Commit ef054c0b authored by Sophie Brun's avatar Sophie Brun

Merge tag 'upstream/4.0.2'

Upstream version 4.0.2
parents 3e5421a2 bba162da
......@@ -52,14 +52,14 @@ macro (Subversion_GET_REVISION dir variable)
endmacro (Subversion_GET_REVISION)
if (NOT CMAKE_BUILD_TYPE MATCHES "Release")
if (EXISTS ".svn/")
if (EXISTS "${CMAKE_SOURCE_DIR}/.svn/")
if (SVN_EXECUTABLE)
Subversion_GET_REVISION(. ProjectRevision)
set (SVN_REVISION ".SVN.r${ProjectRevision}")
else (SVN_EXECUTABLE)
set (SVN_REVISION ".SVN")
endif (SVN_EXECUTABLE)
endif (EXISTS ".svn/")
endif (EXISTS "${CMAKE_SOURCE_DIR}/.svn/")
endif (NOT CMAKE_BUILD_TYPE MATCHES "Release")
# TODO: Check pkg-config (maybe with code like in gsa/CMakeLists.txt).
......@@ -77,11 +77,11 @@ set (CPACK_SOURCE_GENERATOR "TGZ")
set (CPACK_SOURCE_TOPLEVEL_TAG "")
set (CPACK_SYSTEM_NAME "")
set (CPACK_TOPLEVEL_TAG "")
set (CPACK_PACKAGE_VERSION_MAJOR "3")
set (CPACK_PACKAGE_VERSION_MINOR "4")
set (CPACK_PACKAGE_VERSION_MAJOR "4")
set (CPACK_PACKAGE_VERSION_MINOR "0")
# Use this scheme for stable releases
set (CPACK_PACKAGE_VERSION_PATCH "0${SVN_REVISION}")
set (CPACK_PACKAGE_VERSION_PATCH "2${SVN_REVISION}")
set (CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
# Use this scheme for +betaN and +rcN releases:
#set (CPACK_PACKAGE_VERSION_PATCH "+beta1${SVN_REVISION}")
......@@ -106,10 +106,8 @@ set (CPACK_SOURCE_IGNORE_FILES
"Doxyfile_full$"
"openvassd.8$"
"VERSION$"
"tools/openvas-adduser$"
"tools/openvas-mkcert$"
"tools/openvas-mkcert-client$"
"tools/openvas-rmuser$"
"tools/openvas-nvt-sync$"
)
......@@ -160,7 +158,6 @@ set (OPENVAS_CACHE_DIR "${LOCALSTATEDIR}/cache/openvas")
set (OPENVAS_PID_DIR "${LOCALSTATEDIR}/run")
set (OPENVAS_SYSCONF_DIR "${SYSCONFDIR}/openvas")
set (OPENVAS_USERS_DIR "${OPENVAS_STATE_DIR}/users")
set (OPENVAS_NVT_DIR "${OPENVAS_STATE_DIR}/plugins")
set (OPENVAS_LIB_INSTALL_DIR "${LIBDIR}")
......@@ -173,7 +170,6 @@ set (OPENVAS_CA_CERTIFICATE "${OPENVAS_STATE_DIR}/CA/cacert.pem")
set (OPENVASSD_MESSAGES "${OPENVAS_LOG_DIR}/openvassd.messages")
set (OPENVASSD_DEBUGMSG "${OPENVAS_LOG_DIR}/openvassd.dump")
set (OPENVASSD_CONF "${OPENVAS_SYSCONF_DIR}/openvassd.conf")
set (OPENVASSD_RULES "${OPENVAS_DATA_DIR}/openvassd.rules")
set (NVT_TIMEOUT "320")
......@@ -186,7 +182,7 @@ message ("-- Install prefix: ${CMAKE_INSTALL_PREFIX}")
## list and throw an error, otherwise long install-cmake-install-cmake cycles
## might occur.
pkg_check_modules (LIBOPENVAS REQUIRED libopenvas>=6.0.0)
pkg_check_modules (LIBOPENVAS REQUIRED libopenvas>=7.0.0)
pkg_check_modules (GNUTLS REQUIRED gnutls>=2.8)
pkg_check_modules (GLIB REQUIRED glib-2.0>=2.16)
......@@ -197,13 +193,6 @@ if (NOT PCAP)
message (FATAL_ERROR "The pcap library is required.")
endif (NOT PCAP)
message (STATUS "Looking for gpgme...")
find_library (GPGME gpgme)
message (STATUS "Looking for gpgme... ${GPGME}")
if (NOT GPGME)
message (FATAL_ERROR "The gpgme library is required.")
endif (NOT GPGME)
execute_process (COMMAND pkg-config --cflags glib-2.0
OUTPUT_VARIABLE GLIB_CFLAGS
OUTPUT_STRIP_TRAILING_WHITESPACE)
......@@ -225,6 +214,13 @@ execute_process (COMMAND pkg-config --libs gnutls
OUTPUT_VARIABLE GNUTLS_LDFLAGS
OUTPUT_STRIP_TRAILING_WHITESPACE)
execute_process (COMMAND libgcrypt-config --libs
OUTPUT_VARIABLE GCRYPT_LDFLAGS
OUTPUT_STRIP_TRAILING_WHITESPACE)
execute_process (COMMAND libgcrypt-config --cflags
OUTPUT_VARIABLE GCRYPT_CFLAGS
OUTPUT_STRIP_TRAILING_WHITESPACE)
## Version
string (REPLACE "
......@@ -235,8 +231,6 @@ configure_file (doc/Doxyfile.in doc/Doxyfile @ONLY)
configure_file (doc/Doxyfile_full.in doc/Doxyfile_full @ONLY)
configure_file (doc/openvassd.8.in doc/openvassd.8 @ONLY)
configure_file (VERSION.in VERSION @ONLY)
configure_file (tools/openvas-adduser.in tools/openvas-adduser @ONLY)
configure_file (tools/openvas-rmuser.in tools/openvas-rmuser @ONLY)
configure_file (tools/openvas-mkcert.in tools/openvas-mkcert @ONLY)
configure_file (tools/openvas-mkcert-client.in tools/openvas-mkcert-client @ONLY)
configure_file (tools/openvas-nvt-sync.in tools/openvas-nvt-sync @ONLY)
......@@ -270,9 +264,7 @@ install (FILES ${CMAKE_BINARY_DIR}/src/openvassd
#install (FILES openvassd_log.conf
# DESTINATION ${OPENVAS_SYSCONF_DIR})
install (FILES ${CMAKE_BINARY_DIR}/tools/openvas-adduser
${CMAKE_BINARY_DIR}/tools/openvas-rmuser
${CMAKE_BINARY_DIR}/tools/openvas-mkcert
install (FILES ${CMAKE_BINARY_DIR}/tools/openvas-mkcert
${CMAKE_BINARY_DIR}/tools/openvas-mkcert-client
${CMAKE_BINARY_DIR}/tools/openvas-nvt-sync
DESTINATION ${SBINDIR}
......@@ -287,18 +279,13 @@ install (FILES ${CMAKE_SOURCE_DIR}/tools/greenbone-nvt-sync
install (FILES ${CMAKE_BINARY_DIR}/doc/openvassd.8
DESTINATION ${DATADIR}/man/man8 )
install (FILES ${CMAKE_SOURCE_DIR}/doc/openvas-adduser.8
${CMAKE_SOURCE_DIR}/doc/openvas-mkcert.8
install (FILES ${CMAKE_SOURCE_DIR}/doc/openvas-mkcert.8
${CMAKE_SOURCE_DIR}/doc/openvas-nvt-sync.8
${CMAKE_SOURCE_DIR}/doc/openvas-rmuser.8
${CMAKE_SOURCE_DIR}/doc/greenbone-nvt-sync.8
DESTINATION ${DATADIR}/man/man8 )
install (DIRECTORY DESTINATION ${OPENVAS_NVT_DIR})
install (DIRECTORY DESTINATION ${OPENVAS_CACHE_DIR})
install (DIRECTORY
DESTINATION ${OPENVAS_SYSCONF_DIR}/gnupg
DIRECTORY_PERMISSIONS OWNER_EXECUTE OWNER_READ OWNER_WRITE)
## Tests
......
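Review bot: The `execute_process (COMMAND libgcrypt-config ...)` calls in the `@@ -225,6 +214,13 @@` hunk never check whether the command succeeded, so a missing or failing `libgcrypt-config` leaves `GCRYPT_LDFLAGS` and `GCRYPT_CFLAGS` empty and configuration carries on. The comment ahead of the `pkg_check_modules` calls in this file asks for missing dependencies to be reported as an error at configure time, and the gpgme check that this commit appears to remove did so with `message (FATAL_ERROR ...)`. Add `RESULT_VARIABLE GCRYPT_CONFIG_RESULT` to each call and follow it with `if (NOT GCRYPT_CONFIG_RESULT EQUAL 0)` wrapping `message (FATAL_ERROR "The gcrypt library is required.")`. The `pkg-config` `execute_process` calls shown as context have the same gap, although `pkg_check_modules (... REQUIRED ...)` already covers those packages.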
......@@ -10,38 +10,31 @@ or under "GNU GPLv2 or any later version" (GNU GPLv2+).
GPLv2: See file COPYING.GPLv2
The following overview was collected 20100812 based
on the header of the respective files (last updated
20110114):
The following overview was initially collected 20100812 based
on the header of the respective files and since then updated
as changes were applied:
src/attack.[c|h]: GPLv2
src/auth.[c|h]: GPLv2
src/comm.[c|h]: GPLv2
src/hosts.[c|h]: GPLv2
src/locks.[c|h]: GPLv2
src/log.[c|h]: GPLv2
src/nasl_plugins.c: GPLv2
src/ntp_11.[c|h]: GPLv2
src/ntp.[c|h]: GPLv2
src/openvassd.c: GPLv2
src/otp_1_0.[c|h]: GPLv2+
src/oval_plugins.c: GPLv2+
src/parser.[c|h]: GPLv2
src/otp.[c|h]: GPLv2+
src/piic.[c|h]: GPLv2
src/pluginlaunch.[c|h]: GPLv2
src/pluginload.[c|h]: GPLv2
src/pluginscheduler.[c|h]: GPLv2
src/plugs_hash.[c|h]: GPLv2
src/plugs_req.[c|h]: GPLv2
src/preferences.[c|h]: GPLv2
src/processes.[c|h]: GPLv2
src/rules.[c|h]: GPLv2
src/save_kb.[c|h]: GPLv2
src/sighand.[c|h]: GPLv2
src/users.[c|h]: GPLv2
src/utils.[c|h]: GPLv2
tools/greenbone-nvt-sync: GPLv2
tools/openvas-adduser.in: GPLv2
tools/openvas-rmuser.in: GPLv2
tools/greenbone-nvt-sync: GPLv2+
tools/openvas-mkcert-client.in: GPLv2
tools/openvas-mkcert.in: GPLv2
tools/openvas-nvt-sync.in: GPLv2
......@@ -2,7 +2,7 @@ INSTALLATION INSTRUCTIONS FOR OPENVAS-SCANNER
=============================================
Please note: The reference system used by most of the developers is Debian
Debian GNU/Linux 'Squeeze' 6.0. The build might fail on any other systems.
Debian GNU/Linux 'Wheezy' 7. The build might fail on any other systems.
Also it is necessary to install dependent development packages.
......@@ -13,7 +13,7 @@ Prerequisites:
* cmake
* glib-2.0 >= 2.16
* gnutls >= 2.8
* openvas-libraries >= 6.0.0
* openvas-libraries >= 7.0.0
* pkg-config
Prerequisites for building documentation:
......@@ -29,7 +29,7 @@ If you have installed required libraries to a non-standard location, remember to
set the PKG_CONFIG_PATH environment variable to the location of you pkg-config
files before configuring:
$ export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/your/location/lib/pkgconfig
$ export PKG_CONFIG_PATH=/your/location/lib/pkgconfig:$PKG_CONFIG_PATH
Create a build directory and change into it with
......@@ -76,7 +76,15 @@ Setting up an openvas-scanner requires the following steps:
This command will guide you through the certificate creation and place the
certificates in the correct locations on your system.
2) In order to run vulnerability scans, you will need a collection of Network
2) (optional) You may decide to change the default scanner preferences
by setting them in the file $prefix/etc/openvassd.conf. If that file does
not exist (default), then the default settings are used. You can view
them with "openvassd -s". The output of that command is a valid configuration
file. The man page ("man openvassd") provides details about the available
settings, among these opportunities to restrict access of scanner regarding
scan targets and interfaces.
3) In order to run vulnerability scans, you will need a collection of Network
Vulnerability Tests (NVTs) that can be run by openvas-scanner. Initially,
your NVT collection will be empty. It is recommended that you synchronize
with an NVT feed service before starting openvas-scanner for the first time.
......@@ -98,7 +106,7 @@ Setting up an openvas-scanner requires the following steps:
Please visit the OpenVAS website for more information on available NVT feeds
and instructions for integrating feeds into your scanner installation.
3) You can launch openvas-scanner using the following command:
4) You can launch openvas-scanner using the following command:
$ openvassd
......@@ -107,6 +115,12 @@ Setting up an openvas-scanner requires the following steps:
the internal scanner cache has to be updated. Subsequent launches will be
much quicker.
Sending SIGHUP to the scanner main process will initiate a reload of the
feed content and of the scanner preferences. This will not affect running
scans. The NVT synchronisation routine will try to send the SIGHUP to the
scanner on its own. This works only if the pid-file of scanner is found
which is expected to be /var/run/openvas/openvassd.pid.
Please note that although you can start openvassd as a user without elevated
privileges, it is recommended that you start openvassd as root since a number
of Network Vulnerability Tests (NVTs) require root privileges to perform
......@@ -114,26 +128,13 @@ Setting up an openvas-scanner requires the following steps:
without permission to perform these operations, your scan results are very
likely to be incomplete.
4) Once the scanner has started, openvas-manager can act as a client and control
the scanner. The actual user interfaces (for example GSA, GSD or CLI-OMP)
5) Once the scanner has started, openvas-manager can act as a client and control
the scanner. The actual user interfaces (for example GSA or CLI-OMP)
will only interact with the manager, not the scanner.
It is still possible to use the latest version of the old OpenVAS-Client as
direct client application for the scanner but this will circumvent the whole
vulnerability management storage and processes.
5) [conditional]: If you do plan to use OpenVAS-Client as direct client and do
not plan to use OpenVAS Manager, then you need to create at least one user
for the openvas-scanner to be able to login. This can be done via the command:
$ openvas-adduser
The command will guide you through the user creation and allow you to specify
a name and authentication method for the user and to define rules restricting
the usage of the scanner by this user.
If you plan to use the OpenVAS Manager, you will be guided through
creation of user accounts by the INSTALL file of OpenVAS Manager.
You will be guided through creation of user accounts by the INSTALL file
of OpenVAS Manager.
If you encounter problems, the files /var/log/openvas/openvassd.messages and
......@@ -143,3 +144,26 @@ installation method.) Please have these files ready when contacting the OpenVAS
developers through the OpenVAS mailing list or the online chat or submitting bug
reports at http://bugs.openvas.org/ as they may help to pinpoint the source of
your issue.
Static code analysis with the Clang Static Analyzer
---------------------------------------------------
If you want to use the Clang Static Analyzer (http://clang-analyzer.llvm.org/)
to do a static code analysis, you can do so by adding the following parameter
when configuring the build:
-DCMAKE_C_COMPILER=/usr/share/clang/scan-build/ccc-analyzer
Note that the example above uses the default location of ccc-analyzer in Debian
GNU/Linux and may be different in other environments.
To have the analysis results aggregated into a set of HTML files, use the
following command:
$ scan-build make
The tool will provide a hint on how to launch a web browser with the results.
It is recommended to do this analysis in a separate, empty build directory and
to empty the build directory before "scan-build" call.
......@@ -11,9 +11,9 @@ Please see the file COPYING for the license information.
Please refer to the instructions provided in the file INSTALL if you want to
install and configure openvas-scanner. If you are not familiar or comfortable
with the procedure described there, we recommend that you use a binary package
provided by your distribution. Information regarding available binary packages
is available from the OpenVAS website.
with building from source code, we recommend that you use a install package or use
a prepared virtual machine. Information regarding available binary packages
and virtual machines is available from the download area of the OpenVAS website.
Note that you will need the openvas-libraries modules to compile
openvas-scanner. Further information about these modules is available
......
$Id: kb_entries.txt 1246 2008-08-29 14:56:30Z jan $
ATTENTION: THIS LIST OF ENTRIES SEEMS TO NOT OCCUR (SET) in OPENVAS NVTS!
This means that these entries are probably set by proprietary scripts
or are hopelessly outdated.
Name Value Meaning
-----------------------------------------------------------------------------
cfingerd/version <version> Version of the remote cfingerd
finger/.@host 1 Fingering "." gives away the list of users
finger/0@host 1 Fingering "0" gives away the list of users
finger/active 1 The finger service works properly
finger/search.**@host 1 Fingering ".**" gives the list of users
finger/user@host1@host2 1 Finger can be used as a relay
ftp/anonymous 1 Anonymous FTP is enabled
ftp/ncftpd 1 The remote server is NcFTPd
ftp/no_mkdir 1 The remote server prevents the use of MKD
ftp/overflow 1 The remote server can be overflown
ftp/overflow_method <cmd> Command vulnerable to an overflow
ftp/pftp_login_problem 1 The remote pftp server allows " "/" " to log in
ftp/root_via_cwd 1 Wu-FTPd allows the becoming of root via CWD
ftp/root_via_site_exec 1 Wu-FTPd allows the becoming of root using SITE EXEC
ftp/wftp_login_problem 1 WFTP allows any login
ftp/writeable_dir <dir> Name of a user-writeable dir
ftp/wu_ftpd_overflow 1 Wu-FTPd vulnerable to an overflow
http/10 1 HTTP/1.0 is spoken here
http/11 1 HTTP/1.1 is spoken here
Proxy/usage 1 The remote proxy can be used
RPC/NIS/domain domainname NIS domain
rpc/bootparamd 1 Bootparamd is present
rpc/portmap 1 Portmap is reachable
rsh/active 1 rsh is working properly
SMB/Users/Enumerated 1 The SMB users have been enumerated (through sid2user or via SNMP)
SMB/Win2K/ServicePack <ServicePack> ServicePack applied on the remote W2K server
SMB/WinNT4/ServicePack <ServicePack> ServicePack applied on the remote WNT4
SMB/WindowsVersion <Version> Version of windows the remote host is running
SMB/browse <BrowseList> Browse list of the remote host
SMB/domain_sid <SID> SID of the host's domain
SMB/login <login> Login to use for the tests
SMB/password <password> Password that goes with the login
SMB/registry_access 1 We can access to the remote registry
SMB/registry_full_access 1 We can access any value in the remote registry
SMB/shares <shares> List of shares exported by the remote server
SMB/svcs <svcs> Services run by the remote server
SMB/Users/<num> <username> Name of SMB users
SMB/ValidUsers/<num>/Login <username> Name of a (working) SMB user
SMB/ValidUsers/<num>/Password <passwd> Password of a valid SMB user
Sawmill/method <string> Is Sawmill running as a CGI or in standalone mode ?
Sawmill/readline <string> Sawmill can read the first line of any remote file
Services/nntp <port> Port of the remote NNTP server
Services/swat <port> Port of the remore SWAT server
Services/vqServer-admin <port> Port of the remote vqServer admin
Services/www <port> Port of the remote web server
Services/realserver <port> Port of the remote real server
Services/smtp <port> Port of the remote SMTP server
Services/ftp <port> Port of the remote FTP server
Services/ssh <port> Port of the remote SSH server
Services/http_proxy <port> Port of the remote HTTP proxy
Services/pop1 <port> Port of the remote POP-1 server
Services/pop2 <port> Port of the remote POP-2 server
Services/pop3 <port> Port of the remote POP-3 server
Services/imap <port> Port of the remote IMAP server
Services/auth <port> Port of the remote identd/auth server
Services/wild_shell <port> A shell is running on this port
Services/telnet <port> Port of the remote telnet server
Services/netbus <port> Port of the remote netbus server
Services/linuxconf <port> Port of the remote linuxconf server
Services/napster <port> Port of the remote napster client
SMTP/vrfy 1 The remote SMTP server accepts VRFY requests
SMTP/expn 1 The remote SMTP server acceps EXPN requests
SMTP/spam 1 The remote SMTP server is an open relay
www/<port>/content/cgi/<num> <cginame> CGI of the remote server
#
# XXX to be completed
#
DESCRIPTION OF THE NBE FILE FORMAT
The .nbe file format was designed to facilitate the export of openvassd reports
to other tools.
The format is the following for each line :
<category>|<subnet>|<host>|[Info]
Where :
<category> is either "timestamps" or "results".
If <category> is timestamps, then the format of [info] is :
<action>|<time>|
with
<action> = scan_start, scan_end, host_start or host_end
if action is scan_{start,end} then the fields subnet and host are empty.
If <category> is "results", then [info] is plain old .nsr, that is :
<port>|<plugin_id>|<category>|<report>
(described in the file nsr_file_format.txt)
With <port> being the port in plain text (ie: "tcpmux (1/tcp)"),
<plugin_id> is the ID of the plugin which generated an alert, <category>
is one of {Security Hole, Security Warning, Security Note} and <report>
is the report, with return carriages and newlines escaped as '\r' and '\n'
DESCRIPTION OF THE NSR FILE FORMAT
$Id: nsr_file_format.txt 5092 2009-09-21 12:15:09Z felix $
The .nsr file format was designed to facilitate the export of openvassd reports
to other tools.
The format is the following for each line :
'hostname|port' (1)
or
'hostname|port|script_id|type|data' (2)
The format (1) indicates that a port is open. The format (2) adds
a security report to the information
hostname : the host name or IP address
port : the port affected. The format is : 'portname (num/protocol)',
ie : www (80/tcp). It can also be 'general/protocol', which
means that the protocol itself is affected
script_id : is the number of the script which generated the information.
see http://cvs.nessus.org/plugins/search.html to find the
name of a plugin thanks to its id
type : either INFO (security warning) or REPORT (security hole)
data : content of the report or warning. All the '\n' chars are
replaced by ';'
.TH OpenVAS-ADDUSER 8 "May 2009" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-adduser \- add a user in the openvassd userbase
.sp
.SH SYNOPSIS
.BI openvas-adduser
.SH DESCRIPTION
.LP
The
.B OpenVAS Security Scanner
comes with its own user base which contains the list of who can
use the services of
.BR openvassd ,
and what restriction (or
.IR rules )
each user has.
.B openvas-adduser
is a simple program which will add a user to the
.B openvassd
userbase.
The program is straightforward and asks for the following items:
.IP "\(bu Login"
the login name of the
.B openvassd
user to add
.IP "\(bu Password"
the password that the user will use to connect to
.B openvassd
.IP "\(bu Rules"
the set of rules to apply to the user. See below.
.SH RULES
Each user has his own set of rules. Rules are here to restrict
the rights of the users. For instance, you can add user \*(lqjoe\*(rq so
that he can only test the host \*(lq192.168.1.1\*(rq, whereas you can
add user \*(lqbob\*(rq so that he can test whatever IP address he wishes.
Each rule fits on one line. A user can have an unlimited amount of
rules (and can even have no rule at all).
The syntax is:
.RS
accept|deny ip/mask
.RE
and
.RS
default accept|deny
.RE
Where
.I mask
is the CIDR netmask of the rule.
The
.I default
statement must be the last rule and defines the policy of the user.
The following rule set will allow the user to test 192.168.1.0/24,
192.168.3.0/24 and 172.22.0.0/16, but nothing else:
.RS
accept 192.168.1.0/24
.br
accept 192.168.3.0/24
.br
accept 172.22.0.0/16
.br
default deny
.RE
The following rule set will allow the user to test whatever he wants,
except the network 192.168.1.0/24:
.RS
deny 192.168.1.0/24
.br
default accept
.RE
The keyword
.I client_ip
has been defined, and is replaced at run time by the IP address
of the
.B openvassd
user. For instance, if you want your users to be able
to only be able to scan the system they come from, then you want
them to have the following ruleset:
.RS
accept client_ip
.br
default deny
.RE
.SH SEE ALSO
.BR openvas-rmuser (8),\ openvassd (8)
.SH MORE INFORMATION ABOUT THE OpenVAS PROJECT
The canonical places where you will find more information
about the OpenVAS project are:
.RS
.UR
http://www.openvas.org/
.UE
(Official site)
.RE
.SH AUTHOR
.B openvas-adduser
was quickly written by Renaud Deraison <deraison@cvs.nessus.org>
.SH BUGS
.B openvas-adduser
creates temporary files in
.IR $TMPDIR/ .
If this variable is not
set, then it will use
.I /var/tmp
which may be a security risk
depending of your configuration.
If you set your TMPDIR variable to
.IR /tmp ,
then you are in trouble.
......@@ -3,8 +3,9 @@
openvas-mkcert \- Creates a scanner certificate
.sp
.SH SYNOPSIS
.BI openvas-mkcert
[ -q ] [ -f ]
.B openvas-mkcert
.RB [ -q ]
.RB [ -f ]
.SH DESCRIPTION
......
.\" Hey, EMACS: -*- nroff -*-
.TH OPENVAS-NVT-SYNC 8 "September 2009" "The OpenVAS Project" "User Manuals"
.TH OPENVAS-NVT-SYNC 8 "January 2014" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-nvt-sync \- updates the OpenVAS security checks from OpenVAS NVT Feed
.SH SYNOPSIS
......@@ -14,8 +14,9 @@ plugins appear on the OpenVAS site (www.openvas.org)
The script
.B openvas-nvt-sync
will fetch all the newest security checks for you and install them at the proper
location. Once this is done you will need to restart openvas-scanner(8)
so that it loads them and uses them for new security scans.
location. Once this is done you will need to either restart openvas-scanner(8)
or send a SIGHUP to its main process so that it loads the new checks and uses them
for new security scans.
.br
.B openvas-nvt-sync
......
.TH OpenVAS-RMUSER 8 "February 2001" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-rmuser \- removes a user from the openvassd userbase
.sp
.SH SYNOPSIS
.BI openvas-rmuser\ [\| <login> \|]
.SH DESCRIPTION
The
.B OpenVAS Security Scanner
comes with its own user base which contains the list of who can
use the services of
.BR openvasad ,
and what restriction (or
.IR rules )
each user has.
.BI openvas-rmuser
is a simple program which will remove user from the proper openvasad
configuration files, as well as its data (saved KBs and saved sessions).
.SH SEE ALSO
.BR openvas-adduser (8),\ openvassd (8),\ openvas (1)
.SH MORE INFORMATION ABOUT THE OPENVAS PROJECT
The canonical places where you will find more information
about the OpenVAS project are:
.RS
.UR
http://www.openvas.org/
.UE
(Official site)
.br
.UR
http://cvs.openvas.org/
.UE
(Developers site)
.RE
.SH AUTHOR
.B openvas-rmuser
was quickly written by Renaud Deraison <deraison@cvs.nessus.org>
......@@ -2,7 +2,7 @@
.SH NAME
openvassd \- The Scanner of the Open Vulnerability Assessment System (OpenVAS)
.SH SYNOPSIS
.BI "openvassd [\|-v\|] [\|-h\|] [\|-c " config-file\| "] [\|-S " ip[,ip2,...]\| "] [\|-a " address\|
.BI "openvassd [\|-v\|] [\|-h\|] [\|-c " config-file\| "] [\|-a " address\|
.BI "] [\|-p " port-number\| "] [\|-D\|] [\|-R\|] [\|-P\|] [\|-q\|] [\|-f\|]"
.SH DESCRIPTION
......@@ -17,7 +17,7 @@ target hosts in a highly optimized way.
.BR openvassd
inspects the remote hosts and attempts to list all the vulnerabilities and common
misconfigurations that affects them. Note that openvassd will run in daemon mode
by default (unless you specify -f as an option).
by default (unless you specify \-f as an option).
.SH OPTIONS
.TP
......@@ -30,7 +30,7 @@ Use the alternate configuration file instead of
Tell the scanner to only listen to connections on the address
.I <address>
which is an IP, not a machine name. For instance,
"openvassd -a 192.168.1.1"
"openvassd \-a 192.168.1.1"
will make
.B openvassd
only listen to requests going to
......@@ -39,34 +39,26 @@ This option is useful if you are running openvassd on a gateway and if you don't
want people on the outside to connect to your
.BR openvassd .
.TP
.BI "-S " <ip[,ip2,...]> ", --src-ip=" <ip[,ip2,...]>
Force the source IP of the connections established by OpenVAS to
.I <ip>
.\" Note that you can not set arbitrary addresses here, as most OpenVAS
checks need to fully establish a connection to the remote host. This
option is only useful if you have a multi-homed machine with multiple
public IP addresses that you would like to use instead of the default
one. Example :
.BR "openvassd -S 192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4"
will make
.B openvassd
establish connections with a source IP of one among those listed above.
For this setup to work, the host running openvassd should have multiple
NICs with these IP addresses set.
.TP
.BI "-p " <port-number> ", --port=" <port-number>
Tell the scanner to listen on connection on the port <port-number> rather
than listening on port 9391 (default).
.TP
.B "-f, --foreground"
Make the scanner stay in foreground (non-daemon mode)
.BI " --gnutls-priorities=" <priority-string>
Sets the GnuTLS priority string for the listening socket to adjust the supported
cipher suites.
.TP
.BI " --dh-params=" <file>
Sets the path to a PEM file containing Diffie-Hellman parameters. Needed for key
DHE-based key exchange algorithms that provide Perfect Forward Secrecy.
This file could be generated using tools like "openssl dhparam" and
"certtool --genrate-dh-params".
.TP
.B "-q, --quiet"
Prevent the scanner from printing the loading status of the plugins at startup
.B "-f, --foreground"
Make the scanner stay in foreground (non-daemon mode)
.TP
.B "-v, --version"
......@@ -151,95 +143,44 @@ OpenVAS plugins use the result of each other to execute their job. For instance,
.IP use_mac_addr
Set this option to 'yes' if you are testing your local network and each local host has a dynamic IP address (affected by DHCP or BOOTP), and all the tested hosts will be referred to by their MAC address.
.IP rules
path to the rules database
The other options in this file can usually be redefined by the client.