The GSM appliance comes with various pre-defined scan configurations. However, they can be customized and expanded with your own configurations. The following configurations are already available from Greenbone:
The available scan configurations can be viewed under Configuration/Scan Configs. Remember that by default only the first 10 configurations are always displayed.
The figure "The GSM comes with various scan configurations." shows how many NVT families and how many NVTs are activated in a configuration. Additionally, it shows the trend, that is, whether a scan configuration was configured dynamically or statically.
Greenbone publishes new plugins regularly (NVTs). Also new NVT families can be introduced through the Greenbone Security Feed.
Scan configurations that are configured dynamically will include and activate new NVT families and new NVTs of the respective activated families automatically after an NVT Feed update. This ensures that new NVTs are available immediately and without any interaction by the administrator.
Scan configurations that are configured statically will not change after an NVT Feed update.
To make a configuration available the respective user, role or group must be assigned the get_configs permission. Then this configuration will be visible to the respective users as well.
On the following screen there is the option to import a scan configuration or to create one manually. Greenbone themselves offer different scan configurations on their web site. In addition, scan configurations can be exported on other GSM appliances and then imported.
When manually creating a scan configuration, enter the name and an optional comment and decide which scan configuration to use as a template. You can choose between:
Now the configuration can be customized. Of importance are the following settings:
Here it can be decided if a new family should be activated in this scan configuration.
In every family it can be decided if all NVTs in this family should be activated automatically.
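How the family-level and NVT-level choices between dynamic and static interact after a feed update, as an added example (a simplified Python model, not Greenbone's code). The class names, family names and NVT names are made up, and the model assumes that a newly introduced family is activated with all of its NVTs.

```python
# Added illustration: a simplified model of scan-config selection, not Greenbone code.
from dataclasses import dataclass, field


@dataclass
class FamilySelection:
    dynamic: bool                             # True: all NVTs of the family, future ones included
    pinned: set = field(default_factory=set)  # NVTs picked by hand when the family is static


@dataclass
class ScanConfig:
    families_dynamic: bool    # True: families introduced by the feed are activated
    families: dict            # family name -> FamilySelection


def active_nvts(config, old_feed, new_feed):
    """Return {family: NVT set} that the config runs once the feed is new_feed."""
    result = {}
    for family, nvts in new_feed.items():
        selection = config.families.get(family)
        if selection is None:
            # Unselected family: only a family the old feed did not have is
            # picked up, and only by a config that is dynamic at family level.
            if family not in old_feed and config.families_dynamic:
                result[family] = set(nvts)
        elif selection.dynamic:
            result[family] = set(nvts)
        else:
            result[family] = selection.pinned & set(nvts)
    return result


# Constructed feed snapshots (family and NVT names are made up).
OLD_FEED = {"Web Servers": {"nvt-a", "nvt-b"}, "Databases": {"nvt-c"}}
NEW_FEED = {"Web Servers": {"nvt-a", "nvt-b", "nvt-d"},
            "Databases": {"nvt-c", "nvt-e"},
            "Containers": {"nvt-f"}}

MIXED = ScanConfig(True, {"Web Servers": FamilySelection(True),
                          "Databases": FamilySelection(False, {"nvt-c"})})
STATIC = ScanConfig(False, {"Web Servers": FamilySelection(False, {"nvt-a", "nvt-b"}),
                            "Databases": FamilySelection(False, {"nvt-c"})})

if __name__ == "__main__":
    for label, cfg in (("mixed", MIXED), ("static", STATIC)):
        print(label, active_nvts(cfg, OLD_FEED, NEW_FEED))
```

In the mixed configuration the static family keeps its pinned NVT and misses the new check, while the fully static configuration returns the same selection before and after the update.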
When scrolling further down the Scanner Preferences will appear (see section Scanner Preferences). Here additional settings for the scan can be performed. Also, there are the NVT preferences that are being used by the NVTs. They can be customized here. Furthermore there is the possibility to define the settings directly within the respective NVTs.
To make changes to the NVTs you must switch into the respective family.
After selecting a family the individual NVTs can be accessed. The NVTs that are part of a family and their severity can be viewed.
The status (enabled/disabled) and the timeout of the NVT plugin can also be viewed, and it can be verified whether the NVT can be configured further via a configuration (column Prefs). If this is the case, the configuration can be accessed via the respective wrench icon. The settings can be found all the way at the bottom of the page that opens next.
The customized settings of the NVTs are then visible on the overview page of the scan configuration (see the figures "The configuration offers many customization options." and "The configuration allows for specific customization of the NVTs as well.").
For practical use, the settings of the port scanner in use are of particular interest. The GSM appliance utilizes Nmap and Ping as port scanners. Nmap is used via the NASL wrapper. This allows for the greatest flexibility.
To document all scanner and NVT preferences is out of scope of this document. Therefore only the most important general settings and specific settings of the Ping and Nmap-scanners will be covered.
auto_enable_dependencies: NVTs that are required by other NVTs will be activated automatically.
cgi_path: This is the path that will be used by the NVTs to access CGI scripts.
checks_read_timeout: This is the timeout for the network sockets during a scan.
drop_privileges: With this parameter the OpenVAS scanner gives up root privileges before the start of the NVTs. This increases the security but results in fewer findings with some NVTs.
host_expansion: Three different values are allowed:
dns: Performs an AXFR zone transfer on the target system and tests the systems that were found.
nfs: Tests the systems that are allowed access to NFS shares on the target system.
ip: Scans the specified subnet.
log_whole_attack: If this option is enabled, the system logs the run time of each individual NVT. Otherwise only the start and completion of a scan are logged. This reduces required storage space on the hard disk.
network_scan: Experimental option, which scans the entire network all at once instead of starting Nmap for each individual host. This can save time in specific environments.
non_simult_ports: These ports are not being tested simultaneously by NVTs.
optimize_test: NVTs will only be started if specific pre-requisites are met (i.e. open port).
plugins_timeout: Maximum run time of an NVT.
report_host_details: Detailed information about the host is saved to the report.
safe_checks: Some NVTs can cause damage on the host system. This setting disables those respective NVTs.
unscanned_closed: This parameter defines if TCP ports that were not scanned should be treated like closed ports.
unscanned_closed_udp: This parameter defines if UDP ports that weren’t scanned should be treated as closed ports.
use_mac_addr: Systems will be identified by MAC address and not by IP address. This could be beneficial in a DHCP environment.
vhosts: If the GSM is to scan a web server with name-based virtual hosts, the settings vhosts and vhosts_ip can be used. In the setting vhosts the names of the virtual hosts are entered comma-separated.
vhosts_ip: If the GSM is to scan a web server with name-based virtual hosts, the settings vhosts and vhosts_ip can be used. In the setting vhosts_ip the IP address of the web server is entered. The report cannot indicate in which virtual instance an NVT discovered a vulnerability.
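The combination of optimize_test with unscanned_closed and unscanned_closed_udp decides whether a service on a port outside the port list gets tested at all. The following added example is a simplified Python model of that gating, not scanner code; the NVT names, the port data and the yes/no preference values are assumptions.

```python
# Added illustration: simplified model of NVT launch gating, not OpenVAS scanner code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Nvt:
    name: str                                  # hypothetical NVT name
    required_port: Optional[Tuple[str, int]]   # (protocol, port) that must be open, or None


def port_considered_open(proto, port, scanned, open_ports, prefs):
    """Decide how a port is treated when an NVT asks for it."""
    if (proto, port) in scanned:
        return (proto, port) in open_ports     # probed: use the real result
    key = "unscanned_closed" if proto == "tcp" else "unscanned_closed_udp"
    return prefs[key] != "yes"                 # not probed: the preference decides


def nvts_to_launch(nvts, scanned, open_ports, prefs):
    """Return the names of the NVTs that would be started against one host."""
    launched = []
    for nvt in nvts:
        gated = prefs["optimize_test"] == "yes" and nvt.required_port is not None
        if not gated or port_considered_open(*nvt.required_port, scanned, open_ports, prefs):
            launched.append(nvt.name)
    return launched


# Constructed scan result: the port list covered tcp/22, tcp/80 and tcp/443.
SCANNED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
OPEN = {("tcp", 22), ("tcp", 443)}
NVTS = [
    Nvt("ssh-check", ("tcp", 22)),
    Nvt("http-check", ("tcp", 80)),
    Nvt("alt-http-check", ("tcp", 8080)),      # port was never probed
    Nvt("snmp-check", ("udp", 161)),           # port was never probed
    Nvt("host-check", None),
]
STRICT = {"optimize_test": "yes", "unscanned_closed": "yes", "unscanned_closed_udp": "yes"}

if __name__ == "__main__":
    print("strict:", nvts_to_launch(NVTS, SCANNED, OPEN, STRICT))
    relaxed = dict(STRICT, unscanned_closed="no")
    print("unscanned_closed=no:", nvts_to_launch(NVTS, SCANNED, OPEN, relaxed))
```

With the strict settings a web service listening on tcp/8080 is never tested, which is why the port list of the target and these two preferences need to be reviewed together.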
The Ping-Scanner-NVT contains the following configuration parameters.
Remember that the Alive Test settings of a target object can overwrite some settings of the Ping-Scanner.
The following options will be directly translated into options for the execution of the nmap command. Therefore additional information can be found in the documentation for nmap.
Host: IP address can be found. If the option Do not scan targets not in the file is set at the same time only systems contained in the file will be scanned.
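The timing policy uses the following values. The column names are the corresponding nmap options:

| Policy | --initial-rtt-timeout | --min-rtt-timeout | --max-rtt-timeout | --max-parallelism | --scan-delay | --max-scan-delay |
|---|---|---|---|---|---|---|
| Paranoid | 5 min | 100 ms | 10 sec | Serial | 5 min | 1 sec |
| Sneaky | 15 sec | 100 ms | 10 sec | Serial | 15 sec | 1 sec |
| Polite | 1 sec | 100 ms | 10 sec | Serial | 400 ms | 1 sec |
| Normal | 1 sec | 100 ms | 10 sec | Parallel | 0 sec | 1 sec |
| Aggressive | 500 ms | 100 ms | 1250 ms | Parallel | 0 sec | 10 ms |
| Insane | 250 ms | 50 ms | 300 ms | Parallel | 0 sec | 5 ms |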