[Openvas-discuss] OpenVAS Setup

2017-12-07 Thread Douglas Funk
All

I have Kali linux installed and am running into an issue installing OpenVAS.
I run the following commands from a terminal:

apt-get install openvas. That's ok

openvas-setup. It hangs at oval/5.10.org.mitre.oval/p/oval.xml, so I Ctrl-C

Then when I do an openvas-check-setup I get No OpenVAS SCAP database found.
Run a SCAP sync script like greenbone-scapdata-sync.

So I run that command and nothing happens.

Thanks for any help. This is my first time with Kali and OpenVAS.

 

Douglas Funk

Pitbull Solutions

O: 717 699-1224

C: 717 577-0213

df...@pitbullsolutions.com  

www.pitbullsolutions.com

 

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

[Openvas-discuss] Scanner Doesn't Start After Running Openvasmd --update

2017-12-07 Thread Tyler Doman
I'm running openvas on a kali linux server and after running the openvasmd 
--update and --rebuild commands, I can't get the scanner to start.

Typically when the scanner won't start, I run this command which fixes it but 
this time it doesn't: redis-cli -s /var/run/redis/redis.sock flushall

I tried replacing the scanner keys using openvas-manage-certs but that didn't 
allow it to start either.

Here's what the logs say:

/var/log/openvas/openvasmd.log
openvas_scanner_connect_unix: Failed to connect to scanner 
(/var/run/openvassd.sock): Connection refused

openvas-check-setup results:

Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=4.0.1.
OK: scanner (kb_location setting) is configured properly using the 
redis-server socket: /var/run/redis/redis.sock
OK: redis-server is running and listening on socket: 
/var/run/redis/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 56761 NVTs.
OK: Signature checking of NVTs is enabled in OpenVAS Scanner.
WARNING: The initial NVT cache has not yet been generated.
SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.2.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation 
enabled.
OK: OpenVAS Manager database is at revision 184.
OK: OpenVAS Manager expects database at revision 184.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 55640 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password 
policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 7.0.2.
OK: Your OpenVAS certificate infrastructure passed validation.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
ERROR: OpenVAS Scanner is NOT running!
FIX: Start OpenVAS Scanner (openvassd).
OK: OpenVAS Manager is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is 
the default port.

ERROR: Your OpenVAS-9 installation is not yet complete!



Re: [Openvas-discuss] Produce OVAL System Characteristics

2017-12-07 Thread Christian Fischer
Hi,

On 16.11.2017 20:51, ArkanoiD wrote:
> There are more bugs, yet this one is most significant. Took whole evening
> for me to pin it down.

I wouldn't call no support for other distributions than Debian and Red
Hat "a bug". This code probably was just tested against those two
distros back then in 2012 when it was implemented.

Testing with other non-Red Hat/Debian based distros is more than welcome
by e.g. replacing:

if( "DEB" >< release ) {

with

if( "DEB" >< release || "UBUNTU" >< release ) {

in kb_2_sc.nasl.

Nevertheless the above point, I have also updated the kb_2_sc.nasl to
fill in the system info and network interfaces when running such
currently unsupported distros.

If there is anything else missing / wrong in kb_2_sc.nasl feel free to
post a follow-up with suggestions and / or patches.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

Re: [Openvas-discuss] Reporting on delta's between scans on same host

2017-12-07 Thread Thijs Stuurman
Joris,

Yes, multiple tickets for the same issue will then sit in the queue. (or not if 
they closed or moved the ticket; it’ll come right back on the next scan)
Their tickets are not my responsibility so I do not interfere with what they do 
with the tickets.
If something cannot be fixed, you (or they) can say so using a note on the 
result in question and override the result. (accepting the situation or explain 
why it is a false positive or something).
You can configure the override to be valid for all future scans of the 
particular task (or all tasks) (and for some time etc.) which avoids new 
tickets being created.

I doubt you can or even want to keep track of their tickets. Strange things 
happen to tickets, some even get set to resolved while the issue is clearly not…
I understand you do not want to clutter the ticketing system but it only gets 
that way (which should make alarm bells ring somewhere) if they don’t do their 
job.
When you do not report a finding because the same finding was there last month 
and someone threw that ticket away… you’ll get nowhere.

(Don’t you have anything written down about how long a certain CVSS score 
vulnerability may exist when found?)

For reporting we make reports manually based on some filters to group certain 
systems and the result counts. (yes, we put the numbers in excel and make a 
nice graph)
We have too many systems to report on every task separately. Even general 
reports are not very helpful because systems and vulnerabilities (or 
non-compliances) come and go.
(We named tasks according to groups to filter ‘m out, for example the name 
would be “domain Linux – system xyz”; you cannot (easily) filter on the 
comments but we use those to quickly identify if it’s a private or public 
system and usually we have the target IP in there as well)
We can show which groups have the most issues and where improvements are 
clearly visible. Usually we manually point out the big improvements and not so 
much do any shaming; the numbers, graph(s) and tickets do enough. From my 
experience, shaming doesn’t improve much and can be quite devastating in the 
long run.

If you have so many results that it would fill queues instantly and bury people 
under work (let’s face it, this happens a lot in large organizations when you 
first start scanning); do not automatically make tickets.
(or perhaps only for very high CVSS scores)
Make some tickets manually for the major issues which require a resolution 
asap. Fix the others using a separate (dedicated) security issue team and 
enforce a baseline to avoid such findings on new systems. Then later when the 
organization is more in control you can automate the tickets.
You can also ease your organization into it all by not starting to scan 
everything but make them onboard their systems, get admins involved. Besides 
the obvious vulnerability it also helps them for example check their firewall 
and encryption configurations.

Tickets and onboarding are not your responsibility, allow their manager to do 
his or her job.


Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | 
thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

W: https://www.internedservices.nl | L: 
https://nl.linkedin.com/in/thijsstuurman

From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] 
On behalf of Joris
Sent: Thursday, 7 December 2017 10:13
CC: openvas-discuss@wald.intevation.org
Subject: Re: [Openvas-discuss] Reporting on delta's between scans on same host

Thanks Thijs!

You made me think about past results and not having to care about it: It is 
true that the tickets will be only generated on current results. On the other 
hand, does that mean that you create multiple tickets for the same issue if it 
appears in 2 consecutive scans?

We're interested in differential for 2 other reasons:
- from a security culture perspective, it would be interesting to report on 
reduction on vulnerabilities and create some noise about who is doing well and 
who is not.
- some systems will have issues which cannot be remediated per se. By 
differential reporting, we can look at new stuff and the report would not be 
cluttered by old stuff we already knew about / ticketed.

Best regards
Joris


On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman wrote:
You can schedule the scans to repeat them.

Personally I wasn’t happy with the built in scheduler and automated one myself 
using python talking to the gvm-tools API.
(https://github.com/Thij/openvas_scheduler which might help you automate 
things yourself, gvm-tools also has example scripts: 

Re: [Openvas-discuss] Reporting on delta's between scans on same host

2017-12-07 Thread Joris
Thanks Thijs!

You made me think about past results and not having to care about it: It is
true that the tickets will be only generated on current results. On the
other hand, does that mean that you create multiple tickets for the same
issue if it appears in 2 consecutive scans?

We're interested in differential for 2 other reasons:
- from a security culture perspective, it would be interesting to report on
reduction on vulnerabilities and create some noise about who is doing well
and who is not.
- some systems will have issues which cannot be remediated per se. By
differential reporting, we can look at new stuff and the report would not
be cluttered by old stuff we already knew about / ticketed.

Best regards
Joris


On Thu, Dec 7, 2017 at 10:05 AM, Thijs Stuurman <
thijs.stuur...@internedservices.nl> wrote:

> You can schedule the scans to repeat them.
>
>
>
> Personally I wasn’t happy with the built in scheduler and automated one
> myself using python talking to the gvm-tools API.
>
> (https://github.com/Thij/openvas_scheduler which might help you
> automate things yourself, gvm-tools also has example scripts:
> https://bitbucket.org/greenbone/gvm-tools)
>
>
>
> I am not going for differences really; any finding with a CVSS score of >
> 4 will trigger an alert which sends an email to our ticketing system.
>
> Once a month I start my scheduler which will start any job that hasn’t run
> for 3 weeks or so. (I could leave it running in a screen forever but I
> still supervise and time it all, when it is not running I got time to
> update scan systems)
>
>
>
> If you go to tasks and click on the Reports > Total number you can see an
> overview of all the reports and quickly see if things improved or not.
>
> There is a compare button (underneath Actions, next to ‘delete’ so be
> careful), click on two and you’ll get a comparison overview.
>
>
>
> Still, why care about past results; it’s the latest scan result that
> counts in my book.
>
>
>
> Thijs Stuurman
>
> Security Operations Center | KPN Internedservices B.V.
>
> thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
>
> T: +31(0)299476185 | M: +31(0)624366778
>
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
>
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
>
>
>
> W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
>
>
>
> *From:* Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org]
> *On behalf of *Joris
> *Sent:* Thursday, 7 December 2017 09:51
> *To:* openvas-discuss@wald.intevation.org
> *Subject:* [Openvas-discuss] Reporting on delta's between scans on same
> host
>
>
>
> Hello list,
>
>
>
> Using the scanner here and are pretty impressed with the results and the
> web GUI.
>
>
>
> Our next move is basically to identify differences between consecutive
> scans on hosts (was a vulnerability patched? was a new vulnerability
> introduced on the system?)
>
>
>
> Based on my understanding, the system does not support this natively but I
> can be wrong. How do others solve this issue? Do you build automation
> around it ?
>
>
>
> Best regards
>
> Joris
>

Re: [Openvas-discuss] Reporting on delta's between scans on same host

2017-12-07 Thread Shekhar Aryan
Perhaps a random question, has anyone in here been able to run scans using 
openvas cli please? If so please could you guide us?
And like me, has anyone found using the CLI version very cumbersome?

> On 7 Dec 2017, at 09:05, Thijs Stuurman wrote:
> 
> You can schedule the scans to repeat them.
>  
> Personally I wasn’t happy with the built in scheduler and automated one 
> myself using python talking to the gvm-tools API.
> (https://github.com/Thij/openvas_scheduler which might help you automate 
> things yourself, gvm-tools also has example scripts: 
> https://bitbucket.org/greenbone/gvm-tools)
>  
> I am not going for differences really; any finding with a CVSS score of > 4 
> will trigger an alert which sends an email to our ticketing system.
> Once a month I start my scheduler which will start any job that hasn’t run 
> for 3 weeks or so. (I could leave it running in a screen forever but I still 
> supervise and time it all, when it is not running I got time to update scan 
> systems)
>  
> If you go to tasks and click on the Reports > Total number you can see an 
> overview of all the reports and quickly see if things improved or not.
> There is a compare button (underneath Actions, next to ‘delete’ so be 
> careful), click on two and you’ll get a comparison overview.
>  
> Still, why care about past results; it’s the latest scan result that counts 
> in my book.
>  
> Thijs Stuurman
> Security Operations Center | KPN Internedservices B.V.
> thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> T: +31(0)299476185 | M: +31(0)624366778
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
>  
> W: https://www.internedservices.nl | L: 
> https://nl.linkedin.com/in/thijsstuurman
>  
> From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] 
> On behalf of Joris
> Sent: Thursday, 7 December 2017 09:51
> To: openvas-discuss@wald.intevation.org
> Subject: [Openvas-discuss] Reporting on delta's between scans on same host
>  
> Hello list,
>  
> Using the scanner here and are pretty impressed with the results and the web 
> GUI.
>  
> Our next move is basically to identify differences between consecutive scans 
> on hosts (was a vulnerability patched? was a new vulnerability introduced on 
> the system?)
>  
> Based on my understanding, the system does not support this natively but I 
> can be wrong. How do others solve this issue? Do you build automation around 
> it ?
>  
> Best regards
> Joris 

Re: [Openvas-discuss] Reporting on delta's between scans on same host

2017-12-07 Thread Thijs Stuurman
You can schedule the scans to repeat them.

Personally I wasn’t happy with the built in scheduler and automated one myself 
using python talking to the gvm-tools API.
(https://github.com/Thij/openvas_scheduler which might help you automate 
things yourself, gvm-tools also has example scripts: 
https://bitbucket.org/greenbone/gvm-tools)

I am not going for differences really; any finding with a CVSS score of > 4 
will trigger an alert which sends an email to our ticketing system.
Once a month I start my scheduler which will start any job that hasn’t run for 
3 weeks or so. (I could leave it running in a screen forever but I still 
supervise and time it all, when it is not running I got time to update scan 
systems)

If you go to tasks and click on the Reports > Total number you can see an 
overview of all the reports and quickly see if things improved or not.
There is a compare button (underneath Actions, next to ‘delete’ so be careful), 
click on two and you’ll get a comparison overview.

Still, why care about past results; it’s the latest scan result that counts in 
my book.

Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | 
thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

W: https://www.internedservices.nl | L: 
https://nl.linkedin.com/in/thijsstuurman

From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] 
On behalf of Joris
Sent: Thursday, 7 December 2017 09:51
To: openvas-discuss@wald.intevation.org
Subject: [Openvas-discuss] Reporting on delta's between scans on same host

Hello list,

Using the scanner here and are pretty impressed with the results and the web 
GUI.

Our next move is basically to identify differences between consecutive scans on 
hosts (was a vulnerability patched? was a new vulnerability introduced on the 
system?)

Based on my understanding, the system does not support this natively but I can 
be wrong. How do others solve this issue? Do you build automation around it ?

Best regards
Joris
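
One way to script the comparison this thread asks about, added here as an example (it is not part of the original messages and not code from gvm-tools or openvas_scheduler): findings from two reports of the same task are keyed by host, port and NVT OID, filtered with the CVSS > 4 cut-off mentioned above, and sorted into new, persisting, fixed and unverified. Assumptions: the element names follow the OpenVAS XML report export, the sample reports, hosts and OIDs are constructed, the function names are hypothetical, and the caller supplies the set of hosts that were actually reached in the latest scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: two simplified reports of the same task. Element names
# are assumed to match the OpenVAS XML report export; hosts and OIDs are made up.
def _result(host, port, oid, severity):
    return (f"<result><host>{host}</host><port>{port}</port>"
            f'<nvt oid="{oid}"/><severity>{severity}</severity></result>')

OID = "1.3.6.1.4.1.25623.1.0.99900"  # constructed prefix, last digit added below
PREVIOUS = "<report><results>" + "".join([
    _result("10.0.0.5", "443/tcp", OID + "1", "5.0"),
    _result("10.0.0.5", "22/tcp", OID + "2", "7.5"),
    _result("10.0.0.9", "80/tcp", OID + "3", "5.0"),
    _result("10.0.0.5", "general/tcp", OID + "4", "0.0"),  # log-level result
]) + "</results></report>"
CURRENT = "<report><results>" + "".join([
    _result("10.0.0.5", "443/tcp", OID + "1", "5.0"),      # still present
    _result("10.0.0.5", "8080/tcp", OID + "5", "9.0"),     # newly introduced
    _result("10.0.0.5", "25/tcp", OID + "6", "4.0"),       # not above the cut-off
]) + "</results></report>"  # 10.0.0.9 was unreachable during this scan

def load_findings(xml_text, min_cvss=4.0):
    """Map (host, port, nvt_oid) -> severity for results scoring above min_cvss."""
    findings = {}
    for result in ET.fromstring(xml_text).iter("result"):
        nvt = result.find("nvt")
        try:
            severity = float(result.findtext("severity", ""))
        except ValueError:
            continue  # no numeric severity, nothing to compare
        if nvt is None or severity <= min_cvss:
            continue
        key = (result.findtext("host", "").strip(),
               result.findtext("port", "").strip(), nvt.get("oid"))
        # The same check can be reported twice; keep the highest score.
        findings[key] = max(severity, findings.get(key, 0.0))
    return findings

def diff_findings(previous, current, scanned_hosts):
    """Classify findings between two consecutive scans of the same task."""
    delta = {"new": [], "persisting": [], "fixed": [], "unverified": []}
    for key in sorted(current):
        delta["new" if key not in previous else "persisting"].append(key)
    for key in sorted(set(previous) - set(current)):
        # Absence from the latest report only means "fixed" if the host was
        # reached this time; otherwise the state of the finding is unknown.
        delta["fixed" if key[0] in scanned_hosts else "unverified"].append(key)
    return delta

if __name__ == "__main__":
    delta = diff_findings(load_findings(PREVIOUS), load_findings(CURRENT),
                          scanned_hosts={"10.0.0.5"})
    for state, keys in delta.items():
        for host, port, oid in keys:
            print(f"{state:<10} {host} {port} {oid}")
```

Only the "new" bucket would need a fresh ticket; "unverified" entries are the ones to rescan before anyone reports them as patched.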

[Openvas-discuss] Reporting on delta's between scans on same host

2017-12-07 Thread Joris
Hello list,

Using the scanner here and are pretty impressed with the results and the
web GUI.

Our next move is basically to identify differences between consecutive
scans on hosts (was a vulnerability patched? was a new vulnerability
introduced on the system?)

Based on my understanding, the system does not support this natively but I
can be wrong. How do others solve this issue? Do you build automation
around it ?

Best regards
Joris