Hello,

the OpenVAS community is proud to announce the release of OpenVAS-8!

April 2nd, 2015 - OpenVAS-8 released: Charts, Quality of Detection and
PostgreSQL-Support

Following the annual release cycle, the new generation of OpenVAS [1] has been
released. The new version of the open framework for vulnerability scanning and
management, OpenVAS-8, introduces a comprehensively extended and improved
feature set. Advances and improvements were achieved in virtually all areas.

Highlights of this new release are the chart module for a variety of graphical
representations, the Quality of Detection (QoD) concept and the optional support
of PostgreSQL as database backend. Major advances were also achieved for the
access control management: more roles, group admins and super-admin to name just
a few. Notable as well is the introduction of the optional multi-scanner support
via the new protocol OSP (OpenVAS Scanner Protocol) for which a growing number
of servers is expected for the future. Last but not least, the OpenVAS Scanner
now requires less resources and uses redis [2] for the inter-process
communication.

All in all OpenVAS-8 ships 28 new and improved features, accompanied by
countless smaller changes. The systematic improvements and reliable release of
one major update every twelve months once again underlines the position of
OpenVAS as the most advanced Open Source solution for vulnerability management.
The new version can be downloaded free and is available as Free Software under
the GNU GPL license.

The company Greenbone Networks [3] develops and uses OpenVAS as a base for its
appliance product family for vulnerability scanning and management. Together
with the company SecPod [4] and the growing community, new vulnerability tests
and feature improvements are developed on a daily basis. The German Federal
Office for Information Security (BSI) [5] supports and utilizes OpenVAS,
together with many other federal agencies, as part of their IT security
framework.


Vulnerability Management:

- Access Control:

  The access control features were comprehensively extended.

  * Roles can now be dynamically configured.

  * New default roles "Monitor", "Guest" and "Super Admin".

  * New permission "Super" that allows, for example, defining an
    administrator for a group.

- Results are now an explicit part of the scan management.

  The new section "Results" under menu "Scan Management" offers an object
  management for all of the scan results in the database a user has
  permission for. In other words, searching and filtering for results
  is now possible independent of a scan report.

- Solution Type:

  NVTs are now associated with a solution type like for example "VendorFix".
  This allows to group or identify NVTs or results where for example a
  simple solution exists or no solution is currently available.

  The Feed content is updated over time to add a solution type for all of
  the NVTs. At the time of writing, 3.6% of the NVTs own a Solution Type.

- Quality of Detection (QoD):

  The QoD is a value between 0% and 100% describing the reliability of the
  executed vulnerability detection or product detection.

  One of the main reasons to introduce this concept was to handle the
  challenge of potential vulnerabilities properly. The goal was to keep
  such in the results database but only visible on demand.

  While the QoD range allows to express the quality pretty refined, in fact
  most of the test routines use a standard methodology. Therefore the QoD
  Types were introduced of which each is associated with a QoD value.

  The Feed content is updated over time to add a QoD for all NVTs. Any NVT
  not explicitly assigned will apply 75% and is therefore visible by default
  in order to not change the default behavior compared to OpenVAS-7.
  However, meanwhile any NVT formerly requiring the "paranoid" setting
  in the scan configuration now always reports but stays invisible
  in the database until the user decides to view results with a lower
  quality of detection.

  At the time of writing, 2.7% of the NVTs own a QoD Type.

- New SecInfo object type "CERT-Bund" introduced: These are advisories
  published by the German federal CERT.


Vulnerability Scanning:

- Credentials:

  * The public key of SSH credentials is not required anymore because it is
    extracted from the private key.

  * Credentials for ESXi target systems can now be configured directly with
    the Target object instead of in the Scan Configuration object.

- When a task is requested to stop, the scanner will now be advised to switch
  immediately into the final phase of scanning. With OpenVAS-7 the scanner
  immediately stopped activity and did not return so far collected host
  details. With OpenVAS-8 this is now transferred to the database.

- Dropped support for pausing of tasks entirely (was removed from GUI before,
  now removed from OMP level).

- OpenVAS Scanning Protocol (OSP):

  This new protocol allows to control a vulnerability scanner. The main
  elements are to set parameters, start a scan and retrieve results.
  OSP is designed in the same way as OMP, therefore it is a non-permanent
  request-response connection based on XML.

  It is possible to configure and control OSP-compliant Scanners via the
  user interface.

  OpenVAS-8 offers some pilot OSP scanners in order to provide examples for
  this technology. Users and developers are encouraged to wrap more
  vulnerability scanners with OSP and provide feedback on missing features
  in the OSP protocol.

  The OpenVAS Scanner itself is still OTP-based and the integration with
  OpenVAS Manager works like before with the slight difference that it
  is now possible to define more than one OpenVAS Scanner to be controlled
  by OpenVAS Manager.

  This new concept introduces various changes in the user interface but
  defaults are set to keep the same behavior as in OpenVAS-7 if the user decides
  not to deal with OSP. In other words: OSP is entirely optional.


Graphical User Interface:

- Dynamic charts are introduced, using the Javascript library "d3". The first
  chart types (bar, donut, bubbles, line) are used for the SecInfo section
  in order to demonstrate some of the capabilities.

  The chart objects allow to download the data as CSV table or SVG graphics.
  Also, a HTML table can be opened and some of the charts are interactive.

  The underlying data aggregation technology is generically integrated into
  the protocol OMP. This allows to add more charts during the lifecycle of
  the OpenVAS release because no API changes are required.

  For the SecInfo Management, a first dashboard is integrated which assembles
  four of the charts and can be configured individually.

  The charting feature is entirely optional: Without enabling Javascript support
  in the browser no core functionality is lost. Also, the chart view can be
  collapsed so that only the traditional table view is shown.

- Bulk actions are introduced. For example this allows to remove or download
  many objects within a single action.

- The powerfilter was simplified to carry only the essential filter elements.
  The standard ones are displayed below and of course it is possible to apply
  any of them in the text entry field.

- Timezones:

  The configuration of timezones was changed so that a drop-down list of
  available timezones is now offered instead of an entry field for specifying
  the timezone in text form.

- Users are now allowed to have multiple simultaneous sessions, as long as
  the sessions are on different browsers. Up to OpenVAS-7, a second session
  always invalidated the previous one regardless of which browser was used.

- For any web interface page, the duration of the backend operation will be
  shown at the bottom.

- The filenames for downloads can now be configured via "My Settings".

- New wizard for modifying a task.


Protocols:

- OMP now in version 6.0

- The new OSP for controlling arbitrary scanners is at version 1.0.

- The OTP protocol was further reduced. It is not recommended to use
  it to communicate with the OpenVAS Scanner because it will eventually
  be dropped in favor of OSP. For the time being OMP should be used
  to control an OpenVAS Scanner.


Architecture:

- redis (mandatory):

  The OpenVAS Scanner now uses a redis backend to share the knowledge base
  among the scanning processes.

- PostgreSQL (optional):

  OpenVAS Manager now allows to use PostgreSQL as an alternative for the
  file-based SQLite. Everything should work, but this new database backend
  has seen little testing so far.

  The OpenVAS development team is prepared to fix any issues promptly as
  it is desired to make this database eventually the new default backend.

- openvas-smb (optional):

  The new module "openvas-smb" is used for WMI support.
  This is the former externally maintained wmi client library.
  Since it was actually not maintained anymore, the module was
  cut down to the essentials and furnished with a "cmake" build
  environment.

- OSP (optional):

  For the new OSP, a base module "OSPd" written in Python is made available.
  The actual wrappers for vulnerability scanners are collected as "osp-scanners"
  and the name of the modules is prefixed with "OSPd-". "OSPd" is a mandatory
  requirement for each OSP scanner module. 

  All sample OSP scanners are written in Python. Currently the C-library API
  only supports OSP client functionality, not server functionality.

- The memory consumption of the OpenVAS Scanner was reduced by about 50%.


References:
[1] OpenVAS: http://www.openvas.org/
[2] http://redis.io/
[3] Greenbone: http://www.greenbone.net/
[4] SecPod: http://www.secpod.com/
[5] BSI: https://www.bsi.bund.de/


Best regards

        Jan-Oliver Wagner

-- 
Dr. Jan-Oliver Wagner |  +49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-announce mailing list
Openvas-announce@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-announce
