happen that results change for some of your Tasks because
  some systems are not regarded as alive anymore. But in most cases where larger
  IP ranges are scanned the scan duration will significantly drop down while
  getting the same results. However, you do not need to change a Scan
  Configuration or Task to get back to the previous state, you just need to
  adjust the Alive-Test method for the respective Target.

* New pre-configured Scan Configuration "Host Discovery". This Scan
  Configuration simply searches for real systems for the given target addresses.
  No vulnerability tests are executed. The result is just a list of hosts that
  are regarded active.

* New pre-configured Scan Configuration "System Discovery". This Scan
  Configuration applies any NVTs that discover operating system types and/or
  hardware device types. No vulnerability tests are executed. The main result is
  an overview on the found operating system and devices.

* New pre-configured Scan Configuration "Discovery". This Scan Configuration
  applies any NVTs that discover as many details about the target system,
  installed services and applications, as possible. No vulnerability tests are
  executed.

* Tasks: New class "Alterable Task" allows to change Target and Scan Config
  even if there are already reports for this task. This allows to have a
  playground task not designed to grant consistency between its reports.

* Problems with DNS resolving during scan: Each failed resolving of a target
  system name is now listed in section "Errors" of the report browser.

* The Scanner preference "silent_dependencies" was removed. It was reducing
  the number of reported results to only those NVTs that were explicitly
  selected. This is not necessary anymore because the filtering can now take
  care of reducing results. Furthermore, incomplete reports without log
  information do not offer adequate transparency.

* In case you applied Scan Configurations that were using this preference,
  you will get more (all) results now in new reports.

* Note that when using one of the pre-defined Scan Configurations you will
  see no changes because these were explicitly selecting all the NVTs.

* The Scanner preference "host_expansion" was removed. Its purpose was to
  automatically expand the target hosts. This functionality should not be done
  by a Scanner, especially because it can lead to unforeseeable expansions.

* Using one of the pre-defined Scan Configurations or derived ones, no
  changes of the behavior will happen.

* The Scanner will not create explicit results for detected ports anymore.
  These results had no reference to NVTs and were redundant anyway. An overview
  on the detected ports is already provided by other NVTs as log information.
  Additionally the new user interface even offers an explicit tabular overview
  of identified ports as part of the new report browser.

Vulnerability Management:

* Severity replaces Threat: The concept of Threat Classes is extended to the
  Severity concept where the severity is not just a class but also contains a
  specific CVSS value. The CVSS value of a Severity is always the highest
  occurring CVSS value in the corresponding scan results. This allows a higher
  granularity in the view and for example improves sorting.

  This means comprehensive changes for the whole application:

  * Task Overview: In the past only the Threat level was stored for Tasks.
    Because old tasks covered results with only threat level and no CVSS level,
    the migration will use old rules of attaching a threat level and therefore
    insert the maximum of the respective level. This means that the Severity
    may show a higher CVSS value than the highest value actually present in the
    results. But this guarantees that the threat level will remain the same.
    The following values are therefore applied during the migration:
    High: 10.0, Medium: 5.0, Low: 2.0. Of course for new scans the exact values
    as occurring in the results are applied.

  * Task-Details: For the list of reports of a task the very same changes
    and migration rule are applied as for the Task Overview.

  * Notes: The distinction of High, Medium, Low is dropped and the
    migration will place all results into one class. This prevents notes from
    becoming invisible when NVTs are updated.

  * Overrides: The distinction of High, Medium, Low is dropped and the
    migration will place all results into one class. This prevents overrides
    from becoming invisible when NVTs are updated.

  * Furthermore, the New Severity is not anymore just a threat level but
    rather a CVSS value. Old overrides with just threat level are migrated with
    the same scheme as the Tasks and Reports (see above).

* Tags: The new configuration object class "Tag" allows to attach short texts
  to almost any other object. These texts are available to filtering and are
  included in export files. This enables the user to create thematic groups or
  attach arbitrary attributes to objects.

* Reports: Under menu "Scan Management" there is now an overview on any
  available scan report, regardless of the relation to a task. The powerfilter
  is available here as well.

* This new view replaces the report list in the task details dialog. Suitable
  filters are set automatically.

* Search interface for all objects of the SecInfo Management: Via new menu
  item "All SecInfo" it is possible to search for keywords and with other
  methods of the Powerfilter through almost 300.000 objects of various types.

* Web interface is extended with multi-lingual support and translated into
  German.

* Support for alternative faces of the web interface has been added, including
  a sample one in German (IT Schwachstellenampel).

* Integrated online CVSS calculator: Under menu "Extras/CVSS Calculator" a
  form is available that supports calculating a CVSS value.

* Reports: The browser for the report view was entirely reworked and split up
  into multiple sections, each with a page of its own. Many changes and
  extensions were applied.

* Attention: The changes are significant regarding the default view and
  regarding the powerfilter. Older stored powerfilters for reports may not work
  anymore and need to be recreated.

* Reports: Users can now individually configure the severity class ranges
  (High, Medium, Low) for the results view.

* Attention: The predefined class range is now the one of NIST. Therefore the
  colors in the view can change for old results and filters may return different
  results. If you want to switch back to the old behavior, just enter "My
  Settings" and select "OpenVAS Classic" for severity classes.

* Powerfilter: The powerfilter now offers an expand/collapse functionality in
  order to offer a regular dialog that is equivalent to the content of the
  filter string. Dialog and filter string are automatically mutually
  synchronized.

* Target: It is now possible to reduce the selected range of target systems
  via some rules. This includes an exclude list, reduction of double entries via
  Reverse Lookup and making Reverse Lookup obligatory.

* Host access rules: More opportunities to deny or allow scan of host for
  each user, for example hostnames, can now also be applied.

* Interface access rules: This new feature allows on the one hand to specify
  a special interface (like "eth1") for each task. On the other hand it is
  possible to express rules to allow or deny access to interfaces for each user.

* Reports: The port information is now extended with the current IANA service
  name that is registered for this port.

* New predefined Report Format Plugin "CSV Results": Comma-separated text
  table of single results.

* New pre-defined Report Format Plugin "CSV Hosts": Comma-separated text
  table of result overview for each target system.

* Tasks: It is now possible to configure the order in which the target hosts
  are scanned: Sequential (like before), reverse and random.

* Task Details: The list of reports is now handled via the new object
  management. This also adds the powerfilter to this page.

* Notes/Overrides: The actual note text is now used as identifier in the list
  instead of the NVT name.

* Web-GUI: Consistent access to object details always via identifier in first
  column. The redundant button for Details is therefore removed from the set of
  Actions.

* OVAL Definitions: The overview as well as the details dialog for OVAL
  Definitions has been reworked.
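
The migration rule for old threat levels and the switch of the predefined class ranges to NIST, both described in the list above, can be checked against exported results before upgrading. The following Python sketch is an added example, not part of the original announcement or of OpenVAS code. The migration values are those stated above; the "OpenVAS Classic" upper bounds are inferred from them, and the NIST bounds and the "Log" class for 0.0 are assumptions of this example, as are all names and sample results.

```python
# Added example: audit how stored results are reclassified after the upgrade.
# Migration values are taken from the announcement text.
MIGRATED_CVSS = {"High": 10.0, "Medium": 5.0, "Low": 2.0}

# (class, inclusive upper CVSS bound), checked in ascending order.
# Assumption: classic bounds equal the migration maxima; NIST uses 3.9/6.9/10.0.
CLASSIC = [("Log", 0.0), ("Low", 2.0), ("Medium", 5.0), ("High", 10.0)]
NIST = [("Log", 0.0), ("Low", 3.9), ("Medium", 6.9), ("High", 10.0)]


def classify(cvss, scheme):
    """Return the severity class of a CVSS score under the given scheme."""
    score = round(float(cvss), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss!r}")
    for name, upper in scheme:
        if score <= upper:
            return name


def migrate_threat(threat):
    """Severity stored for a pre-upgrade task or override (class maximum)."""
    return MIGRATED_CVSS[threat]


def task_severity(scores):
    """Severity of a new scan: the highest CVSS value among its results."""
    return max(scores, default=0.0)


def class_changes(results):
    """List (name, cvss, classic, nist) for results whose class differs."""
    changed = []
    for name, cvss in results:
        old, new = classify(cvss, CLASSIC), classify(cvss, NIST)
        if old != new:
            changed.append((name, cvss, old, new))
    return changed


# Constructed sample results (hypothetical NVT names and scores).
SAMPLE_RESULTS = [("nvt-a", 9.3), ("nvt-b", 5.8), ("nvt-c", 5.0),
                  ("nvt-d", 2.6), ("nvt-e", 0.0)]

if __name__ == "__main__":
    for row in class_changes(SAMPLE_RESULTS):
        print("class changes: %s cvss=%.1f %s -> %s" % row)
    for threat in MIGRATED_CVSS:
        print(threat, "->", migrate_threat(threat),
              classify(migrate_threat(threat), NIST))
```

Under these assumptions the migrated values 10.0, 5.0 and 2.0 keep their class in both schemes, while individual results between the old and new boundaries (5.8 and 2.6 in the sample) move one class down under NIST.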

Protocols:

* OMP now in version 5.0

* OAP dropped. Most functionality moved to OMP.

* User management is made available via OMP.

* Feed management is made available via OMP.

* OTP has been cut down to essentials. This was a first step towards replacing
  OTP by a superior protocol "OSP" eventually.

Architecture:

* OpenVAS Administrator was dropped. Most functionality went into OpenVAS
  Manager.

* No support for Greenbone Security Desktop anymore.

* OpenVAS Scanner and OpenVAS Manager react on SIGHUP with reloading configs.

Downloads:

* Source Codes: http://www.openvas.org/install-source.html

* Binary installation packages (Upcoming!):
  http://www.openvas.org/install-packages.html

* Virtual Appliance (Upcoming!): http://www.openvas.org/vm.html

Compatibility and migration:

* The OpenVAS NVT Feed will be extended with tests that take advantage of the
  network scan feature but fully keeps the behaviour for previous releases.

* The OpenVAS Manager has a migration option for updating an OpenVAS Manager
  4.0 (OpenVAS-6) SQL database. But there is no support to downgrade the 
database
  back to 4.0.

* It is highly recommended to test and verify a migration only with a full
  backup.

* For updating your own OMP client applications, please refer to the OMP 5.0
  documentation section about compatibility changes.

* For upgrades from old OpenVAS-5, please also refer to the OpenVAS-6
  announcement.

References:
[1] OpenVAS: http://www.openvas.org/
[2] Greenbone: http://www.greenbone.net/
[3] SecPod: http://www.secpod.com/
[4] BSI: https://www.bsi.bund.de//
[5] Linuxtag: http://www.linuxtag.org/2014/en.html 

Best regards

        Jan-Oliver Wagner

-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-announce mailing list
Openvas-announce@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-announce