[Openvas-discuss] Getting the OpenVAS NVT/Plugin feed to start
jan-oliver.wagner at intevation.de
Thu Oct 11 15:24:09 CEST 2007
It is getting time that we are ready to start the feed service
for Network Vulnerability Tests (NVTs) aka plugins.
My initial idea is to concentrate on the Debian local security
checks in a startup phase. If we can promise that those tests will always be
up to date in the feed, we have reached a very important step.
Because this will establish/test the whole process for NVT
There is a solution in discussion over here to offer a site to operate
the feed. Which essentially means a central URL on a secured
machine from where to rsync the NVTs.
Also, we have an update script being currently tested.
I see basically two important aspects to decide/discuss:
1. How to handle NVT signatures (old scripts, new ones,
different authors/trust levels etc).
My proposal would be:
- sign all 'old' plugins with a special key that is exclusively
defined as a check that the plugins are the same as
those from Nessus.
-> Who should create the key, who should be the holder
of the key+passphrase?
- Whoever manages a group of NVTs may arrange a key
(for the following assuming we operate the download service over here)
- Whoever takes care of a group of plugins gets a procedure
to add them to the feed service. Basically this means
to provide the nasl files and a signature file. Also, some convention
about IDs is needed. My preference is to keep effort as low as possible
with the initial phase. Such things could easily be organized over our
- On a web page we list the certificates, which groups of plugins
they maintain and what is the level of QA or trust or security associated
with these signatures. And of course it is explained how to make OpenVAS
Server accept plugins with certain signatures.
2. How to organize the DSA2NVT process.
What we over here think about this is an evaluation/prioritisation/implementation/QA
process supported by a ticket management system like OTRS.
Maybe it is a good idea to set up a test instance and see how it is working
for OpenVAS during a test-phase.
All the best
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
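The acceptance check sketched under point 1 above (a signature file beside each nasl file, a published list of keys with the NVT group each one maintains and its trust level, and a server that only loads scripts carried by a signature it trusts enough), as an added example that is not part of this thread and not OpenVAS code. It uses Go's ed25519 in place of the OpenPGP keys the project would actually use, and every key name, group name, trust level, file name and script body below is constructed for the demonstration. One design choice the post leaves open is shown deliberately: the signed message covers the script ID (file name) as well as the content, so a valid signature cannot simply be copied next to a renamed file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TrustLevel stands in for the "level of QA or trust" the proposal would publish per key.
type TrustLevel int

const (
	TrustUnknown    TrustLevel = iota
	TrustLegacy                // special key attesting only "identical to the Nessus plugin"
	TrustMaintainer            // a group maintainer's own key
	TrustReviewed              // a group whose scripts pass a QA process
)

// KeyEntry is one row of the published key list: which NVT group, which trust level, which key.
type KeyEntry struct {
	Group string
	Level TrustLevel
	Pub   ed25519.PublicKey
}

// FeedItem is a NASL script plus the name of the signing key and its detached signature.
type FeedItem struct {
	Path    string // script file name (its ID) in the feed
	Content []byte
	KeyName string
	Sig     []byte
}

// Verdict records whether the server loads the script and why.
type Verdict struct {
	Path     string
	Accepted bool
	Reason   string
}

// signedMessage binds the signature to the script ID as well as its content, so a
// valid signature cannot simply be copied next to a different file name.
func signedMessage(path string, content []byte) []byte {
	msg := append([]byte(path), 0)
	return append(msg, content...)
}

// SignItem is the maintainer side: produce the signature shipped beside the .nasl file.
func SignItem(priv ed25519.PrivateKey, keyName, path string, content []byte) FeedItem {
	return FeedItem{Path: path, Content: content, KeyName: keyName,
		Sig: ed25519.Sign(priv, signedMessage(path, content))}
}

// CheckFeed is the server side: known key, valid signature, trust level >= minLevel.
func CheckFeed(keys map[string]KeyEntry, minLevel TrustLevel, items []FeedItem) []Verdict {
	out := make([]Verdict, 0, len(items))
	for _, it := range items {
		v := Verdict{Path: it.Path}
		k, known := keys[it.KeyName]
		switch {
		case !known:
			v.Reason = "unknown signing key " + it.KeyName
		case !ed25519.Verify(k.Pub, signedMessage(it.Path, it.Content), it.Sig):
			v.Reason = "signature does not match script ID and content"
		case k.Level < minLevel:
			v.Reason = fmt.Sprintf("trust level %d below required %d", k.Level, minLevel)
		default:
			v.Accepted = true
			v.Reason = "signed by " + it.KeyName + " (" + k.Group + ")"
		}
		out = append(out, v)
	}
	return out
}

// BuildDemo returns a constructed key list and feed: two valid scripts, one with
// tampered content, one renamed after signing, one signed by an unlisted key.
func BuildDemo() (map[string]KeyEntry, []FeedItem) {
	legacyPub, legacyPriv, _ := ed25519.GenerateKey(rand.Reader)
	debianPub, debianPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, unlistedPriv, _ := ed25519.GenerateKey(rand.Reader)

	keys := map[string]KeyEntry{
		"nessus-legacy": {Group: "imported Nessus plugins", Level: TrustLegacy, Pub: legacyPub},
		"debian-lsc":    {Group: "Debian local security checks", Level: TrustMaintainer, Pub: debianPub},
	}
	legacy := SignItem(legacyPriv, "nessus-legacy", "legacy_example.nasl",
		[]byte("# constructed sample: imported plugin\n"))
	debian := SignItem(debianPriv, "debian-lsc", "deb_example.nasl",
		[]byte("# constructed sample: Debian DSA check\n"))

	tampered := debian // same signature, content changed after signing
	tampered.Content = append([]byte("# injected line\n"), debian.Content...)
	renamed := debian // same signature and content, moved to another script ID
	renamed.Path = "deb_other.nasl"
	unlisted := SignItem(unlistedPriv, "somebody", "unlisted_example.nasl",
		[]byte("# constructed sample: key not on the published list\n"))

	return keys, []FeedItem{legacy, debian, tampered, renamed, unlisted}
}

func main() {
	keys, items := BuildDemo()
	for _, v := range CheckFeed(keys, TrustLegacy, items) {
		fmt.Printf("%-22s accepted=%-5v %s\n", v.Path, v.Accepted, v.Reason)
	}
}
```

Running it with the minimum set to TrustLegacy accepts the two properly signed scripts and rejects the tampered, renamed and unlisted ones; raising the minimum to TrustMaintainer additionally drops everything signed only with the legacy "same as Nessus" key, which is the knob the post's web page of certificates and trust levels would let an operator turn.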