Installing OpenVAS for internal vulnerability scanning to meet PCI-DSS compliance requirements

Hachibye
16 min read · Jul 16, 2024

Installation steps

As usual, start from the official tutorial.

Step 1: fetch the docker-compose file

curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml -o docker-compose.yml

A quick look at it shows nothing that has to be changed.

services:
  vulnerability-tests:
    image: greenbone/vulnerability-tests
    environment:
      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: greenbone/notus-data
    volumes:
      - notus_data_vol:/mnt

  scap-data:
    image: greenbone/scap-data
    volumes:
      - scap_data_vol:/mnt

  cert-bund-data:
    image: greenbone/cert-bund-data
    volumes:
      - cert_data_vol:/mnt

  dfn-cert-data:
    image: greenbone/dfn-cert-data
    volumes:
      - cert_data_vol:/mnt
    depends_on:
      - cert-bund-data

  data-objects:
    image: greenbone/data-objects
    volumes:
      - data_objects_vol:/mnt

  report-formats:
    image: greenbone/report-formats
    volumes:
      - data_objects_vol:/mnt
    depends_on:
      - data-objects

  gpg-data:
    image: greenbone/gpg-data
    volumes:
      - gpg_data_vol:/mnt

  redis-server:
    image: greenbone/redis-server
    restart: on-failure
    volumes:
      - redis_socket_vol:/run/redis/

  pg-gvm:
    image: greenbone/pg-gvm:stable
    restart: on-failure
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql

  gvmd:
    image: greenbone/gvmd:stable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - scap_data_vol:/var/lib/gvm/scap-data/
      - cert_data_vol:/var/lib/gvm/cert-data
      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
      - vt_data_vol:/var/lib/openvas/plugins
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    depends_on:
      pg-gvm:
        condition: service_started
      scap-data:
        condition: service_completed_successfully
      cert-bund-data:
        condition: service_completed_successfully
      dfn-cert-data:
        condition: service_completed_successfully
      data-objects:
        condition: service_completed_successfully
      report-formats:
        condition: service_completed_successfully

  gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    ports:
      - 127.0.0.1:9392:80
    volumes:
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd

  # Sets log level of openvas to the set LOG_LEVEL within the env
  # and changes log output to /var/log/openvas instead /var/log/gvm
  # to reduce likelyhood of unwanted log interferences
  configure-openvas:
    image: greenbone/openvas-scanner:stable
    volumes:
      - openvas_data_vol:/mnt
      - openvas_log_data_vol:/var/log/openvas
    command:
      - /bin/sh
      - -c
      - |
        printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
        sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
        chmod 644 /mnt/openvas.conf
        chmod 644 /mnt/openvas_log.conf
        touch /var/log/openvas/openvas.log
        chmod 666 /var/log/openvas/openvas.log

  # shows logs of openvas
  openvas:
    image: greenbone/openvas-scanner:stable
    restart: on-failure
    volumes:
      - openvas_data_vol:/etc/openvas
      - openvas_log_data_vol:/var/log/openvas
    command:
      - /bin/sh
      - -c
      - |
        cat /etc/openvas/openvas.conf
        tail -f /var/log/openvas/openvas.log
    depends_on:
      configure-openvas:
        condition: service_completed_successfully

  openvasd:
    image: greenbone/openvas-scanner:stable
    restart: on-failure
    environment:
      # `service_notus` is set to disable everything but notus,
      # if you want to utilize openvasd directly removed `OPENVASD_MODE`
      OPENVASD_MODE: service_notus
      GNUPGHOME: /etc/openvas/gnupg
      LISTENING: 0.0.0.0:80
    volumes:
      - openvas_data_vol:/etc/openvas
      - openvas_log_data_vol:/var/log/openvas
      - gpg_data_vol:/etc/openvas/gnupg
      - notus_data_vol:/var/lib/notus
    # enable port forwarding when you want to use the http api from your host machine
    # ports:
    #   - 127.0.0.1:3000:80
    depends_on:
      vulnerability-tests:
        condition: service_completed_successfully
      configure-openvas:
        condition: service_completed_successfully
      gpg-data:
        condition: service_completed_successfully
    networks:
      default:
        aliases:
          - openvasd

  ospd-openvas:
    image: greenbone/ospd-openvas:stable
    restart: on-failure
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN # for capturing packages in promiscuous mode
      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    command:
      [
        "ospd-openvas",
        "-f",
        "--config",
        "/etc/gvm/ospd-openvas.conf",
        "--notus-feed-dir",
        "/var/lib/notus/advisories",
        "-m",
        "666"
      ]
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - notus_data_vol:/var/lib/notus
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
      - openvas_data_vol:/etc/openvas/
      - openvas_log_data_vol:/var/log/openvas
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully
      configure-openvas:
        condition: service_completed_successfully

  gvm-tools:
    image: greenbone/gvm-tools
    volumes:
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      - gvmd
      - ospd-openvas

volumes:
  gpg_data_vol:
  scap_data_vol:
  cert_data_vol:
  data_objects_vol:
  gvmd_data_vol:
  psql_data_vol:
  vt_data_vol:
  notus_data_vol:
  psql_socket_vol:
  gvmd_socket_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol:
  openvas_data_vol:
  openvas_log_data_vol:

Step 2: run docker compose

Check that the containers are running (some are one-off setup containers that exit on their own, which is expected).

Open the web UI on the default port :9392. The compose file binds it to 127.0.0.1, so it is only reachable from the host itself.

The default username and password are both admin.

Change the password:

docker compose -f $DOWNLOAD_DIR/docker-compose.yml -p greenbone-community-edition \
exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'

The main screen after logging in

Starting a scan

First go to Configuration > Credentials and add the credentials,

e.g. Username + Password or Username + SSH key, etc.

Then go to Configuration > Targets and configure the target hosts to be scanned.

Go back to Scans > Tasks.

Click the paper-with-star icon in the top left to create a New Task.

Under Scan Targets, pick the target host configured a moment ago.

Then click the start button and wait a little; the scan begins (it sits at 0% for a while at first, so be patient).

Progress can be checked while the scan is running.

When the scan finishes, go to Scans > Reports to view the report.

Several hosts can also be scheduled and scanned at the same time.

Click the date to open the report details,

and browse the risks under each category (e.g. Hosts, Ports, Applications).

The download button at the top lets you download the report (took forever to find).

Report obtained, listing the risks found in packages and on ports.
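The downloaded report is XML, and for PCI-DSS follow-up the useful next step is to turn it into a remediation queue rather than reading it in the browser. The script below is an added example (not from the post and not Greenbone code): it parses the result elements of an exported GVM/OpenVAS XML report, groups them by host and port the way the Hosts and Ports views do, and selects the findings that must be fixed under a policy threshold. The element layout (result, host, port, nvt, severity, threat, qod) follows the GMP report format; the sample document, its OIDs and asset ids, and the 4.0 severity / QoD 70 cut-offs are constructed for this example, since PCI DSS leaves the ranking of internal findings to the entity's own risk-ranking process.

```python
"""Triage an exported OpenVAS/GVM XML report for PCI-DSS follow-up.

Added example, not part of the original post and not Greenbone code.
Sample report, OIDs and thresholds below are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample report: package- and port-level findings on two hosts.
# OIDs use the Greenbone prefix with made-up suffixes; asset ids are placeholders.
SAMPLE_REPORT = """<get_reports_response status="200">
<report id="example"><report id="example">
<results>
 <result id="r1">
  <name>OpenSSH weak key exchange algorithms</name>
  <host>10.0.0.5<asset asset_id="placeholder"/></host><port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000001"><name>OpenSSH weak key exchange algorithms</name></nvt>
  <threat>Medium</threat><severity>5.3</severity><qod><value>80</value></qod>
 </result>
 <result id="r2">
  <name>Ubuntu: outdated libssl package</name>
  <host>10.0.0.5<asset asset_id="placeholder"/></host><port>general/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000002"><name>Ubuntu: outdated libssl package</name></nvt>
  <threat>High</threat><severity>7.5</severity><qod><value>97</value></qod>
 </result>
 <result id="r3">
  <name>HTTP server type and version</name>
  <host>10.0.0.9<asset asset_id="placeholder"/></host><port>80/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000003"><name>HTTP server type and version</name></nvt>
  <threat>Log</threat><severity>0.0</severity><qod><value>80</value></qod>
 </result>
 <result id="r4">
  <name>Unconfirmed remote code execution (banner match only)</name>
  <host>10.0.0.9<asset asset_id="placeholder"/></host><port>80/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000004"><name>Unconfirmed remote code execution</name></nvt>
  <threat>High</threat><severity>9.8</severity><qod><value>30</value></qod>
 </result>
</results>
</report></report>
</get_reports_response>"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: str      # "22/tcp" for a service finding, "general/tcp" for host/package-level ones
    name: str
    oid: str
    severity: float
    threat: str
    qod: int       # Quality of Detection, 0-100


def parse_report(xml_text: str) -> list[Finding]:
    """Flatten every <result> in the report into a Finding."""
    findings: list[Finding] = []
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        findings.append(Finding(
            # <host> holds the address as text before its <asset> child, so .text is enough
            host=(r.findtext("host") or "").strip(),
            port=(r.findtext("port") or "").strip(),
            name=(r.findtext("name") or "").strip(),
            oid=nvt.get("oid", "") if nvt is not None else "",
            severity=float(r.findtext("severity") or 0.0),
            threat=(r.findtext("threat") or "").strip(),
            qod=int(r.findtext("qod/value") or 0),
        ))
    return findings


def must_fix(findings, min_severity: float = 4.0, min_qod: int = 70) -> list[Finding]:
    """Findings that enter the remediation queue under the assumed policy.

    Both thresholds are policy parameters, not values from the post: the severity
    cut-off stands in for the organisation's own risk ranking, and the QoD floor keeps
    low-confidence detections (like r4) out of the queue until someone confirms them.
    """
    keep = [f for f in findings if f.severity >= min_severity and f.qod >= min_qod]
    return sorted(keep, key=lambda f: (-f.severity, f.host, f.port))


def by_host_and_port(findings) -> dict[tuple[str, str], list[Finding]]:
    """Mirror the report's Hosts / Ports views: group findings per (host, port)."""
    grouped: dict[tuple[str, str], list[Finding]] = defaultdict(list)
    for f in findings:
        grouped[(f.host, f.port)].append(f)
    return dict(grouped)


if __name__ == "__main__":
    all_findings = parse_report(SAMPLE_REPORT)
    queue = must_fix(all_findings)
    print(f"{len(all_findings)} findings, {len(queue)} need remediation")
    for f in queue:
        print(f"  {f.severity:4.1f} {f.threat:<6} {f.host:<10} {f.port:<12} {f.name}")
    for (host, port), group in sorted(by_host_and_port(all_findings).items()):
        print(f"{host} {port}: {len(group)} finding(s)")
```

Run it against a real export by replacing SAMPLE_REPORT with the file contents; the low-QoD r4 sample shows why the QoD floor matters, since a 9.8 that the scanner itself rates at 30% confidence should be verified by hand rather than dropped straight into the remediation queue.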

Back on the Overview home page you can see scan status and distribution.

For more complete coverage, use an authenticated scan,

which is why the earlier steps configured credentials.

It logs in to the target system with the supplied credentials to assess vulnerabilities that may not be visible in an unauthenticated scan, giving a deeper and more accurate picture of potential security risks.

  • An SSH server must be installed, active/running, and reachable via the configured TCP port and IP/hostname
  • The scan user must exist and be configured
  • The configured scan user must be allowed to connect to the host over SSH

As the figure above shows, authenticated and unauthenticated scans produce different results!
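The first of those three prerequisites is the one that silently downgrades an "authenticated" task to an unauthenticated one when it is not met, so it is worth checking before the task is created. The script below is an added example, not from the post and not Greenbone code: for each target it opens a TCP connection to the configured SSH port and reads the identification string that RFC 4253 requires an SSH server to send first, which separates a live SSH daemon from a closed port or an unrelated service. The loopback banner servers at the end are constructed stand-ins so the example runs without real targets. The other two prerequisites (the scan user exists and may log in) cannot be checked without credentials and only show up in the scan's own authentication result.

```python
"""Preflight for the authenticated-scan prerequisite "SSH reachable on the configured port".

Added example, not part of the original post and not Greenbone code.
The loopback servers below are constructed stand-ins for real targets.
"""
from __future__ import annotations

import socket
import threading
from dataclasses import dataclass


@dataclass
class SshProbe:
    host: str
    port: int
    reachable: bool   # True only when a real SSH identification string came back
    banner: str       # e.g. "SSH-2.0-OpenSSH_9.2"; whatever was read otherwise, or ""


def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> SshProbe:
    """Connect and read the server's identification string.

    RFC 4253 requires an SSH server to send "SSH-<protoversion>-<software>"
    right after the TCP handshake, so one socket read distinguishes a live
    SSH daemon from a closed port or an unrelated service on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(256)
    except OSError:                       # refused, timed out, unroutable, ...
        return SshProbe(host, port, False, "")
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    # Something answered but it is not SSH: the scan user could never authenticate
    # there, so the target is not ready for an authenticated scan.
    return SshProbe(host, port, first_line.startswith("SSH-"), first_line)


def preflight(targets: list[tuple[str, int]]) -> dict[str, list[SshProbe]]:
    """Split targets into those ready for an authenticated scan and those that are not."""
    result: dict[str, list[SshProbe]] = {"ready": [], "not_ready": []}
    for host, port in targets:
        probe = probe_ssh(host, port)
        result["ready" if probe.reachable else "not_ready"].append(probe)
    return result


# --- constructed loopback stand-ins so the example runs without real targets ---
def start_banner_server(banner: bytes) -> int:
    """Listen on a free loopback port and send `banner` to every client; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_loopback_port() -> int:
    """Reserve and release a loopback port so that a connection to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_banner_server(b"SSH-2.0-OpenSSH_9.2 constructed-banner\r\n")
    http_port = start_banner_server(b"HTTP/1.0 400 Bad Request\r\n\r\n")
    closed_port = unused_loopback_port()
    summary = preflight([("127.0.0.1", ssh_port), ("127.0.0.1", http_port), ("127.0.0.1", closed_port)])
    for p in summary["ready"]:
        print(f"READY      {p.host}:{p.port}  {p.banner}")
    for p in summary["not_ready"]:
        print(f"NOT READY  {p.host}:{p.port}  {p.banner or '(no connection)'}")
```

Feed preflight() the same host/port pairs you enter under Configuration > Targets; anything in the not_ready list would produce an unauthenticated result for that host even though the task has credentials attached.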

OpenVAS (Open Vulnerability Assessment System) is an open-source network scanning and vulnerability assessment tool. It is mainly used to identify security vulnerabilities in computer networks and to help security professionals and system administrators with vulnerability management and risk assessment.

Main features

  • Vulnerability scanning

OpenVAS scans devices on the network and identifies security vulnerabilities in systems and applications.

  • Report generation

It produces detailed scan reports, including vulnerability descriptions, risk assessments and remediation advice.

  • Vulnerability database updates

OpenVAS includes a regularly updated vulnerability database so that it can identify the latest security threats.

  • Configuration checks

Besides vulnerability scanning, OpenVAS can also check system configuration against security best practices.

Components

OpenVAS is a complete framework made up of several components, including:

  • GVMD (Greenbone Vulnerability Manager Daemon): manages scan tasks and reports.
  • OpenVAS Scanner: performs the actual vulnerability scans.
  • Greenbone Security Assistant (GSA): the web-based user interface for configuration and for viewing reports.
  • Greenbone Feed: the vulnerability database, providing the latest vulnerability information and detection plugins.

Use cases

  • Enterprise network security

Helps enterprises regularly scan assets on the internal network and on the public Internet, identify and fix security vulnerabilities, and raise their overall level of network security.

  • Compliance management

Supports a range of security standards and compliance requirements, such as PCI-DSS and ISO 27001, helping enterprises meet their compliance obligations.
