From Fedora Project Wiki

Latest revision as of 01:53, 6 July 2017

Description

This test case tests the ability of OpenVAS to scan a host or network for vulnerabilities.

Setup

  • For the tests you will need a remote host running various network services (SSH, HTTP, DNS, SMTP ...), for example a Linux server with OpenSSH, Apache HTTPd, ISC BIND, and Postfix or Sendmail.
  • Open the ports of the scanned services in the remote host's firewall.
  • If you are unsure about a previous OpenVAS configuration, it is recommended to bootstrap the environment: remove all openvas* packages, remove all application files, reinstall the packages and configure the suite from scratch:
    • OV_RPMS=`rpm -qa|grep openvas`
    • rpm -e $OV_RPMS
    • rm -rf /etc/openvas /etc/pki/openvas /usr/share/openvas /var/log/openvas /var/lib/openvas /var/cache/openvas
  • Ensure that the openvas-libraries, openvas-scanner, openvas-manager, openvas-cli and openvas-gsa packages are installed:
    • dnf -y install openvas-libraries openvas-scanner openvas-manager openvas-cli openvas-gsa
  • At each step you can verify the current progress with the openvas-check-setup script:
    • openvas-check-setup
  • OpenVAS-8 requires redis-server to be configured and running in order to work as expected:
    • dnf install redis
  • Ports can be configured in /etc/sysconfig/openvas-*

How to test

  1. Try to start OpenVAS scanner (probably unsuccessfully without configuration):
    • service openvas-scanner start
  2. Check the logs on what is happening (as there is no server certificate it should fail to start):
    • tail -f /var/log/openvas/openvassd.log
  3. Create a new certificate, press "Enter" to use the defaults:
    • openvas-mkcert
  4. Download the NVT signatures:
    • openvas-nvt-sync --wget
  5. Install redis-server and configure it for use with OpenVAS:
    • dnf install redis
    • sed -i -e 's|^# unixsocket|unixsocket|' /etc/redis.conf
    • service redis restart
  6. Restart OpenVAS scanner (it will take a while for the first time):
    • service openvas-scanner restart
  7. Test that the OpenVAS scanner process openvassd is running. Wait until the NVT signatures are loaded and the process is awaiting connections:
    • ps aux | grep [o]penvassd
  8. Test that the OpenVAS scanner listens on configured port:
    • sudo lsof -i -nP | grep openvassd
  9. Try to start OpenVAS manager without client certificate (should fail):
    • service openvas-manager start
  10. Generate a client certificate so that openvas-manager is able to connect to the scanner:
    • openvas-mkcert-client -n -i
  11. Try to connect to the scanner port using the gnutls client (should fail):
    • gnutls-cli --insecure -p 9391 127.0.0.1
  12. Try to connect to the scanner port using the gnutls client again, this time passing the correct client certificate. Start the communication with "< OTP/2.0 >":
    • gnutls-cli --insecure -p 9391 127.0.0.1 --x509keyfile=/etc/pki/openvas/private/CA/clientkey.pem --x509certfile=/etc/pki/openvas/CA/clientcert.pem
  13. Rebuild the NVT cache database for openvas-manager:
    • openvasmd --rebuild
  14. Create a test account for accessing the OpenVAS manager:
    • openvasmd --create-user=testuser
  15. Start OpenVAS manager:
    • service openvas-manager start
  16. Test that the OpenVAS manager process openvasmd is running:
    • ps aux | grep [o]penvasmd
  17. Test that the OpenVAS manager listens on configured port:
    • sudo lsof -i -nP | grep [o]penvasmd
  18. Connect to the manager port using the gnutls client, providing wrong credentials:
    • ( echo "<authenticate><credentials><username>wronguser</username><password>wrongpassword</password></credentials></authenticate>" ; sleep 1 ) | gnutls-cli --insecure -p 9390 127.0.0.1
  19. Connect to manager using the openvas-cli utility omp:
    • omp --ping
    • omp -p 9390 --username=testuser --password=goodpassword --xml="<help/>"
    • omp -p 9390 --username=testuser --password=goodpassword --xml="<get_scanners/>"
    • omp -p 9390 --username=testuser --password=goodpassword --xml='<verify_scanner scanner_id="08b69003-5fc2-4037-a479-93b440211c73"/>'
  20. Start OpenVAS Greenbone Security Assistant (GSA):
    • service openvas-gsa start
  21. Test that the OpenVAS GSA process gsad is running:
    • ps aux | grep [g]sad
  22. Test that the OpenVAS GSA listens on configured port:
    • sudo lsof -i -nP | grep gsad
  23. Connect to the OpenVAS GSA server at https://localhost:9443 with the user created above.
  24. Create a new scan using the client and wait until it finishes.

Expected Results

  1. Starting openvas-scanner without prior configuration will most probably fail. Syslog should display a hint about generating certificates.
  2. The logs should give hints on what is wrong.
  3. Certificates should be created as /etc/pki/openvas/CA/cacert.pem and /etc/pki/openvas/CA/servercert.pem, with the private keys in /etc/pki/openvas/private/CA/
  4. openvas-nvt-sync will download the plugins to /var/lib/openvas/plugins
  5. The Redis server should now be running with its Unix socket at /tmp/redis.sock, and openvas-check-setup should no longer complain about the Redis server.
  6. Restarting the service should result in OK. It takes longer the first time. On Fedora 16 it is possible that systemd will time out and report that the service failed to start while it is actually still starting. Give it a while and try stop/start again. The process list shows the progress of loading the signature database, for example "openvassd: Reloaded 5750 of 39422 NVTs (14% / ETA: 00:58)"
  7. The process list should show the openvassd process running as root: "openvassd: waiting for incoming connections"
  8. lsof for openvassd should show it listening on port 9391
  9. Attempting to start openvas-manager without the client certificate and the NVT cache database configured will fail. Check syslog/logs and openvas-check-setup for hints.
  10. Generating the client certificate creates the certificate /etc/pki/openvas/CA/clientcert.pem and the key /etc/pki/openvas/private/CA/clientkey.pem
  11. Connecting to port 9391 without the client certificate should result in the connection being rejected by the server. For comparison, or to troubleshoot the network connection, gnutls-serv in echo mode can be used in place of openvas-scanner:
    • gnutls-serv --x509keyfile=/etc/pki/openvas/private/CA/serverkey.pem --x509certfile=/etc/pki/openvas/CA/servercert.pem -p 9391 --echo
  12. When passing the right client certificate you should get a response from the scanner: either "< OTP/2.0 >", meaning the scanner is ready, or something like "SCANNER_LOADING <|> 36750 <|> 39422" if it is still loading the NVT database.
  13. The database will be generated at /var/lib/openvas/mgr/tasks.db
  14. The user should be created and the utility will report back the initial password for the account.
  15. Starting openvas-manager after configuring the certificate and the NVT cache database should result in OK.
  16. The process list should show the openvasmd process running as root: "openvasmd"
  17. lsof for openvasmd should show it listening on port 9390
  18. Passing wrong credentials will disconnect immediately; the server first responds with '<authenticate_response status="400" status_text="Authentication failed"/>'. After passing the right credentials the server will wait for further commands.
  19. Using omp it should be possible to communicate with the OpenVAS manager and get reasonable output in XML format.
  20. It should be possible to start the GSA.
  21. The gsad process should be running.
  22. The gsad process should be listening on 9443 (and possibly on 80 for the redirect to 9443).
  23. It should be possible to log in with the user account.
  24. The scan should finish correctly. In the report, you should see the scanned network services and the reported vulnerabilities.
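As an added example (not part of this test case or of the OpenVAS packages), the following POSIX shell helpers check several of the expected results above from captured output: they classify the scanner's OTP greeting, extract the status from the manager's authenticate response, find listening ports in `lsof -i -nP` output and verify the certificate files exist. The sample lsof lines are constructed, and status 200 for a successful OMP login is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Fedora test case: helper functions that check
# the Expected Results from captured output. The sample lsof lines below are
# constructed, and status 200 for a successful OMP login is an assumption.
# Classify the scanner greeting on port 9391 (result 12): prints "ready",
# "loading <done>/<total>" or "unknown".
otp_state() {
    case "$1" in
        "< OTP/2.0 >") echo ready ;;
        SCANNER_LOADING*)
            # "SCANNER_LOADING <|> 36750 <|> 39422": words 3 and 5 are the counts
            set -- $1
            echo "loading $3/$5" ;;
        *) echo unknown ;;
    esac
}

# Extract the numeric status from an OMP <authenticate_response .../> (result 18).
omp_auth_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*<authenticate_response[^>]*status="\([0-9]*\)".*/\1/p'
}

# Succeed only when the manager accepted the login (assumed status 200).
omp_auth_ok() {
    [ "$(omp_auth_status "$1")" = 200 ]
}

# Print "<process> <port>" for every LISTEN line of `lsof -i -nP` output
# (results 8, 17 and 22); handles 127.0.0.1:9391, *:9443 and [::]:9443.
listen_ports() {
    printf '%s\n' "$1" | awk '/\(LISTEN\)/ { n = split($(NF-1), a, ":"); print $1, a[n] }'
}

# Usage: expect_listen "<lsof output>" <process> <port>
expect_listen() {
    listen_ports "$1" | grep -qx "$2 $3"
}

# List the files openvas-mkcert and openvas-mkcert-client should have created
# under the given root (results 3 and 10); returns the number that are missing.
check_certs() {
    cert_root="${1:-/etc/pki/openvas}"
    missing=0
    for f in CA/cacert.pem CA/servercert.pem private/CA/serverkey.pem \
             CA/clientcert.pem private/CA/clientkey.pem; do
        [ -r "$cert_root/$f" ] || { echo "missing: $cert_root/$f"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Constructed sample of `sudo lsof -i -nP` output (not captured from a real host).
SAMPLE_LSOF='COMMAND    PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
openvassd 1234 root   4u IPv4  12345      0t0  TCP 127.0.0.1:9391 (LISTEN)
openvasmd 1250 root   5u IPv4  12399      0t0  TCP 127.0.0.1:9390 (LISTEN)
gsad      1270 root   6u IPv4  12410      0t0  TCP *:9443 (LISTEN)'

demo() {
    otp_state '< OTP/2.0 >'                          # ready
    otp_state 'SCANNER_LOADING <|> 36750 <|> 39422'  # loading 36750/39422
    omp_auth_status '<authenticate_response status="400" status_text="Authentication failed"/>'  # 400
    listen_ports "$SAMPLE_LSOF"
    expect_listen "$SAMPLE_LSOF" openvassd 9391 && echo "scanner port 9391: OK"
}
demo
```

On the test host, run `check_certs` without arguments and `expect_listen "$(sudo lsof -i -nP)" openvassd 9391` (and the openvasmd/gsad equivalents) after the corresponding steps.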