Install script for OpenVAS 8 with Redis on Debian 8.1 (Jessie) x86_64

#!/bin/bash
#OpenVAS 8
#version 8.0.4
#Debian 8.1
#Script
#Mauro Risonho de Paula Assumpção aka firebits mauro.risonho@gmail.com
#11.12.2015 17:51:03

# Toolchain, development headers and helper programs used by the OpenVAS 8
# source build below. This is the same package set as the one-line form;
# names that were repeated there appear once, which does not change what
# apt-get installs.
openvas_build_deps=(
  build-essential devscripts dpatch libassuan-dev libglib2.0-dev
  libgpgme11-dev libpcre3-dev libpth-dev libwrap0-dev libgmp-dev libgmp3-dev
  quilt cmake pkg-config libssh-dev libpcap-dev uuid-dev bison libksba-dev
  doxygen sqlfairy xmltoman sqlite3 libsqlite3-dev wamerican redis-server
  libhiredis-dev libsnmp-dev libmicrohttpd-dev libxml2-dev libxslt1-dev
  xsltproc libssh2-1-dev libldap2-dev autoconf nmap libgnutls28-dev
  libpopt-dev heimdal-dev heimdal-multidev mingw32 texlive-full rpm alien
  nsis rsync python2.7 python-setuptools
)
apt-get install -y "${openvas_build_deps[@]}"

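# Keep the distribution's redis.conf as redis.orig. -n leaves an existing
# backup alone, so a second run does not replace it with the edited file.
cp -n /etc/redis/redis.conf /etc/redis/redis.orig

# Append the unix-socket directive once. The quotes are plain ASCII: the
# typographic quotes shown on the page are not shell quoting and would be
# written into redis.conf as part of the line.
if ! grep -qxF 'unixsocket /tmp/redis.sock' /etc/redis/redis.conf; then
  echo 'unixsocket /tmp/redis.sock' >> /etc/redis/redis.conf
fi

# NOTE(review): the socket is created in world-writable /tmp. After the
# restart, check its mode with `ls -l /tmp/redis.sock` and set
# `unixsocketperm` in redis.conf if it is wider than the scanner needs.
service redis-server restart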

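# All sources are downloaded and unpacked inside ./openvas8; the build steps
# that follow expect to start from this directory.
mkdir -p openvas8
cd openvas8/ || exit 1

# Release tarballs for OpenVAS 8 and the OSPd wrappers, as listed on the page.
download_base=http://wald.intevation.org/frs/download.php
release_files=(
  2191/openvas-libraries-8.0.5.tar.gz
  2129/openvas-scanner-5.0.4.tar.gz
  2195/openvas-manager-6.0.6.tar.gz
  2200/greenbone-security-assistant-6.0.6.tar.gz
  2209/openvas-cli-1.4.3.tar.gz
  1975/openvas-smb-1.0.1.tar.gz
  2177/ospd-1.0.2.tar.gz
  2005/ospd-ancor-1.0.0.tar.gz
  2097/ospd-debsecan-1.0.0.tar.gz
  2003/ospd-ovaldi-1.0.0.tar.gz
  2149/ospd-paloalto-1.0b1.tar.gz
  2004/ospd-w3af-1.0.0.tar.gz
  2181/ospd-acunetix-1.0b1.tar.gz
  2185/ospd-ikescan-1.0b1.tar.gz
  2204/ospd-ikeprobe-1.0b1.tar.gz
  2213/ospd-ssh-keyscan-1.0b1.tar.gz
  2219/ospd-netstat-1.0b1.tar.gz
)

# The page passed "–no-check-certificate" (typed with an en dash, so wget would
# have read it as another URL). The flag is left out: it has no effect on
# http:// URLs, and on https:// it would only switch certificate checks off.
for release_file in "${release_files[@]}"; do
  wget "${download_base}/${release_file}" || exit 1
done

# The URLs are plain HTTP and everything fetched here is later built and
# installed as root, so the tarballs need an integrity check that the
# transport does not give. ../openvas8.sha256 is a file name chosen by this
# script (not something the project ships): the operator fills it with
# digests obtained from a source they trust.
if [[ -f ../openvas8.sha256 ]]; then
  sha256sum -c ../openvas8.sha256 || exit 1
else
  echo 'warning: ../openvas8.sha256 not found; tarballs are unverified' >&2
fi

# Unpack every tarball in this directory, keeping file permissions (p) and
# listing the extracted files (v) as the original command did.
for tarball in *.tar.gz; do
  [[ -e "$tarball" ]] || continue
  tar -xzvpf "$tarball" || exit 1
done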

###############################################

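# Configure, build, document and install each CMake-based component, in the
# order the page gives. Each build runs in a subshell so the working directory
# is back at ./openvas8 afterwards, and a failed cd can no longer send
# `make install` into the wrong tree.
for component in openvas-smb openvas-libraries openvas-scanner \
                 openvas-manager openvas-cli greenbone-security-assistant; do
  # Match the unpacked directory only: a bare "name-*" also matches the
  # tarball lying next to it, and newer bash refuses cd with two arguments.
  source_dirs=("${component}"-*/)
  if [[ ! -d "${source_dirs[0]}" ]]; then
    echo "error: no unpacked source directory for ${component}" >&2
    exit 1
  fi
  (
    cd "${source_dirs[0]}" || exit 1
    mkdir -p build
    cd build || exit 1

    # NOTE(review): for greenbone-security-assistant the page ran, at this
    # point, a sed substitution over ../src/xslt_i18n.h and wrote the result
    # back to that header. The expression reached the page as 's///' with its
    # pattern missing; sed rejects that, the intermediate file stays empty and
    # the header is overwritten with nothing. The step is therefore left out
    # until the intended pattern is restored from the author's original.

    cmake .. || exit 1
    make || exit 1
    # Documentation is not needed for a working install, so a failure here is
    # reported and the install still proceeds (the original did not stop either).
    make doc-full || echo "warning: make doc-full failed for ${component}" >&2
    make install || exit 1
  ) || exit 1
done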

###

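# Install the OSPd base package and its scanner wrappers with setup.py under
# /usr/local. "ospd-1" selects the base package without also matching the
# wrappers, which all start with "ospd-<name>-".
for module_prefix in ospd-1 ospd-ancor- ospd-debsecan- ospd-ovaldi- \
                     ospd-paloalto- ospd-w3af- ospd-acunetix- ospd-ikescan- \
                     ospd-ikeprobe- ospd-ssh-keyscan- ospd-netstat-; do
  # Directory-only glob: the tarball of the same name must not be handed to cd.
  # The page had "cd ospd-netstat-&" for the last module, which backgrounds a
  # failing cd, runs setup.py in the wrong directory and then leaves ./openvas8;
  # it goes through the same loop as the others here.
  module_dirs=("${module_prefix}"*/)
  if [[ ! -d "${module_dirs[0]}" ]]; then
    echo "error: no unpacked source directory for ${module_prefix}" >&2
    exit 1
  fi
  (
    cd "${module_dirs[0]}" || exit 1
    # Plain ASCII "--prefix": the en dash shown on the page is not an option
    # introducer and setup.py would not recognise it.
    python setup.py install --prefix=/usr/local
  ) || exit 1
done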

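# Refresh the dynamic linker cache so the libraries just installed are found.
ldconfig

###############################################

# Create the scanner-side CA and server certificate, then the client
# certificate (-n: non-interactive, -i: install it).
openvas-mkcert
openvas-mkcert-client -n -i

# Create the administrator account. The page followed this with
# "--user=admin --new-password=admin", which pins the web login to a
# well-known pair; that reset is removed so the password reported by
# --create-user stays in force (the page's own hint: write it down).
# To choose a password afterwards, run by hand:
#   openvasmd --user=admin --new-password=<your password>
# NOTE(review): the value is visible in the process list while that command
# runs, so do it on a host without other logged-in users.
openvasmd --create-user=admin --role=Admin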

####

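# Generate three helper scripts under /usr/local/sbin. Quoted here-documents
# write the text literally; the typographic quotes shown on the page are not
# shell quoting and would have ended up inside the generated files, breaking
# their shebang lines.

# openvas-update: pull the NVT, SCAP and CERT feeds.
cat > /usr/local/sbin/openvas-update <<'EOF'
#!/bin/bash
/usr/local/sbin/openvas-nvt-sync
/usr/local/sbin/openvas-scapdata-sync
/usr/local/sbin/openvas-certdata-sync
EOF
chmod +x /usr/local/sbin/openvas-update

# openvas-start: rebuild the manager database, then start manager, scanner
# and the web interface.
cat > /usr/local/sbin/openvas-start <<'EOF'
#!/bin/bash
/usr/local/sbin/openvasmd --rebuild
/usr/local/sbin/openvasmd
/usr/local/sbin/openvassd
/usr/local/sbin/gsad
EOF
chmod +x /usr/local/sbin/openvas-start

# openvas-kill: send the default signal to every process whose ps line matches
# openvas?d or gsad.
cat > /usr/local/sbin/openvas-kill <<'EOF'
#!/bin/bash
ps aux | egrep "(openvas.d|gsad)" | awk '{print $2}' | xargs -i kill '{}'
EOF
chmod +x /usr/local/sbin/openvas-kill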

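# Rewrite /etc/rc.local so OpenVAS is restarted at boot. The existing content
# is read first, minus its "exit 0" line and any earlier openvas lines, so the
# block below is not duplicated when the script is run again.
rclocal=$(grep -v "exit 0" /etc/rc.local | grep -v "openvas")

# The boot-time lines are written from a quoted here-document: with the
# typographic quotes shown on the page, the inner ">> /var/log/openvas_init"
# would have been treated as a redirection of the installer itself instead of
# text for rc.local.
{
  printf '%s\n' "$rclocal"
  cat <<'EOF'
date >> /var/log/openvas_init
echo 'openvas init started' >> /var/log/openvas_init
/usr/local/sbin/openvas-kill >> /var/log/openvas_init || /bin/true
/usr/local/sbin/openvas-start >> /var/log/openvas_init || /bin/true
echo 'openvas init finished' >> /var/log/openvas_init
exit 0
EOF
} > /etc/rc.local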

####

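# Stop anything already running, pull the feeds, then start the services.
/usr/local/sbin/openvas-kill
/usr/local/sbin/openvas-update
/usr/local/sbin/openvas-start

# Check the installation with the project's openvas-check-setup script.
# The page added --no-check-certificate to this download. It is removed: the
# file is executed as root two lines later, so the TLS certificate of the
# server it comes from has to be verified, and a failed download must stop
# the run instead of executing a partial or stale file.
wget -O openvas-check-setup https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup || exit 1
chmod 0755 openvas-check-setup
./openvas-check-setup --v8 --server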


Deployment Node.js no Debian 7 x86-64 bits

Dias atrás, conheci uma galera que já há um tempo está iniciando uma startup e se deu bem no mundo dos negócios, criando um GW de pagamento baseado em Node.js; então achei legal pesquisar (nos próximos posts falo mais sobre Node.js e suas vantagens):

Para deployment Node.js no Debian 7 x86-64 bits

$ sudo apt-get update && apt-get install git-core curl build-essential openssl libssl-dev

$ git clone https://github.com/joyent/node.git

$ cd node

$ sudo su -

# ./configure --openssl-libpath=/usr/lib/ssl
# make
# make test (ctrl+c se demorar demais os tests.)
# make install
# node -v

root@akrivis:~/node# node -v
v0.11.7-pre

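Instalando npm (uma espécie de instalador de módulos que está para node.js assim como rubygems está para ruby, easy_install ou pip para python, cpan para perl e por aí vai…). O script abaixo é baixado por HTTP simples e executado como root; revise o conteúdo de install.sh antes de rodá-lo: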

wget http://npmjs.org/install.sh

sh install.sh

root@akrivis:~/node# npm update
root@akrivis:~/node# npm -h

Usage: npm <command>

where <command> is one of:
add-user, adduser, apihelp, author, bin, bugs, c, cache,
completion, config, ddp, dedupe, deprecate, docs, edit,
explore, faq, find, find-dupes, get, help, help-search,
home, i, info, init, install, isntall, issues, la, link,
list, ll, ln, login, ls, outdated, owner, pack, prefix,
prune, publish, r, rb, rebuild, remove, repo, restart, rm,
root, run-script, s, se, search, set, show, shrinkwrap,
star, stars, start, stop, submodule, tag, test, tst, un,
uninstall, unlink, unpublish, unstar, up, update, v,
version, view, whoami

npm <cmd> -h quick help on <cmd>
npm -l display full usage info
npm faq commonly asked questions
npm help <term> search for help on <term>
npm help npm involved overview

Specify configs in the ini-formatted file:
/root/.npmrc
or on the command line via: npm <command> –key value
Config info can be viewed via: npm help config

npm@1.3.9 /usr/local/lib/node_modules/npm

@firebitsbr

Compilando e Instalando – OpenVAS6 packages + Debian 7

Neste post vou demonstrar como fazer uma instalação a partir do zero, sem ser por svn e sim por packages.

Antes, no entanto, é preciso concluir a instalação do Debian 7 com alguns pacotes necessários para compilar e executar OpenVAS 6.

$ sudo apt-get install nsis alien rpm texlive-latex-extra libqt4-dev g++ libmicrohttpd-dev libxml2-dev libxslt1-dev libxml2-dev libsqlite3-dev doxygen sqlfairy xmltoman sqlite3 gcc make cmake pkg-config libssh-dev gnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libmicrohttpd5 -y

Depois, precisamos baixar os packages do Openvas6.

$ wget http://wald.intevation.org/frs/download.php/1159/openvas-libraries-5.0.3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1092/openvas-scanner-3.3.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1112/openvas-manager-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1140/openvas-administrator-1.2.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1116/greenbone-security-assistant-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1084/gsd-1.2.2.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1131/openvas-cli-1.1.5.tar.gz

E na sequencia:

1 openvas-libraries
2 openvas-scanner
3 openvas-manager
4 openvas-administrator
5 gsad (greenbone-security-assistant)
6 gsd (greenbone-security-desktop)
7 openvas-cli

1 openvas-libraries

# tar xzvf openvas-libraries-5.0.3.tar.gz
# cd openvas-libraries-5.0.3/
# cmake .
– Configuring the Libraries…
– Install prefix: /usr/local
– checking for module ‘wmiclient>=1.3.14′
– package ‘wmiclient>=1.3.14′ not found
– checking for module ‘libssh>=0.4.5′
– package ‘libssh>=0.4.5′ not found
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Looking for libldap…
– No ldap library found – ldap support disabled
– Did not find libssh via pkg-config, trying alternative approach …
– Found libssh 0.4.5.
– Looking for uuid…
– Looking for uuid… /usr/lib/libuuid.so
– Found Doxygen: /usr/bin/doxygen
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-libraries-5.0.3

# make install
# cd ..

2 openvas-scanner

# tar xzvf openvas-scanner-3.3.1.tar.gz
# cd openvas-scanner-3.3.1/
# cmake .

– Configuring the Scanner…
– Install prefix: /usr/local
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Found Doxygen: /usr/bin/doxygen
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-scanner-3.3.1
# make
# make install
# cd ..

3 openvas-manager

# tar xzvf openvas-manager-4.0+beta3.tar.gz
# cmake .
– Configuring the Manager…
– Install prefix: /usr/local
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Looking for SQLFairy…
– Looking for SQLFairy… /usr/bin/sqlt-diagram, /usr/bin/sqlt
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-manager-4.0+beta3

# make
# make install
# cd ..

4 openvas-administrator

# tar xzvf openvas-administrator-1.2.1.tar.gz
# cd openvas-administrator-1.2.1/
# cmake .
– Configuring the OpenVAS Administrator…
– Install prefix: /usr/local
– Looking for pcap…
– Looking for pcap… /usr/lib/libpcap.so
– Looking for gpgme…
– Looking for gpgme… /usr/lib/libgpgme.so
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-administrator-1.2.1

# make
# make install
# cd ..

5 gsad (greenbone-security-assistant)

# tar xzvf greenbone-security-assistant-4.0+beta3.tar.gz
# cd greenbone-security-assistant-4.0+beta3/
# cmake .
– Configuring greenbone-security-assistant…
– Looking for pkg-config… /usr/bin/pkg-config
– Install prefix: /usr/local
– External XSL transformations, with xsltproc.
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/greenbone-security-assistant-4.0+beta3

# make
# make install
# cd ..

6 gsd (greenbone-security-desktop)

# tar xzvf gsd-1.2.2.tar.gz
# cd gsd-1.2.2
# cmake .
– Configuring gsd …
– Install prefix: /usr/local
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/gsd-1.2.2
# make
# make install
# cd ..

7 openvas-cli

# tar xzvf openvas-cli-1.1.5.tar.gz
# cd openvas-cli-1.1.5
# cmake .
– Configuring openvas-cli …
– Install prefix: /usr/local
– Looking for xmltoman…
– Looking for xmltoman… /usr/bin/xmltoman
– Looking for xmlmantohtml… /usr/bin/xmlmantohtml
– Configuring done
– Generating done
– Build files have been written to: /home/test/openvas/openvas-cli-1.1.5
# make
# make install
# cd ..

Quando a instalação estiver completa, vamos configurar OpenVAS 6, atualizar primeiro o banco de dados com todos os testes e plugins de vulnerabilidades (NVT):

# openvas-nvt-sync

[i] This script synchronizes an NVT collection with the ‘OpenVAS NVT Feed’.
[i] The ‘OpenVAS NVT Feed’ is provided by ‘The OpenVAS Project’.
[i] Online information about this feed: ‘http://www.openvas.org/openvas-nvt-feed.html’.
[i] NVT dir: /usr/local/var/lib/openvas/plugins
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed
OpenVAS feed server – http://openvas.org/
This service is hosted by Intevation GmbH – http://intevation.de/
All transactions are logged.
Please report problems to admin@intevation.de
receiving incremental file list
[…]

Vamos gerar um usuário com privilégios de administrador (para o OpenVAS, não do SO):

# openvasad -c 'add_user' -n admin --role=Admin
Enter password: <digite uma senha segura aqui>

Como OpenVAS protege a comunicação entre o scanner e o cliente usando SSL, você deve gerar os certificados usando o script openvas-mkcert que gera uma autoridade de certificação (se já não estiver lá) e o certificado do lado do scanner. Neste caso, ele vai configurar um CA da Alemanha, com informações do projeto OpenVAS e GreenBone (uma das empresas que tem serviços profissionais e pagos, além de contribuir com a comunidade open source com código-fonte e plugins).

# openvas-mkcert
/usr/local/var/lib/openvas/private/CA created
/usr/local/var/lib/openvas/CA created

——————————————————————————-
Creation of the OpenVAS SSL Certificate
——————————————————————————-

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [DE]:
Your state or province name [none]:
Your location (e.g. town) [Berlin]:
Your organization [OpenVAS Users United]:

——————————————————————————-
Creation of the OpenVAS SSL Certificate
——————————————————————————-

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

Agora vamos gerar o CA no lado do client:

# openvas-mkcert-client -n om -i
Generating RSA private key, 1024 bit long modulus
……………..++++++
…….++++++
e is 65537 (0×10001)

[…]

Vamos inicializar o scanner, pode demorar alguns minutos para carregar todos os plugins de vulnerabilidades – NVT.

# openvassd

Depois de concluído o carregamento dos plugins, precisamos reconstruir o banco de dados com o openvas-manager; para isso, usamos os seguintes comandos:

# touch /usr/local/var/lib/openvas/mgr/tasks.d
# openvasmd --backup
# openvasmd --rebuild

O Openvas 6 usa nmap 5.51:

# wget http://nmap.org/dist/nmap-5.51.6.tgz
# tar xzvf nmap-5.51.6.tgz
# cd nmap-5.51.6
# ./configure
# make
# make install

Precisamos verificar se a versão do Nmap está correta:

# nmap -V
Nmap version 5.51.6 ( http://nmap.org )

Agora, vamos inicializar o Openvas modo Administrador:

# openvasad

E depois, vamos inicializar o Openvas modo Manager:

# openvasmd

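Também vamos inicializar o GSA (greenbone-security-assistant) para administrar nossa instalação OpenVAS6. Atenção: com --http-only o login trafega sem criptografia e, com --listen=0.0.0.0, a interface fica acessível por todas as interfaces de rede; se o acesso for apenas local, como no passo do navegador mais abaixo, use --listen=127.0.0.1: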

# gsad --http-only --listen=0.0.0.0 -p 9392

Verificando se foi instalado corretamente, através deste script:

# chmod 755 openvas-check-setup
# ./openvas-check-setup --v6

[…]
Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 3.3.1.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 28194 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 4.0+beta3.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 58.
OK: OpenVAS Manager expects database at revision 58.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 28194 NVTs.
OK: xsltproc found.
Step 3: Checking OpenVAS Administrator …
OK: OpenVAS Administrator is present in version 1.2.1.
OK: At least one user exists.
OK: At least one admin user exists.
Step 4: Checking Greenbone Security Assistant (GSA) …
OK: Greenbone Security Assistant is present in version 4.0+beta3.
Step 5: Checking OpenVAS CLI …
OK: OpenVAS CLI version 1.1.5.
Step 6: Checking Greenbone Security Desktop (GSD) …
OK: Greenbone Security Desktop is present in Version 1.2.2.
Step 7: Checking if OpenVAS services are up and running …
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: OpenVAS Administrator is running and listening on all interfaces.
OK: OpenVAS Administrator is listening on port 9393, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation …
OK: nmap is present in version 5.51.6.
Step 9: Checking presence of optional tools …
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.[…]

Vamos conectar à porta 9392 via browser, através da URL http://localhost:9392:

OpenVAS6 + Debian 7

E, por último, entrar com o nome de usuário e a senha criados anteriormente no OpenVAS6.

OpenVAS6 - gsad

Referências:

http://www.openvas.org/
http://www.openvas.org/setup-and-start.html
http://www.debian.org/