os:kali:openvas

PURPOSE

Vulnerability scanner for guest systems hosted in UniFR
6CPU/16GB/32GBSSD
Default IP: 192.168.1.42/24 (kali.fortier-family.com)
OS: Kali Linux
Open ports: SSH/HTTPS

INSTALL

Iso 2021.2 from https://www.kali.org/get-kali/#kali-bare-metal
Full US install (XFCE + large collection)
One account at install (sudoers): warnaud LOL

POST-INSTALL

network

 nmtui

to restore the DNS servers, which the installer had not set…

apt update
apt upgrade
systemctl enable ssh

SSH

root key-only

vi /etc/ssh/sshd_config
PermitRootLogin prohibit-password
systemctl restart ssh

from some IP

IPv6/rsyslog/ntp

IPv6

sysctl -w net.ipv6.conf.all.disable_ipv6=1 && sysctl -w net.ipv6.conf.default.disable_ipv6=1 && sysctl -w net.ipv6.conf.lo.disable_ipv6=1
vi /etc/ssh/sshd_config
AddressFamily inet
systemctl restart ssh

Rsyslog

vi /etc/rsyslog.conf
# 2020-01-15 forwarding to (r)syslog.unifr.ch
#            the new machine is vx-ditsyslog.unifr.ch 134.21.201.50
#            the alias syslog.unifr.ch exists
#            using the IP address avoids depending on DNS being up
#            the choice is left to the sysadmin.
*.*     @@134.21.201.50

NTP

timedatectl set-timezone Europe/Zurich
apt install ntp ntpdate
vi /etc/ntp.conf
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server time.unifr.ch iburst
systemctl enable --now ntp
ntpq -p

OpenVAS

Check

Verify haveged is running

ps aux | grep -i have

Install/setup

apt install gvm
gvm-setup

First update takes ages…
:!: Don't forget to get the password for the admin account :!:

Update

gvm-feed-update
 
############MANUAL WAY
1. Update NVT Feed
sudo runuser -u _gvm -- greenbone-nvt-sync
 
2. Update SCAP Feed
sudo runuser -u _gvm -- greenbone-feed-sync --type SCAP
 
3. Update CERT Feed
sudo runuser -u _gvm -- greenbone-feed-sync --type CERT
 
4. Update gvmd DATA Feed
sudo runuser -u _gvm -- greenbone-feed-sync --type GVMD_DATA

PDF Problem

Since September (see https://forum.greenbone.net/t/kali-linux-cannot-create-pdf-reports/13014/4), comment out the inputenc line in the LaTeX report format:

vi /var/lib/gvm/gvmd/report_formats/a67ec44b-a708-445d-a6a8-29f76a6a9647/c402cc3e-b531-11e1-9163-406186ea4fc5/latex.xsl
% \usepackage[utf8x]{inputenc}

Service

systemctl enable --now gvmd ospd-openvas
systemctl enable greenbone-security-assistant
systemctl status gvmd ospd-openvas greenbone-security-assistant
 
gvm-check-setup

:!: greenbone-security-assistant doesn't need to be up

Reset password

su - _gvm -s /bin/sh -c "gvmd --user=admin --new-password mypasswd"
history -c   # the new password was typed on the command line, so drop it from the shell history

Xrdp

apt install xrdp
 systemctl enable --now xrdp

Fixing "xrdp Authentication is required to create a color managed device"

Doesn't work:

echo "polkit.addRule(function(action, subject) {
 if ((action.id == "org.freedesktop.color-manager.create-device" ||
 action.id == "org.freedesktop.color-manager.create-profile" ||
 action.id == "org.freedesktop.color-manager.delete-device" ||
 action.id == "org.freedesktop.color-manager.delete-profile" ||
 action.id == "org.freedesktop.color-manager.modify-device" ||
 action.id == "org.freedesktop.color-manager.modify-profile") &&
 subject.isInGroup("{users}")) {
 return polkit.Result.YES;
 }
 });" >  /etc/polkit-1/localauthority.conf.d/02-allow-color.d.conf
 
echo "[Allow Colord all Users] Identity=unix-user:* 
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile; 
ResultAny=no 
ResultInactive=no 
ResultActive=yes" > /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla

:!:

cp /usr/share/polkit-1/actions/org.freedesktop.color.policy /usr/share/polkit-1/actions/org.freedesktop.color.policy.org
rm /usr/share/polkit-1/actions/org.freedesktop.color.policy

Working solution

vi /usr/share/polkit-1/actions/org.freedesktop.color.policy

switch all three values to yes:

      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>

And then:

vi /etc/polkit-1/localauthority.conf.d/02-allow-color.d.conf
polkit.addRule(function(action, subject) {
 if ((action.id == "org.freedesktop.color-manager.create-device" ||
 action.id == "org.freedesktop.color-manager.create-profile" ||
 action.id == "org.freedesktop.color-manager.delete-device" ||
 action.id == "org.freedesktop.color-manager.delete-profile" ||
 action.id == "org.freedesktop.color-manager.modify-device" ||
 action.id == "org.freedesktop.color-manager.modify-profile") &&
 subject.isInGroup("{users}")) {
 return polkit.Result.YES;
 }
 });

Debug

In case of problems:

 gvm-check-setup
systemctl status gvmd ospd-openvas greenbone-security-assistant
multitail /var/log/gvm/gsad.log /var/log/gvm/gvmd.log /var/log/gvm/openvas.log /var/log/gvm/ospd-openvas.log

Upgrade

Postgresql 13 to 14

apt update
apt install postgresql-14 postgresql-server-dev-14
diff /etc/postgresql/13/main/postgresql.conf /etc/postgresql/14/main/postgresql.conf
diff /etc/postgresql/13/main/pg_hba.conf /etc/postgresql/14/main/pg_hba.conf
systemctl stop postgresql
su - postgres

as user postgres

/usr/lib/postgresql/14/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/13/main \
  --new-datadir=/var/lib/postgresql/14/main \
  --old-bindir=/usr/lib/postgresql/13/bin \
  --new-bindir=/usr/lib/postgresql/14/bin \
  --old-options '-c config_file=/etc/postgresql/13/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/14/main/postgresql.conf' \
  --check

If there is an error like “There seems to be a postmaster servicing the new cluster. Please shutdown that postmaster and try again.”, re-run systemctl stop postgresql and check again.

Then migrate data:

/usr/lib/postgresql/14/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/13/main \
  --new-datadir=/var/lib/postgresql/14/main \
  --old-bindir=/usr/lib/postgresql/13/bin \
  --new-bindir=/usr/lib/postgresql/14/bin \
  --old-options '-c config_file=/etc/postgresql/13/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/14/main/postgresql.conf'
 
exit

Then, as root, swap the ports and relaunch the service:

vi /etc/postgresql/14/main/postgresql.conf
# ...and change "port = 5433" to "port = 5432"
 
vi /etc/postgresql/13/main/postgresql.conf
# ...and change "port = 5432" to "port = 5433"
 
 
systemctl disable postgresql@13-main.service
systemctl start postgresql

Postgresql 14 to 15

apt update
apt install postgresql-15 postgresql-server-dev-15
diff /etc/postgresql/14/main/postgresql.conf /etc/postgresql/15/main/postgresql.conf
diff /etc/postgresql/14/main/pg_hba.conf /etc/postgresql/15/main/pg_hba.conf
systemctl stop postgresql
su - postgres

as user postgres

/usr/lib/postgresql/15/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/14/main \
  --new-datadir=/var/lib/postgresql/15/main \
  --old-bindir=/usr/lib/postgresql/14/bin \
  --new-bindir=/usr/lib/postgresql/15/bin \
  --old-options '-c config_file=/etc/postgresql/14/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/15/main/postgresql.conf' \
  --check

If there is an error like “There seems to be a postmaster servicing the new cluster. Please shutdown that postmaster and try again.”, re-run systemctl stop postgresql and check again.

Then migrate data:

/usr/lib/postgresql/15/bin/pg_upgrade \
  --old-datadir=/var/lib/postgresql/14/main \
  --new-datadir=/var/lib/postgresql/15/main \
  --old-bindir=/usr/lib/postgresql/14/bin \
  --new-bindir=/usr/lib/postgresql/15/bin \
  --old-options '-c config_file=/etc/postgresql/14/main/postgresql.conf' \
  --new-options '-c config_file=/etc/postgresql/15/main/postgresql.conf'
 
exit

Then, as root, swap the ports and relaunch the service:

vi /etc/postgresql/15/main/postgresql.conf
# ...and change "port = 5433" to "port = 5432"
 
vi /etc/postgresql/14/main/postgresql.conf
# ...and change "port = 5432" to "port = 5433"
 
 
systemctl disable postgresql@14-main.service
systemctl start postgresql
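The 13→14 and 14→15 sections are the same steps with the version numbers changed, so here is the procedure parametrised as a shell script. This is an added example, not a script from the wiki; it assumes the Debian/Kali layout used above (/usr/lib/postgresql/<ver>/bin, /var/lib/postgresql/<ver>/main, /etc/postgresql/<ver>/main), and PG_ETC can be pointed at copies of the config directory to try the port swap without touching the real clusters.

```shell
#!/bin/sh
# Added example (not the wiki's own script): the pg_upgrade procedure from the
# sections above, with OLD and NEW major versions as parameters.
# Assumes the Debian/Kali layout; PG_ETC defaults to /etc/postgresql and is
# overridable so the port swap can be exercised on constructed copies.
set -eu
PG_ETC="${PG_ETC:-/etc/postgresql}"

# Print the pg_upgrade command line for OLD -> NEW; pass --check as $3 for the dry run.
pg_upgrade_cmd() {
    old="$1"; new="$2"; extra="${3:-}"
    printf '%s' "/usr/lib/postgresql/$new/bin/pg_upgrade" \
        " --old-datadir=/var/lib/postgresql/$old/main --new-datadir=/var/lib/postgresql/$new/main" \
        " --old-bindir=/usr/lib/postgresql/$old/bin --new-bindir=/usr/lib/postgresql/$new/bin" \
        " --old-options '-c config_file=$PG_ETC/$old/main/postgresql.conf'" \
        " --new-options '-c config_file=$PG_ETC/$new/main/postgresql.conf'" \
        "${extra:+ $extra}"
}

# Current "port = N" value of a cluster's postgresql.conf.
pg_port() { sed -n 's/^port = \([0-9]*\).*/\1/p' "$PG_ETC/$1/main/postgresql.conf"; }

# The new cluster takes 5432 and the old one moves to 5433. Refuses (returns 1)
# unless the files are still in the state apt left them, so running it twice
# cannot silently flip the ports back.
swap_pg_ports() {
    old="$1"; new="$2"
    [ "$(pg_port "$new")" = 5433 ] && [ "$(pg_port "$old")" = 5432 ] || return 1
    sed -i 's/^port = 5433/port = 5432/' "$PG_ETC/$new/main/postgresql.conf"
    sed -i 's/^port = 5432/port = 5433/' "$PG_ETC/$old/main/postgresql.conf"
}

# Whole procedure, run as root: install, stop, dry run, migrate, swap ports, restart.
pg_major_upgrade() {
    old="$1"; new="$2"
    apt install -y "postgresql-$new" "postgresql-server-dev-$new"
    systemctl stop postgresql
    # the --check run is where a still-running postmaster makes pg_upgrade bail out
    su - postgres -c "$(pg_upgrade_cmd "$old" "$new" --check)"
    su - postgres -c "$(pg_upgrade_cmd "$old" "$new")"
    swap_pg_ports "$old" "$new"
    systemctl disable "postgresql@$old-main.service"
    systemctl start postgresql
}

# Usage (as root): pg_major_upgrade 14 15
```

Diff the old and new pg_hba.conf and postgresql.conf by hand first, as the sections above do; the script does not carry local changes over.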

Postgresql 15 to 16

Reference: https://medium.com/@gembit.soultan/how-to-upgrade-postgresql-15-to-postgresql-16-using-pg-upgradeclusters-in-ubuntu-22-04-c9f279c5d3ab

 pg_lsclusters
Ver Cluster Port Status Owner    Data directory              Log file
15  main    5432 online postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
16  main    5433 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
pg_dropcluster 16 main --stop
pg_lsclusters
Ver Cluster Port Status Owner    Data directory              Log file
15  main    5432 online postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
pg_upgradecluster 15 main
...
Success. Please check that the upgraded cluster works. If it does,
you can remove the old cluster with
    pg_dropcluster 15 main

Ver Cluster Port Status Owner    Data directory              Log file
15  main    5433 down   postgres /var/lib/postgresql/15/main /var/log/postgresql/postgresql-15-main.log
Ver Cluster Port Status Owner    Data directory              Log file
16  main    5432 online postgres /var/lib/postgresql/16/main /var/log/postgresql/postgresql-16-main.log
pg_dropcluster 15 main
apt purge postgresql-15 postgresql-client-15

Feed update auto

By default, a single cron entry (the whole chain is wrapped in parentheses so that the redirection captures every step, not only the last one):

crontab -e
0 3 * * * ( sudo -u _gvm greenbone-nvt-sync && sudo -u _gvm greenbone-feed-sync --type SCAP && sudo -u _gvm greenbone-feed-sync --type CERT && sudo -u _gvm greenbone-feed-sync --type GVMD_DATA && sudo -u _gvm openvas -u ) >/var/log/gvm-feed-update-cron.log 2>&1

Logrotate

There was an issue with /etc/logrotate.d/ files:

systemctl --failed
  UNIT              LOAD   ACTIVE SUB    DESCRIPTION
● logrotate.service loaded failed failed Rotate log files
 
LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
1 loaded units listed.
 
systemctl status logrotate
× logrotate.service - Rotate log files
     Loaded: loaded (/lib/systemd/system/logrotate.service; static)
     Active: failed (Result: exit-code) since Wed 2022-06-01 06:54:28 CEST; 2s ago
TriggeredBy: ● logrotate.timer
       Docs: man:logrotate(8)
             man:logrotate.conf(5)
    Process: 96050 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=1/FAILURE)
   Main PID: 96050 (code=exited, status=1/FAILURE)
        CPU: 24ms
 
Jun 01 06:54:28 svx-vs1 systemd[1]: Starting Rotate log files...
Jun 01 06:54:28 svx-vs1 logrotate[96050]: error: gsad:1 duplicate log entry for /var/log/gvm/gsad.log
Jun 01 06:54:28 svx-vs1 logrotate[96050]: error: found error in file gsad, skipping
Jun 01 06:54:28 svx-vs1 systemd[1]: logrotate.service: Main process exited, code=exited, status=1/FAILURE
Jun 01 06:54:28 svx-vs1 systemd[1]: logrotate.service: Failed with result 'exit-code'.
Jun 01 06:54:28 svx-vs1 systemd[1]: Failed to start Rotate log files.

Indeed:

grep "/var/log/gvm/gsad.log" /etc/logrotate.d/*
/etc/logrotate.d/greenbone-security-assistant:/var/log/gvm/gsad.log {
/etc/logrotate.d/greenbone-security-assistant:    openvaslogs=`ls /var/log/gvm/gsad.log.*`
/etc/logrotate.d/gsad:/var/log/gvm/gsad.log {
/etc/logrotate.d/gsad:    openvaslogs=`ls /var/log/gvm/gsad.log.*`

Let's “fix” it by moving the duplicate file out of the way:

mv /etc/logrotate.d/greenbone-security-assistant .
systemctl restart logrotate
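A reusable version of the check just done by hand with grep, as an added example (not a script from the wiki): it reports every log path declared in more than one file of a logrotate.d directory, which is the condition that made logrotate.service fail above. The directory argument and the constructed sample files in the usage are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's own script): detect the "duplicate log entry"
# condition before logrotate.timer trips over it. Assumes the usual stanza form
# where one or more paths are followed by "{" on the same line.
set -eu

# Print "path<TAB>file1 file2 ..." for every path declared in two or more files
# of DIR (default /etc/logrotate.d). Prints nothing when there is no duplicate.
logrotate_dups() {
    dir="${1:-/etc/logrotate.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # keep only lines ending in "{", strip the brace, one path per line,
        # ignore anything that is not an absolute path (comments, bare "{")
        sed -n 's/[[:space:]]*{[[:space:]]*$//p' "$f" | tr -s ' \t' '\n' | grep '^/' |
            while IFS= read -r path; do printf '%s\t%s\n' "$path" "${f##*/}"; done
    done | LC_ALL=C sort | awk -F'\t' '
        { files[$1] = (files[$1] ? files[$1] " " : "") $2; n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p "\t" files[p] }' | LC_ALL=C sort
}

# Exit status 1 when duplicates exist, so it can gate a cron job or a post-upgrade check.
logrotate_check() { [ -z "$(logrotate_dups "$@")" ]; }

# Usage: logrotate_check /etc/logrotate.d || logrotate_dups /etc/logrotate.d
```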

PostgreSQL

:!: Using psql works; putting the same settings into the .conf crashes the gvmd service… :!:
PGTune suggested the following settings for the end of /etc/postgresql/14/main/postgresql.conf; apply them with ALTER SYSTEM from psql instead:

 su - postgres
psql
ALTER SYSTEM SET max_connections = '20';
ALTER SYSTEM SET shared_buffers = '4GB';
ALTER SYSTEM SET effective_cache_size = '12GB';
ALTER SYSTEM SET maintenance_work_mem = '1GB';
ALTER SYSTEM SET checkpoint_completion_target = '0.9';
ALTER SYSTEM SET wal_buffers = '16MB';
ALTER SYSTEM SET default_statistics_target = '100';
ALTER SYSTEM SET random_page_cost = '1.1';
ALTER SYSTEM SET effective_io_concurrency = '200';
ALTER SYSTEM SET work_mem = '52428kB';
ALTER SYSTEM SET min_wal_size = '1GB';
ALTER SYSTEM SET max_wal_size = '4GB';
ALTER SYSTEM SET max_worker_processes = '16';
ALTER SYSTEM SET max_parallel_workers_per_gather = '4';
ALTER SYSTEM SET max_parallel_workers = '16';
ALTER SYSTEM SET max_parallel_maintenance_workers = '4';

Optimisation

From : https://community.greenbone.net/t/optimizing-postgresql-for-gvmd/6713/17

/usr/sbin/gvmd --optimize=vacuum
/usr/sbin/gvmd --optimize=analyze
/usr/sbin/gvmd --optimize=cleanup-report-formats
/usr/sbin/gvmd --optimize=cleanup-result-nvts
/usr/sbin/gvmd --optimize=cleanup-config-prefs
/usr/sbin/gvmd --optimize=cleanup-result-severities
/usr/sbin/gvmd --optimize=update-report-cache

in the crontab:

 for optimize in vacuum analyze cleanup-report-formats cleanup-result-nvts cleanup-config-prefs cleanup-result-severities update-report-cache; do /usr/sbin/gvmd --optimize=$optimize; done

Crontab

# m h  dom mon dow   command
0 12 * * * for optimize in vacuum analyze cleanup-report-formats cleanup-result-nvts cleanup-config-prefs cleanup-result-severities update-report-cache; do /usr/sbin/gvmd --optimize=$optimize; done
0 13 * * * sudo -u _gvm greenbone-scapdata-sync >/var/log/gvm-feed-update-SCAP.log 2>&1
0 15 * * * sudo -u _gvm greenbone-feed-sync --type GVMD_DATA >/var/log/gvm-feed-update-GVMD.log 2>&1
0 17 * * * sudo -u _gvm greenbone-certdata-sync >/var/log/gvm-feed-update-CERT.log 2>&1
0 19 * * * sudo -u _gvm greenbone-nvt-sync >/var/log/gvm-feed-update-sync.log 2>&1
# up all eth before scan
55 0 1 * * /root/upeth.sh
# down all eth after scans
0 0 15 * * /root/downeth.sh

Multiple IPs/Nics

VLAN  IP                 MAC                Gateway         NIC   Profile
85    134.21.85.200/24   00:50:56:a7:e6:84  134.21.85.1     eth2  VLAN85 - eth2
82    134.21.82.200/24   00:50:56:a7:c0:ea  134.21.82.1     eth4  VLAN82 - eth4
80    134.21.80.204/24   00:50:56:a7:98:93  134.21.80.1     eth6  VLAN80 - eth6
83    134.21.83.200/24   00:50:56:a7:1d:5c  134.21.83.1     eth0  VLAN83 - eth0
84    134.21.84.200/24   00:50:56:a7:38:f9  134.21.84.1     eth3  VLAN84 - eth3
86    134.21.86.200/24   00:50:56:a7:23:8c  134.21.86.1     eth5  VLAN86 - eth5
213   134.21.213.170/26  00:50:56:a7:eb:96  134.21.213.129  eth7  VLAN487 - eth7
420   134.21.203.119/27  00:50:56:a7:38:30  134.21.203.97   eth1  VLAN420 - eth1
198   not needed
199   not needed
201   not needed
202   not needed
203   not needed
208   not needed
39    not needed
57    not needed
23    not needed
75    not needed
99    not needed

Use nmtui to set up / activate the Ethernet profiles.

Interfaces up/down

for i in 0 1 2 3 4 5; do ip link set up eth$i; done

Two scripts are available in /root to bring the interfaces up or down:

  • upeth.sh brings up all eth (0 to 6)
  • downeth.sh brings down all eth :!: except eth1 (VLAN85)

Checks after update

  • scan
  • pdf generation

Journal

  • PDF of 0 bytes → edit /var/lib/gvm/gvmd/report_formats/a67ec44b-a708-445d-a6a8-29f76a6a9647/c402cc3e-b531-11e1-9163-406186ea4fc5/latex.xsl (comment out \usepackage[utf8x]{inputenc})
  • Redis server out of memory ⇔ task stopped (add more RAM (32GB) + a 64GB swap file):
    echo 1 > /proc/sys/vm/overcommit_memory
    fallocate -l 64G /mnt/64GB.swap
    dd if=/dev/zero of=/mnt/64GB.swap bs=1024 count=67108864
    echo "vm.swappiness=10" >> /etc/sysctl.conf   # append; ">" would wipe the rest of sysctl.conf
    chmod 0600 /mnt/64GB.swap
    mkswap /mnt/64GB.swap
    swapon /mnt/64GB.swap
     
    echo "/mnt/64GB.swap  none  swap  sw 0  0" >> /etc/fstab

Services update

apt update && apt dist-upgrade -y
gvm-stop
su - _gvm -s /bin/sh -c "gvmd --migrate"
vi /lib/systemd/system/greenbone-security-assistant.service # check port
systemctl daemon-reload && systemctl restart gvmd.service gsad.service greenbone-security-assistant.service

Running on different port

 vi /lib/systemd/system/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
 
[Service]
Type=exec
User=_gvm
Group=_gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/sbin/gsad --foreground --listen 127.0.0.1 --port 9392
Restart=always
TimeoutStopSec=10
 
[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service

Change

 ExecStart=/usr/sbin/gsad --foreground --listen 127.0.0.1 --port 9392

to

 ExecStart=/usr/sbin/gsad --foreground --listen 0.0.0.0 --port 443

Email size

If you get the message “Note: This report exceeds the maximum length of XXXXX characters…” in your mail report:

vi /lib/systemd/system/gvmd.service
...
ExecStart=/usr/sbin/gvmd --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=-1 --max-email-include-size=-1
...
systemctl daemon-reload
systemctl restart gvmd
systemctl status gvmd
● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)
     Loaded: loaded (/lib/systemd/system/gvmd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2023-11-15 09:29:51 CET; 7s ago
       Docs: man:gvmd(8)
    Process: 278417 ExecStart=/usr/sbin/gvmd --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=8000000 --max-email-include-size=8000000 --max-email-message-size=8000000 (code=exited, status=0/SUCCESS)
   Main PID: 278420 (gvmd)
      Tasks: 1 (limit: 9312)
     Memory: 184.2M
        CPU: 1.742s
     CGroup: /system.slice/gvmd.service
             └─278420 "gvmd: Waiting " --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=8000000 --max-email-include-size=8000000 --max-email-message-size=8000000
 
Nov 15 09:29:48 kali systemd[1]: Starting gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)...
Nov 15 09:29:48 kali systemd[1]: gvmd.service: Can't open PID file /run/gvmd/gvmd.pid (yet?) after start: No such file or directory
Nov 15 09:29:51 kali systemd[1]: Started gvmd.service - Greenbone Vulnerability Manager daemon (gvmd).

Better:

ExecStart=/usr/sbin/gvmd --osp-vt-update=/run/ospd/ospd.sock --listen-group=_gvm --max-email-attachment-size=-1 --max-email-include-size=-1

References

os/kali/openvas.txt · Last modified: 2023/11/29 08:03 by warnaud