Vulnscand

From OpenNMS

Nessus integration

To enable Vulnscand:

Edit $OPENNMS_HOME/etc/service-configuration.xml and add the following service entry:

<service>
        <name>OpenNMS:Name=Vulnscand</name>
        <class-name>org.opennms.netmgt.vulnscand.jmx.Vulnscand</class-name>
        <invoke at="start" pass="0" method="init"/>
        <invoke at="start" pass="1" method="start"/>
        <invoke at="status" pass="0" method="status"/>
        <invoke at="stop" pass="0" method="stop"/>
</service>

touch $OPENNMS_HOME/etc/vulnerabilities.enable (this enables the Vulnerabilities menu option)

Now you must change two tables in the OpenNMS database: vulnerabilities and vulnplugins. You are changing these tables because Nessus occasionally reports a CVE entry longer than the cveentry column allows, and the insert then fails.

There are two ways to perform these changes: one for PostgreSQL 7 and an easier method for PostgreSQL 8 (ALTER COLUMN ... TYPE was added in PostgreSQL 8.0).

PostgreSQL 7

ALTER TABLE vulnerabilities ADD cveentry2 character varying(256);
UPDATE vulnerabilities SET cveentry2 = cveentry;
ALTER TABLE vulnerabilities DROP COLUMN cveentry;
ALTER TABLE vulnerabilities RENAME cveentry2 TO cveentry;

ALTER TABLE vulnplugins ADD cveentry2 character varying(256);
UPDATE vulnplugins SET cveentry2 = cveentry;
ALTER TABLE vulnplugins DROP COLUMN cveentry;
ALTER TABLE vulnplugins RENAME cveentry2 TO cveentry;

PostgreSQL 8

ALTER TABLE vulnerabilities ALTER COLUMN cveentry TYPE character varying(256);
ALTER TABLE vulnplugins ALTER COLUMN cveentry TYPE character varying(256);

Configure Nessus to accept plain-text (non-SSL) authentication and traffic. This is not the best security approach, since the Nessus credentials and scan results then travel unencrypted between OpenNMS and nessusd, but it works:

echo "ssl_version = NONE" >> /etc/nessus/nessusd.conf

Patch fillVulnPluginsTable.pl with the following ed-style diff:

102,103c
                                ) || print "Insert failed: $DBI::errstr\n";
                                #) || $fatal_err++;
.
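Review bot: the replacement at lines 102,103 turns a failed insert from a counted fatal error (`$fatal_err++`, now commented out) into a printed message only, so the script carries on and nothing downstream learns how many plugin rows were lost. Keep the counter next to the print, e.g. `|| do { print "Insert failed: $DBI::errstr\n"; $fatal_err++ }`, so a final summary or non-zero exit can still tell the operator the plugin table is incomplete.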
68a
                                'ssl' => '0',
.
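Review bot: `'ssl' => '0'` appended after line 68 hardcodes the plaintext client connection that pairs with the ssl_version = NONE setting in nessusd.conf above; if this script is shared or committed, read the value from a command-line option that defaults to SSL on, so plaintext mode can be switched back off without re-patching the file.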

Fill the plugin table by running fillVulnPluginsTable.pl.

Create and configure the config file (a minimal example with a few plugins follows). I'd suggest running a select such as the following Perl snippet and inserting the plugin IDs it prints into the scan level you wish to achieve.

(plugs.pl)

#!/usr/bin/perl
# Print the ID of every Nessus plugin in vulnPlugins that is not in one of the
# intrusive categories, one "id;" per line, ready to paste into the plugin-list
# attribute of vulnscand-config.xml.
# Nessus plugin categories by scan level: scanner, infos, mixed, attack
use strict;
use warnings;
use DBI;

my $debug = 0;   # set to 1 for progress output

# These should be pretty obvious, but set your db_name, username, and password
my $db_name = "opennms";
my $db_user = "opennms";
my $db_pass = "opennms";

if ($debug) {
        print "Using database name: $db_name\n";
        print "Using database username: $db_user\n";
        print "Using database password: $db_pass\n";
}

# Go ahead and make the database connection
my $dbh = DBI->connect("DBI:Pg:dbname=$db_name", $db_user, $db_pass, {
                PrintError => 0,        ## Don't report errors via warn()
                RaiseError => 0         ## Don't die on errors; return values are checked below
        }) or die "Database connection failed: $DBI::errstr\n";

if ($debug) {
        print "Database connection succeeded\n";
}

# Everything except the categories that can disrupt or crash the scanned host
my $sth = $dbh->prepare("
        SELECT pluginid FROM vulnPlugins
        WHERE category <> 'attack'
          AND category <> 'denial'
          AND category <> 'destructive_attack'
          AND category <> 'kill_host'
          AND category <> 'flood'
") or die "Prepare failed: $DBI::errstr\n";

$sth->execute or die "Query failed: $DBI::errstr\n";

while (my ($plugin) = $sth->fetchrow_array) {
        if ($plugin) {
                print "$plugin;\n";
        }
}

$sth->finish;
$dbh->disconnect;


$OPENNMS_HOME/etc/vulnscand-config.xml (the IDs in plugin-list are the ones printed by plugs.pl):

<?xml version="1.0"?>
<vulnscand-configuration
        rescan-frequency="86400000"
        initial-sleep-time="300000"
        max-suspect-thread-pool-size="3"
        max-rescan-thread-pool-size="3"
        server-address="nessus-host.com"
        server-port="1241"
        server-username="opennms"
        server-password="password"
        status="true">

        <managed-interfaces
                status="true"
                scan-level="3"/>
        <excludes>
                <specific>10.193.253.25</specific>
                <specific>127.0.0.1</specific>
                <specific>10.193.12.91</specific>
        </excludes>

        <!-- scanner, infos, mixed, attack -->
        <scan-level
                level="3"
                safe-checks="true"
                plugin-list="
13130;
14336;
17005;
18519;
12293;
11113;
18896;
20297;
13996;
15830;
13400;
15732;
17376;
">
        </scan-level>

</vulnscand-configuration>
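The plugs.pl output above is pasted by hand into the plugin-list attribute, and the config itself is never checked before Vulnscand starts scanning. The following Python helper is an added example, not OpenNMS code: it parses plugs.pl-style output into a deduplicated list of numeric plugin IDs, renders a vulnscand-config.xml with the element and attribute names shown above, and lints such a file (port range, placeholder password, excludes that are not IP addresses, a managed-interfaces scan-level with no matching scan-level element, non-numeric plugin-list entries). The sample plugs.pl output, server name and credentials are constructed for the example; the lint rules are this example's own choices, not rules enforced by Vulnscand.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of what plugs.pl prints: one "id;" per line. It includes a
# duplicate and a junk line on purpose so the parser's handling of them is visible.
PLUGS_OUTPUT = """13130;
14336;
17005;
13130;
not-a-plugin;
"""


def parse_plugin_ids(text):
    """Split plugs.pl output (or a plugin-list attribute) on ';' and whitespace.

    Returns (ids, rejected): integer plugin IDs in first-seen order with
    duplicates dropped, plus every token that was not a bare integer."""
    ids, seen, rejected = [], set(), []
    for token in re.split(r"[;\s]+", text):
        if not token:
            continue
        if not token.isdigit():
            rejected.append(token)
            continue
        pid = int(token)
        if pid not in seen:
            seen.add(pid)
            ids.append(pid)
    return ids, rejected


def plugin_list_attr(ids):
    """Render the plugin-list attribute body in the one-'id;'-per-line form."""
    return "\n" + "".join(f"{pid};\n" for pid in ids)


def build_config(server, port, user, password, excludes, level, ids, safe_checks=True):
    """Produce a vulnscand-config.xml document using the element and attribute
    names from the example above; the timing and pool sizes are kept fixed."""
    root = ET.Element("vulnscand-configuration", {
        "rescan-frequency": "86400000",
        "initial-sleep-time": "300000",
        "max-suspect-thread-pool-size": "3",
        "max-rescan-thread-pool-size": "3",
        "server-address": server,
        "server-port": str(port),
        "server-username": user,
        "server-password": password,
        "status": "true",
    })
    ET.SubElement(root, "managed-interfaces", {"status": "true", "scan-level": str(level)})
    ex = ET.SubElement(root, "excludes")
    for addr in excludes:
        ET.SubElement(ex, "specific").text = addr
    ET.SubElement(root, "scan-level", {
        "level": str(level),
        "safe-checks": "true" if safe_checks else "false",
        "plugin-list": plugin_list_attr(ids),
    })
    return ET.tostring(root, encoding="unicode")


def lint_config(xml_text):
    """Return a list of human-readable problems found in a vulnscand-config.xml."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "vulnscand-configuration":
        return [f"unexpected root element {root.tag!r}"]
    port = root.get("server-port", "")
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"server-port {port!r} is not a valid TCP port")
    if root.get("server-password") in (None, "", "password"):
        problems.append("server-password is empty or a placeholder")
    for spec in root.iter("specific"):
        try:
            ipaddress.ip_address((spec.text or "").strip())
        except ValueError:
            problems.append(f"exclude {spec.text!r} is not an IP address")
    mi = root.find("managed-interfaces")
    wanted = mi.get("scan-level") if mi is not None else None
    if wanted not in {sl.get("level") for sl in root.iter("scan-level")}:
        problems.append(f"managed-interfaces scan-level {wanted!r} has no matching <scan-level>")
    for sl in root.iter("scan-level"):
        ids, bad = parse_plugin_ids(sl.get("plugin-list", ""))
        for token in bad:
            problems.append(f"scan-level {sl.get('level')}: plugin-list entry {token!r} is not numeric")
        if not ids:
            problems.append(f"scan-level {sl.get('level')}: plugin-list is empty")
    return problems


if __name__ == "__main__":
    ids, bad = parse_plugin_ids(PLUGS_OUTPUT)
    print("rejected:", bad)
    # Constructed server name and credentials, not a real Nessus host.
    doc = build_config("nessus.example.invalid", 1241, "opennms", "s3cret-example",
                       ["127.0.0.1", "10.193.253.25"], 3, ids)
    print(doc)
    print("problems:", lint_config(doc))
```

Run it as a script to see the generated document, or feed your real file to lint_config with open(...).read() before restarting OpenNMS; the splitter tolerates the blank lines and trailing space that the hand-edited plugin-list above contains.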


Set Vulnscand to DEBUG in the logging configuration, restart OpenNMS, and you should start seeing activity against your nodes.

A word of caution: Vulnscand currently lacks an on/off feature; this is being worked on. In practice it means that once a scan is due, Vulnscand starts scanning nodes regardless of production cycles. The current implementation idea is an allowed-cycle schedule, where scanning begins in, for example, off-hours, quiets down during important production hours, and then picks up again where it left off.
