Speeding up provisioning time of OpenVas

Support/Development for OpenVAS
pizzapete_
New Forum User
Posts: 1
Joined: Fri Jun 17, 2016 7:03 am
Location: London

Post by pizzapete_

Hi All,

I'm trying to simplify the initial setup of an OpenVas installation using Puppet. I have a few questions:

- Is there a way to pre-package up a lot of the downloaded CVTs and to make the initial setup faster? What paths would I need to package up?
- /bin/openvas-setup does a lot of the setup, but I'd rather be able to break it down into separate steps for idempotency. Is there a clear guide on what steps are being run?

If possible I'd like to be able to do the minimum to get the OpenVas server running, then let the user run the sync steps at their own speed.

Thanks

Regards
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Speeding up provisioning time of OpenVas

Post by scott

I'd thought about doing an nvt bundle early on, and opted for the nvt update job as the first step. They change daily, so I'm not sure how useful that bundle would be unless I was doing package updates at a higher frequency (weekly might be possible). Or maybe even an AWS image with openvas already set up.

What you could do with puppet is sync the directory /var/lib/openvas to other targets, or maybe even run your own update mirror.

And the detailed steps of setup are:

1) Get the latest nvts

/usr/sbin/openvas-nvt-sync

2) Download the CERT data. This is optional, so you could skip this one and let the cron update job do this later.

/usr/sbin/openvas-certdata-sync

3) Download SCAP data. Again, this is optional and will get updated by cron. It's also the biggest download, from the most unreliable/slow mirror (run by NIST).

/usr/sbin/openvas-scapdata-sync


4) Make the Openvas client cert. Required for openvassd and openvasmd to communicate.

/usr/sbin/openvas-mkcert-client -n -i

5) Start openvas scanner (order is very very important here!)

/sbin/service openvas-scanner restart

6) Wait for about 10 seconds. Even better, wait until openvassd completely loads all its NVTs.

7) Run an openvasmd migration event. Very important for upgrades, but it also has some internal checks to auto-correct things:

/usr/sbin/openvasmd --migrate

8) Start openvas manager, openvas scanner must be running (step 5) at this point

/sbin/service openvas-manager restart

9) Configure GSAD, by default it will listen on localhost only. If you want it to be reachable from other systems edit:

/etc/sysconfig/gsad

and change

GSA_ADDRESS=0.0.0.0

10) Start GSAD

/sbin/service gsad restart


11) Create user(s)

/usr/sbin/openvasmd --create-user=USERNAME

where USERNAME is the user you are creating

12) Set USERNAME's password. If you don't do this here, step 11 will create a random password:

/usr/sbin/openvasmd --user=USERNAME --new-password=PASSWORD

13) Configure Redis (required, openvas won't work without this), edit:

/etc/redis.conf

and set/change the socket:

unixsocket /tmp/redis.sock


14) Make sure the redis socket permissions are set to 700, edit /etc/redis.conf

and set/change:
unixsocketperm 700

15) Start redis:

service redis start

16) If you are on EL7, enable the services to start on boot:

systemctl enable openvas-scanner
systemctl enable openvas-manager
systemctl enable gsad
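
An idempotent form of the configuration edits in steps 9, 13 and 14 of the reply above, as an added example that is not part of the thread or of Atomicorp's openvas-setup. The function names and the REDIS_CONF, GSAD_CONF and GSA_LISTEN variables are assumptions made for this sketch; the file paths, keys and values are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not the project's own code. Variable and function names are
# hypothetical; paths, keys and values come from steps 9, 13 and 14.
REDIS_CONF=${REDIS_CONF:-/etc/redis.conf}
GSAD_CONF=${GSAD_CONF:-/etc/sysconfig/gsad}
GSA_LISTEN=${GSA_LISTEN:-127.0.0.1}  # step 9: 0.0.0.0 makes GSAD reachable from other systems

# ensure_setting FILE KEY SEP VALUE
# Leave exactly one active "KEY<SEP>VALUE" line in FILE. Commented-out lines
# are not touched. Returns 0 if FILE was changed, 1 if it was already correct.
ensure_setting() {
    file=$1; key=$2; sep=$3; value=$4
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 2
    awk -v k="$key" -v s="$sep" -v v="$value" '
        index($0, k s) == 1 {
            if (!done) { print k s v; done = 1 }   # rewrite the first match
            next                                    # drop any later duplicates
        }
        { print }
        END { if (!done) print k s v }              # key was absent: append it
    ' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then rm -f "$tmp"; return 1; fi
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    return 0
}

# apply_config: returns 0 if any file changed (the affected services need a
# restart), 1 if everything was already in place.
apply_config() {
    changed=1
    ensure_setting "$REDIS_CONF" unixsocket " " /tmp/redis.sock && changed=0
    ensure_setting "$REDIS_CONF" unixsocketperm " " 700 && changed=0
    ensure_setting "$GSAD_CONF" GSA_ADDRESS = "$GSA_LISTEN" && changed=0
    return "$changed"
}

# Run as "script apply"; sourcing the file only defines the functions.
if [ "${1:-}" = apply ]; then
    if apply_config; then echo "config changed: restart redis and gsad"
    else echo "config already in place"; fi
fi
```

The exit status of apply_config lets a configuration-management run restart redis and gsad only when a file actually changed, so repeated runs are no-ops.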