Author: jan
Date: 2007-11-07 16:15:42 +0100 (Wed, 07 Nov 2007)
New Revision: 545

Added:
   trunk/doc/website/nvt-feeds.htm4
   trunk/doc/website/performing_lsc.htm4
Modified:
   trunk/doc/website/index.htm4
   trunk/doc/website/roadmap.htm4
   trunk/doc/website/template_header.m4
   trunk/doc/website/trusted-nvts.htm4
Log:
Updating Status on main page.
Updating Roadmap.
Added infoHowto pages: "Local Security Checks" and "NVT Feed Services".


Modified: trunk/doc/website/index.htm4
===================================================================
--- trunk/doc/website/index.htm4        2007-11-07 13:25:37 UTC (rev 544)
+++ trunk/doc/website/index.htm4        2007-11-07 15:15:42 UTC (rev 545)
@@ -32,8 +32,8 @@
 OpenVAS stands for Open Vulnerability Assessment
 System and is a network security scanner with associated
 tools like a graphical user fontend. The core is
-a server component with a set of plugins to test
-various vulnerabilities in remote systems and applications.
+a server component with a set of network vulnerability tests
+(NVTs) to detect security problems in remote systems and applications.
 </p>
 
 <p>
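Review bot: the unchanged line just above this edit still reads "graphical user fontend". Since the paragraph is being reworded anyway, correct it to "frontend" in the same commit.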
@@ -44,15 +44,20 @@
 <img src="pix/OpenVAS-Structure.png"/>
 
 <p>
-<b>Status:</b> The forked code basis has reworked primarily
-with the focus to reduce the code base (i.e. remove unused
-or unneeded code) and to clean up license situation (e.g.
-OpenSSL has been replaced by GNUTLS due
-to the lack of a OpenSSL exception for distribution).
-The 0.9.x series is intended for testing packaging and identifying
-missing changes. It works, but it lacks an updated mechanism for
-plugins.
+<b>Status:</b> All necessary cleanups (due to the fork from Nessus)
+of OpenVAS client and server have been completed.
+The current set of released modules is ready to execute scans using
+a secure connection between client and server.
+A sample NVT Feed Service offers to download signed scripts, but is
+not yet in operation to deliver daily updates.
+Several NVTs are broken because they depend on a non-free component.
+As a start, for the group of Debian Local security Checks any such
+issues have been resolved.
 See the <a href="roadmap.html">Roadmap</a> for further details.
+To be informed about OpenVAS news, you should
+<a 
href="http://lists.wald.intevation.org/mailman/listinfo/openvas-announce";>subscribe</a>
+to the announcement mailing list.
+
 </p>
 
 <h2>Contact</h2>
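Review bot: in the new Status paragraph, "Several NVTs are broken because they depend on a non-free component" names neither the component nor a way for a user to tell which NVTs are affected; name it or point to the relevant roadmap entry. Smaller points: "Debian Local security Checks" mixes capitalization (the new howto link uses "Local Security Checks"), the href to openvas-announce shows a ";" after the closing quote that should go if it is really in the file, and the blank line added before the closing p tag is not needed.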

Added: trunk/doc/website/nvt-feeds.htm4
===================================================================
--- trunk/doc/website/nvt-feeds.htm4    2007-11-07 13:25:37 UTC (rev 544)
+++ trunk/doc/website/nvt-feeds.htm4    2007-11-07 15:15:42 UTC (rev 545)
@@ -0,0 +1,137 @@
+m4_dnl -*-html-*-
+m4_include(`template.m4')
+
+m4_dnl OpenVAS
+m4_dnl $Id$
+m4_dnl Description: Description on the OpenVAS NVT feeds: how they work. which 
are available.
+m4_dnl
+m4_dnl Authors:
+m4_dnl Jan-Oliver Wagner <[EMAIL PROTECTED]>
+m4_dnl
+m4_dnl Copyright:
+m4_dnl Copyright (C) 2007 Intevation GmbH
+m4_dnl
+m4_dnl This program is free software; you can redistribute it and/or modify
+m4_dnl it under the terms of the GNU General Public License version 2,
+m4_dnl as published by the Free Software Foundation.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful,
+m4_dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+m4_dnl GNU General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with this program; if not, write to the Free Software
+m4_dnl Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 
USA.
+
+PAGE_START
+
+<h2>OpenVAS NVT Feed Services</h2>
+
+<p>
+This text explains how NVT Feed Services work in general and
+how to use one for updating your set of NVTs.
+</p>
+
+<p>
+Note: If you experience problems or think the description should
+be more detailed on some items, please give feedback on the
+<a 
href="http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss";>OpenVAS
+discussion mailing list</a>.
+</p>
+
+<h3>Overview</h3>
+
+<p>
+A OpenVAS NVT Feed Service provides a set of NVTs (i.e. ".nasl" and ".inc"
+files) which can be downloaded to your OpenVAS server installation.
+</p>
+
+<p>
+In fact, only changed and new NVTs will be downloaded along with their
+signature files (".asc") and an overall "md5sums". This synchronization
+process uses the RSYNC technology. The signatures get only relevant
+for you if you configure OpenVAS to execute only
+<a href="trusted-nvts.html">trusted NVTs</a>.
+</p>
+
+<h3>Prerequisits</h3>
+
+<p>
+Apart from openvas-plugins minimum version 0.9.1 which contains
+"openvas-nvt-sync", you need to have the standard tools "rsync" and "md5sum"
+installed on your OpenVAS server system. If you installed a packaged
+OpenVAS, the package management should have taken care to meet these
+dependencies already.
+</p>
+
+<h3>Performing a synchronization with a OpenVAS NVT Feed</h3>
+
+<p>
+You need to follow these steps:
+</p>
+
+<ol>
+<li> Check the configuration of the synchronization command:
+
+     <p>Usually you will find this shell script installed as
+     "/usr/sbin/openvas-nvt-sync".</p>
+
+     <p>
+     You should verify that the variables "NVT_DIR" and "FEED"
+     are correct. This should be the case for NVT_DIR if you
+     did not deviate from the standard build and install routine.
+     For FEED there is currently only the pre-configured one available
+     anyway. So, just don't change it.
+     </p>
+
+<li> Run the synchronization command:
+
+     <pre>
+     # openvas-nvt-sync
+     </pre>
+
+     <p>
+     It will connect to the currently only available NVT feed.
+     At the end, it will verify the md5 checksums of all synchronized
+     files. If any fails, an error is reported. In this case you
+     should retry a couple of minutes later (reasons for failures could
+     be network lags or that feed was updated at the same time.)
+     If the problem occurs again, please report to the 
+     <a 
href="http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss";>OpenVAS
+     discussion mailing list</a>.
+     </p>
+
+<li> Restart the OpenVAS server (openvasd):
+
+     <pre>
+     # kill -1 PID
+     </pre>
+
+     <p>
+     Where PID is the process ID of the main openvasd.
+     You may see in the "openvas-nvt-sync" script how this
+     should work ideally, but currently does not work.
+     You might consider using the "killall openvasd" command
+     if you very well know what this means.
+     </p>
+</ol>
+
+<h3>Available NVT Feed Services</h3>
+
+<p>
+For demonstration purposes, the OpenVAS project
+offers a simple NVT feed under
+rsync://rsync.openvas.org:/nvt-feed.
+It is the pre-configured in the "openvas-nvt-sync"
+tool.
+</p>
+
+<p>
+This feed is not updated at a regular basis.
+It only contains NVTs that have been tested
+to at least not be worthless due to unmet dependencies
+to missing ".inc" or ".nasl" files.
+However, the <a href="trusted-nvts.html">NVTs are signed</a> with
+the OpenVAS Tansfer Integrity certificate.
+</p>
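Review bot: step 2 of the synchronization procedure presents the md5 check as the verification, but the "md5sums" file is fetched from the same rsync feed as the NVTs it covers, so it only catches transfer errors, not tampering. The page should say that and recommend configuring trusted NVTs (the ".asc" signatures) rather than calling the signatures "only relevant" in that case. In step 3, "killall openvasd" sends SIGTERM by default, which stops the server instead of reloading it as "kill -1" does; give the exact intended command (for example with an explicit -HUP) instead of "if you very well know what this means". Also: the li elements are never closed, "Prerequisits" and "Tansfer" are misspelled, "It is the pre-configured in" is missing a word, and the colon after the host in "rsync://rsync.openvas.org:/nvt-feed" looks unintended.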

Added: trunk/doc/website/performing_lsc.htm4
===================================================================
--- trunk/doc/website/performing_lsc.htm4       2007-11-07 13:25:37 UTC (rev 
544)
+++ trunk/doc/website/performing_lsc.htm4       2007-11-07 15:15:42 UTC (rev 
545)
@@ -0,0 +1,114 @@
+m4_dnl -*-html-*-
+m4_include(`template.m4')
+
+m4_dnl OpenVAS
+m4_dnl $Id$
+m4_dnl Description: Howto for doing local security checks with OpenVAS.
+m4_dnl
+m4_dnl Authors:
+m4_dnl Jan-Oliver Wagner <[EMAIL PROTECTED]>
+m4_dnl
+m4_dnl Copyright:
+m4_dnl Copyright (C) 2007 Intevation GmbH
+m4_dnl
+m4_dnl This program is free software; you can redistribute it and/or modify
+m4_dnl it under the terms of the GNU General Public License version 2,
+m4_dnl as published by the Free Software Foundation.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful,
+m4_dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+m4_dnl GNU General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with this program; if not, write to the Free Software
+m4_dnl Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 
USA.
+
+PAGE_START
+
+<h2>Howto: Perform local security checks</h2>
+
+<p>
+This text explains how you run local security checks with OpenVAS.
+Currently, this procedure is only tested with Debian local security checks.
+</p>
+
+<h3>Prerequisits (if you don't have a running OpenVAS Server yet)</h3>
+
+<p>You need to compile and install at least these
+packages (minimum versions given):</p>
+
+<p>
+openvas-libraries 1.0.0,
+openvas-libnasl 0.9.2,
+openvas-server 0.9.2,
+openvas-plugins 0.9.1
+</p>
+
+<p>
+and have a certificate and a user:
+</p>
+
+<pre>
+# openvas-mkcert
+# openvas-adduser
+</pre>
+
+<p>
+See <a href="openvas-server.html">OpenVAS Server</a> for more on installation.
+</p>
+
+<h3>Create users for local security checks</h3>
+
+<p>First, you need a key with certificate:</p>
+
+<pre>
+$ ssh-keygen -t rsa -f ~/.ssh/id_rsa_sshovas -C 
"OpenVAS-Local-Security-Checks-Key"
+$ openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_rsa_sshovas -out sshovas_rsa.p8
+</pre>
+
+<p>
+Note: The comment (here: "OpenVAS-Local-Security-Checks-Key") should not 
contain spaces.<br>
+Currently, you need a rsa pkcs8 key for OpenVAS local security checks.
+</p>
+
+<p>Now, for each target system:</p>
+
+<pre>
+# adduser --disabled-password sshovas
+  Name: OpenVAS Local Security Checks
+# su - sshovas
+$ mkdir .ssh
+$ cp /some/path/id_rsa_sshovas.pub .ssh/authorized_keys
+$ chmod 500 .ssh
+$ chmod 400 .ssh/authorized_keys
+</pre>
+
+<h3>Configure the local security checks in OpenVAS-Clients</h3>
+
+<p>
+In Preferences, configure SSH Authorization:
+</p>
+
+<pre>
+SSH login name: sshovas
+SSH private key: ~/.ssh/sshovas_rsa.p8
+SSH key passphrase: ********
+SSH public key: ssh/id_rsa_sshovas.pub
+</pre>
+
+<p>Note: Acutally it is not necessary to submit the public key,
+but currently this is necessary due to a bug inherited from Nessus.</p>
+
+<p>Next, make sure you select at least these plugins:</p>
+
+<pre>
+Debian Local Security Checks/*
+Misc/Determine List of installed packages via SSH login
+Service Detection/Services
+Settings/Global variable settings
+Settings/SSH Authorization
+</pre>
+
+<p>or ensure dependencies are met at runtime (see checkboxes)
+if you only select some local security checks.</p>
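Review bot: the key paths in the client preferences block do not match the commands that create the keys. openssl writes "sshovas_rsa.p8" to the current directory, yet the preferences list "~/.ssh/sshovas_rsa.p8", and the public key appears as "ssh/id_rsa_sshovas.pub" while ssh-keygen created "~/.ssh/id_rsa_sshovas.pub". Use one location throughout, e.g. "-out ~/.ssh/sshovas_rsa.p8" in the openssl call. The text should also say whether the "SSH key passphrase" is the one set by ssh-keygen or the one set for the pkcs8 file, since the procedure creates both. Typos: "Prerequisits", "Acutally".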

Modified: trunk/doc/website/roadmap.htm4
===================================================================
--- trunk/doc/website/roadmap.htm4      2007-11-07 13:25:37 UTC (rev 544)
+++ trunk/doc/website/roadmap.htm4      2007-11-07 15:15:42 UTC (rev 545)
@@ -29,32 +29,35 @@
 <h2>Roadmap of OpenVAS project</h2>
 
 <p>
-This is the current (June 2007) status of the
-planned roadmap for OpenVAS.
+This is the current (November 2007) status of the
+roadmap for OpenVAS.
 <p>
 
-<h3>OpenVAS Release 0.9 (ca. August 2007)</h3>
+<h3>OpenVAS component "openvas-libnasl" Release 1.0 (ca. December 2007)</h3>
 
 <p>
-A first deveopment release for testing purposes.
+The necessary functionality of this component (mainly GNU/TLS support replacing
+OpenSSL) has been completed with release 0.9.2. It is now in a beta-phase. No
+problems have been reported so far. If no or only minor issues need to be 
fixed,
+version 1.0 will be released in december 2007.
 </p>
 
-<h3>OpenVAS-Client Release 1.0 (ca. August 2007)</h3>
+<h3>OpenVAS component "openvas-server" Release 1.0 (ca. January 2008)</h3>
 
 <p>
-The first stable release of the GUI client with some
-enhanced features compared to NessusClient 1.X.
+The necessary functionality of this component (mainly GNU/TLS support replacing
+OpenSSL) has been completed with release 0.9.2. It is now in a beta-phase. No
+problems have been reported so far. If no or only minor issues need to be 
fixed,
+version 1.0 will be released in january 2008.
 </p>
 
-<h3>OpenVAS Release 1.0 (ca. October 2007)</h3>
+<h3>OpenVAS component "openvas-plugins" Release 1.0 (ca. Feburary 2007)</h3>
 
 <p>
-More or less same functionality
-as Nessus-2, but with OpenSSL replaced by GNU/TLS to resolve
-license conflict (OpenVAS 1.0 may then be distributed
-in binary form even compiled with SSL support which is not
-allowed for Nessus. This is regarded relevant at least for
-many GNU/Linux distributions).
+The necessary cleanup and functionality of this component ) has been completed
+with release 0.9.1. It is now in a beta-phase. No
+problems have been reported so far. If no or only minor issues need to be 
fixed,
+version 1.0 will be released in febuary 2008.
 </p>
 
 <h2>Ideas for future OpenVAS functionalities</h2>
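Review bot: the new openvas-plugins heading says "(ca. Feburary 2007)" while its paragraph says version 1.0 will be released in "febuary 2008"; the heading year should be 2008, and both spellings should be "February". The same paragraph has a stray ")" in "functionality of this component ) has been completed", and "december" and "january" in the other two paragraphs need capitals. The context line after "roadmap for OpenVAS." opens a second p element where a closing tag is meant; worth fixing while this block is touched.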

Modified: trunk/doc/website/template_header.m4
===================================================================
--- trunk/doc/website/template_header.m4        2007-11-07 13:25:37 UTC (rev 
544)
+++ trunk/doc/website/template_header.m4        2007-11-07 15:15:42 UTC (rev 
545)
@@ -64,11 +64,13 @@
     </div>
 
    <div class="box">
-     <h1>Information</h1>
+     <h1>Information/Howto's</h1>
      <p>
      <a href="sources-for-security-issues-information.html">Security info 
sources</a><br>
      <a href="creation-process-nvt.html">NVT creation process</a><br>
      <a href="trusted-nvts.html">Trusted NVTs</a><br>
+     <a href="performing_lsc.html">Local Security Checks</a><br>
+     <a href="nvt-feeds.html">NVT Feed Services</a><br>
      </p>
     </div>
 
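Review bot: the new link target "performing_lsc.html" uses an underscore while every other page in this box is hyphenated ("nvt-feeds.html", "trusted-nvts.html", "creation-process-nvt.html"); rename it (e.g. "performing-lsc.html") before the URL gets linked from elsewhere. In the heading, "Howto's" should be the plain plural "Howtos".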

Modified: trunk/doc/website/trusted-nvts.htm4
===================================================================
--- trunk/doc/website/trusted-nvts.htm4 2007-11-07 13:25:37 UTC (rev 544)
+++ trunk/doc/website/trusted-nvts.htm4 2007-11-07 15:15:42 UTC (rev 545)
@@ -28,6 +28,19 @@
 
 <h2>Trusted NVTs (how to manage NVT signatures)</h2>
 
+<p>
+This text explains what you need to do to allo your OpenVAS
+server to execute only signed NVTs with a trust level you
+decide.
+</p>
+
+<p>
+Currently, you get some signed NVTs by using the command
+"openvas-nvt-sync" which is included in openvas-plugins since
+release 0.9.1. The signatures correspond to the certificate
+"OpenVAS Transfer Integrity" given at the bottom.
+</p>
+
 <h3>What is a signature (in simple words)?</h3>
 
 <p>
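Review bot: typo in the first added paragraph, "to allo your OpenVAS server" should read "to allow". The certificate is named "OpenVAS Transfer Integrity" here but "OpenVAS Tansfer Integrity" in the new nvt-feeds.htm4; keep the spelling used here. "Currently, you get some signed NVTs" would be clearer if it said the sample feed's NVTs are signed, which is what nvt-feeds.htm4 states.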

_______________________________________________
Openvas-commits mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-commits
