Security Search

With the never-ending onslaught of hackers penetrating networks, most system administrators need a way of identifying vulnerabilities in a simple, consistent, and repeatable fashion. Wouldn't it be nice if users had a simple means for running a series of automated checks to identify known security problems?

One powerful and popular security analysis tool is The Open Vulnerability Assessment System, or OpenVAS. OpenVAS is actually a framework that supports scanning and reporting on your system's vulnerabilities. Scan a system, and OpenVAS will provided a detailed list of security issues. OpenVAS efficiently organizes the information, offering important details on the problem and what to do about it.

OpenVAS is available for download as a virtual appliance and is included in some security toolkits. The OpenVAS security scanner is often bundled with other security tools into specialized security-themed Linux distributions. A dedicated security distro can save you time, because you have more tools readily available depending on what you turn up with your analysis. Kali Linux is one of the more popular distributions, and Kali includes OpenVAS.

In this article, I will describe how to get started with checking Linux system security using OpenVAS. The instructions in this article cover OpenVAS running on Kali Linux. The Kali distribution also includes the Greenbone Security Assistant, which is a web interface wrapper for the OpenVAS framework. Greenbone offers a simple interface for interacting with OpenVAS.

OpenVAS Setup

You'll find OpenVAS under the drop-down menu Kali Linux | Vulnerability Analysis | OpenVAS, as shown in Figure  1.

Figure 1: Finding OpenVAS in Kali Linux.

The setup process lets you configure OpenVAS certificates and processes. You'll also have the chance to update the OpenVAS vulnerability database. Once the initial setup is complete, OpenVAS will stop and start its processes.

You'll then receive a password for the admin user (Figure 2). It is very important to make a note or screenshot of the admin password  – you'll need it later to access the OpenVAS web interface.

Figure 2: OpenVAS provides you with the password for the admin account – be sure to write it down or commit it to memory.

Startup

Log in to OpenVAS using the Greenbone Security Assistant. Greenbone provides a friendly web interface to the OpenVAS command-line tools and database. To access Greenbone, open a browser and point it to https://127.0.0.1:9392 (Figure 3).

Figure 3: Access Greenbone through a web browser.

The administrative account is admin and the password is the password given to you at setup. (Each install generates a unique password.)

The first time you access Greenbone, you are presented with the Task Wizard, which includes the Immediate Scan dialog box (Figure 4).

Figure 4: The Immediate Scan dialog in the Task Wizard lets you launch a scan simply by entering a hostname or IP address.

Although the Immediate Scan option is quite handy for simple scans – for example – after kickstarting a new Linux box, the real power is actually under the tabs at the top of the screen (refer to Figure 4).

Greenbone organizes openVAS features into the Scan Management, Asset Management, SecInfoManagement, Configuration, and Extra tabs. You will manage your security scan from the Scan Management tab. Scan management tabs include Tasks, Reports, Notes, and Overrides. The box titled "Greenbone Sections" provides a brief overview of the various tabs in the Greenbone user interface.

This article will focus on Task Management and Reports. In OpenVAS, a task is a description of a particular scan or the characteristics of a scan. The task might define the host or network to scan; however, a task can also contain other characteristics, such as the source interface if your OpenVAS scanner is multihomed.

The best way to see what a task looks like is by clicking on the New Task button (the star button in (Figure 7). The subsequent New Task dialog will present you with complete customization of the task (Figure 5).

Figure 5: Configuring a new task.

The fields in Figure 5 are less important for ad hoc ("immediate") scans; however, for an enterprise network subject to internal and external auditor scrutiny, you will want to make sure the settings are such that the results are consistent, repeatable, and easily understood by you and others.

In Figure 5, the Name field lets you associate a name with the task. If you run a task though the Immediate scan (refer to Figure 4), the system will name the scan "Immediate Scan of" and include the IP address or network in the name. Although this method will accurately identify scans, the name is not very descriptive if you need to refer to it later, and the IP address is typically not useful in larger environments. Typically, when I set up new tasks in an environment, I will set up a naming convention based upon geographic location, network purpose, and network address and mask. For example, a common geographic location could be based upon air port code ("DFW") or country, state, and city. I generally prefer the state and city nomenclature, because it lets me sort similar scans together – for example, all the Texas scans.

The naming of task convention isn't as important as the consistency. However, if you want to get a quick start, an easy scan name for an international environment would look something like:

<C>USA-Texas-Dallas-Servers-<C><C>  192-168.1.0/24<C>

The Comments field is a free-form field you can use for anything; however, in a large security program, it is often used to record the date of the task, as well as a note about who set up the task.

The Scan Config field determines how thorough the scan will be and how long the scan will take. OpenVAS comes with seven default settings. You can view the details of these options under Configuration | Scan Configs. Often, the best approach during initial setup is to set up some general tasks that use the System Discovery config. This config type can quickly identify hosts and networks for finer tuning based upon the results. However, this fast type of scanning is unlikely to find all the vulnerabilities and should only be used as a starting point. (You will also find an even lighter config called "Host Discovery," which may make sense in a very large environment with a large number of end points, such as a multiple-floor call center.)

Typically, the Full and Fast config type provides a good balance of speed and thoroughness – it makes uses of information gained on previous scans. Full and Fast is typically my go-to config and is also the default config if you choose to run an immediate scan.

When you discover a compromise of a system, you should run a full and very deep Ultimate config against the compromised host and as much of the network as possible to identify residual effects of the compromise. You can also pass the result on to law enforcement as part of their "body of evidence" for correlation and prosecution.

The Scan Targets entry (Figure 5) is a drop-down menu where you select the specific networks and hosts to scan. (You'll learn more about creating scan targets later in this article.). Alerts allow you to take action based upon the results of the scan. Figure 5 uses a simple mail report as a PDF alert. You can configure advanced alerting under Configuration | Alerts. The schedule allows finite control and off-hours scanning of the targets. The schedule configuration is controlled under Configuration | Schedule.

Distributed scanners are supported in very large environments. For example, in an international setup where information security teams run scans centrally, but bandwidth between sites is limited, a scanner could be set up in the branches. The remote scanner would then be selected as the slave in the task configuration. The Add results to Asset Management option should be set to no with very few exceptions. The only time I've seen this set to yes is for scanning labs. If you have a lab for provisioning servers before deployment, you might not need to keep intermittent results to the asset management, because the device on a particular IP address might change often.

The Alterable Task setting determines whether you will later be able to change the task configuration. Tasks are so easily created that either option will work for most environments. If you have a strong change control regimen, your local policy might require you to make the task unchangeable.

The final Section, Scan Intensity, allows you to influence how "friendly" the scan is to the targets and to your network in general. The setting labeled Maximum concurrently executed NVT per host is the number of network vulnerability tests that will tried on a target at one time. The default setting of 4 is easily executed on most systems. On newer, larger, multi-user segments, the number of NVTs can be doubled or tripled.

The maximum concurrently scanned hosts limits the scanner's impact to itself and the network. Twenty (20) is very network friendly. If the task is for local area networks only, this number could be higher.

Reports

Reports gather the results of the tasks – both created tasks and ad hoc ("immediate") tasks. They provide infosec personnel with the visibility and audit results needed for tracking the long-term health of the network and the systems within the network. Reports can help ensure systems are being patched and are deployed in a secure method.

Figure 6 shows the Reports tab with five reports available for reviewing. Reports, like tasks, are accessed under Scan Management. The Reports tab gives a paginated view of all the scans sorted in reverse chronological order (the newest results on top). The tab can be sorted based upon the other fields that make up the tab. For example, clicking on the status bar one time will sort the results based upon those finished and still running.

Figure 6: Viewing scan reports in Greenbone.

The Scan Results column is quite useful, because it can show the results that contain high-risk vulnerabilities. Most security programs require that all high-risk vulnerabilities either be removed or mediated.

By clicking on an individual date, you can see the results of that particular scan (see Figure 7). This report shows that there are several medium-level vulnerabilities. Each of the vulnerabilities include a hyperlink to the particular issue. For example, the OpenSSL CCS Man in the Middle is shown in Figure 8.

Figure 7: Click the scan date to view the scan results.

Figure 8: Click a vulernability to view a report to view a summary of pertinent information.

The details show not only which host and port are vulnerable but also what can happen with the vulnerability (Vulnerability Insight) and whether the vendor has a solution to the problem. The Report Details section also provides the Common Vulnerabilities and Exposure (CVE) number to make it easy to cross-reference with the vendor's vulnerabilities announcements.