[Openvas-discuss] Getting the OpenVAS NVT/Plugin feed to start

Jan-Oliver Wagner jan-oliver.wagner at intevation.de
Thu Oct 11 15:24:09 CEST 2007


Hi,

it is getting the time that we are ready to start the feed service
for Network Vulnerability Tests (NVTs) aka plugins.

My initial idea is to concentrate on the Debian local security
checks in a startup phase. If we can promise that those tests will always be
up to date in the feed, we have reached a very important step,
because this will establish/test the whole process for NVT
creation.

There is a solution in discussion over here to offer a site to operate
the feed, which essentially means a central URL on a secured
machine from where to rsync the NVTs.
Also we have an update script currently being tested.

I see basically two important aspects to decide/discuss:

1. How to handle NVT signatures (old scripts, new ones,
    different authors/trust levels etc).

    My proposal would be:
    - sign all 'old' plugins with a special key that is exclusively
       defined as a check that the plugins are the same as
       those from Nessus.
       -> Who should create the key, who should be the holder
            of the key+passphrase?
    - Whoever manages a group of NVTs may arrange a key
    (for the following assuming we operate the download service over here)
    -  Whoever takes care of a group of plugins gets a procedure
      to add them to the feed service. Basically this means
      to provide the nasl files and a signature file. Also, some convention
      about IDs is needed. My preference is to keep effort as low as possible
      with the initial phase. Such things could easily be organized over our
      mailing lists.
    - On a web page we list the certificates, which groups of plugins
      they maintain and what is the level of QA or trust or security associated
      with these signatures. And of course it is explained how to make OpenVAS
      Server accept plugins with certain signatures.

2. How to organize the DSA2NVT process.

   What we over here think about this is an evaluation/prioritisation/implementation/QA
   process supported by a ticket management system like OTRS.
   Maybe it is a good idea to set up a test instance and see how it is working
   for OpenVAS during a test phase.

All the best

	Jan
-- 
Dr. Jan-Oliver Wagner                        Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


