Vulnscand

From OpenNMS


Nessus integration

To enable Vulnscand:

Edit $OPENNMS_HOME/etc/service-configuration.xml and add the following service entry:

<service>
        <name>OpenNMS:Name=Vulnscand</name>
        <class-name>org.opennms.netmgt.vulnscand.jmx.Vulnscand</class-name>
        <invoke at="start" pass="0" method="init"/>
        <invoke at="start" pass="1" method="start"/>
        <invoke at="status" pass="0" method="status"/>
        <invoke at="stop" pass="0" method="stop"/>
</service>

touch $OPENNMS_HOME/etc/vulnerabilities.enable (creating this file enables the Vulnerabilities menu option)

Now you must change two tables within the OpenNMS database, vulnerabilities and vulnplugins. You are changing these tables because every now and then Nessus reports a cveentry value that is longer than the column's original width.

There are two ways to perform these changes, one for PostgreSQL 7 and an easier method for PostgreSQL 8.

PostgreSQL 7

ALTER TABLE vulnerabilities ADD cveentry2 character varying(256);
UPDATE vulnerabilities SET cveentry2 = cveentry;
ALTER TABLE vulnerabilities DROP COLUMN cveentry;
ALTER TABLE vulnerabilities RENAME cveentry2 TO cveentry;

ALTER TABLE vulnplugins ADD cveentry2 character varying(256);
UPDATE vulnplugins SET cveentry2 = cveentry;
ALTER TABLE vulnplugins DROP COLUMN cveentry;
ALTER TABLE vulnplugins RENAME cveentry2 TO cveentry;

PostgreSQL 8

ALTER TABLE vulnerabilities ALTER COLUMN cveentry TYPE character varying(256);
ALTER TABLE vulnplugins ALTER COLUMN cveentry TYPE character varying(256);

Configure Nessus to allow plain-text (no SSL) authentication and traffic. This is not the best security approach, but it works:

echo "ssl_version = NONE" >> /etc/nessus/nessusd.conf

Patch the fillVulnPluginsTable.pl file with the following ed script (the line numbers refer to the unpatched file):

102,103c
                                ) || print "Insert failed: $DBI::errstr\n";
                                #) || $fatal_err++;
.
68a
                                'ssl' => '0',
.

Fill the plugintable by executing fillVulnPluginsTable.pl.

Create / configure the config file. The example below is minimal and lists only a few plugins; I'd suggest running a select such as the following Perl snippet and inserting the resulting plugins into the scan level you wish to achieve.

(plugs.pl)

#!/usr/bin/perl
# Prints the ids of Nessus plugins that are not active attacks
# (categories seen in vulnPlugins include scanner, infos, mixed, attack)
use strict;
use warnings;
use DBI;

# Set to 1 for progress output on STDOUT
my $debug = 0;

# These should be pretty obvious, but set your db_name, username, and password
my $db_name="opennms";
my $db_user="opennms";
my $db_pass="opennms";

if ($debug) {
        print "Using database name: $db_name\n";
        print "Using database username: $db_user\n";
        print "Using database password: $db_pass\n";
}

# Go ahead and make the database connection; any DBI error is fatal
my $dbh = DBI->connect("DBI:Pg:dbname=$db_name", $db_user, $db_pass, {
                PrintError => 0,        ## Don't report errors via warn()
                RaiseError => 1         ## Report errors via die()
        });

if ($debug) {
        print "Database connection succeeded\n";
}

# Leave out plugin categories that can disrupt the scanned host
my $sth=$dbh->prepare("
        select pluginid from vulnPlugins
        where category <> 'attack' AND category <> 'denial'
          AND category <> 'destructive_attack' AND category <> 'kill_host'
          AND category <> 'flood'
");

$sth->execute;

# One id per line, each terminated by ';', ready to paste into the
# plugin-list attribute of vulnscand-config.xml
while (my ($plugin) = $sth->fetchrow_array) {
        if ($plugin) {
                print "$plugin;\n";
        }
}

$sth->finish;
$dbh->disconnect;


$OPENNMS_HOME/etc/vulnscand-config.xml

<?xml version="1.0"?>
<vulnscand-configuration
        rescan-frequency="86400000"
        initial-sleep-time="300000"
        max-suspect-thread-pool-size="3"
        max-rescan-thread-pool-size="3"
        server-address="nessus-host.com"
        server-port="1241"
        server-username="opennms"
        server-password="password"
        status="true">

        <managed-interfaces
                status="true"
                scan-level="3"/>
        <excludes>
                <specific>10.193.253.25</specific>
                <specific>127.0.0.1</specific>
                <specific>10.193.12.91</specific>
        </excludes>

        <!-- scanner, infos, mixed, attack -->
        <scan-level
                level="3"
                safe-checks="true"
                plugin-list="
13130;
14336;
17005;
18519;
12293;
11113;
18896;
20297;
13996;
15830;
13400;
15732;
17376;
">
        </scan-level>

</vulnscand-configuration>
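The Perl snippet above selects plugin ids, and the XML above is where they end up, but nothing on the page checks that the resulting file is sane before Vulnscand reads it. The following Python script is an added example (it is not OpenNMS or Vulnscand code) that reproduces the category filter of plugs.pl on a set of constructed plugin rows, renders a `<scan-level>` element, and validates a vulnscand-config.xml: every `<specific>` exclude must be an IP address, every plugin-list token must be a numeric plugin id, and the scan level referenced by `<managed-interfaces>` must exist. The sample rows, the sample config (with a placeholder server address and password), and the assumption that whitespace between plugin-list tokens is not significant are all mine, not the page's.

```python
"""Generate and sanity-check a Vulnscand scan-level plugin list.

Added example, not part of the OpenNMS page or project. The category
filter mirrors plugs.pl; the sample data below is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Categories plugs.pl leaves out of the plugin list (can disrupt the scanned host)
UNSAFE_CATEGORIES = {"attack", "denial", "destructive_attack", "kill_host", "flood"}

# Constructed sample rows (pluginid, category); in practice these come from
# "select pluginid, category from vulnPlugins" in the OpenNMS database.
SAMPLE_PLUGINS = [
    (13130, "infos"),
    (14336, "scanner"),
    (17005, "mixed"),
    (18519, "attack"),
    (12293, "denial"),
    (11113, "infos"),
    (18896, "flood"),
]

# Constructed minimal config; server address and password are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<vulnscand-configuration
        rescan-frequency="86400000"
        initial-sleep-time="300000"
        max-suspect-thread-pool-size="3"
        max-rescan-thread-pool-size="3"
        server-address="nessus.example.invalid"
        server-port="1241"
        server-username="opennms"
        server-password="CHANGE-ME"
        status="true">
        <managed-interfaces status="true" scan-level="3"/>
        <excludes>
                <specific>127.0.0.1</specific>
                <specific>10.193.253.25</specific>
        </excludes>
        <scan-level level="3" safe-checks="true" plugin-list="13130;14336;17005;"/>
</vulnscand-configuration>
"""


def select_safe_plugins(rows):
    """Return sorted plugin ids whose category is not in UNSAFE_CATEGORIES."""
    return sorted(pid for pid, cat in rows if cat not in UNSAFE_CATEGORIES)


def plugin_list_attribute(plugin_ids):
    """Format ids as 'id;id;...;' (same tokens plugs.pl prints, without newlines)."""
    return "".join(f"{pid};" for pid in plugin_ids)


def render_scan_level(level, plugin_ids, safe_checks=True):
    """Return a <scan-level> element string ready to paste into the config."""
    el = ET.Element("scan-level", {
        "level": str(level),
        "safe-checks": "true" if safe_checks else "false",
        "plugin-list": plugin_list_attribute(plugin_ids),
    })
    return ET.tostring(el, encoding="unicode")


def validate_config(xml_text):
    """Parse a vulnscand-config.xml and return a list of problems (empty if OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    # Every exclude entry must be a literal IP address, not a hostname
    for spec in root.iterfind("./excludes/specific"):
        value = (spec.text or "").strip()
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"bad exclude address: {value!r}")
    # Every plugin-list token must be a numeric Nessus plugin id
    levels = set()
    for sl in root.iterfind("scan-level"):
        levels.add(sl.get("level"))
        for tok in sl.get("plugin-list", "").split(";"):
            tok = tok.strip()
            if tok and not tok.isdigit():
                problems.append(f"bad plugin id {tok!r} in scan-level {sl.get('level')}")
    # managed-interfaces must point at a scan level that is actually defined
    mi = root.find("managed-interfaces")
    if mi is not None and mi.get("scan-level") not in levels:
        problems.append(f"managed-interfaces scan-level {mi.get('scan-level')!r} is not defined")
    return problems


if __name__ == "__main__":
    safe = select_safe_plugins(SAMPLE_PLUGINS)
    print(render_scan_level(3, safe))
    print("problems:", validate_config(SAMPLE_CONFIG) or "none")
```

Run it as `python3 vulnscand_check.py` to print a `<scan-level>` element built from the safe plugins and the validation result for the sample config; to check a real file, read it and pass its contents to `validate_config`.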


Set the Vulnscand log level to DEBUG in the logging configuration, restart OpenNMS, and you should start seeing scan activity against your nodes!


A word of caution: Vulnscand currently lacks an 'On/Off' feature; this is being worked on. It means that once a scan is due, Vulnscand will start scanning nodes regardless of production cycles. The current implementation idea is an allowed-cycle schedule where scanning begins in, for example, off-hours, quiets down during important production hours, and then picks up again where it left off.