os:kali:openvas

PURPOSE

Vulnerability scanner for guest systems hosted in UniFR
6CPU/16GB/32GBSSD
Default IP: 192.168.1.42/24 (kali.fortier-family.com)
OS: Kali Linux
Open ports: SSH/HTTPS

INSTALL

Iso 2021.2 from https://www.kali.org/get-kali/#kali-bare-metal
Full US install (XFCE + large collection)
One account at install (sudoers): warnaud LOL

POST-INSTALL

network

nmtui

to restore the DNS servers, which were not set…

apt update
apt upgrade
systemctl enable ssh

SSH

root key-only

vi /etc/ssh/sshd_config
PermitRootLogin prohibit-password
systemctl restart ssh

from some IP

IPv6/rsyslog/ntp

IPv6

sysctl -w net.ipv6.conf.all.disable_ipv6=1 && sysctl -w net.ipv6.conf.default.disable_ipv6=1 && sysctl -w net.ipv6.conf.lo.disable_ipv6=1
vi /etc/ssh/sshd_config
AddressFamily inet
systemctl restart ssh

Rsyslog

vi /etc/rsyslog.conf
# 2020-01-15 forward to (r)syslog.unifr.ch
#            the new machine is vx-ditsyslog.unifr.ch 134.21.201.50
#            the alias syslog.unifr.ch exists
#            using the IP address avoids depending on DNS being up
#            the choice is left to the sysadmin.
*.*     @@IPsyslog-server

NTP

timedatectl set-timezone Europe/Zurich
apt install ntp ntpdate
vi /etc/ntp.conf
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server ntp.fortier-family.com iburst
systemctl enable --now ntp
ntpq -p

OpenVAS

Check

Verify haveged is running

ps aux | grep -i have

Install/setup

apt install gvm
gvm-setup

First update takes ages…
:!: Don't forget to get the password for the admin account :!:

Update

gvm-feed-update

MANUAL WAY

<code bash>
# Update NVT Feed
sudo runuser -u _gvm -- greenbone-nvt-sync
# Update SCAP Feed
sudo runuser -u _gvm -- greenbone-feed-sync --type SCAP
# Update CERT Feed
sudo runuser -u _gvm -- greenbone-feed-sync --type CERT
# Update gvmd DATA Feed
sudo runuser -u _gvm -- greenbone-feed-sync --type GVMD_DATA
</code>

crontab

0 12 * * * for optimize in vacuum analyze cleanup-report-formats cleanup-result-nvts cleanup-config-prefs cleanup-result-severities update-report-cache; do /usr/sbin/gvmd --optimize=$optimize; done
0 13 * * * sudo -u _gvm greenbone-scapdata-sync >/var/log/gvm-feed-update-SCAP.log 2>&1
0 15 * * * sudo -u _gvm greenbone-feed-sync --type GVMD_DATA >/var/log/gvm-feed-update-GVMD.log 2>&1
0 17 * * * sudo -u _gvm greenbone-certdata-sync >/var/log/gvm-feed-update-CERT.log 2>&1
0 19 * * * sudo -u _gvm greenbone-nvt-sync >/var/log/gvm-feed-update-sync.log 2>&1

PDF Problem

Since September https://forum.greenbone.net/t/kali-linux-cannot-create-pdf-reports/13014/4 :

vi /var/lib/gvm/gvmd/report_formats/a67ec44b-a708-445d-a6a8-29f76a6a9647/c402cc3e-b531-11e1-9163-406186ea4fc5/latex.xsl
% \usepackage[utf8x]{inputenc}

Service

systemctl enable --now gvmd ospd-openvas
systemctl enable greenbone-security-assistant
systemctl status gvmd ospd-openvas greenbone-security-assistant
 
gvm-check-setup

:!: greenbone-security-assistant doesn't need to be up

Reset password

su - _gvm -s /bin/sh -c "gvmd --user=admin --new-password mypasswd; history -c"
history -c

Xrdp

apt install xrdp
 systemctl enable --now xrdp

Fixing "xrdp Authentication is required to create a color managed device"

Doesn't work:

echo "polkit.addRule(function(action, subject) {
 if ((action.id == "org.freedesktop.color-manager.create-device" ||
 action.id == "org.freedesktop.color-manager.create-profile" ||
 action.id == "org.freedesktop.color-manager.delete-device" ||
 action.id == "org.freedesktop.color-manager.delete-profile" ||
 action.id == "org.freedesktop.color-manager.modify-device" ||
 action.id == "org.freedesktop.color-manager.modify-profile") &&
 subject.isInGroup("{users}")) {
 return polkit.Result.YES;
 }
 });" >  /etc/polkit-1/localauthority.conf.d/02-allow-color.d.conf
 
echo "[Allow Colord all Users] Identity=unix-user:* 
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile; 
ResultAny=no 
ResultInactive=no 
ResultActive=yes" > /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla

:!:

cp /usr/share/polkit-1/actions/org.freedesktop.color.policy /usr/share/polkit-1/actions/org.freedesktop.color.policy.org
rm /usr/share/polkit-1/actions/org.freedesktop.color.policy

Working solution

vi /usr/share/polkit-1/actions/org.freedesktop.color.policy

switch all values to yes

      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>

And then:

vi /etc/polkit-1/localauthority.conf.d/02-allow-color.d.conf
polkit.addRule(function(action, subject) {
 if ((action.id == "org.freedesktop.color-manager.create-device" ||
 action.id == "org.freedesktop.color-manager.create-profile" ||
 action.id == "org.freedesktop.color-manager.delete-device" ||
 action.id == "org.freedesktop.color-manager.delete-profile" ||
 action.id == "org.freedesktop.color-manager.modify-device" ||
 action.id == "org.freedesktop.color-manager.modify-profile") &&
 subject.isInGroup("{users}")) {
 return polkit.Result.YES;
 }
 });

Debug

In case of problem…

gvm-check-setup
systemctl status gvmd ospd-openvas greenbone-security-assistant
multitail /var/log/gvm/gsad.log /var/log/gvm/gvmd.log /var/log/gvm/openvas.log /var/log/gvm/ospd-openvas.log

Upgrade

Postgresql 13 to 14

apt update
apt install postgresql-14 postgresql-server-dev-14
diff /etc/postgresql/13/main/postgresql.conf /etc/postgresql/14/main/postgresql.conf
diff /etc/postgresql/13/main/pg_hba.conf /etc/postgresql/14/main/pg_hba.conf
systemctl stop postgresql
su - postgres

as user postgres

/usr/lib/postgresql/14/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/13/main \
  --new-datadir=/var/lib/postgresql/14/main \
  --old-bindir=/usr/lib/postgresql/13/bin \
  --new-bindir=/usr/lib/postgresql/14/bin \
  --old-options '-c config_file=/etc/postgresql/13/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/14/main/postgresql.conf' \
  --check

If you get an error like “There seems to be a postmaster servicing the new cluster. Please shutdown that postmaster and try again.”, re-run systemctl stop postgresql.

Then migrate data:

/usr/lib/postgresql/14/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/13/main \
  --new-datadir=/var/lib/postgresql/14/main \
  --old-bindir=/usr/lib/postgresql/13/bin \
  --new-bindir=/usr/lib/postgresql/14/bin \
  --old-options '-c config_file=/etc/postgresql/13/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/14/main/postgresql.conf'
 
exit

Then, as root, swap the ports and restart the service:

vi /etc/postgresql/14/main/postgresql.conf
# ...and change "port = 5433" to "port = 5432"
 
vi /etc/postgresql/13/main/postgresql.conf
# ...and change "port = 5432" to "port = 5433"
 
 
systemctl disable postgresql@13-main.service
systemctl start postgresql

Postgresql 14 to 15

apt update
apt install postgresql-15 postgresql-server-dev-15
diff /etc/postgresql/14/main/postgresql.conf /etc/postgresql/15/main/postgresql.conf
diff /etc/postgresql/14/main/pg_hba.conf /etc/postgresql/15/main/pg_hba.conf
systemctl stop postgresql
su - postgres

as user postgres

/usr/lib/postgresql/15/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/14/main \
  --new-datadir=/var/lib/postgresql/15/main \
  --old-bindir=/usr/lib/postgresql/14/bin \
  --new-bindir=/usr/lib/postgresql/15/bin \
  --old-options '-c config_file=/etc/postgresql/14/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/15/main/postgresql.conf' \
  --check

If you get an error like “There seems to be a postmaster servicing the new cluster. Please shutdown that postmaster and try again.”, re-run systemctl stop postgresql.

Then migrate data:

/usr/lib/postgresql/15/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/14/main \
  --new-datadir=/var/lib/postgresql/15/main \
  --old-bindir=/usr/lib/postgresql/14/bin \
  --new-bindir=/usr/lib/postgresql/15/bin \
  --old-options '-c config_file=/etc/postgresql/14/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/15/main/postgresql.conf'
 
exit

Then, as root, swap the ports and restart the service:

vi /etc/postgresql/15/main/postgresql.conf
# ...and change "port = 5433" to "port = 5432"
 
vi /etc/postgresql/14/main/postgresql.conf
# ...and change "port = 5432" to "port = 5433"
 
 
systemctl disable postgresql@14-main.service
systemctl start postgresql

Postgresql 15 to 16

Reference: https://medium.com/@gembit.soultan/how-to-upgrade-postgresql-15-to-postgresql-16-using-pg-upgradeclusters-in-ubuntu-22-04-c9f279c5d3ab

pg_lsclusters
Ver Cluster Port Status Owner    Data directory              Log file
15  main    5432 online postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
16  main    5433 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
pg_dropcluster 16 main --stop
pg_lsclusters
Ver Cluster Port Status Owner    Data directory              Log file
15  main    5432 online postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
pg_upgradecluster 15 main
...
Success. Please check that the upgraded cluster works. If it does,
you can remove the old cluster with
    pg_dropcluster 15 main

Ver Cluster Port Status Owner    Data directory              Log file
15  main    5433 down   postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
Ver Cluster Port Status Owner    Data directory              Log file
16  main    5432 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
pg_dropcluster 15 main
apt purge postgresql-15 postgresql-client-15

Logrotate

There was an issue with /etc/logrotate.d/ files:

systemctl --failed
  UNIT              LOAD   ACTIVE SUB    DESCRIPTION
● logrotate.service loaded failed failed Rotate log files
 
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
1 loaded units listed.
 
systemctl status logrotate
× logrotate.service - Rotate log files
     Loaded: loaded (/lib/systemd/system/logrotate.service; static)
     Active: failed (Result: exit-code) since Wed 2022-06-01 06:54:28 CEST; 2s ago
TriggeredBy: ● logrotate.timer
       Docs: man:logrotate(8)
             man:logrotate.conf(5)
    Process: 96050 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=1/FAILURE)
   Main PID: 96050 (code=exited, status=1/FAILURE)
        CPU: 24ms
 
Jun 01 06:54:28 svx-vs1 systemd[1]: Starting Rotate log files...
Jun 01 06:54:28 svx-vs1 logrotate[96050]: error: gsad:1 duplicate log entry for /var/log/gvm/gsad.log
Jun 01 06:54:28 svx-vs1 logrotate[96050]: error: found error in file gsad, skipping
Jun 01 06:54:28 svx-vs1 systemd[1]: logrotate.service: Main process exited, code=exited, status=1/FAILURE
Jun 01 06:54:28 svx-vs1 systemd[1]: logrotate.service: Failed with result 'exit-code'.
Jun 01 06:54:28 svx-vs1 systemd[1]: Failed to start Rotate log files.

Indeed:

grep "/var/log/gvm/gsad.log" /etc/logrotate.d/*
/etc/logrotate.d/greenbone-security-assistant:/var/log/gvm/gsad.log {
/etc/logrotate.d/greenbone-security-assistant:    openvaslogs=`ls /var/log/gvm/gsad.log.*`
/etc/logrotate.d/gsad:/var/log/gvm/gsad.log {
/etc/logrotate.d/gsad:    openvaslogs=`ls /var/log/gvm/gsad.log.*`

let's “fix” it

mv /etc/logrotate.d/greenbone-security-assistant .
systemctl restart logrotate
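As an added check (not from the original page): a POSIX shell function that lists every log path declared in more than one file under a logrotate.d directory, which is exactly the "duplicate log entry" condition that made logrotate.service fail above. It assumes the usual header syntax (one or more absolute paths followed by `{`) and does not follow `include` directives; the sample directory it builds is constructed to mirror the gsad case.

```shell
#!/bin/sh
# Added example, not part of the original page: find log paths that are
# declared in more than one file under a logrotate.d directory. logrotate
# rejects a whole config file on "duplicate log entry", which is why
# logrotate.service failed above once both the gsad file and the
# greenbone-security-assistant file rotated /var/log/gvm/gsad.log.
find_duplicate_logrotate_entries() {
    dir="$1"
    awk '
        # A rule header is one or more absolute paths followed by "{".
        /^[ \t]*\// && /\{[ \t]*$/ {
            sub(/\{[ \t]*$/, " {")           # make "path{" split cleanly
            for (i = 1; i <= NF; i++) {
                if ($i == "{") break
                if (!seen[$i, FILENAME]++) {  # count each file once per path
                    count[$i]++
                    where[$i] = where[$i] " " FILENAME
                }
            }
        }
        END {
            for (p in count) if (count[p] > 1) print p ":" where[p]
        }
    ' "$dir"/* | sort
}

# Constructed sample mirroring the page: two files rotate gsad.log, one
# file rotates gvmd.log. Prints the temporary directory it created.
make_sample_logrotate_dir() {
    d=$(mktemp -d)
    printf '/var/log/gvm/gsad.log {\n  weekly\n}\n' > "$d/greenbone-security-assistant"
    printf '/var/log/gvm/gsad.log {\n  weekly\n}\n' > "$d/gsad"
    printf '/var/log/gvm/gvmd.log {\n  weekly\n}\n' > "$d/gvmd"
    echo "$d"
}
```

`logrotate -d /etc/logrotate.conf` remains the authoritative dry run; this function only tells you which files collide so you know which one to move away.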

postgreSQL

:!: Using psql works; putting the same settings in the .conf crashes the gvmd service… :!:
PGTune generated the following settings (originally appended at the end of /etc/postgresql/14/main/postgresql.conf); apply them with psql instead:

su - postgres
psql
ALTER SYSTEM SET max_connections = '20';
ALTER SYSTEM SET shared_buffers = '4GB';
ALTER SYSTEM SET effective_cache_size = '12GB';
ALTER SYSTEM SET maintenance_work_mem = '1GB';
ALTER SYSTEM SET checkpoint_completion_target = '0.9';
ALTER SYSTEM SET wal_buffers = '16MB';
ALTER SYSTEM SET default_statistics_target = '100';
ALTER SYSTEM SET random_page_cost = '1.1';
ALTER SYSTEM SET effective_io_concurrency = '200';
ALTER SYSTEM SET work_mem = '52428kB';
ALTER SYSTEM SET min_wal_size = '1GB';
ALTER SYSTEM SET max_wal_size = '4GB';
ALTER SYSTEM SET max_worker_processes = '16';
ALTER SYSTEM SET max_parallel_workers_per_gather = '4';
ALTER SYSTEM SET max_parallel_workers = '16';
ALTER SYSTEM SET max_parallel_maintenance_workers = '4';

Optimisation

From: https://community.greenbone.net/t/optimizing-postgresql-for-gvmd/6713/17

/usr/sbin/gvmd --optimize=vacuum
/usr/sbin/gvmd --optimize=analyze
/usr/sbin/gvmd --optimize=cleanup-report-formats
/usr/sbin/gvmd --optimize=cleanup-result-nvts
/usr/sbin/gvmd --optimize=cleanup-config-prefs
/usr/sbin/gvmd --optimize=cleanup-result-severities
/usr/sbin/gvmd --optimize=update-report-cache

in the crontab:

for optimize in vacuum analyze cleanup-report-formats cleanup-result-nvts cleanup-config-prefs cleanup-result-severities update-report-cache; do /usr/sbin/gvmd --optimize=$optimize; done

Checks after update

  • scan
  • pdf generation

Journal

  • PDF 0 Byte → edit /var/lib/gvm/gvmd/report_formats/a67ec44b-a708-445d-a6a8-29f76a6a9647/c402cc3e-b531-11e1-9163-406186ea4fc5/latex.xsl (comment out \usepackage[utf8x]{inputenc})
  • Redis server out of memory ⇔ task stopped (add more RAM (32GB) + 64GB swap)
    echo 1 > /proc/sys/vm/overcommit_memory
    fallocate -l 64G /mnt/64GB.swap
    dd if=/dev/zero of=/mnt/64GB.swap bs=1024 count=67108864
    # append, do not overwrite the existing sysctl.conf
    echo "vm.swappiness=10" >> /etc/sysctl.conf
    chmod 0600 /mnt/64GB.swap
    mkswap /mnt/64GB.swap
    swapon /mnt/64GB.swap
     
    echo "/mnt/64GB.swap  none  swap  sw 0  0" >>/etc/fstab

Services update

apt update && apt dist-upgrade -y
gvm-stop
su - _gvm -s /bin/sh -c "gvmd --migrate"
vi /lib/systemd/system/greenbone-security-assistant.service # check port
systemctl daemon-reload && systemctl restart gvmd.service gsad.service greenbone-security-assistant.service

Running on different port

 vi /lib/systemd/system/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
 
[Service]
Type=exec
User=_gvm
Group=_gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/sbin/gsad --foreground --listen 127.0.0.1 --port 9392
Restart=always
TimeoutStopSec=10
 
[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service

Change

 ExecStart=/usr/sbin/gsad --foreground --listen 127.0.0.1 --port 9392

to

 ExecStart=/usr/sbin/gsad --foreground --listen 0.0.0.0 --port 443

Email size

If you get the message “Note: This report exceeds the maximum length of XXXXX characters…” in your mail report:

vi /lib/systemd/system/gvmd.service
...
ExecStart=/usr/sbin/gvmd --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=-1 --max-email-include-size=-1
...
systemctl daemon-reload
systemctl restart gvmd
systemctl status gvmd
● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)
     Loaded: loaded (/lib/systemd/system/gvmd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2023-11-15 09:29:51 CET; 7s ago
       Docs: man:gvmd(8)
    Process: 278417 ExecStart=/usr/sbin/gvmd --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=8000000 --max-email-include-size=8000000 --max-email-message-size=8000000 (code=exited, status=0/SUCCESS)
   Main PID: 278420 (gvmd)
      Tasks: 1 (limit: 9312)
     Memory: 184.2M
        CPU: 1.742s
     CGroup: /system.slice/gvmd.service
             └─278420 "gvmd: Waiting " --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=8000000 --max-email-include-size=8000000 --max-email-message-size=8000000
 
Nov 15 09:29:48 kali systemd[1]: Starting gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)...
Nov 15 09:29:48 kali systemd[1]: gvmd.service: Can't open PID file /run/gvmd/gvmd.pid (yet?) after start: No such file or directory
Nov 15 09:29:51 kali systemd[1]: Started gvmd.service - Greenbone Vulnerability Manager daemon (gvmd).

Better:

ExecStart=/usr/sbin/gvmd --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=-1 --max-email-include-size=-1

References

os/kali/openvas.txt · Last modified: 2024/05/04 09:15 by warnaud