[Openvas-commits] r1454 - trunk/openvas-compendium

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Sep 26 12:21:52 CEST 2008


Author: mwiegand
Date: 2008-09-26 12:21:51 +0200 (Fri, 26 Sep 2008)
New Revision: 1454

Modified:
   trunk/openvas-compendium/ChangeLog
   trunk/openvas-compendium/openvas-compendium.tex
Log:
* openvas-compendium.tex: Updated sections regarding binary packages,
adapted section about SLAD plugins, other small fixes.


Modified: trunk/openvas-compendium/ChangeLog
===================================================================
--- trunk/openvas-compendium/ChangeLog	2008-09-26 09:38:37 UTC (rev 1453)
+++ trunk/openvas-compendium/ChangeLog	2008-09-26 10:21:51 UTC (rev 1454)
@@ -1,3 +1,8 @@
+2008-09-26  Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
+
+	* openvas-compendium.tex: Updated sections regarding binary packages,
+	adapted section about SLAD plugins, other small fixes.
+
 2008-09-25  Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
 
 	* openvas-compendium.tex: Rewrote and extended chapter on
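Review bot: the new 2008-09-26 ChangeLog entry names Jan-Oliver Wagner as the author, but this commit is by mwiegand; unless the change really was Jan-Oliver's, the header line looks copied from the 2008-09-25 entry below it and should carry Michael Wiegand's name and address instead.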

Modified: trunk/openvas-compendium/openvas-compendium.tex
===================================================================
--- trunk/openvas-compendium/openvas-compendium.tex	2008-09-26 09:38:37 UTC (rev 1453)
+++ trunk/openvas-compendium/openvas-compendium.tex	2008-09-26 10:21:51 UTC (rev 1454)
@@ -337,10 +337,9 @@
 \xname{installing-binary-packages-server}
 \section{Installing Binary Packages}
 
-Easily installable binary packages for OpenVAS-Client are available for
-download on the OpenVAS website. The availability of these packages may change
-over time and thus the following descriptions might be slightly outdated;
-please refer to the OpenVAS website for up-to-date information.
+Binary packages for the major linux distributions and some other platforms are
+available for download from the OpenVAS website or from services provided by
+third parties.
 
 \xname{installing-debian-server}
 \subsection{Debian "Sid" (unstable) and "Lenny" (testing)}
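Review bot: in the replacement paragraph "linux" should be capitalised as "Linux" (the rest of the document writes "GNU/Linux"), and the dropped sentence pointing readers to the OpenVAS website for current availability is worth keeping, since the set of platforms and third-party services will change faster than the compendium; suggest ending the paragraph with "Please refer to the OpenVAS website for up-to-date information."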
@@ -352,15 +351,23 @@
  \item libopenvas1-dev
 \end{itemize}
 
+The following modules are only available for ``Lenny'':
+\begin{itemize}
+ \item libopenvasnasl1
+ \item libopenvasnasl1-dev
+\end{itemize}
+
  You can install these modules with the following commands: 
 
 \begin{verbatim}
  # apt-get install libopenvas1
  # apt-get install libopenvas1-dev
+ # apt-get install libopenvasnasl1
+ # apt-get install libopenvasnasl1-dev
 \end{verbatim}
 
-ATTENTION: For the remaining modules you need to get the latest
-source tar-balls and compile them on your own.
+NOTE: For the remaining modules you will need to get the latest source tar-balls
+and compile them on your own.
 
 \xname{installing-etch-server}
 \subsection{Debian 4.0 ``Etch''(stable)}
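Review bot: the added text states that libopenvasnasl1 and libopenvasnasl1-dev exist only for "Lenny", yet the extended apt-get block presents all four install commands as one sequence, so a Sid reader following it will have the last two commands fail; either split the verbatim block per distribution or mark the two new lines with "(Lenny only)". Minor: "tar-balls" is usually written "tarballs".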
@@ -539,6 +546,31 @@
 simply running the OpenVAS server, it is not necessary to install the -devel-
 packages.
 
+\xname{installing-freebsd-server}
+\subsection{FreeBSD}
+
+The FreeBSD Ports and Packages Collection provides ports and packages for all
+OpenVAS modules.
+
+The following commands can be used to compile and install the FreeBSD ports on
+your FreeBSD system:
+
+\begin{verbatim}
+cd /usr/ports/security/openvas-libraries/ && make install clean
+cd /usr/ports/security/openvas-libnasl/ && make install clean
+cd /usr/ports/security/openvas-server/ && make install clean
+cd /usr/ports/security/openvas-plugins/ && make install clean
+\end{verbatim}
+
+If you would rather use binary packages, you will want to use the following
+commands:
+\begin{verbatim}
+pkg_add -r openvas-libraries
+pkg_add -r openvas-libnasl
+pkg_add -r openvas-server
+pkg_add -r openvas-plugins
+\end{verbatim}
+
 \xname{compiling-openvas-server-from-source}
 \section{Compiling OpenVAS-Server from Source Packages}
 
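Review bot: the new FreeBSD verbatim blocks omit the root prompt marker that the Debian blocks in this chapter use (" # apt-get install ..."), although both `make install clean` in the ports tree and `pkg_add -r` need root privileges; prefix each line with "# " for consistency so readers can see these are not meant to be run as an unprivileged user.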
@@ -548,6 +580,15 @@
 The download link for the latest source code release can be found in the
 "Download" section on the OpenVAS website.
 
+Be aware the there are currently two different series available for download:
+the stable 1.0 series and the upcoming 2.0 series. The releases for the 2.0
+series are currently designated as ``beta'', meaning that they are still in a
+testing phase and might not work as expected. You are more than welcome to use
+the releases for the 2.0 series if you want to take part in testing the new
+functionality provided by this versions; if you are planning on using OpenVAS
+in a production environment, we recommend that you use the releases of the 1.0
+series until the 2.0 series has been finalized.
+
 Download the four ".tar.gz" source code archives and unpack with "tar -xzf
 openvas-MODULE-N.N.N.tar.gz". Compiling from source is currently geared towards
 GNU/Linux systems, but may work as well in other environments.
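Review bot: typos in the added paragraph: "Be aware the there are" should read "Be aware that there are", and "provided by this versions" should read "provided by these versions". The same paragraph is added almost verbatim to the client chapter later in this commit; consider a single macro or shared include so the two copies do not drift apart once the 2.0 series is finalised.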
@@ -571,16 +612,34 @@
 system)}
 
 You need subversion to retrieve the code: 
+
+\paragraph{Stable 1.0 branch}
+
+Note: Due to the current state of development, three modules needed to run
+OpenVAS-Server have already been branched into a stable branch while
+openvas-plugins is not affected by the major development efforts that required
+the branching and can be used with both branches.
+
 \begin{verbatim}
 $ svn checkout
-https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libraries
+https://svn.wald.intevation.org/svn/openvas/branches/openvas-libraries-1-0
 $ svn checkout
-https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libnasl
-$ svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-server
+https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libnasl-1-0
 $ svn checkout
-https://svn.wald.intevation.org/svn/openvas/trunk/openvas-plugins
+https://svn.wald.intevation.org/svn/openvas/branches/openvas-server-1-0
+$ svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-plugins
 \end{verbatim}
 
+\paragraph{Current state of development}
+
+\begin{verbatim}
+$ svn checkout
+https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libraries
+$ svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libnasl
+$ svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-server
+$ svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-plugins
+\end{verbatim}
+
 Now read the file \verb|INSTALL_README| inside the directory "openvas-libraries"
 for the next steps.
 
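Review bot: the libnasl checkout URL in the "Stable 1.0 branch" block points to trunk/openvas-libnasl-1-0 while the libraries and server lines use branches/...-1-0; the "-1-0" suffix strongly suggests it should be https://svn.wald.intevation.org/svn/openvas/branches/openvas-libnasl-1-0, please verify against the repository. Inside verbatim the line break between "$ svn checkout" and the URL is rendered literally, so a reader copying the command gets two separate, failing lines; keep each checkout on one line or end the first line with a backslash. Finally, "You need subversion to retrieve the code:" now ends in a colon followed directly by the paragraph heading and the note, which reads oddly; move the sentence after the note or drop the colon.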
@@ -604,6 +663,9 @@
 compendium and the steps necessary on your distribution. Please refer to the
 documentation provided by your distribution for additional information.
 
+Also note that you might need to installation additional software in you are
+planning on using the tools described in chapter \ref{chap:tools}.
+
 \xname{generating-a-server-certificate}
 \subsection{Generating a Server Certificate}
 
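Review bot: the added sentence has two slips: "you might need to installation additional software in you are planning" should read "you might need to install additional software if you are planning".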
@@ -1268,17 +1330,17 @@
 \xname{installing-binary-packages-client}
 \section{Installing Binary Packages}
 
-Easily installable binary packages for OpenVAS-Client are available for
-download on the OpenVAS website. The availability of these packages may change
-over time; please refer to the OpenVAS website for up-to-date information.
+Binary packages for the major linux distributions and some other platforms are
+available for download from the OpenVAS website or from services provided by
+third parties.
 
 \xname{installing-debian-client}
 \subsection{Debian "Sid" (unstable) and "Lenny" (testing)}
 
-OpenVAS-Client is an official Debian package for the distribution "unstable"
+OpenVAS-Client is an official Debian package for the distributions "unstable"
 ("Sid) and "testing" ("Lenny"). You can find more information about the Debian
-packages on the OpenVAS-Client package pages
-for Sid\footnote{\hyperurl{http://packages.debian.org/sid/openvas-client}} and
+packages on the OpenVAS-Client package pages for
+Sid\footnote{\hyperurl{http://packages.debian.org/sid/openvas-client}} and
 Lenny\footnote{\hyperurl{http://packages.debian.org/lenny/openvas-client}}.
 
 This means you can simply install OpenVAS-Client on Debian Sid or Debian
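Review bot: as in the server chapter, "linux" should be "Linux" in the added paragraph, and the pointer to the OpenVAS website for up-to-date package availability should be retained. The re-wrapped sentence still contains `("Sid)` without its closing double quote; since the hunk touches that sentence anyway, fix it to `("Sid")`.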
@@ -1366,12 +1428,40 @@
 where N.N.N stands for the version of OpenVAS-Client, M for the package release
 number and LL for the language (e.g. en=English, de=German, sv=Swedish).
 
+\xname{installing-freebsd-client}
+\subsection{FreeBSD}
+
+The FreeBSD Ports and Packages Collection provides ports and packages for
+OpenVAS-Client.
+
+The following commands can be used to compile and install the FreeBSD port on
+your FreeBSD system:
+
+\begin{verbatim}
+cd /usr/ports/security/openvas-client/ && make install clean
+\end{verbatim}
+
+If you would rather use the binary package, you will want to use the following
+commands:
+\begin{verbatim}
+pkg_add -r openvas-client
+\end{verbatim}
+
 \xname{compiling-openvas-client-from-source}
 \section{Compiling OpenVAS-Client from Source Packages}
 
 \xname{latest-source-code-release-client}
 \subsection{Latest source code release}
 
+Be aware the there are currently two different series of OpenVAS available for
+download: the stable 1.0 series and the upcoming 2.0 series. The releases for
+the 2.0 series are currently designated as ``beta'', meaning that they are still
+in a testing phase and might not work as expected. You are more than welcome to
+use the releases for the 2.0 series if you want to take part in testing the new
+functionality provided by this versions; if you are planning on using OpenVAS in
+a production environment, we recommend that you use the releases of the 1.0
+series until the 2.0 series has been finalized.
+
 Download the ".tar.gz" source code archive from the download section of the
 OpenVAS website and unpack with "tar -xzf openvas-client-N.N.N.tar.gz".
 Compiling from source is currently geared towards GNU/Linux systems, but may
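Review bot: the added series paragraph repeats the typos from the server chapter ("Be aware the there are" should be "Be aware that there are", "this versions" should be "these versions"). In the FreeBSD subsection, "you will want to use the following commands" introduces a single command (`pkg_add -r openvas-client`), so write "the following command".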
@@ -1385,17 +1475,25 @@
 
 You need subversion to retrieve the code:
 
+\paragraph{Stable 1.0 branch}
+
 \begin{verbatim}
  $ svn checkout
+https://svn.wald.intevation.org/svn/openvas/branches/openvas-client-1-0
+\end{verbatim}
+
+\paragraph{Current state of development}
+
+\begin{verbatim}
+ $ svn checkout
 https://svn.wald.intevation.org/svn/openvas/trunk/openvas-client
 \end{verbatim}
 
 Change to the new directory and follow the instructions of the README file.
 
 Although the OpenVAS team is committed to maintaining a high code quality,
-please
-be aware that you are using a development state that may be incomplete and
-unstable and should not be used in production environments.
+please be aware that you are using a development state that may be incomplete
+and unstable and should not be used in production environments.
 
 \clearpage
 
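Review bot: both new checkout blocks again split "$ svn checkout" and its URL across two verbatim lines, which renders as two separate commands; keep each on one line. The prompt here is written with a leading space (" $ svn checkout") while the server chapter's blocks have none; pick one style. The closing warning about "a development state that may be incomplete and unstable" now follows both the stable 1.0 branch and the trunk checkout, which is fine, but consider stating that it applies to either SVN checkout as opposed to the release tarballs.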
@@ -1407,9 +1505,9 @@
 and how to use them for day-to-day use as well as more specific
 features that might be of interest for advanced users.
 
-This documentation assumes OpenVAS-Client in version 1.0.4. Newer version
-might offer additional or changed functionality. In case, please refer to the website
-for information or support.
+This documentation assumes OpenVAS-Client in version 2.0-beta1. Newer version
+might offer additional or changed functionality. In case, please refer to the
+website for information or support.
 
 \xname{the-main-window}
 \section{The Main Window}
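Review bot: the rewritten version note still reads "Newer version might offer" and "In case, please refer"; make it "Newer versions might offer" and "In that case, please refer". More importantly, this chapter now assumes OpenVAS-Client 2.0-beta1 while the installation sections added in this same commit recommend the 1.0 series for production use; add a sentence telling 1.0 users where the descriptions differ, or point them to the previous compendium release.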
@@ -1424,12 +1522,12 @@
 
 \IncludeImage[width=10cm]{images/mainwindow-en}
 
-When you first start of OpenVAS-Client, you will see only one entry
-in the list: Global Settings. These settings you see on the first start-up are
-the default settings shipped with OpenVAS-Client. They do not cover a
-specific selection of plugins since a connection to an OpenVAS server is
-required to make a plugin selection. You can establish a connection with a
-server and then specify a global default plugin selection for later use.
+When you first start OpenVAS-Client, you will see only one entry in the list:
+Global Settings. These settings you see on the first start-up are the default
+settings shipped with OpenVAS-Client. They do not cover a specific selection of
+plugins since a connection to an OpenVAS server is required to make a plugin
+selection. You can establish a connection with a server and then specify a
+global default plugin selection for later use.
 
 \xname{tasks}
 \subsection{Tasks}
@@ -2427,12 +2525,222 @@
 
 \item Finally, run OpenVAS-Client and configure your task to scan the target
 where you installed SLAD and fill out the "SLAD init" preferences and, if
-wished,
-adjust the "SLAD run" preferences. A first scan will schedule the tasks, the
-next scan will retrieve the results that were collected so far (lsof is fast,
-John-the-ripper could take very long).
+wished, adjust the "SLAD run" preferences. A first scan will schedule the tasks,
+the next scan will retrieve the results that were collected so far (lsof is
+fast, John-the-ripper could take very long).
 \end{enumerate}
 
+\xname{slad-plugins}
+\subsection{SLAD plugins}
+
+As shown above, the sladd is just a program to run other programs from inside a
+daemon and provide an unififed interface to their output. The current package of
+SLAD contains the following plugins:
+
+\subsubsection{chkrootkit}
+
+The chkrootkit package is a tool to locally check for signs of installed
+rootkits.
+
+\subsubsection{clamav}
+
+The clamav plugin provides a GPLed virus scanner for linux. The options include
+scanning with or without archive (.zip, .tar.gz, etc) scanning, and removing
+infected files or putting them into quarantine.
+
+\subsubsection{john}
+
+John the ripper is a fast password cracker. This tool is meant to find
+weak user passwords, which could compromise system security. It comes
+with three options:
+
+\begin{description}
+  \item[Fast crack mode:] In this mode, John only tries the usernames and
+derived  words against the hashed passwords.
+  \item[Dictionary mode:] In this mode all words from the installed dictionary
+are tried to attack the hashed passwords.
+  \item[Full crack mode:] This slowest mode tries all words from the dictionary,
+as well as rules generated variations of these, against the user's passwords 
+\end{description}
+
+\textbf{The "normal" version of John exposes cracked passwords in clear-text.
+This makes John difficult to operate with in a professional environment.
+Therefore, SLAD uses a John the Ripper version which has been patched. In this
+version cracked passwords are not exposed anymore, instead only the
+user-accounts with crackable passwords are identified.}
+
+\subsubsection{lsof}
+
+The unix system utility lsof simply shows a list of files currently open on the
+system and which program uses them. This can assist an administrator to find
+unusual activity on the system.
+
+\subsubsection{tiger}
+
+The tiger suite is a package to analyze the host's security. Out of the many
+checks the suite can perform four groups have been created. These are:
+
+\begin{description}
+\item[Users:] The users check covers accounts, checks for mail aliases, ftp
+login users and the like.
+\item[Permission:] This selection checks users and group access permissions on
+device nodes, logfiles and other important files and directories.
+\item[Config:] This script checks for weaknesses and mistakes in common system
+and application specific configuration files.
+\item[System:] The system check looks for open deleted files, processes that are
+waiting for incoming connections, and other ``unsual'' things.
+\item[Full system check:] This runs all of the above checks.
+\end{description}
+
+\subsubsection{tripwire}
+
+Tripwire is an open source file integrity checker. It initially stores hashes of
+system files in a database for comparison on subsequent runs. Modifications
+performed by a potential intruder can be easily spotted this way.
+
+The default installation of tripwire contains a rule set for Debian. For details
+on how to adapt these to a different operating system or distribution, see the
+SLAD 2 Developers and Administrators Guide.
+
+\subsubsection{Snort}
+
+Snort is a network intrusion detection and prevention system that provides real
+time traffic analysis and packet logging on IP networks. It is capable of
+detecting a large number of attacks such as buffer overflows, stealth port
+scans, CGI attacks, SMB probes or OS fingerprinting attempts by doing both
+protocol analysis and content checks. Once an attack has been detected Snort is
+also capable of counteracting them by dropping the according connections.  The
+SLAD plugin selects all relevant Snort messages from a MySQL Database and sends
+them to the management platform.
+
+\paragraph{Snort-Installation}
+
+To use the Snort plugin, Snort needs to be installed with MySQL support. This
+could be done with Debian by using the \verb|apt-get| tool.
+
+% ?
+Answer for the Configuration with mysql to use the snort-mysql database.
+For the Hostname use your MySQL-Server Host where the SLAD-Plugin collects to.
+In the most cases this is 127.0.0.1, but you can use any other host here.
+Then use the database you want to use for logging, in most cases this will 
+be "snort", you must install mysql first, and create the database via
+"mysql create snort" and set the permissions first. For further information 
+consult your mysql-manual.
+
+\begin{verbatim}
+# mysqladmin create snort
+# apt-get install mysql-server snort-mysql
+# zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql snort
+\end{verbatim}
+
+After you installed Snort, you need to change the local-plugin configuration.
+This could be found at "/opt/slad/plugins/snort/snortconfig".
+
+\begin{verbatim}
+#!/bin/sh
+SNORTDBPW="changeme"
+MYSQLHOST="localhost"
+MYSQLUSER="snort"
+MYSQLDB="snort"
+SID="0"
+\end{verbatim}
+
+You can test the configuration by fetching the local-events by running:
+
+\begin{verbatim}
+# ./getsnortevents.sh
+\end{verbatim}
+
+\subsubsection{LMSensors}
+
+This fetches the events from your hardware monitoring, (for example someone
+opening the chassis of the server) and your server mainboard. The management
+system supports hardware sensor logging. An alert will be shown describing the
+physical incident on the SLAD managed server. This features is supported from
+the most mid-range server boards like Intel BX440 and newer.
+
+\subsubsection{LogWatch}
+
+Logwatch extracts events from the system log, like the syslog files present at
+"/var/log".
+All important information like login users, SSH and PAM Sessions, etc. are
+filtered and aggregated and returned to the calling SLAD.
+Three different levels of detail are supported:
+
+\begin{description}
+% ?
+\item[--low] Returns logfile values in a low detail level highesT aggregation.
+
+\item[--medium] Returns logfile aggregation in a medium detail level.
+
+\item[--high] Full and lowest aggregation level of logfile-values.
+
+\end{description}
+
+\subsubsection{TrapWatch}
+
+TrapWatch is a special version of Logwatch and listens on SNMP hardware traps.
+The Simple Network Management Protocol (SNMP) is the most common protocol
+for managing all kinds of network devices and is implemented in almost all
+currently available network devices. An SNMP trap is a message sent out by
+a network device to report an incident such as loss of link, failed
+authentication attempts etc. TrapWatch catches these messages and puts them
+into the report. This can be useful to detect changes in the network, like
+machines being unplugged or added to the network.
+Support for Netscreen firewall traps, HP-Procure switches and Cisco hardware
+is installed out of the Box.
+If non-standard MIBs are used, it might necessary to configure TrapWatch
+accordingly.
+
+To enable TrapWatch, you need to install an SNMP trap handler that puts the
+TRAP results into a syslog file. If you use Debian you can use the ``SNMP Trap
+Format'' package:
+
+\begin{verbatim}
+# apt-get install snmptrapfmt
+\end{verbatim}
+
+After the service is installed, you will get all new traps from the box.
+% Box? Which box?
+SNMP traps need to be correctly configured in your network hardware. It is
+highly recommended to test your setup before the first use with SLAD.
+To test the SNMP-TrapWatch feature, you can call the TrapWatch subsystem
+manually via:
+
+\begin{verbatim}
+# /opt/slad/plugins/trapwatch/trapwatch.sh --high
+\end{verbatim}
+
+The result should look like the following:
+
+\begin{tiny}
+\begin{verbatim}
+I 08/18/06 12:28:27 ports: port C4 is now off-line
+I 08/18/06 12:28:30 ports: port C4 is now on-line
+I 08/18/06 12:28:32 ports: port C4 is now off-line
+I 08/18/06 12:28:49 ports: port B4 is now on-line
+I 08/18/06 12:29:10 ports: port B4 is now off-line
+2006-08-18 14:31:25 [Root]system-alert-00026: IPSec tunnel on int ethernet1 with
+tunnel ID 0x8 received a packet with a bad SPI.
+217.0.72.117->193.108.181.253/56, ESP, SPI 0x0, SEQ 0x45080218
+I 08/18/06 15:55:04 ports: port F1 is now off-line
+I 08/18/06 15:55:06 ports: port F1 is now on-line
+I 08/18/06 15:57:00 sntp: updated time by 4 seconds
+2006-08-18 18:04:53 [Root]system-critical-00436: Large ICMP packet! From
+210.51.16.51 to 193.108.181.6, proto 1 (zone Untrust int ethernet1). Occurred 1
+times.
+2006-08-18 18:05:33 [Root]system-critical-00436: Large ICMP packet! From
+210.51.16.51 to 193.108.181.6, proto 1 (zone Untrust int ethernet1). Occurred 1
+times.
+I 08/18/06 19:15:24 ports: port F1 is now off-line
+I 08/18/06 19:15:26 ports: port F1 is now on-line
+2006-08-18 18:34:09 [Root]system-critical-00438: FIN but no ACK bit! From
+83.76.204.46:56242 to 193.108.181.101:6346, proto TCP (zone Untrust int
+ethernet1). Occurred 2 times.
+\end{verbatim}
+\end{tiny}
+
+
 \xname{nikto}
 \section{Nikto}
 \compendiumauthor{Michael Wiegand}
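Review bot: the Snort installation block runs `# mysqladmin create snort` before `# apt-get install mysql-server snort-mysql`, so on a fresh system the first command fails because the MySQL server and mysqladmin are not installed yet; reorder to install first, then create the database, then load create_mysql.gz, and rewrite the preceding paragraph ("Answer for the Configuration with mysql ...") into plain numbered steps, as it is hard to follow in its current form. The snortconfig listing ships a cleartext database password ("changeme"); the text should tell the reader to set a real password there and to restrict the file's permissions to root, since whoever can read it gains access to the Snort event database. The sample TrapWatch output contains what look like real public addresses (217.0.72.117, 193.108.181.253, 210.51.16.51, 83.76.204.46); replace them with addresses from the documentation range 192.0.2.0/24 before publishing. Remaining slips: "the sladd is just a program" should read "sladd is just a program", "unififed" should be "unified", "unsual" should be "unusual", "This features is supported" should be "This feature is supported", "highesT aggregation" should be "highest aggregation", "it might necessary" should be "it might be necessary", "out of the Box" should be "out of the box", and the three "% ?" / "% Box? Which box?" comments are unresolved editorial questions that should be answered or removed before release.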


