OpenVAS NVT Feed Services

This text explains how NVT Feed Services work in general and how to use a feed service to keep your OpenVAS server up to date with the newest NVTs.

Note: If you experience problems or think the description should be more detailed on some items, please give feedback on the OpenVAS discussion mailing list.

Overview

An OpenVAS NVT Feed Service provides a set of NVTs (i.e. ".nasl" and ".inc" files) which can be downloaded to your OpenVAS server installation.

In fact, only changed and new NVTs are downloaded, along with their signature files (".asc") and an overall "md5sums" file. This synchronization process uses rsync. The signatures only become relevant if you configure OpenVAS to execute only trusted NVTs.

Prerequisites

Apart from openvas-plugins, minimum version 0.9.1, which contains "openvas-nvt-sync", you need to have the standard tools "rsync" and "md5sum" installed on your OpenVAS server system. If you installed a packaged OpenVAS, the package management should have taken care to meet these dependencies already.

Performing a synchronization with an OpenVAS NVT Feed

You need to follow these steps:

  1. Check the configuration of the synchronization command:

    Usually you will find this shell script installed as "/usr/sbin/openvas-nvt-sync".

    You should verify that the variables "NVT_DIR" and "FEED" are correct. This should be the case for NVT_DIR if you did not deviate from the standard build and install routine. For FEED, only the pre-configured feed is currently available, so do not change it.

  2. Run the synchronization command:
         # openvas-nvt-sync
         

    It connects to the only NVT feed currently available. At the end, it verifies the md5 checksums of all synchronized files. If any of them fails, an error is reported. In this case you should retry a couple of minutes later (reasons for failures could be network lag or the feed being updated at the same time). If the problem occurs again, please report it to the OpenVAS discussion mailing list.

  3. Restart the OpenVAS server (openvasd):
         # kill -1 PID
         

    Where PID is the process ID of the main openvasd. The "openvas-nvt-sync" script shows how this should ideally work, but currently it does not work. You might consider using the "killall openvasd" command if you really know what this means.

Available NVT Feed Services

See About OpenVAS NVT Feed.

For demonstration purposes, the OpenVAS project offers a simple NVT feed under rsync://rsync.openvas.org:/nvt-feed. It is pre-configured in the "openvas-nvt-sync" tool.

However, the NVTs are signed with the OpenVAS Transfer Integrity certificate.

How is the NVT Feed Server itself created

This section describes how the feed server itself is set up, mainly for transparency purposes. It is not necessary for users to set up such a server. It is strongly recommended that you coordinate with the OpenVAS team if you want to offer NVTs via a feed service, to avoid a scattered availability of NVTs.

The steps explained in the following assume you are familiar with unixoid systems and the typical tools any system administrator knows from his/her daily work.

Also note that this is a simple version of an NVT server as used for the sample feed of OpenVAS. A more sophisticated version is in preparation.

  1. Configure rsyncd to serve a directory of your choice, e.g. with a section like this in /etc/rsyncd.conf:
        [my-feed]
            path = /home/my-nvt-feed
            comment = My NVT feed, see http://www.openvas.org/
        
  2. Place all NVTs (*.nasl files) and NASL libraries (*.inc files) in the respective directory (here /home/my-nvt-feed)
  3. Place all signatures (*.nasl.asc files) in the same directory.

    If you have not created the signatures yet, this is how you could sign all of the files in one go (you need to do this on a system where your signing key is available, of course):

        $ eval $(gpg-agent --daemon)
        $ cd /home/my-nvt-feed
        $ for f in *.nasl *.inc; do gpg --use-agent --detach-sign -a "$f"; done
        
  4. Create the md5sums file:
        $ md5sum *.nasl* *.inc* > md5sums
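
The checksum verification in the synchronization step and the md5sums file built in step 4 only cover files that are named in md5sums, and MD5 detects transfer corruption rather than tampering. The shell function below is an added example, not part of openvas-nvt-sync or the OpenVAS project; it reports checksum failures, NVTs missing from the manifest and NVTs without a detached signature file (the name audit_feed and the finding labels are made up for this example). It only checks that a ".asc" file exists; validating it still requires gpg --verify against the feed's signing key.

```shell
#!/bin/sh
# Added example, not the project's openvas-nvt-sync script.
# audit_feed DIR  -> prints one line per finding, returns 1 if any.
# Assumes GNU md5sum text-mode lines ("<hash>  <name>") and file
# names without spaces, as produced by the md5sum command above.
audit_feed() {
    dir=$1
    status=0
    if [ ! -f "$dir/md5sums" ]; then
        echo "MISSING md5sums"
        return 1
    fi

    # 1. Listed files whose content no longer matches (or is missing).
    bad=$(cd "$dir" && LC_ALL=C md5sum -c md5sums 2>/dev/null \
            | grep -v ': OK$' || true)
    if [ -n "$bad" ]; then
        echo "$bad"
        status=1
    fi

    # 2. md5sum -c only reads files named in the manifest, so walk the
    #    directory for NVTs/includes it never saw or that lack a .asc.
    for f in "$dir"/*.nasl "$dir"/*.inc; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=${f##*/}
        if ! awk -v n="$name" '$2 == n { hit = 1 } END { exit !hit }' \
                "$dir/md5sums"; then
            echo "UNLISTED $name"
            status=1
        fi
        if [ ! -f "$f.asc" ]; then
            echo "UNSIGNED $name"
            status=1
        fi
    done
    return "$status"
}
```

Call it as `audit_feed /home/my-nvt-feed` on the feed server before publishing, or on the directory named by NVT_DIR after a sync.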