Sunday, 21 January 2018

Linux Hardening with OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and management solution.
    The security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 51,000 in total (as of February 2017).

    OpenVAS Features

    The OpenVAS security suite consists of three parts:
    • OpenVAS Scanner
      • The actual scanner that executes the real-time vulnerability tests;
      • It can handle more than one target host at a time;
      • Uses the OpenVAS Transfer Protocol (OTP);
      • OTP supports SSL.
    • OpenVAS Manager
      • Handles the SQL Database where all scanning results and configurations are stored;
      • Controls the scanner via OTP and offers the XML-based OpenVAS Management Protocol (OMP);
      • It can stop, pause or resume scanning operations;
      • Makes user management possible including group level management and access control management.
    • OpenVAS CLI
      • Command line tool acting as a client for OMP.

    Using OpenVAS 8 in Ubuntu 16.04


    Installing OpenVAS

    Install SQLite for OpenVAS manager.
    sudo apt-get install sqlite3
    Install other required packages
    sudo apt-get -y install python-software-properties
    Add Personal Package Archives repository for OpenVAS
    sudo add-apt-repository ppa:mrazavi/openvas
    Update your system
    sudo apt-get update && sudo apt-get upgrade -y
    Install the OpenVAS package
    sudo apt-get install openvas
    Press Yes
    Upgrade vulnerability and compliance data (this will take some time):
    sudo openvas-nvt-sync
    sudo openvas-scapdata-sync
    sudo openvas-certdata-sync
    Restart services
    sudo /etc/init.d/openvas-scanner restart
    sudo /etc/init.d/openvas-manager restart
    sudo /etc/init.d/openvas-gsa restart
    Create database
    sudo openvasmd --rebuild
    The installation is complete!

    Check installation

    The OpenVAS developers provide a handy tool to check the state of your application’s installation. To use the tool, simply follow these three steps:
    1. Download the tool’s latest version:
    sudo wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
    2. Ensure that the script is executable:
    sudo chmod +x openvas-check-setup
    3. Execute the script:
    sudo ./openvas-check-setup
    The result might look similar to this:

    Fix the errors
    sudo openvasmd --rebuild

    Running OpenVAS

    Open your browser (Firefox) and type:
    https://localhost/login/login.html
    Confirm security exception, and login with user “admin” and password “admin”:
    After the successful login, you’ll get to Greenbone’s Security Assistant (GSA) portal:

    Known vulnerabilities (February 2017)

    For a scan of the local machine, just insert the loopback address and press Start Scan

    OpenVAS results in Ubuntu

    Ultimate scan results:

    The final report will display a list of found vulnerabilities and the possible solutions to mitigate or override them.
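    The manager's XML interface (OMP, listed under OpenVAS Features above) is what the OpenVAS CLI and the GSA web interface speak, and the report shown in GSA is available over it as XML too. The following Python script is an added example, not code from this post or from the OpenVAS project: it builds the OMP requests for the workflow described above (authenticate, create a target for the loopback address, create and start a task) and summarises a get_reports response by threat level, most severe finding first. The report XML is a constructed sample, the config, target, task and report ids and the NVT OIDs are placeholders, and credentials are read from the OMP_USER and OMP_PASSWORD environment variables rather than hard-coding the default admin/admin login.

```python
"""Build OMP requests and summarise an OpenVAS report (added example).

Not code from the post or from the OpenVAS project. Request shapes follow the
OMP commands the OpenVAS CLI sends (authenticate, create_target, create_task,
start_task, get_reports). All ids and the report below are constructed.
"""
import os
import xml.etree.ElementTree as ET
from collections import Counter

# Placeholder: real ids come from get_configs / create_target / create_task responses.
FULL_AND_FAST_CONFIG_ID = "CONFIG-ID-PLACEHOLDER"


def omp_authenticate(username, password):
    """<authenticate> request. Credentials come from the caller (env vars), so
    scripts never carry the GSA default admin/admin login."""
    root = ET.Element("authenticate")
    cred = ET.SubElement(root, "credentials")
    ET.SubElement(cred, "username").text = username
    ET.SubElement(cred, "password").text = password
    return ET.tostring(root, encoding="unicode")


def omp_create_target(name, hosts):
    """<create_target> for a list of hosts, e.g. ["127.0.0.1"] for a local scan."""
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "hosts").text = ",".join(hosts)
    return ET.tostring(root, encoding="unicode")


def omp_create_task(name, config_id, target_id):
    """<create_task> tying a scan config to a target."""
    root = ET.Element("create_task")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "config", id=config_id)
    ET.SubElement(root, "target", id=target_id)
    return ET.tostring(root, encoding="unicode")


def omp_start_task(task_id):
    """<start_task> for an existing task id."""
    return ET.tostring(ET.Element("start_task", task_id=task_id), encoding="unicode")


def summarize_report(report_xml):
    """Parse a <get_reports_response>; return (counts per threat level, findings
    sorted by severity, highest first). Raises on a non-200 OMP status."""
    root = ET.fromstring(report_xml)
    if root.get("status") != "200":
        raise ValueError("OMP error %s: %s" % (root.get("status"), root.get("status_text")))
    findings = []
    for result in root.iter("result"):
        findings.append({
            "host": result.findtext("host"),
            "port": result.findtext("port"),
            "threat": result.findtext("threat", "Unknown"),
            "severity": float(result.findtext("severity", "0")),
            "name": result.findtext("nvt/name") or result.findtext("name"),
        })
    findings.sort(key=lambda f: f["severity"], reverse=True)
    return Counter(f["threat"] for f in findings), findings


# Constructed sample in the shape of a get_reports response (not a real scan).
SAMPLE_REPORT = """<get_reports_response status="200" status_text="OK">
<report id="00000000-0000-0000-0000-000000000001"><report><results>
<result id="r1"><host>127.0.0.1</host><port>22/tcp</port><threat>Medium</threat>
<severity>5.0</severity><nvt oid="1.3.6.1.4.1.25623.1.0.000001"><name>SSH Weak Encryption Algorithms Supported</name></nvt></result>
<result id="r2"><host>127.0.0.1</host><port>general/tcp</port><threat>High</threat>
<severity>7.5</severity><nvt oid="1.3.6.1.4.1.25623.1.0.000002"><name>Outdated OpenSSL version (sample)</name></nvt></result>
<result id="r3"><host>127.0.0.1</host><port>general/tcp</port><threat>Log</threat>
<severity>0.0</severity><nvt oid="1.3.6.1.4.1.25623.1.0.000003"><name>OS Detection</name></nvt></result>
</results></report></report></get_reports_response>"""


if __name__ == "__main__":
    user = os.environ.get("OMP_USER", "admin")
    password = os.environ.get("OMP_PASSWORD", "")
    print(omp_authenticate(user, password))
    print(omp_create_target("loopback", ["127.0.0.1"]))
    print(omp_create_task("local scan", FULL_AND_FAST_CONFIG_ID, "TARGET-ID-PLACEHOLDER"))
    print(omp_start_task("TASK-ID-PLACEHOLDER"))
    counts, findings = summarize_report(SAMPLE_REPORT)
    print(dict(counts))
    for f in findings:
        print("%-6s %4.1f %-12s %s" % (f["threat"], f["severity"], f["port"], f["name"]))
```

    The request strings can be handed to the omp command from the OpenVAS CLI package (its -X option sends raw OMP XML to the manager), and the summariser can be pointed at the XML a get_reports call returns, so a nightly scan can be reduced to a threat-level count without opening GSA.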


    OpenVAS 9 Beta

    A set of new packages for OpenVAS 9 beta is also available. If you want to try it, after installing SQLite and the other packages, just install "openvas9" package instead of "openvas".

    Installing in Ubuntu

    sudo apt-get install openvas9
    Then, update vulnerabilities and compliance data with the following commands:
    sudo greenbone-nvt-sync
    sudo greenbone-scapdata-sync
    sudo greenbone-certdata-sync
    Restart services and set database:
    sudo service openvas-scanner restart
    sudo service openvas-manager restart
    sudo openvasmd --rebuild
    Please note that the default port number of the GSA has changed to 4000. So, to access the web interface for version 9, go to https://localhost:4000
    You can change GSA port number by modifying /etc/default/openvas-gsa file. Then, restart its service by issuing the command:
    sudo service openvas-gsa restart
    New interface and added features:

    Remote scan with OpenVAS 9

    Results of a full remote scan on a CentOS 7:
    Results of remote full scan on a Fedora 25:
    The remote system was identified simply as Linux Kernel.

    Network scan with OpenVAS 9

    The scanner correctly identified Windows Server 2012/10 machines and Ubuntu/CentOS:
    This means OpenVAS can also be used to harden Windows machines.

    Using OpenVAS 8 in Fedora 25

    In Fedora, OpenVAS can be installed either from the official repository or from the Atomic repository. 

    Installing OpenVAS

    Install from the official repository
    sudo su
    Disable SELinux
    vi /etc/selinux/config
    Change the line to SELINUX=disabled
    Reboot your system
    Install the application
    sudo su
    dnf install openvas-gsa openvas-manager openvas-scanner openvas-cli
    Install additional packages
    dnf install texlive-latex nmap alien mingw32-nsis
    Start service
    systemctl start openvas-manager
    Create certificate
    openvas-mkcert
    Install REDIS service
    dnf install redis -y
    Configure the REDIS service
    vi /etc/redis.conf
    Uncomment lines:
    • unixsocket /tmp/redis.sock
    • unixsocketperm 700
    Update vulnerabilities and compliance data
    openvas-nvt-sync
    openvas-scapdata-sync
    openvas-certdata-sync
    Create client certificate
    openvas-mkcert-client -n -i
    Set database
    systemctl start openvas-scanner
    openvasmd --rebuild
    Create OpenVAS Manager Admin user
    openvasmd --create-user=admin --role=Admin && openvasmd --user=admin --new-password=admin
    Start services
    systemctl start redis
    systemctl start openvas-manager
    systemctl start openvas-scanner
    systemctl start openvas-gsa

    Check installation

    openvas-check-setup


    Running OpenVAS

    Open Firefox and go to:
    http://127.0.0.1
    Start a local scan:

    OpenVAS results in Fedora:


    Network scan:

    Like in Ubuntu, you’ll get a list of specific items that were found and the threats will be color-coded. For instance, this is one of the high threats:
    As you can see, the report also includes information about how to address the issue.
    Besides, the application will recognize and scan Windows machines!

    Conclusion

    OpenVAS is a magnificent tool to spot vulnerabilities and highlight areas to focus on when you are hardening your system.
    This was just a quick introduction, showing a bare minimum of the functionality of the OpenVAS security suite. Explore the Greenbone Security Assistant interface and take advantage of the great built-in help system to learn more about your options.
    For instance, giving the application the proper credentials to log on to remote machines allows it to perform more thorough scans.
    Besides, among other tasks, you can easily schedule scans, automatically generate reports, and email alerts when certain threat levels are generated.

    Linux Hardening with Lynis

    Lynis is a powerful open source auditing tool for Unix/Linux-like operating systems. It scans the system for security information, general system information, installed software information, configuration mistakes, security issues, user accounts without passwords, wrong file permissions, firewall auditing, etc.
    Lynis is also one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection in Unix/Linux-based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.

    Installing Lynis in Ubuntu

    This application doesn’t require any installation; it can be used directly from any directory. So, it’s a good idea to create a custom directory for Lynis:
    sudo mkdir /usr/local/lynis
    Download the stable version of Lynis from the website and unpack it:
    cd /usr/local/lynis
    sudo wget https://cisofy.com/files/lynis-2.4.0.tar.gz
    Unpack the tarball
    sudo tar -xvf lynis-2.4.0.tar.gz

    Running Lynis

    You must be the root user to run Lynis, because it creates and writes its output to the /var/log/lynis.log file. Therefore, to run Lynis execute the following commands:
    cd lynis
    ./lynis
    By running ./lynis without any option, it prints a complete list of available parameters and returns to the shell prompt:
    To start the Lynis analysis, you must pass the proper parameters to scan your entire Linux system. Use the following command to start scanning:
    sudo ./lynis audit system --quick
    The "quick" option runs the scanner without any pauses between sections and lets you run Lynis while you are doing other things.

    Lynis Scanning Results

    While scanning, you will see output marked as [OK] or [WARNING], where the first is considered a good result and the latter a bad one. You should take corrective steps to fix those issues after reading the logs at /var/log/lynis.log.

    Ubuntu 16.04 LTS results:


    Fedora Workstation 25 results:



    CentOS 7-1611 Core results:



    In most cases, the application provides suggestions to fix problems.
    However, you should follow the provided links to get more info:
    • https://cisofy.com/controls/AUTH-XXXX
    • https://cisofy.com/controls/FILE-XXXX
    Or go to the general page with info on all Lynis controls
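    Besides the [OK]/[WARNING] lines shown on screen, Lynis writes a machine-readable report (by default /var/log/lynis-report.dat) with one warning[]=TEST-ID|message|... or suggestion[]=... entry per finding. The following Python script is an added example, not part of this post or of Lynis itself: it parses that file, groups findings by test ID with warnings listed before suggestions, and builds the cisofy.com/controls link for each ID, so the follow-up links mentioned above are generated instead of typed by hand. The report contents embedded below are a constructed sample, not the output of a real scan.

```python
"""Triage a Lynis report file into warnings and suggestions (added example).

Not part of the post or of Lynis. Reads the key=value report Lynis writes
(default /var/log/lynis-report.dat); the sample below is constructed.
"""
import re
import sys
from collections import defaultdict

CONTROL_URL = "https://cisofy.com/controls/{test_id}"

# Constructed sample of the report format (not a real scan result).
SAMPLE_REPORT_DAT = """\
# Lynis Report
lynis_version=2.4.0
os_name=Linux
hardening_index=64
warning[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /home file system, place /home on a separated partition|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
"""

# kind[]=TEST-ID|message|details|solution| ; only kind, test ID and message are used.
FINDING_RE = re.compile(r"^(warning|suggestion)\[\]=([A-Z]{3,5}-\d{4})\|([^|]*)\|")


def parse_lynis_report(text):
    """Return (meta, findings). meta holds scalar keys such as hardening_index;
    findings maps test ID -> {"kinds": set, "message": str, "url": str}."""
    meta = {}
    findings = defaultdict(lambda: {"kinds": set(), "message": "", "url": ""})
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = FINDING_RE.match(line)
        if m:
            kind, test_id, message = m.groups()
            entry = findings[test_id]
            entry["kinds"].add(kind)
            entry["message"] = entry["message"] or message
            entry["url"] = CONTROL_URL.format(test_id=test_id)
        elif "=" in line and "[]" not in line:   # scalar key, not an array entry
            key, value = line.split("=", 1)
            meta[key] = value
    return meta, dict(findings)


def warnings_first(findings):
    """Test IDs ordered so real warnings come before mere suggestions."""
    return sorted(findings, key=lambda t: ("warning" not in findings[t]["kinds"], t))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_DAT
    meta, findings = parse_lynis_report(text)
    print("Lynis %s, hardening index %s" % (meta.get("lynis_version"), meta.get("hardening_index")))
    for test_id in warnings_first(findings):
        entry = findings[test_id]
        print("%-10s %-20s %s" % (test_id, "/".join(sorted(entry["kinds"])), entry["message"]))
        print("           %s" % entry["url"])
```

    Run it with the path to the real report file as its only argument (as root, since /var/log is not world-readable) to get the same triage for your own system; the hardening index printed first is the single number to track between audits.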

    Updating Lynis

    Lynis is often updated so you should check the status of your version on a regular basis:
    ./lynis update info
    If outdated, go to the Cisofy downloads page and get the latest version

    Linux Hardening with Tiger

    Tiger is a security tool that can be used both as a security audit and as an IDS. It supports multiple UNIX platforms and it is free and provided under a GPL license.
      Check all the details on the official website.

      Installing Tiger in Ubuntu

      Install the application by running the command:
      sudo apt-get install tiger

      Keys creation:
      Done!


      Running Tiger

      To start Tiger, just type:
      sudo tiger

      To check the scan in real time, open another terminal window and go to Tiger’s log folder:
      cd /var/log/tiger
      If you can't get there, change your user to root. If you don’t have a root user, create one!
      sudo passwd root
      NOTE: You can use the “sudo su” command instead. This will prevent using the root user, as this is not a good idea when we think about hardening a system.
      Then use the tail command to see what the Tiger scanner is writing to the log file:
      tail -f security.report.rui-VirtualBox.tmp.24839
      NOTE: Your log file will have a different name.

      To view the final report
      less security.report.rui-VirtualBox.170222-18:16
      Analyze the log file, identify the vulnerabilities and try to correct them.
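      Each finding in a Tiger report is one line carrying a severity marker and a message ID, e.g. --WARN-- [pass014w] ..., and the ID can be looked up with the tigexp tool from the same package. The following Python script is an added example, not from this post or from the Tiger project: it parses a report, counts findings per severity level and lists them most severe first, so a long report can be triaged before you read it with less. The report lines embedded below are constructed in Tiger's line format for the example; they are not the output of a real scan, and the message IDs are illustrative.

```python
"""Summarise a Tiger security report by severity and message ID (added example).

Not from the post or from the Tiger project. Tiger writes one finding per line
as --LEVEL-- [msgid] text; the sample lines below are constructed in that
format for the example and are not the output of a real scan.
"""
import re
import sys
from collections import Counter

# Most severe first. ERROR marks a check that could not run, not a finding.
SEVERITY_ORDER = ["ALERT", "FAIL", "WARN", "INFO", "ERROR"]

# Message IDs look like pass014w: a check prefix, three digits, a level letter.
LINE_RE = re.compile(
    r"^--(?P<level>ALERT|FAIL|WARN|INFO|ERROR)-- "
    r"\[(?P<msgid>[a-z]+\d{3}[a-z])\] (?P<text>.*)$"
)

# Constructed sample in Tiger's report format (IDs illustrative, not a real scan).
SAMPLE_REPORT = """\
# Performing check of passwd files...
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
--FAIL-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
# Performing check of PATH components...
--WARN-- [path009w] /etc/profile sets PATH to include the current directory.
# Checking listening processes
--WARN-- [lin003w] The process `sshd' is listening on socket 22 (TCP on every interface) is run by root.
--ALERT-- [rootkit002a] Possible rootkit file found (sample line).
--INFO-- [init001i] Hostname: rui-VirtualBox
"""


def parse_tiger_report(text):
    """Return a list of {"level", "msgid", "text"} dicts, one per finding line;
    section headers (# ...) and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return findings


def severity_counts(findings):
    """Count findings per severity level."""
    return Counter(f["level"] for f in findings)


def findings_at_or_above(findings, level="WARN"):
    """Findings at the given severity or worse, most severe first (sorting is
    stable, so the report's own order is kept within a level)."""
    cutoff = SEVERITY_ORDER.index(level)
    kept = [f for f in findings if SEVERITY_ORDER.index(f["level"]) <= cutoff]
    return sorted(kept, key=lambda f: SEVERITY_ORDER.index(f["level"]))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_tiger_report(text)
    print(dict(severity_counts(found)))
    for f in findings_at_or_above(found, "WARN"):
        print("%-5s %-12s %s" % (f["level"], f["msgid"], f["text"]))
```

      Point it at a file in /var/log/tiger to triage a real report; the message ID column is what you feed to tigexp to get the explanation and the recommended fix.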

      Despite being an old tool, Tiger’s simplicity makes it the perfect starting point for those who want to start learning about Linux hardening.