Greenbone Security Manager
with Greenbone OS 4.3
User Manual

Greenbone Networks GmbH
Neumarkt 12
49074 Osnabrück, Germany
https://www.greenbone.net
Status: GOS 4, July 25, 2019

This is the manual for the Greenbone Security Manager with Greenbone OS (GOS) version 4. Due to the numerous functional and other differences between GOS 4 and previous versions, this manual should not be used with older versions of GOS.
The Greenbone Security Manager is under constant development. This manual attempts to always document the latest software release. It is, however, possible that the latest functionality has not yet been captured in this manual.
Should you have additional notes or error corrections for this manual, please send an email to support (mailto:[email protected]).

Contributors to this manual are:


• Greenbone Networks GmbH
• OpenSource Training Ralf Spenneberg
• Alexander Rau, arX IT Services

The copyright for this manual is held by the company Greenbone Networks GmbH. Greenbone and the
Greenbone logo are registered trademarks of Greenbone Networks GmbH. Other logos and registered
trademarks used within this manual are the property of their respective owners and are used only for
explanatory purposes.
Contents

1 Introduction 1

2 Read Before Use 3

3 Greenbone Security Manager – Overview 5


3.1 Physical Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.1 Large Enterprise Class – GSM 5400/6500 . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.2 Medium Enterprise Class – GSM 400/600/650 . . . . . . . . . . . . . . . . . . . . 6
3.1.3 Small Enterprise/Small Branch (SME/SMB) Class – GSM 150 . . . . . . . . . . . . 6
3.1.4 Physical Sensor – GSM 35 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 Virtual Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.1 Small Enterprise/Small Branch (SME/SMB) Class – GSM 150V . . . . . . . . . . . 8
3.2.2 Virtual Sensor – GSM 25V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.3 GSM ONE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.4 GSM MAVEN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 GSM CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

4 Upgrading from GOS 3 to GOS 4 13


4.1 GSM ONE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2 GSM 25V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.3 GSM 25 and GSM 100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.4 GSM 400 up to GSM 6400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.5 Upgrading GOS 4.2 to GOS 4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.5.1 Upgrading GOS 4.2 to the Latest Patch Level . . . . . . . . . . . . . . . . . . . . . . 14
4.5.2 Upgrading to GOS 4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5.3 Updating the Flash Card to the Latest Version . . . . . . . . . . . . . . . . . . . . . 17
4.6 Changes of default behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5 Guideline for Using the Greenbone Security Manager 19

6 Managing the Greenbone Operating System 21


6.1 General Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
6.1.1 Authorization Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
6.1.2 User Level Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
6.1.3 GOS Administration Menu Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Logging in as an Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
System Administration Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
6.1.4 Committing Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.2 Setup Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.2.1 Users Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Changing the System Administrator Password . . . . . . . . . . . . . . . . . . . . . 24
Managing Web Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Creating a Web Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

i
Enabling a Guest User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Creating a Super Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Deleting a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Changing a User Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Changing the Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.2.2 Configuring the Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Switching an Interface to Another Namespace . . . . . . . . . . . . . . . . . . . . . 28
Configuring Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuring the DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configuring the Global Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Setting the Host Name and the Domain Name . . . . . . . . . . . . . . . . . . . . . . 33
Restricting the Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Displaying the MAC and IP addresses and the Network Routes . . . . . . . . . . . . 35
6.2.3 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Configuring HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configuring GMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuring a Port for the Temporary HTTP Server . . . . . . . . . . . . . . . . . . . 46
6.2.4 Importing a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
6.2.5 Configuring Periodic Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.2.6 Configuring the Feed Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Adding a GSF Subscription Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Enabling or Disabling Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Configuring the Synchronization Port . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting the Synchronization Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Cleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.7 Configuring the GSM as an Airgap Master/Slave . . . . . . . . . . . . . . . . . . . . 53
Using the Airgap USB Stick . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Using the Airgap FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.2.8 Configuring the Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.2.9 Selecting the Keyboard Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.2.10 Configuring Automatic E-Mails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Configuring the Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Configuring the E-Mail Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.2.11 Configuring the Collection of Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Configuring the Logging Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Managing HTTPS Certificates for Logging . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.2.12 Setting the Maintenance Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.3 Maintenance Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.3.1 Performing a Selfcheck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.3.2 Performing a Backup and Restoring a Backup . . . . . . . . . . . . . . . . . . . . . 62
Performing a Backup Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Restoring a Backup Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Performing or Restoring a Backup Using a USB Stick . . . . . . . . . . . . . . . . . . 64
6.3.3 Performing a GOS Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.3.4 Performing a GOS Upgrade on Sensors . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.3.5 Performing a Feed Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.3.6 Performing a Feed Update on Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.3.7 Upgrading the Flash Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.3.8 Rebooting and Shutting down the Appliance . . . . . . . . . . . . . . . . . . . . . . 66
Rebooting the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Shutting down the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.4 Advanced Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.4.1 Displaying Log Files of the GSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.4.2 Performing Advanced Administrative Work . . . . . . . . . . . . . . . . . . . . . . . 68
Managing the Superuser Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Generating and Downloading a Support Package . . . . . . . . . . . . . . . . . . . . 70

ii
Accessing the Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.4.3 Displaying the Subscription Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.4.4 Displaying the Copyright File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6.5 Displaying Information about the GSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

7 Getting to Know the Web Interface 75


7.1 Concepts of the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
7.1.1 Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Main Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Scan dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Assets dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
SecInfo dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
7.1.2 Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
7.1.3 Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.1.4 Filtering the Page Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Using the Filter Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Syntax of the Powerfilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Examples for Powerfilters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Saving and Managing Powerfilters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
7.1.5 Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
7.2 List Pages and Details Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
7.3 Using the Trashcan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.4 Changing the User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
7.5 Setting the Auto-Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
7.6 Displaying the Feed Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

8 Managing the Web Interface 91


8.1 Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
8.1.1 Creating and Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
8.1.2 Simultaneous Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
8.1.3 Creating a Guest Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
8.1.4 Creating a Super Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
8.2 Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
8.2.1 Creating and Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
8.2.2 Granting Read Access to Other Users . . . . . . . . . . . . . . . . . . . . . . . . . . 96
8.3 Managing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
8.4 Managing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
8.4.1 Creating and Managing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.4.2 Creating Permissions from the Resource Details Page . . . . . . . . . . . . . . . . 99
8.4.3 Super Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
8.4.4 Sharing Individual Objects for Other Users . . . . . . . . . . . . . . . . . . . . . . . 102
8.5 Using a Central User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
8.5.1 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
8.5.2 LDAP with SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
8.5.3 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

9 Scanning a System 109


9.1 Performing a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
9.1.1 Running a Simple Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using the Task Wizard for a First Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using the Advanced Task Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Using the Wizard to Modify a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configuring a Scan Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
9.1.2 Running an Authenticated Scan Using Local Security Checks . . . . . . . . . . . . 119
Advantages and Disadvantages of Authenticated Scans . . . . . . . . . . . . . . . . 120
Using Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Requirements on Target Systems with Microsoft Windows . . . . . . . . . . . . . . 123
Requirements on Target Systems with Linux/UNIX . . . . . . . . . . . . . . . . . . . 133
Requirements on Target Systems with ESXi . . . . . . . . . . . . . . . . . . . . . . . 134

iii
Requirements on Target Systems with Cisco OS . . . . . . . . . . . . . . . . . . . . . 136
9.1.3 Running a Prognosis Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
9.2 Creating a Container Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
9.3 Managing Scan Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
9.3.1 List Page of all Scan Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
9.3.2 Details Page of a Scan Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
9.3.3 Creating a New Scan Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
9.3.4 Importing a Scan Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
9.3.5 Editing the Scanner Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
General Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Ping Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Nmap NASL Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
9.4 Obstacles While Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9.4.1 Hosts not Found . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9.4.2 Long Scan Periods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9.4.3 NVT not Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9.5 Performing a Scheduled Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9.6 Managing the Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
9.6.1 List Page of all Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
9.6.2 Details Page of a Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
9.6.3 Creating a New Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
9.7 Using Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
9.7.1 Creating a New Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
9.7.2 Assigning an Existing Alert to a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

10 Reports and Vulnerability Management 159


10.1 Managing Report Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
10.2 Reading a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
10.3 Filtering a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
10.4 Exporting a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
10.5 Displaying the Total Number of Reports for the same Task . . . . . . . . . . . . . . . . . . 166
10.6 Trend of a Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
10.7 Creating a Delta Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
10.8 Displaying Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
10.9 Using Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
10.9.1 Creating a Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
10.9.2 Generalizing Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
10.9.3 Managing Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
10.10 Overrides and False Positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
10.10.1 Creating an Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
10.10.2 Disabling and Enabling Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
10.10.3 Automatic False Positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

11 Asset Management 175


11.1 Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
11.2 Creating and Editing Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
11.2.1 Modifying Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
11.2.2 Adding Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
11.2.3 Host Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
11.3 Operating Systems View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
11.4 Classic Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

12 SecInfo Management 181


12.1 SecInfo Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
12.2 Network Vulnerability Tests (NVT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
12.3 Security Content Automation Protocol (SCAP) . . . . . . . . . . . . . . . . . . . . . . . . . . 183
12.3.1 CVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
12.3.2 CPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
12.3.3 OVAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

iv
12.3.4 CVSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
12.4 DFN-CERT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
12.5 CERT-Bund . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

13 Compliance and Special Scans 191


13.1 Generic Policy Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
13.1.1 Checking File Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
13.1.2 Checking Registry Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Registry Content Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
13.1.3 Checking File Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Checksum Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Example Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
13.1.4 CPE-Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Simple CPE-Based Checks for Security Policies . . . . . . . . . . . . . . . . . . . . . 204
Checking Policy Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Detecting the Presence of Problematic Products . . . . . . . . . . . . . . . . . . . . 209
Detecting the Absence of Important Products . . . . . . . . . . . . . . . . . . . . . . 211
13.2 Standard Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
13.2.1 IT-Grundschutz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Checking IT-Grundschutz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Importing Results into a Spreadsheet Application . . . . . . . . . . . . . . . . . . . 218
Importing Results into IT-Grundschutz Tools . . . . . . . . . . . . . . . . . . . . . . . 219
Result Classes of IT-Grundschutz Checks . . . . . . . . . . . . . . . . . . . . . . . . . 220
Supported measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
13.2.2 PCI DSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Payment Card Industry Data Security Standard . . . . . . . . . . . . . . . . . . . . . 226
Greenbone Security Manager and PCI DSS . . . . . . . . . . . . . . . . . . . . . . . . 226
Policy Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
13.2.3 BSI TR-03116: Kryptographische Vorgaben für Projekte der Bundesregierung . . 227
13.2.4 Cyber Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Testing for Compliance with Cyber Essentials . . . . . . . . . . . . . . . . . . . . . . 230
13.2.5 General Data Protection Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Testing Technical Requirements of GDPR . . . . . . . . . . . . . . . . . . . . . . . . . 232
13.3 Special Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
13.3.1 Mailserver Online Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
13.4 TLS-Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
13.4.1 Preparing the Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
13.4.2 Checking for TLS and Exporting the Scan Results . . . . . . . . . . . . . . . . . . . 236
13.5 OVAL System Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
13.5.1 Preparing the Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
13.5.2 Collecting and Exporting Scan Results as OVAL SCs . . . . . . . . . . . . . . . . . . 239
13.6 Policy Control Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

14 Greenbone Management Protocol 245


14.1 Changes to GMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
14.2 Activating GMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
14.3 Accessing with gvm-cli.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
14.3.1 Configuring the Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
14.3.2 Starting a Scan Using gvm-cli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
14.4 gvm-pyshell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

v
14.4.1 Starting a Scan Using gvm-pyshell . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
14.5 Example Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
14.5.1 Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

15 Master-Sensor Setup 253


15.1 Configuring a Master-Sensor Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
15.1.1 Connecting a Master to a Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
15.1.2 Creating a Scan User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
15.2 Deploying Sensors in Secure Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
15.3 Configuring a Sensor as a Remote Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
15.4 Using a Remote Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

16 Performance 261
16.1 Scan Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
16.1.1 Selecting a Port List for a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Ports and Port Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Creating a new Port List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Which Port List for which Scan Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Scan Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Total Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
16.1.2 Scan Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
16.1.3 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
16.2 Backend Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
16.3 Appliance Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

17 Integration with Other Systems 267


17.1 Integration with Third-Party Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
17.1.1 OSP Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
17.2 Verinice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
17.2.1 IT Security Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Importing of the ISM Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Creating Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Remediating Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
17.2.2 IT-Grundschutz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Importing the ITG Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
17.3 Nagios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
17.3.1 Configuring the GSM User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
17.3.2 Configuring the Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
17.3.3 Caching and Multiprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
17.4 Firepower Management Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
17.4.1 Installing the Report Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
17.4.2 Configuring the Host-Input-API clients . . . . . . . . . . . . . . . . . . . . . . . . . 279
17.4.3 Configuring Alerts on the GSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
17.5 Alemba vFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
17.5.1 Prerequisites for Alemba vFire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
17.5.2 Configuring the Alemba vFire Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
17.6 Splunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
17.6.1 Configuring the Splunk Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
17.6.2 Accessing the Information in Splunk . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

18 Tools 285
18.1 GVM-Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
18.2 Splunk Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

19 Setup Guides 289


19.1 GSM 5400/6500 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
19.1.1 Installing the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
19.1.2 Utilizing the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
19.1.3 Starting the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

19.1.4 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
19.1.5 Logging into the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
19.2 GSM 400/600/650 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
19.2.1 Installing the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
19.2.2 Utilizing the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
19.2.3 Starting the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
19.2.4 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
19.2.5 Logging into the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
19.3 GSM 150 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
19.3.1 Installing the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
19.3.2 Utilizing the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
19.3.3 Starting the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
19.3.4 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
19.3.5 Logging into the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
19.4 GSM 35 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
19.4.1 Installing the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
19.4.2 Utilizing the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
19.4.3 Starting the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
19.4.4 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
19.5 GSM 150V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
19.5.1 Setup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Supported Hypervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Verification of Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
19.5.2 Deploying the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
19.5.3 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
19.5.4 Logging into the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
19.6 GSM 25V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
19.6.1 Setup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Supported Hypervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Verification of Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
19.6.2 Deploying the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
19.6.3 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
19.7 GSM ONE/MAVEN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
19.7.1 Setup Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Supported Hypervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Verification of Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
19.7.2 Deploying the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
19.7.3 Performing a General System Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
19.7.4 Logging into the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
19.7.5 GSM ONE/MAVEN Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

20 Architecture 311
20.1 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
20.2 Security Gateway Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
20.2.1 Standalone/Master GSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
20.2.2 Sensor GSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

21 Frequently Asked Questions 317


21.1 Why is the Scanning Process so Slow? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
21.2 Why Does the Scan Trigger Alarms at Other Security Tools? . . . . . . . . . . . . . . . . . . 317
21.3 Why Does a VNC Dialog Appear on the Scanned Target System? . . . . . . . . . . . . . . . 317
21.4 Why Does Neither Feed Update nor GOS Upgrade Work After a Factory Reset? . . . . . . 318

22 Glossary 319
22.1 Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
22.2 Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

22.3 CERT-Bund Advisory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
22.4 CPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
22.5 CVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.6 CVSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.7 DFN-CERT Advisory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.8 Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.9 Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.10 Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.11 Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.12 Network Vulnerability Test (NVT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
22.13 OVAL Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
22.14 Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
22.15 Permission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
22.16 Port List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
22.17 Quality of Detection (QoD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
22.18 Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
22.19 Report Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.20 Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.21 Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.22 Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.23 Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.24 Scan Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.25 Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
22.26 Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
22.27 Solution Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
22.28 Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
22.29 Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
22.30 Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Index 327

CHAPTER 1

Introduction

Vulnerability management is a core element in modern information technology (IT) compliance. IT
compliance is defined as the adherence to legal, corporate and contractual rules and regulations as
they relate to IT infrastructures. In this context IT compliance mainly concerns information security,
availability, storage and privacy. Companies and agencies have to comply with many legal obligations
in this area.
The control and improvement in IT security is an ongoing process that consists at a minimum of these
three steps:
• Discovery of the current state
• Taking actions to improve the current state
• Review of the measures taken
The Greenbone Security Manager (GSM) assists companies and agencies with automated and integrated
vulnerability assessment and management. Its task is to discover vulnerabilities and security gaps
before a potential attacker does. The GSM can take the different perspectives of an attacker:
External: The GSM scans the network from the outside. This way it can identify misconfigured
firewalls.
DMZ: Here the GSM identifies actual vulnerabilities. These could be exploited by attackers if they
get past the firewall.
Internal: Many attacks are executed internally, by insiders, through social engineering or by a worm.
This is why this perspective is very important for the security of the IT infrastructure.
For DMZ and internal scans, a distinction is made between authenticated and non-authenticated scans.
When performing an authenticated scan the GSM logs in with credentials and can discover vulnerabilities
in applications that are not running as a network service but still carry a high risk potential, such as
web browsers, office applications or PDF viewers. For a further discussion of the advantages and
disadvantages of authenticated scans see section Advantages and Disadvantages of Authenticated
Scans (page 120).
Because new vulnerabilities are discovered daily, systems must be updated and tested regularly. The
Greenbone Security Feed ensures that the GSM is provided with the latest testing routines and can
reliably discover the latest vulnerabilities. Greenbone analyzes CVE [1] entries and vendor security
bulletins and develops new testing routines daily.
With a scan using the Greenbone Security Manager, staff responsible for IT receive a list of vulnerabilities
that have been identified on the network. Especially if no vulnerability management has been practiced
before, the list is often extensive. To select remediation measures, prioritization is inevitable. Most
important are the measures that protect against critical risks and close the respective security holes.
[1] The Common Vulnerabilities and Exposures (CVE) project is a vendor-neutral dictionary of publicly
known vulnerabilities; each entry carries a unique identifier under which the vulnerability is referenced.


The GSM utilizes the Common Vulnerability Scoring System (CVSS). CVSS is an industry standard for
the classification and rating of vulnerabilities. This assists in prioritizing the remediation measures.
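The CVSS base score is the number the GSM sorts on when it ranks results by severity, so it is worth seeing how a base vector becomes a score and a severity class. The following Python script is an added example, not code from this manual or from GOS. It implements the published CVSS v2 base-score formula and buckets the result into severity classes. Two things are assumptions rather than statements of this page: that the vectors are CVSS v2 (the format the NVT feed used at the time of GOS 4), and the class thresholds High 7.0 to 10.0, Medium 4.0 to 6.9, Low 0.1 to 3.9 and Log 0.0. The sample findings at the bottom are constructed for illustration.

```python
"""
Added example (not part of the Greenbone manual or of GOS): CVSS v2 base-score
calculator plus a mapping onto severity classes as used for prioritization.

Assumptions not stated on the page: vectors are CVSS v2 base vectors, and the
severity classes follow the thresholds 7.0-10.0 / 4.0-6.9 / 0.1-3.9 / 0.0.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as defined in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Only the six base metrics are accepted; temporal/environmental ones are rejected.
METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}, rejecting junk."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in METRIC_TABLES or value not in METRIC_TABLES[key]:
            raise ValueError(f"bad metric {part!r} in vector {vector!r}")
        metrics[key] = value
    missing = [k for k in METRIC_TABLES if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks metrics {missing}")
    return metrics


def _round1(x: float) -> float:
    """Round half up to one decimal, as the spec's round_to_1_decimal does."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score (0.0 .. 10.0) for a base vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # a vector with no impact scores 0.0
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity_class(score: float) -> str:
    """Map a score onto the assumed severity classes High/Medium/Low/Log."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Log"


def prioritize(findings):
    """
    Order (name, vector) pairs so the findings to remediate first come first:
    highest base score first, ties broken by name for a stable report.
    Returns a list of (name, score, class) tuples.
    """
    scored = []
    for name, vec in findings:
        score = base_score(vec)
        scored.append((name, score, severity_class(score)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    # Constructed sample findings; names and vectors are illustrative only.
    sample = [
        ("Outdated TLS library on web server", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
        ("Remote code execution in mail daemon", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
        ("Local information leak in PDF viewer", "AV:L/AC:L/Au:N/C:P/I:N/A:N"),
        ("Service banner reveals version", "AV:N/AC:L/Au:N/C:N/I:N/A:N"),
    ]
    for name, score, cls in prioritize(sample):
        print(f"{score:4.1f}  {cls:6}  {name}")
```

Running the script prints the constructed findings in remediation order, the full-compromise vector first (10.0, High) and the banner-only finding last (0.0, Log). The impact factor f(Impact) is what makes a vector with no confidentiality, integrity or availability impact score exactly 0.0 regardless of how easy it is to reach.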
To deal with vulnerabilities fundamentally two options exist:
1. Removal of the vulnerability through updating the software, removal of the component or a
change in configuration.
2. Implementation of a rule in a firewall or intrusion prevention system (virtual patching).
Virtual patching is the apparent remediation of a vulnerability through a compensating control. The
real vulnerability still exists: the attacker can still exploit it if the compensating control fails or
can be bypassed by an alternative approach. An actual patch or update of the affected software is
always preferable to virtual patching.
The Greenbone Security Manager also supports testing the implemented remediation measures. With its
help responsible IT staff can document the current state of IT security, recognize changes and document
these changes in reports. To communicate with management the GSM offers an abstraction of the technical
details in simple graphics or in the form of a traffic light that displays the state of security in the
colours red, yellow and green. This way the IT security process can be visualized in a simplified way.

CHAPTER 2

Read Before Use

The Greenbone Security Manager (GSM) includes a full-featured Vulnerability Scanner. While the vul-
nerability scanner is designed to have a minimal invasive impact on your network environment, it still
needs to interact and communicate with the target systems which are analyzed during a vulnerability
scan.
Remember that it is the fundamental task of this solution to find and identify otherwise undetected
vulnerabilities. The scanner must behave to a certain extent like a real attacker would.
While the default and recommended settings reduce the impact of the vulnerability scanner on the
environment to a minimum, unwanted side effects may still occur. The scanner settings allow the
control and refinement of the scanner's effects. Please be aware of the following general side effects:
• Log and alert messages may show up on the target systems triggered by the probes of the vul-
nerability scanner.
• Log and alert messages may show up on firewalls and intrusion detection and prevention sys-
tems.
• Scans may increase latency on the target and/or the network being scanned, in extreme cases
resulting in situations similar to a denial of service (DoS) attack.
• Scans may trigger bugs in fragile or insecure applications resulting in faults or crashes.
• Scans may result in user accounts being locked due to the testing of default user-
name/password combinations.
• Embedded systems and elements of operational technology with weak network stacks are es-
pecially subject to possible crashes or even broken devices.
Remember that triggering faults, crashes or locking with default settings means that an attacker can
do the very same at unplanned times and to an unplanned extent. Finding out about it earlier than the
attacker is the key to resilience.
While these side effects are very rare when using the default and recommended settings, the vulnerability
scanner allows the configuration of invasive behavior, which increases the probability of the effects
listed above.
Before using the GSM to scan the target systems in your environment please be aware of these facts
and verify that you are authorized to execute such scans.


CHAPTER 3

Greenbone Security Manager – Overview

The Greenbone Security Manager (GSM) is a dedicated appliance for vulnerability scanning and vulnerability
management. It is offered in different performance levels.

Fig. 3.1: Solution overview physical appliances


3.1 Physical Appliances

3.1.1 Large Enterprise Class – GSM 5400/6500

The GSM 6500 and GSM 5400 are designed for the operation in large companies and agencies. The
appliances themselves can be controlled as remote sensors by another appliance.
Aside from the current GSM 5400 and GSM 6500 appliances, Greenbone Networks is still fully sup-
porting the older appliances in this class (GSM 5300/6400).
The appliances in the Large Enterprise Class come in a 2U 19” chassis for easy integration into the
data center. For easy installation and monitoring they are equipped with a two line LCD display with
16 characters per line. For uninterruptible operation they have redundant, hot swappable power sup-
plies, hard drives and fans.
For managing the appliance, a serial port is available in addition to an out-of-band management Eth-
ernet port. The serial port is set up as a Cisco compatible console port.
To connect to the monitored systems the appliances can be equipped with three modules. The fol-
lowing modules can be used in any order:
• 8 Port Gigabit Ethernet 10/100/1000 Base-TX (copper)
• 8 Port Gigabit Ethernet SFP (Small Form-factor Pluggable)
• 2 Port 10-Gigabit Ethernet XFP

3.1.2 Medium Enterprise Class – GSM 400/600/650

The GSM 400, GSM 600 and GSM 650 are designed for medium-sized companies and agencies as well
as larger branch offices. The appliances themselves can be controlled as remote sensors by another
appliance.
Aside from the current GSM 400, GSM 600 and GSM 650 appliances, Greenbone Networks is still fully
supporting the older appliances in this class (GSM 500/510/550).
The appliances in the Medium Enterprise Class come in a 1U 19” chassis for easy integration into the
data center. For easy installation and monitoring they are equipped with a two line LCD display with
16 characters per line. For uninterruptible operation the appliances come with redundant fans.
For managing the appliance, a serial port is available in addition to a management Ethernet port. The
serial port is set up as a Cisco compatible console port.
To connect to the monitored systems the appliances are equipped with eight ports in total, pre-
configured and set up as follows:
• 6 Port Gigabit Ethernet 10/100/1000 Base-TX (copper)
• 2 Port Gigabit Ethernet SFP (Small Form-factor Pluggable)
A modular configuration of the ports is not possible. One of these ports is also used as management
port.

3.1.3 Small Enterprise/Small Branch (SME/SMB) Class – GSM 150

The GSM 150 is designed for small companies and agencies as well as small to medium branch offices.
Controlling sensors in other security zones is not considered. However, the GSM 150 itself can be
controlled as a remote sensor by another appliance.
The appliance comes in a 1U steel chassis. For easy integration into the data center an optional rack-
mount kit can be used. The appliance does not come with a display.


Fig. 3.2: Solution overview virtual appliances


Fig. 3.3: GSM of the Large Enterprise Class

Fig. 3.4: GSM of the Medium Enterprise Class

For managing the appliance, a serial port is available in addition to a management Ethernet port. The
serial port is set up as a Cisco compatible console port.
To connect to the monitored systems the appliance comes with four Gigabit Ethernet 10/100/1000
Base-TX (copper) ports in total. One of these ports is also used as management port.

3.1.4 Physical Sensor – GSM 35

The GSM 35 is designed as a sensor for smaller companies and agencies as well as small branches.
The GSM 35 requires the control of an additional appliance in master mode. GSMs of the Medium
Enterprise Class and the Large Enterprise Class (GSM 400 and beyond) can be utilized as masters for
the GSM 35.
The appliance comes in a 1U steel chassis. For easy integration into the data center an optional rack-
mount kit can be used. The appliance does not come with a display.
For managing the appliance, a serial port is available in addition to a management Ethernet port. The
serial port is set up as a Cisco compatible console port.
To connect to the monitored systems the appliance comes with four Gigabit Ethernet 10/100/1000
Base-TX (copper) ports in total. One of these ports is also used as management port.

3.2 Virtual Appliances

3.2.1 Small Enterprise/Small Branch (SME/SMB) Class – GSM 150V

The GSM 150V is a virtual appliance designed for small companies and agencies as well as small to
medium branch offices. Controlling sensors in other security zones is not considered. However, the
GSM 150V itself can be controlled as a remote sensor by another appliance.

Fig. 3.5: GSM of the SME/SMB Class


Fig. 3.6: Physical sensor

The GSM 150V can be deployed using VMware on Microsoft Windows, MacOS and Linux systems.

Fig. 3.7: Virtual GSM of the SME/SMB Class

To connect to the monitored systems the appliance comes with four dynamic, virtual ports in total.
One of these ports is also used as management port.

3.2.2 Virtual Sensor – GSM 25V

The GSM 25V is designed as a virtual sensor for smaller companies and agencies as well as small
branches. It provides a simple and cost-effective option to monitor virtual infrastructures.
The GSM 25V can be deployed using VMware on Microsoft Windows, MacOS and Linux systems.
The GSM 25V requires the control of an additional appliance in master mode. GSMs of the Medium
Enterprise Class and the Large Enterprise Class (GSM 400 and beyond) can be utilized as masters for
the GSM 25V.

Fig. 3.8: Virtual sensor

To connect to the monitored systems the appliance comes with four dynamic, virtual ports in total.
One of these ports is also used as management port.

3.2.3 GSM ONE

The GSM ONE is designed for specific requirements such as audit using a laptop or educational pur-
poses. It can neither control other sensors nor be controlled as a sensor by another appliance.
The GSM ONE can be deployed using VMware on Microsoft Windows, MacOS and Linux systems.
The GSM ONE comes with one virtual port used for management, scan and updates.
The GSM ONE has all the functions of the Medium and Large Enterprise Class except for the following:


Fig. 3.9: GSM ONE

• Master mode: The GSM ONE cannot control other appliances as sensors.
• Sensor mode: The GSM ONE cannot be controlled as a remote sensor by another appliance.
• Alerts: The GSM ONE cannot send any alerts via SMTP, SNMP, syslog or HTTP.
• VLANs: The GSM ONE does not support VLANs on the virtual port.

Note: The GSM ONE is optimized for the usage on a mobile computer. Features required for enterprise
vulnerability management like schedules, alerts and remote scan engines are only available on the full
featured appliances.

3.2.4 GSM MAVEN

The GSM MAVEN is designed for micro offices as well as small branches. It can neither control other
sensors nor be controlled as a sensor by another appliance.
The GSM MAVEN can be deployed using VMware on Microsoft Windows, MacOS and Linux systems.

Fig. 3.10: GSM MAVEN

The GSM MAVEN comes with one virtual port used for management, scan and updates.
The GSM MAVEN has all the functions of the Medium and Large Enterprise Class except for the fol-
lowing:
• Master mode: The GSM MAVEN cannot control other appliances as sensors.
• Sensor mode: The GSM MAVEN cannot be controlled as a remote sensor by another appliance.
• Alerts: The GSM MAVEN cannot send any alerts via SMTP, SNMP, syslog or HTTP.
• VLANs: The GSM MAVEN does not support VLANs on the virtual port.

Note: The GSM MAVEN is optimized for the usage on a mobile computer. Features required for enter-
prise vulnerability management like schedules, alerts and remote scan engines are only available on
the full featured appliances.


3.3 GSM CE

The GSM Community Edition (GSM CE) is a derivative of the GSM ONE for evaluation purposes. The
GSM CE can be deployed using VirtualBox on Microsoft Windows, MacOS and Linux systems.
In contrast to the commercial version the GSM CE uses the OpenVAS Community Feed instead of the
Greenbone Security Feed (GSF). While the commercial versions support seamless updates of the
operating system, new versions of the GSM CE are provided as ISO images requiring a new full
installation. Further differences between the other GSM models and the GSM CE are explained on
https://www.greenbone.net/en/community-edition/.

Note: The GSM CE is optimized for the usage on a mobile computer. Features required for enterprise
vulnerability management like schedules, alerts and remote scan engines are only available on the
full featured appliances.


CHAPTER 4

Upgrading from GOS 3 to GOS 4

GOS 4 is the most extensive overhaul compared to any prior version. Many internal functions and
features were redesigned. This also applies to the web interface and the command line interface for
the administration.

Note: With increasing complexity of a GSM setup, the migration can get complex as well.
Plan and execute the migration in close coordination with the Greenbone Networks support.

4.1 GSM ONE

A usual update of the system for the GSM ONE like in the past is not supported.
The migration is done as follows:
1. Contact the Greenbone Networks support and request a virtual image of GSM ONE with GOS 4.

Note: Provide the subscription key ID.

→ A virtual image with GOS 4 and a guide for the migration are provided.
2. Perform a backup of the user data on the GSM ONE using GOS 3.1.
3. Export the backup file.
4. Import and restore the backup on the GSM ONE using GOS 4.

4.2 GSM 25V

Virtual sensors are replaced by new virtual images.


Contact the Greenbone Networks support and request a virtual image of the GSM 25V with GOS 4.

Note: Provide the subscription key ID for the respective sensor.

Because sensors do not store scan data, the setup and configuration of the sensor will only be done
in GOS 4. No migration steps are required.


4.3 GSM 25 and GSM 100

The small enterprise/branch physical appliances GSM 25 and GSM 100 require a migration of the user
data using a USB stick.
Contact the Greenbone Networks support to request a detailed guide for the migration as well as
advice adjusted to the specific setup.
The following aspects are important when migrating a GSM 25 or GSM 100 to GOS 4:
• If user data of the GSM should be kept, it is mandatory to create a user data backup using a USB
stick.

Note: In case no physical access to the GSM is possible, contact the Greenbone Networks sup-
port for an alternative procedure involving additional manual steps.

• A pre-condition for the migration of a GSM is that it has direct access to the Greenbone Security
Feed service. If it does not, contact the Greenbone Networks support for an alternative proce-
dure involving additional manual steps.
• For the migration the appliance needs to be at GOS version 3.1.42 or newer. Earlier GOS
versions do not offer a migration.
GOS 4 offers a guided setup. The user data backup is imported using the GOS administration menu.

4.4 GSM 400 up to GSM 6400

All physical appliances offer a seamless migration from GOS 3.1 to GOS 4. The user data will be moved
to the new version and the system settings are kept for the most part. Especially complex setups like
master-sensor setup, Airgap or Expert-Net should be planned carefully.
Contact the Greenbone Networks support to request a detailed guide for the migration as well as
advice adjusted to the specific setup.
The following aspects are important when migrating a GSM 400 or higher to GOS 4:
• While the user data should be moved automatically during the migration, a backup is a safety
measure that should always be undertaken. Create a user data backup and store it on a USB
stick.
• A pre-condition for the migration of a GSM is that it has direct access to the Greenbone Security
Feed service. If it does not, contact the Greenbone Networks support for an alternative procedure
involving additional manual steps.
• For the migration the appliance needs to be at GOS version 3.1.42 or newer. Earlier GOS
versions do not offer a migration.
GOS 4 offers a guided setup and migration. The migrated user data from 3.1 can be restored. This is
a one-time offer. If the data are not restored, they are deleted from the appliance and the only copy
left is the backup on the USB stick.

4.5 Upgrading GOS 4.2 to GOS 4.3

4.5.1 Upgrading GOS 4.2 to the Latest Patch Level

After the migration, GOS 4.2 is at an old patch level. For the latest fixes and performance improvements
a GOS upgrade is recommended.
First, a feed update has to be carried out as follows:


1. In the GOS administration menu select Maintenance and press Enter.


2. Select Feed and press Enter.
3. Select Update and press Enter.
→ A message informs that the feed update was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

4. Press Enter.
After the feed update is finished, the GOS upgrade can be carried out.
Upgrading a master or stand-alone appliance is done as follows:
1. Open the web browser and enter the following URL:
https://www.greenbone.net/GBFeedSigningKey2018.gpg.asc
2. Download the ASC file.
3. In the GOS administration menu select Advanced and press Enter.
4. Select New Update Key (HTTP) or New Update Key (Editor) and press Enter.
5. In case New Update Key (HTTP) was selected, open the web browser and enter the displayed
URL.
Click Browse..., select the previously downloaded ASC file and click Upload.
or
5. In case New Update Key (Editor) was selected, copy the content of the previously downloaded
ASC file and paste it into the editor.
Press Ctrl + X. Press Y and Enter.
→ A message informs that the key is retrieved by the GSM.
6. Press Enter.
7. Select Maintenance and press Enter.
8. Select Upgrade and press Enter.
9. Select Update and press Enter.
→ A message informs that the upgrade was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.
When the GOS upgrade is finished a Reboot of the GSM is required (see Chapter Rebooting the
Appliance (page 66)).

Upgrading a sensor is done as follows:


1. Ensure that the master and the sensors are set up correctly (see Chapter Master-Sensor Setup
(page 253)).
2. In the GOS administration menu of the master select Maintenance and press Enter.
3. Select Feed and press Enter.
4. Select Sensors and press Enter.


5. Select the desired sensor and press Enter.


→ The current feed is pushed from the master to the sensors.
6. Open the web browser and enter the following URL:
https://www.greenbone.net/GBFeedSigningKey2018.gpg.asc
7. Download the ASC file.
8. In the GOS administration menu of the master select Advanced and press Enter.
9. Select New Update Key (HTTP) or New Update Key (Editor) and press Enter.
10. In case New Update Key (HTTP) was selected, open the web browser and enter the displayed
URL.
Click Browse..., select the previously downloaded ASC file and click Upload.
or
10. In case New Update Key (Editor) was selected, copy the content of the previously downloaded
ASC file and paste it into the editor.
Press Ctrl + X. Press Y and Enter.
→ A message informs that the key is retrieved by the GSM. The key is distributed to the sensors
automatically.
Perform the following steps for each sensor:
11. In the GOS administration menu of the sensor select About and press Enter to check whether
the feed update is finished.
12. In the GOS administration menu of the master select Maintenance and press Enter.
13. Select Upgrade and press Enter.
14. Select Sensors and press Enter.
15. Select the desired sensor and press Enter.
→ A message informs that the upgrade was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.
When the GOS upgrade is finished a Reboot of the sensor is required (see Chapter Rebooting the
Appliance (page 66)).

17. After upgrading all sensors, select Advanced in the GOS administration menu of the master and
press Enter.
18. Select Delete Update Key and press Enter.

4.5.2 Upgrading to GOS 4.3

After the appliance is upgraded to the latest GOS 4.2 patch level, upgrading to GOS 4.3 is possible as
follows:
1. In the GOS administration menu select Maintenance and press Enter.
2. Select Upgrade and press Enter.
3. Select Switch Release and press Enter.
→ A message informs that the release switch was started in the background.


Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

4.5.3 Updating the Flash Card to the Latest Version

The internal flash card of the GSM contains a backup copy of GOS and is used in case of a factory reset.
Updating the GOS version stored on the flash card is recommended.
1. Ensure that the GSM has direct access to the Greenbone Security Feed (GSF).
2. In the GOS administration menu select Maintenance and press Enter.
3. Select Flash and press Enter.
4. Select Sync and press Enter.
→ A message informs that the synchronization was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

5. Press Enter.
6. When the synchronization is finished select Flash and press Enter.
→ A message informs that the process was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

4.6 Changes of default behaviour

The following list displays the changes of default behaviour from GOS 3 to GOS 4. Depending on the
current features used, these changes may apply to the currently deployed setup. Please check the
following list to decide whether changes to the currently deployed setup are required. Greenbone
Networks support may help during this process.
• NVTs Starting with GOS 4.2 policy violation NVTs now have a score of 10 by default (see sec-
tion Compliance and Special Scans (page 191)). In the past these NVTs had a score of 0
and overrides were required (see section Severity (page 194), Severity (page 196), Severity
(page 199), etc.)
• GMP The OpenVAS Management Protocol (OMP) has been replaced with the Greenbone Management Protocol (GMP). The major difference is the transport channel used. While OMP uses an SSL/TLS-encrypted channel on port 9390/tcp, GMP uses SSH. Therefore, the older omp.exe tool cannot connect to GOS 4 appliances. The new appliances require the GVM-Tools (see section Greenbone Management Protocol (page 245)). The GVM-Tools are compatible with GOS 3.1, so that the scripts can be migrated prior to migrating the GSM.
• GMP The Greenbone Management Protocol (GMP) changed the API lightly. New commands
are available and some commands have changed their usage. The complete refer-
ence guide and the changes are available at https://docs.greenbone.net/API/OMP/omp-
7.0.html#changes.


• TLS If an external CA should be used (see section Managing Certificates (page 37)), the certificate requests generated by the GOS menu option now contain 3072 bit keys. Some CAs do not support such long keys yet. In those cases the PKCS #12 import still supports keys with a key length of 2048 bits.
• Master/Sensor While deployments using GOS 3.1 require two ports for a master/sensor setup, only one port is needed when using GOS 4.2. The port 22/tcp is used for controlling the sensor and for the synchronization of updates and feeds. The port 9390/tcp formerly used for the remote control of the sensors by the master is not used anymore. In addition, as a security measure, the identity of all linked master/sensor appliances is now validated via a key exchange in GOS 4. It will be necessary to perform this key exchange when migrating old GOS 3.1 sensors. Note that on GOS 4, sensors are regarded as a special type of scanner and are configured in the web interface under the respective section.
• Report Format Plug-ins (RFP) In contrast to GOS 3.1, in GOS 4 RFP connected to an alert will not
be executed if the RFP was set to disabled.
• Report Format Plug-ins (RFP) The filter defining the first element of the page (“first=”) no longer has an impact on the results exported in a report. All results are contained.
• Report Format Plug-ins (RFP) All RFPs which were uploaded manually in GOS 3.1 or which were created by cloning another RFP will be automatically disabled during the migration to GOS 4. Some might not work on GOS 4 anymore. If they are not used anywhere, they should be removed. For some RFPs, improved versions exist in the pre-configured set of RFPs; switch to those if the RFP is still needed. Before re-activating an RFP, test it with a report and make sure it is not automatically used by an alert in the background while it is being tested. If in doubt, ask the Greenbone Networks support what to do with a certain RFP.
• Expert-Net If Expert networking mode (Expert-Net) was enabled in GOS 3.1, the network config-
uration will be reset after upgrading to GOS 4. Please contact Greenbone Networks support
for further details and be prepared to configure the GSM without remote network access.

CHAPTER 5

Guideline for Using the Greenbone Security Manager

The following steps are fundamental in using the Greenbone Security Manager (GSM):
• Setting up the GSM → Setup Guides (page 289)
• Upgrading the Greenbone operating system (GOS) → Upgrading from GOS 3 to GOS 4 (page 13)
and Performing a GOS Upgrade (page 64)
• Performing a scan → Scanning a System (page 109)
• Reading and using a report → Reading a Report (page 162)
• Using notes to manage the results → Using Notes (page 169)
• Using overrides to manage false positives → Overrides and False Positives (page 171)
The following steps are more advanced:
• Setting up a central authentication using LDAP → Using a Central User Management (page 103)
• Connecting verinice to the GSM → Verinice (page 268)
• Connecting OMD/Check_MK/Nagios to the GSM → Nagios (page 274)

CHAPTER 6

Managing the Greenbone Operating System

The administration of the Greenbone Operating System (GOS) version 4.3 is achieved using a menu
based console access. The administrator does not need any command line or shell access to fulfill
the configuration or maintenance tasks. Shell access is only provided for support and troubleshooting
purposes. To access the GOS administration menu, logging in as an administrator is required.

6.1 General Information

6.1.1 Authorization Concept

The GSM offers two different levels of access:


• User Level The user level (web administrator) is available via the web interface or the Green-
bone Management Protocol (GMP).
• System Level The system level (system administrator) is only available via console or secure
shell protocol (SSH).

6.1.2 User Level Access

The user level access supports the management of users, groups and fine-grained permissions. Further details can be found in Chapter Managing Users (page 91). While the user level can be accessed either via the web interface or the GMP, the GMP access is turned off by default on all devices except sensors. In the delivery state, no account for accessing the user level is defined on any GSM device. Thus, no unauthorized access is possible between the commissioning and the configuration of the device.

6.1.3 GOS Administration Menu Access

The GOS administration menu is only available via the console or SSH. A single account (administrator) for the complete GOS administration of the GSM is supported. This user cannot directly modify any system files but can instruct the system to modify some configurations.
When delivered by Greenbone Networks, the user admin is assigned the password admin. During
the first setup this password should be changed (see Chapter Changing the System Administrator
Password (page 24)).
All network interfaces are disabled by default and no IP address is assigned. The SSH service is disabled as well. To use SSH for accessing the GSM, the network interfaces and the SSH service need to be enabled first (see Chapter Configuring SSH (page 42)). The Greenbone Security Manager Community Edition (GSM CE) and the GSM ONE enable the network interfaces using DHCP immediately after the installation, but the SSH service is disabled there as well.


If the SSH service is enabled, only the administrator can log in remotely.

Logging in as an Administrator

Once turned on, the appliance will boot. The boot process can be monitored in the serial console. The
boot process of a virtual appliance can be monitored in the hypervisor (VirtualBox or VMWare).

Fig. 6.1: Boot screen of the appliance

After the boot process is completed, locally logging into the system is possible. The default login is:
• user: admin
• password: admin
After the login the GSM shows a reminder in case the setup has not been completed yet.

System Administration Access

The shell can be accessed using the serial console or SSH.

Note: SSH access is possibly deactivated and has to be enabled using the serial console first (see
Chapter Configuring SSH (page 42)).

Access via SSH Access using SSH from a Linux system can be done directly via command line:
$ ssh admin@<gsm>

Replace <gsm> with the IP address or DNS name of the GSM appliance.
The host key can be verified by displaying its fingerprint as follows:
1. Start the GOS administration menu.
2. Select Setup and press Enter.
3. Select Services and press Enter.
4. Select SSH and press Enter.
5. Select Fingerprint and press Enter.
→ The fingerprint is displayed on the GOS administration menu.


Access via serial console Access to the shell using the serial console is described in Chapter Access-
ing the Shell (page 71). Login is performed as an administrator (see Chapter Logging in as an
Administrator (page 22)).

6.1.4 Committing Changes

Changes made through the system administration menus are not saved and activated immediately. Instead the menu is modified and the new option Save is added below the other options (see figure New option for saving outstanding changes (page 23)).

Fig. 6.2: New option for saving outstanding changes

If the menu is exited without saving any outstanding changes, a warning is displayed (see figure Sav-
ing outstanding changes (page 23)). The changes can be saved by selecting Yes and pressing Enter.

Fig. 6.3: Saving outstanding changes


6.2 Setup Menu

6.2.1 Users Management

The GOS administration menu offers the possibility to manage web users. Web users are the users of
the web interface of the GSM.

Changing the System Administrator Password

The password of the system administrator can be changed. This is especially important during the
first base configuration. The factory setting is not suitable for a production environment.
The password can be changed as follows:
1. Select Setup and press Enter.
2. Select User and press Enter.
3. Select Password and press Enter (see figure Accessing the user management (page 24)).

Fig. 6.4: Accessing the user management

4. Enter the current password and press Enter.


5. Enter the new password and press Enter.

Note: Trivial passwords are rejected. This includes the default password admin as well.

6. Repeat the new password and press Enter.


→ The change is effective immediately and a commit of the change is not required. A rollback is
not possible either.

Managing Web Users

To be able to use the GSM appliance a web administrator must be set up. This user is being referred
to as scan administrator in some documentation and by some applications.
The set-up of the first web administrator is only possible using the GOS administration menu as fol-
lows:
1. Select Setup and press Enter.


Fig. 6.5: Changing the GSM administrator password

2. Select User and press Enter.


3. Select Users and press Enter (see figure Accessing the user management (page 24)).
→ Several new options are displayed.

Fig. 6.6: Managing the web users

• List Users This displays a list of the current web users.


• Admin User This creates a new web administrator (see Chapter Creating a Web Administra-
tor (page 25)). The first web administrator has to be defined using the GOS administration
menu. Once logged into the web interface, the web administrator can add further web ad-
ministrators or normal web users.
• Enable Guest This enables the guest user. This cannot be done using the web interface but only
the GOS administration menu (see Chapter Creating a Guest Login (page 93)).
• Super Admin This creates the super administrator (see Chapter Creating a Super Administrator
(page 94)). This can only be done using the GOS administration menu.
• Delete Account This option can be used to delete a web user.
• Change Password This option can be used to change the password of any web user.
• Password Policy This option is used to change the requirements a password has to fulfill, such
as length and complexity.
More than one user with administrative rights can be set up.
To edit the existing users, or add users with fewer permissions, the web interface has to be used.

Creating a Web Administrator

A web administrator can be created as follows:


1. Select Setup and press Enter.


2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Admin User and press Enter.
5. Enter the user name and the password of the web administrator and press Tab.
6. Press Enter.

Enabling a Guest User

To allow a guest to log in without needing a password, this feature has to be activated as follows:
1. Select Setup and press Enter.
2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Guest User and press Enter.
5. Enter the user name and the password of an existing user and press Tab.
6. Press Enter.
→ The guest user is enabled and can log in to the web interface without needing the password
(see figure Logging in as a guest user without password (page 26)).

Fig. 6.7: Logging in as a guest user without password

Creating a Super Administrator

A super administrator can be created as follows:


1. Select Setup and press Enter.
2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Super Admin and press Enter.
→ A warning asking to confirm the process appears.
5. Select Yes and press Enter.
6. Enter the user name and the password of the super administrator and press Tab.
7. Press Enter.
→ The super administrator is created and can be edited in the web interface.

Note: The super administrator can only be edited by the super administrator.


Deleting a User Account

A web user can be deleted as follows:


1. Select Setup and press Enter.
2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Delete Account and press Enter.
5. Select the web user that should be deleted and press Enter.

Note: The web user is deleted immediately.

6. Press Enter to return to the previous menu.

Changing a User Password

The password of a web user can be changed as follows:


1. Select Setup and press Enter.
2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Change Password and press Enter.
5. Select the web user of which the password should be changed and press Enter.
6. Enter the new password twice and press Tab.
7. Press Enter.

Changing the Password Policy

The requirements for passwords can be changed as follows:


1. Select Setup and press Enter.
2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Password Policy and press Enter.
5. Select Length and press Enter to set the minimal length a password must have.
Select Username and press Enter to determine whether user name and password can be the
same.
Select Complex and press Enter to determine whether a password has to contain at least one
letter, one number and one symbol.
6. Select Save and press Enter.
7. Press Tab and press Enter.
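The three policy options above (Length, Username and Complex) together with the rejection of trivial passwords noted earlier can be expressed as a small checker, which is useful when passwords for web users are generated or reviewed outside the appliance. The following Python code is an added example written for this page, not GOS code: the threshold values, the function names and the list of trivial passwords are assumptions, and the only trivial password the manual itself names is the factory default admin.

```python
"""Password policy checker mirroring the GOS options Length, Username and Complex.

Added example; the policy defaults and the trivial-password list are assumptions,
not values taken from GOS.
"""
import re

# Policy knobs as offered under Setup > User > Users > Password Policy.
# The numeric default is an assumption for this example.
DEFAULT_POLICY = {
    "length": 8,        # Length: minimal number of characters
    "username": True,   # Username: user name and password may not be the same
    "complex": True,    # Complex: at least one letter, one number and one symbol
}

# Trivial passwords are rejected regardless of policy. The manual states that the
# factory password "admin" is refused; the other entries are constructed examples.
TRIVIAL_PASSWORDS = {"admin", "password", "123456", "gsm", "greenbone"}


def check_password(password, username, policy=None):
    """Return the list of policy violations; an empty list means the password passes."""
    rules = {**DEFAULT_POLICY, **(policy or {})}
    violations = []
    if password.lower() in TRIVIAL_PASSWORDS:
        violations.append("trivial password")
    if len(password) < rules["length"]:
        violations.append(f"shorter than {rules['length']} characters")
    if rules["username"] and password.lower() == username.lower():
        violations.append("password equals user name")
    if rules["complex"]:
        if not re.search(r"[A-Za-z]", password):
            violations.append("no letter")
        if not re.search(r"[0-9]", password):
            violations.append("no number")
        if not re.search(r"[^A-Za-z0-9]", password):
            violations.append("no symbol")
    return violations


def is_acceptable(password, username, policy=None):
    """True when the password satisfies every enabled rule."""
    return not check_password(password, username, policy)


if __name__ == "__main__":
    for candidate in ("admin", "scanadmin", "abcdefgh1", "Correct-Horse-7"):
        print(f"{candidate!r}: {check_password(candidate, 'scanadmin') or 'ok'}")
```

Disabling a rule is done by passing a policy override, for example `check_password(pw, user, {"complex": False})`; the trivial-password check stays active in every case, matching the note that the default password is always rejected.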


6.2.2 Configuring the Network Settings

Note: Any change within the network configuration has to be saved in the menu and the GSM has to
be rebooted for the change to be fully effective.

Some GSM types (GSM 6500/5400 and GSM 650/600/400) have two different namespaces:
• Namespace: Management This namespace includes all interfaces required for management
activities.
• Namespace: Scan1 This namespace includes all interfaces required for scanning purposes.
By default, all interfaces are in the management namespace. This enables both management and scan traffic on all interfaces. As soon as at least one interface is in the scan namespace, namespace separation goes into effect.
Only interfaces in the management namespace can handle management traffic. This includes accessing the GOS administration menu, the web interface and the Greenbone feed server, and the master-sensor communication.
Only interfaces in the scan namespace can handle scan traffic.
The namespaces are separated so that only the interfaces in the scan namespace are connected to networks accessible from the internet. In that way, attacks from the internet cannot reach the management interfaces of the GSM.

Tip: Separating the namespaces is recommended.

Switching an Interface to Another Namespace

Interfaces that should be in namespace scan1 can be selected as follows:


1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select Configure Namespaces and press Enter.
→ The namespace scan1 is selected.
4. Press Enter.
5. Select the desired interface that should be switched to the namespace scan1 and press Space.
→ The interface is marked with *. Interfaces that are in the management namespace are labeled
accordingly.
6. Press Enter.
7. Select Save and press Enter.

Configuring Network Interfaces

Note: At least one network interface must be configured to access the GSM using the network. Usu-
ally the first network adapter eth0 is used for this. The administrator has to configure this network
interface and to attach the appliance to the network.

Depending on the actual model the first network interface is preconfigured:


• GSM ONE: DHCP


• All other GSMs: no IP address set


By default, IPv6 is disabled on all GSM types.
Network interfaces can be configured as follows:
1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select the namespace of the desired interface and press Enter.
4. Select Interfaces and press Enter.
5. Select the desired interface and press Enter.

Note: If there is only one interface in this namespace, the configuration of the interface is
opened directly.

→ The interface can be configured.

Fig. 6.8: Configuring the network interface

Setting up a Static IP Address

1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select Static IP (for IPv4 or IPv6) and press Enter.
3. Delete dhcp from the input box and replace it with the correct IP address including the prefix
length (see figure Entering a static IP address (page 30)).

4. Press Enter.
→ A message informs that the changes have to be saved.

Note: The static IP can be disabled by leaving the input box empty.


Fig. 6.9: Entering a static IP address

Configuring a Network Interface to Use DHCP

A network interface can be configured to use DHCP as follows:


1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select DHCP (for IPv4 or IPv6) and press Enter.

Configuring the MTU

Note: The configuration of the MTU is only possible when a static IP is configured.

1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select MTU (for IPv4 or IPv6) and press Enter.
3. Enter the MTU in the input box.
4. Press Enter.
→ A message informs that the changes have to be saved.

Note: If the input box is left empty, the default value is set.

Using the Router Advertisement for IPv6

If the configuration of IP addresses and the routing for IPv6 should be performed automatically, router
advertisement can be enabled as follows:
1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select Router-advertisement and press Enter.

Configuring VLANs

A new VLAN subinterface can be created as follows:


1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select Configure the VLAN interfaces on this interface and press Enter.
3. Select Configure a new VLAN interface and press Enter.
4. Enter the VLAN ID in the input box and press Enter (see figure Creating a new VLAN subinterface
(page 31)).
→ A message informs that the changes have to be saved.

Fig. 6.10: Creating a new VLAN subinterface

5. Press Enter.
→ The new interface can be configured using IPv4 and IPv6 (see figure Configuring the VLAN
subinterface (page 32)).
The created subinterface can be configured as follows:
1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select Configure the VLAN interfaces on this interface and press Enter.
3. Select Configure the VLAN interface ... for the desired subinterface.
4. Configure the subinterface as described in Configuring Network Interfaces (page 28).

Configuring the Routes for an Interface

A new route for an interface can be configured as follows:


1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select Configure the Routes for this interface and press Enter.
3. Select Configure IPv4 Routes or Configure IPv6 Routes and press Enter.
4. Select Add a new route and press Enter.
5. Enter the target network and the next hop in the input boxes, select OK and press Enter.
The created route can be configured as follows:
1. Select the desired interface (see Configuring Network Interfaces (page 28)).
2. Select Configure the Routes for this interface and press Enter.


Fig. 6.11: Configuring the VLAN subinterface

3. Select Configure IPv4 Routes or Configure IPv6 Routes and press Enter.
4. Select the desired route and press Enter.
5. Edit the route, select OK and press Enter.

Configuring the DNS Server

For receiving the feed and updates, the GSM requires a reachable and functioning DNS (Domain Name
System) server for name resolution. If the GSM uses a proxy for downloading the feed and updates
this setting is not required.
If DHCP is used for the configuration of the network interfaces, the DNS servers provided by the DHCP
protocol will be used.
The GSM supports up to three DNS servers. At least one DNS server is required. Additional servers
will only be used when an outage of the first server occurs.
The DNS server can be configured as follows:
1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select Namespace: Management and press Enter.
4. Select DNS and press Enter.
5. Select the desired DNS server and press Enter.
6. Enter the IP address used as the DNS server in the input box and press Enter (see figure Con-
figuring the DNS server (page 33)).
→ A message informs that the changes have to be saved.
7. Press Enter.
8. Select Save and press Enter.

Note: Whether the DNS server can be reached and is functional can be determined by performing a
selfcheck (see Chapter Performing a Selfcheck (page 61)).


Fig. 6.12: Configuring the DNS server

Configuring the Global Gateway

The global gateway may be automatically obtained using DHCP or router advertisements. The global
gateway is often called the default gateway as well.

Note: If the GSM is configured to use static IP addresses, the global gateway has to be configured
manually. Separate options are available for IPv4 and IPv6.
When using DHCP to assign IP addresses, the global gateway will also be set via DHCP unless the
global gateway has been set explicitly.

The global gateway can be configured as follows:


1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select the namespace for which the global gateway should be configured and press Enter.
4. Select Global Gateway for IPv4 or Global Gateway (IPv6) for IPv6 and press Enter.
5. Select the desired interface and press Enter (see figure Configuring the global gateway
(page 34)).
6. Enter the IP address used as the global gateway in the input box and press Enter.
→ A message informs that the changes have to be saved.
7. Press Enter.
8. Select Save and press Enter.

Setting the Host Name and the Domain Name

While the GSM does not require a special host name, the host name is an important item when creating
certificates and sending e-mails.
The host name is used to configure the short host name and the domain name option is used for the
domain suffix. The factory default values are:
• Host Name: gsm
• Domain Name: gbuser.net


Fig. 6.13: Configuring the global gateway

The host name and the domain name can be configured as follows:
1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select Namespace: Management and press Enter.
4. Select Hostname or Domainname and press Enter.
5. Enter the host name or the domain name in the input box and press Enter (see figure Setting
the host name/domain name (page 34)).

Fig. 6.14: Setting the host name/domain name

→ A message informs that the changes have to be saved.


6. Press Enter.
7. Select Save and press Enter.


Restricting the Management Access

The IP address on which the management interface is available can be set.


All administrative access (SSH, HTTPS, GMP) will be restricted to the respective interface and will not
be available on the other interfaces.

Note: This feature overlaps with the separation of namespaces (see Chapter Configuring the Network
Settings (page 28)). Separating the namespaces is recommended.

Note: If no IP address is set, the management interface will be available on all IP addresses of inter-
faces in the management namespace.

The IP address for the management interface can be set as follows:


1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select Namespace: Management and press Enter.
4. Select Management IP (v4) or Management IP (v6) and press Enter.
5. Enter the IP address for the management interface in the input box and press Enter.

Note: The IP address has to be the IP address of one of the interfaces in the management
namespace. If another IP address is set, the management interface will not be available.
Either the IP address or the name of the interface (e.g. eth0) can be entered.

Fig. 6.15: Restricting the management access

6. Select Save and press Enter.
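Several of the network settings described in this section depend on each other: a static address needs its prefix length, a route's next hop must be reachable through the interface it is configured on, at most three DNS servers are accepted, and the management IP must be an address of an interface in the management namespace or the management interface becomes unreachable. The following Python code is an added example, not GOS code and not a configuration format GOS reads; it checks a planned configuration for these consistency rules before the values are typed into the menu and the appliance is rebooted. The dictionary layout, the function name and the sample addresses (RFC 5737 documentation ranges) are constructed for this example, and the on-link requirement for next hops is a general routing rule rather than a statement from the manual.

```python
"""Pre-flight check of a planned GOS network configuration.

Added example: GOS has no configuration file or API of this shape; the PLAN
dictionary mirrors the values that are typed into Setup > Network, and the
sample addresses are constructed (documentation ranges).
"""
import ipaddress

PLAN = {
    # Namespace membership as set under Setup > Network > Configure Namespaces.
    "namespaces": {"management": ["eth0"], "scan1": ["eth1"]},
    # Static addresses carry the prefix length; routes are (target network, next hop).
    "interfaces": {
        "eth0": {"static": ["192.0.2.10/24"], "routes": [("10.0.0.0/8", "192.0.2.1")]},
        "eth1": {"static": ["198.51.100.5/24"], "routes": [("0.0.0.0/0", "198.51.100.1")]},
    },
    "dns": ["192.0.2.53", "192.0.2.54"],   # up to three servers; the first one is used
    "management_ip": "192.0.2.10",         # Management IP (v4); empty string means all
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []

    # Every interface must be in exactly one namespace.
    seen = {}
    for ns, names in plan["namespaces"].items():
        for name in names:
            if name in seen:
                problems.append(f"{name}: listed in both {seen[name]} and {ns}")
            seen[name] = ns
    for name in plan["interfaces"]:
        if name not in seen:
            problems.append(f"{name}: not assigned to any namespace")

    # Static addresses: the menu expects address plus prefix length, e.g. 192.0.2.10/24.
    addrs = {}
    for name, cfg in plan["interfaces"].items():
        addrs[name] = []
        for entry in cfg.get("static", []):
            if "/" not in entry:
                problems.append(f"{name}: {entry} lacks a prefix length")
                continue
            try:
                addrs[name].append(ipaddress.ip_interface(entry))
            except ValueError:
                problems.append(f"{name}: {entry} is not a valid address/prefix")

    # Routes: the target must be a proper network (no host bits set) and the next hop
    # must be on-link, i.e. inside one of the interface's own subnets.
    for name, cfg in plan["interfaces"].items():
        for target, hop in cfg.get("routes", []):
            try:
                ipaddress.ip_network(target, strict=True)
                hop_ip = ipaddress.ip_address(hop)
            except ValueError:
                problems.append(f"{name}: malformed route {target} via {hop}")
                continue
            if not any(hop_ip in iface.network for iface in addrs[name]):
                problems.append(f"{name}: next hop {hop} is not on-link")

    # DNS: the GSM supports at most three servers and needs at least one.
    dns = plan.get("dns", [])
    if not 1 <= len(dns) <= 3:
        problems.append(f"dns: {len(dns)} servers configured, expected 1 to 3")
    for server in dns:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"dns: {server} is not an IP address")

    # The management IP must belong to an interface in the management namespace;
    # any other value makes the management interface unavailable.
    mgmt_ip = plan.get("management_ip")
    if mgmt_ip:
        mgmt_addrs = {str(i.ip) for n in plan["namespaces"].get("management", [])
                      for i in addrs.get(n, [])}
        if mgmt_ip not in mgmt_addrs:
            problems.append(f"management_ip: {mgmt_ip} is not an address of a management interface")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

The check is deliberately run before anything is saved in the GOS menu, because a wrong management IP or a next hop outside the interface subnet only shows up after the reboot, when the appliance may no longer be reachable over the network.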

Displaying the MAC and IP addresses and the Network Routes

The used MAC addresses, the currently configured IP addresses and the network routes of the GSM
can be displayed in a simple overview.


Note: This does not support the configuration of the MAC addresses.

The MAC and IP addresses of the interfaces can be displayed as follows:


1. Select Setup and press Enter.
2. Select Network and press Enter.
3. Select the namespace for which the IP addresses, MAC addresses or network routes should be
displayed and press Enter.
4. Select MAC, IP or Routes and press Enter.
→ The MAC/IP addresses or the network routes of the selected namespace are displayed (see
figure Displaying the MAC/IP addresses or network routes (page 36)).

Fig. 6.16: Displaying the MAC/IP addresses or network routes

5. Press Enter.

6.2.3 Services

To access the GSM appliance remotely, the following interfaces are available:


HTTPS This is the usual option for the creation, execution and analysis of vulnerability scans. It is
activated by default and cannot be deactivated. Configuration is only possible for the timeout
of the automatic logout when the HTTPS session is inactive.
GMP (Greenbone Management Protocol) The Greenbone Management Protocol (GMP) allows for
the communication with other Greenbone Networks products (e.g. an additional GSM). It is re-
quired for the master-sensor communication (see Chapter Master-Sensor Setup (page 253)).
This protocol is based on the OpenVAS Management Protocol. It can also be used for the commu-
nication of in-house software with the appliance (see Chapter Greenbone Management Protocol
(page 245)).
SSH This option allows accessing the GOS administration menu of the GSM. This access is deactivated by default and must be activated first, for example using the serial console. Additionally, SSH is required for feed updates from the Greenbone feed server and for the master-sensor communication (see Chapter Master-Sensor Setup (page 253)).
SNMP SNMP Read access of the GSM is possible via SNMPv3 (see Chapter Configuring SNMP
(page 44)).


Configuring HTTPS

Configuring the Timeout of the Web Interface

The timeout value of the web interface can be set as follows:


1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select HTTPS and press Enter.
4. Select Timeout and press Enter.
5. Enter the desired value for the timeout in the input box and press Enter

Note: The value can be between 1 and 1440 minutes (1 day). The default is 15 minutes.

→ A message informs that the changes have to be saved.


6. Press Enter.

Configuring the Ciphers

The HTTPS ciphers can be configured. The current setting allows only secure ciphers using at least
128 bit key length, explicitly disallowing AES-128-CBC, Camellia-128-CBC and the cipher suites used
by SSLv3 and TLSv1.0.
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select HTTPS and press Enter.
4. Select Ciphers and press Enter.
5. Enter the desired value in the input box and press Enter.

Note: The string used to define the ciphers is validated by GnuTLS and has to conform to the
corresponding syntax.

→ A message informs that the changes have to be saved.


6. Press Enter.

Managing Certificates

Self-signed HTTPS certificates can be generated or certificates signed by external certificate author-
ities can be imported.
The following options are available:
• Download: Downloading the current HTTPS certificate to import it in the web browser
• CSR: Generating a Certificate Signing Request (CSR) for the HTTPS certificate
• Generate: Auto-generating a new self-signed HTTPS certificate
• PKCS#12: Importing a PKCS#12 file as new HTTPS certificate
• Certificate: Importing a certificate signed by an external certificate authority (CA)
The GSM appliance basically uses two types of certificates:


• Self-signed certificates
• Certificates issued by an external CA
All modern operating systems support the creation and management of their own CA. Under Microsoft Windows Server the Active Directory Certificate Services support the administrator in the creation of a root CA. For Linux systems various options are available. One option is described in the IPSec-Howto.
Before creating and exchanging certificates, the administrator has to verify how the systems will be accessed later, because the IP address or the DNS name is stored in the certificate when it is created. Additionally, after creating the certificate a reboot is required so that all services can use the new certificate. This needs to be taken into consideration when changing certificates.

Self-Signed Certificates Self-signed certificates are the easiest option. They offer, however, the
lowest security and require more work from the user:
• The trust of a self-signed certificate can only be checked manually by the user, by importing the
certificate and examining its fingerprint.
• Self-signed certificates cannot be revoked. Once they are accepted by the user in the browser,
they are stored permanently in the browser. If an attacker gains access to the corresponding
private key, a man-in-the-middle attack on the connection protected by the certificate can be
launched.
To support a quick setup, the GSM supports self-signed certificates. For most GSM types, such a cer-
tificate is not installed by default and must be created by the administrator. The GSM ONE, however,
already comes with a pre-installed certificate.
Self-signed certificates can be easily created as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select HTTPS and press Enter.
4. Select Certificate and press Enter.
5. Select Generate and press Enter.
→ A message informs that the current certificate and private key will be overwritten.
6. Confirm the message by selecting Yes and pressing Enter.
7. Provide the settings for the certificate, select OK and press Enter.
→ When the process is finished, a message informs that the certificate can be downloaded.
8. Press Enter.
9. Select Download and press Enter.
10. Open the web browser and enter the displayed URL (see figure Downloading the certificate
(page 39)).
11. Download the PEM file.
12. In the GOS administration menu press Enter.
→ When the certificate is retrieved by the GSM, the GOS administration menu displays the fin-
gerprint of the certificate for verification.
² https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731183(v=ws.11)
³ http://www.ipsec-howto.org/x600.html


Fig. 6.17: Downloading the certificate

13. Check the fingerprint and confirm the certificate by pressing Enter.
→ To enable the new certificate a Reboot of the GSM is required (see Chapter Rebooting the
Appliance (page 66)).

Certificate by an External Certificate Authority (CA) The use of a certificate issued by a CA has
several advantages:
• All clients trusting the authority can verify the certificate directly and establish a secure con-
nection. No warning is displayed in the browser.
• The certificate can be revoked easily by the CA. If the clients have the ability to check the certifi-
cate status they can decline a certificate that may still be within its validity period but has been
revoked. As mechanisms the Certificate Revocation Lists (CRLs) or Online Certificate Status Pro-
tocol (OCSP) can be used.
• Especially when multiple systems within an organization serve SSL/TLS protected information,
the use of an organizational CA simplifies the management drastically. All clients simply have
to trust the organizational CA to accept all the certificates issued by the CA.
To import a certificate by an external CA two options are available:
• Generate a certificate signing request (CSR) on the GSM, sign it using an external CA and import
the certificate
• Generate the CSR and the certificate externally and import both using a PKCS#12 file
A new CSR can be created as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select HTTPS and press Enter.
4. Select Certificate and press Enter.
5. Select CSR and press Enter.
→ A message informs that the current certificate and private key will be overwritten.
6. Confirm the message by selecting Yes and pressing Enter.
7. Provide the settings for the certificate, select OK and press Enter.
8. Open the web browser and enter the displayed URL.


9. Download the PEM file.


→ The GOS administration menu displays a message to verify that the CSR has not been tam-
pered with.
10. Verify the information by pressing Enter.
11. Select Certificate and press Enter.
12. Open the web browser and enter the displayed URL (see figure Uploading the signed certificate
(page 40)).

Fig. 6.18: Uploading the signed certificate

13. Click Browse..., select the signed certificate and click Upload.
→ When the certificate is retrieved by the GSM, the GOS administration menu displays the fin-
gerprint of the certificate for verification.
14. Check the fingerprint and confirm the certificate by pressing Enter.
→ To enable the new certificate a Reboot of the GSM is required (see Chapter Rebooting the
Appliance (page 66)).
If a private key and a signed certificate which should be used for the GSM are already available, they
can be imported. The private key and the certificate need to be formatted as a PKCS#12 file. The file
can be protected using an export password.
The certificate will be activated after a reboot (see Chapter Rebooting the Appliance (page 66)).
The PKCS#12 file can be imported as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select HTTPS and press Enter.
4. Select Certificate and press Enter.
5. Select PKCS#12 and press Enter.
→ A message informs that the current certificate and private key will be overwritten.
6. Confirm the message by selecting Yes and pressing Enter.
7. Open the web browser and enter the displayed URL (see figure Uploading the PKCS#12 container
(page 41)).


Fig. 6.19: Uploading the PKCS#12 container

8. Click Browse..., select the PKCS#12 container and click Upload.

Note: If an export password was used to protect the PKCS#12 container, the password has to
be entered.

→ When the certificate is retrieved by the GSM, the GOS administration menu displays the fin-
gerprint of the certificate for verification.
9. Check the fingerprint and confirm the certificate by pressing Enter.
→ To enable the new certificate a Reboot of the GSM is required (see Chapter Rebooting the
Appliance (page 66)).

Displaying Fingerprints

The fingerprints of the used certificate can be checked and displayed as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select HTTPS and press Enter.
4. Select Fingerprints and press Enter.
→ The following fingerprints of the currently active certificate are displayed:
• SHA1
• SHA256
• BB

Configuring GMP

The Greenbone Management Protocol (GMP) can be activated using the GOS administration menu as
follows:

Note: The SSH service has to be enabled before GMP can be enabled (see Chapter Configuring SSH
(page 42)).


Fig. 6.20: Displaying the fingerprints

1. Select Setup and press Enter.


2. Select Services and press Enter.
3. Select GMP and press Enter.
→ A message informs that the changes have to be saved.

Fig. 6.21: Enabling the GMP

Configuring SSH

The SSH server embedded in the GSM can be enabled in the GOS administration menu as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select SSH and press Enter.
4. Select SSH State and press Enter to enable SSH.

Note: A login protection can be enabled. If a number of consecutive login attempts fail, the user
will be locked.

5. Select Login Protection and press Enter.


6. Select Login Protection and press Enter to enable the login protection.
→ A message informs that the login protection can lead to a locked SSH access.
7. Select Continue and press Enter.
8. Select Login Attempts and press Enter.
9. Enter the desired value and press Enter.
→ A message informs that the changes have to be saved.
10. Press Tab and press Enter.

Note: SSH public keys may be uploaded to enable key-based authentication of administra-
tors. SSH keys can be generated with OpenSSH by using the command ssh-keygen on Linux
or puttygen.exe when using PuTTY on Microsoft Windows. The formats Ed25519 or RSA are
recommended. All SSH keys must correspond to RFC 4716⁴.

11. Select Admin Key and press Enter.


12. Open the web browser and enter the displayed URL (see figure Uploading an SSH public key
(page 43)).

Fig. 6.22: Uploading an SSH public key

13. Click Browse..., select the SSH public key and click Upload.
→ When the upload is completed, a message informs that the login via SSH is possible (see figure
SSH public key is accepted (page 44)).
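The note above requires uploaded keys in RFC 4716 format, whereas ssh-keygen writes a one-line OpenSSH public key by default (ssh-keygen -e -f key.pub converts it). The following Python is an added example, not GOS code: it performs that conversion, checks that the key type is one the manual recommends, and parses the result back so an upload file can be verified. The key blob it uses is a constructed placeholder, not a real key.

```python
"""Convert an OpenSSH public key line into RFC 4716 format and back.

Added example for this manual (not GOS code). Assumes the key line has the
ssh-keygen layout '<type> <base64 blob> [comment]'. The sample blob below is
a constructed placeholder whose key bytes are simply 0..31; never use it.
"""
import base64
from typing import Tuple

# Key types the manual recommends for administrator logins.
RECOMMENDED_TYPES = ("ssh-ed25519", "ssh-rsa")
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_openssh_line(line: str) -> Tuple[str, bytes, str]:
    """Split '<type> <base64 blob> [comment]' into (type, raw blob, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = fields[0]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed string naming the key type; a
    # mismatch with the first field means the line was edited or corrupted.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type field does not match the encoded key blob")
    return key_type, blob, comment


def is_recommended(line: str) -> bool:
    """True if the key type is one the manual recommends (Ed25519 or RSA)."""
    return parse_openssh_line(line)[0] in RECOMMENDED_TYPES


def to_rfc4716(line: str) -> str:
    """Render the key as RFC 4716 text: begin marker, optional header lines,
    base64 body wrapped so no line exceeds 72 characters, end marker."""
    _, blob, comment = parse_openssh_line(line)
    body = base64.b64encode(blob).decode("ascii")
    lines = [BEGIN]
    if comment:
        lines.append(f'Comment: "{comment}"')   # header lines precede the body
    lines.extend(body[i:i + 70] for i in range(0, len(body), 70))
    lines.append(END)
    return "\n".join(lines) + "\n"


def from_rfc4716(text: str) -> Tuple[str, bytes]:
    """Parse RFC 4716 text back into (type, blob), e.g. to check a file before
    uploading it. Header lines may continue on the next line with a trailing
    backslash; such continuation lines are skipped too."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    body, in_header = [], False
    for item in lines[1:-1]:
        if in_header or ":" in item:
            in_header = item.endswith("\\")
            continue
        body.append(item)
    blob = base64.b64decode("".join(body), validate=True)
    name_len = int.from_bytes(blob[:4], "big")
    return blob[4:4 + name_len].decode("ascii"), blob


# Constructed placeholder: a structurally valid ssh-ed25519 blob
# (length-prefixed type string, then a length-prefixed 32-byte "key").
_TYPE = b"ssh-ed25519"
PLACEHOLDER_BLOB = (len(_TYPE).to_bytes(4, "big") + _TYPE
                    + (32).to_bytes(4, "big") + bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(PLACEHOLDER_BLOB).decode("ascii")
               + " admin@example.org")

if __name__ == "__main__":
    print(to_rfc4716(SAMPLE_LINE), end="")
```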

Displaying Fingerprints

The GSM provides different host key pairs for its own authentication. The client decides which key
pair to use. In the GOS administration menu the fingerprints of the public keys used by the SSH server
of the appliance can be displayed as follows:
1. Select Setup and press Enter.
⁴ https://tools.ietf.org/html/rfc4716


Fig. 6.23: SSH public key is accepted

2. Select Services and press Enter.


3. Select SSH and press Enter.
4. Select Fingerprint and press Enter.
→ The MD5 fingerprints of the following keys are displayed:
• ECDSA
• ED25519
• RSA

Fig. 6.24: Displaying the SSH fingerprints
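Both fingerprint displays described above (SHA1/SHA256 for the HTTPS certificate, MD5 for the SSH host keys) can be cross-checked on the client side before a certificate or host key is trusted. The following Python is an added example, not GOS code: it recomputes the fingerprints from a downloaded PEM file and from an OpenSSH host key line, and compares them with the value shown in the menu, a browser or openssl, tolerating case, colon and prefix differences. It assumes the usual definitions (hash over the certificate's DER encoding; MD5 over the decoded key blob, as ssh-keygen -l -E md5 reports) and uses constructed placeholder inputs, not real keys.

```python
"""Recompute HTTPS certificate and SSH host key fingerprints locally.

Added example for this manual, not GOS code. The sample inputs below are
constructed placeholders (the base64 body decodes to the bytes b"abc"), so
the block runs offline; with a real PEM file or host key line the functions
return the fingerprints to compare with the GOS menu.
"""
import base64
import hashlib
import re


def der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())      # drop line breaks
    return base64.b64decode(body, validate=True)


def colon_hex(digest: bytes) -> str:
    """Format a digest the way GOS and browsers display it (AB:CD:...)."""
    return ":".join(f"{b:02X}" for b in digest)


def cert_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of the certificate's DER encoding; algo is 'sha1' or 'sha256'."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("GOS displays SHA1 and SHA256 fingerprints only")
    return colon_hex(hashlib.new(algo, der_from_pem(pem)).digest())


def ssh_host_key_md5(pubkey_line: str) -> str:
    """MD5 fingerprint of an OpenSSH public key line ('ssh-ed25519 AAAA... comment'),
    lower-case with colons as ssh-keygen -l -E md5 prints it."""
    fields = pubkey_line.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    return colon_hex(hashlib.new("md5", blob).digest()).lower()


def same_fingerprint(shown: str, computed: str) -> bool:
    """Compare a displayed hex fingerprint with a computed one regardless of
    case, colons, an 'MD5:'/'SHA256:' prefix or openssl's 'Fingerprint=' label."""
    def norm(value: str) -> str:
        value = value.strip().split("=")[-1]
        if re.match(r"^(sha1|sha256|md5):", value, re.I):
            value = value.split(":", 1)[1]
        return re.sub(r"[^0-9a-f]", "", value.lower())
    return norm(shown) == norm(computed)


# Constructed placeholder "certificate": not a real certificate, it only
# exercises the PEM decoding and hashing path.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)
# Constructed placeholder host key line with the same three-byte blob.
SAMPLE_HOST_KEY = "ssh-ed25519 YWJj gsm-host-key-placeholder"

if __name__ == "__main__":
    print("SHA1   ", cert_fingerprint(SAMPLE_PEM, "sha1"))
    print("SHA256 ", cert_fingerprint(SAMPLE_PEM, "sha256"))
    print("MD5    ", ssh_host_key_md5(SAMPLE_HOST_KEY))
```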

Configuring SNMP

The GSM appliance supports SNMP. The SNMP support can be used for sending traps through alerts
and monitoring of vital parameters of the appliance.


The supported parameters are specified in a Management Information Base (MIB) file. The current
MIB is available from the Greenbone tech doc portal⁵.
The GSM supports SNMPv3 for read access and SNMPv1 for traps.
SNMPv3 can be configured as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select SNMP and press Enter.
4. Select SNMP and press Enter.
→ Several new options are displayed (see figure Configuring SNMPv3 (page 45)).

Fig. 6.25: Configuring SNMPv3

5. Select Location and press Enter.


6. Enter the location of the SNMP service in the input box and press Enter.
7. Select Contact and press Enter.
8. Enter the contact of the SNMP service in the input box and press Enter.
9. Select Username and press Enter.
10. Enter the SNMP user name in the input box and press Enter.

Note: When configuring the authentication and privacy passphrase be aware of the fact that
the GSM uses SHA-1 and AES128 respectively.

11. Select Authentication and press Enter.


12. Enter the SNMP user authentication passphrase in the input box and press Enter.
13. Select Privacy and press Enter.
14. Enter the SNMP user privacy passphrase and press Enter.

Note: After a user has been configured, the engine ID of the GSM can be displayed by selecting
Engine ID and pressing Enter.

⁵ https://docs.greenbone.net/API/SNMP/snmp-gos-4.1.en.html


Afterwards, test read access of the SNMP service under Linux/Unix with snmpwalk:
$ snmpwalk -v 3 -l authPriv -u user -a sha -A password -x aes -X key 192.168.222.115
iso .3.6.1.2.1.1.1.0 = STRING: "Greenbone Security Manager"
iso .3.6.1.2.1.1.5.0 = STRING: "gsm"
...

The following information can be gathered:


• Uptime
• Network interfaces
• Memory
• Harddisk
• Load
• CPU

Configuring a Port for the Temporary HTTP Server

By default, the port for HTTP uploads and downloads is randomly selected.
A permanent port can be configured as follows:
1. Select Setup and press Enter.
2. Select Services and press Enter.
3. Select Temporary HTTP and press Enter.
4. Select Port and press Enter.
5. Enter the port in the input box and press Enter.
→ A message informs that the changes have to be saved.
6. Select Save and press Enter.

6.2.4 Importing a Backup

If a GSM with an older version of GOS is used, a direct upgrade is not possible. Instead of installing an
upgrade package as in the past, a complete reinstall of the GSM is required because the underlying
database system has been replaced completely and, depending on the model used, the filesystem
of the GSM is now encrypted as well.
To upgrade the GSM a backup of the data on the old GSM is needed. After installing the new firmware,
the backup can be imported.
Data from an older backup can be imported as follows:
1. Select Setup and press Enter.
2. Select Data import and press Enter.
→ A warning informs that all existing configurations on the GSM will be overwritten (see figure
Warning when importing a backup (page 47)).
3. Select Continue and press Enter.
→ The GSM starts a web service to upload the backup file (see figure Data import upload mes-
sage (page 47)).
4. Open the web browser and enter the displayed URL.


Fig. 6.26: Warning when importing a backup

Fig. 6.27: Data import upload message


5. Click Browse..., select the backup and click Upload.


→ The import of the backup takes several minutes. During this period the GSM will not allow
any web access.

Note: A detailed upgrade manual depicting the upgrade to GOS 4.3 from older versions for the used
GSM type is available. Contact the Greenbone Networks Support.

6.2.5 Configuring Periodic Backups

The GSM supports automatic daily backups. These backups can be stored locally or remotely using the
following scheme:
• Last 7 daily backups
• Last 5 weekly backups
• Last 12 monthly backups
Backups older than one year will be deleted automatically. In factory state backups are disabled.
Periodic Backups can be enabled as follows:
1. Select Setup and press Enter.
2. Select Backup and press Enter.
3. Select Periodic Backup and press Enter (see figure Configuring periodic backups (page 48)).
→ Periodic backups are enabled.

Fig. 6.28: Configuring periodic backups

By default, backups are stored locally. To store them on a remote server the server has to be set up
appropriately. The GSM uses the SFTP protocol supported by SSH to transfer the backups.
Set up a remote server as follows:
1. Select Setup and press Enter.
2. Select Backup and press Enter.
3. Select Backup Location and press Enter (see figure Setting up the remote server (page 49)).
→ More options for the backup location are added (see figure Setting up the remote server
(page 49)).


Fig. 6.29: Setting up the remote server

4. Select Server and press Enter.


5. Enter the remote server address in the following format:
username@hostname[:port]/directory

Note: The optional port may be omitted if the server uses port 22.

6. Select OK and press Enter.


→ A message informs that the changes have to be saved.

Note: The GSM uses the host public key of the remote server to verify its identity before logging in.

7. Select Server key and press Enter.


8. Open the web browser and enter the displayed URL.
9. Click Browse..., select the SSH host public key and click Upload.

Note: The GSM uses an SSH private key to log in on the remote server. To enable this login
process the public key of the GSM must be added to the authorized_keys file on the remote
server. The GSM generates such a private/public key pair.

10. To download the public key select User key and press Enter.
11. Open the web browser and enter the displayed URL.
12. Download the PUB file.

Note: If several GSM appliances upload their backups to the same remote server, the files must
be distinguishable. For this a unique backup identifier has to be defined. If this identifier is not
set, the host name will be used. If the host name was modified from the default and is unique,
the backup files will be distinguishable as well.

13. Select Client and press Enter.


14. Enter the identifier and press Enter.


Note: Since the setup of the remote backup including the keys is error-prone, a test routine is
available. This option tests whether the login to the remote system succeeds.

15. Select Test and press Enter.


→ The login to the remote system is tested.

6.2.6 Configuring the Feed Synchronization

The Greenbone Security Feed (GSF) provides updates to the network vulnerability tests (NVT), the
SCAP data (CVE and CPE) and the advisories from the CERT-Bund and DFN-CERT. Additionally, the GSF
provides updates to GOS.
A subscription key is required to use the GSF. This key allows the GSM to download the GSF provided
by Greenbone Networks.
If no valid subscription key is stored on the appliance, the appliance uses only the public Greenbone
Community Feed (GCF) and not the GSF.
To configure the feed several options are available:
• Adding a GSF subscription key
• Enabling/Disabling synchronization
• Configuring the synchronization port
• Setting the synchronization proxy
• Cleanup

Adding a GSF Subscription Key

A new GSF subscription key can be stored on the appliance by either uploading it using HTTP or by
copying and pasting it using an editor.

Note: The new key will overwrite any key already stored on the device.

The key can be added using HTTP as follows:


1. Select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Key(HTTP) and press Enter.
→ A message informs that the current subscription key will be overwritten (see figure Overwrit-
ing the current subscription key (page 51)).
4. Select Yes and press Enter.
5. Open the web browser and enter the displayed URL.
6. Click Browse..., select the subscription key and click Upload.
The key can be added using the editor as follows:
1. Select Setup and press Enter.
2. Select Feed and press Enter.


3. Select Key(Editor) and press Enter.


→ A message informs that the current subscription key will be overwritten (see figure Overwrit-
ing the current subscription key (page 51)).
4. Select Yes and press Enter.
→ The editor is opened.
5. Enter the subscription key.
6. Press Ctrl + X.
7. Press Y to save the changes.
8. Press Enter.

Fig. 6.30: Overwriting the current subscription key

Enabling or Disabling Synchronization

The automatic synchronization of the GSF can be disabled if the GSM does not have any internet access
and should not try to access the Greenbone Networks services on the internet. The synchronization
can be enabled again.
The synchronization can be enabled or disabled as follows:
1. Select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Synchronisation and press Enter.
→ The synchronization is enabled.

Note: The changes have to be saved by selecting Save and pressing Enter.

4. The synchronization can be disabled by selecting Synchronisation and pressing Enter again.

Note: The time of the automatic feed synchronization can be set by changing the maintenance time
(see Chapter Setting the Maintenance Time (page 61)).


Configuring the Synchronization Port

The GSF is provided by Greenbone Networks on two different ports:
• 24/tcp
• 443/tcp
While port 24/tcp is the default port, many firewall setups do not allow traffic to pass to this port on
the internet. The port can therefore be changed to 443/tcp, which is allowed most often.
The port can be configured as follows:
1. Select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Greenbone Server and press Enter.
4. Select Sync port and press Enter.
5. Select the desired port and press Enter (see figure Configuring the synchronization port
(page 52)).

Fig. 6.31: Configuring the synchronization port

Note: The port 443/tcp is usually used by HTTPS traffic. While the GSM uses this port, the actual
traffic is not HTTPS but SSH. The GSM uses rsync embedded in SSH to retrieve the feed. Firewalls
supporting deep inspection and application awareness may still reject the traffic if these features are
enabled.

Setting the Synchronization Proxy

If the security policy does not allow for direct internet access, the GSM can use an HTTPS proxy service.
This proxy must not inspect the SSL/TLS traffic but must support the CONNECT method. The traffic
passing through the proxy is not HTTPS but SSH encapsulated in the HTTP proxy connection.
The proxy can be set as follows:
1. Select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Greenbone Server and press Enter.


4. Select Sync proxy and press Enter.


5. Enter the URL of the proxy in the input box (see figure Setting the synchronization proxy
(page 53)).

Note: The URL must have the form http://proxy:port.

Fig. 6.32: Setting the synchronization proxy

Cleanup

The GSF subscription key can be removed. This is useful if an appliance is at the end of life and needs
to be removed from production. The cleanup ensures that no licenses are left on the device. Without
the GSF subscription key the GSM will only retrieve the Greenbone Community Feed.
There is a warning when choosing this option.
The cleanup can be done as follows:
1. Select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Cleanup and press Enter.
→ A warning informs that the synchronization with the GSF is no longer possible after the
cleanup (see figure Removing the GSF subscription key (page 54)).
4. Select Yes and press Enter.
→ A message informs that the GSF subscription key has been deleted.
5. Press Enter.

6.2.7 Configuring the GSM as an Airgap Master/Slave

The Airgap function allows a GSM that is not directly connected to the internet to obtain feed updates
and GOS upgrades.
Two GSMs are required:
• Airgap slave: situated in a secured area and is not connected to the internet
• Airgap master: is connected to the internet


Fig. 6.33: Removing the GSF subscription key

All GSM types from GSM 400 or higher can be configured as an Airgap master/slave.
Two options are available for the Airgap function:
• Greenbone Airgap USB stick
• Airgap FTP server

Using the Airgap USB Stick

The updates and upgrades are loaded from a GSM that is connected to the internet and copied to a
USB stick. The USB stick can then be used to update the second GSM.

Note: The USB stick has to be a specific Greenbone Airgap USB stick provided by Greenbone Networks.
Contact the Greenbone Networks support providing the customer number to request a respective Air-
gap USB stick.

Tip: The USB stick can be checked for malware by a security gateway beforehand.

The data transfer using the Airgap USB stick is performed as follows:
1. In the GOS administration menu of the Airgap master select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Airgap Master and press Enter.
4. Select USB Master and press Enter (see figure Configuring the Airgap USB master (page 55)).
5. Select Save and press Enter.

Note: Configuring a GSM as an Airgap USB master disables the possibility to configure the GSM
as an Airgap USB slave.

6. Connect the Airgap USB stick to the Airgap master.


→ The data transfer starts automatically.


Fig. 6.34: Configuring the Airgap USB master

7. When the data transfer is finished, connect the Airgap USB stick to the Airgap slave.
→ The data transfer starts automatically.

Using the Airgap FTP Server

The updates and upgrades can be provided via an FTP server operating as a data diode. A data diode
is a unidirectional security gateway allowing the data flow in only one direction.
The GSM can use an FTP server operating as a data diode. The FTP server takes on the function of the
Airgap USB stick (see Chapter Using the Airgap USB Stick (page 54)).
• The Airgap master picks up the updates/upgrades from the Greenbone server and writes them to
the FTP server at its maintenance time.
• The Airgap slave downloads the updates/upgrades from the FTP server at its maintenance time.

Note: Ensure that the maintenance time of the Airgap slave is at least three hours behind the main-
tenance time of the Airgap master (see Chapter Configuring the Time Synchronization (page 57)).

The data transfer using the Airgap FTP server is performed as follows:
1. In the GOS administration menu of the Airgap master select Setup and press Enter.
2. Select Feed and press Enter.
3. Select Airgap Master and press Enter.
4. Select FTP Master and press Enter.
→ Additional menu options for the configuration of the FTP server are shown (see figure Con-
figuring the FTP server for the Airgap master (page 56)).
5. Select FTP Master Location and press Enter.
6. Enter the path of the FTP server in the input box and press Enter.
7. Select FTP Master User and press Enter.
8. Enter the user used for logging into the FTP server in the input box and press Enter.
9. Select FTP Master Password and press Enter.
10. Enter the password used for logging into the FTP server in the input box and press Enter.


Fig. 6.35: Configuring the FTP server for the Airgap master

11. Select FTP Master Test and press Enter.


→ It is tested whether a login with the entered information is working.
12. Select Save and press Enter.
13. In the GOS administration menu of the Airgap slave select Setup and press Enter.
14. Select Feed and press Enter.
15. Select Airgap Slave and press Enter.
16. Execute steps 5 to 12 in the GOS administration menu of the Airgap slave using the same input
as for the Airgap master.

Note: The menu options have slightly different names than in the GOS administration menu of
the Airgap master (see figure Configuring the FTP server for the Airgap slave (page 56)).

→ The data transfer takes place automatically.

Fig. 6.36: Configuring the FTP server for the Airgap slave


6.2.8 Configuring the Time Synchronization

To synchronize the appliance with central time servers, the GSM supports the Network Time Protocol
(NTP). Up to four different NTP servers can be configured. The appliance will choose the most suitable
server. During an outage of one server, another server will be used automatically.
Both IP addresses and DNS names are supported.
The NTP settings can be configured as follows:
1. Select Setup and press Enter.
2. Select Timesync and press Enter.
3. Select Time synchronisation and press Enter.
→ The time synchronization is enabled.

Note: The changes have to be saved by selecting Save and pressing Enter.

4. Select the desired time server and press Enter (see figure Configuring the NTP settings
(page 57)).
5. Enter the time server in the input box and press Enter.
→ A message informs that the settings have to be saved.

Fig. 6.37: Configuring the NTP settings

6.2.9 Selecting the Keyboard Layout

This menu displays the current keyboard layout of the appliance and if necessary supports the mod-
ification to the required needs and locale. The keyboard layout of the appliance can be modified as
follows:
1. Select Setup and press Enter.
2. Select Keyboard and press Enter.
→ All available keyboard layouts are displayed. The current layout has the annotation (selected)
(see figure Selecting the keyboard layout (page 58)).
3. Select the desired keyboard layout and press Enter.
→ A message asks to confirm the change.


Fig. 6.38: Selecting the keyboard layout

4. Select Yes and press Enter.


→ A message informs that the layout has been changed.

6.2.10 Configuring Automatic E-Mails

If reports should automatically be sent via e-mail after completion of a scan, the appliance needs to
be configured with a mail server. This server is called a mailhub or smart host. The appliance itself
does not come with a mail server.

Note: The appliance does not store e-mails in case of delivery failure. There will be no second delivery
attempt.
Possible spam protection on the mail server such as grey listing must be deactivated for the appliance.
Authentication using a username and password is not supported by the appliance. The authentication
must be done IP based.

Configuring the Mail Server

The mail server can be configured as follows:


1. Select Setup and press Enter.
2. Select Mail and press Enter.
3. Select Mail and press Enter.
4. Enter the URL of the mailhub in the input box (see figure Configuring the mailhub (page 59)).
5. Select OK and press Enter.
→ A message informs that the settings have to be saved.
6. Press Enter.

Configuring the E-Mail Size

The maximum content or attachment size (in bytes) of the e-mails can be configured as follows:


Fig. 6.39: Configuring the mailhub

1. Select Setup and press Enter.


2. Select Mail and press Enter.
3. Select Max size/Max include and press Enter.
4. Enter the maximum size (in bytes) in the input box.
5. Select OK and press Enter.
→ A message informs that the settings have to be saved.
6. Press Enter.

6.2.11 Configuring the Collection of Logs

The GSM supports the configuration of a central logging server for the collection of the logs. Either
only the security relevant logs or all system logs can be sent to a remote logging server. The security
relevant logs contain:
• User authentication
• User authorization
The GSM appliance uses the syslog protocol. Central collection of the logs allows for central analysis,
management and monitoring of logs. Additionally, the logs are always stored locally as well.
One logging server can be configured for each kind of log (security relevant logs or all system logs).
As transport layer UDP (default), TLS and TCP can be used. TCP ensures the delivery of the logs even
when a packet loss occurs. If a packet loss occurs during a transmission via UDP, the logs will be lost.

Configuring the Logging Server

The logging server can be set up as follows:


1. Select Setup and press Enter.
2. Select Remote Syslog and press Enter.
3. Select Security Syslog and press Enter to enable security relevant logs.
or
3. Select Full Syslog and press Enter to enable all system logs.

Note: Both logs can be enabled.

4. Select Security Remote and press Enter to set the logging server URL for security relevant logs.
or
4. Select Full Remote and press Enter to set the logging server URL for all system logs.
5. Enter the logging server URL in the input box (see figure Configuring the logging server
(page 60)).

Note: If no port is specified, the default port 514 will be used.
If the protocol is not specified, UDP will be used.
→ A message informs that the settings have to be saved.

Fig. 6.40: Configuring the logging server

Managing HTTPS Certificates for Logging

HTTPS certificates for logging can be managed as follows:


1. Select Setup and press Enter.
2. Select Remote Syslog and press Enter.
3. Select Certificates and press Enter.
4. Select Generate and press Enter to generate a certificate.
→ A message informs that the current certificate and private key will be overwritten.
5. Confirm the message by selecting Yes and pressing Enter.
6. Provide the settings for the certificate, select OK and press Enter.
→ When the process is finished, a message informs that the certificate can be downloaded.
7. Press Enter.
8. Select Certificates and press Enter.
9. Select Download and press Enter.


10. Open the web browser and enter the displayed URL.
11. Download the file.
12. In the GOS administration menu press Enter.
→ When the certificate is retrieved by the GSM, the GOS administration menu displays the
fingerprint of the certificate for verification.
13. Check the fingerprint and confirm the certificate by pressing Enter.
→ To enable the new certificate a reboot of the GSM is required (see Chapter Rebooting the
Appliance (page 66)).
The certificate and the corresponding fingerprint can be displayed as follows:
1. Select Setup and press Enter.
2. Select Remote Syslog and press Enter.
3. Select Certificates and press Enter.
4. Select Show and press Enter to display the certificate.
or
4. Select Fingerprints and press Enter to display the fingerprint.
→ The following fingerprints of the currently active certificate are shown:
• SHA1
• SHA256
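Step 13 above asks for the fingerprint to be checked against the downloaded certificate. The following added example (not GOS code) computes the SHA1 and SHA256 fingerprints of a PEM file and compares them with the value read from the GOS administration menu; the PEM body is a constructed stand-in whose bytes are not a real certificate.

```python
"""Compare a downloaded certificate with the fingerprint shown in the GOS menu.
Added example, not GOS code; the PEM below is a constructed stand-in."""
import base64
import hashlib
import hmac
import re

# Constructed PEM: its body decodes to b"abc" instead of real DER, so that the
# resulting fingerprints are the well-known SHA1/SHA256 test vectors for "abc".
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem):
    """Return the base64-decoded body of the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprints(der):
    """SHA1 and SHA256 fingerprints in the usual colon-separated upper-case form."""
    return {name: ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())
            for name, algo in (("SHA1", "sha1"), ("SHA256", "sha256"))}


def normalize(fingerprint):
    """Accept a fingerprint typed with or without colons or spaces, in any case."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_matches(der, shown):
    """True when the value read from the GOS menu equals the SHA1 or SHA256 fingerprint."""
    shown = normalize(shown)
    # Constant-time comparison, so the check does not leak where the strings diverge.
    return any(hmac.compare_digest(normalize(fp), shown) for fp in fingerprints(der).values())


if __name__ == "__main__":
    for name, fp in fingerprints(pem_to_der(CONSTRUCTED_PEM)).items():
        print(name, fp)
```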

6.2.12 Setting the Maintenance Time

During maintenance the daily feed synchronization takes place. Any time during the day can be chosen
except for 10:00 to 13:00 UTC. During this period Greenbone Networks itself updates the feed and
disables the synchronization services.
The default maintenance time is a random time between 3:00 a.m. and 5:00 a.m. UTC.
The maintenance time can be set as follows:
1. Select Setup and press Enter.
2. Select Time and press Enter.
3. Enter the desired maintenance time in the input box and press Enter (see figure Configuring the maintenance time (page 62)).

Note: The time has to be converted to UTC before entering it.

→ A message informs that the settings have to be saved.

Fig. 6.41: Configuring the maintenance time

6.3 Maintenance Menu

6.3.1 Performing a Selfcheck

The selfcheck option checks the setup of the appliance. It displays wrong or missing configuration
details which might prevent the correct function of the appliance. The following items are checked:
• Network connection
• DNS resolution
• Feed reachability
• Available updates
• User configuration
The selfcheck is performed as follows:
1. Select Maintenance and press Enter.
2. Select Selfcheck and press Enter.
→ The selfcheck is performed and any found problems are listed on the result page.

6.3.2 Performing a Backup and Restoring a Backup

Scheduled local and remote backups are configured in the menu Setup (see Chapter Configuring
Periodic Backups (page 48)). Backups can also be performed manually. Depending on the backup location
configured within Chapter Configuring Periodic Backups (page 48), the manually triggered backups
are stored remotely or locally. These backups can be transferred to a USB stick for offsite storage.
The backup includes all user data (e.g. tasks, reports, results) and the settings of the GSM.

Performing a Backup Manually

A backup can be performed manually as follows:


1. Select Maintenance and press Enter.
2. Select Backup and press Enter.
3. Select Incremental Backup and press Enter (see figure Triggering a backup manually (page 63)).
→ A message informs that the backup was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

Fig. 6.42: Triggering a backup manually

Restoring a Backup Manually

A backup can be restored manually as follows:

1. Select Maintenance and press Enter.
2. Select Backup and press Enter.
3. Select List and press Enter.
4. Select the desired backup and press Enter (see figure Restoring a backup (page 63)).

Fig. 6.43: Restoring a backup

5. Select Yes and press Enter if the system settings should be restored as well.
or
5. Select No and press Enter if only the data should be restored.
→ If the restoration of the system settings is selected, a warning informs that all local settings
are lost.
6. Confirm the message by selecting Yes and pressing Enter.
→ A message informs that the restoration was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

Performing or Restoring a Backup Using a USB Stick

Backups can be transferred to and restored from a USB stick as follows:


1. Connect a USB stick to the appliance.

Note: A FAT-formatted USB stick has to be used.

2. Select Maintenance and press Enter.


3. Select Backup and press Enter.
4. Select USB Backup and press Enter.
→ The backup or restoration starts automatically.

6.3.3 Performing a GOS Upgrade

During the daily feed update the appliance will also download new GOS upgrades if available. While
the upgrades are automatically downloaded, they are not automatically installed.

Note: Since the upgrades might interrupt current scan tasks, they need to be scheduled carefully.

GOS upgrades can be installed manually as follows:


1. Select Maintenance and press Enter.
2. Select Upgrade and press Enter.
3. Select Upgrade and press Enter to install an upgrade.
or
3. Select Switch Release and press Enter to switch to a new release.
→ A message informs that the upgrade was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

Note: By default, a successful GOS upgrade starts a GOS upgrade on connected sensors as well.
An upgrade can also be installed on sensors manually (see Chapter Performing a GOS Upgrade on
Sensors (page 64)).

6.3.4 Performing a GOS Upgrade on Sensors

A GOS upgrade on a sensor can be installed as follows:


1. Select Maintenance and press Enter.
2. Select Upgrade and press Enter.
3. Select Sensors and press Enter.


4. Select the desired sensor and press Space.


→ The sensor is marked with *. Multiple sensors can be selected at the same time.
Sensors which are not ready for an upgrade are labelled accordingly.
5. Press Enter.
→ A message informs that the upgrade was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

6.3.5 Performing a Feed Update

By default, the appliance will try to download new feeds and GOS updates daily.
The feed synchronization can be triggered manually as follows:
1. Select Maintenance and press Enter.
2. Select Feed and press Enter.
3. Select Update and press Enter (see figure Triggering a feed update manually (page 65)).
→ A message informs that the feed update was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

Fig. 6.44: Triggering a feed update manually

Note: By default, a successful feed update starts a feed update on connected sensors as well.
A feed update can also be pushed to sensors manually (see Chapter Performing a Feed Update on
Sensors (page 65)).

6.3.6 Performing a Feed Update on Sensors

A feed update can be pushed to a sensor as follows:


1. Select Maintenance and press Enter.


2. Select Feed and press Enter.
3. Select Sensors and press Enter.
4. Select the desired sensor and press Enter.
→ A message informs that the feed update was started in the background.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

6.3.7 Upgrading the Flash Partition

The flash partition is used to perform factory resets of the GSM. To make factory resets easier, it
should be upgraded to the latest GOS version.

Note: Make sure the GSM itself is able to establish a connection to the Greenbone Feed Server.
It is not possible to upgrade the flash partition of sensors via the master.

The flash partition can be upgraded as follows:


1. Upgrade the GSM to the latest GOS version (see Chapter Performing a GOS Upgrade (page 64)).
2. Select Maintenance and press Enter.
3. Select Flash and press Enter.
4. Select Download and press Enter (see figure Upgrading the flash partition (page 67)).
→ The latest flash image is downloaded.

Tip: The currently running system operation can be displayed by selecting About and
pressing Enter in the GOS administration menu.

5. When the download is finished, select Write and press Enter (see figure Upgrading the flash
partition (page 67)).
→ The image is written to the flash partition. The process may take up to 20 minutes.

Tip: The currently running system operation can be displayed by selecting About and pressing
Enter in the GOS administration menu.

Fig. 6.45: Upgrading the flash partition

6.3.8 Rebooting and Shutting down the Appliance

The GSM should not be turned off using the power switch. The appliance should be shut down and
rebooted using the GOS administration menu instead. This ensures that mandatory cleanup processes
are run during the shutdown and reboot.

Rebooting the Appliance

The appliance is rebooted as follows:

1. Select Maintenance and press Enter.
2. Select Power and press Enter.
3. Select Reboot and press Enter.
→ A message asks to confirm the reboot (see figure Rebooting the appliance (page 67)).
4. Select Yes and press Enter.
→ The appliance will reboot. The reboot process may take up to several minutes.

Fig. 6.46: Rebooting the appliance

Shutting down the Appliance

The appliance is shut down as follows:


1. Select Maintenance and press Enter.
2. Select Power and press Enter.
3. Select Shutdown and press Enter.
→ A message asks to confirm the shutdown (see figure Shutting down the appliance (page 68)).


4. Select Yes and press Enter.


→ The appliance will shut down. The shutdown process may take up to several minutes.

Fig. 6.47: Shutting down the appliance

6.4 Advanced Menu

6.4.1 Displaying Log Files of the GSM

The log files of the GSM can be displayed as follows:


1. Select Advanced and press Enter.
2. Select Logs and press Enter.
3. Select the desired logs and press Enter.
→ The log file is displayed in a viewer.
4. Press q to quit the viewer.

6.4.2 Performing Advanced Administrative Work

Managing the Superuser Account

When the shell is accessed, a Linux command line as the unprivileged user admin is displayed (see
Chapter Accessing the Shell (page 71)). Any Linux command can be executed.

Note: The privileged account root (superuser) should only be used in consultation with the Greenbone
Networks support.
If any modifications are done without consultation, the entitlement to receive assistance by the
Greenbone Networks support expires.

To obtain root privileges on the GSM, the command su has to be entered in the shell. Using su to
switch from the admin user to the root user is disabled by default.
The superuser has to be enabled and provided with a password as follows:
1. Select Advanced and press Enter.


2. Select Support and press Enter.


3. Select Superuser and press Enter.
4. Select Superuser State and press Enter.
→ A warning informs that root privileges should only be obtained by exception and while
consulting the Greenbone Networks support (see figure Warning when enabling the superuser
(page 69)).

Fig. 6.48: Warning when enabling the superuser

5. Select Yes and press Enter.


→ A message informs that the changes have to be saved.
6. Press Enter.
7. Select Password and press Enter.
8. Enter the password twice, select OK and press Enter (see figure Defining the superuser
password (page 69)).

Fig. 6.49: Defining the superuser password

9. Select Save and press Enter.


Generating and Downloading a Support Package

Sometimes the Greenbone Networks support requires additional information to troubleshoot and
support customers. The required data is collected as an encrypted support package including all
configuration data of the GSM appliance.
The package can be encrypted using the GPG public key of the Greenbone Networks support team.
The support package is stored on the appliance.
A support package can be created as follows:
1. Select Advanced and press Enter.
2. Select Support and press Enter.
3. Select Support Package and press Enter.
→ A message asks to confirm the generation of the support package.
4. Select Yes and press Enter.
→ A message asks whether the support package should be encrypted.
5. Select Yes to encrypt the support package.
Select No to not encrypt the support package.
6. If an encrypted support package was chosen, open the web browser, enter the displayed URL
(see figure Downloading an encrypted support package (page 70)) and download the GPG file
(encrypted ZIP folder).

Fig. 6.50: Downloading an encrypted support package

or

Note: If the support package is not encrypted, the download needs to be done using the Secure
Copy Protocol (SCP). For this, SSH has to be enabled first (see Chapter Configuring SSH (page 42)).

6. If an unencrypted support package was chosen, enter the displayed command using SCP (see
figure Downloading an unencrypted support package (page 71)) and download the support package
(ZIP folder).

Note: The "." at the end can be replaced with a path. If the "." is kept, the current folder is
chosen.


Fig. 6.51: Downloading an unencrypted support package

7. Send the ZIP folder to the Greenbone Networks support.


On Microsoft Windows systems the support package can be downloaded using either pscp, a command
line tool included in PuTTY, or WinSCP and SmarTTY, which are graphical tools implementing secure
copy.

Accessing the Shell

Shell access is not required for any administrative work, but may be requested by Greenbone
Networks support for diagnostics and support.
The shell can be accessed as follows:
1. Select Advanced and press Enter.
2. Select Support and press Enter.
3. Select Shell and press Enter.
→ A warning informs that the shell level is undocumented and should not be used for
administrative settings (see figure Warning when accessing the shell (page 72)).
4. Select Continue and press Enter.
→ A Linux shell is opened using the unprivileged user admin (see figure Accessing the local shell
(page 72)).

Note: Access as root requires enabling the superuser and setting a password (see Chapter Managing
the Superuser Account (page 68)). Afterwards, switching to root using the command su is possible.

5. Enter exit or press Ctrl + D to quit the shell.

Fig. 6.52: Warning when accessing the shell

Fig. 6.53: Accessing the local shell

6.4.3 Displaying the Subscription Key

The subscription key (see Chapter Adding a GSF Subscription Key (page 50)) can be displayed as follows:

1. Select Advanced and press Enter.
2. Select Subscription and press Enter.
→ The subscription key is displayed in a viewer.
3. Press q to quit the viewer.

6.4.4 Displaying the Copyright File

The copyright file can be displayed as follows:


1. Select Advanced and press Enter.
2. Select Copyright and press Enter.
→ The copyright file is displayed in a viewer.
3. Press q to quit the viewer.

6.5 Displaying Information about the GSM

Information about the GSM can be displayed by selecting About.


The following information is displayed:
• GSM type
• GOS version
• Feed version
• Name of the subscription key
• IP of the web interface
• Configured sensors
• Currently running system operations

CHAPTER 7

Getting to Know the Web Interface

7.1 Concepts of the Web Interface

This chapter covers recurring concepts when using the web interface of the Greenbone Security
Manager (GSM). This includes the dashboard, standard icons, filters and tags.

7.1.1 Dashboards

The GSM has four dashboards:


• Main dashboard
• Scan dashboard
• Assets dashboard
• SecInfo dashboard
The default dashboards can be modified by clicking . Dashboards can be added, removed and reset
to their defaults.

Fig. 7.1: Main dashboard


Main Dashboard

The main dashboard is reached by clicking Dashboard in the menu bar.


The main dashboard provides a quick presentation of the network state. All elements can be selected
using the mouse and support a drill-down.
The main dashboard displays all tasks both by status and by severity at the top. At the bottom the
host topology is shown and the CVEs and NVTs are rated by severity and creation time.

Scan dashboard

The scan dashboard is reached by clicking Scans > Dashboard in the menu bar.
The scan dashboard concentrates on the actual scan tasks. It shows the individual scanned hosts and
the full reports by their severity class. Additionally, the scan dashboard includes the tasks shown by
status and severity from the main dashboard.

Assets dashboard

The assets dashboard is reached by clicking Assets > Dashboard in the menu bar.
The assets dashboard includes the host topology from the main dashboard and additionally displays
the most vulnerable hosts, the distribution of the found vulnerabilities compared to the discovered
operating systems and the operating systems by severity class.

SecInfo dashboard

The SecInfo dashboard is reached by clicking SecInfo > Dashboard in the menu bar.
The SecInfo dashboard displays the NVTs, CVEs and CERT Bund advisories by their corresponding
severity class. Additionally, it displays both CVEs and CERT Bund advisories by their creation time.

7.1.2 Charts

The charts in the dashboards can be customized. This allows displaying and formatting the data in
different ways. The created graphs can be downloaded and included into other documents.
There are three different chart types:
• Line chart (see figure Line chart (page 77))
• Bar chart (see figure Bar chart (page 77))
• Donut chart (see figure Donut chart (page 77))
The content of a chart can be modified as follows:
1. Click in the upper left corner of the dashboard.
2. Choose the desired content in the drop-down-list at the bottom of the chart (see figure Selecting
the content of a chart (page 78)).
or
2. Click or to select the previous/next item of the drop-down-list.
→ The content and, if necessary, the chart type change immediately.
A chart can be downloaded in various formats by clicking the context menu at the top left of the chart
(see figure Downloading a chart (page 78)).


Fig. 7.2: Line chart

Fig. 7.3: Bar chart

Fig. 7.4: Donut chart


Fig. 7.5: Selecting the content of a chart

Fig. 7.6: Downloading a chart


7.1.3 Icons

The web interface uses recurring icons for identical actions. The function of the same icon may differ
depending on the currently opened page.
• Display the context aware help.
• Display a full list of currently selected objects types.
• Create a new object. This can be a user, a target, a task, a permission or a filter.
• Move an object to the trash can.
• Edit an object.
• Add a note.
• Add an override.
• Copy/Clone a resource.
• Export a resource as a GSM object.
• Refresh the page.
• Expand additional information.
• Collapse additional information.
• Delete an object irrevocably.
• Jump to the next object in a view.
• Jump to the previous object in a view.
• Jump to the last object (page) in a view.
• Other users have the permission to access the object as well.
Other icons can only be accessed in a certain context.
• Start the currently not running task.
• Stop the currently running task. All discovered results will be written to the database.
• Resume the stopped task.
• Start a task by schedule.
• The task is alterable.
• Start the task wizard.
• Enable or disable overrides.
• Select as the first report for delta report.
• Select as the second report for delta report.
• A fix for a vulnerability exists.
• A vendor patch is available.
• A workaround is available.
• A mitigation by configuration is available.
• No fix is and will be available.
• No solution exists.
• A scan configuration is adjusted with new NVTs automatically.
• A scan configuration is not adjusted with new NVTs automatically.


• Reset to factory defaults.


• Save changes.
• Upload/Import external files.
• Download an RPM installation package.
• Download a DEB installation package.
• Download an EXE installation package.
• Download an SSH public key in ASCII format. This key corresponds to the keys used for RPM
and DEB packages.
• Verify the signature of an imported report format.
• Send feedback to the Greenbone Networks Customer Support.

7.1.4 Filtering the Page Content

Almost every page in the web interface offers the possibility to filter the displayed content.

Using the Filter Bar

Fig. 7.7: Filter bar at the top of the page

Various filter parameters are combined to form the Powerfilter.


The filter parameters can be entered in the input box in the filter bar (see figure Filter bar at the top of
the page (page 80)) using the specific notation of the filter (see Syntax of the Powerfilter (page 81))
or be modified as follows:
1. Click in the filter bar (see figure Filter bar at the top of the page (page 80)).
→ A separate window with multiple filter parameters is opened.

Fig. 7.8: Filter opened in a separate window


Note: The filter is context aware which means that the filter parameters depend on the
currently opened page.

2. Select and modify the filter parameters (see figure Filter opened in a separate window
(page 80)).

Note: The Powerfilter is not case-sensitive.

Tip: Keywords which should be searched for can be entered in the input box Filter.

3. Click Update.
→ The filter parameters are applied.
A typical Powerfilter search could look for all CVE vulnerabilities from 2012 within the
192.168.222.0/24 network:

Fig. 7.9: Powerfilter searching for CVEs

Note: By clicking right of the input box in the filter bar, the current input is removed.
By clicking right of the input box in the filter bar, the filter is updated with the current input.

Syntax of the Powerfilter

When applied, the filter parameters are shown below the input box in the filter bar (see figure Applied
filter parameters (page 81)).

Fig. 7.10: Applied filter parameters

The filter uses a specific syntax which has to be considered when entering the filter parameters
directly in the input box in the filter bar.
In general the specification of the following parameters is always possible:
• rows: Number of rows that are displayed per page. Per default the value is rows=10. Entering a
value of -1 will display all results. Entering a value of -2 will use the value that was pre-set
in My Settings under Rows Per Page (see Chapter Changing the User Settings (page 87)).


• first: Determination of the first item displayed. Example: If the filter returns 50 results,
rows=10 first=11 displays the results 11 to 20.
• sort: Determination of the column used for sorting the results. The results are sorted ascending.
Example: sort=name sorts the results by name. After applying the filter, upper cases of the column
names are changed to lower cases and spaces are changed to underscores. The sorting can also be
done by clicking the title of the column. Typical column names are:
– name
– severity
– host
– location
– qod (Quality of detection)
– comment
– modified
– created
• sort-reverse: Determination of the column used for sorting the results (see above). The results
are sorted descending.
• tag: Selection of results with a specific tag (see Tags (page 85)). It can be filtered by a specific
tag value (tag=”server:mail”) or only by the tag (tag=”server”). Regular expressions are also
allowed.

Note: By filtering using tags custom categories can be created and used in the filters. This
allows for versatile and granular filter functionality.

When specifying the components the following operators are used:


• = equals e.g. rows=10
• ~ contains e.g. name~admin
• < less than e.g. created<-1w → older than a week
• > greater than e.g. created>-1w → younger than a week
• :RegEx e.g. name:admin$
There are a couple of special features:
• If no value follows =, all results without this filter parameter are displayed. This example shows
all results without a comment:
comment=

• If a keyword should be found but it is not defined which column to scan, all columns will be
scanned. This example searches whether at least one column contains the stated value:
=192.168.15.5

• The data is usually or-combined. This can be specified with the keyword or. To achieve an
and-combination the keyword and needs to be specified:
modified>2019-01-01 and name=services

Using not will negate the filter.


Text Phrases

In general, text phrases that are being searched for can be specified.
The following examples show the differences:
overflow Finds all results that contain the word overflow. This applies to Overflow as well as to
Bufferoverflow. Also, 192.168.0.1 will find 192.168.0.1 as well as 192.168.0.100.
remote exploit Finds all results containing remote or exploit. Of course, results that contain both
words will be displayed as well.
remote and exploit Both words must be found in a result in any column. The results do not have
to be found in the same column.
"remote exploit" The exact string is being searched for and not the individual words.
regexp 192\.168\.[0-9]+.1 The regex is being searched for.

Date Specifications

Date specifications in the Powerfilter can be absolute or relative.


Absolute date specification An absolute date specification has the following format:
2014-05-26T13h50

When the time is left out, a time of 12:00 am will be assumed automatically. The date
specification can be used in the search filter e.g. created>2014-05-26.
Relative date specification Relative time specifications are always calculated in relation to the
current time. Time specifications in the past are defined with a preceding minus (-). Time
specifications without a preceding character are interpreted as being in the future. For time periods
the following letters can be used:
• s second
• m minute
• h hour
• d day
• w week
• m month (30 days)
• y year (365 days)
For example, entering created>-5d shows the results that were created within the past 5 days.
A combination such as 5d1h is not permitted but has to be replaced with 121h.
To limit the time period for which information should be displayed, e.g. to one month, the following
expression can be used:
modified>2019-01-01 and modified<2019-01-31

Examples for Powerfilters

Here are some examples for Powerfilters:


• 127.0.0.1 shows any item that has “127.0.0.1” anywhere in the text of any column.
• 127.0.0.1 IANA shows any item that has “127.0.0.1” or “IANA” anywhere in the text of any
column.


• 127.0.0.1 and IANA shows any item that has “127.0.0.1” and “IANA” anywhere in the text of
any column.
• regexp 10.128.[0-9]+.[0-9]+ shows any item that has an IP style string starting with
“10.128” anywhere in the text of any column.
• name=Localhost shows any item with the exact name “Localhost”.
• name~local shows any item with “local” anywhere in the name.
• name:^Local shows any item with a name starting with “Local”.
• port_list~TCP shows any item that has “TCP” anywhere in the port list name.
• modified>2019-02-03 and modified<2019-02-05 shows any item that was modified
between 2019-02-03 0:00 and 2019-02-05 0:00.
• created>2019-02-03T13h00 shows any item that was created after 13:00 on 2019-02-03.
• rows=20 first=1 sort=name shows the first twenty items sorted by the column Name.
• created>-7d shows any item that was created within the past 7 days.
• =127.0.0.1 shows any item that has “127.0.0.1” as the exact name in any column.
• tag="geo:long=52.2788" shows any item that has a tag named “geo:long” with the value
“52.2788”.
• tag~geo shows any item that has a tag with a name containing “geo”.
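The rules from Syntax of the Powerfilter, Text Phrases and Date Specifications through the examples above (column terms, bare keywords and quoted phrases over all columns, or-combination by default, and/not, relative and absolute dates, rows/first/sort) are implemented below as an added Python example; it is not GSM code, and the sample rows, the fixed "current time" and the use of `M` for month are constructed assumptions.

```python
"""Evaluator for a subset of the Powerfilter syntax (added example, not GSM code):
column terms, bare keywords and quoted phrases over all columns, 'regexp', the
connectors and/or/not, absolute and relative dates, and rows/first/sort."""
import re
from datetime import datetime, timedelta, timezone

# Constructed "current time" so that relative dates such as -7d give stable results.
NOW = datetime(2019, 2, 8, 12, 0, tzinfo=timezone.utc)
# Period letters from the manual; month is written "M" here (assumption) so that
# it does not collide with "m" for minute.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
         "M": 30 * 86400, "y": 365 * 86400}
CONTROL = ("rows", "first", "sort", "sort-reverse")
TERM_RE = re.compile(r"^([A-Za-z_-]*)([=~<>:])(.*)$", re.S)


def parse_date(text):
    """Absolute '2014-05-26' or '2014-05-26T13h50', or relative '<n><unit>' (minus = past)."""
    rel = re.fullmatch(r"(-?\d+)([smhdwMy])", text)
    if rel:
        return NOW + timedelta(seconds=int(rel.group(1)) * UNITS[rel.group(2)])
    if re.fullmatch(r"-?\d+[smhdwMy](\d+[smhdwMy])+", text):
        raise ValueError(f"combined periods such as {text!r} are not permitted")
    fmt = "%Y-%m-%dT%Hh%M" if "T" in text else "%Y-%m-%d"  # date only means 00:00
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def _cell(record, column):
    """Textual form of a column; a missing column reads as the empty string."""
    value = record.get(column)
    return value.isoformat() if isinstance(value, datetime) else "" if value is None else str(value)


def match_term(record, term, regexp=False):
    """Evaluate one filter term against one record (a dict of column -> value)."""
    cells = [_cell(record, c) for c in record]
    if regexp:                   # 'regexp <pattern>' is searched in every column
        return any(re.search(term, c) for c in cells)
    m = TERM_RE.match(term)
    if not m:                    # bare keyword or quoted phrase: substring of any column
        return any(term.lower() in c.lower() for c in cells)
    column, op, value = m.groups()
    if not column:               # '=value': exact match in any column
        return any(c.lower() == value.lower() for c in cells)
    cell = _cell(record, column)
    if op == "=":                # 'column=' selects rows where that column is empty
        return cell.lower() == value.lower()
    if op == "~":
        return value.lower() in cell.lower()
    if op == ":":
        return re.search(value, cell, re.I) is not None
    actual = record.get(column)
    if actual is None:
        return False
    if isinstance(actual, datetime):
        bound = parse_date(value)
    else:
        actual, bound = float(actual), float(value)
    return actual < bound if op == "<" else actual > bound


def apply_filter(records, powerfilter):
    """Return the records selected by the filter, honouring rows, first and sort."""
    control = {"rows": "10", "first": "1"}
    groups, pending_and, negate, regexp = [], False, False, False
    for raw in re.findall(r'"[^"]*"|\S+', powerfilter):  # a quoted phrase is one token
        tok, low = raw.replace('"', ""), raw.lower()
        if low in ("and", "or", "not", "regexp"):
            pending_and, negate = pending_and or low == "and", negate or low == "not"
            regexp = regexp or low == "regexp"
            continue
        m = TERM_RE.match(tok)
        if m and m.group(1) in CONTROL:
            control[m.group(1)] = m.group(3)
            continue
        if pending_and and groups:   # 'and' joins the clause to the previous group,
            groups[-1].append((tok, regexp, negate))
        else:                        # otherwise clauses are or-combined
            groups.append([(tok, regexp, negate)])
        pending_and = negate = regexp = False
    selected = [r for r in records if not groups or any(
        all(match_term(r, t, rx) != neg for t, rx, neg in g) for g in groups)]
    for key, reverse in (("sort", False), ("sort-reverse", True)):
        if key in control:
            selected.sort(key=lambda r: _cell(r, control[key]).lower(), reverse=reverse)
    first, rows = int(control["first"]) - 1, int(control["rows"])
    return selected[first:] if rows < 0 else selected[first:first + rows]  # -1: all rows


# Constructed rows in the shape of a Targets list page.
SAMPLE = [
    {"name": "Localhost", "hosts": "127.0.0.1", "comment": "",
     "created": datetime(2019, 2, 3, 13, 30, tzinfo=timezone.utc)},
    {"name": "Mail server", "hosts": "10.128.4.22", "comment": "IANA registered",
     "tag": "target:server=mail", "created": datetime(2019, 1, 15, tzinfo=timezone.utc)},
    {"name": "Legacy DMZ", "hosts": "192.168.222.7", "comment": "remote exploit suspected",
     "created": datetime(2018, 6, 1, tzinfo=timezone.utc)},
    {"name": "Build host", "hosts": "10.128.9.1", "comment": "exploit kit seen",
     "created": datetime(2019, 2, 5, tzinfo=timezone.utc)},
]


def names(powerfilter):
    """Names of the sample rows selected by a filter, in result order."""
    return [r["name"] for r in apply_filter(SAMPLE, powerfilter)]
```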

Saving and Managing Powerfilters

Often used filters can be saved simplifying their re-use as follows:


1. Enter the name of the filter in the right input box in the filter bar (see figure Saving a filter
(page 84)).

Fig. 7.11: Saving a filter

2. Click .
→ The filter is saved and can be selected in the drop-down-list.

Note: If JavaScript is activated, the filter is applied immediately after being selected from the
drop-down-list. Otherwise, click to apply the selected filter.

Tip: If a specific filter should always be activated on a page, it can be set as default filter in the user
settings (see also chapter Changing the User Settings (page 87)).

All existing filters can be displayed by selecting Configuration > Filters in the menu bar (see figure
Managing filters (page 85)).
For all filters the following actions are available:
• Delete the filter.
• Edit the filter.
• Clone the filter.


Fig. 7.12: Managing filters

• Download the filter as an XML file.

Note: By clicking or below the list of filters more than one filter can be deleted or exported at a
time. The drop-down-list is used to select which filters are deleted or exported.

Filters can also be created using the page Filters as follows:


1. Select Configuration > Filters in the menu bar.
2. Create a new filter by clicking in the upper left corner.
3. Define the name of the filter.
4. Define the filter criteria in the input box Term (see Chapter Syntax of the Powerfilter (page 81)).
5. Select the resource type for which the filter should be applied in the drop-down-list Type (see
figure Creating a new filter (page 85)).

Fig. 7.13: Creating a new filter

6. Click Create.
→ The filter can be used for the resource type for which it was created.

7.1.5 Tags

Tags are information that can be linked to any resource. Tags are created directly with the resources
and can only be linked to the resource type they are created for.
In this example a tag is created for a target:
1. Create a target (see Creating a Target (page 113)).
2. Click on the created target on the page Targets.
3. For User Tags click .


4. Define the tag (see figure Tag for the resource type Host (page 86)).
5. Click Create.
→ The tag is displayed on the page Tags (Configuration > Tags in the menu bar) and can be used
to filter objects with help of the Powerfilter (see section Filtering the Page Content (page 80)).

Fig. 7.14: Tag for the resource type Host

Example: When filtering for tag=target:server the specific tag must be set. Otherwise, the desired
result would not be found. With tag="target:server=mail" the exact tag with the respective value
must be set (see figure Tag for the resource type Host (page 86)).

7.2 List Pages and Details Pages

Basically, there are two different types of pages on the web interface:
List page List pages give a tabular overview of all items of one kind, e.g. the list page Scan Configs
shows all available scan configurations (see figure List page with tabular overview (page 86)).

Fig. 7.15: List page with tabular overview

The list page provides information such as name, status, type or possible actions. The information
shown in the table depends on the item type.
List pages are opened by selecting the desired page in the menu bar, e.g. selecting Configuration
> Scan Configs in the menu bar opens the list page Scan Configs.


Details page The details page of a specific item is opened by clicking on the name of the item in the
column Name on the list page.
The details page provides further information and actions.

Fig. 7.16: Details page

For most items, tags (see Chapter Tags (page 85)) and permissions (see Chapter Managing
Permissions (page 98)) can be added on the details page.
By clicking in the upper left corner the list page of the corresponding item type is opened.

7.3 Using the Trashcan

The page Trashcan is opened by selecting Extras > Trashcan in the menubar. The page lists all re-
sources that are currently in the trashcan, grouped by resource type.
The summary table Content shows all possible types with item counts. By clicking on a resource name
the corresponding section on the page is shown.
The trashcan can be emptied by clicking Empty Trashcan.
In the section of the respective resource type the single resources can be managed:
• Clicking moves the resource out of the trashcan and back to its regular page. When the re-
source depends on another resource, it cannot be restored.
• Clicking removes the resource entirely from the system. When another resource in the trash-
can depends on the resource, it cannot be deleted.

7.4 Changing the User Settings

Every user of the GSM appliance can manage their own settings for the web interface. These settings
can be accessed by either selecting Extras > My Settings in the menu bar or by clicking on the user
name in the top right corner of the page.
The settings can be modified by clicking .


Fig. 7.17: Managing user settings

Important settings are:


Timezone The GSM saves all information in the UTC time zone internally. In order to display the data
in the time zone of the user the respective selection is required.
Password The user password can be changed here.
User Interface Language The language can be defined here. The browser settings are used by de-
fault.
Rows Per Page This defines the number of results in a list.
Wizard Rows This defines up to how many tasks the task wizard is displayed. For example, if the value
is set to 3, the wizard is no longer displayed in the task overview as soon as 4 or more tasks
exist.
Details Export File Name This defines the default name of the file for exported resource details. The
format string can contain alphanumeric characters, hyphens, underscores and placeholders
that will be replaced as follows:
• %C: The creation date in the format YYYYMMDD. Changed to the current date if a creation
date is not available.
• %c: The creation time in the format HHMMSS. Changed to the current time if a creation time
is not available.
• %D: The current date in the format YYYYMMDD.
• %F: The name of the format plug-in used (XML for lists and types other than reports).
• %M: The modification date in the format YYYYMMDD. Changed to the creation date or to
the current date if a modification date is not available.
• %m: The modification time in the format HHMMSS. Changed to the creation time or to the
current time if a modification time is not available.
• %N: The name for the resource or the associated task for reports. Lists and types without
a name will use the type (see %T).
• %T: The resource type, e.g. “task”, “port_list”. Pluralized for list pages.
• %t: The current time in the format HHMMSS.
• %U: The unique ID of the resource or “list” for lists of multiple resources.
• %u: The name for the currently logged in user.


• %%: The percent sign (%).


List Export File Name This defines the default name of the file for exported resource lists (see
above).
Report Export File Name This defines the default name of the file for exported reports (see above).
Severity Class This defines the classification of the vulnerability with respect to the score.
• NVD Vulnerability Severity Ratings
– 7.0 - 10.0: High
– 4.0 - 6.9: Medium
– 0.0 - 3.9: Low
• BSI Vulnerability Traffic Light
– 7.0 - 10.0: Red
– 4.0 - 6.9: Yellow
– 0.0 - 3.9: Green
• OpenVAS classic
– 5.1 - 10.0: High
– 2.1 - 5.0: Medium
– 0.0 - 2.0: Low
• PCI-DSS
– 4.3 - 10.0: High
– 0.0 - 4.2: None
Filter Specific default filters for each page can be specified here. The filters are then activated auto-
matically when the page is loaded.
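
The placeholder expansion described under Details Export File Name above, as an added example that is not the GSM's own implementation: the placeholder names, the allowed literal characters and the fallback rules (missing creation date or time becomes the current one, missing modification date or time becomes the creation one) are taken from the list above; the keyword parameters, the sample timestamps and the error handling are assumptions made for this illustration.

```python
from datetime import datetime, timezone

# Constructed sample timestamps so that the expansion is reproducible offline.
SAMPLE_NOW = datetime(2019, 7, 25, 13, 45, 7, tzinfo=timezone.utc)
SAMPLE_CREATED = datetime(2019, 7, 1, 8, 30, 0, tzinfo=timezone.utc)

# The manual allows alphanumeric characters, hyphens, underscores and placeholders.
ALLOWED_LITERALS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
)


def expand_export_name(template, *, resource_type, user, name=None, uid=None,
                       is_list=False, fmt="XML", created=None, modified=None,
                       now=None):
    """Expand an export file name format string.

    Fallbacks follow the manual: a missing creation date/time is replaced by
    the current one; a missing modification date/time is replaced by the
    creation one (and so by the current one if both are missing).
    """
    now = now or datetime.now(timezone.utc)
    created = created or now
    modified = modified or created
    # %T is pluralized for list pages; %N falls back to the type for lists
    # and for resources without a name; %U is "list" for lists.
    rtype = resource_type + "s" if is_list else resource_type
    values = {
        "C": created.strftime("%Y%m%d"),
        "c": created.strftime("%H%M%S"),
        "D": now.strftime("%Y%m%d"),
        "F": fmt,
        "M": modified.strftime("%Y%m%d"),
        "m": modified.strftime("%H%M%S"),
        "N": name if (name and not is_list) else rtype,
        "T": rtype,
        "t": now.strftime("%H%M%S"),
        "U": "list" if is_list else (uid or ""),
        "u": user,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%":
            key = template[i + 1:i + 2]  # empty string at end of template
            if key not in values:
                raise ValueError("unknown placeholder %%%s in %r" % (key, template))
            out.append(values[key])
            i += 2
        elif ch in ALLOWED_LITERALS:
            out.append(ch)
            i += 1
        else:
            raise ValueError("character %r is not allowed in a format string" % ch)
    return "".join(out)


if __name__ == "__main__":
    print(expand_export_name("%T-%N-%C-%c", resource_type="task", user="admin",
                             name="weekly", uid="abc", created=SAMPLE_CREATED,
                             now=SAMPLE_NOW))
```

Rejecting unknown placeholders instead of passing them through keeps a typo in the setting from silently producing a file name that contains a literal `%`.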

7.5 Setting the Auto-Refresh

When an auto-refresh is set, the page refreshes automatically after the selected time interval.
The following time intervals are possible:
• Every 30 seconds
• Every 60 seconds
• Every 2 minutes
• Every 5 minutes
The auto-refresh can be set by selecting the desired time interval in the drop-down-list at the top of
the page (see figure Setting the auto-refresh (page 89)).

Fig. 7.18: Setting the auto-refresh


7.6 Displaying the Feed Status

The synchronization status of all SecInfos can be displayed by selecting Extras > Feed Status in the
menu bar.
The following information is displayed (see figure Displaying the feed status (page 90)):
• Type: feed type (NVT, SCAP or CERT)
• Content: type of information provided by the feed
• Origin: name of the feed service that is used to synchronize the SecInfos

Note: Move the mouse over an item in this column to display information about the feed service.

• Version: version number of the feed data


• Status: status information of the feed, e.g. time since the last update

Fig. 7.19: Displaying the feed status

CHAPTER 8

Managing the Web Interface

8.1 Managing Users

The Greenbone Security Manager (GSM) allows for the definition and management of multiple users
with different roles and permissions. When initializing the GSM, the first user – the web/scan admin-
istrator – is already created in the GOS administration menu. With this user, additional users can be
created and managed.
Roles The GSM user management supports a role based permission concept when accessing the web
interface. Various roles are already set up by default. Additional roles can be created and used
by an administrator. The role defines which options of the web interface can be viewed and
modified by the user. The role enforcement is not implemented in the web interface but rather
in the underlying GMP protocol and so affects all GMP clients. Read and write access can be
assigned to roles separately.
Groups In addition to roles the GSM user management supports groups as well. This serves mainly
for logical grouping.
Groups and roles may be used to assign permissions to several users at once.
Each user is assigned an IP address range containing the allowed or denied targets. The GSM appliance
will refuse to scan any other IP addresses than the ones specified. Similarly, the access to specific
interfaces of the GSM appliance can be allowed or denied.
The user management is completely done with the GSM. External sources for the user management
are not supported. However, to support central authentication and to allow password synchroniza-
tion the GSM can be integrated with a central LDAP or RADIUS server. The server will only be used to
verify the password during the login process of the user. All other settings are performed in the user
management of the GSM.

8.1.1 Creating and Managing Users

Users can be created as follows:

Note: Only administrators are allowed to create and manage additional users.

1. Log in as an administrator.
2. Select Administration > Users in the menu bar.
3. Click .
4. Define the user (see figure Creating a new user (page 92)).
The following specifications have to be made:


Fig. 8.1: Creating a new user

• Login Name This is the name used for logging in. When an LDAP or a RADIUS server is
used for central password management, the user needs to be created with the identical
name (rDN) as used by the server. The name can contain letters and numbers and can
be at most 80 characters long.
• Password This is the password used for logging in. The password can contain any type of
character and can be at most 40 characters long.

Note: When using special characters, note that they have to be available on all used key-
boards and operating systems.

• Roles (optional) Each user can have multiple roles. The roles define the permissions of a
user when using the GMP protocol. While it is possible to add and configure additional
roles, by default the roles Admin, User, Info, Observer, Guest and Monitor are available.
For further details see Chapter Managing Roles (page 94).
• Groups Each user can be a member of multiple groups. Permissions management can be
performed using groups as well (see Chapter Managing Permissions (page 98)).
• Host Access The user can specify which systems should or should not be considered in
a scan. The restrictions also apply to administrators but they are allowed to remove
them themselves. Normal users (User) and roles without access to the user manage-
ment cannot circumvent the restrictions. Basically either a whitelist (deny all and al-
low) or a blacklist (allow all and deny) is possible.
– Whitelist The scanning of all systems is denied in general. Only explicitly listed
systems are allowed to be scanned.
– Blacklist The scanning of all systems is allowed in general. Only explicitly listed
systems are not allowed to be scanned.

Tip: In general the whitelist methodology should be used. This ensures that users do
not scan systems lying beyond their responsibility, located somewhere on the Internet
or reacting to malfunctioning scans by accident.

System names as well as IPv4 and IPv6 addresses can be entered. Individual IP ad-
dresses as well as address ranges and network segments can be specified. The fol-
lowing listing shows some examples:
– 192.168.15.5 (IPv4 address)
– 192.168.15.5-192.168.15.27 (IPv4 range long form)
– 192.168.15.5-27 (IPv4 range short form)


– 192.168.15.128/25 (CIDR notation)


– 2001:db8::1 (IPv6 address)
– 2001:db8::1-2001:db8::15 (IPv6 range long form)
– 2001:db8::1-15 (IPv6 range short form)
– 2001:db8::/120 (CIDR notation)
All options can be mixed and matched and entered as a comma-separated list. The
netmask in the CIDR notation is restricted to a maximum of /20 for IPv4 and /116 for
IPv6. In both cases the result is a maximum of 4096 IP addresses.
• Interface Access This refers to the input box Network Source Interface when creating a
new task (see Creating a Task (page 115)). If a task is bound to a certain network inter-
face by its configuration and a user has no access to this network interface, the user
is restricted from running the task successfully. A comma-separated list of network
adapters can be entered. Similar to Host Access a whitelist or a blacklist methodology
is possible (see above).
5. Click Create.
→ The user is created and displayed on the page Users.
6. Click on the name of a user to display the details (see figure Details of a user (page 93)).

Fig. 8.2: Details of a user
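
A parser for the Host Access list format described in step 4 above, as an added example; it is not the GSM's own implementation. The entry forms (single address, long and short range, CIDR, system name), the comma separation, the whitelist/blacklist semantics and the 4096 address cap are taken from the manual; applying the same cap to ranges, the case-insensitive comparison of system names and the class name `HostAccess` are assumptions made for this illustration.

```python
import ipaddress

# The manual limits CIDR blocks to /20 (IPv4) or /116 (IPv6), i.e. 4096 addresses.
# Assumption: the same cap is applied to explicit ranges here.
MAX_ADDRESSES = 4096


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _expand_range(start_text, end_text):
    """Expand 'a-b'; b is a full address (long form) or only the last
    component of a (short form, e.g. 192.168.15.5-27 or 2001:db8::1-15)."""
    start = ipaddress.ip_address(start_text)
    if _is_ip(end_text):
        end = ipaddress.ip_address(end_text)
    else:
        sep = "." if start.version == 4 else ":"
        prefix = str(start).rsplit(sep, 1)[0]
        end = ipaddress.ip_address(prefix + sep + end_text)
    if end.version != start.version or int(end) < int(start):
        raise ValueError("invalid range %s-%s" % (start_text, end_text))
    count = int(end) - int(start) + 1
    if count > MAX_ADDRESSES:
        raise ValueError("%s-%s covers %d addresses (limit %d)"
                         % (start_text, end_text, count, MAX_ADDRESSES))
    # type(start)(i) keeps the address family (ip_address(int) would guess IPv4).
    return {type(start)(i) for i in range(int(start), int(end) + 1)}


def _expand_entry(entry):
    """Return (addresses, hostnames) for one comma-separated list element."""
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_ADDRESSES:
            raise ValueError("%s covers %d addresses (limit %d)"
                             % (entry, net.num_addresses, MAX_ADDRESSES))
        return set(net), set()
    if _is_ip(entry):
        return {ipaddress.ip_address(entry)}, set()
    left, sep, right = entry.partition("-")
    if sep and _is_ip(left):
        return _expand_range(left, right), set()
    # Anything else is treated as a system name; hostnames may contain '-'.
    return set(), {entry.lower()}


class HostAccess:
    """Whitelist: deny all, allow the listed hosts. Blacklist: allow all, deny them."""

    def __init__(self, mode, spec):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.addresses, self.hostnames = set(), set()
        for entry in (e.strip() for e in spec.split(",")):
            if entry:
                addrs, names = _expand_entry(entry)
                self.addresses |= addrs
                self.hostnames |= names

    def listed(self, target):
        if _is_ip(target):
            return ipaddress.ip_address(target) in self.addresses
        return target.lower() in self.hostnames

    def allowed(self, target):
        hit = self.listed(target)
        return hit if self.mode == "whitelist" else not hit


if __name__ == "__main__":
    acl = HostAccess("whitelist", "192.168.15.5-27, 192.168.15.128/25, 2001:db8::1-15")
    print(len(acl.addresses), acl.allowed("192.168.15.20"), acl.allowed("192.168.15.28"))
```

Expanding every entry up front makes the size check explicit and keeps the later allow/deny decision a plain set lookup, which is the behaviour a reviewer would expect from the whitelist recommendation in the tip above.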

All existing users can be displayed by selecting Administration > Users in the menu bar when logged
in as an administrator.
For all users the following actions are available:
• Delete the user. Only users which are currently not logged in can be deleted.
• Edit the user.
• Clone the user.
• Download the user as an XML file.
Click on the name of a user to open the details page of the user. The same actions are available there.

8.1.2 Simultaneous Login

It is possible that two users are logged in at the same time.


If the same user wants to log in more than once at the same time, the login must be performed from a
different PC or with a different browser. Another login in the same browser invalidates the first login.

8.1.3 Creating a Guest Login

The guest user is only allowed to access the page SecInfo (see chapter SecInfo Management
(page 181)).


To allow the guest access, a user can be created and assigned the role Guest (see Chapter Creating
and Managing Users (page 91)).
Having knowledge of the password the guest user can now log in and is presented with the SecInfo
dashboard.
To allow a guest to log in without needing a password, this feature has to be activated in the GOS
administration menu (see Chapter Enabling a Guest User (page 26)).

8.1.4 Creating a Super Administrator

The role Super Admin is the highest level of access.


The role Admin is allowed to create, modify and delete users. Additionally, it can view, modify and
delete permissions but is subordinated to those permissions as well. If any user creates a private
scan configuration but does not share it, the administrator cannot access it. The administrator would
have to assign respective permissions to the resource created by the user to himself which is quite
tedious.
The role Super Admin is more suited for diagnostic purposes. The super administrator is excluded
from permission restrictions and allowed to view and edit any configuration settings of any user.
The super administrator has to be created in the GOS administration menu (see Chapter Creating a
Super Administrator (page 26)).

Note: The super administrator can only be edited by the super administrator.

8.2 Managing Roles

The web interface supports the creation and configuration of own user roles. Modifying the default
roles is not possible but they can be copied (cloned) and subsequently modified. This ensures consis-
tent behaviour when updating the software.
To access the role management click Administration > Roles in the menu bar.
The following roles are available by default:
• Admin This role has all permissions by default. It is especially allowed to create and manage
other users, roles and groups.
• User This role has all permissions by default except for user, role and group management. This
role is not allowed to synchronize and manage the feeds. In the web interface there is no
access to the page Administration.
• Info This role (Information Browser) has only read access to the NVTs and SCAP information. All
other information is not accessible. The role can modify personal settings, e.g. change the
password.
• Guest This role corresponds with the role Info but is not allowed to change the user settings.
• Monitor This role has access to system reports of the GSM (see Chapter Appliance Performance
(page 265)).
• Observer This role has read access to the system but is not allowed to start or create new
scans. It has only read access to the scans for which it has been set as an observer.
• Super Admin This role has access to all objects of all users. It has no relation to the SuperUser
in the GOS administration menu. This role cannot be configured in the web interface but in
the GOS administration menu (see Chapter Creating a Super Administrator (page 94)).


8.2.1 Creating and Managing Roles

Additional roles can be created.

Note: Only administrators are allowed to create and manage additional roles.

When an existing role closely reflects the demands, a new role can be created by copying the existing
role.
1. Log in as an administrator.
2. Select Administration > Roles in the menu bar.
3. In the row of an existing role click .
→ The details of the new role are displayed.
4. Click .
5. Define the role (see figure Editing a copied role (page 95)). Permissions can be added or deleted.

Fig. 8.3: Editing a copied role

6. Click Save.
7. Click .
→ The page Roles is opened.
When a role with only limited functionality should be created, it can be started with a new, empty role.
1. Log in as an administrator.
2. Select Administration > Roles in the menu bar.
3. Create a new role by clicking .
4. Define the role.
5. Click Create.
→ The role is created and displayed on the page Roles.
6. In the row of the newly created role click .


7. Define the permissions of the role.


8. Click Save.

Note: Some permissions are required:


• authenticate and get_settings These permissions are necessary to log in to the web interface.
• write_settings (optional) This allows a user to change their own password, time zone and other
personal settings.

A user can have more than one role to group permissions. The roles are assigned when creating a new
user (see figure Creating a new user with multiple roles (page 96), see Chapter Creating and Managing
Users (page 91)). If more than one role is assigned to a user, the permissions of the roles will be added.

Fig. 8.4: Creating a new user with multiple roles

All existing roles can be displayed by selecting Administration > Roles in the menu bar.
For all roles the following actions are available:
• Delete the role. Only self-created roles can be deleted.
• Edit the role. Only self-created roles can be edited.
• Clone the role.
• Download the role as an XML file.
Click on the name of a role to open the details page of the role. The same actions are available there.

8.2.2 Granting Read Access to Other Users

By default, only administrators can grant other users read access to tasks and reports. Regular users
cannot share their tasks and reports with other users.
If users want to assign read access for their tasks and reports to other users they require the permis-
sion get_users. This permission is not granted by default but can be added as follows:
1. Log in to the web interface as an administrator.
2. Select Administration > Roles in the menu bar.
3. Create a new role by clicking .
4. Enter GrantReadPriv in the input box Name.


5. Click Create.
→ The role is created and displayed on the page Roles.
6. In the row of the newly created role click .
7. In the drop-down-list Name in the section New Permission select get_users (Has read access
to users) (see figure Selecting permissions for a new role (page 97)).

Fig. 8.5: Selecting permissions for a new role

8. Click Create Permission.


→ The permission is displayed in the section General Command Permissions (see figure A new
permission is added to a role (page 97)).

Fig. 8.6: A new permission is added to a role

9. Click Save.
10. Select Administration > Users in the menu bar.
11. In the row of the user which should be assigned the newly created role click .
12. In the input box Roles add the role GrantReadPriv.
13. Click Save.

Note: Additionally, the permissions get_groups — granting read access to a group — and get_roles
— granting read access to a role — are available and follow the same principle as described above.

8.3 Managing Groups

Groups are used to logically assemble users. An unlimited number of groups can be created. Permis-
sions can be assigned for the groups (see Chapter Managing Permissions (page 98)). By default, no
groups are set up.

A group is created as follows:

Note: Only administrators are allowed to create and manage additional users.

1. Log in as an administrator.
2. Select Administration > Groups in the menu bar.
3. Create a new group by clicking .
4. Define the group (see figure Creating a new group (page 98)).
The following specifications have to be made:
• Name The name of the group can contain letters and numbers and can be at most 80 char-
acters long.
• Comment (optional) A comment describes the group in more detail.
• Users The members of the group can be entered in the input box Users, separated by a
space or comma. The entry can be at most 1000 characters long. Alternatively, group
memberships can be managed in the user profile (see Chapter Creating and Managing
Users (page 91)).

Fig. 8.7: Creating a new group

5. Click Create.
→ The group is created and displayed on the page Groups.
6. Click on the name of a group to display the details.

8.4 Managing Permissions

Select Configuration > Permissions to display all permissions assigned on the system. If multiple roles
are created, there can easily be hundreds of permissions. Each permission relates to exactly one sub-
ject. The permission enables the user to perform the associated action.
Subjects can be:
• Users
• Roles
• Groups
There are two types of permissions:
• Command permissions Command permissions are linked to the Greenbone Management Pro-
tocol (GMP). Each command permission applies to a specific GMP command. The name of
the permission is the relevant command. A command permission is either a command level
permission or a resource level permission.

– Command level When no resource is specified, a command level permission is created.
A command level permission allows the subject to run the given GMP command.
– Resource level When a resource is specified, a resource level permission is created. A
resource level permission allows the subject to run the given GMP command on a
specific resource.
• Super permissions (see Chapter Super Permissions (page 100))

8.4.1 Creating and Managing Permissions

Note: Usually, permissions are assigned in the web interface using the role management (see Chapter
Managing Roles (page 94)).
Creating and managing permissions using the page Permissions is only recommended for experienced
users looking for a specific permission.

A new permission can be created as follows:


1. Select Configuration > Permissions in the menu bar.
2. Create a new permission by clicking .
3. Define the permission.

Note: The subjects for which permissions can be assigned depend on the role of the currently
logged in user. Users can grant permissions to other users, whereas administrators can grant
permissions to users, roles and groups.

4. Click Create.
→ The permission is created and displayed on the page Permissions.
5. Click on the name of a permission to display the details.
All existing permissions can be displayed by selecting Configuration > Permissions in the menu bar.
For all permissions the following actions are available:
• Delete the permission. Only administrators can delete permissions.
• Edit the permission. Only administrators can edit permissions.
• Clone the permission. Only administrators can clone permissions.
• Download the permission as an XML file.

8.4.2 Creating Permissions from the Resource Details Page

When accessing a resource details page, e.g. the detail page of a task, permissions for the resource
can be granted directly on the details page as follows:
1. Open the details page of a resource.
Example: Select Scans > Tasks in the menu bar. Click on the name of a task.
2. In the section Permissions click .
3. Define the permission.


4. Click Create.
→ The permission is created and displayed in the section Permissions on the resource details
page.
There are two types of permissions that can be granted directly on the resource details page:
• read Granting the permission read means allowing to view the resource on list pages and on
its details page.
• proxy Granting the permission proxy means allowing to view and modify (but not delete) the
resource.
Some resource types include additional permissions:
• Tasks When granting the permission proxy for a task, the permissions to start (start_task),
stop (stop_task) and resume (resume_task) the task are added automatically.
• Alerts When granting the permission proxy for an alert, the permissions to test the alert
(test_alert) is added automatically.
• Report formats, agents and scanners When granting the permission proxy for a re-
port format, an agent or a scanner, the permissions to verify the report format
(verify_report_format), the agent (verify_agent) or the scanner (verify_scanner) is
added automatically.
For some resource types it can be selected whether the permissions should also be granted for related
resources (see figure Creating a permission from the resource details page (page 100)).
• Tasks For tasks this includes alerts and their filters, the target as well as its related credentials
and port list, the schedule, the scanner and the scan configuration.
• Targets For targets this includes credentials and the port list.
• Alerts For alerts this includes the filter that is used on the report.

Note: Permissions can also be created only for the related resources.
The details of the related resources can be displayed by clicking the links below the drop-down-list.

Fig. 8.8: Creating a permission from the resource details page

8.4.3 Super Permissions

Any resource created on the GSM (e.g. scan, configuration and target) is either global or owned by a
specific user. Global resources are identified by .


Non-global resources can initially be viewed and used only by their owner. Individual permissions are
necessary to make the resources available to other users which is quite tedious.
To avoid that, users, roles and groups can be assigned with super permissions. This makes all objects
of other users, roles or groups accessible.
A user can get super permissions for:
• User
• Role
• Group
• Any
These super permissions allow complete access to any resource of the respective user, role, group or
effectively all resources.

Note: The super permission Any cannot be set explicitly. It is restricted to the super administrator
(see Chapter Creating a Super Administrator (page 94)) and can only be set by creating such.

A user can only set super permissions for self-created objects. Only the super administrator can grant
super permissions to any other user, role or group.
1. Open the detail page of the user/role/group for which super permissions should be assigned by
clicking on the name of the user/role/group on the page Users/Roles/Groups.
→ The resource ID can be found in the upper right corner (see figure ID of a resource (page 101)).

Fig. 8.9: ID of a resource

2. Note or copy the ID.


3. Select Configuration > Permissions in the menu bar.
4. Create a new permission by clicking .
5. In the drop-down-list Name select Super (Has super access).
6. Select the radiobutton of the subject type that should have super permissions (see figure Cre-
ating a new super permission (page 102)).
7. In the according drop-down-list select the user/role/group that should have super permissions
(see figure Creating a new super permission (page 102)).
8. Enter or paste the previously determined resource ID into the input box ID (see figure Creating a
new super permission (page 102)).
9. Click Create.
→ The super permission is created and displayed on the page Permissions.
10. Click on the name of the super permission to display the details.

Tip: Super permissions simplify the permission management on the GSM. They can easily be assigned
for entire groups. This allows all users of a group to access all resources that are created by other
members of the group.


Fig. 8.10: Creating a new super permission

8.4.4 Sharing Individual Objects for Other Users

Every user can share an unlimited number of self-created objects. The user must be assigned the per-
mission get_users. Otherwise, the user will not have permission to determine the names of other users
(see Chapter Granting Read Access to Other Users (page 96)).
An object can be shared as follows:
1. Open the detail page of the object which should be shared by clicking on the name of the object
on the respective page.
→ The object ID can be found in the upper right corner (see figure ID of an object (page 102)).

Fig. 8.11: ID of an object

2. Note or copy the ID.


3. Select Configuration > Permissions in the menu bar.
4. Create a new permission by clicking .
5. In the drop-down-list Name select the permission for the object to be shared.
• Filter: get_filters
• Scan configuration: get_configs
• Alert: get_alerts
• Note: get_notes
• Override: get_overrides
• Tag: get_tags
• Target: get_targets
• Task with report: get_tasks
• Schedule: get_schedules
6. Select the radiobutton of the subject type the object should be shared with (see figure Share
objects with other users (page 103)).


7. In the according drop-down-list select the user/role/group the object should be shared with
(see figure Share objects with other users (page 103)).
8. Enter or paste the previously determined object ID into the input box ID (see figure Share objects
with other users (page 103)).

Fig. 8.12: Share objects with other users

9. Click Create.
→ The permission is created and displayed on the page Permissions.
10. Click on the name of the permission to display the details.

8.5 Using a Central User Management

Especially in larger environments with multiple users it is often difficult to achieve password syn-
chronization. The effort to create new or reset passwords is often very high. To avoid this, the GSM
supports the usage of a central password store using LDAP or RADIUS.
The GSM will use the service only for authentication on a per user basis, i.e. users who should be able
to authenticate by the service have to be configured for authentication and to exist on the GSM as
well.

Note: Prerequisite for using central authentication is the naming of the users with the same names
as the objects in the LDAP tree or the RADIUS server.

8.5.1 LDAP

For the connection to an LDAP tree the GSM uses a very simple interface and a simple bind operation
with a hard coded object path. The LDAP authentication is done as follows:
1. Log in as an administrator.
2. Select Administration > LDAP in the menu bar.
3. Activate the checkbox Enable.
4. Enter the distinguished name (DN) of the objects in the input box Auth. DN.

Note: The wildcard %s replaces the user name.


Examples for the Auth. DN are:


• cn=%s,ou=people,dc=domain,dc=de This format works for any LDAP server with the
correct attributes. The attribute cn (common name) is used. Users in different sub trees
or different recursive depths of an LDAP tree are not supported. All users logging into
the GSM must be in the same branch and in the same level of the LDAP tree.
• uid=%s,ou=people,dc=domain,dc=de This format works for any LDAP server with the
correct attributes. The attribute uid (user ID) is used as a filter. It should be in the first
place. The attributes ou=people,dc=domain,dc=de are used as base objects to perform
a search and to retrieve the corresponding DN.
• %[email protected] This format is typically used by Active Directory. The exact location of the
user object is irrelevant.
• domain.de\%s This format is typically used by Active Directory. The exact location of the
user object is irrelevant.

5. Enter the LDAP host in the input box LDAP host.

Note: Only one system can be entered by IP address or by name.


The GSM accesses the LDAP host using SSL/TLS. For verifying the host, the certificate of the host
has to be uploaded to the GSM. Without SSL/TLS the LDAP authentication will not be accepted
(see Chapter LDAP with SSL/TLS (page 104)).

Fig. 8.13: Configuring an LDAP authentication

6. Click Save.
→ When the LDAP authentication is enabled, the option LDAP Authentication Only is available
when creating or editing a user. By default, this option is disabled.
7. Create a new user or edit an existing user (see Chapter Managing Users (page 91)).
8. Activate the checkbox LDAP Authentication Only when the user should be allowed to authenti-
cate using LDAP (see figure Enabling authentication using LDAP (page 105)).

Note: The user has to exist with the same name in LDAP before the authentication with LDAP can be
used. The GSM does not add, modify or remove users in LDAP and it does not automatically grant any
user from LDAP access to the GSM.

8.5.2 LDAP with SSL/TLS

The GSM uses either the command StartTLS via LDAP on port 389 or SSL/TLS via LDAP on port 636.
The LDAP server must offer its services via SSL/TLS.


Fig. 8.14: Enabling authentication using LDAP

The following references are helpful for the exact configuration of all available LDAP servers:
• Microsoft: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
• OpenLDAP: http://www.openldap.org/doc/admin24/tls.html
To verify the identity of the LDAP server, the GSM has to trust its certificate. For this, the certificate of
the issuing certificate authority must be stored on the GSM. To do so the certificate of the certificate
authority must be exported as a Base64 encoded file. A Base64 encoded certificate often uses the
file extension .pem. The file itself starts with -----BEGIN CERTIFICATE-----.
If the certificate authority is an intermediate certificate authority, the complete certificate chain needs
to be imported. This is often true if an official certificate authority is used because the Root CA is
separated from the Issuing Certificate Authority. In these cases the contents of the file look like:
-----BEGIN CERTIFICATE-----
......
Issuing Certificate Authority
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
......
Root CA
......
-----END CERTIFICATE-----

The actual place where this certificate can be found may vary based on the environment.
• Univention Corporate Server (UCS)
Here the CA certificate is retrieved from the file /etc/univention/ssl/ucsCA/CAcert.pem.
This file already contains the certificate in the correct format and must be uploaded when en-
abling LDAP.
• Active Directory LDAP
If the Active Directory LDAP service does not yet use LDAPS, the following article may
be helpful: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
The CA certificates of the Active Directory LDAP service can then be exported using the
following procedure, which must be performed from a desktop or server that has access to
the Certification Authority console.
– Open the Certification Authority console from any domain-joined computer or server.
– Right-click the name of the certification authority and then select Properties.

Chapter 8. Managing the Web Interface

– In the CA certificates dialog box, choose the General tab, and then select the certificate for
the certification authority that should be accessed.
– Choose View Certificate.
– In the Certificate dialog box, choose the Certification Authority tab. Select the name of the
root certification authority and then choose View Certificate.
– In the Certificate dialog box, choose the Details tab and then choose Copy to File.
– The Certificate Export Wizard appears. Choose Next.
– On the Export File Format page, select the Base-64 encoded X.509 (.CER) option.
– Choose Next.
– In the File to Export box, choose the path and name for the certificate, and then choose
Next.
– Choose Finish. The .cer file will be created in the location that was specified in the previous
step.
– A dialog box appears to inform that the export was successful. Choose OK to finish.
The contents of the file must be uploaded when enabling LDAP.
If the LDAP authentication does not work, verify that the entry in LDAP Host matches the commonName
of the LDAP server's certificate exactly. If there is any deviation, the GSM appliance refuses to use the
LDAP server.
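A pre-flight check for the exported CA file and for the LDAPS endpoint, added here as an example; it is not part of this manual or of GOS. It assumes a Base64/PEM chain file in the order shown above (issuing CA first, root CA last) and an LDAPS listener on port 636; ca-chain.pem and ldap.example.com are placeholder names, and SAMPLE_BUNDLE is a constructed stand-in, not a real certificate chain. One caveat: Python checks the server name against the certificate's subjectAltName first and falls back to the commonName only when no subjectAltName is present, whereas the GSM requires the commonName to match LDAP Host, so the function also returns the commonName for a manual comparison.

```python
"""Check a CA chain file before uploading it to the GSM, and verify an
LDAPS endpoint the way the GSM will when authenticating a user.

Added example, not part of the Greenbone manual or GOS.
"""
import base64
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for an exported chain file (issuing CA first, root CA
# last). The Base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Um9vdENB
-----END CERTIFICATE-----
"""


def split_pem_bundle(text: str) -> list:
    """Return the PEM certificate blocks of `text` in file order.

    Raises ValueError when the data is not PEM at all (e.g. a DER .cer export,
    which lacks the BEGIN/END markers the manual requires), when a block body
    is not valid Base64, or when there is other text between the blocks (such
    as the 'Bag Attributes' headers an openssl pkcs12 export prepends), so the
    file can be fixed before it is uploaded.
    """
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        raise ValueError("no -----BEGIN CERTIFICATE----- block: export as Base-64 encoded X.509")
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:
        raise ValueError(f"unexpected text outside certificate blocks: {leftover[:40]!r}")
    blocks = []
    for body in bodies:
        b64 = "".join(body.split())
        try:
            base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        except ValueError as exc:
            raise ValueError(f"certificate body is not valid Base64: {exc}") from None
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----")
    return blocks


def verify_ldaps(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS connection to host:port, validating the server certificate
    against the CA chain in `cafile` and the name `host` (pass exactly the
    value entered as LDAP Host). Raises ssl.SSLCertVerificationError on an
    untrusted chain or a name mismatch; on success returns the certificate's
    commonName, subjectAltName and issuer for a manual comparison.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "commonName": subject.get("commonName"),
        "subjectAltName": [v for _, v in cert.get("subjectAltName", ())],
        "issuer": issuer.get("commonName"),
    }


if __name__ == "__main__":
    import sys
    cafile, host = sys.argv[1:3]          # e.g. ca-chain.pem ldap.example.com (placeholders)
    with open(cafile) as fh:
        chain = split_pem_bundle(fh.read())
    print(f"{cafile}: {len(chain)} certificate(s) in PEM format")
    info = verify_ldaps(host, cafile)
    print(f"TLS handshake with {host}:636 succeeded; CN={info['commonName']}, "
          f"SAN={info['subjectAltName']}, issued by {info['issuer']}")
```

Run it with the file you are about to upload and the exact LDAP Host value; a handshake failure here means the GSM will refuse the server too, and a commonName that differs from LDAP Host needs fixing even if the handshake succeeds via the subjectAltName.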

8.5.3 RADIUS

The RADIUS authentication is done as follows:


1. Log in as an administrator.
2. Select Administration > Radius in the menu bar.
3. Activate the checkbox Enable.
4. Enter the host name or IP address of the RADIUS server in the input box RADIUS Host.
5. Enter the common preshared secret key in the input box Secret Key.

Fig. 8.15: Configuring a RADIUS authentication

6. Click Save.
→ When the RADIUS authentication is enabled, the option RADIUS Authentication Only is avail-
able when creating or editing a user. By default, this option is disabled.
7. Create a new user or edit an existing user (see Chapter Managing Users (page 91)).
8. Activate the checkbox RADIUS Authentication Only when the user should be allowed to authen-
ticate using RADIUS (see figure Enabling authentication using RADIUS (page 107)).


Fig. 8.16: Enabling authentication using RADIUS


CHAPTER 9

Scanning a System

9.1 Performing a Scan

Generally speaking the GSM can use two different approaches to scan a target:
• Remote scan
• Authenticated scan using local security checks

9.1.1 Running a Simple Scan

This section describes the first steps for configuring a first scan.
Basically two options are available:
• Using the task wizard that creates all required configurations for a first scan with only very little
input
• Configuring the scan manually

The steps are also explained in a video based on GOS 3.1 at https://docs.greenbone.net/Videos/gos-3.1/en/GSM-FirstScan-GOS-3.1-en-20150716.mp4.

Using the Task Wizard for a First Scan

When logging into the web interface of the GSM appliance for the first time after initial set up an empty
dashboard will be displayed (see figure The dashboard is displayed empty by default (page 109)).

Fig. 9.1: The dashboard is displayed empty by default


A new task with the task wizard can be configured as follows:


1. Select Scans > Tasks in the menu bar.
→ If fewer than four tasks have been created yet, an overlay promoting the wizard is displayed (see
figure Overlay promoting the task wizard (page 110)).

Fig. 9.2: Overlay promoting the task wizard

2. Start the wizard by clicking and selecting Task Wizard.


3. Enter the IP address or DNS name of the target system in the input box (see figure Configuring
the task wizard (page 110)).

Note: When using a DNS name however, the GSM has to be able to resolve the name.

Fig. 9.3: Configuring the task wizard

4. Click Start Scan.


→ The task wizard performs the following steps automatically:
(a) Creating a new scan target on the GSM.
(b) Creating a new scan task on the GSM.
(c) Starting the scan task immediately.
(d) Displaying the page Tasks and reloading it every 30 seconds in order to monitor the
progress of the task.
After the task is started, the progress can be monitored (see figure Page Tasks displaying the progress
of the task (page 111)).
The bar in the column Status shows information about the status of a scan. The following colours and
states are possible:


Fig. 9.4: Page Tasks displaying the progress of the task

• The task has not been run since it was created.


• The task is currently running and 42% completed. The information is based on
the number of NVTs executed on the selected hosts. For this reason the information does not
necessarily correlate with the time spent.
• The task was just started. The GSM is preparing the scan.
• The task was deleted. The actual deletion process can take some time as reports
need to be deleted as well.
• The task was stopped recently. However, the scan engine has not yet acknowledged the stop.
• The last scan was stopped by the user at 15%. The latest report is possibly not
yet complete. Other reasons for this status could be the reboot of the GSM or a power outage.
After restarting the scanner, the task will be resumed automatically.
• An error has occurred. The latest report is possibly not yet complete or is missing
completely.
• The task has been completed successfully.
• The task is a container task.
For all tasks the following actions are available:
• Start the task. Only currently not running tasks can be started.
• Stop the currently running task. All discovered results will be written to the database.
• Resume the stopped task.
• Delete the task.
• Edit the task.
• Clone the task.
• Download the task as an XML object.
The report of a task can be displayed as soon as the task has been started by clicking the bar in the
column Status.

Note: For reading, managing and downloading reports see Chapter Reports and Vulnerability Man-
agement (page 159).

Using the Advanced Task Wizard

Next to the simple wizard the GSM also provides an advanced wizard that allows for more configu-
ration options.
A new task with the advanced task wizard can be configured as follows:
1. Select Scans > Tasks in the menu bar.


2. Start the wizard by clicking and selecting Advanced Task Wizard.


3. Define the task (see figure Configuring the advanced task wizard (page 112)).

Tip: For the information to enter in the input boxes see Chapters Creating a Target (page 113)
and Creating a Task (page 115).
When an e-mail address is entered in the input box Email report to an alert is created sending
an e-mail as soon as the task is completed (see Chapter alerts).

Fig. 9.5: Configuring the advanced task wizard

4. Click Create.
→ The advanced task wizard performs the following steps automatically:
(a) Starting the scan task immediately.
(b) Displaying the page Tasks and reloading it every 30 seconds in order to monitor the
progress of the task.
After the task is started, the progress can be monitored (see Chapter Using the Task Wizard for a First
Scan (page 109)).

Using the Wizard to Modify a Task

An additional wizard can modify the e-mail address to which the report should be sent:
1. Select Scans > Tasks in the menu bar.
2. Start the wizard by clicking and selecting Modify Task Wizard.
3. Select the task which should be modified in the drop-down-menu Task (see figure Modifying a
task using the wizard (page 113)).
4. Enter the e-mail address in the input box Email report to.
5. Click Save.


Fig. 9.6: Modifying a task using the wizard

Configuring a Scan Manually

Creating a Target

The first step is to define a scan target as follows:


1. Select Configuration > Targets in the menu bar.
2. Create a new target by clicking .
3. Define the target (see figure Creating a new target (page 113)).
4. Enter the systems that should be scanned in the input box Hosts/Manual.

Note: The IP address or the DNS name is required. In both cases it is necessary that the GSM
can connect to the system. When using the DNS name, the GSM must also be able to resolve the
name.

Fig. 9.7: Creating a new target

5. Click Create.


The following information can be entered:


Name The name can be chosen freely. A descriptive name should be chosen if possible. Possibilities
are Mailserver, ClientNetwork, Webserverfarm, DMZ or the like, describing the entered systems
in more detail.
Comment The optional comment allows specifying background information. It simplifies under-
standing the configured targets later.
Hosts Manual entry of the hosts, separated by commas, or importing a list of hosts. When entering
manually the following options are available:
• Single IP address, e.g. 192.168.15.5
• Host name, e.g. mail.example.com
• IPv4 address range in long format, e.g. 192.168.15.5-192.168.15.27
• IPv4 address range in short format, e.g. 192.168.55.5-27
• IPv4 address range in CIDR notation, e.g. 192.168.15.0/24 [6] (at most 4096 IP addresses)
• Single IPv6 address, e.g. fe80::222:64ff:fe76:4cea
• IPv6 address range in long format, e.g. ::12:fe5:fb50-::12:fe6:100
• IPv6 address range in short format, e.g. ::13:fe5:fb50-fb80
• IPv6 address range in CIDR notation, e.g. fe80::222:64ff:fe76:4cea/120 (at most 4096 IP
addresses)
Multiple options can be mixed. When importing from a file, the same syntax can be used. Entries
can be separated with commas or by line breaks. When many systems have to be scanned, using
a file with the hosts is simpler than entering all hosts manually.
Alternatively the systems can be imported from the host asset database.

Note: Importing a host from the asset database is only possible if a target is created from the
page Hosts.
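The host syntax listed above is easy to get wrong in a large file, and a mistake only shows up as a missing or unexpected host in the report. The following is an added example, not code from this manual or from GOS: an independent implementation of the documented Hosts and Exclude Hosts syntax (single addresses, host names, IPv4 and IPv6 ranges in long, short and CIDR form, comma- or newline-separated) with the 4096-address ceiling the manual gives for CIDR ranges, useful for counting and checking a target list before it is uploaded. How GOS itself tokenises the field is not shown on the page; the behaviour for inputs the manual does not mention (for example overlapping ranges) is this example's own choice.

```python
"""Expand a target's Hosts / Exclude Hosts specification into single entries.

Added example, not part of the Greenbone manual or GOS; it implements the
syntax the manual lists for the Hosts field and is not the appliance's own parser.
"""
import ipaddress
import re
from ipaddress import IPv4Address

MAX_CIDR_ADDRESSES = 4096          # manual: at most 4096 addresses (IPv4 netmask /20) per CIDR entry
HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _ip(text):
    """Parse an IPv4/IPv6 address, returning None instead of raising."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _expand_entry(entry: str) -> list:
    """Expand one comma/newline separated entry into a list of address strings
    or a single host name."""
    if "/" in entry:                                   # CIDR notation, v4 or v6
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_CIDR_ADDRESSES:
            raise ValueError(f"{entry}: exceeds {MAX_CIDR_ADDRESSES} addresses (netmask too wide)")
        return [str(a) for a in net]
    if "-" in entry:
        left, right = entry.rsplit("-", 1)
        start = _ip(left)
        if start is not None:                          # a range, not a hyphenated host name
            end = _ip(right)
            if end is None:                            # short form: right side replaces last octet/hextet
                sep = "." if isinstance(start, IPv4Address) else ":"
                prefix = (str(start) if sep == "." else start.exploded).rsplit(sep, 1)[0]
                end = _ip(f"{prefix}{sep}{right}")
            if end is None or end.version != start.version:
                raise ValueError(f"{entry}: cannot parse range end {right!r}")
            if end < start:
                raise ValueError(f"{entry}: range end lies before range start")
            # type(start) keeps IPv6 ranges IPv6 even when the integer value is small
            return [str(type(start)(n)) for n in range(int(start), int(end) + 1)]
    if _ip(entry) is not None:
        return [str(_ip(entry))]
    if HOSTNAME.match(entry):
        return [entry]
    raise ValueError(f"{entry}: neither an address, a range nor a host name")


def expand_hosts(hosts: str, exclude: str = "") -> list:
    """Expand `hosts` (Hosts field) and drop everything listed in `exclude`
    (Exclude Hosts field, same syntax). Order is kept, duplicates are removed."""
    def entries(spec):
        return [e.strip() for e in spec.replace("\n", ",").split(",") if e.strip()]
    excluded = {h for e in entries(exclude) for h in _expand_entry(e)}
    result, seen = [], set()
    for e in entries(hosts):
        for h in _expand_entry(e):
            if h not in excluded and h not in seen:
                seen.add(h)
                result.append(h)
    return result


if __name__ == "__main__":
    # constructed sample target list mixing every documented form
    spec = "mail.example.com, 192.168.55.5-27, ::13:fe5:fb50-fb80\n192.168.15.0/30"
    targets = expand_hosts(spec, exclude="192.168.55.10-12")
    print(len(targets), "hosts:", ", ".join(targets[:6]), "...")
```

Feeding the Hosts file through this before uploading it catches a netmask wider than /20, a reversed range or a typo in a short-form range, each of which the web interface would otherwise report only as a rejected target or a silently smaller scan.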

Exclude Hosts Systems that should be excluded from the lists mentioned above.
Reverse Lookup Only Only scan IP addresses that can be resolved into a DNS name.
Reverse Lookup Unify If multiple IP addresses resolve to the same DNS name the DNS name will only
get scanned once.
Port list The TCP and UDP protocols each support 65535 ports. Scanning all of them often takes too
long, and most of them are unused. A manufacturer developing a new application usually registers
the respective port with the IANA (Internet Assigned Numbers Authority), so for most scans it is
enough to scan the ports registered with the IANA. Keep in mind, however, that the registered
ports are not the same as the privileged ports; privileged ports are those below 1024 [7]. The
ports 1433/tcp (MS-SQL) and 3306/tcp (MySQL) are also registered and included in the corre-
sponding lists. Nmap by default uses a different list and does not check all ports either, and
OpenVAS uses a different default as well.
TCP ports can usually be scanned simply and fast. An operating system without firewall features
always answers a TCP connection request and thereby advertises a port as being open (SYN/ACK)
or closed (RST). With UDP this is not the case: the operating system only responds reliably when
the port is closed (ICMP Port Unreachable). An open port is inferred by the scanner from the
absence of a response, so the scanner has to wait for an internal timeout for every such port.
This behaviour only holds for systems not protected by a firewall. Where a firewall exists, telling
open from closed ports is much more difficult.
[6] The maximum netmask is /20. This equals 4096 addresses.
[7] In UNIX access to these privileged ports is only allowed for privileged users (i.e. root). Ports starting at 1024 are also
available to unprivileged users.


If applications run on unusual ports and they should be monitored and tested with the GSM, the
default port lists should be verified and adapted by selecting Configuration > Port Lists in the
menu bar. If necessary, create a list that includes the desired port.
Additionally, a port list can be created on the fly by clicking next to the drop-down-list.
The default port lists cannot be modified.
Alive Test This option specifies the method used to check whether a target is reachable. Options are:
• ICMP Ping
• TCP Service Ping
• ARP Ping
• ICMP & TCP Service Ping
• ICMP & ARP Ping
• TCP Service & ARP Ping
• ICMP, TCP Service & ARP Ping
This test is not always reliable. In some environments routers and firewall systems respond
to a TCP service ping with a TCP-RST even though the host is actually not alive (see Chapter
Obstacles While Scanning (page 150)).
Network components exist that support Proxy-ARP and answer an ARP ping on behalf of other
hosts. Therefore this test often requires customization to the local environment.
SSH Credential Selection of a user that can log into the target system of a scan if it is a Linux or
UNIX system. This allows for an Authenticated Scan using local security checks (see Chapters
Using Credentials (page 121) and Running an Authenticated Scan Using Local Security Checks
(page 119)).
SMB Credential Selection of a user that can log into the target system of a scan if it is a Microsoft
Windows system. This allows for an Authenticated Scan using local security checks (see Chap-
ters Using Credentials (page 121) and Running an Authenticated Scan Using Local Security
Checks (page 119)).
ESXi Credential Selection of a user that can log into the target system of a scan if it is a VMware
ESXi system. This allows for an Authenticated Scan using local security checks (see Chapters
Using Credentials (page 121) and Running an Authenticated Scan Using Local Security Checks
(page 119)).
SNMP Credential Selection of a user that can log into the target system of a scan if it is an SNMP
aware system. This allows for an Authenticated Scan using local security checks (see Chapters
Using Credentials (page 121) and Running an Authenticated Scan Using Local Security Checks
(page 119)).
All credentials can be created on the fly by clicking next to the credential.
All created targets can be displayed by selecting Configuration > Targets in the menu bar.
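The Port list paragraph above explains why UDP scanning is slow and uncertain: TCP answers every connection request, UDP answers only when the port is closed. The following is an added example, not part of this manual or of GOS and not the OpenVAS port scanner: a plain connect()-based probe that demonstrates the asymmetry against TCP and UDP listeners it starts itself on 127.0.0.1, i.e. a host without a firewall. The probe results and the 'filtered' and 'open|filtered' states are this example's own naming.

```python
"""Show why a UDP port scan needs timeouts while a TCP scan does not.

Added example, not part of the Greenbone manual or GOS, and not the OpenVAS
port scanner. On a host without a firewall a TCP connection request is always
answered (SYN/ACK for open, RST for closed), whereas UDP is answered only when
the port is closed (ICMP Port Unreachable); an open UDP port can only be
inferred from silence after a timeout.
"""
import socket


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """'open' if the handshake completes, 'closed' on RST (connection refused),
    'filtered' if nothing comes back, which is what a dropping firewall looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:                      # includes the timeout
            return "filtered"


def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """'closed' when the kernel reports the ICMP Port Unreachable it received,
    'open' only if the service actually replied, else 'open|filtered': silence
    can be an open service that ignored the probe or a firewall that dropped it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))              # connected socket: ICMP errors are delivered to it
        try:
            s.send(b"\x00")
            s.recv(1)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _free_port(kind: int) -> int:
    """Bind an ephemeral port of the given socket type, release it and return
    the number: a port with no listener, i.e. a closed port."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo(timeout: float = 1.0) -> dict:
    """Probe one open and one closed port of each protocol on loopback.
    The kernel completes the TCP handshake for a listening socket on its own;
    the UDP socket is bound but never answers, like a service ignoring garbage."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tcp.bind(("127.0.0.1", 0))
        tcp.listen(1)
        udp.bind(("127.0.0.1", 0))
        return {
            "tcp_open": probe_tcp("127.0.0.1", tcp.getsockname()[1], timeout),
            "tcp_closed": probe_tcp("127.0.0.1", _free_port(socket.SOCK_STREAM), timeout),
            "udp_open": probe_udp("127.0.0.1", udp.getsockname()[1], timeout),
            "udp_closed": probe_udp("127.0.0.1", _free_port(socket.SOCK_DGRAM), timeout),
        }
    finally:
        tcp.close()
        udp.close()


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:10s} -> {state}")
```

Both TCP probes return instantly, while the open UDP probe returns only after the full timeout; multiply that by the number of UDP ports in a port list to see why UDP scans dominate scan time, and why a firewall that drops ICMP turns every UDP port into 'open|filtered'.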

Creating a Task

The GSM controls the execution of a scan using tasks. These tasks can be repeated regularly or run
at specific times (see Chapter Performing a Scheduled Scan (page 150)).
A task can be created as follows:
1. Select Scans > Tasks in the menu bar.
2. Create a new task by clicking and selecting New Task.
3. Define the task (see figure Creating a new task (page 116)).
4. Click Create.


Fig. 9.8: Creating a new task

The following information can be entered:


Name The name can be chosen freely. A descriptive name should be used if possible. Possibilities
to describe the entered task are Scan Mailserver, Test ClientNetwork, Check DMZ for new ports
and systems or the like.
Comment The optional comment allows for the entry of background information. It simplifies under-
standing the configured task later.
Scan Targets Select a previously configured target from the drop-down-list.
Additionally, the target can be created on the fly by clicking next to the drop-down-list.
Alerts Select a previously configured alert. Status changes of a task can be communicated to the
world via e-mail, Syslog, HTTP or a connector.
Additionally, an alert can be created on the fly by clicking next to the input box.
Schedule Select a previously configured schedule. The task can be run once or repeatedly at a pre-
determined time, e.g. every Monday morning at 6:00 am.
Additionally, a schedule can be created on the fly by clicking next to the drop-down-list.
Add results to Asset Management Selecting this option will make the systems available to the as-
set management of the GSM automatically (see Chapter Asset Management (page 175)). This
selection can be changed at a later point as well.
• Apply Overrides Overrides can be directly applied when adding the results to the asset
database.
• Min QoD Here the minimum quality of detection can be specified for the addition of the
results to the asset database.
Alterable Task Allow for modification of the task even though reports were already created. The
consistency between reports can no longer be guaranteed if tasks are altered.
Auto Delete Reports This option may automatically delete old reports. The maximum number of re-
ports to store can be configured. If the maximum is exceeded, the oldest report is automatically
deleted. The factory setting is Do not automatically delete reports.
Scanner By default, only the built-in OpenVAS and CVE scanners are supported. Sensors can be used
as additional scanning engines but need to be configured first (see Chapter Master-Sensor Setup
(page 253)).


• OpenVAS Scanner

Note: The following options are only relevant for the OpenVAS scanner. The CVE scan-
ner does not support any options.

• Scan Config The GSM comes by default with seven pre-configured scan configurations for
the OpenVAS scanner.
– Discovery Only NVTs are used that provide the most possible information of the
target system. No vulnerabilities are being detected.
– Host Discovery Only NVTs are used that discover target systems. This scan only
reports the list of systems discovered.
– System Discovery Only NVTs are used that discover target systems including in-
stalled operating systems and hardware in use.
– Full and Fast This is the default and for many environments the best option to
start with. This configuration is based on the information gathered in the prior
port scan and uses almost all NVTs. Only NVTs are used that will not damage the
target system. Plug-ins are optimized in the best possible way to keep the po-
tential false negative rate especially low. The other configurations provide
more value only in rare cases, and at much higher effort.
– Full and fast ultimate This configuration expands the Full and Fast configuration
with NVTs that could disrupt services or systems or even cause shutdowns.
– Full and very deep This configuration differs from the Full and Fast configuration
in that the results of the port scan and of the application or service detection
have no impact on the selection of the NVTs. Therefore, NVTs will be used that
have to wait for a timeout or which test for vulnerabilities of an application or
service which was not detected previously. This scan is very slow.
– Full and very deep ultimate This configuration adds the dangerous NVTs that
could cause possible service or system disruptions to the Full and very deep
configuration.
• Network Source Interface Here the source interface of the GSM for the scan can be cho-
sen.
• Order for target hosts Select how the specified network area should be searched. Options
available are:
– Sequential
– Random
– Reverse
This is interesting if for example a network, e.g. 192.168.0.0/24, is scanned that has
lots of systems at the beginning or end of the IP address range. With the selection of
the Random mode the progress view is more meaningful.
• Maximum concurrently executed NVTs per host/Maximum concurrently scanned hosts
Select the speed of the scan on one host. The default values are chosen sensibly. If more
NVTs run simultaneously on a system or more systems are scanned at the same time,
the scan may have a negative impact on either the performance of the scanned systems,
the network or the GSM appliance itself. These values maxhosts and maxchecks may be
tweaked.
All created tasks can be displayed by selecting Scans > Tasks in the menu bar (see figure Page Tasks
displaying all tasks (page 118)).
In the column Name the following icons may be displayed:


Fig. 9.9: Page Tasks displaying all tasks

• The task is marked as alterable. Some properties that would otherwise be locked once reports
exist can be edited.
• The task is configured to run on a remote scanner (see Chapter Master-Sensor Setup
(page 253))
• The task is visible to one or more other user(s).
• The task is owned by another user.
Click on the name of a task to display the details of the task.

Granting Permissions for a Task

On the details page of a task permissions for the task can be managed as follows:

Note: By default, normal users cannot create permissions for other users as they do not have read
permission to the user database. To do this a user must specifically have the get_users permission.
It makes most sense to create an additional role (see Chapter Granting Read Access to Other Users
(page 96)).

1. Open the details page of the task.


2. In the section Permissions click .
3. Select the permission type in the drop-down-list Grant.
4. Select User, Group or Role and enter the respective name (see figure Creating a new permission
(page 118)).

Fig. 9.10: Creating a new permission

5. Click Create.
→ The permission is displayed on the details page of the task (see figure Permission displayed
on the details page of a task (page 119)).


Fig. 9.11: Permission displayed on the details page of a task

After logging in the user can see the tasks and can access the respective reports.

Starting a Task

All created tasks can be displayed by selecting Scans > Tasks in the menu bar.
The bar in the column Status shows information about the status of a scan. The following colours and
states are possible:
• The task has not been run since it was created.
• The task is currently running and 42% completed. The information is based on
the number of NVTs executed on the selected hosts. For this reason the information does not
necessarily correlate with the time spent.
• The task was just started. The GSM is preparing the scan.
• The task was deleted. The actual deletion process can take some time as reports
need to be deleted as well.
• The task was stopped recently. However, the scan engine has not yet acknowledged the stop.
• The last scan was stopped by the user at 15%. The latest report is possibly not
yet complete. Other reasons for this status could be the reboot of the GSM or a power outage.
After restarting the scanner, the task will be resumed automatically.
• An error has occurred. The latest report is possibly not yet complete or is missing
completely.
• The task has been completed successfully.
• The task is a container task.
For all tasks the following actions are available:
• Start the task. Only currently not running tasks can be started.
• Stop the currently running task. All discovered results will be written to the database.
• Resume the stopped task.
• Delete the task.
• Edit the task.
• Clone the task.
• Download the task as an XML object.

9.1.2 Running an Authenticated Scan Using Local Security Checks

An authenticated scan can provide more vulnerability details on the scanned system. During an au-
thenticated scan the target is both scanned from the outside using the network and from the inside
using a valid user login.


During an authenticated scan the GSM logs into the target system in order to run local security checks
(LSC). The scan requires the prior setup of user credentials. These credentials are used to authenticate
to different services on the target system. In some circumstances the results could be limited by the
permissions of the user accounts used.
The NVTs in the corresponding NVT families (local security checks) will only be executed if the GSM
was able to log into the target system. The local security check NVTs in the resulting scan are mini-
mally invasive.
The GSM only determines the risk level but does not introduce any changes on the target system.
However, the login by the GSM will most likely show up in the logs of the target system.
The GSM can use different credentials based on the nature of the target. The most important ones
are:
• SMB On Microsoft Windows systems the GSM can check the patch level and locally installed
software such as Adobe Acrobat Reader or the Java suite.
• SSH This access is used to check the patch level on UNIX and Linux systems.
• ESXi This access is used for testing of VMware ESXi servers locally.
• SNMP Network components like routers and switches can be tested via SNMP.

Advantages and Disadvantages of Authenticated Scans

The extent and success of the testing routines for authenticated scans depend heavily on the permis-
sions of the used account.
On Linux systems an unprivileged user is sufficient and can access most interesting information, while
especially on Microsoft Windows systems unprivileged users are very restricted and administrative
users provide more results. An unprivileged user does not have access to the Microsoft Windows
registry or to the Microsoft Windows system folder \windows, which contains the information on up-
dates and patch levels etc.
Local security checks are the most gentle method to scan for vulnerability details. While remote se-
curity checks try to be least invasive as well, they might have some impact.
Simply stated an authenticated scan is similar to a Whitebox approach. The GSM has access to prior
information and can access the target from within. Especially the registry, software versions and
patch levels are accessible.
A remote scan is similar to a Blackbox approach. Here the GSM uses the same techniques and proto-
cols as a potential attacker to access the target from the outside. The only information available was
collected by the GSM itself. During the test the GSM may provoke malfunctions to extract any avail-
able information on the used software, e.g. the scanner may send a malformed request to a service
to trigger a response containing further information on the deployed product.
During a remote scan using the scan configuration Full and Fast all remote checks are safe. The used
NVTs may have some invasive components but none of them tries to trigger a defect or malfunction
in the target (see example below). This is ensured by the scan preference safe_checks=yes in the scan
configuration (see Chapter Managing Scan Configurations (page 141)). All NVTs with very invasive
components or which may trigger a denial of service (DoS) are automatically excluded from the test.

Example of an Invasive NVT

An example for an invasive but safe NVT is the Heartbleed NVT. This is executed even with
safe_checks enabled because the NVT does not have any negative impact on the target. The NVT is
still invasive because it does test the memory leakage of the target. If the target is vulnerable, actual
memory of the target is leaked. The GSM does not evaluate the leaked information. The information
is immediately discarded.


Using Credentials

Credentials for local security checks are required to allow NVTs to log into target systems, e.g. for the
purpose of locally checking the presence of all vendor security patches.

Creating New Credentials

A new credential can be created as follows:


1. Select Configuration > Credentials in the menu bar.
2. Create a new credential by clicking .
3. Define the credential (see figure Creating a new credential (page 121)).
4. Click Create.

Fig. 9.12: Creating a new credential

The following details of the credential can be defined:

Note: If the details contain German umlauts, the login does not work. The umlauts have to be replaced
as follows:
• “ß” → “ss”
• “ä” → “a”
• “ö” → “o”
• “ü” → “u”

Name Definition of the name. The name can be chosen freely.


Comment An optional comment can contain additional information.
Type Definition of the credential type. The following types can be chosen:
• Username + Password
• Username + SSH Key
• Client Certificate
• SNMP
• Password only
Allow insecure use Select whether the GSM can use the credential for unencrypted or otherwise in-
secure authentication methods.


Autogenerate Credentials Select whether the GSM creates a random password.

Note: If the radiobutton Yes is selected, it is not possible to define a password in the input box
Password.

Username Definition of the login name used by the GSM to authenticate on the scanned target sys-
tem.
Password Definition of the password used by the GSM to authenticate on the scanned target system.
Depending on the type further options might be shown:
SSH
• Passphrase Definition of the passphrase of the private SSH key.
• Private Key Upload of the private SSH key.
Client Certificate
• Certificate Upload of the certificate file.
• Private Key Upload of the corresponding private key.
SNMP
• SNMP Community Definition of the community for SNMPv1 or SNMPv2c.
• Username Definition of the user name for SNMPv3.
• Password Definition of the password for SNMPv3.
• Privacy password Definition of the password for the encryption for SNMPv3.
• Auth algorithm Selection of the authentication algorithm (MD5 or SHA1).
• Privacy algorithm Selection of the encryption algorithm (AES128, DES or none).

Note: The credential has to be linked to at least one target. This allows the scan engine to apply the
credential.

All existing credentials can be displayed by selecting Configuration > Credentials in the menu bar.
For all credentials the following actions are available:
• Delete the credential. Only credentials which are currently not used can be deleted.
• Edit the credential.
• Clone the credential.
• Download the credential as an XML file.
Depending on the chosen credential type (see above) more actions may be available:
• Download an EXE package for Microsoft Windows. This action is available if Username +
Password was chosen.
• Download an RPM package for Red Hat Enterprise Linux and its derivatives. This action is avail-
able if Username + SSH Key was chosen.
• Download a Debian package for Debian GNU/Linux and its derivatives. This action is available
if Username + SSH Key was chosen.
• Download a public key. This action is available if Username + SSH Key or Client Certificate was
chosen.


These installation packages simplify the installation and creation of accounts for authenticated
scans. They create the user and the most important permissions for the authenticated scan and reset
them during uninstalling.

Note: If the auto-generation of passwords is enabled (see above), the packages have to be used,
otherwise the usage is optional.

Requirements on Target Systems with Microsoft Windows

General Notes on the Configuration

• The remote registry service must be started in order to access the registry.
This is achieved by configuring the service to automatically start up. If an automatic start is
not preferred, a manual startup can be configured. In that case the service is started while the
system is scanned by the GSM and afterwards it is disabled again. To ensure this behaviour the
following item about LocalAccountTokenFilterPolicy must be considered.
• It is necessary that for all scanned systems the file and printer sharing is activated. When using
Microsoft Windows XP, take care to disable the setting “Use Simple File Sharing”.
• For individual systems not attached to a domain the following registry key must be set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
DWORD: LocalAccountTokenFilterPolicy = 1

• On systems joined to a domain the user account in use must be a member of the group Domain
Administrators to achieve the best possible results. Due to the permission concept it is not
possible to discover all vulnerabilities using the Local Administrator or the administrators
assigned by the domain. Alternatively follow the instructions below under Configuring a Domain
Account for Authenticated Scans (page 123).
• Should a Local Administrator be selected – which is explicitly not recommended – it is mandatory
to set the following registry key as well:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
DWORD: LocalAccountTokenFilterPolicy = 1

• Generated install package for credentials: The installer sets the Remote Registry service to
auto start. If the installer is executed on a Domain Controller, the user account will be assigned
to the Group BUILTIN/Administrators (SID S-1-5-32-544).
• An exception rule for the GSM on the Microsoft Windows firewall must be created. Additionally,
on XP systems the File and Printer Sharing must be set to enabled.
• Generated install package for credentials: During the installation the installer offers a dialog to
enter the IP address of the GSM. If the entry is confirmed, the firewall rule is configured. The File
and Printer Sharing service will be enabled in the firewall rules.
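The settings listed above can be checked on the target itself before the first authenticated scan is run. The following PowerShell function is an added example; it is neither part of this manual nor of the Greenbone installer package. The function name, its parameter names and the name of the firewall rule it creates are assumptions, and the address 192.0.2.10 in the usage lines is a placeholder for the real GSM address.

```powershell
# Added example (not from the Greenbone manual): audit and, with -Remediate,
# apply the Windows prerequisites for authenticated GSM scans listed above.
# Function, parameter and rule names are assumptions. Run it in an elevated
# session on Windows 8 / Server 2012 or later (needs the NetSecurity module).
function Test-GsmScanPrerequisites {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # IP address of the GSM that is allowed through the Windows Firewall.
        [Parameter(Mandatory = $true)]
        [string]$GsmAddress,

        # Apply missing settings instead of only reporting them.
        [switch]$Remediate
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $ruleName = 'Greenbone GSM authenticated scan'   # assumed rule name

    # 1. Remote Registry service: automatic start type and running.
    $svc = Get-Service -Name RemoteRegistry
    if ($svc.StartType -ne 'Automatic' -or $svc.Status -ne 'Running') {
        $findings.Add("RemoteRegistry: StartType=$($svc.StartType), Status=$($svc.Status)")
        if ($Remediate -and $PSCmdlet.ShouldProcess('RemoteRegistry', 'Set to Automatic and start')) {
            Set-Service -Name RemoteRegistry -StartupType Automatic
            Start-Service -Name RemoteRegistry
        }
    }

    # 2. LocalAccountTokenFilterPolicy = 1 (required for systems that are not
    #    part of a domain and whenever a local administrator account is used).
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    if ($null -eq $pol -or $pol.LocalAccountTokenFilterPolicy -ne 1) {
        $findings.Add('LocalAccountTokenFilterPolicy is not set to 1')
        if ($Remediate -and $PSCmdlet.ShouldProcess($polKey, 'Set LocalAccountTokenFilterPolicy = 1')) {
            New-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }

    # 3. File and Printer Sharing: the predefined inbound rule group must be enabled.
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
    if ($fps | Where-Object { $_.Enabled -ne 'True' }) {
        $findings.Add('File and Printer Sharing inbound rules are not all enabled')
        if ($Remediate -and $PSCmdlet.ShouldProcess('File and Printer Sharing', 'Enable rule group')) {
            Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
        }
    }

    # 4. Dedicated exception rule that allows inbound traffic from the GSM only,
    #    so that nothing is opened for the rest of the network.
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        $findings.Add("Firewall exception '$ruleName' for $GsmAddress is missing")
        if ($Remediate -and $PSCmdlet.ShouldProcess($ruleName, "Allow inbound traffic from $GsmAddress")) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
                -RemoteAddress $GsmAddress -Profile Any | Out-Null
        }
    }

    # Result object: Compliant is $true when no finding was recorded.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage (192.0.2.10 is a placeholder for the GSM address): report only first,
# then preview the changes with -WhatIf, then apply them.
# Test-GsmScanPrerequisites -GsmAddress '192.0.2.10'
# Test-GsmScanPrerequisites -GsmAddress '192.0.2.10' -Remediate -WhatIf
# Test-GsmScanPrerequisites -GsmAddress '192.0.2.10' -Remediate
```

Because the function supports -WhatIf, the changes can be reviewed per host before they are applied; on domain members the same settings are better distributed with the group policy described in the following section, and this script then serves only as a check that the policy has taken effect.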

Configuring a Domain Account for Authenticated Scans

In order to use a domain account for host based remote audits, the Microsoft Windows target must run
Windows XP Professional, Windows Vista, Windows 2003, Windows 2008, Windows 2012, Windows 2016,
Windows 7, Windows 8, Windows 8.1 or Windows 10 and must be a member of a domain.
The following steps describe how to set up the scan account with security in mind.
Creating a Security Group

123
Chapter 9. Scanning a System

1. Log into a domain controller and open Active Directory Users and Computers.
2. Select Action > New > Group in the menu bar.
3. Enter Greenbone Local Scan in the input box Name.
4. Select Global for Group Scope and Security for Group Type.
5. Add the account that is used for the local authenticated scans under Microsoft Windows by the
Greenbone Appliance to the group.
6. Click OK.
Creating a Group Policy
1. In the left panel open the Group Policy Management console.
2. Right click Group Policy Objects and select New.
3. Enter Greenbone Local SecRights in the input box Name (see figure Creating a new Windows
group policy object for Greenbone scans (page 124)).

Fig. 9.13: Creating a new Windows group policy object for Greenbone scans

4. Click OK.
Configuring the Policy
1. Click the policy Greenbone Local SecRights and select Edit.
2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings.
3. Click Restricted Groups and select Add Group.
4. Click Browse... and enter Greenbone Local Scan in the input box (see figure Checking Windows
group names (page 125)).
5. Click Check Names.
6. Click OK twice to close the open windows.
7. At This group is member of click Add.

124
9.1. Performing a Scan

Fig. 9.14: Checking Windows group names

8. Enter Administrators in the input box Group (see figure Adding a group membership
(page 125)) and click OK twice to close the open windows.

Note: Additionally, on non-English systems enter the respective name of the local administrator
group.

Fig. 9.15: Adding a group membership

Configuring the Policy to Deny the Group “Greenbone Local Scan” Logging into the System Locally
1. Click the policy Greenbone Local SecRights and select Edit.
2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings
> Local Policies > User Rights Assignment.
3. In the right panel double click Deny log on locally.

125
Chapter 9. Scanning a System

4. Activate the checkbox Define these policy settings and click Add User or Group.
5. Click Browse... and enter Greenbone Local Scan in the input box (see figure Editing the policy
(page 126)).
6. Click Check Names.

Fig. 9.16: Editing the policy

7. Click OK three times to close the open windows.


Configuring the Policy to Deny the Group “Greenbone Local Scan” Logging into the System Remotely
1. Click the policy Greenbone Local SecRights and select Edit.
2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings
> Local Policies > User Rights Assignment.
3. In the right panel double click Deny log on through Desktop Services.
4. Activate the checkbox Define these policy settings and click Add User or Group.
5. Click Browse... and enter Greenbone Local Scan in the input box (see figure Editing the policy
(page 127)).
6. Click Check Names.
7. Click OK three times to close the open windows.
Configuring the Policy to Give Read Permissions Only to the Local Drive for the Group “Greenbone
Local Scan”

Important: This setting still exists after the GPO has been removed (“tattooing GPO”).
This changes fundamental privileges which may not be simply reversed by removing the GPO.
Research whether the settings are compatible with the environment.

Note: The following steps are optional.

126
9.1. Performing a Scan

Fig. 9.17: Editing the policy

1. Click on the policy Greenbone Local SecRights and select Edit.


2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings.
3. In the right panel click File System and select Add File....
4. Enter %SystemDrive% in the input box Folder and click OK (see figure Specifying the
%SystemDrive% folder (page 127)).

Fig. 9.18: Specifying the %SystemDrive% folder

5. At Group or user names click Add and enter Greenbone Local Scan in the input box and click
OK (see figure Selecting the Greenbone local scan group (page 128)).
6. In the section Group or user names select Greenbone Local Scan.

127
Chapter 9. Scanning a System

Fig. 9.19: Selecting the Greenbone local scan group

7. Deactivate all checkboxes for Allow and activate the checkbox Write for Deny (see figure Denying
write access to the group (page 129)).
8. Click OK and confirm the warning message by clicking Yes.
9. Select the radiobuttons Configure this file or folder then and Propagate inheritable permissions
to all subfolders and files and click OK (see figure Making the permissions recursive (page 129)).

Configuring the Policy to Give Read Permissions Only to the Registry for the Group “Greenbone
Local Scan”

Important: This setting still exists after the GPO has been removed (“tattooing GPO”).
This changes fundamental privileges which may not be simply reversed by removing the GPO.
Research whether the settings are compatible with the environment.

Note: The following steps are optional.

1. In the left panel right click Registry and select Add Key.
2. Select USERS and click OK (see figure Selecting the registry key (page 130)).
3. Click Advanced and Add.
4. Enter Greenbone Local Scan in the input box and click OK (see figure Selecting the Greenbone
Local Scan group (page 130)).
5. Select This object and child objects in the drop-down-list Apply to.
6. Deactivate all checkboxes for Allow and activate the checkboxes Set Value, Create Subkey, Create
Link, Delete, Change Permissions and Take Ownership for Deny (see figure Disallowing edition
of the registry (page 131)).
7. Click OK twice and confirm the warning message by clicking Yes.

Fig. 9.20: Denying write access to the group

Fig. 9.21: Making the permissions recursive

Fig. 9.22: Selecting the registry key

Fig. 9.23: Selecting the Greenbone Local Scan group

Fig. 9.24: Disallowing edition of the registry

8. Click OK.
9. Select the radiobuttons Configure this key then and Propagate inheritable permissions to all
subkeys and click OK (see figure Making the permissions recursive (page 131)).

Fig. 9.25: Making the permissions recursive

10. Repeat the steps 2 to 9 for MACHINE and CLASSES_ROOT.


Allowing WMI Access Through the Windows Firewall on Microsoft Windows Vista, 7, 8, 10, 2008, 2008R2,
2012 and 2016

Note: The following steps are optional.

1. Click on the policy Greenbone Local SecRights and select Edit.


2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings
> Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound
Rules.
3. Right click in the working area and select New Rule....
4. Select the radiobutton Predefined and select Windows Management Instrumentation (WMI) in
the drop-down-list (see figure Configuring the firewall via GPO (page 132)).
5. Click Next.

Fig. 9.26: Configuring the firewall via GPO

6. Activate the checkboxes Windows Management Instrumentation (ASync-In), Windows Management
Instrumentation (WMI-In) and Windows Management Instrumentation (DCOM-In) (see figure
Configuring the firewall via GPO (page 132)).

Fig. 9.27: Configuring the firewall via GPO

7. Click Next and click Finish.


Linking the Group Policy Object
1. In the right panel right click Link an Existing GPO and select Link an Existing GPO....
2. Select Greenbone Local SecRights in the sections Group Policy objects and click OK (see figure
Linking the policy (page 133)).

Restrictions
Based on the fact that write permissions to the registry and system drive have been removed, the
following two tests will no longer work:
• Leave information on scanned Windows hosts (OID 1.3.6.1.4.1.25623.1.0.96171): This test, if
desired, creates information about the start and end of a scan under HKLM\Software\VulScanInfo.
Due to denying write access to HKLM this is no longer possible. If the test should be possible,
the GPO must be adjusted respectively.
• Windows file Checksums (OID 1.3.6.1.4.1.25623.1.0.96180): This test, if desired, saves the tool
ReHash under C:\Windows\system32 (for 32-bit systems) or C:\Windows\SysWOW64 (for 64-bit
systems). Due to denying write access this is no longer possible. If the test should be possible,
the tool must be saved separately or the GPO must be adjusted respectively.

Fig. 9.28: Linking the policy

More information can be found in Chapter Checking File Checksums (page 198).

Scanning Without Domain Administrator and Local Administrator Permissions

It is possible to build a GPO in which the user also does not have any local administrator permissions.
But the effort to add the respective read permissions to each registry branch and folder is huge.
Unfortunately, permission inheritance is deactivated for many folders and branches. Additionally, these
changes can be set by GPO but cannot be removed again (tattooing GPO). Specific permissions could
be overwritten so that additional problems could occur as well.
Building a GPO in which the user does not have any local administrator permissions does not make
sense from a technical and administrative point of view.

Requirements on Target Systems with Linux/UNIX

• For authenticated scans on Linux or UNIX systems regular user access is usually enough. The
login is performed via SSH. The authentication is done either with passwords or an SSH key stored
on the GSM.
• Generated installation package for credentials: The install package for Debian or Red Hat Linux
is a DEB or an RPM file creating a new user without any specific permissions. An SSH key that is
created on the GSM is stored in the user’s home folder. For users of other Linux distributions or
UNIX derivatives the key is offered for download. Creating a user and saving the key with the
proper file permissions is the responsibility of the user.
• In both cases it needs to be made sure that public key authentication is not prohibited by the
SSH daemon. The line PubkeyAuthentication no must not be present in its configuration.
• Existing SSH keys may also be used. SSH keys can be generated with OpenSSH by using the
command ssh-keygen on Linux or puttygen.exe when using PuTTY on Microsoft Windows.
The formats Ed25519 or RSA are recommended. All SSH keys must correspond to RFC 4716 [8].
• For scans that include policy testing, root permission or the membership in specific groups (often
wheel) may be necessary. For security reasons many configuration files are only readable by
super users or members of specific groups.
[8] https://tools.ietf.org/html/rfc4716

Requirements on Target Systems with ESXi

By default, local ESXi users are limited to read-only roles. Either an administrative account or a read-
only role with permission to global settings has to be used. This can be set up as follows:
1. Start the vSphere client.
2. Select Administration > Roles in the menu bar (see figure vSphere client offering access to the
roles (page 134)).

Fig. 9.29: vSphere client offering access to the roles

→ The roles are displayed.


3. Right click ReadOnly and select Clone (see figure Displaying the roles (page 134)).

Fig. 9.30: Displaying the roles

→ The cloned role is displayed as well.


4. Right click the cloned role and select Rename.
5. Enter the new name of the cloned role in the input box and click OK.
6. Right click the cloned role and select Edit Role....
7. Unfold Global and activate the checkbox Settings (see figure Editing the role (page 135)).

Fig. 9.31: Editing the role

8. Click OK.
9. Select Inventory > Inventory in the menu bar.
10. Open the tab Permissions.
11. Right click in the empty space and select Add Permission... (see figure Adding a permission to
the scan user (page 135)).

Fig. 9.32: Adding a permission to the scan user

12. Select the scan user account used by the GSM in the left section (see figure Assigning the role
to the scan user (page 136)).
13. Select the created role in the drop-down-list in the right section (see figure Assigning the role
to the scan user (page 136)).
14. Click OK.

Fig. 9.33: Assigning the role to the scan user

Requirements on Target Systems with Cisco OS

The GSM can check network components like routers and switches for vulnerabilities as well. While
the usual network services are discovered and checked via the network some vulnerabilities can only
be discovered by an authenticated scan. For the authenticated scan the GSM can use either SNMP or
SSH.

SNMP

The GSM can use the SNMP protocol to access the Cisco network component. The GSM supports
SNMPv1, v2c and v3. SNMP uses the port 161/udp. The default port list does not include any UDP port.
Therefore, this port is ignored during the vulnerability test using Full and Fast and no SNMP check is
enabled. To scan network components the port list should be modified to include at least the following
ports:
• 22/tcp SSH
• 80/tcp 8080/tcp HTTP
• 443/tcp 8443/tcp HTTPS
• 2000/tcp SCCP
• 2443/tcp SCCPS
• 5060/tcp 5060/udp SIP
• 5061/tcp 5061/udp SIPS
• 67/udp DHCP Server
• 69/udp TFTP
• 123/udp NTP
• 161/udp SNMP
• 162/udp SNMP Traps
• 500/udp IKE
• 514/udp Syslog
• 546/udp DHCPv6
• 6161/udp 6162/udp Unified CM
The administrator can set up special port lists used only for such network components.
The GSM needs to access only very few objects from the SNMP tree. For a less privileged access an
SNMP view should be used to constrain the visibility of the SNMP tree for the GSM. The following two
examples explain how to set up the view using either a community string or an SNMPv3 user.
To use an SNMP community string the following commands are required on the target:
# configure terminal

Using an access list the usage of the community can be restricted. The IP address of the GSM is
192.168.222.74 in this example:
(config) # access-list 99 permit 192.168.222.74

The view gsm should only allow accessing the system description:
(config) # snmp-server view gsm system included
(config) # snmp-server view gsm system.9 excluded

The last command links the community gsm-community with the view gsm and the access-list 99:
(config) # snmp-server community gsm-community view gsm RO 99

When using an SNMPv3 user including encryption the following configuration lines are required on
the target:
# configure terminal
(config) # access-list 99 permit 192.168.222.74
(config) # snmp-server view gsm system included
(config) # snmp-server view gsm system.9 excluded

SNMPv3 requires the setup of a group first. Here the group gsmgroup is linked to the view gsm and
the access-list 99:
(config) # snmp-server group gsmgroup v3 priv read gsm access 99

Now the user can be created supplying the password gsm-password and the encryption key
gsm-encrypt. The user is assigned to the group gsmgroup created above. The authentication is done
using MD5 while the encryption is handled by AES128:
(config) # snmp-server user gsm-user gsmgroup v3 auth md5 gsm-password priv aes 128 gsm-encrypt

To configure either the community or the SNMPv3 user in the GSM the administrator selects
Configuration > Credentials in the menu bar (see Chapter Using Credentials (page 121)).

SSH

The authenticated scan can be performed via SSH as well. When using SSH, the usage of a special
unprivileged user is recommended. The GSM currently requires only the command show version to
retrieve the current version of the firmware of the device.
To set up a less privileged user which is only able to run this command, several approaches are pos-
sible. The following example uses the role based access control feature.

Tip: Before using the following example, make sure all side effects of the configuration are
understood. If used without verification the system may restrict further logins via SSH or console.

To use role based access control AAA and views have to be enabled:
> enable
# configure terminal
(config)# aaa new-model
(config)# exit
> enable view
# configure terminal

The following commands create a restricted view including just the command show version. The
supplied password view-pw is not critical:
(config)# parser view gsm-view
(config-view)# secret 0 view-pw
(config-view)# commands exec include show version
(config-view)# exit

Now the user gsm-user with the password gsm-pw is created and linked to the view gsm-view:
(config)# username gsm-user view gsm-view password 0 gsm-pw
(config)# aaa authorization console
(config)# aaa authorization exec default local

If SSH is not enabled yet the following commands take care of that. Use the appropriate host name
and domain:
(config)# hostname switch
(config)# ip domain-name greenbone.net
(config)# crypto key generate rsa general-keys modulus 2048

Finally, enable SSH logins using the following commands:
(config)# line vty 0 4
(config-line)# transport input ssh
(config-line)# Ctrl-Z

The credentials of the user need to be entered on the GSM. Select Configuration > Credentials in the
menu bar and create the appropriate user (see Chapter Using Credentials (page 121)).
Link the credentials to the target to be used as SSH credentials.

9.1.3 Running a Prognosis Scan

Not every vulnerability justifies a new scan of the network or of individual systems. If the GSM has
already obtained information about vulnerabilities by former scans, it can make a prognosis of which
security risks could exist.
Using the CVE scanner allows forecasting possible security risks based on current information about
known security risks from the SecInfo management (see Chapter SecInfo Management (page 181))
without the need of a new scan. This is especially interesting for environments in which most
vulnerabilities have been removed or remediated by using the GSM.
If security risks become known, an actual scan can be run to verify the prognosis.

Note: The asset database requires current data for the CVE scanner. A full scan, e.g. with the scan
configuration “Full and fast”, has to be performed and the results have to be added to the assets.
A full scan of the systems should occur regularly in weekly or monthly intervals.

A prognosis scan can be run as follows:


1. Run a full scan (see Chapter Configuring a Scan Manually (page 113)).

Note: A full scan configuration has to be chosen, e.g. Full and fast.
Additionally, the radiobutton Yes has to be selected for Add results to Assets.

2. Select Scans > Tasks in the menu bar.


3. Create a new task by clicking and selecting New Task.
4. Define the task (see Chapter Creating a Task (page 115)).
5. Select CVE in the drop-down-list Scanner.
6. Click Create.
7. Start the scan by clicking of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

8. When the scan is completed select Scans > Reports in the menu bar.
9. Click on the date of the report to show the results.
→ The report shows each found CVE as a vulnerability (see figure Results of a prognosis scan
(page 139)).

Fig. 9.34: Results of a prognosis scan

10. Click on a CVE in the column Vulnerability.


→ Details of the CVE and the product to which the CVE is assigned are shown (see figure Details
of a detected CVE (page 140)).

Fig. 9.35: Details of a detected CVE

Note: The CVE scanner might show false positives as it does not check whether the vulnerability
actually exists.

9.2 Creating a Container Task

A container task can be used to import and provide reports created on other GSMs.
A container task can be created as follows:
1. Select Scans > Tasks in the menu bar.
2. Create a new container task by clicking and selecting New Container Task.
3. Define the container task (see figure Creating a container task (page 140)).

Fig. 9.36: Creating a container task

4. Click Create.
All existing container tasks can be displayed by selecting Scans > Tasks in the menu bar.
For all container tasks the following actions are available:
• Import reports to the container task.
• Delete the container task.
• Edit the container task.
• Clone the container task.
• Download the container task as an XML object.
Reports can be added to the container task as follows:
1. Select Scans > Tasks in the menu bar.
2. In the row of the container task click .

3. Click Browse... and select the XML file of a report.


4. Select the container task to which the report should be added in the drop-down-list Container
Task.

Tip: A new container task can be created by clicking next to the drop-down-list.

Fig. 9.37: Adding a report to a Container Task

5. Select whether the report should be added to the assets (see Chapter Asset Management
(page 175)).
6. Click Create.

9.3 Managing Scan Configurations

The GSM appliance comes with various predefined scan configurations. They can be customized and
new scan configurations can be created.
The following configurations are already available:
Empty: This is an empty template.
Discovery: Only NVTs that provide information of the target system are used. No vulnerabilities are
being detected.
Host Discovery: Only NVTs that discover target systems are used. This scan only reports the list of
systems discovered.
System Discovery: Only NVTs that discover target systems including installed operating systems and
hardware in use are used.
Full and fast: For many environments this is the best option to start with. This scan configuration is
based on the information gathered in the previous port scan and uses almost all plug-ins. Only plug-ins
that will not damage the target system are used. Plug-ins are optimized in the best possible way to
keep the potential false negative rate especially low. The other configurations only provide more value
in rare cases but with much higher effort.
Full and fast ultimate: This scan configuration expands the scan configuration “Full and fast” with
plug-ins that could disrupt services or systems or even cause shutdowns.
Full and very deep: This scan configuration is based on the scan configuration “Full and fast” but the
results of the port scan or the application/service detection do not have an impact on the selection
of the plug-ins. Therefore, plug-ins that wait for a timeout or test for vulnerabilities of an
application/service which were not detected previously are used. A scan with this scan configuration
is very slow.
Full and very deep ultimate: This scan configuration expands the scan configuration “Full and very
deep” with dangerous plug-ins that could cause possible service or system disruptions. A scan with
this scan configuration is very slow.

9.3.1 List Page of all Scan Configurations

The available scan configurations can be displayed by selecting Configuration > Scan Configs in the
menu bar.

Note: By default, only the first 10 configurations are displayed.

Fig. 9.38: Page Scan Configs displaying all available scan configurations

The columns Families/Total and NVTs/Total show how many NVT families and NVTs are activated
for a scan configuration (see figure Page Scan Configs displaying all available scan configurations
(page 142)).

Note: Greenbone Networks publishes new plug-ins (NVTs) regularly. New NVT families can be intro-
duced through the Greenbone Security Feed as well.

Additionally, the trend of a scan configuration is displayed (see figure Page Scan Configs displaying
all available scan configurations (page 142)). The trend shows if a scan configuration was configured
dynamically or statically.
• dynamic
This scan configuration is configured dynamically. It includes and activates new NVT
families and new NVTs of the activated NVT families automatically after an NVT feed
update. This ensures that new NVTs are available immediately and without any inter-
action by the administrator.
• static
This scan configuration is configured statically. It does not change after an NVT feed
update.
The icon in the column Name indicates that the scan configuration is available to other users and
can be used by them.
For all scan configurations the following actions are available:
• Clone the scan configuration.
• Download the scan configuration as an XML file.
Additionally, for self-created scan configurations the following actions are available:

• Delete the scan configuration. Only scan configurations which are currently not used can be
deleted.
• Edit the scan configuration. Only scan configurations which are currently not used can be
edited.

9.3.2 Details Page of a Scan Configuration

By clicking on the name of a scan configuration the details page of the scan configuration is opened.
In the section Network Vulnerability Test Families all NVT families with the number of activated NVTs
and the trend are displayed. By clicking on the name of an NVT family the list page of the NVT family
is opened.
In the section Scanner Preferences all scanner preferences with current and default values are dis-
played.
In the section Network Vulnerability Test Preferences all NVT preferences are displayed.
Additionally, the tasks using the scan configuration, tags and permissions are displayed.
For all scan configurations the following actions are available:
• Clone the scan configuration.
• Download the scan configuration as an XML file.
Additionally, for self-created scan configurations the following actions are available:
• Delete the scan configuration. Only scan configurations which are currently not used can be
deleted.
• Edit the scan configuration. Only scan configurations which are currently not used can be
edited.
By clicking the page Scan Configs is opened.

9.3.3 Creating a New Scan Configuration

Tip: Greenbone Networks offers different scan configurations on their website (see chapter
Compliance and Special Scans (page 191)).

A new scan configuration can be created as follows:


1. Select Configuration > Scan Configs in the menu bar.
2. Create a new scan configuration by clicking .

Note: Alternatively, a scan configuration can be imported (see Chapter Importing a Scan Con-
figuration (page 145)).

3. Define the name of the scan configuration (see figure Creating a new scan configuration
(page 144)).
4. Select the radiobutton of the base that should be used (see figure Creating a new scan
configuration (page 144)).
The available bases are “Empty, static and fast” and “Full and fast”.
5. Click Create.
→ The scan configuration can be edited (see figure Editing the new scan configuration
(page 144)).

Fig. 9.39: Creating a new scan configuration

Fig. 9.40: Editing the new scan configuration

6. Select the according radiobutton when newly introduced NVT families should be included and
activated automatically (see figure Selecting the trend of a family of NVTs (page 145)).

Fig. 9.41: Selecting the trend of a family of NVTs

7. Select the according radiobutton when all newly introduced NVTs of a family should be included
and activated automatically (see figure Selecting the trend of an NVT (page 145)).

Fig. 9.42: Selecting the trend of an NVT

8. Activate the checkboxes in the column Select all NVTs if all NVTs of a family should be activated.
9. Click for an NVT family to edit it (see figure Editing a family of NVTs (page 145)).

Fig. 9.43: Editing a family of NVTs

10. Activate the checkboxes of the NVTs that should be activated.


11. Click for an NVT to edit it (see figure Editing an NVT (page 146)).
12. Click Save to save the NVT.
13. Click Save to save the family of NVTs.
14. In the section Edit Scanner Preferences click to edit the scanner preferences (see Chapter
Editing the Scanner Preferences (page 146)).
15. In the section Network Vulnerability Test Preferences click to display the preferences of each
NVT.
16. Click Save to save the scan configuration.

9.3.4 Importing a Scan Configuration

A scan configuration can be imported as follows:


1. Select Configuration > Scan Configs in the menu bar.

Fig. 9.44: Editing an NVT

2. Click .
3. Click Browse... and select the XML file of the scan configuration.
4. Click Create.

Note: If the name of the imported scan configuration already exists, a numeric suffix is added
to the name.

→ The imported scan configuration is displayed on the page Scan Configs.


5. Click for the scan configuration.
6. Execute steps 6 to 16 of Creating a New Scan Configuration (page 143) to edit the scan configu-
ration.

9.3.5 Editing the Scanner Preferences

The GSM uses Nmap and Ping as port scanners. Nmap is being used via the NASL wrapper. This allows
for the greatest flexibility.

Note: Documenting all scanner and NVT preferences is out of scope of this document.
Only the most important general settings and specific settings of the scanners are covered.

Scanner preferences can be edited as follows:


1. Select Configuration > Scan Configs in the menu bar.
2. Click for the scan configuration.
3. In the section Edit Scanner Preferences click to edit the scanner preferences.

4. After editing the scanner preferences click Save to save the scan configuration.

General Preferences

Fig. 9.45: Editing the scanner preferences

• auto_enable_dependencies: This defines whether NVTs that are required by other NVTs are ac-
tivated automatically.
• cgi_path: Path used by the NVTs to access CGI scripts.
• checks_read_timeout: Timeout for the network sockets during a scan.
• drop_privileges: With this parameter the OpenVAS scanner gives up root privileges before the
start of the NVTs. This increases the security but results in fewer findings with some NVTs.
• max_sysload: Maximum load on the GSM. Once this load is reached, no further NVTs are started
until the load drops below this value again.
• min_free_mem: Minimum available memory (in MB) which should be kept free on the GSM. Once
this limit is reached, no further NVTs are started until sufficient memory is available again.
• network_scan: This is an experimental option which scans the entire network all at once instead
of starting Nmap for each individual host. This can save time in specific environments.
• non_simult_ports: These ports are not being tested simultaneously by NVTs.
• optimize_test: NVTs will only be started if specific prerequisites are met (e.g. open port or de-
tected application).
• plugins_timeout: Maximum run time of an NVT.
• report_host_details: Detailed information about the host is saved to the report.
• safe_checks: Some NVTs can cause damage on the host system. This setting disables those
respective NVTs.
• scanner_plugins_timeout: Maximum lifetime (in seconds) for all NVTs from the port scanners
family. If an NVT runs longer, the plug-in is terminated.
• time_between_request: Wait time (in milliseconds) between two actions such as opening a TCP
socket, sending a request through the open TCP socket and closing the TCP socket.
• timeout_retry: Number of retries when a socket connection attempt times out.

• unscanned_closed: This defines whether TCP ports that were not scanned should be treated
like closed ports.
• unscanned_closed_udp: This defines whether UDP ports that were not scanned should be
treated as closed ports.
• use_mac_addr: Systems will be identified by MAC address and not by IP address. This could be
beneficial in a DHCP environment.
• vhosts: If the GSM should scan a web server with name based virtual hosts, the settings vhosts
and vhosts_ip can be used. In the setting vhosts the names of the virtual hosts can be entered
separated by commas.
• vhosts_ip: If the GSM should scan a web server with name based virtual hosts, the settings
vhosts and vhosts_ip can be used. In the setting vhosts_ip the IP address of the web server can
be entered. The report does not indicate on which virtual host an NVT discovered a
vulnerability.

Ping Preferences

The ping NVT from the port scanners family contains the following configuration parameters.

Note: The Alive Test settings of a target can override some settings of the ping scanner.

• Do a TCP ping: This defines whether the reachability of a host should be tested using TCP. In this
case the following ports will be tested: 21,22,23,25,53,80,135,137,139,143,443,445.
• Do an ICMP ping: This defines whether the reachability of hosts should be tested using ICMP.
• Mark unreachable Hosts as dead: This defines whether a host that is not discovered by this NVT
should be tested by other NVTs later.
• Report about reachable Hosts: This defines whether a host discovered by this NVT should be
listed.
• Report about unreachable Hosts: This defines whether a host not discovered by this NVT should
be listed.
• TCP ping tries also TCP-SYN ping: The TCP ping uses a TCP-ACK packet by default. A TCP-SYN
packet can be used additionally.
• Use ARP: This defines whether hosts should be searched for in the local network using the ARP
protocol.
• Use Nmap: This defines whether the ping NVT should use Nmap.
• nmap: try also with only -sP: If Nmap is used, the ping scan is performed using the -sP option.
• nmap additional ports for -PA: Additional ports for the TCP ping test. This is only used if Do
a TCP ping is selected.

Nmap NASL Preferences

The following options of the Nmap (NASL Wrapper) NVT will be directly translated into options for
the execution of the nmap command. Additional information can be found in the documentation for
nmap9 .
• Do not randomize the order in which ports are scanned: Nmap will scan the ports in ascending
order.
• Do not scan targets not in the file: See File containing grepable results.
9 https://nmap.org/docs.html

• Fragment IP packets: Nmap fragments the probe packets. This allows bypassing simple
packet filters.
• Identify the remote OS: Nmap tries to identify the operating system.
• RPC port scan: Nmap tests the system for Sun RPC ports.
• Run dangerous ports even if safe checks are set: UDP and RPC scans can cause problems and
usually are disabled with the setting safe_checks.
• Service scan: Nmap tries to identify services.
• Use hidden option to identify the remote OS: Nmap tries to identify more aggressively.
• Data length: Nmap adds random data of specified length to the packet.
• Host Timeout: Host timeout.
• Initial RTT timeout: Initial round trip timeout. Nmap can adjust this timeout dependent on the
results.
• Max RTT timeout: Maximum RTT.
• Min RTT timeout: Minimum RTT.
• Max Retries: Maximum number of retries.
• Maximum wait between probes: This regulates the speed of the scan.
• Min RTT Timeout: This regulates the speed of the scan.
• Minimum wait between probes: This regulates the speed of the scan.
• Ports scanned in parallel (max): This defines how many ports should at most be scanned simul-
taneously.
• Ports scanned in parallel (min): This defines how many ports should at least be scanned simul-
taneously.
• Source port: Source port. This is of interest when scanning through a firewall if connections are
in general allowed from a specific port.
• File containing grepable results: Allows the specification of a file containing line entries of
the form Host: IP address, as found in Nmap grepable output. If the option Do not scan targets
not in the file is set at the same time, only the systems contained in the file are scanned.
• TCP scanning technique: Actual scan technique.
• Timing policy: Instead of changing the timing values individually the timing policy can be modi-
fied.
The timing policy uses the following values:

Policy       initial_rtt_timeout   min_rtt_timeout   max_rtt_timeout   max_parallelism   scan_delay   max_scan_delay
Paranoid     5 min                 100 ms            10 sec            Serial            5 min        1 sec
Sneaky       15 sec                100 ms            10 sec            Serial            15 sec       1 sec
Polite       1 sec                 100 ms            10 sec            Serial            400 ms       1 sec
Normal       1 sec                 100 ms            10 sec            Parallel          0 sec        1 sec
Aggressive   500 ms                100 ms            1250 ms           Parallel          0 sec        10 ms
Insane       250 ms                50 ms             300 ms            Parallel          0 sec        5 ms

9.4 Obstacles While Scanning

There are several typical problems which might occur during a scan using the default values of the
GSM. While the default values of the GSM are valid for most environments and customers, depend-
ing on the actual environment and the configuration of the scanned hosts they might require some
tweaking.

9.4.1 Hosts not Found

During a typical scan (either “Discovery” or “Full and Fast”) the GSM will by default first use the ping
command to check the availability of the configured targets. If the target does not reply to the ping
request it is presumed to be dead and will not be scanned by the port scanner or any NVT.
In most LAN environments this does not pose any problems because all devices will respond to a ping
request. But sometimes (local) firewalls or other configuration might suppress the ping response. If
this happens the target will not be scanned and will not be included in the results and the scan report.
To remediate this problem, both the target configuration and the scan configuration support the set-
ting of the Alive Test (see Alive Test (page 115)).
If the target does not respond to a ping request, a TCP Ping may be tested. If the target is located
within the same broadcast domain, an ARP Ping may be tried as well.

9.4.2 Long Scan Periods

Once the target is discovered to be alive using the ping command, the GSM uses a port scanner to scan
the target. By default, a TCP port list containing around 5000 ports is used. If the target is protected
by a (local) firewall dropping most of these packets, the port scan has to wait for the timeout of
each individual port; this is especially true if UDP ports are included in the scan. If the firewall
rejects the request instead of dropping it, the port scanner does not have to wait for the timeout.
If the hosts are protected by (local) firewalls, the port lists or the firewalls may be tuned.

9.4.3 NVT not Used

This happens especially often with UDP-based NVTs, e.g. NVTs using the SNMP protocol. If
the default configuration Full and Fast is used, the SNMP NVTs are included. But if the target is
configured using the default port list, the NVTs are not executed. This happens because the default
port list does not include any UDP ports. Therefore, the port 161/udp (snmp) is not discovered and
excluded from further scans. Both the discovery scans and the recommended Full and Fast scan
configuration optimize the scan based on the discovered services. If the UDP port is not discovered,
no SNMP NVTs are executed.
Do not enable all ports per default in the port lists. This will prolong the scans considerably. Best
practice is the tuning of the port lists to the ports which are used in the environment and are supported
by the firewalls.
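The "NVT not Used" obstacle is easy to reproduce on paper: expand a port list and check which service ports the port scanner will never probe. This is an added illustration, not Greenbone OS code; it parses the OpenVAS port list notation (T: and U: prefixes, unprefixed items are TCP), and the port lists and service table below are constructed sample data rather than the real GSM defaults.

```python
"""Check whether a GSM/OpenVAS port list covers the ports that service-specific
NVTs need.  Added illustration, not Greenbone's own code."""
from __future__ import annotations

# Constructed sample: services whose NVTs are only scheduled once the port
# scanner has discovered the port (the scan configuration optimizes on
# discovered services, as the text explains).  Not the real NVT dependency table.
SERVICE_PORTS = {
    "snmp": ("udp", 161),
    "ntp": ("udp", 123),
    "dns": ("udp", 53),
    "ssh": ("tcp", 22),
    "http": ("tcp", 80),
}


def parse_port_list(spec: str) -> dict[str, set[int]]:
    """Expand an OpenVAS port list such as "T:1-1024,3306,U:161" into explicit
    TCP and UDP port sets.

    "T:" and "U:" switch the protocol for the item they prefix and all following
    items; an item is a single port or an inclusive range "a-b".
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"  # OpenVAS treats unprefixed items as TCP
    for item in spec.replace(" ", "").split(","):
        if item[:2].upper() == "T:":
            proto, item = "tcp", item[2:]
        elif item[:2].upper() == "U:":
            proto, item = "udp", item[2:]
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"invalid port item {item!r}")
        ports[proto].update(range(lo_i, hi_i + 1))
    return ports


def undiscoverable_services(spec: str, services=SERVICE_PORTS) -> list[str]:
    """Services whose port is absent from the list: their NVTs are never run,
    even though the scan configuration includes them."""
    ports = parse_port_list(spec)
    return sorted(
        name for name, (proto, port) in services.items()
        if port not in ports[proto]
    )


def port_count(spec: str) -> dict[str, int]:
    """Number of TCP and UDP ports the port scanner has to probe per host;
    on a firewall that drops packets, every one of them costs a timeout."""
    return {proto: len(p) for proto, p in parse_port_list(spec).items()}


if __name__ == "__main__":
    # Constructed port lists: a TCP-only list and the same list with UDP added.
    tcp_only = "T:1-1024,3306,8080"
    with_udp = "T:1-1024,3306,8080,U:53,123,161"
    for spec in (tcp_only, with_udp):
        print(spec, "->", port_count(spec), "missing:", undiscoverable_services(spec))
```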

9.5 Performing a Scheduled Scan

For continuous vulnerability management the manual execution of tasks is tedious. The GSM supports
the scheduling of tasks for their automation. A schedule defines an automatic scan at a specific
time. It can be run once or repeatedly.
The GSM does not provide any schedules by default.
A new schedule can be created as follows:
1. Select Configuration > Schedules in the menu bar.

2. Create a new schedule by clicking .


3. Define the schedule (see figure Creating a new schedule (page 151)).
4. Click Create.

Fig. 9.46: Creating a new schedule

The following details of the schedule can be defined:


• Name Definition of the name. The name can be chosen freely.
• Comment An optional comment can contain additional information.
• First Time Definition of the time of the first run.
• Timezone Definition of the timezone the time refers to. UTC is default.

Note: Since the GSM runs in the UTC timezone internally, the chosen time zone is very important. For
Eastern Standard Time (EST) America/New York has to be selected.

• Period Definition of the interval between two runs. It can be selected between hourly, daily,
weekly and monthly. If left blank, the interval is a single instance.
• Duration Definition of the maximum duration a task can take for its execution. After the as-
signed time has expired, the task is aborted and suspended until the next scheduled
time slot becomes available. This way it can be ensured that the scan always runs within
a specific (maintenance) time window.

9.6 Managing the Scanners

The GSM appliance comes with two predefined scanners. They can be managed and new scanners
can be created.
The following scanners are already available:
• OpenVAS Default
• CVE: The CVE scanner allows forecasting possible security risks based on current information
about known vulnerabilities from the SecInfo management (see Chapter SecInfo Management
(page 181)) without the need of a new scan (see Chapter Running a Prognosis Scan (page 138)).

Note: The desired scanner for a task is selected when creating the task (see Chapter Creating a Task
(page 115)).

9.6.1 List Page of all Scanners

The available scanners can be displayed by selecting Configuration > Scanners in the menu bar.

Fig. 9.47: Page Scanners displaying all available scanners

The list shows the hosts, ports, types and credentials of the scanners (see figure Page Scanners dis-
playing all available scanners (page 152)).
The icon in the column Name indicates that the scanner is available to other users and can be used
by them.
For all scanners the following actions are available:
• Verify that the scanner is online and that the manager can connect to it using the provided
certificates.
• Download the scanner as an XML file.
Additionally, for self-created scanners the following actions are available:
• Delete the scanner. Only scanners which are currently not used can be deleted.
• Edit the scanner. Only scanners which are currently not used can be edited.
• Clone the scanner.
• Download the CA Certificate/Certificate.

9.6.2 Details Page of a Scanner

By clicking on the name of a scanner the details page of the scanner is opened.
The tasks using the scanner, tags and permissions are displayed.
For all scanners the following actions are available:
• Verify that the scanner is online and that the manager can connect to it using the provided
certificates.
• Download the scanner as an XML file.
Additionally, for self-created scanners the following actions are available:
• Clone the scanner.
• Delete the scanner. Only scanners which are currently not used can be deleted.
• Edit the scanner. Only scanners which are currently not used can be edited.
• Download the CA Certificate/Certificate.
By clicking the page Scanners is opened.

9.6.3 Creating a New Scanner

Note: The creation of a new scanner is only used in the following cases:
• Creating a new remote scanner (see Chapter Configuring a Sensor as a Remote Scanner
(page 257))
• Creating an OSP scanner (see Chapter OSP Scanner (page 267))

9.7 Using Alerts

Alerts are anchored within the system. When a configured event (e.g. a task is finished) happens, a
specified condition is checked (e.g. a vulnerability with a high severity category is detected). If the
condition is met, an action is performed, e.g. an e-mail is sent to a defined address.

9.7.1 Creating a New Alert

A new alert can be created as follows:


1. Select Configuration > Alerts.
2. Create a new alert by clicking .
3. Define the alert (see figure Creating a new alert (page 153)).
4. Click Create.

Fig. 9.48: Creating a new alert

The following details of the alert can be defined:


Name Definition of the name. The name can be chosen freely.

Comment An optional comment can contain additional information.


Event Definition of the event for which the alert message is sent. Alarms can be sent when the status
of a task changes or when SecInfos (NVTs, CVEs, CPEs, CERT-Bund Advisories, DFN-CERT Advi-
sories, OVAL Definition) are added or updated.
Condition Definition of the additional conditions that have to be met.

Note: The options differ for task and for SecInfo related alerts.

The alert message can occur:


• Always
• When a specific severity level is reached.
• If the severity level changes, increases or decreases.
• If a powerfilter matches at least the specified number of results.
• If a powerfilter matches at least the specified number of results more than in the previous
scan.
Report Result Filter (only for task related alerts) The results can be limited with an additional filter.
The filter must be created previously (see section Filtering the Page Content (page 80)).
Details URL (only for SecInfo related alerts) Definition of the URL from which the SecInfos are ob-
tained.
Delta Report Optionally, a delta report can be created, either in comparison to a previous report or
to a report with a certain ID.
Method Selection of the method for the alert. Only one method per alert can be chosen. If different
alerts for the same event should be triggered, multiple alerts must be created and linked to the
same task.

Note: Some methods cannot be used for SecInfo related alerts.

The following methods are possible:


Email An e-mail is sent to the given address. To use this method the mailserver to be used must be
configured using the GSM console (see section Configuring Automatic E-Mails (page 58)). For
the subject the following place holders can be used:
• $d date of last SecInfo check (blank for task alerts)
• $e event description
• $n task name (blank for SecInfo alerts)
• $N alert name
• $q type of SecInfo event (New, Updated or blank for task alerts)
• $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
• $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
• $T total number of resources in the list for SecInfo alerts (0 for task alerts)
• $u owner of the alert or currently logged in user if the alert was triggered manually
• $U UUID of the alert
• $$ the $ symbol
The content of the e-mail can be a simple notice, an included or an attached report.

• Include Report The report can be included directly in the e-mail. A report format that uses
the content type text/* can be chosen as an e-mail does not support binary content
directly.
• Attach Report The report can be attached to the e-mail. Any report format can be chosen.
The report will be attached to the generated e-mail in its correct MIME type.
The content of the e-mail message can be edited for both, the included and the attached report.
For the message the following place holders can be used:
• $c condition description
• $d date of last SecInfo check (blank for task alerts)
• $e event description
• $F name of filter
• $f filter term
• $H host summary
• $i report text or list of SecInfo resources (only when including the report/list)
• $n task name (blank for SecInfo alerts)
• $N alert name
• $q type of SecInfo event (New, Updated or blank for task alerts)
• $r report format name
• $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
• $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
• $t note if the report was truncated
• $T total number of resources in the list for SecInfo alerts (0 for task alerts)
• $u owner of the alert or currently logged in user if the alert was triggered manually
• $U UUID of the alert
• $z timezone
• $$ the $ symbol
HTTP Get The URL is issued as HTTP Get. For example, an SMS text message can be sent via HTTP Get
gateway or a bug report can be created in an issue tracker. The following variables can be used
when specifying the URL:
• $n name of the task
• $e description of the event (Start, Stop, Done)
• $c description of the condition that occurred
• $$ the $ symbol
SCP The report is copied to the given destination using SCP with the given login credentials.

Note: The host name must exactly match the input box Host.

Known hosts can be listed. Each line specifies a single host in the format “host protocol pub-
lic_key”, e.g. localhost ssh-rsa AAAAB3NzaC1y...P3pCquVb.

Note: If the host is an IP address the known hosts have to be IP addresses as well.

The following variables can be used when specifying the path:

• $$: $
• $n: task name
Send to host The report is sent to an arbitrary host-port-combination via TCP. The format of the re-
port can be chosen from the installed report formats.
SMB The report is copied to a given destination using the SMB protocol with the given login creden-
tials.
The share path and the file path must be specified. The share path contains the part of the UNC
path containing the host and the share name, e.g. “host\share”.

Note: If the file path contains subdirectories which do not exist, the necessary subdirectories
are created.

For the file path the following placeholders can be used:


• %C creation date in the format YYYYMMDD (changed to current date if creation date is not
available)
• %c creation time in the format HHMMSS (changed to current time if creation time is not
available)
• %D current date in the format YYYYMMDD
• %F name of the format plug-in used (XML for lists and types other than reports)
• %M modification date in the format YYYYMMDD (changed to creation date or to current
date if modification date is not available)
• %m modification time in the format HHMMSS (changed to creation time or to current time
if modification time is not available)
• %N name for the resource or the associated task for reports (lists and types without a name
will use the type (see %T))
• %T resource type (task, port_list, ...), pluralized for list pages
• %t current time in the format HHMMSS
• %U UUID of the resource or (list for lists of multiple resources)
• %u name of the currently logged in user
• %% the % symbol

Note: The file extension is appended corresponding to the format selected in the drop-down-
list Report Format.
The default report export file name (see Chapter Changing the User Settings (page 87)) is ap-
pended to the file path if the file path ends with \.

Note: If a task uses the tag smb-alert:file_path with a value, then the value is used as the
file path instead of the one that has been configured with the alert (see Chapter Tags (page 85)).
Example: smb-alert:file_path=alert_1 assigns the file path alert_1

SNMP An SNMP trap is sent to the given agent. The provided community is used to authenticate the
SNMP trap and the agent is the targeted SNMP trap receiver. For the message the following
place holders can be used:
• $$ the $ symbol
• $d date of last SecInfo check (blank for task alerts)

• $e event description
• $n task name (blank for SecInfo alerts)
• $q type of SecInfo event (New, Updated or blank for task alerts)
• $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
• $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
• $T total number of resources in the list for SecInfo alerts (0 for task alerts)
Sourcefire Connector The data can be sent to a Cisco Firepower Management Center (formerly
known as Sourcefire Defense Center) automatically. For more information see section Firepower
Management Center (page 277).
Start Task The alert can start an additional task. The task is selected in the drop-down-list.
System Logger The alert is sent to a Syslog daemon. The Syslog server is defined using the console
(see section Configuring the Collection of Logs (page 59)).
verinice.PRO Connector The data can be sent to a verinice.PRO installation automatically. For more
information see Chapter Verinice (page 268).
Alemba vFire A new ticket in the service management application vFire is created. The report can be
attached in one or more formats. For more information see section Alemba vFire (page 280).
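The placeholder rules of the Email method ($-placeholders, $$ for a literal $) and of the SMB method (%-placeholders, the smb-alert:file_path tag, the trailing \ rule and the appended extension) are easier to get right when they can be tried out. The following is an added illustration of those rules and is not Greenbone's own implementation; the alert context values, the tag and the default export file name %N_%D_%t are constructed sample data, and leaving unknown placeholders untouched is a choice made here, not documented GSM behaviour.

```python
"""Expand GSM alert placeholders as described in the alert method text.
Added illustration, not Greenbone's own code."""
from __future__ import annotations

# Constructed sample alert context for an e-mail subject/message: letter -> value.
ALERT_CONTEXT = {
    "n": "Webserver scan",                   # task name
    "e": "Task run status changed to Done",  # event description
    "c": "Severity at least 7.0",            # condition description
    "N": "Notify admins",                    # alert name
    "u": "admin",                            # alert owner
    "U": "00000000-0000-0000-0000-000000000000",  # placeholder UUID
}

# Constructed sample values for the SMB file path placeholders.
SMB_CONTEXT = {
    "N": "Webserver scan",  # task name for reports
    "T": "report",          # resource type
    "D": "20190725",        # current date YYYYMMDD
    "t": "143000",          # current time HHMMSS
    "u": "admin",           # logged-in user
    "U": "00000000-0000-0000-0000-000000000000",
}


def expand(template: str, values: dict[str, str], sigil: str) -> str:
    """Replace <sigil><letter> with its value; <sigil><sigil> yields the sigil.

    An unknown placeholder is left as written (assumption of this example) so
    that a typo shows up in the resulting subject or path instead of vanishing.
    """
    out: list[str] = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == sigil and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == sigil:          # "$$" / "%%" -> literal sigil
                out.append(sigil)
                i += 2
                continue
            if nxt in values:         # known single-letter placeholder
                out.append(values[nxt])
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def smb_file_path(configured: str, task_tags: dict[str, str],
                  default_export_name: str, extension: str,
                  values: dict[str, str] = SMB_CONTEXT) -> str:
    """Apply the SMB alert rules from the text: a task tag smb-alert:file_path
    overrides the configured path, a path ending in "\\" gets the user's default
    report export name appended, placeholders are expanded and the extension of
    the selected report format is added."""
    path = task_tags.get("smb-alert:file_path", configured)
    if path.endswith("\\"):
        path += default_export_name
    return expand(path, values, "%") + "." + extension


if __name__ == "__main__":
    print(expand("[$N] $n: $e ($$)", ALERT_CONTEXT, "$"))
    print(smb_file_path("reports\\%N\\", {}, "%N_%D_%t", "pdf"))
    print(smb_file_path("reports\\%N\\",
                        {"smb-alert:file_path": "alert_1"}, "%N_%D_%t", "pdf"))
```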

9.7.2 Assigning an Existing Alert to a Task

If an alert should be used afterwards, the alert has to be defined for a specific task as follows:

Note: Tasks that are already defined and have been run can be edited as well; this does not have any
effect on already created reports.

1. Select Scans > Tasks in the menu bar.


2. In the row of the task click .
3. Click the input box Alerts.
→ A drop-down-list with the available alerts is opened (see figure Configuring a task with an
alert (page 157)).

Fig. 9.49: Configuring a task with an alert

4. Select the desired alert.

Note: A new alert can be created by clicking .

5. Click Save.

→ Afterwards the task using the alert appears on the details page of the alert (see figure Tasks
using a specific alert (page 158)).

Fig. 9.50: Tasks using a specific alert

CHAPTER 10

Reports and Vulnerability Management

The results of a scan are summarized in a report. Reports can be displayed on the web interface and
downloaded in different formats.
The GSM saves all reports of all scans in a local database. Not only is the last report of a scan saved
but all reports of all scans ever run. This allows access to information from the past. The reports
contain the discovered vulnerabilities and information of a scan.
Once a scan has been started, the report of the results found so far can be viewed. When a scan is
completed, the status changes to Done and no more results will be added.

10.1 Managing Report Formats

Report plug-ins define the formats in which a report is created from the scan results. This
ranges from PDF documents as per corporate identity to interactive reports like the Greenbone Secu-
rity Explorer. The plug-ins can be used to export report information into other document formats so
it can be processed by third party applications (connectors).
The name of the exported report is configurable in the user settings (see section Changing the User
Settings (page 87)). Greenbone Networks supports the creation of additional plug-ins. Requests, sug-
gestions and concrete templates are welcome.
The report plug-in framework has the following properties:
Simple import/export: A report plug-in is always a single XML file. The import can be performed
easily.
Parameterized: Plug-ins can contain parameters that can be customized to specific requirements in
the graphical interface.
Content type: For every plug-in the type of its result is defined. The well-known HTTP content
types are used, for example application/pdf, graphics/png or text/plain. Depending on the
content type the plug-ins are offered in the matching context; for example, only plug-ins of type
text/* are offered for sending a report inline by e-mail.
Signature support: The Greenbone Security Feed provides signatures for trusted plug-ins. This allows
verifying that an imported plug-in was certified by Greenbone Networks.
By default, the following report formats are available:
Anonymous XML This is the anonymous version of the XML format. IP addresses are replaced by
random IP addresses.
ARF: Asset Reporting Format v1.0.0 This format creates a report that represents the NIST Asset Re-
porting Format.
CPE – Common Enumeration CSV Table This report selects all CPE tables and creates a single
comma-separated file.

CSV hosts This report creates a comma-separated file containing the systems discovered.
CSV Results This report creates a comma-separated file with the results of a scan.
GSR HTML – Greenbone Security Report (recommended) This is the complete Greenbone Security Report
with all vulnerabilities and results. It can be opened with any web browser and contains dy-
namically sortable lists as known from the web interface. The language of the report is English.
GSR PDF – Greenbone Security Report (recommended) This is the complete Greenbone Security re-
port with all vulnerabilities in graphical format as a PDF file. The topology graph is not included
when more than 100 hosts are covered in the report. The language of the report is English.
GXR PDF – Greenbone Executive Report (recommended) This is a shortened report with all vulner-
abilities in graphical format as a PDF file for management. The topology graph is not included
when more than 100 hosts are covered in the report. The language of the report is English.
HTML This report is in HTML format and can be opened in a web browser. It is a detailed listing con-
taining the complete description of vulnerabilities including note and overrides with all refer-
ences and cross-references. It is a neutral document without any further references to Greenbone
Networks or the Greenbone Security Manager. The report can also be used offline and the
language is English.
ITG – IT-Grundschutz catalog This report is guided by the BSI IT-Grundschutz catalog. It provides an
overview of the discovered results in tabular view in CSV format. The language of the report is
German.
LaTeX This report is offered as LaTeX source text. The language of the report is English.
NBE This is the old OpenVAS/Nessus report format. It does not have support for notes, overrides and
some additional information.
PDF This is a complete report in PDF. Like the HTML format it is neutral. The language of the report is
English.
Topology SVG This presents the results in an SVG picture.
TXT This creates a text file. This format is especially useful when being sent by e-mail. The language
of the report is English.
Verinice ISM Creates an import file for the ISMS tool Verinice.
Verinice ITG Creates an import file for the ISMS tool Verinice.
XML The report is exported in the native XML format. Contrary to the other formats this format con-
tains all results and does not format them at all.
The report plug-ins define the format of the reports to be exported. Many report plug-ins reduce the
available data in order to display it in a meaningful way. However, the native GSM XML format contains
all data and can be used to import exported reports on another GSM. To do so, use the Container Task
(see also section Creating a Container Task (page 140)).
The available report formats can be displayed by selecting Configuration > Report Formats in the
menu bar.
The overview (see figure Page Report Formats displaying all available report formats (page 161))
shows additional details of the report plug-ins. For every plug-in the following information is dis-
played:
Extension: The file name of the downloaded report consists of the UUID (unique internal ID of the
report) and this extension. Among others, the extension supports the browser to start a com-
patible application in case the specified content type is not recognized.
Content Type: The content type specifies the format in use and is transmitted when being down-
loaded. By this, a compatible application can directly be launched by the browser.
Additionally, the content type is important internally: it is used to offer suitable plug-ins within
its context. For example, when sending a report via e-mail all plug-ins of the type text/* are
offered as they can be embedded in an e-mail in a human-readable way.

Fig. 10.1: Page Report Formats displaying all available report formats

Trust: Some plug-ins only consist of a data transformation while others execute more complex op-
erations and use support programs as well. To avoid misuse the plug-ins are signed digitally. If
the signature is authentic and the publisher is trusted, it is ensured that the plug-in exists in the
exact format as certified by the publisher. The verification is done by clicking . The date of the
verification is saved automatically. Verification is not required for the supplied default plug-ins.
Active: The plug-ins are only available in the respective selection menus if they are activated. Newly
imported plug-ins are always deactivated at first.

Note: Greenbone Networks offers the following additional report format plug-ins:
• Sourcefire Host Input Import10
• OVAL System Characteristics11
• OVAL System Characteristics Archive12

Note: The report format plug-ins for the verinice connector are already shipped with GOS. They do
not need to be manually imported.

A new report format can be imported as follows:


1. Download the report format plug-in from one of the links mentioned above.

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they
are written in the footnotes.

2. Select Configuration > Report Formats in the menu bar.


3. Click .
10 https://download.greenbone.net/rfps/sourcefire-1.1.0.xml
11 https://download.greenbone.net/rfps/oval-sc-1.0.1.xml
12 https://download.greenbone.net/rfps/oval-sc-archive-1.0.0.xml

4. Click Browse... and select the previously downloaded report format plug-in (see figure Importing
a report format plug-in (page 162)).
5. Click Create.
→ The imported report format is displayed on the page Report Formats.

Fig. 10.2: Importing a report format plug-in

Note: The report format plug-in has to be verified and activated before it can be used.

6. Verify the signature of the report format by clicking .


→ The result of the verification is displayed in the column Trust (Last Verified).
7. In the row of the report format click .
8. For Active select the radiobutton Yes (see figure Activating a new report format plug-in
(page 162)).
9. Click Save.

Fig. 10.3: Activating a new report format plug-in

10.2 Reading a Report

The report of a scan can be displayed as follows:


1. Select Scans > Reports in the menu bar.
2. Click on the date of a report to show the results.
3. Move the mouse over Report: Results.
→ A drop-down list is opened (see figure Opening the page Report: Summary and Download
(page 163)).
4. Click Report: Summary and Download.
The page Report: Summary and Download gives a quick overview over the current state. It shows the
name of the corresponding task as well as the starting and the ending time of the scan. The table
below displays the found vulnerabilities.


Fig. 10.4: Opening the page Report: Summary and Download

Fig. 10.5: Page Report: Summary and Download with overview of found vulnerabilities

The report contains a list of all the vulnerabilities detected by the GSM (see figure Page Report: Results
showing a list of discovered vulnerabilities (page 163)). The results can be displayed as follows:
1. Select Scans > Reports in the menu bar.
2. Click on the date of the report.
or
2. When another report page is opened (e.g. Report: Summary and Download), move the mouse
over the page heading and select Report: Results in the drop-down list.
→ The page Report: Results is opened.

Fig. 10.6: Page Report: Results showing a list of discovered vulnerabilities

Column Vulnerability The column Vulnerability shows the found vulnerabilities. By clicking details
of a vulnerability are shown (see figure Detailed information about the vulnerability and
solution options (page 164)). The details are hidden by clicking . Vulnerabilities with an
attached note are marked with .

Note: If the column of the respective vulnerability still appears empty, the respective NVT has
not been updated yet.


Fig. 10.7: Detailed information about the vulnerability and solution options

Note: Even though the alerts contain a lot of information, external references are always listed
in the details. These refer to web sites on which the vulnerability was already discussed.
Additional background information is available, such as who discovered the vulnerability, what
effects it could have and how it can be remediated.

Column Solution type To simplify the elimination of vulnerabilities every alert offers a solution for
the problem. In most cases the solution refers to the latest vendor software package. In some cases
a configuration change is mentioned. The column Solution type displays the existence of a
solution. The following solutions are possible:
• A vendor patch is available.
• A workaround is available.
• A mitigation by configuration is available.
• No fix is available and none will be.
• No solution exists.
Column Severity The column Severity shows the severity of the vulnerability. To support the
administrator with the analysis of the results, the severity of a vulnerability (CVSS, see also section
CVSS (page 187)) is displayed as a bar.
By clicking overrides are enabled (see Chapter Overrides and False Positives (page 171)). By
clicking overrides are disabled.
Column QoD QoD is short for Quality of Detection. The column QoD shows how reliable the detection
of a vulnerability is. QoD was introduced with OpenVAS 8. Results created with earlier versions
are assigned a QoD of 75 % during migration. By default, only NVTs with a QoD of 70 % or higher
are displayed. This lowers the likelihood of false positives.
Column Host The column Host shows the host for which the result was found.
Column Location The column Location shows the location of the vulnerability.
Column Actions Notes (see Chapter Using Notes (page 169)) and overrides (see Chapter Overrides
and False Positives (page 171)) can be added.


To interpret the results note the following information:
• False Positives A false positive is a finding that describes a problem that does not really
exist. Vulnerability scanners often find evidence that points at a vulnerability but a final
judgment cannot be made. There are two options available:
– Reporting of a potentially nonexistent vulnerability (false positive).
– Ignoring reporting of a potentially existing vulnerability (false negative).
Since a user can identify and manage false positives, and thus deal with them, but cannot do so
with false negatives, the GSM Vulnerability Scanner reports all potentially existing vulnerabilities. If
the user knows that false positives exist an override can be configured (see section Overrides
and False Positives (page 171)). The AutoFP function (see section Automatic False
Positives (page 173)) can be used as well.
• Multiple findings can have the same cause. If an especially old software package is installed,
often multiple vulnerabilities exist. Each of these vulnerabilities is tested by an individual
NVT and causes an alert. The installation of a current package will remove a lot of
vulnerabilities at once.
• High and Medium Findings of the severity levels High and Medium are most
important and should be addressed with priority. High level findings should be addressed before
medium level findings. Only in exceptional cases should this approach be deviated from, e.g. when
it is known that a high alert is less relevant because the service cannot be reached through the
firewall.
• Low and Log Findings of the severity levels Low and Log are mostly interesting
for a detailed understanding. These findings are filtered out by default but can hold very
interesting information. Considering them will increase the security of the network and the
systems. Often a deeper knowledge of the application is required to understand them.
Typical for an alert of the level Log is that a service uses a banner with its name and version
number. This could be useful for an attacker if this version has a known vulnerability.

10.3 Filtering a Report

Since a report often contains a lot of findings, the complete report as well as only filtered results
can be displayed and downloaded. By default, only vulnerabilities with severity High or Medium are
shown. This can be changed as follows:
1. Click in the filter bar.
2. For Severity (Class) select the checkboxes of the desired severity categories (see figure Adjusting
the filter for the report (page 166)).
3. Click Update.

10.4 Exporting a Report

For supported formats for downloading see Chapter Managing Report Formats (page 159).
A report can be downloaded as follows:
1. Select Scans > Reports in the menu bar.
2. Click on the date of a report to show the results.
3. Move the mouse over Report: Results.
→ A drop-down list is opened.
4. Click Report: Summary and Download.


Fig. 10.8: Adjusting the filter for the report

5. In the row of the desired report, select the desired export format in the drop-down list.
6. In the row of the desired report, click .
A report can also be downloaded on any other Report page as follows:
1. Select Scans > Reports in the menu bar.
2. Click on the date of a report to show the results.
3. Move the mouse over Report: Results.
→ A drop-down list is opened.
4. Select the desired presentation of the report.
5. In the upper left corner of the page, select the desired export format in the drop-down list.
6. Click .

10.5 Displaying the Total Number of Reports for the same Task

If a task has been run multiple times, the total number of reports is displayed on the page Tasks.
To get there select Scans > Tasks in the menu bar.
From this page the reports of a specific task can be accessed.
The first number in the column Reports/Total is the number of all completed reports. The second
number (in brackets) is the number of all reports, including the ones not completed yet (see
figure Amount of reports saved in total and date of the last report (page 167)). By clicking on one of
the numbers, a list with the respective reports is opened.
By clicking on the date in the column Reports/Last the latest report is displayed.

10.6 Trend of a Vulnerability

If a task has been run multiple times, the trend of discovered vulnerabilities is displayed on the page
Tasks (see figure Task with trend (page 167)).
To get there select Scans > Tasks in the menu bar.


Fig. 10.9: Amount of reports saved in total and date of the last report

The trend describes the change of vulnerabilities between the newest and the second newest report.

Fig. 10.10: Task with trend

The following trends are possible:
• In the newest report the highest severity is higher than the highest severity in the second
newest report.
• The highest severity is the same for both reports. However, the newest report contains more
security issues of this severity than the second newest report.
• The highest severity and the number of security issues are the same for both reports.
• The highest severity is the same for both reports. However, the newest report contains fewer
security issues of this severity than the second newest report.
• In the newest report the highest severity is lower than the highest severity in the second
newest report.

10.7 Creating a Delta Report

If more than one report of a single task is available (see Chapter Displaying the Total Number of
Reports for the same Task (page 166)) a delta report can be created as follows:
1. Select Scans > Tasks in the menu bar.
2. Click on the total number of reports in the column Reports/Total.

Note: The number in brackets is the total amount of all scans, including the ones not completed
yet.

→ The page Reports is opened and shows all reports belonging to the selected task.
3. Select the first report by clicking in the column Actions of the respective report (see figure
Selecting the first report (page 168)).
→ The icon is grayed out for the selected report.
4. Select the second report by clicking in the column Actions of the respective report (see figure
Selecting the second report (page 168)).


Fig. 10.11: Selecting the first report

→ The delta report with the delta results is displayed and can be exported (see figure Delta
results (page 168)).

Fig. 10.12: Selecting the second report

Fig. 10.13: Delta results

There are four types of delta results:
• Gone The result exists in the first report but not in the second report (according to order of
selection).
• New The result exists in the second report but not in the first report (according to order of
selection).
• Same The result exists in both reports and is equal.
• Changed The result exists in both reports but is different.

Tip: The term delta_states= can be entered into the filter bar to show only a specific type of delta
results (see Chapter Filtering the Page Content (page 80)).
• delta_states=g show all results of the type Gone.
• delta_states=n show all results of the type New.
• delta_states=s show all results of the type Same.
• delta_states=c show all results of the type Changed.
Multiple types can be displayed at the same time, e.g. delta_states=gs shows all results of the
type Gone and Same.
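The trend rules of section Trend of a Vulnerability and the delta result types with the delta_states filter term, worked through as an added Python example that is not code from the manual or from Greenbone. The Result structure, the NVT names and both sample reports are constructed for illustration:

```python
"""Trend and delta classification for two reports of the same task.

Added example, not code from the Greenbone manual or the GSM: it re-implements
the trend rules (section 10.6) and the delta result types with the
delta_states filter term (section 10.7) in plain Python. The Result structure,
the NVT names and the two sample reports are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Result:
    nvt: str           # name of the NVT that produced the finding (constructed)
    host: str
    port: str
    severity: float    # CVSS base score; 0.0 for a Log result
    text: str          # result text; decides between Same and Changed

    def key(self) -> tuple:
        # Assumption of this example: NVT, host and port identify a finding.
        return (self.nvt, self.host, self.port)


def trend(newest: Iterable[Result], previous: Iterable[Result]) -> str:
    """Return the trend of the newest report against the second newest one.

    The five outcomes follow the manual: the highest severity is compared
    first; when it is equal, the number of results at that severity decides.
    """
    newest, previous = list(newest), list(previous)
    new_max = max((r.severity for r in newest), default=0.0)
    old_max = max((r.severity for r in previous), default=0.0)
    if new_max > old_max:
        return "up"
    if new_max < old_max:
        return "down"
    new_count = sum(1 for r in newest if r.severity == new_max)
    old_count = sum(1 for r in previous if r.severity == old_max)
    if new_count > old_count:
        return "more"
    if new_count < old_count:
        return "less"
    return "same"


def delta(first: Iterable[Result], second: Iterable[Result]) -> Dict[str, List[Result]]:
    """Classify results as Gone (g), New (n), Same (s) or Changed (c).

    'first' and 'second' follow the order of selection on the Reports page:
    Gone means only in the first report, New means only in the second.
    """
    a = {r.key(): r for r in first}
    b = {r.key(): r for r in second}
    out: Dict[str, List[Result]] = {"g": [], "n": [], "s": [], "c": []}
    for k in sorted(a.keys() - b.keys()):
        out["g"].append(a[k])
    for k in sorted(b.keys() - a.keys()):
        out["n"].append(b[k])
    for k in sorted(a.keys() & b.keys()):
        out["s" if a[k] == b[k] else "c"].append(b[k])
    return out


def filter_delta_states(delta_results: Dict[str, List[Result]], states: str) -> List[Result]:
    """Apply a filter term such as delta_states=gs (Gone and Same)."""
    unknown = set(states) - set("gnsc")
    if unknown:
        raise ValueError(f"unknown delta state(s): {sorted(unknown)}")
    return [r for state in "gnsc" if state in states for r in delta_results[state]]


# Constructed sample reports: REPORT_1 is the older run, REPORT_2 the newer one.
REPORT_1 = [
    Result("nvt:ssh-banner", "192.0.2.10", "22/tcp", 0.0, "SSH banner: OpenSSH 7.4"),
    Result("nvt:tls-weak-cipher", "192.0.2.10", "443/tcp", 5.0, "ciphers: RC4-SHA, DES-CBC3-SHA"),
    Result("nvt:old-webserver", "192.0.2.11", "80/tcp", 7.5, "Apache 2.2.x end of life"),
]
REPORT_2 = [
    Result("nvt:ssh-banner", "192.0.2.10", "22/tcp", 0.0, "SSH banner: OpenSSH 7.4"),
    Result("nvt:tls-weak-cipher", "192.0.2.10", "443/tcp", 5.0, "ciphers: RC4-SHA"),
    Result("nvt:smb-signing", "192.0.2.12", "445/tcp", 7.5, "SMB signing not required"),
    Result("nvt:dns-recursion", "192.0.2.12", "53/udp", 7.5, "open recursive resolver"),
]

if __name__ == "__main__":
    print("trend:", trend(REPORT_2, REPORT_1))                 # more
    d = delta(REPORT_1, REPORT_2)
    for state in "gnsc":
        print(state, [r.nvt for r in d[state]])
    print("delta_states=gs:", [r.nvt for r in filter_delta_states(d, "gs")])
```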


10.8 Displaying Results

While the reports only contain the results of one single run of a task, all results are saved in the
internal database and can be viewed by selecting Scans > Results in the menu bar.
By default, the view is sorted by the creation time of the results (see figure Page Results showing all
results of all scans (page 169)). The results can be sorted by all other columns as well.
Additionally, powerfilters (see section Filtering the Page Content (page 80)) can be used to display
only interesting results.

Fig. 10.14: Page Results showing all results of all scans

10.9 Using Notes

Notes allow adding comments to an NVT and are displayed in the reports as well. A note can be added
to a specific result, a specific task, a risk level, port or host and as such will only appear in specific
reports. A note can be generalized as well so that it will be displayed in all reports.

10.9.1 Creating a Note

To create a new note select the finding in the report to which a note should be added and click .
Alternatively a note can be created without relation to a finding. However, the GSM can then not
suggest any meaningful values for the different fields in the following dialogue.
A new window opens in which exactly those criteria of the selected vulnerability are pre-set.
Individual values can be selected and unselected to generalize the note even further or to make it
more specific. Additionally, the note can be activated for a specific period of time. This allows, for
example, noting that a security update will be installed in the next seven days. For the next seven
days the note will be displayed in the report, stating that the vulnerability is being worked on.

10.9.2 Generalizing Notes

Any note can be generalized. In this example a quite extensive generalization is configured, matching
any target host, port and task.
From this moment on the note is always shown in the results view if this NVT matches.


Fig. 10.15: Creating a new note

Fig. 10.16: Report containing a note

Fig. 10.17: Generalizing a note


This applies for all previously created scan reports and for all future scan reports until the note is
deleted.

10.9.3 Managing Notes

All created notes can be displayed by selecting Scans > Notes in the menu bar.

Fig. 10.18: Managing notes

New notes can be added by clicking .
The list of notes shows whether a note is currently active.
For all notes the following actions are available:
• Delete the note.
• Edit the note.
• Clone the note.
• Download the note as an XML file.

Note: By clicking or below the list of notes more than one note can be deleted or exported at a
time. The drop-down list is used to select which notes are deleted or exported.

10.10 Overrides and False Positives

The severity of a result can be modified. This is called an override.
Overrides are especially useful to manage results that are detected as a false positive and that have
been given a critical severity but should be given a different severity in the future.
The same applies to results that only have been given the severity Log but should be assigned a higher
severity locally. This can be managed with an override as well.
Overrides are also used to manage acceptable risks.

10.10.1 Creating an Override

Overrides can be created in different ways. The simplest way is through the respective scan result in
a report:
1. Select Scans > Reports in the menu bar.
2. Click on the date of the report to show the results.


3. In the row of a result click .
4. Define the override. Select the new severity in the drop-down list New Severity (see figure
Creating a new override (page 172)).

Tip: It is possible to enter ranges of IP addresses and CIDR blocks into the input box Hosts. In
that way, overrides for entire subnets can be created without having to specify every host in a
comma-separated list.

Fig. 10.19: Creating a new override

5. Click Create.

Note: If several overrides apply to the same NVT in the same report the most recent override is used
and applied.

10.10.2 Disabling and Enabling Overrides

Since overrides change the display of the results, they can be enabled or disabled. This is
done by clicking in the column Severity on the results page (see figure Disabling and enabling
overrides (page 172)).
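The override rules described in this section (host ranges and CIDR blocks in Hosts, the most recent override winning when several apply, and the enable/disable toggle), worked through as an added Python example that is not code from the manual or from Greenbone. The Result and Override structures and all sample data are constructed; representing a false positive as new_severity None is a convention of this example only:

```python
"""Applying overrides to scan results.

Added example, not code from the Greenbone manual or the GSM: it models the
override rules the manual describes. An override is bound to an NVT and may be
restricted to hosts (addresses, ranges or CIDR blocks), a port and a task;
when several overrides apply to a result the most recent one wins; and the
whole mechanism can be switched off for display. The Result and Override
structures and all sample data are constructed for illustration; a false
positive is represented here as new_severity None.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Result:
    nvt: str
    host: str
    port: str
    task: str
    severity: float


@dataclass(frozen=True)
class Override:
    nvt: str
    new_severity: Optional[float]   # None marks a false positive (example convention)
    hosts: str = ""                 # "" matches any host; else a comma-separated list
    port: str = ""                  # "" matches any port
    task: str = ""                  # "" matches any task
    created: int = 0                # creation order; higher means more recent

    def matches(self, r: Result) -> bool:
        """An override applies when every restriction it carries is met."""
        if self.nvt != r.nvt:
            return False
        if self.port and self.port != r.port:
            return False
        if self.task and self.task != r.task:
            return False
        return not self.hosts or host_in(self.hosts, r.host)


def host_in(spec: str, host: str) -> bool:
    """True when 'host' lies in the comma-separated Hosts specification.

    Accepted items: a single address, a CIDR block, or a range written as
    first-last (assumption of this example; the GSM accepts further notations).
    """
    addr = ipaddress.ip_address(host)
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(item, strict=False):
            return True
    return False


def apply_overrides(results: Iterable[Result], overrides: Iterable[Override],
                    enabled: bool = True) -> List[Tuple[Result, Optional[float]]]:
    """Return (result, effective severity) pairs.

    With enabled=False the original severities are kept, mirroring the toggle
    in the column Severity (section 10.10.2). None means false positive.
    """
    overrides = list(overrides)
    out: List[Tuple[Result, Optional[float]]] = []
    for r in results:
        sev: Optional[float] = r.severity
        if enabled:
            applicable = [o for o in overrides if o.matches(r)]
            if applicable:
                # Several matching overrides: the most recently created one wins.
                sev = max(applicable, key=lambda o: o.created).new_severity
        out.append((r, sev))
    return out


# Constructed sample data.
RESULTS = [
    Result("nvt:tls-weak-cipher", "192.0.2.10", "443/tcp", "DMZ weekly", 5.0),
    Result("nvt:tls-weak-cipher", "192.0.2.25", "443/tcp", "DMZ weekly", 5.0),
    Result("nvt:ssh-banner", "192.0.2.10", "22/tcp", "DMZ weekly", 0.0),
    Result("nvt:old-webserver", "198.51.100.7", "80/tcp", "Office", 7.5),
]
OVERRIDES = [
    # Whole subnet marked as false positive (e.g. a compensating control is in place).
    Override("nvt:tls-weak-cipher", None, hosts="192.0.2.0/24", created=1),
    # Newer, narrower override for a range inside that subnet: wins there.
    Override("nvt:tls-weak-cipher", 2.0, hosts="192.0.2.20-192.0.2.30", created=2),
    # A Log finding raised to a real severity for one task.
    Override("nvt:ssh-banner", 3.0, task="DMZ weekly", created=3),
]

if __name__ == "__main__":
    for r, sev in apply_overrides(RESULTS, OVERRIDES):
        print(r.host, r.nvt, r.severity, "->", "False Positive" if sev is None else sev)
```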

Fig. 10.20: Disabling and enabling overrides


10.10.3 Automatic False Positives

The GSM is able to detect false positives and assign an override automatically. However, the target
system must be analyzed internally and externally with an authenticated scan.
An authenticated scan can identify vulnerabilities in locally installed software. Vulnerabilities that
can be exploited by local users, or that are available to an attacker who has already gained local
access as an unprivileged user, can be identified. In many cases an attack occurs in different phases
and an attacker exploits multiple vulnerabilities to increase his privileges.
An authenticated scan offers a second, more powerful function justifying its execution. By scanning
the system only externally, it often cannot be properly determined whether a vulnerability really
exists. The Greenbone Security Manager reports all potential vulnerabilities. With the authenticated
scan many potential vulnerabilities can be recognized and filtered as false positives.
Automatic false positives are enabled when filtering a report (see Chapter Filtering a Report
(page 165)). The best results are obtained when using Partial CVE match.

CHAPTER 11

Asset Management

The GSM stores all results of a scan in the asset management if this is selected when creating a new
task (see Chapter Creating a Task (page 115)).
While the asset management of older GOS versions is still available (see section Classic Asset
Management (page 179)) the new asset management offers additional features.

11.1 Dashboard

The dashboard provides a quick overview of the found and scanned systems including their operating
systems, vulnerabilities and severities. The dashboard can be accessed by selecting Assets >
Dashboard in the menu bar.

Fig. 11.1: Assets dashboard


11.2 Creating and Editing Hosts

All scanned hosts can be displayed by selecting Assets > Hosts in the menu bar.

Fig. 11.2: Page Hosts displaying all scanned hosts

11.2.1 Modifying Hosts

While displaying the main information of the hosts like IP addresses, host names, operating systems,
and maximum severities this view is also used to alter the stored information.
For each host the following actions are available:
• Delete the host from the asset management.
• Edit the host. Currently only comments can be added.
• Create a scan target based on the asset. The window for creating a target is opened and the
input box Hosts is prefilled.
• Download the asset in XML format.

Note: By clicking , or below the list of hosts more than one host can be deleted, used to create
a target or downloaded. The drop-down list is used to select which hosts are deleted, used to create
a target or downloaded.

A target with a set of hosts can be created as follows:

1. Filter the hosts so that only the hosts that should be used for the target (e.g. only Microsoft
Windows hosts) are displayed.
2. Create a new target by clicking below the list of hosts (see figure Creating a target with the
displayed hosts (page 176)).
→ The window for creating a target is opened. The input box Hosts is prefilled with the set of
displayed hosts.

Fig. 11.3: Creating a target with the displayed hosts


Note: If additional suitable hosts show up in further scans they will not be added to the target.

11.2.2 Adding Hosts

Hosts can be added to the asset management as follows:

1. Select Assets > Hosts in the menu bar.
2. Create a new host by clicking in the upper left corner of the page.
3. Define the host. Currently only the IP address and a comment can be provided.

Fig. 11.4: Creating a new host

This feature is also available via GMP (see section Configuring GMP (page 41)). The import of hosts
from a configuration management database can be achieved using this option.

11.2.3 Host Details

Select Assets > Hosts to open the page Hosts and click on the name of a host in the list of hosts. The
host details are displayed including:
• Comment
• Host name
• IP address
• Operating system
• Route
• Maximum severity
Additionally, the identifiers of the system are displayed, especially SSH keys and X.509 certificates.

11.3 Operating Systems View

The operating systems view within the asset management provides a di erent view on the stored
data. While the hosts view is centered on the individual hosts, this view concentrates on the used
operating systems.
The operating systems can be displayed by selecting Assets > Operating Systems in the menu bar. This
view displays the latest, the highest and the average severity of all hosts using the same operating
system (see figure Page Operating Systems displaying all scanned operating systems (page 178)).
By clicking on the name of an operating system in the list, the details page of the operating system is
shown.
By clicking on the hosts (see figure Details page of an operating system (page 178)), the page Hosts is
opened showing only the hosts using this operating system.


Fig. 11.5: Details of a host

Fig. 11.6: Page Operating Systems displaying all scanned operating systems

Fig. 11.7: Details page of an operating system


11.4 Classic Asset Management

The classic asset management is opened by selecting Assets > Hosts (Classic) in the menu bar.

Fig. 11.8: The asset database displays the stored systems.

It is displayed how many security holes were discovered on the systems. In addition, the overview
displays the operating system with a logo (OS column) and the discovered ports and applications.
Also, it is displayed how a scan of the system would possibly turn out at this moment (Prognosis
column, see also Chapter Running a Prognosis Scan (page 138)). Via the respective icon a prognostic
report can be created as well. Through the asset management the last report of the host can always
be accessed. The date of the report is visible and the report can be opened directly by clicking on
the link. If multiple reports exist, older reports can be accessed in the host details. By clicking on
the host IP address the host details can be accessed. Here the number of discovered vulnerabilities,
the identified operating system, the discovered ports and the number of detected applications on
the system can be viewed.

Fig. 11.9: The host details contain further information on the host.

The host details contain additional information of the system:


Hardware The GSM stores information about the hardware. If the MAC address is known, it is listed
here. It can only be displayed if the target system is on the same LAN as the GSM.
Detected Applications Especially of interest are the detected applications. With this the Greenbone
Security Manager can give a prognosis based on its SecInfo database, without re-scanning, whether
additional security risks would be found. This is especially of interest for systems that currently
do not have any vulnerability and for which new scans are not being performed regularly.

CHAPTER 12

SecInfo Management

The SecInfo Management offers central access to different information relating to IT security. This
includes the following information:
NVTs These are the Network Vulnerability Tests. These tests check the target system for potential
vulnerabilities.
CVEs The Common Vulnerabilities and Exposures are vulnerabilities published by vendors and security
researchers.
CPEs The Common Platform Enumeration offers standardized names of the products that are being
used in information technology.
OVAL Definition The Open Vulnerability Assessment Language offers a standardized language for
the testing of vulnerabilities. OVAL definitions use this language to concretely discover
vulnerabilities.
CERT-Bund Advisories The CERT-Bund Advisories are published by the emergency response team [13]
of the Federal Office for Information Security (German: Bundesamt für Sicherheit in der
Informationstechnik, abbreviated as BSI). The main task of the CERT-Bund is the operation of a
warning and information service publishing information regarding new vulnerabilities and security
risks as well as threats for IT systems.
DFN-CERT Advisories The DFN-CERT [14] is the emergency response team of the German Research
Network (German: Deutsches Forschungsnetz, abbreviated as DFN).
The CVEs, CPEs and OVAL definitions are published and made accessible by NIST as part of the
National Vulnerability Database (NVD) (see also section Security Content Automation Protocol (SCAP)
(page 183)).

Note: When the SCAP database and/or the CERT database are missing on the GMP server an error
message is displayed. In this case, the list on the according SecInfo list page is empty.
The SCAP data is updated during a SCAP data feed synchronization. The CERT data is updated during
a CERT data feed synchronization. Most likely the data appears after these synchronizations.
Usually, this is taken care of by a periodic background process automatically.

To get a quick overview over this information the SecInfo dashboard (see figure The SecInfo Dashboard
allows displaying data graphically. (page 182)) exists. It allows for the graphical display of different
information grouped by different aspects.
[13] https://www.cert-bund.de/
[14] https://www.dfn-cert.de/


Fig. 12.1: The SecInfo Dashboard allows displaying data graphically.

12.1 SecInfo Portal

SecInfo data is provided by Greenbone Networks online as well. This portal [15] can be accessed
directly through the Internet. It corresponds to the data that can be displayed in the GSM as well. The
SecInfo Portal is a GSM ONE that has been configured especially for anonymous guest access. Contrary
to a full-fledged GSM only the SecInfo management and the CVSS online calculator are available
for the guest user.
The SecInfo portal serves a multitude of functions:
• Anonymous access to details of the Greenbone vulnerability tests as well as SCAP data (CVE, CPE,
OVAL) and messages of different CERTs. The data itself is cross-referenced, thus offering the
possibility to browse security information regarding a product, a vendor or a specific vulnerability.
• Demo of the respective upcoming version of the Greenbone OS as soon as the SecInfo section
has reached beta status.
• Service for embedded diagrams as they are used on the Greenbone website, for example for feed
statistics.
• Service for direct links to details or specific selections, for example for a specific CVE (CVE-2014-
0160, Heartbleed) or an overview: all published CVE notices in 2013.
• Service for links to a CVSS vulnerability rating including the CVSS online calculator, e.g.
AV:N/AC:L/Au:N/C:P/I:P/A:P
• Example of how a GSM can be configured on an intranet to allow direct links in internal reports
and platforms.
Such access can be provided by activating guest access (see section Creating a Guest Login (page 93)).
[15] https://secinfo.greenbone.net
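The CVSS v2 base score behind a vector such as AV:N/AC:L/Au:N/C:P/I:P/A:P, computed in an added Python example that is not code from the manual or from Greenbone's CVSS online calculator. It assumes the severity class boundaries High >= 7.0, Medium >= 4.0, Low > 0.0 and Log = 0.0:

```python
"""CVSS v2 base score for a vector such as AV:N/AC:L/Au:N/C:P/I:P/A:P.

Added example, not code from the Greenbone manual or the GSM: it implements
the published CVSS v2 base equation that a CVSS calculator evaluates, and
maps the score to the severity classes High, Medium, Low and Log. The class
boundaries (High >= 7.0, Medium >= 4.0, Low > 0.0, Log = 0.0) follow the NVD
rating scheme; that they are the GSM's defaults is an assumption here.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
METRICS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a base vector into its six metrics, validating every value."""
    vector = vector.strip()
    if vector.startswith("(") and vector.endswith(")"):   # NVD writes "(AV:N/...)"
        vector = vector[1:-1]
    values: Dict[str, str] = {}
    for item in vector.split("/"):
        name, _, value = item.partition(":")
        if name not in METRICS or value not in METRICS[name]:
            raise ValueError(f"invalid CVSS v2 base metric: {item!r}")
        values[name] = value
    missing = set(METRICS) - set(values)
    if missing:
        raise ValueError(f"missing metric(s): {sorted(missing)}")
    return values


def _round1(x: float) -> float:
    # The specification rounds to one decimal place, half up.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score according to the base equation."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity_class(score: float) -> str:
    """Severity class as used by the GSM filter levels High, Medium, Low and Log."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Log"


if __name__ == "__main__":
    for vec in ("AV:N/AC:L/Au:N/C:P/I:P/A:P",    # the vector linked from the portal
                "AV:N/AC:L/Au:N/C:P/I:N/A:N",    # CVE-2014-0160 (Heartbleed) base vector
                "AV:L/AC:H/Au:M/C:N/I:N/A:N"):
        s = base_score(vec)
        print(f"{vec}: {s} ({severity_class(s)})")
```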


12.2 Network Vulnerability Tests (NVT)

NVT is short for Network Vulnerability Test. NVTs are test routines the GSM utilizes and that are
updated with the Greenbone Security Feed regularly. Here information about when the test was
developed, which systems are affected, what impact the vulnerabilities have and how they can be
remediated can be found.
Compared to Greenbone OS 3.0 there are two new pieces of information, the Solution Type (see
Solution Type (page 324)) and the Quality of Detection (QoD, see Quality of Detection (QoD) (page 321)).
With the introduction of the QoD, the parameter Paranoid in the scan configuration (see chapter
Managing Scan Configurations (page 141)) is removed without replacement. In the past a scan
configuration without this parameter only used NVTs with a QoD of at least 70 %. Now all NVTs are
used and executed in a scan configuration. The filtering of the results is done based on QoD. That way
all the results are always available in the database and can be turned on or off respectively.
All available NVTs can be displayed by selecting SecInfo > NVTs in the menu bar. By clicking on an NVT
in the column Name the details page containing further information of the NVT is opened.

12.3 Security Content Automation Protocol (SCAP)

The National Institute of Standards and Technology [16] (NIST) provides the National Vulnerability
Database [17] (NVD). NVD is a data repository for the vulnerability management of the US government.
The goal is the standardized provision of the data for automated processing. By that, vulnerability
management is supported and the implementation of compliance guidelines is verified. The NVD
provides different databases including the following:
• Checklists
• Vulnerabilities
• Misconfigurations
• Products
• Threat metrics
For this, the NVD utilizes the Security Content Automation Protocol [18] (SCAP). SCAP is a combination
of different interoperable standards. Many standards were developed or derived from public discussion.
The public participation of the community in the development is an important aspect for the acceptance
and spreading of the SCAP standards. The SCAP protocol is currently specified in version 1.2 and includes
the following components:
• Languages
– XCCDF: The Extensible Configuration Checklist Description Format
– OVAL: Open Vulnerability and Assessment Language
– OCIL: Open Checklist Interactive Language
– Asset Identification
– ARF: Asset Reporting Format
• Collections
– CCE: Common Configuration Enumeration
– CPE: Common Platform Enumeration
– CVE: Common Vulnerabilities and Exposures
[16] https://www.nist.gov
[17] https://nvd.nist.gov/
[18] https://csrc.nist.gov/projects/security-content-automation-protocol/


• Metrics
– CVSS: Common Vulnerability Scoring System
– CCSS: Common Configuration Scoring System
• Integrity
– TMSAD: Trust Model for Security Automation Data
OVAL, CCE, CPE and CVE are trademarks of NIST.
The Greenbone Vulnerability Scanner uses OVAL, CVE, CPE and CVSS. By utilizing these standards the
interoperability with other systems is guaranteed. The standards also allow the comparison of results.
Vulnerability scanners such as the Greenbone Security Manager can be validated by NIST accordingly.
The Greenbone Security Manager has been validated with respect to SCAP version 1.0 [19].

12.3.1 CVE

In the past, multiple organizations often discovered and reported vulnerabilities at the same time
and assigned them different names. Thus, different scanners reported the same vulnerability under
different names, which made communication and comparison of the results complicated.
To address this, MITRE, sponsored by the US-CERT, founded the CVE project in 1999. Every vulnerability
is assigned a unique identifier consisting of the year and a simple number. This identifier then serves
as a central reference.
The CVE database of MITRE is not a vulnerability database. CVE was developed in order to connect
vulnerability databases and other systems with each other. This allows for the comparison of security
tools and services.
The CVE database does not contain detailed technical information or any information regarding risk,
impact or elimination of the vulnerability. A CVE only contains the identification number with the
status, a short description and references to reports and advisories.
The NVD refers to the CVE database and complements the content with information regarding the
elimination, severity, possible impact and affected products of the vulnerability. Greenbone Networks
refers to the CVE database of the NVD. At the same time the Greenbone Security Manager combines
the information with the NVTs and the CERT-Bund and DFN-CERT advisories.
All available CVEs can be displayed by selecting SecInfo > CVEs in the menu bar. By clicking on a CVE
in the column Name the details page containing further information of the CVE is opened (see figure
Details page of a CVE (page 185)).

12.3.2 CPE

CPE is short for Common Platform Enumeration [20] and is modelled after CVE. It is a structured naming scheme for applications, operating systems and hardware devices. Thus, a common naming for global referencing exists.
CPE was initiated by MITRE [21]. Today the CPE standard is maintained by NIST as a part of the NVD. NIST has maintained the official CPE dictionary and the CPE specifications for many years. CPE is based on the generic syntax of the Uniform Resource Identifier (URI).
Because the CPE standard is closely tied to the CVE standard, their combination allows conclusions about existing vulnerabilities to be drawn as soon as a platform or product has been discovered.
CPE is composed of the following components:
• Naming The name specification describes the logical structure of well-formed names (WFNs), their binding to URIs and formatted character strings as well as their conversion.
• Name Matching The name matching specification describes the methods to compare WFNs with each other. This allows for testing whether some or all WFNs refer to the same product.
• Dictionary The dictionary is a repository of CPE names and metadata. Every name defines a single class of an IT product. The dictionary specification describes the processes for the use of the dictionary, e.g. the search for a specific name or for entries belonging to a more general class.
• Applicability Language The applicability language specification describes the creation of complex logical expressions with the help of the WFNs. These applicability statements can be used for the tagging of checklists, guidelines or other documents and so describe for which products these documents are relevant.
[19] https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Releases
[20] https://csrc.nist.gov/projects/security-content-automation-protocol/scap-specifications/cpe
[21] https://www.mitre.org/

12.3. Security Content Automation Protocol (SCAP)

Fig. 12.2: Details page of a CVE

Fig. 12.3: Name structure of a CPE name

Chapter 12. SecInfo Management

All available CPEs can be displayed by selecting SecInfo > CPEs in the menu bar. By clicking on a CPE
in the column Name the details page containing further information of the CPE is opened.

12.3.3 OVAL

The Open Vulnerability and Assessment Language (OVAL) is a MITRE project as well. It is a language to describe vulnerabilities, configuration settings (compliance), patches and applications (inventory). The XML based definitions allow for simple processing by automated systems. For example, the OVAL definition oval:org.mitre.oval:def:22127 of the inventory class describes the Adobe Flash Player 12, while the OVAL definition oval:org.mitre.oval:def:22272 describes a vulnerability of Google Chrome under Windows.
These OVAL definitions are made available in XML and describe how individual products and vulnerabilities are detected. The OVAL definition 22272 mentioned above has the following structure:
<definition id="oval:org.mitre.oval:def:22272" version="4" class="vulnerability">
<metadata>
<title>Vulnerability in Google Chrome before 32.0.1700.76 on Windows allows
attackers to trigger a sync with an arbitrary Google account by
leveraging improper handling of the closing of an untrusted signin
confirm dialog</title>
<affected family="windows">
<platform>Microsoft Windows 2000</platform>
<platform>Microsoft Windows XP</platform>
<platform>Microsoft Windows Server 2003</platform>
<platform>Microsoft Windows Server 2008</platform>
<platform>Microsoft Windows Server 2008 R2</platform>
<platform>Microsoft Windows Vista</platform>
<platform>Microsoft Windows 7</platform>
<platform>Microsoft Windows 8</platform>
<platform>Microsoft Windows 8.1</platform>
<platform>Microsoft Windows Server 2012</platform>
<platform>Microsoft Windows Server 2012 R2</platform>
<product>Google Chrome</product>
</affected>
<reference source="CVE" ref_id="CVE-2013-6643"
ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6643"/>
<description>The OneClickSigninBubbleView::WindowClosing function in
browser/ui/views/sync/one_click_signin_bubble_view.cc in Google
Chrome before 32.0.1700.76 on Windows and before 32.0.1700.77 on Mac
OS X and Linux allows attackers to trigger a sync with an arbitrary
Google account by leveraging improper handling of the closing of an
untrusted signin confirm dialog.</description>
<oval_repository>
<dates>
<submitted date="2014-02-03T12:56:06">
<contributor organization="ALTX-SOFT">Maria Kedovskaya</contributor>
</submitted>
<status_change date="2014-02-04T12:25:48.757-05:00">DRAFT</status_change>
<status_change date="2014-02-24T04:03:01.652-05:00">INTERIM</status_change>
<status_change date="2014-03-17T04:00:17.615-04:00">ACCEPTED</status_change>
</dates>
<status>ACCEPTED</status>
</oval_repository>
</metadata>
<criteria>
<extend_definition comment="Google Chrome is installed"
definition_ref="oval:org.mitre.oval:def:11914"/>
<criteria operator="AND" comment="Affected versions of Google Chrome">
<criterion comment="Check if the version of Google Chrome is greater than
or equals to 32.0.1651.2" test_ref="oval:org.mitre.oval:tst:100272"/>
<criterion comment="Check if the version of Google Chrome is less than
or equals to 32.0.1700.75" test_ref="oval:org.mitre.oval:tst:99783"/>
</criteria>
</criteria>
</definition>

This information is graphically processed by the web interface and presented in an easily readable form (see figure Details page of an OVAL definition (page 187)). The criteria element is the machine-testable part of the definition: the vulnerability is only reported if Google Chrome is installed (the extended inventory definition oval:org.mitre.oval:def:11914) and the detected version lies within the affected range given by the two version tests.
All available OVAL definitions can be displayed by selecting SecInfo > OVAL Definitions in the menu bar.
By clicking on an OVAL definition in the column Name the details page containing further information
of the OVAL definition is opened (see figure Details page of an OVAL definition (page 187)).

Fig. 12.4: Details page of an OVAL definition

12.3.4 CVSS

A large problem for administrators is the interpretation of a vulnerability within their own environment.
To support personnel who do not work with the analysis and rating of vulnerabilities on a daily basis, the Common Vulnerability Scoring System (CVSS) was created. CVSS is an industry standard for describing the severity of security risks in computer systems. Security risks are rated and compared using different criteria. This allows for the creation of a priority list of countermeasures.
The CVSS standard is continuously developed further. The GSM currently uses CVSS version 2; version 3 has since been published by the CVSS Special Interest Group (CVSS-SIG) of the Forum of Incident Response and Security Teams [22] (FIRST).
CVSS version 2 supports base score metrics, temporal score metrics and environmental score metrics.
The base score metrics rate the exploitability of a vulnerability and its impact on the target system. Exploitability is rated by access vector, access complexity and the authentication required; impact is rated by whether confidentiality, integrity or availability is affected.
The temporal score metrics rate whether working exploit code exists, whether the vendor has already supplied a patch and whether the vulnerability has been confirmed. This part of the score changes over time.
The environmental score metrics rate the collateral damage potential, the target distribution and the confidentiality, integrity and availability requirements of the affected system. This assessment strongly depends on the environment in which the vulnerable product is used.
Since only the base score metrics are generally meaningful and can be determined once and for all, the GSM provides them as part of the SecInfo data.
The CVSS calculator can be opened by selecting Extras > CVSS Calculator in the menu bar (see figure
CVSS calculator for calculating scores conveniently (page 188)).

Fig. 12.5: CVSS calculator for calculating scores conveniently

The following formula is being used and can be calculated with the CVSS calculator:
BaseScore = roundTo1Decimal( ( ( 0.6 * Impact ) +
( 0.4 * Exploitability ) - 1.5 ) * f( Impact ) )

Hereby the impact is calculated as follows:


Impact = 10.41 * (1 - (1 - ConfImpact) *
(1 - IntegImpact) * (1 - AvailImpact))

The exploitability is calculated as:


Exploitability = 20 * AccessVector * AccessComplexity * Authentication

The function f(Impact) is 0 if the impact is 0; in all other cases its value is 1.176. The remaining factors are constants:
[22] https://www.first.org/cvss

• Access Vector
– requires local access: 0.395
– adjacent network accessible: 0.646
– network accessible: 1.0
• Access Complexity
– high: 0.35
– medium: 0.61
– low: 0.71
• Authentication
– requires multiple instances of authentication: 0.45
– requires single instance of authentication: 0.56
– requires no authentication: 0.704
• ConfImpact
– none: 0.0
– partial: 0.275
– complete: 0.660
• IntegImpact
– none: 0.0
– partial: 0.275
– complete: 0.660
• AvailImpact
– none: 0.0
– partial: 0.275
– complete: 0.660
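The formula and constants above are enough to rebuild the CVSS calculator offline. The following is an added example written for this page, not code from the manual or from the GSM: a CVSS v2 base score calculator that also parses the standard CVSS v2 vector notation (e.g. AV:N/AC:L/Au:N/C:P/I:P/A:P), which the manual does not show. The vectors in the demo are constructed for illustration.

```python
"""CVSS v2 base score calculator.

Added example: this is not code from the Greenbone manual or the GSM. It
implements the base score formula and the constant tables given above and
adds a parser for the standard CVSS v2 vector notation
(e.g. "AV:N/AC:L/Au:N/C:P/I:P/A:P"). The vectors in the demo at the bottom
are constructed for illustration.
"""
from decimal import Decimal, ROUND_HALF_UP

# Weights from the CVSS v2 specification, identical to the constants listed above.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # local, adjacent, network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}      # high, medium, low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}        # multiple, single, none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}                # none, partial, complete

WEIGHTS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}, validating every metric."""
    metrics = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"invalid CVSS v2 metric {part!r}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"vector must contain exactly {sorted(WEIGHTS)}")
    return metrics


def impact_subscore(c: str, i: str, a: str) -> float:
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def round_to_1_decimal(x: float) -> float:
    # The specification rounds half up; Python's round() would round half to even.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    if impact == 0:            # f(Impact) = 0: no CIA impact means a score of 0
        return 0.0
    exploitability = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


if __name__ == "__main__":
    # Constructed vectors: remote unauthenticated partial C/I/A, a local issue with
    # complete impact, a medium-complexity integrity-only issue and one without impact.
    for v in ("AV:N/AC:L/Au:N/C:P/I:P/A:P", "AV:L/AC:L/Au:N/C:C/I:C/A:C",
              "AV:N/AC:M/Au:N/C:N/I:P/A:N", "AV:L/AC:H/Au:M/C:N/I:N/A:N"):
        print(f"{v}  ->  {base_score(v)}")
```

The parser refuses unknown metric letters and duplicate or missing metrics, so a typo in a vector fails loudly instead of silently producing a wrong score; rounding uses half-up as the specification does, which Python's round() does not.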

12.4 DFN-CERT

While the individual NVTs, CVEs, CPEs and OVAL definitions are created primarily to be processed by computer systems, the DFN-CERT [23] publishes new advisories regularly.
The DFN-CERT is responsible for hundreds of universities and research institutions that are associated with the German Research Network (German: Deutsches Forschungsnetz, abbreviated as DFN). Additionally, it provides key security services to government and industry. An advisory describes especially critical security risks that require a fast reaction. The DFN-CERT advisory service includes the categorization, distribution and rating of advisories issued by different software vendors and distributors. Advisories are obtained by the Greenbone Security Manager and stored in the database for reference.
All available DFN-CERT advisories can be displayed by selecting SecInfo > DFN-CERT Advisories in the
menu bar. By clicking on a DFN-CERT advisory in the column Name the details page containing further
information of the DFN-CERT advisory is opened.
[23] https://www.dfn-cert.de/

12.5 CERT-Bund

CERT-Bund [24] (Computer Emergency Response Team for federal agencies) is the central point of contact for preventive and reactive measures regarding security related computer incidents.
With the intention of avoiding harm and limiting potential damage, the work of CERT-Bund includes the following:
• Creating and publishing recommendations for preventive measures
• Pointing out vulnerabilities in hardware and software products
• Proposing measures to address known vulnerabilities
• Supporting public agencies' efforts to respond to IT security incidents
• Recommending various mitigation measures
Additionally, CERT-Bund operates the German IT Situation Centre.
The services of CERT-Bund are primarily available to the federal authorities and include the following:
• 24-hour on-call duty in cooperation with the IT Situation Centre
• Analyzing incoming incident reports
• Creating recommendations derived from incidents
• Supporting federal authorities during IT security incidents
• Operating a warning and information service
• Active alerting of the federal administration in case of imminent danger
CERT-Bund offers a warning and information service (German: Warn- und Informationsdienst, abbreviated as “WID”). Currently this service offers two different types of information:
Advisories This information service is only available to federal agencies as a closed list. The advisories describe current information about security critical incidents in computer systems and detailed measures to remediate security risks.
Short Information Short information features a brief description of current information regarding security risks and vulnerabilities. This information is not always verified and could under some circumstances be incomplete or even inaccurate.
The Greenbone Security Feed contains the CERT-Bund Short Information. It can be identified by the “K” in the identifier (e.g. CB-K14/1296).
All available CERT-Bund advisories can be displayed by selecting SecInfo > CERT-Bund Advisories in the menu bar. By clicking on a CERT-Bund advisory in the column Name the details page containing further information about the CERT-Bund advisory is opened.

[24] https://www.cert-bund.de/

CHAPTER 13

Compliance and Special Scans

Compliance in the IT security world is the primary approach for organizations to keep their information and assets protected and secure.
With cybercrime on the rise, governments see the need to protect their citizens and pass rules and regulations on privacy and IT security in the hope of protecting identities and assets. Information security bodies such as the Information Systems Audit and Control Association (ISACA) or the International Organization for Standardization (ISO) publish IT security standards, frameworks and guidelines such as the Control Objectives for Information and Related Technology (COBIT) or the ISO 27000 series, which cover information security standards. The German Federal Office for Information Security (BSI), for example, publishes the IT-Grundschutz catalogs. This is a collection of documents that provide useful information for detecting weaknesses and combating attacks on IT environments. To better protect against credit card data theft the Payment Card Industry Security Standards Council publishes the Payment Card Industry Data Security Standard (PCI DSS).
All these privacy laws, standards, frameworks, rules and regulations are meant to compel and assist organizations to implement the appropriate safeguards to protect themselves and their information assets from attacks. In order to implement these laws, standards, frameworks, rules and regulations, an organization will have to create an IT security framework consisting of policies, standards, baselines, guidelines and detailed procedures.
Security scanners such as the Greenbone Security Manager (GSM) can assist IT security professionals in checking their IT security safeguards against the aforementioned regulations, standards and frameworks for compliance.
In the following sections we will describe how the GSM can be utilized to perform certain compliance checks.

13.1 Generic Policy Scans

When performing policy scans, there are several groups, each consisting of four NVTs, that can be configured accordingly. From the family Policy of the NVT database at least two of these four policy NVTs are required to run a policy scan. The four NVT types are:
• Base This NVT performs the actual scan/function of the policy check.
• Matches This NVT summarizes all items which match the checks performed by the base NVT.
• Violations This NVT summarizes all items which did not match the checks performed by the base NVT.
• Errors This NVT summarizes all items for which errors occurred when running the policy scan.

Note: The base NVT must be selected for a policy check since it performs the actual tests. The other three plug-ins may be selected according to the needs. For example, if matching patterns are of no concern then only the Violations plug-in should be selected additionally.

13.1.1 Checking File Content

File content checks belong to policy audits which do not explicitly test for vulnerabilities but rather
test the compliance of file contents (e.g. configuration files) regarding a given policy.
The GSM provides a policy module to check if a file content is compliant with a given policy.
In general this is an authenticated check, i.e. the scan engine will have to log into the target system
to perform the check.
The file content check can only be performed on systems supporting the command grep. Normally
this means Linux or Linux-like systems.
Four different NVTs in the family Policy provide the file content check:
• File Content: This NVT performs the actual file content check.
• File Content: Matches: This NVT shows the patterns and files which passed the file content
check (the predefined pattern matches in the file).
• File Content: Violations: This NVT shows the patterns and files which did not pass the file con-
tent check (the predefined pattern does not match in the file).
• File Content: Errors: This NVT shows the files in which errors occurred (e.g. the file is not found
on the target system).

Patterns

1. Create a reference file with the patterns to check. Following is an example:

filename|pattern|presence/absence
/tmp/filecontent_test|^paramter1=true.*$|presence
/tmp/filecontent_test|^paramter2=true.*$|presence
/tmp/filecontent_test|^paramter3=true.*$|absence
/tmp/filecontent_test_notthere|^paramter3=true.*$|absence

Note: The first row of this file must be the header row filename|pattern|presence/absence.

The subsequent rows each contain a test entry. Each row contains three elements which are separated by |. The first field contains the path and file name, the second field contains the pattern to check (as a regular expression) and the third field indicates whether the pattern has to be present in or absent from the file.

2. Click for the scan configuration.


3. In the section Edit Network Vulnerability Test Families click for Policy.
→ All NVTs that allow special configuration are listed (see figure Editing the family of NVTs
(page 193)).
4. Click for File Content.
5. Activate the checkbox Upload file.

Tip: Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file (page 193)). Replacing the file is only possible if the scan configuration is not in use.


Fig. 13.1: Editing the family of NVTs

Fig. 13.2: Uploading the reference file


6. Click Browse... and select the previously created reference file.


7. Click Save to save the NVT.
8. Click Save to save the family of NVTs.
9. Click Save to save the scan configuration.
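Before uploading a reference file it is worth validating it and seeing which result each row would produce. The following is an added example written for this page, not the GSM's NVT code: it parses the filename|pattern|presence/absence format from step 1 and sorts every rule into Matches, Violations and Errors the way the three reporting NVTs do, treating a missing file as an error rather than a violation. The target file content and the read callback in the sample are constructed; the real check runs grep on the target over SSH.

```python
"""Offline re-implementation of the File Content policy check logic.

Added example, not the GSM's NVT code. It parses the
filename|pattern|presence/absence format from step 1 and sorts each rule
into Matches, Violations and Errors like the three reporting NVTs, treating
a missing file as an error rather than a violation. The target file content
and the read callback in the sample are constructed; the real check runs
grep on the target over SSH.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

HEADER = "filename|pattern|presence/absence"


@dataclass(frozen=True)
class Rule:
    path: str
    pattern: str
    mode: str                          # "presence" or "absence"


def parse_policy(text: str) -> list[Rule]:
    """Parse the reference file; the first non-empty line must be the header row."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER:
        raise ValueError(f"first row must be {HEADER!r}")
    rules = []
    for n, line in enumerate(lines[1:], start=2):
        fields = line.split("|")
        if len(fields) != 3:
            raise ValueError(f"line {n}: expected 3 fields separated by |, got {len(fields)}")
        path, pattern, mode = fields
        if mode not in ("presence", "absence"):
            raise ValueError(f"line {n}: third field must be presence or absence")
        re.compile(pattern)            # reject a broken regular expression before the scan
        rules.append(Rule(path, pattern, mode))
    return rules


def read_local_file(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def evaluate(rules: list[Rule], read=read_local_file) -> dict[str, list[Rule]]:
    """Return {"matches": [...], "violations": [...], "errors": [...]}."""
    result = {"matches": [], "violations": [], "errors": []}
    for rule in rules:
        try:
            content = read(rule.path)
        except OSError:                # file missing or unreadable: an error, not a violation
            result["errors"].append(rule)
            continue
        # grep semantics: ^ and $ anchor each line, not the whole file
        found = re.search(rule.pattern, content, re.MULTILINE) is not None
        ok = found if rule.mode == "presence" else not found
        result["matches" if ok else "violations"].append(rule)
    return result


# Constructed sample: the policy from step 1 run against a fabricated target file.
SAMPLE_POLICY = """filename|pattern|presence/absence
/tmp/filecontent_test|^paramter1=true.*$|presence
/tmp/filecontent_test|^paramter2=true.*$|presence
/tmp/filecontent_test|^paramter3=true.*$|absence
/tmp/filecontent_test_notthere|^paramter3=true.*$|absence
"""
SAMPLE_TARGET = {"/tmp/filecontent_test": "paramter1=true\nparamter2=false\n"}


def sample_reader(path: str) -> str:
    if path not in SAMPLE_TARGET:
        raise FileNotFoundError(path)
    return SAMPLE_TARGET[path]


def sample_run() -> dict[str, int]:
    result = evaluate(parse_policy(SAMPLE_POLICY), read=sample_reader)
    return {kind: len(rules) for kind, rules in result.items()}


if __name__ == "__main__":
    for kind, rules in evaluate(parse_policy(SAMPLE_POLICY), read=sample_reader).items():
        for rule in rules:
            print(f"{kind:10} {rule.path}  {rule.pattern}  ({rule.mode})")
```

On the constructed target the first and third rows match, the second is a violation (the line reads paramter2=false) and the fourth is an error because the file does not exist; an absence rule on a missing file is therefore not silently counted as a pass, which is the behaviour to expect from the File Content: Errors NVT.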

Severity

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.
By splitting the reporting into three different NVTs it is possible to create distinct overrides on the severity according to the needs.
In the following picture the severities of File Content: Violations and File Content: Errors have been changed (see Chapter Overrides and False Positives (page 171)) which will be shown in the reports accordingly.

Fig. 13.3: Overrides changing the severity

Example

Note: The overrides can be created either before or after a scan. The latter is easier since the appro-
priate reference can be created through a simple click in the result page.

1. Download policy_file_content_example.xml [25] and the corresponding test file filecontent_test [26].

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they
are written in the footnotes.

2. Extract the test file to the /tmp/ directory on the target system.
[25] https://download.greenbone.net/scanconfigs/policy_file_content_example.xml
[26] https://download.greenbone.net/misc/filecontent_test

3. Select Scans > Tasks in the menu bar.


4. Create a task for the target on which the test file was saved by clicking .

Note: The scan has to be an authenticated scan with the appropriate SSH credentials.

5. In the row of the newly created task click .

13.1.2 Checking Registry Content

The registry is a database in Microsoft Windows that contains important information about system
hardware, installed programs and settings and profiles of each of the user accounts on the computer.
Microsoft Windows continually refers to the information in the registry [27].
Due to the nature of the Microsoft Windows registry every program/application installed under Mi-
crosoft Windows will register itself in the Microsoft Windows registry and as such has a registry entry.
Even malware and other malicious code usually leaves traces within the registry. The registry can be
utilized to search for specific applications or malware related information such as version levels and
numbers. Also, missing or changed registry settings could point to a potential security policy violation
on an endpoint.
The GSM provides a policy auditing module to verify registry entries on target systems. This module
checks for the presence or absence of registry settings as well as registry violations. Since the registry
is unique to Microsoft Windows systems, this check can only be run on these systems. To access the
registry on the target system the check needs to authenticate on the target system.
Four different NVTs in the family Policy provide the registry content check:
• Windows Registry Check: This NVT performs the actual registry content check on the target system.
• Windows Registry Check: OK: This NVT shows the registry entries which passed the registry check (registry content OK).
• Windows Registry Check: Violations: This NVT shows the registry entries which did not pass the registry check (wrong or unexpected registry content).
• Windows Registry Check: Errors: This NVT shows the registry entries for which errors occurred (e.g. registry content not found on the target system).

Registry Content Pattern

1. Create a reference file with the reference registry content. Following is an example:

Present|Hive|Key|Value|ValueType|ValueContent
TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|33
TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer
TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer|Version|REG_SZ|9.11.10240.16384
TRUE|HKLM|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|LocalAccountTokenFilterPolicy|REG_DWORD|1
FALSE|HKLM|SOFTWARE\Virus
TRUE|HKLM|SOFTWARE\ShouldNotBeHere
TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|*

Note: The first row of this file must be the header row Present|Hive|Key|Value|ValueType|ValueContent.

The subsequent rows each contain a registry entry to be checked. A row contains up to six elements which are separated by |. The first field sets whether the registry entry should be present (TRUE) or not (FALSE), the second the hive the registry entry is located in, the third the key, the fourth the value name, the fifth the value type and the sixth the value content. Rows that give only the first three fields check for the existence of the key alone, as in the example above. If a star * is used in the last column any value content is accepted, so only the existence or non-existence of the value is checked.
[27] https://docs.microsoft.com/en-us/windows/desktop/sysinfo/registry

2. Click for the scan configuration.


3. In the section Edit Network Vulnerability Test Families click for Policy.
→ All NVTs that allow special configuration are listed (see figure Editing the family of NVTs
(page 193)).

Fig. 13.4: Editing the family of NVTs

4. Click for Windows Registry Check.


5. Activate the checkbox Upload file.

Tip: Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file (page 197)). Replacing the file is only possible if the scan configuration is not in use.

6. Click Browse... and select the previously created reference file.


7. Click Save to save the NVT.
8. Click Save to save the family of NVTs.
9. Click Save to save the scan configuration.
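The semantics of the reference file (TRUE/FALSE, key-only rows, the * wildcard, type and content comparison) can be exercised locally before the file is uploaded. The following is an added example written for this page, not the GSM's NVT code: it parses the Present|Hive|Key|Value|ValueType|ValueContent format from step 1 and sorts every row into OK, Violations and Errors like the three reporting NVTs. The real lookup uses Python's standard library module winreg and therefore runs on the Windows host itself, e.g. to validate the reference file against a known-good machine; the in-memory registry at the bottom is constructed so the logic can be run anywhere, and the row SOFTWARE\Locked is an addition to the manual's example to show the error path. The GSM itself reads the registry remotely over SMB.

```python
"""Offline re-implementation of the Windows Registry Check policy logic.

Added example, not the GSM's NVT code. Parses the step 1 reference format
(last three fields optional) and sorts rows into OK / Violations / Errors.
winreg_lookup() reads the local registry on a Windows host; sample_lookup()
is a constructed in-memory registry so the logic runs on any platform.
"""
from __future__ import annotations
from dataclasses import dataclass

try:
    import winreg                      # only available on Windows
except ImportError:
    winreg = None

HEADER = "Present|Hive|Key|Value|ValueType|ValueContent"


@dataclass(frozen=True)
class Rule:
    present: bool
    hive: str
    key: str
    value: str | None = None           # None: only the key's existence is checked
    vtype: str | None = None
    content: str | None = None         # "*": any content is accepted


def parse_policy(text: str) -> list[Rule]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER:
        raise ValueError(f"first row must be {HEADER!r}")
    rules = []
    for n, line in enumerate(lines[1:], start=2):
        f = line.split("|")
        if len(f) not in (3, 6) or f[0] not in ("TRUE", "FALSE"):
            raise ValueError(f"line {n}: expected 3 or 6 fields starting with TRUE or FALSE")
        rules.append(Rule(f[0] == "TRUE", f[1], f[2], *f[3:]))
    return rules


def winreg_lookup(hive: str, key: str, value: str | None):
    """(data, type_name) for a value, (None, None) for a bare key check.
    FileNotFoundError if key/value is absent, PermissionError if denied, KeyError for a bad hive."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKU": winreg.HKEY_USERS, "HKCR": winreg.HKEY_CLASSES_ROOT}
    names = {winreg.REG_SZ: "REG_SZ", winreg.REG_EXPAND_SZ: "REG_EXPAND_SZ",
             winreg.REG_MULTI_SZ: "REG_MULTI_SZ", winreg.REG_BINARY: "REG_BINARY",
             winreg.REG_DWORD: "REG_DWORD", winreg.REG_QWORD: "REG_QWORD"}
    # KEY_WOW64_64KEY: read the native 64-bit view even from a 32-bit interpreter
    with winreg.OpenKey(roots[hive], key, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
        if value is None:
            return None, None
        data, typ = winreg.QueryValueEx(k, value)
        return data, names.get(typ, str(typ))


def evaluate(rules: list[Rule], lookup=winreg_lookup) -> dict[str, list[Rule]]:
    result = {"ok": [], "violations": [], "errors": []}
    for r in rules:
        try:
            data, vtype = lookup(r.hive, r.key, r.value)
            satisfied = True
            if r.value is not None:    # value row: type must match, content too unless "*"
                satisfied = vtype == r.vtype and (r.content == "*" or str(data) == r.content)
        except FileNotFoundError:
            satisfied = False          # key or value does not exist
        except (KeyError, OSError):    # unknown hive, access denied, ...
            result["errors"].append(r)
            continue
        result["ok" if satisfied == r.present else "violations"].append(r)
    return result


# Constructed in-memory registry standing in for a target; not data from a real host.
SAMPLE_REGISTRY = {
    ("HKLM", r"SOFTWARE\Macromedia\FlashPlayer\SafeVersions"): {"8.0": (33, "REG_DWORD")},
    ("HKLM", r"SOFTWARE\Microsoft\Internet Explorer"): {"Version": ("9.11.10240.16384", "REG_SZ")},
    # 1 disables UAC remote token filtering for local administrator accounts,
    # which authenticated SMB scans of the machine depend on
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"):
        {"LocalAccountTokenFilterPolicy": (1, "REG_DWORD")},
}


def sample_lookup(hive: str, key: str, value: str | None):
    if hive != "HKLM":
        raise KeyError(hive)
    if key == r"SOFTWARE\Locked":
        raise PermissionError(key)
    values = SAMPLE_REGISTRY.get((hive, key))
    if values is None or (value is not None and value not in values):
        raise FileNotFoundError(f"{hive}\\{key}\\{value or ''}")
    return (None, None) if value is None else values[value]


# The rows from step 1 plus one constructed row (SOFTWARE\Locked) for the error path.
SAMPLE_POLICY = r"""Present|Hive|Key|Value|ValueType|ValueContent
TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|33
TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer
TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer|Version|REG_SZ|9.11.10240.16384
TRUE|HKLM|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|LocalAccountTokenFilterPolicy|REG_DWORD|1
FALSE|HKLM|SOFTWARE\Virus
TRUE|HKLM|SOFTWARE\ShouldNotBeHere
TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|*
TRUE|HKLM|SOFTWARE\Locked
"""


def sample_run() -> dict[str, int]:
    result = evaluate(parse_policy(SAMPLE_POLICY), lookup=sample_lookup)
    return {kind: len(rows) for kind, rows in result.items()}


if __name__ == "__main__":
    for kind, rows in evaluate(parse_policy(SAMPLE_POLICY), lookup=sample_lookup).items():
        for r in rows:
            print(f"{kind:10} {r.hive}\\{r.key}" + (f" [{r.value}]" if r.value else ""))
```

Against the constructed registry six rows are OK (including the FALSE row for SOFTWARE\Virus, which is absent as required), SOFTWARE\ShouldNotBeHere is a violation because it is expected but missing, and the access-denied key is an error. Note that a value that exists with the wrong type or content counts as "not satisfied": for a TRUE row that is a violation, for a FALSE row it passes, because that exact value is indeed not present.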

Severity

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.
By splitting the reporting into three different NVTs it is possible to create distinct overrides on the severity according to the needs.


Fig. 13.5: Uploading the reference file

In the following picture the severities of Windows Registry Check: Violations and Windows Registry Check: Errors have been changed (see Chapter Overrides and False Positives (page 171)) which will be shown in the reports accordingly.

Fig. 13.6: Overrides changing the severity

Example

Note: The overrides can be created either before or after a scan. The latter is easier since the appro-
priate reference can be created through a simple click in the result page.

1. Download policy_registry_ScanConfig.xml [28] and the corresponding test file.


[28] https://download.greenbone.net/misc/policy_registry_ScanConfig.xml

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they
are written in the footnotes.

2. Extract the test file to the /tmp/ directory on the target system.
3. Select Scans > Tasks in the menu bar.
4. Create a task for the target on which the test file was saved by clicking .

Note: The scan has to be an authenticated scan with the appropriate SMB credentials, since the registry of the Microsoft Windows target is read remotely.

5. In the row of the newly created task click .

13.1.3 Checking File Checksums

File checksum checks belong to policy audits which do not explicitly test for vulnerabilities but rather test the integrity of files.
The GSM provides a policy auditing module to verify file integrity on target systems. This module checks the file content by MD5 or SHA1 checksums. In general, this is an authenticated check, i.e. the scan engine will have to log into the target system to perform the check. The file checksum check can only be performed on systems that provide a command line checksum utility. Normally this means Linux or Linux-like systems. The GSM provides however as well a module for checksum checks for Microsoft Windows systems (see Microsoft Windows (page 201)).
Note that MD5 and SHA1 are no longer collision resistant. They still reliably detect modification of a file whose reference checksum an attacker could not influence, but they should not be relied upon where the attacker may have supplied the original file as well.
Four different NVTs in the family Policy provide the file checksum check:
• File Checksums: This NVT performs the actual checksum check on the files.
• File Checksums: Matches: This NVT shows the files which passed the checksum check (check-
sum matches).
• File Checksums: Violations: This NVT shows the files which did not pass the checksum check
(wrong checksum).
• File Checksums: Errors: This NVT shows the files in which errors occurred (e.g. file not found on
the target system).

Checksum Patterns

1. Create a reference file with the reference checksums. Following is an example:


Checksum|File|Checksumtype
6597ecf8208cf64b2b0eaa52d8169c07|/bin/login|md5
ed3ed98cb2efa9256817948cd27e5a4d9be2bdb8|/bin/bash|sha1
7c59061203b2b67f2b5c51e0d0d01c0d|/bin/pwd|md5

Note: The first row of this file must be the header row Checksum|File|Checksumtype.

The subsequent rows each contain a test entry. Each row contains three elements which are separated by |.
The first field contains the checksum in hex, the second field the path and file name and the third field the checksum type. Currently MD5 and SHA1 checksums are supported.


Important: Checksums and checksum types must be lowercase.

2. Click for the scan configuration.


3. In the section Edit Network Vulnerability Test Families click for Policy.
→ All NVTs that allow special configuration are listed (see figure Editing the family of NVTs
(page 193)).

Fig. 13.7: Editing the family of NVTs

4. Click for File Checksums.


5. Activate the checkbox Upload file.

Tip: Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file (page 200)). Replacing the file is only possible if the scan configuration is not in use.

6. Click Browse... and select the previously created reference file.


7. Click Save to save the NVT.
8. Click Save to save the family of NVTs.
9. Click Save to save the scan configuration.
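A reference file is only as good as the baseline it was taken from, so in practice it is generated on a known-good system and then verified against the targets. The following is an added example written for this page, not the GSM's NVT code; it serves both this Linux module and the Microsoft Windows module (page 201), which uses the same Checksum|File|Checksumtype format. generate_reference() builds the file from a trusted host, verify() classifies files into Matches, Violations and Errors as the reporting NVTs do, and the parser enforces the lowercase requirement noted above instead of silently fixing it. The file names and contents in sample_run() are constructed.

```python
"""Generate and verify reference files in the File Checksums format.

Added example, not the GSM's NVT code. Serves both the Linux and the
Microsoft Windows checksum modules, which share the
Checksum|File|Checksumtype format. The NVT requires lowercase hex digests
and type names, so parse_reference() rejects anything else. File names and
contents in sample_run() are constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import tempfile

HEADER = "Checksum|File|Checksumtype"
SUPPORTED = ("md5", "sha1")            # the only types the policy module accepts
HEX_DIGITS = set("0123456789abcdef")


def digest_of(path: str, algo: str) -> str:
    """Lowercase hex digest of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_reference(entries: list[tuple[str, str]]) -> str:
    """entries: (path, algo) pairs, to be run on a known-good baseline system."""
    rows = [HEADER] + [f"{digest_of(path, algo)}|{path}|{algo}" for path, algo in entries]
    return "\n".join(rows) + "\n"


def parse_reference(text: str) -> list[tuple[str, str, str]]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER:
        raise ValueError(f"first row must be {HEADER!r}")
    rules = []
    for n, line in enumerate(lines[1:], start=2):
        parts = line.split("|")
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 3 fields separated by |")
        checksum, path, algo = parts
        if algo not in SUPPORTED or checksum != checksum.lower():
            raise ValueError(f"line {n}: checksum and type must be lowercase md5 or sha1")
        if len(checksum) != 2 * hashlib.new(algo).digest_size or set(checksum) - HEX_DIGITS:
            raise ValueError(f"line {n}: malformed {algo} digest")
        rules.append((checksum, path, algo))
    return rules


def verify(text: str) -> dict[str, list[str]]:
    """Classify every referenced file the way the three reporting NVTs do."""
    result = {"matches": [], "violations": [], "errors": []}
    for checksum, path, algo in parse_reference(text):
        try:
            actual = digest_of(path, algo)
        except OSError:                # e.g. file not found on the target
            result["errors"].append(path)
            continue
        kind = "matches" if hmac.compare_digest(actual, checksum) else "violations"
        result[kind].append(path)
    return result


def sample_run() -> dict[str, int]:
    """Baseline three constructed files, then tamper with one and delete another."""
    with tempfile.TemporaryDirectory() as d:
        login, bash, pwd = (os.path.join(d, n) for n in ("login", "bash", "pwd"))
        for p in (login, bash, pwd):
            with open(p, "wb") as fh:
                fh.write(b"original binary content\n")
        reference = generate_reference([(login, "md5"), (bash, "md5"), (pwd, "sha1")])
        with open(bash, "ab") as fh:
            fh.write(b"backdoor\n")       # simulated tampering -> violation
        os.remove(pwd)                   # simulated missing file -> error
        return {kind: len(paths) for kind, paths in verify(reference).items()}


if __name__ == "__main__":
    print(sample_run())
```

The digest length check catches the common mistake of pairing a SHA1 digest with the type md5 (or vice versa), which the scanner would otherwise report as a violation on every host rather than as a broken reference file.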

Severity

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.
By splitting the reporting into three different NVTs it is possible to create distinct overrides on the severity according to the needs.
In the following picture the severities of File Checksums: Violations and File Checksums: Errors have been changed (see Chapter Overrides and False Positives (page 171)) which will be shown in the reports accordingly.


Fig. 13.8: Uploading the reference file

Fig. 13.9: Overrides changing the severity


Example

Note: The overrides can be created either before or after a scan. The latter is easier since the appro-
priate reference can be created through a simple click in the result page.

1. Download policy_file_checksums_example.xml [29] and the corresponding test file policy_file_checksums_testfiles [30].

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they
are written in the footnotes.

2. Extract the test file to the /tmp/ directory on the target system, e.g. by tar -xvC /tmp/ -f
policy_file_checksums_testfiles.tar.gz.
3. Select Scans > Tasks in the menu bar.
4. Create a task for the target on which the test file was saved by clicking .

Note: The scan has to be an authenticated scan with the appropriate SSH credentials.

5. In the row of the newly created task click .

Microsoft Windows

The GSM provides a similar module for Microsoft Windows systems for checksum checks. Since the module does not use a checksum program shipped with Microsoft Windows, a tool has to be installed on the target, either manually or automatically by the NVT. The GSM uses ReHash (http://rehash.sourceforge.net/) for creating checksums on Microsoft Windows systems.
As for Linux systems the NVTs for checksum checks are located in the family Policy.
1. Click for the scan configuration.
2. In the section Edit Network Vulnerability Test Families click for Policy.
→ All NVTs that allow special configuration are listed (see figure Editing the family of NVTs
(page 193)).

3. Click for Windows file Checksums.


4. Activate the checkbox Upload file.

Tip: Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file (page 202)). Replacing the file is only possible if the scan configuration is not in use.

5. Click Browse... and select the previously created reference file.


6. Click Save to save the NVT.
7. Click Save to save the family of NVTs.
8. Click Save to save the scan configuration.
[29] https://download.greenbone.net/scanconfigs/policy_file_checksums_example.xml
[30] https://download.greenbone.net/misc/policy_file_checksums_testfiles.tar.gz

Fig. 13.10: Editing the family of NVTs

Fig. 13.11: Uploading the reference file


Note: There are two operating modes for these checks:
• Using a tool that was installed on the target system manually
• The tool ReHash is installed automatically on the target system during the checking routine and, if requested, removed again afterwards.

Through the preferences it can be set whether the checksum program ReHash should be deleted after the check or not. The program can be left on the target system, e.g. to speed up recurring tests, since it then does not have to be transferred each time. It can further be set whether the checksum program should be installed automatically on the target system. If not, it has to be installed manually (under C:\Windows\system32 on 32-bit systems or C:\Windows\SysWOW64 on 64-bit systems) and has to be executable for the authenticated user. The file with the reference checksums must be uploaded in the preferences as it is done for the Linux checksum check. The file has the same structure as the one for Linux.
Leaving ReHash on the target means trusting an executable that stays on the host between scans: a tampered copy could report any checksum it likes. For sensitive hosts the automatic install and removal is the safer choice.


Example Windows

Note: The overrides can be created either before or after a scan. The latter is easier since the appro-
priate reference can be created through a simple click in the result page.

1. Download sample_config-Windows_file_Policy.xml [31] and the corresponding test file
windows_checksums_testfiles.zip [32].

Important: External links to the Greenbone download website are case-sensitive. Upper and lower case
letters and special characters have to be entered exactly as they are written in the footnotes.

2. Extract the test file to the C:\ directory on the target system.
3. Select Scans > Tasks in the menu bar.
4. Create a task for the target on which the test file was saved by clicking .

Note: The scan has to be an authenticated scan with the appropriate SSH credentials.

5. In the row of the newly created task click .

13.1.4 CPE-Based

For detailed information about CPE see Chapter CPE (page 184).

Simple CPE-Based Checks for Security Policies

With any executed scan, CPEs for the identified products are stored. This happens independently of
whether the product actually reveals a security problem or not. On this basis it is possible to describe
simple security policies and the checks for compliance with these. With the Greenbone Security Man-
ager it is possible to describe policies to check for the presence as well as for the absence of a product.
These cases can be associated with a severity to appear in the scan report.

Checking Policy Compliance

This example demonstrates how to check the compliance of a policy regarding specific products in an
IT infrastructure and how the reporting with the corresponding severity can be done. The information
about whether a certain product is present on the target system is gathered by a single Network Vul-
nerability Test (NVT) or even independently by a number of special NVTs. This means that for a certain
product an optimized scan configuration that only concentrates on this product and does not do any
other scan activity can be specified.
Advantages: The advantage of such a special scan configuration is a considerably faster execution of
the scan compared to a comprehensive scan configuration such as Full and Fast.
Disadvantages: The disadvantage of a special scan configuration is that some experience is required
to select the right set of NVTs to maximize the probability of success. Initially it is easier to apply
a comprehensive scan configuration. In this case the nature of the product does not matter; only
the CPE identifier is entered.
This example follows the simple approach.
31 https://download.greenbone.net/scanconfigs/sample_config-Windows_file_Policy.xml
32 https://download.greenbone.net/misc/windows_checksums_testfiles.zip


1. Select Configuration > Scan Configs in the menu bar.


2. Create a new scan configuration by clicking .
3. Define the name of the scan configuration (see figure Creating a new scan configuration
(page 205)).
4. Select Full and Fast as the base (see figure Creating a new scan configuration (page 205)).

Note: This is necessary because Full and Fast is a pre-configured scan configuration and thus
cannot be modified.

Fig. 13.12: Creating a new scan configuration

5. Click Create.
→ The scan configuration is created and can be edited directly.
6. Unfold the section Network Vulnerability Test Preferences by clicking .
→ All NVTs that allow special configuration are listed.
7. Click of a specific NVT (see figure Overview of NVTs (page 205)).

Tip: This short-cut avoids having to click through the family structures to get to the desired
NVT (the NVTs used here are in the family Policy).

Fig. 13.13: Overview of NVTs

8. Specify a single CPE directly in the input box Single CPE or import a list of CPEs in a file by ac-
tivating the checkbox Upload file, clicking Browse... and selecting the file (see figure Editing an
NVT (page 206)).
Below is an example for checking for Internet Explorer 9 and ClamAV 0.99:
cpe:/a:microsoft:ie:9
cpe:/a:clamav:clamav:0.99


For this example the stated CPEs must be present to comply. Installations violating this policy
(e.g. missing or wrong products/versions) are therefore what the scan is meant to report.
9. Click Save to save the NVT.

Fig. 13.14: Editing an NVT

10. Click Save to save the scan configuration.

Note: The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation
NVTs have a default score of 10. In the past they had a default score of 0 (log message) and
overrides were required for different scores. The new default score of 10 can be changed using
overrides as well.
In this example violations of the policy should be reported with a different severity. For this a new
override has to be created.

11. Select Scans > Overrides in the menu bar.


12. Create a new override by clicking .
13. Enter “1.3.6.1.4.1.25623.1.0.103964” (for the NVT CPE-based Policy Check Violations) in the input
box NVT OID (see figure Creating a new override (page 207)).
14. Select “5.0 (Medium)” in the drop-down-list New Severity (see figure Creating a new override
(page 207)).
15. Click Save.

Note: If the detection efficiency is to be increased by applying local security checks, remote
access via the Credentials feature has to be configured.

16. To do so, select Configuration > Credentials in the menu bar and create a new credential by click-
ing . Save the credential by clicking Create (see Creating a new credential (page 207)).
If not done yet, create a corresponding user account on the Windows systems. A low privileged
user account is sufficient.
17. Select Configuration > Targets in the menu bar.
18. Create a new target by clicking .
19. Define the target systems and, if applicable, choose the respective credentials (see figure Cre-
ating a new target (page 207)).
20. Click Save.


Fig. 13.15: Creating a new override

Fig. 13.16: Creating a new credential

Fig. 13.17: Creating a new target


21. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created targets.
Select Scans > Tasks in the menu bar.
22. Create a new task by clicking and selecting New Task.
23. Define the task with the desired scan configuration (see figure Creating a new task (page 208)).

Fig. 13.18: Creating a new task

24. Click Create.


→ The task is created and displayed on the page Tasks.
25. Start the scan by clicking of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
The intermediate results can be reviewed at any time.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

26. When the scan is completed select Scans > Reports in the menu bar.

Tip: To show only the results of the CPE-based policy checks, a suitable filter can be applied.

27. Enter “cpe” in the input box Filter.


→ The reports for CPE-based policy checks are displayed (see figure Reports for CPE-based pol-
icy checks (page 209)).
28. Click on the date of the report to show the results.
29. Click on an item in the column Vulnerability to show details for the result.
In this example ClamAV 0.99 was found on one of the target systems and reported as a log mes-
sage (see figure Result with the severity Log (page 209)).
Internet Explorer 9, on the other hand, was not found on the target system and is therefore
reported as a medium risk as defined in the override (see figure Result with the severity Medium
(page 209)).


Fig. 13.19: Reports for CPE-based policy checks

Fig. 13.20: Result with the severity Log

Fig. 13.21: Result with the severity Medium

Detecting the Presence of Problematic Products

This example demonstrates how the presence of a certain product in an IT infrastructure is classified
as a severe problem and reported as such.
1. Execute steps 1 to 6 of Checking Policy Compliance (page 204).

Note: When choosing a general scan configuration like Full and Fast both cases are treated the
same: the presence of the product as a running service and its presence on a hard drive.
This means that if it has to be certain that the desired product is actually running as a service,
NVTs that only check for its presence on the file system or in the registry should be avoided.
If such a distinction is not required at this point, the report details can still be checked for false
positives and false negatives.

2. This time a single CPE (Internet Explorer 6) will be searched.
Click of the NVT CPE Policy Check – Single CPE.
3. Enter the following in the input box Single CPE (see figure Editing CPE Policy Check – Single CPE
(page 210)):
cpe:/a:microsoft:ie:6

Note: In this case the check has to be set so that the entered CPE must be “present”.

4. For Check for select the radiobutton present (see figure Editing CPE Policy Check – Single CPE
(page 210)).

Fig. 13.22: Editing CPE Policy Check – Single CPE

5. Click Save to save the NVT.


6. Click Save to save the scan configuration.

Note: The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation
NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message)
and overrides were required for different scores.
The new default score of 10 can be changed using overrides as well.

Note: If the mere availability of a product (not only a running service) is to be considered, remote
access via the Credentials feature has to be configured so that local security checks can be applied.

7. Execute steps 16 to 25 of Checking Policy Compliance (page 204) to enable local security checks,
to create a new task with the target systems and to start it.


8. When the scan is completed select Scans > Reports in the menu bar.

Tip: To show only the results of the CPE-based policy checks, a suitable filter can be applied.

9. Enter “cpe” in the input box Filter.


→ The reports for CPE-based policy checks are displayed (see figure Reports for CPE-based pol-
icy checks (page 209)).
10. Click on the date of the report to show the results.
11. Click on an item in the column Vulnerability to show details for the result.
In this example Internet Explorer 6 was found on one of the target systems and reported as a
severe problem as defined in the override (see figure Result with the severity High (page 211)).

Fig. 13.23: Result with the severity High

Detecting the Absence of Important Products

This example shows how the absence of a certain product in the IT infrastructure is defined and re-
ported as a severe problem.
1. Execute steps 1 to 6 of Checking Policy Compliance (page 204).

Note: When choosing a general scan configuration like Full and Fast both cases are treated the
same: the presence of the product as a running service and its presence on a hard drive.
This means that if it has to be certain that the desired product is actually running as a service,
NVTs that only check for its presence on the file system or in the registry should be avoided.
If such a distinction is not required at this point, the report details can still be checked for false
positives and false negatives.

2. This time a single CPE (Norton Antivirus) will be searched.
Click of the NVT CPE Policy Check – Single CPE.
3. Enter the following in the input box Single CPE (see figure Editing CPE Policy Check – Single CPE
(page 212)):
cpe:/a:symantec:norton_antivirus


Note: In this case the check has to be set so that the entered CPE must be “missing”.

4. For Check for select the radiobutton missing (see figure Editing CPE Policy Check – Single CPE
(page 212)).

Fig. 13.24: Editing CPE Policy Check – Single CPE

5. Click Save to save the NVT.


6. Click Save to save the scan configuration.

Note: The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation
NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message)
and overrides were required for different scores. The new default score of 10 can be changed
using overrides as well.

Note: If the mere availability of a product (not only a running service) is to be considered, remote
access via the Credentials feature has to be configured so that local security checks can be applied.
If only running network services are to be searched, this normally does not help but rather increases
the number of false positives.

7. Execute steps 16 to 25 of Checking Policy Compliance (page 204) to enable local security checks,
to create a new task with the target systems and to start it.
8. When the scan is completed select Scans > Reports in the menu bar.

Tip: To show only the results of the CPE-based policy checks, a suitable filter can be applied.

9. Enter “cpe” in the input box Filter.


→ The reports for CPE-based policy checks are displayed (see figure Reports for CPE-based pol-
icy checks (page 209)).
10. Click on the date of the report to show the results.
11. Click on an item in the column Vulnerability to show details for the result.


In this example Norton Antivirus was not found on one of the target systems.

Fig. 13.25: Missing important product
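The decision logic of the three CPE examples above (required products given as a list, a problematic product that must not be present, an important product that must not be missing), as an added example that is not part of the manual or of the NVTs: a Python model run against constructed inventories. The wildcard treatment of unspecified CPE components, the inventory contents and the result structure are assumptions of this example; the default score of 10 and the override to 5.0 (Medium) follow the text.

```python
"""Offline model of the GSM's CPE-based policy checks. Added example, not code
from the manual or the NVTs: it reproduces the decision logic of the three
examples above (CPE list or single CPE, "Check for: present" or "missing",
violations scored 10.0 by default and re-scored by an override)."""
from dataclasses import dataclass

# CPE 2.2 URI components that follow the "cpe:/" prefix, in order.
CPE_COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
# Default score of the violation NVTs since GOS 4.2; compliant products are logged (0.0).
VIOLATION_DEFAULT_SEVERITY = 10.0
LOG_SEVERITY = 0.0


def parse_cpe(uri: str) -> tuple:
    """Split 'cpe:/a:microsoft:ie:9' into seven components; absent or empty
    components become None ("not specified"), which acts as a wildcard."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(CPE_COMPONENTS):
        raise ValueError(f"too many components in {uri!r}")
    fields += [""] * (len(CPE_COMPONENTS) - len(fields))
    return tuple(f if f else None for f in fields)


def cpe_matches(policy_cpe: str, detected_cpe: str) -> bool:
    """True if every component the policy specifies equals the detected one:
    'cpe:/a:symantec:norton_antivirus' matches any version of that product,
    'cpe:/a:clamav:clamav:0.99' does not match a detected 0.98."""
    return all(p is None or p == d
               for p, d in zip(parse_cpe(policy_cpe), parse_cpe(detected_cpe)))


def parse_cpe_list(text: str) -> list:
    """Read an uploaded CPE list, one CPE per line. Skipping blank and '#' lines
    is an assumption of this example; the manual only shows bare CPE lines."""
    cpes = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parse_cpe(line)  # fail early on a malformed entry
            cpes.append(line)
    return cpes


@dataclass
class PolicyResult:
    host: str
    cpe: str
    found: bool
    violation: bool
    severity: float


def check_policy(policy_cpes, check_for: str, inventory: dict,
                 override_severity=None) -> list:
    """Evaluate a policy against an inventory {host: [detected CPEs]}.
    check_for="present": a product that IS found is the reported violation
    (Detecting the Presence of Problematic Products). check_for="missing": a
    product that is NOT found is the violation (Checking Policy Compliance,
    Detecting the Absence of Important Products). override_severity models
    an override on the violation NVT, e.g. 5.0 (Medium)."""
    if check_for not in ("present", "missing"):
        raise ValueError("check_for must be 'present' or 'missing'")
    results = []
    for host, detected in inventory.items():
        for policy in policy_cpes:
            found = any(cpe_matches(policy, d) for d in detected)
            violation = found if check_for == "present" else not found
            severity = LOG_SEVERITY
            if violation:
                severity = VIOLATION_DEFAULT_SEVERITY if override_severity is None else override_severity
            results.append(PolicyResult(host, policy, found, violation, severity))
    return results


# Constructed inventories standing in for the CPEs a Full and Fast scan stores.
INVENTORY = {
    "host-a": ["cpe:/o:microsoft:windows_7", "cpe:/a:microsoft:ie:9",
               "cpe:/a:clamav:clamav:0.99", "cpe:/a:symantec:norton_antivirus:22.0"],
    "host-b": ["cpe:/o:microsoft:windows_xp", "cpe:/a:microsoft:ie:6",
               "cpe:/a:clamav:clamav:0.98"],
}
# The CPE list from Checking Policy Compliance: both products must be present.
COMPLIANCE_LIST = "cpe:/a:microsoft:ie:9\ncpe:/a:clamav:clamav:0.99\n"


def run_examples() -> dict:
    """Run the section's three scenarios; return {name: [(host, cpe, severity)]}
    containing only the reported violations."""
    scenarios = {
        # Required products missing, re-scored to 5.0 (Medium) by the override.
        "compliance": check_policy(parse_cpe_list(COMPLIANCE_LIST), "missing",
                                   INVENTORY, override_severity=5.0),
        # Internet Explorer 6 being present is the problem; default score 10.0.
        "problematic_present": check_policy(["cpe:/a:microsoft:ie:6"], "present", INVENTORY),
        # Norton Antivirus (any version) being absent is the problem.
        "important_missing": check_policy(["cpe:/a:symantec:norton_antivirus"], "missing",
                                          INVENTORY),
    }
    return {name: [(r.host, r.cpe, r.severity) for r in res if r.violation]
            for name, res in scenarios.items()}


if __name__ == "__main__":
    for name, violations in run_examples().items():
        print(name, violations)
```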

13.2 Standard Policies

13.2.1 IT-Grundschutz

With the Greenbone Security Manager (GSM) it is possible to automatically check either the German IT-
Grundschutz catalogs or the modernized IT-Grundschutz compendium as published and maintained
by the German Federal Office for Information Security [33] (BSI).
The current “15. Ergänzungslieferung” with tests for over 80 measures is supported for the IT-
Grundschutz catalogs. That is the maximum number of measures that can be supported with
automatic tests.
Some measures are quite comprehensive and actually consist of several single tests. A couple of
measures address a specific operating system and hence will only be applied to those. The number
and type of tested systems is irrelevant for the GSM.
This makes the GSM the fastest co-worker for executing an IT-Grundschutz audit, and it opens the
opportunity to run a check for breaches of the measures as a permanent background process.

Checking IT-Grundschutz

This example executes a check according to the German IT-Grundschutz, where IT-Grundschutz cat-
alogs and IT-Grundschutz compendium can be selected.
1. Download the scan configuration IT-Grundschutz Scan [34].
For verinice integration use the scan configuration IT-Grundschutz Scan incl. Discovery for
verinice [35].

Important: External links to the Greenbone download website are case-sensitive. Upper and lower case
letters and special characters have to be entered exactly as they are written in the footnotes.

2. Select Configuration > Scan Configs in the menu bar.


3. Click .
33 https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html
34 https://download.greenbone.net/scanconfigs/it-grundschutz-v2.xml
35 https://download.greenbone.net/scanconfigs/it-grundschutz-discovery-v2.xml


4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a
scan configuration (page 214)).
5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs (see figure Imported
scan configuration on the page Scan Configs (page 214)).

Fig. 13.26: Importing a scan configuration

Fig. 13.27: Imported scan configuration on the page Scan Configs

Note: This scan configuration contains the settings to execute all checks. The individual checks are
not selected explicitly, so a summary result is generated instead.

Test for IT-Grundschutz catalogs


1. Click of the scan configuration.
2. In the section Edit Network Vulnerability Test Families click for Compliance.
→ All NVTs that allow special configuration are listed. Two NVTs are selected per default:
Compliance Tests and IT-Grundschutz, 15. EL (see figure NVTs of the family Compliance
(page 214)).

Fig. 13.28: NVTs of the family Compliance

3. Click for Compliance Tests.


4. For Launch IT-Grundschutz (15. EL) select the radiobutton yes (see figure Editing the NVT
Compliance Tests (page 215)).

Fig. 13.29: Editing the NVT Compliance Tests

5. Click Save to save the NVT.


6. Click for IT-Grundschutz, 15. EL.
7. For Berichtformat select the radiobutton of the desired report format (see figure Selecting
the report format (page 217)).
• Text: Textual report format
• Tabellarisch: Tabular report format
• Text und Tabellarisch: Textual and tabular report format
8. Click Save to save the NVT.
9. Click Save to save the family of NVTs.
10. Click Save to save the scan configuration.
Test for IT-Grundschutz compendium
1. Click of the scan configuration.
2. In the section Edit Network Vulnerability Test Families click for Compliance.
→ All NVTs that allow special configuration are listed (see figure NVTs of the family Com-
pliance (page 216)).
3. Activate the checkboxes for Compliance Tests and IT-Grundschutz, Kompendium.
4. Click for Compliance Tests.
5. For Launch latest IT-Grundschutz version select the radiobutton yes (see figure Editing the
NVT Compliance Tests (page 217)).


Fig. 13.30: NVTs of the family Compliance

6. For Level of Security (IT-Grundschutz) select the radiobutton of the level which was intro-
duced in the modernized IT-Grundschutz compendium (see figure Editing the NVT Compli-
ance Tests (page 217)).
7. Click Save to save the NVT.
8. Click for IT-Grundschutz, Kompendium.
9. For Berichtformat select the radiobutton of the desired report format (see figure Selecting
the report format (page 217)).
• Text: Textual report format
• Tabellarisch: Tabular report format
• Text und Tabellarisch: Textual and tabular report format
10. Click Save to save the NVT.
11. Click Save to save the family of NVTs.
12. Click Save to save the scan configuration.

Note: The majority of the checks for the measures are based on local security checks. For
these, the respective access has to be configured.

6. Execute steps 16 to 25 of Checking Policy Compliance (page 204).


7. When the scan is completed select Scans > Reports in the menu bar.
8. Click on the date of the report to show the results.

Note: For the textual form of the report the severity category “Low” in the filter has to be en-
abled. For the tabular form of the report the category “Log” in the filter has to be enabled.

9. To do so, click in the filter bar.


→ The window for editing the filter is opened.
10. For Severity (Class) activate the checkbox Low or Log.


Fig. 13.31: Editing the NVT Compliance Tests

Fig. 13.32: Selecting the report format

Fig. 13.33: Report for the IT-Grundschutz scan


11. Click Update.

Note: The number of reports depends on the selected report format. The entry in the column Location
is general/IT-Grundschutz for the textual report and general/IT-Grundschutz-T for the tabular re-
port. When both report formats were chosen, they both appear with the same name but with their
corresponding entry in the column Location (see figure Report for IT-Grundschutz scan in both report
formats (page 218)).

Fig. 13.34: Report for IT-Grundschutz scan in both report formats

Importing Results into a Spreadsheet Application

The results can be imported into a spreadsheet application, e.g. Microsoft Excel, Apache OpenOffice
Calc or LibreOffice Calc, as follows:
1. Move the mouse over Report: Results.
→ A drop-down-list is opened (see figure Opening the page Report: Summary and Download
(page 218)).

Fig. 13.35: Opening the page Report: Summary and Download

2. Click Report: Summary and Download.

Note: The report is available in a full or a filtered version. In the filtered version, the currently
applied filter (besides rows and first) is considered.

3. In the row of the desired version, select ITG in the drop-down-list in the column Download (see
figure Exporting a report (page 218)).
4. In the row of the desired version click .
→ The report is exported as a CSV file.

Fig. 13.36: Exporting a report

5. Open the spreadsheet application and open the previously exported CSV file.

Note: This example shows the import using LibreOffice Calc 5.2.7.2.


6. Select Unicode (UTF-8) in the drop-down-list Character set.


7. Select the radiobutton Separated by, activate the checkbox Other and enter | (vertical line) in
the input box.
8. Select " (double quote) in the drop-down-list Text delimiter.
9. Mark the last column in the preview window and select Text in the drop-down-list Column type.

Fig. 13.37: Adjusting the import settings

10. Click OK.


→ The report is opened in the spreadsheet application and can be used for further analysis.

Importing Results into IT-Grundschutz Tools

A number of tools are available to support IT-Grundschutz processes with a structured approach,
data entry and management.
The German Federal Office for Information Security (BSI) offers an overview of IT-Grundschutz tools [36]
on its website.

Note: For importing the results of an IT-Grundschutz scan into one of these tools contact the vendor
of the corresponding tool. For additional questions do not hesitate to contact the Greenbone Net-
works Support.

36 https://www.bsi.bund.de/EN/Topics/ITGrundschutz/ITGrundschutzGSTOOL/itgrundschutzgstool_node.html


Result Classes of IT-Grundschutz Checks

The following result classes can occur for a check:

• Not fulfilled (FAIL): It was detected that the target system does not fulfill the measure.
• Fulfilled (OK): It was detected that the target system does fulfill the measure.
• Error (ERR): It was not possible to execute the test routine properly. Example: Some checks
require credentials. If the credentials are missing, the check cannot be executed for technical
reasons. In case no credentials are provided, many of the checks will have this status.
• Check of this measure is not available (NA): In general it is assumed that this measure can be
checked automatically, but an implementation is not yet available. For newly released
“Ergänzungslieferungen” this is initially true for a number of measures. However, the Greenbone
Security Feed is updated continuously, and eventually all measures will be implemented.
• Check of the measure is not implemented (NI): A number of measures of the IT-Grundschutz
catalogs are kept too general to create an explicit automatic check. Other measures describe
checks that can only be done physically and thus also belong to this class of tests that cannot be
implemented at all.
• Check not suited for the target system (NS): Some measures refer exclusively to a special type
of operating system. If the target system runs another operating system type, the measure does
not apply.
• This measure is deprecated (DEP): Some updates (“Ergänzungslieferungen”) removed some
measures without a replacement. Old IDs of such deprecated measures are never re-used. The
results marked as DEP can be safely ignored but the entries remain for completeness.
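The spreadsheet export settings above (| as separator, " as text delimiter) and the result classes just listed, as an added example that is not part of the manual: a Python script that reads such an export, tallies the classes per host and flags hosts where ERR dominates, the pattern the text attributes to missing credentials. The column names and the sample rows are constructed for this example; the real ITG export's column layout is not given on this page.

```python
"""Tally the result classes of an IT-Grundschutz report export. Added example,
not code from the manual: the export is read with the import settings the manual
gives for spreadsheets ('|' separator, '"' text delimiter). The column names and
rows below are constructed; the real ITG export layout is not given on this page."""
import csv
import io
from collections import Counter, defaultdict

# The seven result classes defined above.
RESULT_CLASSES = ("FAIL", "OK", "ERR", "NA", "NI", "NS", "DEP")

# Constructed sample export, NOT a real GSM export; the column layout is assumed.
SAMPLE_EXPORT = '''"Host"|"Measure"|"Result"|"Description"
"192.0.2.10"|"M4.2"|"OK"|"Screen lock is active"
"192.0.2.10"|"M4.3"|"FAIL"|"No anti virus software found"
"192.0.2.10"|"M4.7"|"OK"|"No default passwords accepted"
"192.0.2.10"|"M4.36"|"NS"|"Measure applies to Cisco devices only"
"192.0.2.10"|"M4.200"|"NA"|"Automatic check not yet available"
"192.0.2.10"|"M4.6"|"DEP"|"Measure removed without replacement"
"192.0.2.11"|"M4.2"|"ERR"|"Login failed: no credentials configured"
"192.0.2.11"|"M4.3"|"ERR"|"Login failed: no credentials configured"
"192.0.2.11"|"M4.7"|"OK"|"No default passwords accepted"
"192.0.2.11"|"M4.36"|"NS"|"Measure applies to Cisco devices only"
'''


def read_itg_export(text: str) -> list:
    """Parse the export into row dicts, rejecting unknown result classes so a
    changed export format is noticed instead of being silently miscounted."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="|", quotechar='"'))
    for row in rows:
        if row["Result"] not in RESULT_CLASSES:
            raise ValueError(f"unknown result class {row['Result']!r} for {row['Measure']}")
    return rows


def tally_by_host(rows: list) -> dict:
    """Return {host: Counter(result class -> number of measures)}."""
    tally = defaultdict(Counter)
    for row in rows:
        tally[row["Host"]][row["Result"]] += 1
    return dict(tally)


def summarize_host(counter: Counter) -> dict:
    """Condense one host's tally:
    - fulfilment: OK / (OK + FAIL). NA, NI, NS and DEP say nothing about the
      target and ERR means the check did not run, so they are left out.
    - credentials_suspect: ERR outnumbers the checks that did run, the pattern
      the manual describes for scans without (working) credentials.
    - open_failures: measures to follow up on."""
    decided = counter["OK"] + counter["FAIL"]
    return {
        "fulfilment": counter["OK"] / decided if decided else None,
        "credentials_suspect": counter["ERR"] > decided,
        "open_failures": counter["FAIL"],
    }


def audit(text: str) -> dict:
    """Per-host summary of a whole export."""
    return {host: summarize_host(c)
            for host, c in tally_by_host(read_itg_export(text)).items()}


if __name__ == "__main__":
    for host, summary in audit(SAMPLE_EXPORT).items():
        print(host, summary)
```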

Supported measures

This overview refers to the current “Ergänzungslieferung”. The measure IDs link to the corresponding
detailed information available on the website of BSI.
The following test types are distinguished:
• Remote: For the check it is only necessary to have network connection to the target system.
• Credentials: For the check it is required to use an account on the target system.

Table 13.1

BSI reference | Title | Test type | Note
M4.2 [37] | Screen lock | Credentials | Windows: Can only test for local accounts. Linux: Only default screen savers in Gnome and KDE.
M4.3 [38] | Use of anti virus protection software | Credentials |
M4.4 [39] | Compliant handling of drives for removable media and external data storage devices | Credentials |
M4.5 [40] | Logging of telecommunication equipment | Credentials |
M4.7 [41] | Changing of default passwords | Remote | Test only via SSH and Telnet.
M4.9 [42] | Use of the security mechanisms of XWindows | Credentials |
M4.14 [43] | Mandatory password protection in Unix | Credentials |
M4.15 [44] | Secure login | Credentials |
M4.16 [45] | Access restrictions of user IDs and / or terminals | Credentials |
M4.17 [46] | Locking and deleting unneeded accounts and terminals | Credentials |
M4.18 [47] | Administrative and technical securing of access to monitoring and single-user mode | Credentials |
M4.19 [48] | Restrictive allocation of attributes for UNIX system files and directories | Credentials |
M4.20 [49] | Restrictive allocation of attributes for UNIX user files and directories | Credentials |
M4.21 [50] | Preventing of unauthorized escalation of administrator rights | Credentials |
M4.22 [51] | Preventing of loss of confidentiality of sensitive data in the UNIX system | Credentials |
M4.23 [52] | Safe access of executable files | Credentials |
M4.33 [53] | Use of a virus scanning program for storage media exchange and data transfer | Credentials |
M4.36 [54] | Disabling of certain fax receiving phone numbers | Credentials | Cisco devices can only be tested via telnet because they do not support blowfish-cbc encryption.
M4.37 [55] | Disabling of certain fax sending phone numbers | Credentials | Cisco devices can only be tested via telnet because they do not support blowfish-cbc encryption.
M4.40 [56] | Preventing the unauthorized use of the computer microphone | Credentials | Only implemented for Linux. Under Windows, it is not possible to determine the status of the microphone via registry/WMI.
M4.48 [57] | Password protection of Windows systems | Credentials |
M4.49 [58] | Securing of the boot process of Windows systems | Credentials |
M4.52 [59] | Equipment protection under Windows NT-based systems | Credentials |
M4.57 [60] | Deactivation of automatic CD-ROM recognition | Credentials |
M4.80 [61] | Secure access methods for remote administration | Remote |
M4.94 [62] | Protection of web server files | Remote |
M4.96 [63] | Disabling of DNS | Credentials |
M4.97 [64] | One service per server | Remote |
M4.98 [65] | Limit communication through a packet filter to a minimum | Credentials | Microsoft Windows Firewall is being tested. For Vista and newer any firewall that is installed conforming to the system.
M4.106 [66] | Activation of system wide logging | Credentials |
M4.135 [67] | Restrictive assigning of access rights to system files | Credentials |
M4.147 [68] | Secure use of EFS under Windows | Credentials |
M4.200 [69] | Use of USB storage media | Credentials |
M4.227 [70] | Use of a local NTP server for time synchronization | Credentials |
M4.238 [71] | Use of a local packet filter | Credentials | Microsoft Windows Firewall is being tested. For Vista and newer any firewall that is installed conforming to the system.
M4.244 [72] | Secure system configuration of Windows client operating systems | Credentials |
M4.277 [73] | Securing of the SMB, LDAP and RPC communication of Windows servers | Credentials |
M4.284 [74] | Handling of services of Windows Server 2003 | Credentials |
M4.285 [75] | Uninstallation of unneeded client services of Windows Server 2003 | Credentials |
M4.287 [76] | Secure administration of VoIP middleware | Remote |
M4.300 [77] | Information protection of printers, copiers and multi-function equipment | Remote |
M4.305 [78] | Use of storage quotas | Credentials |
M4.310 [79] | Implementation of LDAP access to file services | Remote |
M4.313 [80] | Providing of secure domain controllers | Credentials |
M4.325 [81] | Deletion of swap files | Credentials |
M4.326 [82] | Providing the NTFS properties on a Samba file server | Credentials |
M4.328 [83] | Secure base configuration of a Samba server | Credentials |
M4.331 [84] | Secure configuration of the operating system for a Samba server | Credentials |
M4.332 [85] | Secure configuration of access controls of a Samba server | Credentials |
M4.333 [86] | Secure configuration of Winbind under Samba | Credentials |
M4.334 [87] | SMB message signing and Samba | Credentials |
M4.338 [88] | Use of Windows Vista and new file and registry virtualization | Credentials | Only a general test if file and registry virtualization is enabled.
M4.339 [89] | Avoidance of unauthorized use of portable media under Windows Vista and later | Credentials |
M4.340 [90] | Use of the Windows user account control UAC starting with Windows Vista | Credentials |
M4.341 [91] | Integrity protection starting with Windows Vista | Credentials | Where possible technically implemented (active UAC and protected mode in different zones).
M4.342 [92] | Activation of last access certificate stamp starting with Windows Vista | Credentials |
M4.344 [93] | Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems | Credentials |
M4.368 [94] | Regular audits of the terminal server environment | Credentials |
M5.8 [95] | Regular security check of the network | Remote | Only a message is being displayed that tests should be performed with up-to-date plug-ins.
M5.17 [96] | Use of the security mechanisms of NFS | Credentials |
M5.18 [97] | Use of the security mechanisms of NIS | Credentials |
M5.19 [98] | Use of the security mechanisms of sendmail | Remote |
M5.19 [99] | Use of the security mechanisms of sendmail | Credentials |
M5.20 [100] | Use of the security mechanisms of rlogin, rsh and rcp | Credentials |
M5.21 [101] | Secure use of telnet, ftp, tftp and rexec | Credentials |
M5.34 [102] | Use of one time passwords | Credentials |
M5.59 [103] | Protection from DNS-spoofing with authentication mechanisms | Credentials |
M5.63 [104] | Use of GnuPG or PGP | Credentials |
M5.64 [105] | Secure shell | Remote |
M5.66 [106] | Use of TLS/SSL | Remote |
M5.72 [107] | Deactivation of not required net services | Credentials | Only displays the services in question.
M5.90 [108] | Use of IPSec under Windows | Credentials |
M5.91 [109] | Use of personal firewalls for clients | Credentials | Microsoft Windows Firewall is being tested. For Vista and newer any firewall that is installed conforming to the system. On Linux systems, displaying the iptables rules, if possible.
M5.109 [110] | Use of an e-mail scanner on the mailserver | Remote |
M5.123 [111] | Securing of the network communication under Windows | Credentials |
M5.131 [112] | Securing of the IP protocols under Windows Server 2003 | Credentials |
M5.145 [113] | Secure use of CUPS | Credentials |
M5.147 [114] | Securing of the communication with directory services | Remote |


37 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04002.html
38 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04003.html
39 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04004.html
40 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04005.html
41 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04007.html
42 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04009.html
43 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04014.html
44 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04015.html
45 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04016.html
46 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04017.html
47 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04018.html
48 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04019.html
49 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04020.html
50 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04021.html
51 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04022.html
52 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04023.html
53 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04033.html
54 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04036.html
55 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04037.html
56 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04040.html
57 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04048.html
58 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04049.html
59 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04052.html
60 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04057.html
61 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04080.html
62 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04094.html
63 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04096.html
64 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04097.html
65 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04098.html
66 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04106.html
67 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04135.html
68 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04147.html
69 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04200.html
70 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04227.html
71 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04238.html
72 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04244.html
73 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04277.html
74 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04284.html
75 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04285.html
76 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04287.html
77 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04300.html
78 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04305.html
79 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04310.html
80 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04313.html
81 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04325.html
82 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04326.html
83 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04328.html
84 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04331.html
85 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04332.html
86 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04333.html
87 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04334.html
88 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04338.html
89 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04339.html
90 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04340.html
91 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04341.html
92 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04342.html
93 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04344.html
94 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04368.html
95 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05008.html
96 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05017.html


13.2.2 PCI DSS

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for payment card
transactions and is supported by the major payment systems MasterCard, Visa, AMEX, Discover and
JCB.
All organizations processing card payments and/or storing or transferring card data are required to
perform compliance validation according to PCI DSS. Non-compliance or lack of validation means the
risk of being fined or, ultimately, losing the ability to process payment cards.
The validation of compliance depends on the volume of card transactions. Here, service providers are
usually classified as Level 1 Service Provider. They must validate their cardholder data environment by
an independent scanning vendor approved by the PCI Security Standards Council (PCI SSC) on a quar-
terly basis. In addition, an annual on-site PCI Security Audit has to be performed by an independent
Qualified Security Assessor (QSA), also approved by the PCI SSC.
The Approved Scanning Vendor (ASV) is a service provider performing a vulnerability scan of the card-
holder data environment visible to the Internet. As such the vulnerability scanners themselves cannot
be classified or certified as ASVs. However, they are tools for the ASV to perform the vulnerability scan
using the approved process.

Greenbone Security Manager and PCI DSS

According to PCI DSS (Version 3.1, Requirement 11.2) two types of vulnerability scans have to be per-
formed on a quarterly basis and after significant changes to the cardholder data environment:
• Vulnerability scan conducted by the ASV
• Internal scan of the cardholder data environment
The latter scan may be performed by employees of the organization and requires no approval
by the PCI SSC.
The Greenbone Security Manager (GSM) can perform both of these scans. Its false positive management
features help to avoid the significant workload of manually eliminating false alerts.
A merchant can use the GSM to check the security requirements prior to the ASV vulnerability scan in
order to avoid costly re-scans.
This way, a merchant can use the GSM to check for PCI compliance on an ongoing basis even between
the scans performed by the ASV.
Since security changes are stored immutably within the GSM for audit compliance, the correct security
and compliance status can be verified at any time between the quarterly ASV scans.
97 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05018.html
98 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05019.html
99 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05019.html
100 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05020.html
101 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05021.html
102 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05034.html
103 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05059.html
104 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05063.html
105 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05064.html
106 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05066.html
107 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05072.html
108 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05090.html
109 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05091.html
110 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05109.html
111 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05123.html
112 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05131.html
113 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05145.html
114 https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m05/m05147.html


Escalation methods can continuously inform an external auditor as well as internal experts about the
security status. Summaries are sent to the responsible parties.

Policy Monitoring

The GSM can also check the system parameters according to the PCI DSS policy in the same way it
periodically checks the technical aspects of other policies.
A permanent background policy scan ensures that it does not go unnoticed when antivirus tools become
outdated or firewalls are deactivated. Such parameters can be monitored and escalated in the same way
as software vulnerabilities.
Advantages for the merchant:
• Permanent policy monitoring
• Flexible escalation
• False positive management
• Internal and external vulnerability scanning
• Complete vulnerability analysis according to PCI DSS for internal scans
Advantages for the ASV:
• False positive management
• Static scan configuration for re-scans
• Complete vulnerability analysis according to PCI DSS for external scans via Internet
• Flexible reporting framework for individual scan reports

Tip: Greenbone Networks, as the vendor of the GSM, does not act as an ASV. However, Greenbone's
business partners include security consultants who also act as ASVs and can introduce the GSM into
the security process.

13.2.3 BSI TR-03116: Kryptographische Vorgaben für Projekte der Bundesregierung

The German Federal Office for Information Security (BSI) published the technical guideline “TR-03116:
Kryptographische Vorgaben für Projekte der Bundesregierung” (cryptographic requirements for projects
of the federal government). Part 4 of this guideline describes the security requirements for services of
the federal government using the cryptographic protocols SSL/TLS, S/MIME and OpenPGP.
The requirements are based on forecasts for the security of the algorithms and key lengths for the next
seven years, up to and including 2022.
Greenbone Networks provides a scan configuration for testing the compliance of services with the
technical guideline “TR-03116”. This configuration must first be imported into the GSM.
This scan configuration tests whether the scanned hosts and services use SSL/TLS. If this is the case,
compliance with the guideline is tested.
At least the following ciphers must be supported to pass the test:
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


If a pre-shared key is used by the application in addition to the SSL/TLS algorithm, one of the following
ciphers is required:
• TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
1. Download the scan configuration BSI TR-03116 Scan Config [115].

Important: External links to the Greenbone download website are case-sensitive.

Note that upper-case and lower-case letters as well as special characters have to be entered exactly
as they are written in the footnotes.

2. Select Configuration > Scan Configuration in the menu bar.


3. Click .
4. Click Browse... and select the previously downloaded scan configuration.
5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs.
6. Click the edit icon of the scan configuration.
7. In the section Edit Network Vulnerability Test Families click the edit icon for Policy.
→ All NVTs that allow special configuration are listed.
8. Click the edit icon for BSI-TR-03116-4 Policy.
9. For Perform check select the radio button yes (see figure Editing an NVT (page 228)).

Fig. 13.38: Editing an NVT

10. Click Save to save the NVT.


11. Click Save to save the family of NVTs.
12. Click Save to save the scan configuration.
13. Execute steps 16 to 25 of Checking Policy Compliance (page 204).
115 https://download.greenbone.net/scanconfigs/policy_BSI-TR-03116-4.xml


14. When the scan is completed select Scans > Reports in the menu bar.
→ The scan report will show either matches or violations (see figures Result of a match
(page 229) and Report showing result of violations with severity Medium (page 229)).

Fig. 13.39: Result of a match

Fig. 13.40: Report showing result of violations with severity Medium

Note: The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs
have a default score of 10. Previously these NVTs had a default score of 0 (log message) and overrides
were required for different scores. The new default score of 10 can be changed using overrides as well.

13.2.4 Cyber Essentials

The Cyber Essentials are simple yet effective requirements to protect organizations of any size
against the most common cyber attacks. This UK government scheme, launched in 2014, addresses
Internet-based threats to cyber security, namely hacking, phishing and password guessing. It reduces
the risk of successful attacks which use widely available tools and demand little skill. The Cyber
Essentials specify the requirements under five technical control themes:
• Firewalls (boundary and/or host-based)
• Secure Configuration
• User Access Control
• Malware Protection
• Patch Management
The requirements for each technical control theme can be found here [116].
116 https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure


Testing for Compliance with Cyber Essentials

1. Download the scan configuration Cyber Essentials Scan Config [117].

Important: External links to the Greenbone download website are case-sensitive.

Note that upper-case and lower-case letters as well as special characters have to be entered exactly
as they are written in the footnotes.

2. Select Configurations > Scan Configs in the menu bar.


3. Click .
4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a
scan configuration (page 230)).

Fig. 13.41: Importing a scan configuration

5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs.
6. Select Configuration > Targets in the menu bar.
7. Create a new target by clicking .
8. Define the target systems. For more information see Creating a Target (page 113).
9. Click Save.
10. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created targets.
Select Scans > Tasks in the menu bar.
11. Create a new task by clicking and selecting New Task.
12. Define the task with the desired scan configuration (see figure Creating a new task (page 231)).
13. Click Create.
14. Start the scan by clicking the start icon of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

15. Select Scans > Reports in the menu bar.


16. Click on the date of the report to show the results.
The results are divided into the following categories (see figure Results of the Cyber Essentials scan
(page 231)):
• Cyber Essentials. Only appears if the tests cannot be run against a host for any reason.
117 https://download.greenbone.net/scanconfigs/cyber_essentials_scanconfig.xml


Fig. 13.42: Creating a new task

• Cyber Essentials: Error. Summarizes requirements with errors (if any).
• Cyber Essentials: Fail. Summarizes requirements the host does not comply with (if any).
• Cyber Essentials: Ok. Summarizes requirements the host does comply with (if any).

Fig. 13.43: Results of the Cyber Essentials scan

Note: The technical control theme Malware Protection includes requirements for application
whitelisting. This can be checked with Greenbone's CPE-based scans. See chapter Simple CPE-Based
Checks for Security Policies (page 204) for more information.

13.2.5 General Data Protection Regulation

The General Data Protection Regulation (GDPR) regulates the processing of personal data (relating
to individuals in the EU) by another individual, a company or an organization for any use outside the
personal sphere. For example, it applies to financial activities. Personal data is any information that
relates to an identified or identifiable living individual. Examples are:
• (Sur)name
• E-mail addresses belonging to an individual (unlike generic addresses such as [email protected])
• IP address
• Home address


Since the regulation does not refer to any technology, it applies to both digital and analogue
processing and storage of personal data. For more information see also the webpage of the European
Commission [118] regarding the GDPR.
There are no official technical requirements for the GDPR published. As stated in Art. 32 GDPR, the
organization “shall implement appropriate technical and organizational measures to ensure a level
of security appropriate to the risk” of personal data. Many checklists for GDPR compliance are
available, which contain, amongst other requirements, considerations for password management,
auditing/logging and handling of removable media devices.

Testing Technical Requirements of GDPR

The following technical settings can be tested automatically with Greenbone:
• Min. password length
• Max. password age
• Password complexity enforcement
• Handling of removable media
• Logging policy
Execute the following steps to test these settings on the hosts:
1. Download the scan configuration GDPR Scan Config [119].

Important: External links to the Greenbone download website are case-sensitive.

Note that upper-case and lower-case letters as well as special characters have to be entered exactly
as they are written in the footnotes.

2. Select Configurations > Scan Configs in the menu bar.


3. Click .
4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a
scan configuration (page 232)).

Fig. 13.44: Importing a scan configuration

5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs.
6. Select Configuration > Targets in the menu bar.
7. Create a new target by clicking .
8. Define the target systems. For more information see Creating a Target (page 113).
9. Click Save.
118 https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
119 https://download.greenbone.net/scanconfigs/gdpr_scan_config.xml


10. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created targets.
Select Scans > Tasks in the menu bar.
11. Create a new task by clicking and selecting New Task.
12. Define the task with the desired scan configuration (see figure Creating a new task (page 233)).

Fig. 13.45: Creating a new task

13. Click Create.


14. Start the scan by clicking the start icon of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

15. Select Scans > Reports in the menu bar.


16. Click on the date of the report to show the results (see figure Results of the GDPR scan
(page 233)).

Fig. 13.46: Results of the GDPR scan

Important: The settings found on the host have to comply with the organization's guidelines.


13.3 Special Policies

13.3.1 Mailserver Online Test

In September 2014 the Bavarian State Office for Data Protection performed the online test Mailserver:
STARTTLS & Perfect Forward Secrecy [120]. The organizations found to be affected by this test were
asked to remove the security risks.
Using the Greenbone Security Manager or OpenVAS, an organization can test whether its own mail
servers comply with the security criteria. Execute the following steps to perform the test:
1. Download the scan configuration Mailserver Online Test Scan Config [121].

Important: External links to the Greenbone download website are case-sensitive.

Note that upper-case and lower-case letters as well as special characters have to be entered exactly
as they are written in the footnotes.

2. Select Configurations > Scan Configs in the menu bar.


3. Click .
4. Click Browse... and select the previously downloaded scan configuration.
5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs.
6. Select Configuration > Port Lists.
7. Create a new port list by clicking .
8. Define the port list and enter “T:25” in the input box Port Ranges — Manual.
9. Click Save.
10. Select Configuration > Targets in the menu bar.
11. Create a new target by clicking .
12. Define the target system containing the mailserver that should be tested and select the previ-
ously created port list in the drop-down-list Port List.

Note: Depending on the network settings it could make sense to select Consider Alive in the
drop-down-list Alive Test.

13. Click Save.


14. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created targets.
Select Scans > Tasks in the menu bar.
15. Create a new task by clicking and selecting New Task.
16. Define the task with the desired scan configuration.
17. Click Create.
120 https://www.lda.bayern.de/en/mailserver.html
121 https://download.greenbone.net/scanconfigs/onlinepruefung-mailserver-scanconfig.xml


18. Start the scan by clicking the start icon of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take about 30 to 40 minutes for the scan to complete because the scanner generally has
to wait somewhat longer for data from the mail servers. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

19. Select Scans > Reports in the menu bar.


→ The report contains different log entries for each mail server.
A missing STARTTLS is initially only reported as a log message, since how it should be assessed is a
policy question. For example, an override for this NVT can be created that rates it as a high risk. The
override can then be extended to all hosts and possibly all tasks.

Note: Should monitoring be established, a schedule for this task can be created (e.g. every week on
Sundays) as well as an alert (e.g. an e-mail). Combined with the respective overrides an automated
warning system is being created in the background.
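
The two criteria of the online test, STARTTLS support and a forward-secret cipher, can also be checked with a small script. The following Python program is an added example and is not part of the manual or of Greenbone's scan configuration. It connects to port 25 of a mail server you operate (the host name mail.example.org is an assumption to be replaced), reads the EHLO reply for the STARTTLS extension, upgrades the connection and reports whether the negotiated cipher uses an ephemeral (EC)DHE key exchange. The EHLO reply in the comments is constructed.

```python
"""Check one's own mail server for STARTTLS and Perfect Forward Secrecy.

Added example; not part of the Greenbone manual. Requires outbound
access to TCP port 25 of the assessed host (assumed: mail.example.org).
"""
import smtplib
import ssl
import sys

# Key-exchange methods that give Perfect Forward Secrecy: the (EC)DHE keys are
# ephemeral, so a later compromise of the server's private key does not
# expose recorded sessions.
PFS_KEY_EXCHANGES = ("ECDHE", "DHE", "EDH")


def parse_ehlo_extensions(ehlo_reply):
    """Return the set of SMTP extension keywords in an EHLO reply.

    Accepts either the raw multi-line reply (constructed sample:
    "250-SIZE 10240000\\r\\n250-STARTTLS\\r\\n250 8BITMIME") or the form
    smtplib keeps in SMTP.ehlo_resp (bytes, "250" prefixes already removed).
    The first line is the server greeting and is skipped.
    """
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    extensions = set()
    for line in ehlo_reply.splitlines()[1:]:
        if line[:3] == "250":          # raw reply: drop "250-" or "250 "
            line = line[4:]
        words = line.strip().split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def cipher_has_forward_secrecy(openssl_name):
    """True if an OpenSSL cipher name implies an ephemeral key exchange.

    "ECDHE-RSA-AES128-GCM-SHA256" -> True; "AES128-SHA" (RSA key transport)
    -> False; "ECDH-RSA-AES128-SHA" (static ECDH) -> False. TLS 1.3 suites
    ("TLS_AES_128_GCM_SHA256") always use ephemeral (EC)DHE.
    """
    name = openssl_name.upper()
    if name.startswith("TLS_"):
        return True
    return name.split("-")[0] in PFS_KEY_EXCHANGES


def assess_mailserver(host, port=25, timeout=30.0):
    """Connect, check for STARTTLS, upgrade and report the negotiated TLS parameters.

    Returns a dict with the keys starttls, tls_version, cipher and forward_secrecy.
    Certificate validation is deliberately off: this check reports what the
    server negotiates; certificate validity is a separate check.
    """
    result = {"starttls": False, "tls_version": None, "cipher": None, "forward_secrecy": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            return result
        result["starttls"] = "STARTTLS" in parse_ehlo_extensions(smtp.ehlo_resp)
        if not result["starttls"]:
            return result
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=context)
        tls_sock = smtp.sock                      # now an ssl.SSLSocket
        result["tls_version"] = tls_sock.version()
        result["cipher"] = tls_sock.cipher()[0]
        result["forward_secrecy"] = cipher_has_forward_secrecy(result["cipher"])
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # assumed host
    print(assess_mailserver(target))
```

A result with starttls set to False corresponds to the log entry the scan produces for a missing STARTTLS; forward_secrecy set to False means the server negotiated an RSA key-transport or static (EC)DH suite and should be reconfigured to prefer ECDHE or DHE suites.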

13.4 TLS-Map

The TLS (Transport Layer Security) protocol ensures the confidentiality, authenticity and integrity of
communication in insecure networks. It establishes confidential communication between sender and
receiver, for example a web server and a web browser. In the past years various security holes were
found in the widely used protocol version TLS 1.0 and were used by attackers to actually read the
communication.
With the Greenbone Security Manager (GSM) it is possible to identify systems that offer services using
SSL/TLS protocols. Additionally, the GSM detects the protocol versions and offered encryption
algorithms. Further details about the service can be obtained if it can be properly identified.

13.4.1 Preparing the Scan

For a simplified export of the scan results Greenbone Networks prepared a special report format plug-
in. The resulting data file makes it easy to further process the data.
1. Download the TLS-Map Report Format Plug-in [122].

Important: External links to the Greenbone download website are case-sensitive.

Note that upper-case and lower-case letters as well as special characters have to be entered exactly
as they are written in the footnotes.

2. Select Configuration > Report Formats.


3. Click .
4. Click Browse... and select the previously downloaded report format plug-in.
5. Click Create.
→ The imported report format is displayed on the page Report Formats.
6. Verify the signature of the report format by clicking .
122 https://download.greenbone.net/rfps/tls-map-1.0.0.xml


7. In the row of the report format click the edit icon.
8. For Active select the radio button Yes.
9. Click Save.

13.4.2 Checking for TLS and Exporting the Scan Results

Important: External links to the Greenbone download website are case-sensitive.

Note that upper-case and lower-case letters as well as special characters have to be entered exactly
as they are written in the footnotes.

For an overview on TLS usage in the network or on single systems Greenbone Networks recommends
using one of the following scan configurations:
• TLS-Map Scan Config [123]: This scan configuration identifies the used protocol versions and the
offered encryption algorithms but does not try to identify in-depth details of the service.
• TLS-Map with service detection [124]: This scan configuration identifies the used protocol versions
and the offered encryption algorithms. Additionally, it tries to identify in-depth details of the
service. This identification takes more time and produces more network traffic compared to the
simple scan configuration mentioned above.
1. Download one of the scan configurations according to the needs.
2. Select Configurations > Scan Configs in the menu bar.
3. Click .
4. Click Browse... and select the previously downloaded scan configuration.
5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs.

Note: Select Configuration > Port Lists to have a look at the pre-configured port lists. Own port lists
can be created as well. Choose a suitable list of ports that should be scanned. Pay attention that all
ports of interest are covered by the list.
The more extensive the list, the longer the scan will take, but this may also detect services on
unusual ports.
Consider that the TLS protocol is based on the TCP protocol. A port list with UDP ports slows down
the scan without any benefit. If all TCP ports should be covered, All TCP should be selected.

6. Select Configurations > Targets in the menu bar.


7. Create a new target by clicking .
8. Define the target system and in the drop-down-list Port List select the desired port list.
9. Click Save.
10. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created target.
Select Scans > Tasks in the menu bar.
11. Create a new task by clicking and selecting New Task.
12. Define the task with the desired scan configuration.
123 https://download.greenbone.net/scanconfigs/tls-map-scan-config.xml
124 https://download.greenbone.net/scanconfigs/tls-map-app-detection-scan-config.xml


13. Click Create.


→ The task is created and displayed on the page Tasks.
14. Start the scan by clicking the start icon of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

15. When the scan is completed select Scans > Reports in the menu bar.
16. Click on the date of the report to show the results.
17. Move the mouse over Report: Results.
→ A drop-down-list is opened (see figure Opening the page Report: Summary and Down-
load (page 237)).

Fig. 13.47: Opening the page Report: Summary and Download

18. Click Report: Summary and Download.

Note: The report is available in a full or a filtered version. In the filtered version, the
currently applied filter (besides rows and first) is considered.

19. In the row of the full version, select TLS Map in the drop-down-list in the column Download.
20. In the row of the full version click the download icon.
→ The report is exported as a CSV file and can be used in spreadsheet applications.
The file contains one line per port and system where an SSL/TLS protocol is offered:
IP,Host,Port,TLS-Version,Ciphers,Application-CPE
192.168.12.34,www.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,cpe:/a:apache:http_server:2.2.22;cpe:/a:php:php:5.4.4
192.168.56.78,www2.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,cpe:/a:apache:http_server:2.2.22

Separated by commas, each line contains the following information:


• IP The IP address of the system where the service was detected.
• Host The DNS name of the system in case it is available.
• Port The port where the service was detected.
• TLS-Version The protocol versions offered by the service. In case more than one is offered, the
versions are separated with semicolons.
• Ciphers The cipher suites offered by the service. In case more than one is offered, the
suites are separated with semicolons.
• Application-CPE The detected application in CPE format. In case more than one is identified,
the applications are separated with semicolons.
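The following is an added example (not part of the Greenbone manual and not the TLS Map report format plug-in) that reads an export in the layout just described and flags services still offering legacy protocol versions or weak cipher suites, which is usually the reason for running a TLS-Map scan in the first place. The sample rows are constructed to match the format above, and the list of what counts as legacy or weak is this example's own assumption, not a GSM setting:

```python
"""Parse a GSM "TLS Map" CSV export and flag legacy protocols and ciphers.

Added example, not Greenbone code. Column layout and the ';' separator
inside multi-valued columns follow the export described in the manual;
the sample rows and the weak-crypto policy below are this example's own.
"""
import csv
import io

# Constructed sample export in the layout shown in the manual.
SAMPLE_CSV = """\
IP,Host,Port,TLS-Version,Ciphers,Application-CPE
192.168.12.34,www.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,cpe:/a:apache:http_server:2.2.22;cpe:/a:php:php:5.4.4
192.168.56.78,www2.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,cpe:/a:apache:http_server:2.2.22
10.0.0.5,,8443,TLSv1.2;TLSv1.3,TLS_AES_256_GCM_SHA384;TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"""

# Assumed policy (not a GSM setting): protocol versions that should no
# longer be offered, and substrings that mark a cipher suite as weak.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")


def _split(field):
    """Split a ';'-separated column, dropping the empty string for blanks."""
    return [item for item in field.split(";") if item]


def parse_tls_map(text):
    """Return one dict per CSV row with the multi-valued columns as lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": row["IP"],
            "host": row["Host"] or None,
            "port": int(row["Port"]),
            "versions": _split(row["TLS-Version"]),
            "ciphers": _split(row["Ciphers"]),
            "cpes": _split(row["Application-CPE"]),
        })
    return rows


def find_weak_services(rows):
    """Return (ip, port, reason) for every legacy protocol or weak suite."""
    findings = []
    for r in rows:
        for version in r["versions"]:
            if version in LEGACY_PROTOCOLS:
                findings.append((r["ip"], r["port"], "protocol " + version))
        for suite in r["ciphers"]:
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append((r["ip"], r["port"], "cipher " + suite))
    return findings


def hosts_by_cpe(rows):
    """Invert the export: which ip:port pairs run a given application CPE."""
    index = {}
    for r in rows:
        for cpe in r["cpes"]:
            index.setdefault(cpe, []).append("%s:%d" % (r["ip"], r["port"]))
    return index


if __name__ == "__main__":
    parsed = parse_tls_map(SAMPLE_CSV)
    for ip, port, reason in find_weak_services(parsed):
        print("%s:%d %s" % (ip, port, reason))
    for cpe, where in sorted(hosts_by_cpe(parsed).items()):
        print(cpe, "->", ", ".join(where))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the CPE index is handy for answering "which hosts still run this Apache version" without a second scan.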

13.5 OVAL System Characteristics

The Open Vulnerability and Assessment Language (OVAL)125 is an approach for a standardized de-
scription of the (security) state of an IT system. OVAL files describe a vulnerability and define tests to
identify the state in which a system is vulnerable. They usually refer to specific versions of software
products for which a known vulnerability exists.
This means that in order to check for vulnerabilities described in an OVAL definition, information about
the current state of the system is needed. This information is collected in a standardized format as
well — the OVAL System Characteristics (SC).
There are a number of solutions which perform checks based on OVAL definitions and SC files. OVAL
definitions are provided by various vendors126. MITRE provides the OVAL Repository127 with more than
13,000 entries.

13.5.1 Preparing the Scan

Each OVAL SC file contains only information about one system. Collecting a large number of SCs from
many different systems in one single step is possible when using the GSM.
Greenbone Networks provides two report format plug-ins:
• OVAL System Characteristics128 : Produces a single SC file in XML format.
• OVAL System Characteristics Archive129 : Can be used for an arbitrary number of SCs which are
collected in a ZIP file. The names of the individual SC files contain the IP address of the target
system.
1. Download the desired report format plug-in.

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they
are written in the footnotes.

2. Select Configuration > Report Formats.


3. Click the import icon.
4. Click Browse... and select the previously downloaded report format plug-in.
5. Click Create.
→ The imported report format is displayed on the page Report Formats.
6. Verify the signature of the report format by clicking the verify icon.
7. In the row of the report format click the edit icon.
8. For Active select Yes.
9. Click Save.
125 http://oval.mitre.org/
126 http://oval.mitre.org/repository/about/other_repositories.html
127 http://oval.mitre.org/repository/
128 https://download.greenbone.net/rfps/oval-sc-1.0.1.xml
129 https://download.greenbone.net/rfps/oval-sc-archive-1.0.0.xml


13.5.2 Collecting and Exporting Scan Results as OVAL SCs

During a scan the Greenbone Security Manager (GSM) collects large amounts of data about the target
system. This information is managed in an optimized data pool. Parts of this information are usable
as components of an OVAL System Characteristics file.

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they are
written in the footnotes.

The creation of OVAL SC files is not enabled by default but has to be explicitly enabled. A scan config-
uration can be used to achieve this.
1. Download the scan configuration Collect OVAL SC Scan Config130 .
2. Select Configuration > Scan Configs in the menu bar.
3. Click the import icon.
4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a
scan configuration (page 239)).
5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs (see figure Imported
scan configuration on the page Scan Configs (page 239)).

Fig. 13.48: Importing a scan configuration

Fig. 13.49: Imported scan configuration on the page Scan Configs

Note: The most comprehensive results for a target system are collected using authenticated
scans. For this an account on the target system is required. Ensure that the account has the
necessary privileges. For Unix-like systems an account with low privileges is usually sufficient;
for Windows systems administrative privileges are required.

6. To do so, select Configuration > Credentials in the menu bar and create a new credential by click-
ing the new icon. Save the credential by clicking Create (see figure Creating a new credential (page 240)).

7. Select Configuration > Targets in the menu bar.


8. Create a new target by clicking the new icon.
9. Define the target system and, if applicable, choose the respective credentials (see figure Creat-
ing a new target (page 240)).
130 https://download.greenbone.net/scanconfigs/collect-oval-sc-v2.xml


Fig. 13.50: Creating a new credential

Note: The example shows the creation of a Linux target. For a Windows target the credential
must be set in the drop-down-list SMB instead of SSH.

Fig. 13.51: Creating a new target

10. Click Save.


11. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created targets.
Select Scans > Tasks in the menu bar.
12. Create a new task by clicking the new icon and selecting New Task.
13. Define the task with the desired scan configuration (see figure Creating a new task (page 241)).
14. Click Create.
→ The task is created and displayed on the page Tasks.
15. Start the scan by clicking the start icon of the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

Fig. 13.52: Creating a new task

16. When the scan is completed, select Scans > Reports in the menu bar.
17. Click on the date of the report to show the results.

Note: The results are returned in the severity category “Log”. By default, the category “Log” is
suppressed.

18. To adjust the displayed severity categories, click the edit icon of the filter.


19. For Severity (Class) activate the checkbox Log.
20. Click Update.
21. Move the mouse over Report: Results.
→ A drop-down-list is opened (see figure Opening the page Report: Summary and Download
(page 241)).

Fig. 13.53: Opening the page Report: Summary and Download

22. Click Report: Summary and Download.


Note: The report is available in a full or a filtered version. In the filtered version, the currently
applied filter (besides rows and first) is considered.

23. In the row of the full version, select OVAL-SC or OVAL-SC Archive in the drop-down-list in the
column Download.
24. In the row of the full version click the download icon.
→ The report is exported as an XML file or as a ZIP file containing XML files.

13.6 Policy Control Scans

Using the GSM it is possible to check specific settings of a target system, comparing the desired
configuration with the current one.
1. Download the scan configuration Policy Controls Scan Configuration131 .

Important: External links to the Greenbone download website are case-sensitive.


Note that upper cases, lower cases and special characters have to be entered exactly as they
are written in the footnotes.

2. Select Configuration > Scan Configs in the menu bar.


3. Click the import icon.
4. Click Browse... and select the previously downloaded scan configuration.
5. Click Create.
→ The imported scan configuration is displayed on the page Scan Configs.
6. Click the edit icon of the scan configuration.
7. In the section Edit Network Vulnerability Test Families click the edit icon for Policy.
8. Select the tests that should be executed.
9. Click Save to save the family of NVTs.
10. Click Save to save the scan configuration.
11. If the selected tests require credentials, select Configuration > Credentials in the menu bar and create a new credential by click-
ing the new icon. Save the credential by clicking Create (see figure Creating a new credential (page 242)).

Fig. 13.54: Creating a new credential

131 https://download.greenbone.net/policy_controls_scan_config_v1.0.xml


12. Select Configuration > Targets in the menu bar.
13. Create a new target by clicking the new icon.
14. Define the target system and, if applicable, choose the respective credentials (see figure Creat-
ing a new target (page 243)).

Fig. 13.55: Creating a new target

15. Click Save.


16. Now the actual task is created. This means to combine the newly created scan configuration
with the newly created targets.
Select Scans > Tasks in the menu bar.
17. Create a new task by clicking the new icon and selecting New Task.
18. Define the task with the desired scan configuration (see figure Creating a new task (page 244)).

19. Click Create.


→ The task is created and displayed on the page Tasks.
20. Start the scan by clicking the start icon for the respective task.
→ The scan is running. As soon as the status changes to Done the complete report is available.
At any time the intermediate results can be reviewed.

Note: It can take a while for the scan to complete. The page is refreshing automatically if an
auto-refresh is set (see Chapter Setting the Auto-Refresh (page 89)).

21. When the scan is completed, select Scans > Reports in the menu bar.
22. Click on the date of the report to show the results.

Note: The results are returned in the severity category “Log”. By default, the category
“Log” is suppressed.


Fig. 13.56: Creating a new task

23. To adjust the displayed severity categories, click the edit icon of the filter.


24. For Severity (Class) activate the checkbox Log.
25. Click Update.

CHAPTER 14

Greenbone Management Protocol

The vulnerability management functionality of the GSM appliance is also available via the Greenbone
Management Protocol (GMP).
GMP was formerly known as OMP. Greenbone Networks provides tools to access the func-
tionality made available by GMP. While the gvm-tools (see section GVM-Tools (page 285)) may
be used to connect to both GOS 4 and older GOS 3.1 appliances, the older omp.exe (see
https://docs.greenbone.net/GSM-Manual/gos-3.1/en/omp.html) tool is not compatible with GOS 4.
This documentation covers gvm-tools up to version 1.4.1.
The newest version of GMP is documented at the Greenbone TechDoc portal:
https://docs.greenbone.net/API/GMP/gmp.html

14.1 Changes to GMP

The Greenbone Management Protocol (GMP) is updated regularly to adapt to changes in the function-
ality provided by the underlying service and to provide a consistent and comprehensive interface.
Updates result in a new version of GMP being released. Each new version includes a list of added,
modified and removed protocol elements like commands or attributes. The most recent version of
the list is available at https://docs.greenbone.net/API/GMP/gmp.html#changes.
A comprehensive documentation of actions required by users of the protocol and a migration guide is
provided by Greenbone Networks.
Depending on the impact and the nature of the change, the old way of accessing functionality may
continue to be available for a time. During this transitional phase, the new way to access functionality
will be available alongside the previous, now deprecated manner. The subsequent protocol version
will then remove support for outdated elements.
Outdated elements are documented at https://docs.greenbone.net/API/GMP/gmp.html#deprecations.
This list helps to prepare early for upcoming changes, but does in no way represent the complete list
of upcoming changes.

14.2 Activating GMP

To be able to use GMP it first needs to be activated on the GSM appliance. The web interface uses
GMP only locally on the appliance and not through the network. Activating GMP can be performed
using the GOS administration menu (see Chapter Configuring GMP (page 41)). Access to GMP over the
network is always encrypted and authenticated (via SSH on GOS 4, via TLS on older appliances). The
same user accounts as in the web interface are used; they are subject to the same restrictions and
have exactly the same permissions.


14.3 Accessing with gvm-cli.exe

While the GMP documentation allows anyone to develop their own client for the GSM, Greenbone has
developed a command line application for easy access and a Python shell and makes both available on
the website for Linux and Windows. The tool and the download locations are described in Chapter
GVM-Tools (page 285).
GMP is XML based. Every command and every response is a GMP XML element.
The command line tool gvm-cli.exe supplied by Greenbone Networks offers the direct sending and
receiving of XML commands and XML responses.
The tool supports the following connections:
• tls
• ssh
• socket
The command line tool supports several switches. These can be displayed using:
$ gvm-cli -h
usage: gvm-cli [-h] [-V] [connection_type] ...

gvm-cli 1.2.0 (C) 2017 Greenbone Networks GmbH

This program is a command line tool to access services via
GMP (Greenbone Management Protocol).

Examples:
gvm-cli --xml "<get_version/>"
gvm-cli --xml "<commands><authenticate><credentials><username>myuser</username>
<password>mypass</password></credentials></authenticate><get_tasks/></commands>"
...

While the tool supports more switches the additional options are only displayed when the connec-
tion_type is specified:
$ gvm-cli ssh -h
usage: gvm-cli ssh [-h] [-c [CONFIG]] [--timeout TIMEOUT]
[--log [{DEBUG,INFO,WARNING,ERROR,CRITICAL}]]
[--gmp-username GMP_USERNAME] [--gmp-password GMP_PASSWORD]
[-X XML] --hostname HOSTNAME [--port PORT]
[--ssh-user SSH_USER]
[infile]

positional arguments:
infile

optional arguments:
-h, --help show this help message and exit
-c [CONFIG], --config [CONFIG]
Configuration file path. Default: ~/.config/gvm-tools.conf

...

While the current GSM appliances (GOS 4) use SSH to protect GMP, older appliances used TLS and Port
9390 to transport GMP. The gvm-tools may be used with both the older and the current GOS.
The tools are mostly helpful for batch mode (batch processing, scripting).
With this tool GMP can be used in a simple way:

gvm-cli --xml "<get_version/>"
gvm-cli --xml "<get_tasks/>"
gvm-cli < file

14.3.1 Configuring the Client

To use the gvm-cli command you need to log in to the appliance. The required information is
supplied either using command line switches or a configuration file (~/.config/gvm-tools.conf).
To provide the GMP user using command line switches use:
• --gmp-username
• --gmp-password
Alternatively a configuration file ~/.config/gvm-tools.conf containing this information may be cre-
ated:
[Auth]
gmp_username=webadmin
gmp_password=kennwort

This configuration file is not read by default. The command line switch --config or -c has to be
added to read the configuration file. Because the file holds the GMP password in clear text, restrict
it to the owning user (for example chmod 600 ~/.config/gvm-tools.conf). A password passed with
--gmp-password is visible to other local users in the process list, so for scripts the configuration
file is the better choice.

14.3.2 Starting a Scan Using gvm-cli

A typical example for using GMP is the automatic scan of a new system. Below we assume that an
Intrusion Detection System is in use that monitors the systems in the DMZ and immediately discovers
new systems and unusual TCP ports not used up to now. If such an event is discovered, the IDS should
automatically initiate a scan of the new system. This should be done with the help of a script. For this,
gvm-cli can be used, although the gvm-pyshell or self-written Python scripts might be more
suitable: the processing of the XML output is better supported by Python than by the shell.
Starting point is the IP address of the new suspected system. A target needs to be created for this IP
address in the GSM.
Under https://docs.greenbone.net/API/OMP/omp-7.0.html#command_create_target the command
create_target is described.
If the IP address is saved in the variable IPADDRESS the respective target can be created with the
following command:
$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 \
--xml "<create_target><name>Suspect Host</name>\
<hosts>$IPADDRESS</hosts></create_target>"

<create_target_response status="201" status_text="OK, resource created" id="4574473f-a5d0-494c-be6f-3205be487793"/>


Now the task can be created:


$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 \
--xml "<create_task><name>Scan Suspect Host</name> \
<target id=\"4574473f-a5d0-494c-be6f-3205be487793\"></target> \
<config id=\"daba56c8-73ec-11df-a475-002264764cea\"></config></create_task>"

<create_task_response status="201" status_text="OK, resource created" id="ce225181-c836-4ec1-b83f-a6fcba70e17d"/>

The output is the ID of the task. It is required to start and monitor the task.
The other IDs used by the command may be retrieved using the following commands displaying the
available targets and scan configs:
$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 --xml "<get_targets/>"

$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 --xml "<get_configs/>"

The output of the above commands is XML.

Now the task needs to be started:
$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 \
--xml '<start_task task_id="ce225181-c836-4ec1-b83f-a6fcba70e17d"/>'

The connection will be closed by the GSM.

Now the task is running. The status of the task can be displayed with the following command:
$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 \
--xml '<get_tasks task_id="ce225181-c836-4ec1-b83f-a6fcba70e17d"/>'

<get_tasks_response status="200" status_text="OK"><apply_overrides>
...<status>Running</status><progress>98<host_progress>
<host>192.168.255.254</host>98</host_progress></progress>.../>

As soon as the scan is completed, the report can be downloaded. For this the ID that was output when
the task was started is required. Also, a meaningful report format must be entered. The IDs for the
report formats can be displayed via:
$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 --xml '<get_report_formats/>'

Now the report can be loaded:
$ gvm-cli ssh --gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115 \
--xml '<get_reports report_id="23a335d6-65bd-4be2-a83e-be330289eef7" \
format_id="35ba7077-dc85-42ef-87c9-b0eda7e903b6"/>'

For a complete automatic processing of the data the task could be combined with an alert that could
send out the report automatically at a specific severity level.
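In the shell commands above the IDS-supplied value of IPADDRESS is pasted straight into the XML. If that value can be influenced by what the IDS observed (a spoofed reverse-DNS name, for instance), an embedded '<' or '&' will break or alter the GMP command. The following added example, written for this section and not Greenbone or gvm-tools code, validates the host, builds the same three commands with an XML library so that escaping is automatic, and checks the response status codes. The fake_send transport and the response strings are constructed to match the shapes shown above; the scan config id is the Full and Fast id used in the commands. In practice send would wrap a call to gvm-cli or a gvm-tools connection:

```python
"""Build GMP commands with proper XML escaping and check their responses.

Added example for this manual section, not gvm-tools or Greenbone code.
The responses returned by fake_send are constructed to match the shapes
shown in the manual; no GSM is contacted.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Full and Fast scan config id, as used in the gvm-cli example above.
FULL_AND_FAST = "daba56c8-73ec-11df-a475-002264764cea"


class GmpError(Exception):
    """Raised for any GMP response outside the 2xx range."""


def validate_host(value):
    """Accept exactly one IPv4/IPv6 address; anything else raises ValueError.

    The IDS hands over an address, so a value such as
    '1.2.3.4</hosts><hosts>10.0.0.1' is rejected before it reaches the XML.
    """
    return str(ipaddress.ip_address(value.strip()))


def create_target_xml(name, host):
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = name  # escaped by ElementTree
    ET.SubElement(root, "hosts").text = validate_host(host)
    return ET.tostring(root, encoding="unicode")


def create_task_xml(name, target_id, config_id):
    root = ET.Element("create_task")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "target", id=target_id)
    ET.SubElement(root, "config", id=config_id)
    return ET.tostring(root, encoding="unicode")


def start_task_xml(task_id):
    return ET.tostring(ET.Element("start_task", task_id=task_id),
                       encoding="unicode")


def parse_response(xml_text):
    """Return (status, id) from a GMP response element, raising on 4xx/5xx.

    The manual notes that the GSM still answers 400 for missing or wrong
    authentication, so status_text is kept in the error to tell a real
    syntax error from an authentication failure.
    """
    root = ET.fromstring(xml_text)
    status = int(root.get("status", "0"))
    if not 200 <= status < 300:
        raise GmpError("%s: %d %s" % (root.tag, status,
                                       root.get("status_text", "")))
    return status, root.get("id")


def run_suspect_host_scan(send, host, config_id=FULL_AND_FAST,
                          name="Suspect Host"):
    """create_target -> create_task -> start_task, returning both ids.

    `send` delivers one command string and returns the raw response; in
    production it would wrap `gvm-cli ssh ... --xml` or a gvm-tools
    connection, here it is a parameter so the flow runs offline.
    """
    _, target_id = parse_response(send(create_target_xml(name, host)))
    _, task_id = parse_response(
        send(create_task_xml("Scan " + name, target_id, config_id)))
    parse_response(send(start_task_xml(task_id)))
    return target_id, task_id


def fake_send(command):
    """Constructed stand-in for the GSM, answering like the manual's examples."""
    if command.startswith("<create_target>"):
        return ('<create_target_response status="201" '
                'status_text="OK, resource created" id="target-0001"/>')
    if command.startswith("<create_task>"):
        return ('<create_task_response status="201" '
                'status_text="OK, resource created" id="task-0001"/>')
    if command.startswith("<start_task"):
        return ('<start_task_response status="202" '
                'status_text="OK, request submitted"/>')
    return '<gmp_response status="400" status_text="Bogus command"/>'


if __name__ == "__main__":
    print(run_suspect_host_scan(fake_send, "192.168.255.254"))
```

Pass the generated strings to gvm-cli with --xml exactly as the shell examples do; the only difference is that the XML is now produced by code that cannot be confused by the input, and a 4xx answer (including the 400 the GSM returns for a failed login) stops the script instead of silently creating nothing.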

14.4 gvm-pyshell

The command line tool gvm-pyshell.exe supplied by Greenbone Networks offers the direct sending
and receiving of XML commands and XML responses using Python commands. These commands take care
of the generation and parsing of the XML data.
The tool supports the following connections:
• tls
• ssh
• socket
While the current GSM appliances (GOS 4) use SSH to protect GMP, older appliances used TLS and Port
9390 to transport GMP. The gvm-tools may be used with both the older and the current GOS.
The tools are mostly helpful for batch mode (batch processing, scripting).
The authentication configuration of the gvm-pyshell can be stored in a file in the home directory of
the user. The syntax is explained in section Configuring the Client (page 247).
The Python implementation follows the GMP API. Under https://docs.greenbone.net/API/OMP/omp-
7.0.html the API is described. Optional arguments in the API are identified by a ?. The following exam-
ple explains the usage of the Python functions:
gmp.create_task("Name","Config","Scanner","Target",comment="comment")

While mandatory arguments may be supplied in the correct order and are identified automatically
they may also be specified using their identifier:
gmp.create_task(name="Name",config_id="Config",scanner_id="Scanner",
target_id="Target",comment="comment")

14.4.1 Starting a Scan Using gvm-pyshell

A typical example for using GMP is the scan of a new system. Below we assume that an Intrusion
Detection System is in use that monitors the systems in the DMZ and immediately discovers new
systems and unusual TCP ports not used up to now. If such an event is being discovered, the IDS
should automatically initiate a scan of the new system. This should be done with the help of a script.
For this, the gvm-pyshell is very suitable. The processing of the XML output is better supported by
Python than by the shell.
Starting point is the IP address of the new suspected system. A target needs to be created for this IP
address in the GSM.
Under https://docs.greenbone.net/API/OMP/omp-7.0.html#command_create_target the command
create_target is described.
The following lines will first step through the required commands using the interactive python shell:
$ gvm-pyshell ssh \
--gmp-username webadmin --gmp-password kennwort \
--hostname 192.168.222.115
GVM Interactive Console. Type "help" to get information about functionality.
>>> res=gmp.create_target("Suspect Host", True, hosts="192.168.255.254")
>>> target_id = res.xpath('@id')[0]

The variable target_id contains now the ID of the created target. This ID can now be used to create
the corresponding task.
The task creation requires the following input:
• target_id
• config_id
• scanner_id
• task_name


• task_comment
To display all available scan configurations the following code may be used:
>>> res = gmp.get_configs()
>>> for i, conf in enumerate(res.xpath('config')):
...     id = conf.xpath('@id')[0]
...     name = conf.xpath('name/text()')[0]
...     print('\n({0}) {1}: ({2})'.format(i, name, id))

The scanners can be discovered using the same technique. If only the built-in scanners are used,
the following IDs are fixed:
• OpenVAS 08b69003-5fc2-4037-a479-93b440211c73
• CVE 6acd0832-df90-11e4-b9d5-28d24461215b
To create the task use the following command:
>>> res=gmp.create_task(name="Scan Suspect Host",
...                     config_id="daba56c8-73ec-11df-a475-002264764cea",
...                     scanner_id="08b69003-5fc2-4037-a479-93b440211c73",
...                     target_id=target_id)
>>> task_id = res.xpath('@id')[0]

To start the task use:
>>> gmp.start_task(task_id)

The current version of the GSM (4.1.7) closes the connection in the gvm-pyshell immediately. Further
commands are not possible.
All these commands may be put in a python script which may be invoked by the gvm-pyshell:
len_args = len(args.script) - 1
if len_args != 2:
    message = """
    This script creates a new task for a given target name and host,
    using the hard-coded "Full and Fast" scan config and the OpenVAS scanner.
    It needs two parameters after the script name:
    the name of the target and the host to scan. The task is named "<target> Task".

    Example:
    $ gvm-pyshell ssh newtask target host
    """
    print(message)
    quit()

target = args.script[1]
host = args.script[2]
task = target + " Task"

# Full and Fast
myconfig_id = "daba56c8-73ec-11df-a475-002264764cea"

# OpenVAS Scanner
myscanner_id = "08b69003-5fc2-4037-a479-93b440211c73"

# Create the target; the response carries the new id in its id attribute.
res = gmp.create_target(target, True, hosts=host)
mytarget_id = res.xpath('@id')[0]

# Create the task that combines target, scan config and scanner.
res = gmp.create_task(name=task,
                      config_id=myconfig_id,
                      scanner_id=myscanner_id,
                      target_id=mytarget_id)
mytask_id = res.xpath('@id')[0]

gmp.start_task(mytask_id)

14.5 Example Scripts

The gvm-tools come with a collection of example scripts which may be used by the
gvm-pyshell.exe tool. Currently the following scripts are available for gvm-tools version
1.4.1 (https://github.com/greenbone/gvm-tools/tree/v1.4.1/scripts):
• application-detection.gmp
This script will display all hosts with the searched application.
• cfg-gen-for-certs.gmp
This script creates a new scan config with nvts based on a given CERT-Bund Advisory.
• clean-slave.gmp
This script removes all resources from a sensor except active tasks.
• create-dummy-data.gmp
This script generates dummy data.
• DeleteOverridesByFilter.gmp
This script deletes overrides using a filter.
• monthly-report2.gmp
This script will display all vulnerabilities based on the reports of a given month. Made for GOS
4.x.
• monthly-report.gmp
This script will display all vulnerabilities based on the reports of a given month. Made for GOS
3.1.
• nvt-scan.gmp
This script creates a new task with specific host and nvt using hardcoded base config.
• startNVTScan.gmp
This script interactively creates a new task with specific host and nvt.
• SyncAssets.gmp
This script will upload assets to the asset db.
• SyncReports.gmp
This script will pull reports and upload these to a second GSM using container tasks.
These scripts may serve as a starting point for the development of private scripts.

14.5.1 Status Codes

GMP uses status codes for communication. These status codes can be displayed in the web interface.

The status codes are similar to HTTP status codes. The following codes are being used:
2xx: The command was sent, understood and accepted successfully.
• 200: OK
• 201: Resource created

• 202: Request submitted

Fig. 14.1: GMP uses status codes and alerts to display statuses.


4xx: A user error occurred.
400: Syntax error This could be different syntax errors. Often elements or attributes in the
GMP command are missing. The status text shows additional information. Currently this
status code is also used for missing or wrong authentication.
401: Authenticate First This is the error code that is being used for missing or wrong authen-
tication. Currently the value 400 is still being used.
403: Access to resource forbidden This is the error code that is being used for having not
enough permissions. Often 400: Permission denied will be displayed instead as
well.
404: Resource missing The resource could not be found. The resource ID was empty or wrong.
409: Resource busy This error code happens, for example, if the feed synchronization is being
started while it is already in progress.
5xx: A server error occurred
500: Internal Error This could be entries that exceed an internal bu er size.
503: Scanner loading NVTs The scanner is currently busy loading the NVTs from its cache. Try
again later.
503: Service temporarily down Possibly the scanner daemon is not running. Often the problem
could be expired certificates.
503: Service unavailable The GMP command is blocked on the GSM.

CHAPTER 15

Master-Sensor Setup

Due to security reasons it is often not possible to scan specific network segments directly. For ex-
ample, direct access to the internet may be prohibited. To overcome this issue, the Greenbone Secu-
rity Manager (GSM) supports the setup of a distributed scan system: Two or more GSMs in different
network segments can be connected securely in order to run vulnerability tests for those network
segments that are otherwise not accessible.
In this case one GSM controls one or more other GSMs remotely. A controlling GSM is referred to as a
“master” and a controlled GSM is referred to as a “sensor”.
GSMs of the medium enterprise class and upwards can be used as a master (see Chapter Greenbone
Security Manager – Overview (page 5)). All GSM types except for GSM ONE/MAVEN can be used as a
sensor. The GSM types GSM 35 and 25V can only be used as a sensor and are always controlled by a
master.
All sensors can be managed directly by the master including automatic or manual updates of the
Greenbone Security Feed (GSF) as well as the Greenbone Operating System (GOS). A sensor does not
require any network connectivity other than to the master and the scan targets and no further ad-
ministrative steps after the initial setup. The connection between master and sensor is established
using the Secure Shell (SSH) protocol via port 22/TCP.
If a sensor should perform scans remotely, it has to be configured as a remote scanner. The user can
individually configure a scan for the remote scanner using the web interface of the master depend-
ing on requirements and permissions. The remote scanner runs the scan and relays the results to
the master where all vulnerability information is managed. The connection to a remote scanner is
established by using the Greenbone Management Protocol (GMP) via SSH.
To distinguish between the sensor and remote scanner terminology:
• Sensors This feature requires the setup of the master-sensor link using the GOS administra-
tion menu of both the master and the sensor. This feature then supports the remote feed
synchronization and the upgrade management of the sensor.
• Remote Scanners This feature requires the activation of GMP on the sensor using the GOS ad-
ministration menu and the setup of the remote scanner using the web interface on the mas-
ter. This feature then supports the execution of scans via the sensor.

15.1 Configuring a Master-Sensor Setup

15.1.1 Connecting a Master to a Sensor

A master can be linked to a sensor as follows:


1. Open the GOS administration menu of both the master and the sensor (see Chapter GOS Admin-
istration Menu Access (page 21)).
2. In the GOS administration menu of the master select Setup and press Enter.


3. Select Master and press Enter.


4. Select Master Identifier and press Enter.
5. Select Download and press Enter.
6. Open the web browser and enter the displayed URL (see figure Downloading the master identi-
fier (page 254)).

Fig. 15.1: Downloading the master identifier

7. Download the PUB file.
→ When the key is downloaded, the GOS administration menu of the master displays the finger-
print of the key for verification.

Important: Do not confirm the fingerprint until the key is uploaded to the sensor.

8. In the GOS administration menu of the sensor select Setup and press Enter.
9. Select Sensor and press Enter.
10. Select Configure Master and press Enter.
11. Select Upload and press Enter.
12. Open the web browser and enter the displayed URL.
13. Click Browse..., select the previously downloaded PUB file and click Upload.
→ When the key is uploaded, the GOS administration menu of the sensor displays the fingerprint
of the key for verification.
14. Compare the fingerprint to the fingerprint displayed on the GOS administration menu of the
master.
If the fingerprints match, press Enter in both GOS administration menus.
15. In the GOS administration menu of the sensor select Save and press Enter.
16. Perform twice: Press Tab and press Enter.
17. Select Services and press Enter.
18. Select SSH and press Enter.
19. Select SSH State and press Enter.
→ SSH is enabled on the sensor.


20. Select Save and press Enter.

Note: On GSM 25V and GSM 35 the GMP service is always enabled.
If one of these types is used, continue with step 25.

21. Press Tab and press Enter.


22. Select GMP and press Enter.
23. Select GMP-State and press Enter.
→ A message informs that the changes have to be saved.
24. Select Save and press Enter.
25. In the GOS administration menu of the master select Setup and press Enter.
26. Select Master and press Enter.
27. Select Sensors and press Enter.
28. Select Add a new sensor and press Enter.
29. Enter the IP address or the host name of the sensor in the input box and press Enter.
→ Additional menu options for the sensor configuration are shown (see figure Sensor configu-
ration menu (page 255)).

Fig. 15.2: Sensor configuration menu

30. Select Auto and press Enter.


→ The master connects to the sensor automatically and retrieves the identifier.
The fingerprint of the identifier is displayed on the GOS administration menu of the master.
31. In the GOS administration menu of the sensor select Setup.
32. Select Sensor and press Enter.
33. Select Sensor Identifier and press Enter.
34. Select Fingerprint and press Enter.


35. Compare the fingerprint to the fingerprint displayed on the GOS administration menu of the
master.
If the fingerprints match, press Enter in the GOS administration menu of the master.
36. Select Save and press Enter.
37. Select Test and press Enter.
→ The configuration of the sensor is tested.
If the test fails, a warning with instructions is displayed.

Fig. 15.3: Testing the sensor configuration

Note: Once configured successfully, sensors can be managed directly on the master using the GOS
administration menu as follows:
1. Select Maintenance and press Enter.
2. Select Feed and press Enter.
3. Select Sensors and press Enter.
or
2. Select Upgrade and press Enter.
3. Select Sensors and press Enter.

15.1.2 Creating a Scan User Account

In addition to linking the master and the sensor, a scan user account on the sensor is required for using
the sensor as a remote scanner (see Chapter Configuring a Sensor as a Remote Scanner (page 257)).
The scan user can be created as follows:
1. In the GOS administration menu of the sensor select Setup and press Enter.
2. Select User and press Enter.
3. Select Users and press Enter.
4. Select Admin User and press Enter.


5. Determine the user name and the password of the scan user and press Tab.
6. Press Enter.

15.2 Deploying Sensors in Secure Networks

In master-sensor setups the master stores all vulnerability information and credentials. A sensor
does not store any information permanently (except for NVTs).
Because of this the master needs to be placed in the highest security zone, with communication to the
outside (to the sensors). All communication is initiated by the master in the higher security zone
down to the sensor in the lower security zone.

Note: A firewall separating the different zones only needs to allow connections from the master to
the sensor. No additional connections need to be allowed into the higher security zone.

Master and sensor appliances communicate via the SSH protocol. Port 22/TCP is used by default. For
backward compatibility port 9390/TCP can be used. This can be configured as follows:
1. In the GOS administration menu of the sensor select Setup.
2. Select Sensor and press Enter.
3. Select Port 9393 and press Enter.
4. Select Save and press Enter.
On sensors GSF updates and GOS upgrades can be downloaded either directly from the Greenbone
Networks servers or using the master. In the second case only the master contacts the Greenbone
Networks servers and distributes the corresponding files to all connected sensors. To prevent the
sensor from contacting the Greenbone Networks servers, automatic synchronization can be disabled
as follows:
1. In the GOS administration menu of the sensor select Setup.
2. Select Feed and press Enter.
3. Select Synchronisation and press Enter.
4. Select Save and press Enter.

Tip: As an additional layer of security, a source and destination NAT rule on a flow-aware firewall can
be used to avoid the need for default routes on the GSM appliances.

15.3 Configuring a Sensor as a Remote Scanner

Note: In order to configure a sensor as a remote scanner, all steps in Chapter Connecting a Master to
a Sensor (page 253) have to be completed first.

Sensors can be used as remote scanning engines (scanners) on the master in addition to the default
OpenVAS and CVE scanners. For this, the sensor must be configured as a remote scanner using the
web interface of the master.

Note: Since the communication between the master and the remote scanner is based on GMP, a
remote scanner is referred to as a GMP scanner.


A new remote scanner can be configured as follows:


1. Log into the web interface of the master.
2. Select Configuration > Scanners in the menu bar.
3. Create a new scanner by clicking .
4. Define the name of the remote scanner.
5. Enter the IP address or the host name of the sensor in the input box Host.
6. Choose GMP Scanner in the drop-down-list Type (see figure Configuring the remote scanner on
the master (page 258)).

Fig. 15.4: Configuring the remote scanner on the master

7. Create a new credential by clicking .


8. Enter the account information of the scan user account (see Chapter Creating a Scan User Ac-
count (page 256)) in the input boxes Username and Password.
9. Click Create to create the credential.
10. Click Create to create the remote scanner.
11. In the row of the newly created remote scanner click to verify the scanner.
→ If the setup is correct, the scanner is successfully verified (see figure Verifying the scanner
(page 258)).

Fig. 15.5: Verifying the scanner

Tip: Scanners are configured on a per-user basis. Scanners can be created for each user or permis-
sions can be used to grant usage rights to other users (see Chapter Managing Permissions (page 98)).

15.4 Using a Remote Scanner

After a sensor is configured as a remote scanner, scan tasks can be configured on the master to run
on the sensor (see Chapter Creating a Task (page 115)).
An already created task can be moved to a remote scanner as follows:


Fig. 15.6: Selecting the remote scanner for a task

1. Select Scans > Tasks in the menu bar.


2. Click on the name of the desired task to display the details.
3. Move the mouse over and select the remote scanner to which the task should be moved.

CHAPTER 16

Performance

When operating the Greenbone Security Manager (GSM), a considerable amount of data can be transmitted
by the target systems. The available scan results are also analyzed, filtered and processed by the GSM.
On larger GSM types this occurs generally at the same time and by many users and processes.
This chapter covers the diverse questions regarding performance and discusses optimization options.

16.1 Scan Performance

The speed of a scan depends on many parameters. This section points out the most important settings
and makes some recommendations.

16.1.1 Selecting a Port List for a Scan

The port list configured for a target, and thus for its tasks and scans, has a large influence on the
discovery performance and on the scan duration.
Both aspects must be evaluated when planning the vulnerability scanning.

Ports and Port Lists

Ports are the connection points of network communication. A port on one system connects with a
port on another system.
Every system has 65535 TCP ports and 65535 UDP ports. Additionally, there is the special port 0.
In a connection between two TCP ports data transmission occurs in both directions. For UDP ports
data transmission only occurs in one direction. Because data received via UDP is not necessarily
acknowledged, testing UDP ports usually takes longer.
Ports 0 to 1023 need to be highlighted as the so-called privileged or system ports, which cannot be
opened by unprivileged user applications.
At the IANA (Internet Assigned Numbers Authority) standard protocol ports can be reserved, which are
then assigned a protocol name, like port 80 for http or port 443 for https.
Over 5000 ports are registered at IANA.
All ports of all internet-accessible systems have been analyzed and lists of the most used ports were
created. Those do not necessarily reflect the IANA list because there is no obligation to register a
specific service type for a respective port.
Typically, desktop systems have fewer ports open than servers. In general, active network components
such as routers, printers and IP phones have only very few ports open: those they require for their
actual task and for their maintenance.


The following port lists are predefined on the GSM:


• All IANA assigned TCP 2012-02-10: All TCP ports assigned by IANA on 10th of February 2012
• All IANA assigned TCP and UDP 2012-02-10: All TCP and UDP ports assigned by IANA on 10th of
February 2012
• All privileged TCP
• All privileged TCP and UDP
• All TCP
• All TCP and Nmap 5.51 top 100 UDP: All TCP ports and the top 100 UDP ports according to Nmap
5.51
• All TCP and Nmap 5.51 top 1000 UDP: All TCP ports and the top 1000 UDP ports according to Nmap
5.51
• Nmap 5.51 top 2000 TCP and top 100 UDP: The top 2000 TCP ports and the top 100 UDP ports
according to Nmap 5.51
• OpenVAS Default: The TCP ports which are scanned by the OpenVAS scanner when passing the
default port range preference

Creating a new Port List

A new port list can be created as follows:


1. Select Configuration > Port Lists in the menu bar.
2. Create a new port list by clicking .
3. Define the port list (see figure Creating a new port list (page 262)).

Fig. 16.1: Creating a new port list

4. Click Create.
The following details of the port list can be defined:
Name Definition of the name. The name can be chosen freely.
Comment An optional comment can contain additional information.
Port Ranges Manual entry of the port ranges or importing of a list of the port ranges. When entering
manually, the port ranges are separated by commas. When importing from a file, the entries can
be separated with commas or line breaks.
Each value in the list can be a single port (e.g. 7) or a port range (e.g. 9-11). These options can
be mixed (e.g. 5, 7, 9-11, 13).
An entry in the list can be preceded by a protocol specifier (T: for TCP, U: for UDP), e.g. T:1-3,
U:7, 9-11 (TCP ports 1, 2 and 3, UDP ports 7, 9, 10 and 11). If no specifier is given, TCP is assumed.
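To make the port-range syntax above concrete, the following parser is an added example written against the manual's description; it is not code from the GSM or from Greenbone Networks. It implements the documented rules (entries separated by commas or line breaks, single ports or ranges, an optional T:/U: protocol specifier that applies to the following entries until another specifier appears, TCP as the default) and rejects ports outside 0 to 65535. The function names parse_port_list, to_spec, privileged_count and is_valid_spec are this example's own.

```python
"""Parser for the GSM port-list syntax (added example; not GSM or Greenbone
Networks code). The function names below are this example's own."""
import re
from typing import Dict, List, Set

# One entry: optional protocol specifier, a port, and an optional range end.
_ENTRY = re.compile(r"^(?:(?P<proto>[TtUu]):)?(?P<lo>\d+)(?:-(?P<hi>\d+))?$")
MAX_PORT = 65535


def parse_port_list(spec: str) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for a port-list specification.

    Entries are separated by commas or line breaks (both are accepted when a
    list is imported from a file). A T: or U: specifier switches the protocol
    for that entry and all following entries until the next specifier, so
    "T:1-3, U:7, 9-11" yields TCP 1-3 and UDP 7, 9, 10, 11. With no specifier
    at all, everything is TCP, as the manual states.
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"  # default protocol
    for raw in re.split(r"[,\n]", spec):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas and blank lines
        match = _ENTRY.match(entry)
        if match is None:
            raise ValueError(f"malformed port entry: {entry!r}")
        if match.group("proto"):
            proto = "udp" if match.group("proto").upper() == "U" else "tcp"
        lo = int(match.group("lo"))
        hi = int(match.group("hi")) if match.group("hi") else lo
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of bounds or reversed: {entry!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def is_valid_spec(spec: str) -> bool:
    """True if the specification parses, False otherwise (for form validation)."""
    try:
        parse_port_list(spec)
    except ValueError:
        return False
    return True


def _collapse(ports: Set[int]) -> List[str]:
    """Collapse a set of ports into sorted 'a-b' / 'p' range strings."""
    runs: List[List[int]] = []
    for port in sorted(ports):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port
        else:
            runs.append([port, port])
    return [f"{a}-{b}" if a != b else str(a) for a, b in runs]


def to_spec(ports: Dict[str, Set[int]]) -> str:
    """Render parsed ports back into the compact T:.../U:... notation."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(_collapse(ports["tcp"])))
    if ports["udp"]:
        parts.append("U:" + ",".join(_collapse(ports["udp"])))
    return ",".join(parts)


def privileged_count(ports: Dict[str, Set[int]]) -> int:
    """Number of privileged (0-1023) ports in the list, across both protocols."""
    return sum(1 for proto in ports.values() for p in proto if p <= 1023)


if __name__ == "__main__":
    parsed = parse_port_list("T:1-3, U:7, 9-11")
    print(sorted(parsed["tcp"]), sorted(parsed["udp"]))  # [1, 2, 3] [7, 9, 10, 11]
    print(to_spec(parsed))                                # T:1-3,U:7,9-11
```

The round trip through to_spec is useful when a port list is exported from one GSM and imported on another: the compact form keeps the protocol specifiers explicit, so the default-TCP rule can never be misread.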


Which Port List for which Scan Task

The choice of the port list always needs to be weighed up between discovery performance and scan
duration.
The duration of a scan is mostly determined by the number of ports to be tested and the network
configuration. For example, beyond a certain number of ports to be tested, throttling by the network
elements or the tested systems could occur.
For the discovery performance it is obvious that services which are not bound to ports on the list are
not tested for vulnerabilities. Additionally, malicious applications that are bound to such ports will of
course not be discovered. Malicious applications mostly open ports that are not usually used and are
far from the system ports.
Other criteria are the defence mechanisms that are activated by often exhaustive port scans and that
initiate countermeasures or alerts. Even with normal scans, firewalls can simulate that all 65535
ports are active and thereby slow down the actual scan, because the ports that are scanned for
nothing end in so-called time-outs.
Also keep in mind that for every port queried, the service behind it reacts with at least one log entry.
For organizational reasons some services should possibly only be scanned at a specific time.
The following table outlines which port list could be most meaningful for which task.

Task/Problem                                                     Port List
Initial suspicion, penetration test, high security,             • All TCP and All UDP
first scan of unknown systems in limited numbers
Background test of an environment with known or                 • Specific list of known services
defined environment (servers) in large numbers                  • All IANA TCP
or with high frequency
First scan of unknown systems in large numbers                  • All IANA TCP
or with high frequency                                          • Nmap Top 1000 TCP and Top 100 UDP

The final decision needs to be made by the person(s) responsible for the scans. There should be at
least documentation of the targets or problem to justify the selection of the ports.
On the one hand, playing it safe, meaning always scanning all ports, will not achieve the desired
outcome if all systems simply cannot be scanned in time or if it would interrupt business operations.
On the other hand, going super fast, meaning only scanning all privileged ports, will seem inadequate
for unknown systems with high security requirements if during a later incident a vulnerability is
discovered that would have been rather easy to identify. Examples for this are database services.
Also keep in mind that some systems do not use a static port allocation but change their ports
constantly, even during operation. This, of course, makes a specific port list more difficult to use.

Scan Duration

In some situations with port throttling, scanning all TCP and UDP ports can take 24 hours or more for
a single system. Since the scans are performed in parallel, two systems will of course only take
marginally more time than a single system. However, the parallelization has its limits due to system
resources or network performance.
Scanning all IANA TCP ports, on the other hand, usually takes no more than a couple of minutes.
Since some countermeasures can increase the duration of a scan, there is the option to prevent
throttling by making configuration changes on the defense system.


All in all, one will learn over time how the network ranges to be scanned react to scans, and routine
tasks can be optimized accordingly.
In suspected cases of a compromise or of the highest security breaches a fully inclusive scan is unavoidable.

Total Security

For port scans the basic principle that no total security exists is also true. This means that even when
All TCP and All UDP are used, the pre-set timeout of the port testing can be too short to coax a
hidden malicious application into a response.
Or, especially with a large number of ports, it comes directly down to defense through infrastructure.
Less could sometimes even mean more.
If an initial suspicion exists, an experienced penetration tester should be consulted who combines the
actual scan tools with experience and professional intuition and has a good command of detailed
parameterization.

16.1.2 Scan Configuration

The scan configuration has an impact on the scan duration as well. The GSM offers four different scan
configurations for vulnerability scans:
• Full and fast
• Full and fast ultimate
• Full and very deep
• Full and very deep ultimate
Both the Full and fast and Full and fast ultimate scan configurations optimize their process
using already found information. Many NVTs can thereby be skipped because the previously gathered
information shows that they do not need to be tested. The two other scan configurations ignore already
discovered information and therefore execute all NVTs, including those that are not useful based on
previously discovered information.

16.1.3 Tasks

During the progress of a scan a progress bar is displayed. This progress bar should reflect the
progress of the scan in percent. In most cases this is a rough estimate since it is difficult for the GSM
to project how the systems or services that have not been scanned yet will behave compared to the
already scanned systems and services.
This can be understood best by looking at an example. Assumed is a network 162.168.0.0/24 with
5 hosts: 192.168.0.250-254. A scan is configured for this network and is performed in sequence.
Because the IP addresses at the beginning of the network are not in use, the scan runs very quickly
and reaches 95%. Then, however, systems are discovered that use many services. The scan slows
down accordingly since all these services are tested, and the progress bar advances only very little.
To compensate for this behaviour, the Order for target hosts can be adjusted in the scanner dialog.
The setting Random makes sense.

16.2 Backend Performance

The web interface accesses the GSM utilizing the GMP protocol. Some operations require more time
than others. To allow a speed analysis and examination of the GMP backend every web page displays
the time required to prepare the data at the bottom of the web page.


Fig. 16.2: The processing times of the backend are displayed.

16.3 Appliance Performance

The overall performance of the GSM can be monitored with the integrated monitoring by selecting
Extras > Performance in the menu bar. Here the resource utilization of the GSM for the last hour, day,
week, month and year can be displayed.
The performance of a configured sensor can be displayed on the master as well.

Fig. 16.3: The processing times of the backend are being displayed.

Here the following points are important:


Processes A high amount of processes is not critical. However, primarily only sleeping and running
processes should be displayed.
System Load An ongoing high utilization is critical. Hereby a load of 4 on a system with 4 cores is
considered acceptable.
CPU Usage Here especially a high Wait-IO is critical.
Memory Usage The GSM uses aggressive caching. The usage of most of the memory as cache is okay.
Swap A use of the Swap memory points to a potential system overload.

CHAPTER 17

Integration with Other Systems

The Greenbone Security Manager (GSM) can be connected to other systems.


Some systems have already been integrated into the GSM by Greenbone Networks including the
verinice ITSM system, the Sourcefire IPS Defense Center and the Nagios Monitoring System.

17.1 Integration with Third-Party Vendors

The GSM has numerous interfaces that allow for the communication with third-party vendors.
Hereby the GSM offers the following interfaces:
Greenbone Management Protocol (GMP) The Greenbone Management Protocol allows complete remote
control of the GSM. The protocol supports creating users, creating and starting scan tasks and
downloading reports.
Connecting additional scanners via OSP The Open Scanner Protocol (OSP) is a standardized interface
for different vulnerability scanners. Arbitrary scanners can be seamlessly integrated into the GSM
vulnerability management. Controlling the scanners and handling the results works in the same way
for all scanners.
Report Format The GSM can present the scan results in any format. To do so the GSM already comes
with a multitude of pre-installed report formats (see Chapter Managing Report Formats (page 159)).
Additional report formats can be downloaded from the Greenbone download website or developed in
collaboration with Greenbone Networks.
Alert via Syslog, E-Mail, SNMP-Trap or HTTP (see Chapter Using Alerts (page 153))
Automatic result forwarding through connectors These connectors are created by Greenbone Networks,
verified and integrated into the GSM.
Monitoring via SNMP The website https://docs.greenbone.net/API/SNMP/snmp-gos-4.3.en.html
provides the current MIB file (Management Information Base). MIB files describe the information
that can be queried via SNMP about the equipment.

17.1.1 OSP Scanner

The Open Scanner Protocol (OSP) resembles the Greenbone Management Protocol (GMP, see chapter
Greenbone Management Protocol (page 245)). It is XML based, stateless and does not require a
permanent connection for communication. The design allows for embedding additional scanners
seamlessly into the GSM.
The open format allows developing custom OSP scanners. Greenbone provides the protocol documentation
at https://docs.greenbone.net/API/OSP/osp.html.


17.2 Verinice

Verinice [132] is a free Open Source Information Security Management System (ISMS) developed by
SerNet [133].

Fig. 17.1: Integrating the GSM with verinice

Verinice is suitable for:


• Vulnerability remediation workflow
• Implementing the IT-Grundschutz catalogs of the German Federal Office for Information Security
(BSI)
• Performing risk analysis based on ISO 27005
• Operating an ISMS based on ISO 27001
• Performing an IS assessment per VDA specifications
• Proof of compliance with standards such as ISO 27002, IDW PS 330
The GSM can support the modelling and implementation of IT-Grundschutz as well as the operation
of an ISMS.
For this, Greenbone Networks offers two report plug-ins for the export of data from the GSM into
verinice:
• Verinice-ISM: containing all scan results
• Verinice-ITG: containing the scan results of a BSI IT-Grundschutz scan
Data can be transferred fully automatically from the GSM to verinicePRO, the server extension of
verinice.
In the following, this manual covers the import of reports from the GSM into the free verinice version.
[132] https://verinice.com/en/
[133] https://sernet.de/en/


Note: For support with the use of the connector contact SerNet or Greenbone Networks.

17.2.1 IT Security Management

The report plug-in for verinice is pre-configured and is available as “Verinice-ISM”.


With this report plug-in Greenbone Networks supports the vulnerability remediation workflow in
verinice.
Verinice uses the notes (see Chapter Using Notes (page 169)) of the scan results to create objects for
processing. If there are no notes in a task, only the assets are imported, together with the complete
vulnerability report. Only vulnerabilities that have a note are imported by verinice as vulnerabilities.
This allows controlling the import in fine detail.

Note: Within the entire security process it has to be decided which vulnerabilities must be resolved
and which are tolerable. This decision is made in the vulnerability management, by tagging the
vulnerabilities accordingly.
The remediation workflow aims at resolving all of the managed issues. Within the remediation
workflow it is not allowed to decide about tolerating an issue.

Afterwards the report has to be saved as Verinice ISM-Report. A VNA file will be created. This is
a ZIP file containing the data of the GSM scan.

Importing of the ISM Scan

The report can be imported in Verinice as follows:


1. Start Verinice.
2. Open the ISM perspective.
3. Import the catalog Implementation Assistance for ISO27001.
4. Create an organization.
→ Afterwards the screen should look like displayed in figure ISM perspective in Verinice
(page 270).
5. In the window Information Security Model click .
6. Click Select file... and select the ISM report. The remaining parameters can be kept with their
default settings (see figure Selecting the ISM report (page 270)).
7. Click OK.
→ The results of the ISM report are imported and can be unfolded in Verinice (see figure Unfold-
ing the results of the ISM report (page 271)).
The process to track vulnerabilities for the imported organization can be separated into two sub-processes:
• Creation of tasks
• Remediation of vulnerabilities

Creating Tasks

Before creating tasks the data for the organization must be prepared as follows:


Fig. 17.2: ISM perspective in Verinice

Fig. 17.3: Selecting the ISM report


Fig. 17.4: Unfolding the results of the ISM report

1. After the first import of an organization it must be moved to the top level from the group of
imported objects.
Cut the organization and paste it into the top level (see figure Moving the imported organization
to the top level (page 271)).

Fig. 17.5: Moving the imported organization to the top level

2. The assets and controls must be grouped.


Right click on Assets GSM-Scans and select Group with Tags....
Right click on Controls GSM-Scans and select Group with Tags....
3. All asset groups must be assigned a responsible person.
Create a person and assign them by drag and drop to the assets group.
→ The successful assignment is displayed in the window Relations (see figure Displaying the
relations for a group (page 271)).

Fig. 17.6: Displaying the relations for a group

4. Right click on the organization and select Greenbone: Start Vulnerability Tracking.


→ It is verified whether all assets and controls are grouped and whether all asset groups are
assigned to a person. A message displays the result of the verification.
5. Continue with creating a task or cancel the creation.

Remediating Vulnerabilities

The created tasks can be managed with the help of the task view or the web frontend of the
verinice.Pro version (under: ISO 27000 tasks). The task to remediate vulnerabilities is called “Reme-
diate Vulnerabilities”.
A task contains controls, scenarios and assets that are connected to a control group and are assigned
to a responsible person.
The responsible person remediates the vulnerabilities for all assets.

Note: If the deadline for the task “Remediate Vulnerabilities” expires, a reminder e-mail is sent to the
responsible person.

After the task is completed all connections between assets and scenarios that were assigned to a
task are deleted.
The following states of a control are possible:
• Implemented: no asset is assigned to the scenario anymore
• Partly: other connections to assets still exist

17.2.2 IT-Grundschutz

Greenbone Networks provides a special configuration (IT-Grundschutz scan including discovery for
Verinice) as well as an IT-Grundschutz report plug-in (Verinice ITG) which allows for the export of a
report suited for Verinice.
For optimum results the scan configuration needs to be imported. The report plug-in is now shipped
with the GSM. A manual import is not required anymore.
For optimum results in the scan it is helpful to perform an authenticated scan (see Chapter Running
an Authenticated Scan Using Local Security Checks (page 119)).
As soon as the scan is completed, export it in the verinice ITG format. A VNA file is created. This is a
ZIP archive in which the results of the scans are stored. This file can be loaded by verinice directly.
For clarity, a scan with only one host is used in the following.

Importing the ITG Scan

The report can be imported in Verinice as follows:


1. Start Verinice.
2. Open the BSI IT Baseline perspective (see figure Starting Verinice (page 273)).

Note: If no IT bond has been created yet the middle view is empty.

3. In the window BSI Model click .


4. Click Select file... and select the ITG report. The remaining parameters can be kept with their
default settings (see figure Selecting the ITG report (page 273)).


Fig. 17.7: Starting Verinice

Fig. 17.8: Selecting the ITG report


5. Click OK.
→ The results of the ITG report are imported and can be unfolded in Verinice (see figure Unfolding
the results of the ITG report (page 274)).

Fig. 17.9: Unfolding the results of the ITG report

The imported objects are named by the target in the GSM or their IP address. Every imported object
has a sub-object GSM result with the activity results of the scan.
Now the IT-Grundschutz modules can be added by right clicking on a server and selecting Greenbone:
Automatically assign components.
Verinice chooses the appropriate components to model the system based on the tags set by the GSM.

Fig. 17.10: IT-Grundschutz components selected automatically

Now the results of the scans can be added into the control catalog by right clicking on a server and
selecting Greenbone: Automatic Base Security Check.

17.3 Nagios

Nagios can integrate the scan results in its monitoring tasks as an additional test. In this case the
scanned systems are automatically matched with the monitored systems. With this the scan results
are eventually available for the alert rules and other processes of Nagios.
When linking Nagios with the GSM, Nagios will assume the controlling role. Nagios regularly and
automatically retrieves the newest scan results from the GSM. This is done via a Nagios command which
uses the gvm-script tool to call the check-gmp.gmp script.
Follow the instructions to connect the GSM to Nagios.

Note: Other products compatible with Nagios such as Open Monitoring Distribution, Icinga, Centreon
etc. should generally work but may require small adjustments to the described steps.


Fig. 17.11: Linking Nagios with the GSM

17.3.1 Configuring the GSM User

For access, the plug-in requires a user account to log in to the appliance. For this user a scan target (or
multiple scan targets) has to be set up with all hosts of which the security status should be monitored.
The sample configuration used here assumes that there is only one relevant target but technically it
is possible to link complex setups with multiple targets and multiple GSMs.
The GSM user account provided for queries by the GMP script must be owner of the relevant scan
targets or at least have unrestricted reading access to them. The tasks should be run as scheduled
scans regularly.
In addition, network access via GMP to the GSM must be possible. Therefore, the GMP access must be
activated in the GOS administration menu (see Chapter Activating GMP (page 245)).

17.3.2 Configuring the Script

Greenbone Networks provides the check-gmp.gmp script as part of the script collection of
gvm-tools. This script can be called by the monitoring solution using gvm-script (see Chapter
GVM-Tools (page 285)).

Note: The following assumes Nagios is installed in /usr/local/nagios/, afterwards referred to as /.../.
Adjust the file location if necessary.

1. Copy the plug-in to /.../libexec/.


2. Check if the script can reach the GSM through the network, GMP was activated and the user was
created properly.

Note: In the following command replace the IP address with the IP address of the GSM and
provide the user name and the created password.


nagios-host# gvm-script --gmp-username=webadmin --gmp-password=kennwort \
ssh --hostname 192.168.10.169 /.../libexec/check-gmp.gmp --ping
GMP OK: Ping successful

3. Check whether there is access to the data.


nagios-host# gvm-script --gmp-username=webadmin --gmp-password=kennwort \
ssh --hostname 192.168.10.169 /.../libexec/check-gmp.gmp \
-F 192.168.10.130 --last-report -T "Scan Suspect Host" --status
GMP CRITICAL: 284 vulnerabilities found - High: 118 Medium: 153 Low: 13
Report did contain 1 errors for IP 192.168.10.130
|High=118 Medium=153 Low=13

The script supports several commandline switches. These can be displayed using:
nagios-host# gvm-script -c /.../etc/gvm-tools.conf ssh --hostname 192.168.10.169 \
scripts/check-gmp.gmp -H
usage: check-gmp [-H] [-V] [--cache [CACHE]] [--clean] [-F HOSTADDRESS] [-T TASK]
...

Check-GMP Nagios Command Plugin 2.0.0 (C) 2017-2019 Greenbone Networks GmbH
...

optional arguments:
-H Show this help message and exit.
-V, --version Show program's version number and exit
--cache [CACHE] Path to cache file. Default: /tmp/check_gmp/reports.db.
--clean Activate to clean the database.
...

→ If the tests were successful, the check can be integrated into the Nagios monitoring.

4. Add the host to be monitored in the Nagios /.../etc/objects/localhost.cfg configuration file, in the section HOST DEFINITIONS.
In this example the host is a Metasploitable Linux.
define host{
        use             linux-server
        host_name       metasploitable
        alias           metasploitable
        address         192.168.10.130
        }

5. In the same configuration file, in the section SERVICE DEFINITIONS, define a new service
which calls the check_gmp_status Nagios command.
As the example shows, one argument is passed to the command: the name of the task from which
the report is fetched.
define service{
        use                     local-service   ; Name of service template to use
        host_name               metasploitable
        service_description     GMP task last report status
        check_command           check_gmp_status!metasploitable
        }

6. Define the check_gmp_status command in the file /.../etc/objects/commands.cfg.


define command{
        command_name    check_gmp_status
        command_line    gvm-script -c /.../etc/gvm-tools.conf ssh --hostname 192.168.10.169 $USER1$/check-gmp.gmp -F $HOSTADDRESS$ --last-report -T $ARG1$ --status
        }

Note: As the command line shows, no user name and password options are passed to the gvm-script tool; instead a configuration file is used (see Chapter GVM-Tools (page 285)).

7. Restart the Nagios service to apply the new configuration.


nagios-host# systemctl restart nagios

Fig. 17.12: Nagios site displaying the monitored host status

17.3.3 Caching and Multiprocessing

The check-gmp.gmp script supports caching. All new reports are cached in a SQLite database. The first call for an unknown host takes longer because the report has to be retrieved from the GSM. Subsequent calls to the plug-in only retrieve the current report from the GSM if the end time of the scan differs. Otherwise, the information from the database is used. This greatly reduces the load both on the monitoring server and the GSM.
The cache file is written to /tmp/check_gmp/reports.db by default. A different location of the database can be specified using the command line switch --cache.
To further reduce the load both on the monitoring server and the GSM, the plug-in can restrict the maximum number of simultaneously running plug-in instances. Instances started beyond this limit are halted and wait until they can continue. The default value of MAX_RUNNING_INSTANCES is 10. The default can be modified using the command line switch -I.
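The check output format shown in the Nagios section above and the end-time based cache described here, as an added Python example that is not code from the manual or from the gvm-tools project: the GSM is replaced by two constructed callables, the severity-to-state mapping (High gives CRITICAL, Medium gives WARNING) and the cache table layout are assumptions, and the host address, end times and counts are constructed sample values.

```python
"""Model of a Nagios check like check-gmp.gmp (added example, not the real
plug-in): builds the status line with performance data and keeps a SQLite
cache keyed by host so the full report is only fetched again when the scan
end time has changed. All sample values below are constructed."""
import sqlite3
from typing import Callable, Dict, Optional, Tuple

# Nagios plug-in exit codes.
OK, WARNING, CRITICAL = 0, 1, 2


def nagios_status(host: str, report: Dict[str, int]) -> Tuple[int, str]:
    """Return (exit code, plug-in output) in the shape of the manual's sample
    output. Assumption, not taken from the plug-in source: any High result
    gives CRITICAL, any Medium result gives WARNING, otherwise OK."""
    high, medium, low = report["high"], report["medium"], report["low"]
    total = high + medium + low
    if high:
        code, state = CRITICAL, "CRITICAL"
    elif medium:
        code, state = WARNING, "WARNING"
    else:
        code, state = OK, "OK"
    lines = [f"GMP {state}: {total} vulnerabilities found"
             f" - High: {high} Medium: {medium} Low: {low}"]
    if report.get("errors"):
        lines.append(f"Report did contain {report['errors']} errors for IP {host}")
    # Everything after '|' is performance data that Nagios can graph.
    lines.append(f"|High={high} Medium={medium} Low={low}")
    return code, "\n".join(lines)


class ReportCache:
    """SQLite cache, one row per host address: scan end time of the last
    report seen plus its severity counts (the table layout is assumed)."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS reports (host TEXT PRIMARY KEY,"
            " end_time TEXT, high INTEGER, medium INTEGER, low INTEGER,"
            " errors INTEGER)")

    def get(self, host: str) -> Optional[Tuple[str, Dict[str, int]]]:
        row = self.db.execute(
            "SELECT end_time, high, medium, low, errors FROM reports"
            " WHERE host = ?", (host,)).fetchone()
        if row is None:
            return None
        return row[0], {"high": row[1], "medium": row[2],
                        "low": row[3], "errors": row[4]}

    def put(self, host: str, end_time: str, rep: Dict[str, int]) -> None:
        self.db.execute(
            "INSERT OR REPLACE INTO reports VALUES (?, ?, ?, ?, ?, ?)",
            (host, end_time, rep["high"], rep["medium"], rep["low"],
             rep.get("errors", 0)))
        self.db.commit()


def check_host(host: str, cache: ReportCache, end_time_of: Callable[[str], str],
               report_of: Callable[[str], Dict[str, int]]) -> Tuple[int, str, bool]:
    """One plug-in run. Only the scan end time is always asked from the GSM;
    the full report is fetched only when it differs from the cached one.
    Returns (exit code, output, whether the full report was fetched)."""
    current_end = end_time_of(host)
    cached = cache.get(host)
    if cached is not None and cached[0] == current_end:
        code, text = nagios_status(host, cached[1])
        return code, text, False
    report = report_of(host)
    cache.put(host, current_end, report)
    code, text = nagios_status(host, report)
    return code, text, True


# Constructed stand-in for the GSM: the last report of the task per host.
SAMPLE_GSM = {
    "192.168.10.130": {"end_time": "2019-07-25T10:15:00Z", "high": 118,
                       "medium": 153, "low": 13, "errors": 1},
}


def sample_end_time(host: str) -> str:
    return SAMPLE_GSM[host]["end_time"]


def sample_report(host: str) -> Dict[str, int]:
    rep = dict(SAMPLE_GSM[host])
    del rep["end_time"]
    return rep


if __name__ == "__main__":
    cache = ReportCache()
    for _ in range(2):  # the second run is served from the cache
        code, text, fetched = check_host("192.168.10.130", cache,
                                         sample_end_time, sample_report)
        print(text, f"\n(exit code {code}, full report fetched: {fetched})")
```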

17.4 Firepower Management Center

The Cisco Firepower Management Center (formerly Sourcefire Intrusion Prevention System (IPS)) is one of the leading solutions for intrusion detection and defense in computer networks. As a Network Intrusion Detection System (NIDS) it is tasked with discovering, alerting on and defending against attacks on the network.
For Firepower to correctly identify and classify attacks it requires information that is as accurate as possible about the systems in the network, the installed applications and their possible vulnerabilities. For this purpose Firepower has its own asset database that can be augmented with information from the GSM. Additionally, the Sourcefire system can start an automatic scan if it suspects anything.
The following connection methods are available:

Chapter 17. Integration with Other Systems

Automatic data transfer from the GSM to the NIDS/IPS: If the GSM and the NIDS/IPS are configured accordingly, the data transfer from the GSM to the NIDS/IPS can be used easily, like any other alert functionality of the GSM. After completion of the scan the report is forwarded as an alert to the NIDS/IPS according to the desired criteria. If the scan task is run automatically on a weekly basis, a fully automated alerting and optimization system is obtained.
Active control of the GSM by the NIDS/IPS: During operation of the NIDS/IPS, suspected incidents on systems with high risk can occur. In such a case the NIDS/IPS can instruct the GSM to check the system134.
To use the connection methods the GSM as well as the Sourcefire Defense Center have to be prepared.
On the GSM a report plug-in has to be installed and on the Sourcefire Defense Center receiving the data
must be enabled.

17.4.1 Installing the Report Plug-in

The report plug-in can be installed as follows:


1. Download the following report format plug-in: https://download.greenbone.net/rfps/sourcefire-1.1.0.xml

Important: External links to the Greenbone download website are case-sensitive.


Note that uppercase and lowercase letters and special characters have to be entered exactly as they are written here.

2. Select Configuration > Report Formats in the menu bar.


3. Click .
4. Click Browse... and select the previously downloaded report format plug-in.
5. Click Create.
→ The imported report format is displayed on the page Report Formats.

Fig. 17.13: Importing the report format plug-in

Note: The report format plug-in has to be verified and activated before it can be used.

6. Verify the signature of the report format by clicking .


→ The result of the verification is displayed in the column Trust (Last Verified).
7. In the row of the report format click .
8. For Active select the radiobutton Yes.
9. Click Save.
134 This control does not exist as a finalized Remediation for the Sourcefire system but it can be implemented via GMP (see chapter Greenbone Management Protocol (page 245)).


17.4.2 Configuring the Host-Input-API clients

Fig. 17.14: Setting up the GSM in the defense center

Log into the Sourcefire Defense Center and create a Host-Input-Client. The Host-Input-API is an interface through which the Defense Center accepts data from other applications for its asset database. This option can be found in the web interface under System->Local->Registration. There switch to the Host Input Client tab. Here create the GSM appliance. It is important to enter the IP address that the appliance will use to connect to the Defense Center. The connection is TLS encrypted. The Defense Center creates a private key and certificate automatically. In the certificate the IP address entered above is used as Common Name and verified when the client establishes a connection. If the client uses a different IP address, the connection fails.
The created PKCS#12 file is optionally secured by a password.
Afterwards the certificate and the key are created and made available for download. Download this file.

Fig. 17.15: Downloading the created PKCS#12 file

17.4.3 Configuring Alerts on the GSM

Now the respective alert must be set up on the GSM.


1. Select Configuration > Alerts in the menu bar.
2. Create a new alert by clicking .
3. Define the alert (see figure Using the PKCS#12 file for authentication (page 280)).
4. Choose Sourcefire Connector in the drop-down-list Method.


Fig. 17.16: Using the PKCS#12 file for authentication

5. Supply the PKCS#12 file by clicking Browse....

Note: If a password was entered when the client was created, the PKCS#12 file has to be decrypted before loading it into the GSM.
To do so, the following command in Linux can be used:

$ openssl pkcs12 -in encrypted.pkcs12 -nodes -out decrypted.pkcs12
Enter Import Password : password
MAC verified OK
$

6. Click Create.

17.5 Alemba vFire

vFire is an Enterprise Service Management application, developed by Alemba135.


The GSM can be configured to create tickets in an instance of vFire based on events like finished scans.

17.5.1 Prerequisites for Alemba vFire

For the integration to work properly, the following prerequisites must be met on the vFire system:
• The vFire installation must support the RESTful Alemba API, which was added in vFire version 9.7. The legacy API of older versions is not supported by the Greenbone connector.
• An Alemba API client with the correct session type (analyst/user) and password login must be
enabled.
• The user account that should be used requires permissions to use the Alemba API.
135 https://alemba.com/


17.5.2 Configuring the Alemba vFire Alert

To have the GSM automatically create tickets (calls) in vFire, an alert must be set up as follows:
1. Select Configuration > Alerts in the menu bar.
2. Create a new alert by clicking .
3. Define the alert.
4. Choose Alemba vFire in the drop-down-list Method.
5. Click Create.
The options for the alert are:
Report Formats: The report formats used for the attachments. Multiple report formats
can be selected or the selection can be left empty if no attachments are wanted.
vFire Base URL: This is the URL of the Alemba instance including the server name
and virtual directory. For example, if the user interface is accessed via
https://alemba.example.com/vfire/core.aspx, the base URL would be
https://alemba.example.com/vfire.
Credential: The user name and the password used for logging into Alemba vFire.
Session Type: The type of session to use. It can be either “analyst” or “user”. As an “ana-
lyst” it is possible to perform some actions not available to a “user”. The user account
requires special permissions for these actions and the number of concurrent logins
may be limited.
Alemba Client ID: This is the Alemba API client ID (see Chapter Prerequisites for Alemba
vFire (page 280)).
Partition: The partition to create the ticket in. See the Alemba vFire help for more infor-
mation about partitioning.
Call Description: This is the template for the description text used for the newly created
calls. The same placeholders as in the message input box of the e-mail alert method
can be used (see Chapter Using Alerts (page 153)).
Call Template: The name of a call template to use for the calls created by the alert. A
call template can be configured in vFire to fill in all the fields that cannot be specified
directly in the alert.
Call Type: The name of a call type to use for the calls created by the alert.
Impact: The full name of an impact value.
Urgency: The full name of an urgency value.

17.6 Splunk

The GSM can be configured to forward the scan results to a Splunk Enterprise installation for further analysis and correlation.
The Splunk integration requires the installation of the Greenbone Splunk app on the Splunk server. The download and installation of the app are explained in Chapter Splunk Application (page 285).
Once the app is installed on the Splunk server, the GSM can be instructed to send the results to the Splunk server.


17.6.1 Configuring the Splunk Alert

The GSM is configured as follows:


1. Select Configuration > Alerts in the menu bar.
2. Create a new alert by clicking .
3. Define the alert (see figure Configuring the Splunk alert (page 282)).
4. Choose Send to host in the drop-down-list Method.
5. Enter the IP address of the Splunk server in the input box Send to host and the port of the Greenbone Splunk app in the input box on port.

Note: The TCP port is 7680 by default.
These settings can be checked using the Splunk web interface by selecting Settings > Data Inputs > TCP (see Chapter Splunk Application (page 285)).

6. Choose XML in the drop-down-list Report.

Fig. 17.17: Configuring the Splunk alert

7. Click Create.
This alert can now be added to the appropriate task as follows:
1. Select Scans > Tasks in the menu bar.
2. Create a new task by clicking and selecting New Task.
3. Define the task.
4. Enter the name of the alert in the input box Alerts.
5. Click Create.
The alert can be added to already existing tasks as well. The alert does not modify the scan behavior.
1. Select Scans > Tasks in the menu bar.
2. In the row of the task click .
3. Enter the name of the alert in the input box Alerts.
4. Click Create.


For testing purposes existing reports may be processed by the alert.


1. Select Scans > Reports in the menu bar.
2. Click on the date of a report.
3. Move the mouse over Report: Results.
→ A drop-down-list is opened.
4. Click Report: Summary and Download.
5. In the row of the desired version, select Splunk Connector in the column Run Alert (see figure
Processing an existing report using the alert (page 283)).
6. In the row of the desired version click .

Fig. 17.18: Processing an existing report using the alert

17.6.2 Accessing the Information in Splunk

To access the information in Splunk switch to the Greenbone dashboard. The Greenbone dashboard
within the Splunk web interface displays the vulnerabilities found within the last 7 days.

Fig. 17.19: Greenbone dashboard within the Splunk web interface

Since the information forwarded by the GSM is indexed by Splunk the search view can be used to
search for any data.
Some supported indexes are:
• host
• source, sourcetype
• date_hour, date_minute, date_month, date_year, date_mdate, date_wday, date_zone
• VulnerabilityResultNvtCVE
• VulnerabilityResultNvtCVSS
• VulnerabilityResultQod
• VulnerabilityResultSeverity
• VulnerabilityResultThreat

Fig. 17.20: Splunk server supporting complex searches

CHAPTER 18

Tools

This chapter presents some additional tools which may be used with the GSM appliance.

18.1 GVM-Tools

The gvm-tools implement the Greenbone Management Protocol (GMP). These tools are supplied by Greenbone Networks for both the Linux and the Microsoft Windows operating system, as a command line tool and as a Python shell. The tools for Microsoft Windows can be downloaded at:
• CLI: gvm-cli.exe136
• Python Shell: gvm-pyshell.exe137

Important: External links to the Greenbone download website are case-sensitive.


Note that uppercase and lowercase letters and special characters have to be entered exactly as they are written in the footnotes.

The tool is a statically linked executable file that should work on most Microsoft Windows systems. Greenbone has released all components as open source so the tool can be built for other systems like Linux as well:
• https://github.com/greenbone/gvm-tools
Note that the tools require Python 3. To install the tools, follow the instructions provided at the location above.
Greenbone has already developed a small collection of scripts using these tools. They may be found
in the scripts directory of the GitHub repository.
The usage of the tool is explained in section Greenbone Management Protocol (page 245).

18.2 Splunk Application

Greenbone Networks offers a small application for the integration with Splunk. The application is currently available at https://download.greenbone.net/tools/Greenbone-Splunk-App-1.0.1.tar.gz. If there are problems with downloading or testing the application, contact the Greenbone Networks support.

Important: External links to the Greenbone download website are case-sensitive.
Note that uppercase and lowercase letters and special characters have to be entered exactly as they are written here.

136 https://download.greenbone.net/tools/gvm-cli.exe
137 https://download.greenbone.net/tools/gvm-pyshell.exe

The installation of the Splunk app is quite simple. The following guide uses the Splunk Enterprise version 6.4.3. The installation of the app in Splunk Light is not supported.
To install the app, first log in to the Splunk server. Navigate to Splunk > Apps > Manage Apps.

Fig. 18.1: Splunk supports the installation of 3rd party add-ons.

Choose Install app from file. Browse to the downloaded Greenbone-Splunk-App and upload it to the Splunk server.

Fig. 18.2: 3rd party add-ons may be installed from file.

Choose Upload. The next screen shows the successful installation of the app.

Fig. 18.3: Splunk lists the add-on after successful installation.

Check the port of the Greenbone-Splunk-App after the installation. The port can be accessed in the
web interface by selecting Settings > Data inputs > TCP in the menu bar.

Fig. 18.4: The port of the app is required for the configuration on the GSM.

CHAPTER 19

Setup Guides

This chapter provides specific setup guides and troubleshooting for the different GSM appliances:
• GSM 5400/6500 (page 289)
• GSM 400/600/650 (page 291)
• GSM 150 (page 294)
• GSM 35 (page 296)
• GSM 150V (page 298)
• GSM 25V (page 301)
• GSM ONE/MAVEN (page 305)

19.1 GSM 5400/6500

This setup guide will show the steps required to put a GSM 5400 or 6500 appliance into operation.
The following checklist can be used to monitor the progress:
Step Done
Power supply (2 connectors)
Serial console cable/USB converter
Putty/screen setup
Keyboard layout
IP address configuration
DNS configuration
Password change
Web administrator account
SSL certificate
Readiness

19.1.1 Installing the Appliance

The GSM 5400 and GSM 6500 are 19” mountable and require two rack units (RU). For installation in a 19” rack this equipment comes with the respective racking brackets.
For cabling, the GSM 5400 and GSM 6500 appliances have corresponding connectors at the front and back:
• Front:
– Keyboard via USB
– 2 management Ethernet network ports, labeled “MGMT”

– 1 RS-232 console port (|O|O|O), Cisco compatible, suitable cable is enclosed
– 2 USB 2.0 ports
– Up to 4 network modules with additional ports (Ethernet, SFP, SFP+ or XFP)
• Back:
– 2 power supplies
– 2 USB 2.0 ports
– 2 USB 3.0 ports
– 1 VGA port
For the installation a terminal application and a console cable for establishing a connection have to
be used.

19.1.2 Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console
cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to
a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line. It is sufficient to run the command providing the serial port.

Tip: When starting a command, it may be necessary to hit Return several times to get a command
prompt.

screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Note: Sometimes the first serial port does not work. Experiment with the number (0, 1 or 2).

Quit the command by entering CTRL-a \.


In Microsoft Windows the Putty138 application can be used. After starting it, the options as shown in
figure Setting up the serial port in Putty (page 291) and the appropriate serial port have to be selected.

19.1.3 Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved
and the terminal application (Putty, screen or similar) is set up, the appliance can be started.
The appliance will boot and after a short time – depending on the exact model – the first messages will be displayed in the terminal application.
138 https://www.chiark.greenend.org.uk/~sgtatham/putty/


Fig. 19.1: Setting up the serial port in Putty

19.1.4 Performing a General System Setup

All GSM appliances share the same way of basic configuration and readiness check.

Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Afterwards, continue with logging into the web interface.

19.1.5 Logging into the Web Interface

The main interface of the GSM is the web interface. The web interface can be accessed as follows:
1. Open the web browser.
2. Enter the IP address of the web interface of the GSM.

Tip: The IP address of the GSM is displayed on the login prompt of the console or in the GOS
administration menu after selecting About and pressing Enter.

3. Log in using the web administrator created during the setup.

19.2 GSM 400/600/650

This setup guide shows the steps required to put a GSM 400, 600 or 650 appliance into operation.
The following checklist can be used to monitor the progress:


Step Done
Power supply
Serial console cable/USB converter
Putty/screen setup
Keyboard layout
IP address configuration
DNS configuration
Password change
Web administrator account
SSL certificate
Readiness

19.2.1 Installing the Appliance

The GSM 400, GSM 600 and GSM 650 are 19” mountable and require one rack unit (RU). For installation in a 19” rack this equipment comes with the respective racking brackets.
For cabling, the GSM 400, GSM 600 and GSM 650 appliances have corresponding connectors at the front and back:
• Front:
– Keyboard via USB
– Network port eth0
– 1 RS-232 console port (|O|O|O), Cisco compatible, suitable cable is enclosed
• Back:
– 1 power supply
– 1 VGA port
– Keyboard via USB
– Serial console
For the installation a terminal application and a console cable for establishing a connection have to
be used.

19.2.2 Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console
cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to
a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line. It is sufficient to run the command providing the serial port.

Tip: When starting a command, it may be necessary to hit Return several times to get a command
prompt.

screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Note: Sometimes the first serial port does not work. Experiment with the number (0, 1 or 2).

Quit the command by entering CTRL-a \.


In Microsoft Windows the Putty139 application can be used. After starting it, the options as shown in
figure Setting up the serial port in Putty (page 293) and the appropriate serial port have to be selected.

Fig. 19.2: Setting up the serial port in Putty

19.2.3 Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved
and the terminal application (Putty, screen or similar) is set up, the appliance can be started.
The appliance will boot and after a short time – depending on the exact model – the first messages will be displayed in the terminal application.

19.2.4 Performing a General System Setup

All GSM appliances share the same way of basic configuration and readiness check.

Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Afterwards, continue with logging into the web interface.

19.2.5 Logging into the Web Interface

The main interface of the GSM is the web interface. The web interface can be accessed as follows:
1. Open the web browser.
2. Enter the IP address of the web interface of the GSM.

Tip: The IP address of the GSM is displayed on the login prompt of the console or in the GOS
administration menu after selecting About and pressing Enter.

3. Log in using the web administrator created during the setup.


139 https://www.chiark.greenend.org.uk/~sgtatham/putty/


19.3 GSM 150

This setup guide shows the steps required to put a GSM 150 appliance into operation.
The following checklist can be used to monitor the progress:
Step Done
Power supply
Serial console cable/USB converter
Putty/screen setup
Keyboard layout
IP address configuration
DNS configuration
Password change
Web administrator account
SSL certificate
Readiness

19.3.1 Installing the Appliance

The GSM 150 is 19” mountable and requires one rack unit (RU). The optional RACKMOUNT150 kit pro-
vides the racking brackets for installing the appliance in a 19” rack.
For stand-alone appliances four self-sticking rubber pads have to be mounted on the corresponding
bottom side embossments.
For cabling, the GSM 150 appliance has corresponding connectors at the front and back:
• Front:
– 1 RS-232 console port, Cisco compatible, suitable cable is enclosed
– 2 USB 3.0 ports
– 1 HDMI port
– 4 Ethernet network ports
• Back:
– 1 power supply +12V DC
For the installation a terminal application and a serial cable for establishing a connection have to be
used.

19.3.2 Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console
cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to
a speed of 9600 bits/s (Baud).
In Linux the command screen can be used in the command line. It is sufficient to run the command providing the serial port.

Tip: When starting a command, it may be necessary to hit Return several times to get a command
prompt.

screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Note: Sometimes the first serial port does not work. Experiment with the number (0, 1 or 2).

Quit the command by entering CTRL-a \.


In Microsoft Windows the Putty140 application can be used. After starting it, the options as shown in
figure Setting up the serial port in Putty (page 295) and the appropriate serial port have to be selected.

Fig. 19.3: Setting up the serial port in Putty

19.3.3 Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved
and the terminal application (Putty, screen or similar) is set up, the appliance can be started.
The appliance will boot and after a short time – depending on the exact model – the first messages will be displayed in the terminal application.

19.3.4 Performing a General System Setup

All GSM appliances share the same way of basic configuration and readiness check.

Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Afterwards, continue with logging into the web interface.

19.3.5 Logging into the Web Interface

The main interface of the GSM is the web interface. The web interface can be accessed as follows:
1. Open the web browser.
2. Enter the IP address of the web interface of the GSM.
140 https://www.chiark.greenend.org.uk/~sgtatham/putty/


Tip: The IP address of the GSM is displayed on the login prompt of the console or in the GOS
administration menu after selecting About and pressing Enter.

3. Log in using the web administrator created during the setup.

19.4 GSM 35

This setup guide shows the steps required to put a GSM 35 sensor appliance into operation.
The following checklist can be used to monitor the progress:
Step Done
Power supply
Serial console cable/USB converter
Putty/screen setup
Keyboard layout
IP address configuration
DNS configuration
Password change
Scan user account
Master key download
Sensor setup on the master
Readiness

19.4.1 Installing the Appliance

The GSM 35 is 19” mountable and requires one rack unit (RU). The optional RACKMOUNT35 kit provides
the racking brackets for installing the appliance in a 19” rack.
For stand-alone appliances four self-sticking rubber pads have to be mounted on the corresponding
bottom side embossments.
For cabling, the GSM 35 appliance has corresponding connectors at the front and back:
• Front:
– RS-232 console port, Cisco compatible, suitable cable is enclosed
– 2 USB 3.0 ports
– 1 HDMI port
– 4 Ethernet network ports
• Back:
– 1 power supply +12V DC
For the installation a terminal application and a serial cable for establishing a connection have to be
used.

19.4.2 Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console
cable (rollover cable) can be used.
To access the serial port a terminal application is required. The application needs to be configured to
a speed of 9600 bits/s (Baud).


In Linux the command screen can be used in the command line. It is sufficient to run the command providing the serial port.

Tip: When starting a command, it may be necessary to hit Return several times to get a command
prompt.

screen /dev/ttyS0 #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Note: Sometimes the first serial port does not work. Experiment with the number (0, 1 or 2).

Quit the command by entering CTRL-a \.


In Microsoft Windows the Putty141 application can be used. After starting it, the options as shown in
figure Setting up the serial port in Putty (page 297) and the appropriate serial port have to be selected.

Fig. 19.4: Setting up the serial port in Putty

19.4.3 Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved
and the terminal application (Putty, screen or similar) is set up, the appliance can be started.
The appliance will boot and after a short time – depending on the exact model – the first messages will be displayed in the terminal application.

19.4.4 Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.
However, since the GSM 35 is a dedicated sensor, some setup steps differ from those of other appliances:
• A scan user account has to be created instead of a web administrator account.
• The master key has to be exchanged with the sensor.
141 https://www.chiark.greenend.org.uk/~sgtatham/putty/


Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Add the scan user account instead of a web administrator account. Afterwards, continue with the
Chapter Master-Sensor Setup (page 253) to exchange the keys with the master.

The GSM 35 sensor does not offer any web interface. The sensor is solely managed by the master. Logging into the sensor is possible via the console and via SSH from the master.
If the communication between master and sensor fails, the rule set of any internal firewall governing the network connection may need to be adjusted.

19.5 GSM 150V

This setup guide shows the steps required to put the GSM 150V appliance into operation.
The following checklist can be used to monitor the progress:
Step Done
VMware ESXi installed
Integrity verification (optional)
Import of the OVA
Resources: 2 CPUs, 8 GB RAM, 32 GB hard disk
Keyboard layout
IP address configuration
DNS configuration
Password change
Web administrator account
SSL certificate
Readiness

19.5.1 Setup Requirements

This section lists the requirements for successfully deploying the GSM 150V appliance. All require-
ments have to be met.

Resources

The virtual appliance requires at least the following resources:


• 2 virtual CPUs
• 8 GB RAM
• 32 GB hard disk

Supported Hypervisor

While the GSM 150V can be run on various hypervisors, only VMware hypervisors are currently sup-
ported.
The GSM 150V is delivered in VM version 7 format.
For VMware ESXi/ESX, version 5.1 or higher is required.


Verification of Integrity

Note: The integrity of the virtual appliance can be verified. On request the Greenbone Networks
support provides an integrity checksum.
To request the checksum contact the Greenbone Networks support via e-mail (sup-
[email protected]) including the subscription number.
The integrity checksum can be provided via phone or via support portal at
https://support.greenbone.net. Specify the preferred channel in the e-mail.

The local verification of the checksum depends on the host operating system.
On Linux systems the following command for calculating the checksum for the GSM 150V can be used:
sha256sum GSM-150V-4.3.13-gsf201905271.ova

On Microsoft Windows systems an appropriate program has to be installed first.

Tip: Rehash may be used which can be found at http://rehash.sourceforge.net.

To calculate the checksum, use:


rehash.exe -none -sha256 C:\<path>\GSM-150V-4.3.13-gsf201905271.ova

If the checksum does not match the checksum provided by the Greenbone Networks support, the virtual appliance has been modified and should not be used.

19.5.2 Deploying the Appliance

The GSM 150V is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.
Each GSM 150V is activated using a unique subscription key.

Note: Cloning the GSM 150V and using several instances in parallel is not permitted because it can result in inconsistencies and unwanted side effects.

To deploy the GSM 150V, it has to be imported into the hypervisor of choice as follows:

Note: The example features VMware ESXi, but is also applicable for VMware vSphere.

1. Install VMware ESXi for the current operating system.


2. Open the web interface of the VMware ESXi instance and log in.
3. Click Create / Register VM.
4. Select Deploy a virtual machine from an OVF or OVA file and click Next (see figure Selecting the
creation type (page 300)).
5. Enter a name for the virtual machine in the input box and click Next.
6. Click Click to select files or drag/drop, select the OVA file of the appliance and click Next.
7. Select the storage location in which to store the virtual machine files and click Next.
8. Adjust the deployment options as needed and click Next.

299
Chapter 19. Setup Guides

Fig. 19.5: Selecting the creation type

Note: The default deployment settings may be used.

9. Check the configuration of the virtual machine (see figure Checking the configuration of the virtual machine (page 300)).

Tip: Settings can be changed by clicking Back and adjusting them in the respective dialog.

Fig. 19.6: Checking the configuration of the virtual machine

10. Click Finish.


→ The appliance is imported. This can take up to 10 minutes.

Important: Do not refresh the browser while the virtual machine is being deployed.


When the appliance is imported, it is displayed in the list Virtual Machines in the Navigator panel
(see figure Imported virtual machine (page 301)).
11. Select the appliance in the list and click Power on.

Fig. 19.7: Imported virtual machine

19.5.3 Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Afterwards, continue with logging into the web interface.

19.5.4 Logging into the Web Interface

The main interface of the GSM is the web interface. The web interface can be accessed as follows:
1. Open the web browser.
2. Enter the IP address of the web interface of the GSM.

Tip: The IP address of the GSM is displayed on the login prompt of the console or in the GOS
administration menu after selecting About and pressing Enter.

3. Log in using the web administrator created during the setup.

19.6 GSM 25V

This setup guide will show the steps required to put the GSM 25V appliance into operation.
The following checklist can be used to monitor the progress:


Step Done
VMware ESXi installed
Integrity verification (optional)
Import of the OVA
Resources: 2 CPUs, 4 GB RAM, 16 GB hard disk
Keyboard layout
IP address configuration
DNS configuration
Password change
Web administrator account
Readiness

19.6.1 Setup Requirements

This section lists the requirements for successfully deploying the GSM 25V appliance. All requirements have to be met.

Resources

The virtual appliance requires at least the following resources:


• 2 virtual CPUs
• 4 GB RAM
• 16 GB hard disk

Supported Hypervisor

While the GSM 25V can be run on various hypervisors, only VMware hypervisors are currently supported.
The GSM 25V is delivered with virtual hardware version 7.
VMware ESXi/ESX version 5.1 or higher is required.

Verification of Integrity

Note: The integrity of the virtual appliance can be verified. On request the Greenbone Networks
support provides an integrity checksum.
To request the checksum contact the Greenbone Networks support via e-mail (sup-
[email protected]) including the subscription number.
The integrity checksum can be provided via phone or via support portal at
https://support.greenbone.net. Specify the preferred channel in the e-mail.

The local verification of the checksum depends on the host operating system.
On Linux systems the following command for calculating the checksum for the GSM 25V can be used:
sha256sum GSM-25V-4.3.13-gsf201905271.ova

On Microsoft Windows systems a program that calculates SHA-256 checksums is required. Current Windows versions ship one (certutil, or the PowerShell cmdlet Get-FileHash); otherwise an appropriate program has to be installed first.

Tip: Rehash may be used which can be found at http://rehash.sourceforge.net.


To calculate the checksum, use:


rehash.exe -none -sha256 C:\<path>\GSM-25V-4.3.13-gsf201905271.ova

If the checksum does not match the checksum provided by the Greenbone Networks support, the OVA file has been modified or corrupted in transit and must not be deployed. Download the file again and repeat the verification.

19.6.2 Deploying the Appliance

The GSM 25V is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.
Each GSM 25V is activated using a unique subscription key.

Note: Cloning the GSM 25V and using several instances in parallel is not permitted because it can
result in inconsistencies and unwanted side effects.

To deploy the GSM 25V, it has to be imported into the hypervisor of choice as follows:

Note: The example features VMware ESXi, but is also applicable for VMware vSphere.

1. Install VMware ESXi on the host system.


2. Open the web interface of the VMware ESXi instance and log in.
3. Click Create / Register VM.
4. Select Deploy a virtual machine from an OVF or OVA file and click Next (see figure Selecting the
creation type (page 303)).

Fig. 19.8: Selecting the creation type

5. Enter a name for the virtual machine in the input box and click Next.
6. Click Click to select files or drag/drop, select the OVA file of the appliance and click Next.
7. Select the storage location in which to store the virtual machine files and click Next.
8. Adjust the deployment options as needed and click Next.


Note: The default deployment settings may be used.

9. Check the configuration of the virtual machine (see figure Checking the configuration of the virtual machine (page 304)).

Tip: Settings can be changed by clicking Back and adjusting them in the respective dialog.

Fig. 19.9: Checking the configuration of the virtual machine

10. Click Finish.


→ The appliance is imported. This can take up to 10 minutes.

Important: Do not refresh the browser while the virtual machine is being deployed.

When the appliance is imported, it is displayed in the list Virtual Machines in the Navigator panel
(see figure Imported virtual machine (page 304)).
11. Select the appliance in the list and click Power on.

Fig. 19.10: Imported virtual machine


19.6.3 Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.
However, since the GSM 25V is a dedicated sensor, some setup steps differ from those of other appliances:
• A scan user account has to be created instead of a web administrator account.
• The master key has to be exchanged with the sensor.

Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Add the scan user account instead of a web administrator account. Afterwards, continue with the
Chapter Master-Sensor Setup (page 253) to exchange the keys with the master.

The GSM 25V sensor does not offer a web interface. The sensor is solely managed by the master.
Logging into the sensor is possible by using the console and SSH from the master.
If the communication between master and sensor fails, verify that any firewall between the two permits SSH (22/tcp) connections from the master to the sensor, and adjust its rule set if necessary.

19.7 GSM ONE/MAVEN

This setup guide shows the steps required to put the GSM ONE/MAVEN appliance into operation.
The following checklist can be used to monitor the progress:
Step Done
VirtualBox installed
Integrity verification (optional)
Import of the OVA
Resources: 2 CPUs, 4 GB RAM, 16 GB hard disk
Keyboard layout
IP address configuration
DNS configuration
Password change
Web administrator account
SSL certificate
Readiness

19.7.1 Setup Requirements

This section lists the requirements for successfully deploying the GSM ONE/MAVEN appliance. All requirements have to be met.

Resources

The virtual appliance requires at least the following resources:


• 2 virtual CPUs
• 4 GB RAM
• 16 GB hard disk


Supported Hypervisor

While the GSM ONE/MAVEN can be run on various hypervisors, only the following two hypervisors
are currently supported:
• Oracle VirtualBox on GNU/Linux
• Oracle VirtualBox on Microsoft Windows

Verification of Integrity

Note: The integrity of the virtual appliance can be verified. On request the Greenbone Networks
support provides an integrity checksum.
To request the checksum contact the Greenbone Networks support via e-mail (sup-
[email protected]) including the subscription number.
The integrity checksum can be provided via phone or via support portal at
https://support.greenbone.net. Specify the preferred channel in the e-mail.

The local verification of the checksum depends on the host operating system.
On Linux systems the following command for calculating the checksum for the GSM ONE/MAVEN can
be used:
sha256sum GSM-ONE-4.3.13-gsf201905271.ova
sha256sum GSM-MAVEN-4.3.13-gsf201905271.ova

On Microsoft Windows systems a program that calculates SHA-256 checksums is required. Current Windows versions ship one (certutil, or the PowerShell cmdlet Get-FileHash); otherwise an appropriate program has to be installed first.

Tip: Rehash may be used which can be found at http://rehash.sourceforge.net.

To calculate the checksum, use:


rehash.exe -none -sha256 C:\<path>\GSM-ONE-4.3.13-gsf201905271.ova
rehash.exe -none -sha256 C:\<path>\GSM-MAVEN-4.3.13-gsf201905271.ova

If the checksum does not match the checksum provided by the Greenbone Networks support, the OVA file has been modified or corrupted in transit and must not be deployed. Download the file again and repeat the verification.
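The three verification procedures above (GSM 150V, GSM 25V and GSM ONE/MAVEN) all end with a comparison that the manual leaves to the reader's eye. The following script is an added example, not part of the manual or of GOS: it streams the OVA through SHA-256 (the images are several gigabytes, so it never reads them whole), normalises the value support sends (which may be upper case, padded, or in sha256sum's "digest  filename" form) and compares the two. The file name in the usage comment is the one used in the manual; the digest is whatever support provided. The comparison is only meaningful because the expected value arrives out of band (phone or support portal) and not alongside the download. On Windows, certutil -hashfile <file> SHA256 or the PowerShell cmdlet Get-FileHash produce the same digest, which can then be compared by hand or pasted into this script.

```python
"""verify_ova.py: compare a downloaded GSM OVA with the SHA-256 digest obtained
out of band from Greenbone support.  Added example, not code from the manual
or from GOS.  The digest passed on the command line is whatever support sent;
the file name in the usage comment is the one used in the manual."""
import hashlib
import hmac
import re
import sys

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def normalise_digest(text: str) -> str:
    """Turn what support sends into a bare lower-case hex digest.

    Accepts surrounding whitespace, upper-case hex and the sha256sum output
    form '<digest>  <filename>'.  Raises ValueError for anything else, so a
    truncated or mistyped value can never compare equal by accident."""
    tokens = text.strip().split()
    token = tokens[0].lower() if tokens else ""
    if not HEX_SHA256.match(token):
        raise ValueError(f"not a SHA-256 digest: {text!r}")
    return token


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks; OVA images are several GB."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_ova(path: str, expected: str) -> bool:
    """True only if the file's digest equals the support-provided digest.

    hmac.compare_digest is used out of habit for digest comparisons; for a
    local file check the timing side channel it closes is irrelevant."""
    return hmac.compare_digest(sha256_file(path), normalise_digest(expected))


if __name__ == "__main__":
    # Usage: python3 verify_ova.py GSM-150V-4.3.13-gsf201905271.ova <digest-from-support>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_ova.py <file.ova> <sha256-digest-from-support>")
    if verify_ova(sys.argv[1], sys.argv[2]):
        print("checksum OK: the image can be deployed")
        sys.exit(0)
    print("CHECKSUM MISMATCH: the image was modified or corrupted, do not deploy it")
    sys.exit(1)
```

The exit status makes the check usable from a deployment script: a non-zero result stops the import before the OVA ever reaches the hypervisor.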

19.7.2 Deploying the Appliance

The GSM ONE/MAVEN is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.
Each GSM ONE/MAVEN is activated using a unique subscription key.

Note: Cloning the GSM ONE/MAVEN and using several instances in parallel is not permitted because
it can result in inconsistencies and unwanted side effects.

To deploy the GSM ONE/MAVEN, it has to be imported into the hypervisor of choice as follows:
1. Install Oracle VirtualBox for the current operating system.

Note: VirtualBox is often included with Linux distributions.


If this is not the case, or if Microsoft Windows is used, VirtualBox is available
at https://www.virtualbox.org/wiki/Downloads.

2. Start VirtualBox.
3. Select File > Import Appliance in the menu bar.
4. Click and select the OVA file of the appliance (see figure Importing the OVA file of the appliance
(page 307)).

Fig. 19.11: Importing the OVA file of the appliance

5. Check the configuration of the virtual machine in the window Appliance settings (see figure Importing the OVA file of the appliance (page 307)).
Values can be changed by double clicking into the input box of the respective value.

Note: If possible, select 4096 MB RAM (memory) for optimal configuration of the virtual appliance.

6. Click Import.
→ The appliance is imported. This can take up to 10 minutes.
When the appliance is imported, it is displayed in the list Tools in VirtualBox.
7. Select the appliance in the list and click Start.

19.7.3 Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note: Follow the steps described in Chapter Managing the Greenbone Operating System (page 21).
Afterwards, continue with logging into the web interface or with troubleshooting.


19.7.4 Logging into the Web Interface

The main interface of the GSM is the web interface. The web interface can be accessed as follows:
1. Open the web browser.
2. Enter the IP address of the web interface of the GSM.

Tip: The IP address of the GSM is displayed on the login prompt of the console or in the GOS
administration menu after selecting About and pressing Enter.

3. Log in using the web administrator created during the setup.

19.7.5 GSM ONE/MAVEN Troubleshooting

The following warnings and problems are known and depend on the environment:
• On Linux host systems VirtualBox may warn during the import that the host I/O cache is activated if the virtual image is stored on an XFS partition. This warning is expected and can be accepted.
• On Linux host systems the warning “Failed to attach the network LUN
(VERR_INTNET_FLT_IF_NOT_FOUND)” is displayed if the virtual machine does not discover
any network card.
The network card within the VirtualBox hypervisor needs to be configured by clicking Settings
and selecting Network. Usually the default can be accepted.

Fig. 19.12: Choosing the correct network card in VirtualBox

• If the warning “AMD-V is disabled in the BIOS. (VERR_SVM_DISABLED).” is displayed, hardware virtualization (the option “VT-x/AMD-V”) has to be enabled in the BIOS of the host.
An alternative solution is disabling the acceleration in the system configuration of the virtual
machine by clicking Settings and selecting System > Acceleration. Expect noticeably lower scan performance without hardware acceleration.


Fig. 19.13: Disabling the hardware acceleration in VirtualBox

CHAPTER 20

Architecture

This chapter covers the architecture and the communication protocols used by the Greenbone Security Manager. Some protocols are mandatory and some protocols are optional. Some protocols are only used in specific setups.

20.1 Protocols

The GSM requires several protocols to fully function. These protocols provide the feed updates, DNS
resolution, time synchronization, etc. The following connections are initiated by a standalone system or a GSM master acting as a client:

Fig. 20.1: GSM acting as client

• GSM is client
– DNS - Name resolution
* connecting to 53/udp and 53/tcp
* mandatory
* not encrypted


* may use internal DNS server


– NTP - time synchronization
* connecting to 123/udp
* mandatory
* not encrypted
* may use internal NTP server
– Feeds (see below)
* direct
· connecting to 24/tcp or 443/tcp
· direct Internet access required
* via proxy
· connecting to an internal HTTP proxy that supports the CONNECT method, on a configurable port
* connecting to apt.greenbone.net and feed.greenbone.net
* mandatory on stand-alone and master appliances
* the protocol used is SSH on either port and also through the proxy
* encrypted and bidirectionally authenticated via SSH
· Server: public key
· Client: public key
– DHCP
* connecting to 67/udp and 68/udp
* optional
* not encrypted
– LDAPS - User authentication
* connecting to 636/tcp
* optional
* encrypted and authenticated via SSL/TLS
· Server: certificate
· Client: username/password
– Syslog - Remote Logging and alerts
* connecting to 514/udp or 514/tcp
* optional
* not encrypted
– SNMP Traps for alerts
* connecting to 162/udp
* optional
* SNMPv1 only
* not encrypted
– SMTP for E-Mail alerts


* connecting to 25/tcp
* optional
* not encrypted
– SSH for Backup
* connecting to 22/tcp
* optional
* encrypted and bidirectionally authenticated via SSH
· Server: public key
· Client: public key
– Cisco Firepower (Sourcefire) for IPS integration
* connecting to 8307/tcp
* optional
* encrypted and bidirectionally authenticated via SSL/TLS
· Server: certificate
· Client: certificate
– verinice.PRO
* connecting to 443/tcp
* optional
* encrypted via SSL/TLS
· Server: optionally via certificate
· Client: username/password
– TippingPoint SMS
* connecting to 443/tcp
* optional
* encrypted via SSL/TLS
· Server: certificate
· Client: certificate, username/password
The following connections are accepted by a GSM acting as a server.
• GSM is server
– HTTPS - Web interface
* 443/tcp
* mandatory on stand-alone and master appliances
* encrypted and authenticated via SSL/TLS
· Server: optionally via certificate
· Client: username/password
– SSH - CLI access and GMP
* 22/tcp
* optional
* encrypted and authenticated via SSH


Fig. 20.2: GSM acting as server

· Server: public key


· Client: username/password
– SNMP
* 161/udp
* optional
* optionally encrypted when using SNMPv3
In a master/sensor setup the following additional requirement applies. The master (client) initiates
the additional connections to the sensor (server), all of them over SSH:
• SSH for Updates and Feeds and GMP
– 22/tcp
– mandatory
– encrypted and bidirectionally authenticated via SSH
* Server: public key
* Client: public key

20.2 Security Gateway Considerations

Many enterprises deploy security gateways to restrict Internet access. These security gateways
may operate as packet filters or application layer gateways. Some products support deep inspection
and try to determine the actual protocol used in the communication channels. They might even try to
decrypt and analyze encrypted communication.


Fig. 20.3: GSM master and sensor

20.2.1 Standalone/Master GSM

While many protocols used by the GSM are only used internally, some protocols require access to the
Internet and might be filtered by such a security gateway. When deploying the GSM as a standalone
appliance or as a master, the GSM needs to be able to access the Greenbone Security Feed. The feed
may be accessed directly via port 24/tcp or 443/tcp, or through a proxy. In all cases the actual
protocol used is SSH: even on port 443/tcp or through an HTTP proxy (CONNECT method) the payload is SSH, not HTTPS.
A deep inspection firewall might detect the SSH protocol running on port 443/tcp and drop or block the
traffic. If the security gateway tries to decrypt the traffic using man-in-the-middle techniques (TLS
interception), the communication between the GSM and the feed server will fail: the GSM authenticates
the feed server by its public key and the feed server authenticates the GSM by its key, so a substituted
endpoint is rejected and the connection is terminated before any feed data is exchanged. Interception
therefore has to be disabled for apt.greenbone.net and feed.greenbone.net rather than worked around.
Additional protocols which might need Internet access are DNS and NTP. Both DNS and NTP may be
configured to use internal DNS and NTP servers.
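The failure modes described above (a proxy that refuses the CONNECT, a deep-inspection gateway that drops SSH on 443/tcp, a TLS interceptor that waits for a ClientHello the GSM never sends) are all visible in the first bytes that come back on the feed channel. The following script is an added example and not a Greenbone tool: it reproduces only the opening of the feed connection, the HTTP CONNECT request to the proxy followed by a read of the server's SSH identification string, and classifies what answered. Host name and ports are the ones the manual lists; the proxy address in the usage comment is an assumed example. The GSM itself performs the actual feed synchronisation over SSH with public-key authentication in both directions, which this probe does not attempt.

```python
"""feed_probe.py: see what answers on the Greenbone feed channel.

Added example, not part of GOS.  It only reads the first bytes of the
connection; a genuine feed server speaks SSH first ("SSH-2.0-...").  Anything
else in that position is the security gateway talking, not Greenbone."""
import socket

FEED_HOST = "feed.greenbone.net"   # from the manual
FEED_PORTS = (24, 443)             # from the manual; both carry SSH


def classify(first_bytes: bytes) -> str:
    """Classify the first bytes received after the TCP (or CONNECT) handshake."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"        # the feed server (or an SSH-transparent proxy)
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"        # TLS alert/handshake record: a TLS endpoint or interceptor
    if first_bytes.startswith(b"HTTP/"):
        return "http"       # the proxy (or a captive gateway) answering on its own behalf
    if not first_bytes:
        return "silent"     # nothing before timeout: blocked, reset, or a gateway waiting for a TLS ClientHello
    return "unknown"


def build_connect(host: str, port: int) -> bytes:
    """The CONNECT request implied by the GSM's proxy setting."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_reply(reply: bytes):
    """Split the proxy's reply into (status_code, bytes_after_header_block).

    Anything after the blank line is already the tunnelled server talking."""
    head, sep, rest = reply.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy reply (no end of header block)")
    status_line = head.split(b"\r\n", 1)[0]
    fields = status_line.split()
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(fields[1]), rest


def diagnose_proxy_reply(reply: bytes) -> str:
    """Offline part of the proxy probe: CONNECT status first, then the payload."""
    status, rest = parse_connect_reply(reply)
    if status != 200:
        return f"proxy refused CONNECT (HTTP {status})"
    return classify(rest)


def _read_some(sock: socket.socket, n: int = 64) -> bytes:
    try:
        return sock.recv(n)
    except socket.timeout:
        return b""


def probe_direct(port: int, host: str = FEED_HOST, timeout: float = 5.0) -> str:
    """Direct path: what sends the first bytes on host:port?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return classify(_read_some(sock))


def probe_via_proxy(proxy_host: str, proxy_port: int, port: int = 443,
                    host: str = FEED_HOST, timeout: float = 5.0) -> str:
    """Proxy path: send CONNECT, read the reply, then look at the tunnel."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_connect(host, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = _read_some(sock, 4096)
            if not chunk:
                return "proxy closed or stalled before answering CONNECT"
            buf += chunk
        status, rest = parse_connect_reply(buf)
        if status != 200:
            return f"proxy refused CONNECT (HTTP {status})"
        return classify(rest or _read_some(sock))


if __name__ == "__main__":
    import sys
    # Usage: python3 feed_probe.py                      (direct on 24/tcp and 443/tcp)
    #        python3 feed_probe.py proxy.example 3128   (assumed proxy address and port)
    if len(sys.argv) == 3:
        print("via proxy:", probe_via_proxy(sys.argv[1], int(sys.argv[2])))
    else:
        for p in FEED_PORTS:
            print(f"direct {FEED_HOST}:{p}:", probe_direct(p))
```

Run it from a host in the same network segment as the GSM so it passes the same gateway. "ssh" on both direct ports, or "ssh" through the proxy, means the gateway is transparent for the feed; "tls" or "silent" on 443/tcp while 24/tcp works points at deep inspection or TLS interception of port 443; "http" with a 407 means the proxy demands authentication, which the GSM's proxy setting has to supply.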

20.2.2 Sensor GSM

If security gateways are deployed between the master and the sensor the security gateway must
permit SSH (22/tcp) connections from the master to the sensor.

CHAPTER 21

Frequently Asked Questions

21.1 Why is the Scanning Process so Slow?

The performance of a scan depends on various aspects.


• Several port scanners were activated concurrently.
If an individual scan configuration is used, take care to select only a single port scanner in the
family Port Scanner (see Chapter Creating a New Scan Configuration (page 143)). Of course Ping
Host can still be activated.
• Unused IP addresses are being scanned, which is very time-consuming.
In a first phase it is detected for each IP address whether an active system is present. If it is
not, this IP address will not be scanned. Firewalls and other systems can prevent a successful
detection. The NVT “Ping Host” (1.3.6.1.4.1.25623.1.0.100315) offers settings to fine-tune the detection.

21.2 Why Does the Scan Trigger Alarms at Other Security Tools?

For many vulnerability tests the behaviour of real attacks is replicated. Even though a real attack does
not happen, some security tools will issue an alarm.
A known example is:
• Symantec reports an attack regarding CVE-2009-3103 if the NVT “Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code Execution Vulnerability”
(1.3.6.1.4.1.25623.1.0.100283) is executed. This NVT is only executed if safe checks is explicitly
disabled in the scan configuration because it can affect the target system.

21.3 Why Does a VNC Dialog Appear on the Scanned Target System?

When testing port 5900 or configuring a VNC port, a window appears on the scanned target system
asking the user to allow the connection. This was observed for UltraVNC Version 1.0.2.
Solution: exclude port 5900 or other configured VNC ports from the target specification. Alternatively
upgrading to a newer version of UltraVNC would help (UltraVNC 1.0.9.6.1 only uses balloons to inform
users).


21.4 Why Does Neither Feed Update nor GOS Upgrade Work After a Factory Reset?

This is not relevant for virtual appliances where no factory reset is integrated.
A factory reset deletes the whole system including the subscription key. The key is mandatory for
feed updates and GOS upgrade.
1. Reactivate the subscription key:
A backup key is delivered with each GSM appliance, usually stored on a USB stick and labelled
with the key ID. Use this key to reactivate the GSM. The activation is described in the setup guide
of the respective GSM type (see Chapter Setup Guides (page 289)).
2. Update system to current version:
Depending on the age of the emergency system, the respective upgrade procedure has to be
executed.

CHAPTER 22

Glossary

This section defines relevant terminology which is consistently used across the entire system.

22.1 Alert

An alert is an action which can be triggered by certain events. In most cases, this means the output
of a notification, e.g. an e-mail in case of new found vulnerabilities.

22.2 Asset

Assets are discovered on the network during a vulnerability scan or entered manually by the user.
Currently, assets include hosts and operating systems.

22.3 CERT-Bund Advisory

An advisory published by CERT-Bund. See https://www.cert-bund.de/about for more information.

22.4 CPE

Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, platforms, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.
A CPE name starts with “cpe:/”, followed by up to seven components separated by colons:
• Part (h, o or a)
• Vendor
• Product
• Version
• Update
• Edition
• Language
Example: cpe:/o:linux:kernel:2.6.0
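The naming scheme just described is small enough to implement in full. The following parser is an added example, not code from the manual or from GOS: it splits a CPE 2.2 URI into the seven components listed above and implements the "method for checking names against a system" that the glossary mentions, using the CPE 2.2 rule that a component left unspecified in the pattern matches anything. The functions format_cpe and cpe_matches, and the treatment of empty fields as unspecified, are this example's own choices; CPE 2.3 formatted strings with wildcards are out of scope.

```python
"""cpe22.py: parse and match CPE 2.2 URI names such as cpe:/o:linux:kernel:2.6.0.

Added example, not code from the manual or from GOS.  The component order is
the one listed above (part, vendor, product, version, update, edition,
language); matching follows the CPE 2.2 rule that an unspecified component
matches anything."""
from urllib.parse import unquote

PREFIX = "cpe:/"
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"h": "hardware", "o": "operating system", "a": "application"}


def parse_cpe(name: str) -> dict:
    """Split a CPE 2.2 URI into its up-to-seven components.

    Empty trailing or embedded fields ("cpe:/a:v:p::sp1") are unspecified and
    returned as None.  Names are case-insensitive; percent-encoded characters
    (e.g. %7e for '~') are decoded."""
    if not name.lower().startswith(PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    fields = name[len(PREFIX):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"more than {len(COMPONENTS)} components: {name!r}")
    if fields[0].lower() not in PARTS:
        raise ValueError(f"part must be h, o or a: {name!r}")
    parsed = dict.fromkeys(COMPONENTS)
    for key, value in zip(COMPONENTS, fields):
        parsed[key] = unquote(value).lower() if value else None
    return parsed


def format_cpe(parsed: dict) -> str:
    """Inverse of parse_cpe; trailing unspecified components are dropped."""
    values = [parsed.get(key) or "" for key in COMPONENTS]
    while values and values[-1] == "":
        values.pop()
    return PREFIX + ":".join(values)


def cpe_matches(pattern: str, target: str) -> bool:
    """True if every component given in `pattern` equals the one in `target`.

    cpe:/o:linux:kernel therefore matches cpe:/o:linux:kernel:2.6.0 (the
    pattern is less specific), but not the other way round: a bare product
    name on a scan result does not confirm a specific vulnerable version."""
    pat, tgt = parse_cpe(pattern), parse_cpe(target)
    return all(pat[key] is None or pat[key] == tgt[key] for key in COMPONENTS)


if __name__ == "__main__":
    example = "cpe:/o:linux:kernel:2.6.0"   # the glossary's example
    for key, value in parse_cpe(example).items():
        print(f"{key:9s} {value}")
    print(cpe_matches("cpe:/o:linux:kernel", example))
```

The asymmetry in cpe_matches is the point to keep in mind when reading CPE-based results: an NVT that only learned the product name can be matched by every version-specific CVE entry for that product, which is one reason such detections carry a lower Quality of Detection than a banner or package check that yields the version.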


22.5 CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security
vulnerabilities and exposures.

22.6 CVSS

The Common Vulnerability Scoring System (CVSS) is an open framework to characterize vulnerabilities.

22.7 DFN-CERT Advisory

An advisory published by DFN-CERT. See https://www.dfn-cert.de/ for more information.

22.8 Filter

A filter describes how to select a certain subset from a group of resources.

22.9 Group

A group is a collection of users.

22.10 Host

A host is a single system that is connected to a computer network and that can be scanned. One or
many hosts form the basis of a scan target.
A host is also an asset type. Any scanned or discovered host can be recorded in the asset database.
Hosts in scan targets and in scan reports are identified by their network address, either an IP address
or a host name.
In the asset database the identification is independent of the actual network address, which however
is used as the default identification.

22.11 Note

A note is a textual comment associated with an NVT. Notes show up in reports, below the results
generated by the NVT. A note can be applied to a particular result, task, severity class, port and/or
host, so that the note appears only in certain reports.

22.12 Network Vulnerability Test (NVT)

A Network Vulnerability Test (NVT) is a routine that checks a target system for the presence of a specific known or potential security problem.
NVTs are grouped into families of similar NVTs. The selection of families and/or single NVTs is part of
a scan configuration.


22.13 OVAL Definition

An OVAL definition is a definition as specified by the OVAL (Open Vulnerability and Assessment Language), version 5.10.1. It can be used for different classes of security data like vulnerabilities, patches or compliance policies.

22.14 Override

An override is a rule to change the severity of items within one or many report(s).
Overrides are especially useful to mark report items as False Positives (e.g. an incorrect or expected
finding) or emphasize items that are of higher severity in the observed scenario.

22.15 Permission

A permission grants a user, role or group the right to perform a specific action.

22.16 Port List

A port list is a list of ports. Each target is associated with a port list. This determines which ports are
scanned during a scan of the target.

22.17 Quality of Detection (QoD)

The Quality of Detection (QoD) is a value between 0 % and 100 % describing the reliability of the executed vulnerability detection or product detection.
While the QoD range allows the quality to be expressed in a fine-grained way, in fact most of the test routines use a standard methodology. Therefore, each QoD type is associated with a fixed QoD value. The current list of types might be extended over time.


QoD value (QoD type): Description

• 100 % (exploit): The detection happened via an exploit and is therefore fully verified.
• 99 % (remote_vul): Remote active checks (code execution, traversal attack, SQL injection etc.) in which the response clearly shows the presence of the vulnerability.
• 98 % (remote_app): Remote active checks (code execution, traversal attack, SQL injection etc.) in which the response clearly shows the presence of the vulnerable application.
• 97 % (package): Authenticated package-based checks for Linux(oid) systems.
• 97 % (registry): Authenticated registry-based checks for Windows systems.
• 95 % (remote_active): Remote active checks (code execution, traversal attack, SQL injection etc.) in which the response shows the likely presence of the vulnerable application or of the vulnerability. “Likely” means that only rare circumstances are possible in which the detection would be wrong.
• 80 % (remote_banner): Remote banner check of applications that offer the patch level in the version. Many proprietary products do so.
• 80 % (executable_version): Authenticated executable version checks for Linux(oid) or Windows systems where applications offer the patch level in the version.
• 75 % (no type): During system migration this value was assigned to any results obtained before QoD was introduced. However, some NVTs eventually might own this value for some reason.
• 70 % (remote_analysis): Remote checks that do some analysis but which are not always fully reliable.
• 50 % (remote_probe): Remote checks in which intermediate systems such as firewalls might pretend correct detection so that it is actually not clear whether the application itself answered. For example, this can happen for non-TLS connections.
• 30 % (remote_banner_unreliable): Remote banner checks of applications that do not offer the patch level in the version identification. For example, this is the case for many open source products due to backported patches.
• 30 % (executable_version_unreliable): Authenticated executable version checks for Linux(oid) systems where applications do not offer the patch level in the version identification.
• 1 % (general_note): General note on a potential vulnerability without finding any present application.

The value of 70 % is the default minimum QoD used for filtering the displayed results in the reports; results below it are present in the report but hidden until the filter is relaxed.

22.18 Report

A report is the result of a scan and contains a summary of what the selected NVTs detected for each
of the target hosts.
A report is always associated with a task. The scan configuration that determines the extent of the
report is part of the associated task and cannot be modified. Therefore, for any report it is ensured
that its execution configuration is preserved and available.


22.19 Report Format

A format in which a report can be downloaded.


An example is TXT which has the content type “text/plain”, meaning that the report is a plain text
document.

22.20 Result

A single result generated by the scanner as part of a report, for example a vulnerability warning or a
log message.

22.21 Role

A role defines a set of permissions that can be applied to a user or a group.

22.22 Scan

A scan is a task in progress. For each task only one scan can be active. The result of a scan is a report.
The status of all active scans can be seen on the page Tasks.
The progress is shown as a percentage of the total number of tests to be executed. The duration of a scan
is determined by the number of targets and the complexity of the scan configuration and ranges from
minutes to many hours or even days.
The page Tasks offers an option to stop a scan.

22.23 Scanner

A scanner is an OpenVAS Scanner daemon or compatible OSP daemon on which the scan will be run.

22.24 Scan Configuration

A scan configuration covers the selection of NVTs as well as general and very specific (expert) parameters for the scan server and for some of the NVTs.
Not covered by a scan configuration is the selection of targets.

22.25 Schedule

A schedule sets the time when a task should be started automatically, a period after which the task
should run again and a maximum duration the task is allowed to take.


22.26 Severity

The severity is a value between 0.0 (no severity) and 10.0 (highest severity) and also expresses a
severity class (None, Low, Medium or High).
This concept is based on CVSS but is also applied where no full CVSS base vector is available.
For example, arbitrary values in that range are applied for overrides and used by OSP scanners even
without a vector definition.
Comparison, weighting and prioritisation of any scan results or NVTs is possible because the severity
concept is strictly applied across the entire system. Any new NVT is assigned a full CVSS vector
even if the CVE does not offer one, and any result of an OSP scanner is assigned an adequate severity value
even if the respective scanner uses a different severity scheme.
The severity classes None, Low, Medium and High are defined by sub-ranges of the main range 0.0 to
10.0. Users can select different classifications. The default is the NVD classification, which is
the most commonly used one.
Scan results are assigned a severity at the time they are obtained. The severity of the related NVT may change over
time though. When Dynamic Severity is selected, the system always uses the most current severities
of the NVTs for the results.

22.27 Solution Type

This information shows possible solutions for the remediation of the vulnerability.
• Workaround: Information about a configuration or specific deployment scenario that can
be used to avoid exposure to the vulnerability is available. There can be none, one or more
workarounds available. This is usually the “first line of defense” against a new vulnerability
before a mitigation or vendor fix has been issued or even discovered.
• Mitigation: Information about a configuration or deployment scenario that helps to reduce the
risk of the vulnerability is available but that does not resolve the vulnerability on the affected
product. Mitigations may include using devices or access controls external to the affected product.
Mitigations may or may not be issued by the original author of the affected product and they
may or may not be officially sanctioned by the document producer.
• Vendor fix: Information is available about an official fix that is issued by the original author
of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the
vulnerability.
• No fix available: Currently there is no fix available. Information should contain details about
why there is no fix.
• Will not fix: There is no fix for the vulnerability and there never will be one. This is often
the case when a product has been orphaned, is no longer maintained or otherwise deprecated.
Information should contain details about why there will be no fix issued.

22.28 Tag

A tag is a short data package consisting of a name and a value that is attached to a resource of any
kind and contains user defined information on this resource.


22.29 Target

A target defines a set of systems (hosts) that is scanned. The systems are identified either by their IP
addresses, by their host names or with CIDR network notation.

22.30 Task

A task is initially formed by a target and a scan configuration. Executing a task initiates a scan. Each
scan produces a report. As a result, a task collects a series of reports.
A task’s target and scan configuration are static. Thus, the resulting sequence of reports describes
the change of security status over time. However, a task can be marked as alterable when there are no
reports present. For such a task the target and scan configuration can be changed at any time which
may be convenient in certain situations.
A container task is a task with the function to hold imported reports. Running a container task is
forbidden.

Index

A
advisory, 189
Airgap, 53
Airgap FTP server, 55
Airgap USB stick, 54
Alert, 44, 319
Alerts, 153, 279
Alive Test, 115, 150
Architecture, 311
Asset, 319
Assets dashboard, 76
Authenticated scan, 119
Auto-refresh, 89

B
Backup, 48, 313
Blackbox, 120
BSI, 191, 213, 219, 227, 268
BSI TR-03116, 227

C
CERT-Bund, 181
CERT-Bund Advisory, 319
Certificate, 37, 38
Charts, 76
Ciphers, 37
Cisco Firepower, 313
COBIT, 191
Common Platform Enumeration, 204
Common Platform Enumeration (CPE), 319
Common Vulnerabilities and Exposures (CVE), 319
Common Vulnerability Scoring System, 188
Common Vulnerability Scoring System (CVSS), 320
Community Edition, 11, 21
Container Task, 160
Container task, 140
Control Objectives for Information and Related Technology, 191
Copyright file, 73
CPE, 181, 184
CVE, 181
CVE scanner, 138
CVSS, 188

D
Dashboards, 75
DFN, 189
DFN-CERT, 181, 189
DFN-CERT Advisory, 320
DHCP, 29, 312
DNS, 32, 61, 311
DNS server, 32
domain name, 33

E
E-Mail alerts, 312
eth0, 28

F
False Positive, 171
Feed, 50, 61, 65
Feed status, 90
Feed update, 65
Feed update on sensors, 65
File checksums, 198
File content, 192
Filter, 80, 320
Firepower Management Center, 277

G
Global gateway, 32
GMP, 41, 91, 245, 267, 285, 313, 314
GOS Admin Menu
  (selected), 57
  *, 28, 65
  About, 15–17, 62–66, 73, 291, 293, 296, 301, 308
  Add a new route, 31
  Add a new sensor, 255
  Admin Key, 43
  Admin User, 25, 26, 256
  Advanced, 15, 16, 68, 70, 71, 73
  Airgap Master, 54, 55
  Airgap Slave, 56
  Authentication, 45
  Auto, 255
  Backup, 48, 62–64
  Backup Location, 48
  Certificate, 38–40
  Certificates, 60, 61
  Change Password, 25, 27
  Ciphers, 37
  Cleanup, 53
  Client, 49
  Complex, 27
  Configuration > Targets, 113
  Configure a new VLAN interface, 31
  Configure IPv4 Routes, 31, 32
  Configure IPv6 Routes, 31, 32
  Configure Master, 254
  Configure Namespaces, 28
  Configure the Routes for this interface, 31
  Configure the VLAN interface ..., 31
  Configure the VLAN interfaces on this interface, 31
  Contact, 45
  Continue, 43, 46, 71
  Copyright, 73
  CSR, 39
  Data import, 46
  Delete Account, 25, 27
  Delete Update Key, 16
  DHCP, 30
  DNS, 32
  Domainname, 34
  Download, 38, 60, 66, 254
  Enable Guest, 25
  Engine ID, 45
  Enter, 32, 60, 61
  eth0, 28
  Feed, 15, 50–56, 65, 66, 256, 257
  Fingerprint, 44, 255
  Fingerprints, 41, 61
  Flash, 17, 66
  FTP Master, 55
  FTP Master Location, 55
  FTP Master Password, 55
  FTP Master Test, 56
  FTP Master User, 55
  Full Remote, 60
  Full Syslog, 60
  Generate, 38, 60
  Global Gateway, 33
  Global Gateway (IPv6), 33
  GMP, 42, 255
  GMP-State, 255
  Greenbone Server, 52
  Guest User, 26
  Hostname, 34
  HTTPS, 37–41
  Incremental Backup, 62
  Interfaces, 29
  IP, 36
  Key(Editor), 51
  Key(HTTP), 50
  Keyboard, 57
  Length, 27
  List, 63
  List Users, 25
  Location, 45
  Login Attempts, 43
  Login Protection, 43
  Logs, 68
  MAC, 36
  Mail, 58, 59
  Maintenance, 15–17, 62–67, 256
  Management IP (v4), 35
  Management IP (v6), 35
  Master, 254, 255
  Master Identifier, 254
  Max include, 59
  Max size, 59
  MTU, 30
  Namespace: Management, 32, 34, 35
  Network, 28, 29, 32–36
  New Update Key (Editor), 15, 16
  New Update Key (HTTP), 15, 16
  No, 63
  OK, 31, 32, 38, 39, 49, 58–60, 69
  Password, 69
  Password Policy, 25, 27
  Periodic Backup, 48
  PKCS#12, 40
  Port, 46
  Port 9393, 257
  Power, 67
  Privacy, 45
  Reboot, 39–41, 61, 67
  Remote Syslog, 59–61
  Routes, 36
  Save, 23, 27, 28, 32–35, 46, 51, 54, 56, 57, 69, 254–257
  scan1, 28
  Scans > Tasks, 115
  Security Remote, 60
  Security Syslog, 59
  Selfcheck, 62
  Sensor, 254, 255, 257
  Sensor Identifier, 255
  Sensors, 15, 16, 64, 66, 255, 256
  Server, 49
  Server key, 49
  Services, 37–42, 44–46, 254
  Setup, 26–29, 32–43, 45, 46, 48, 50–62, 253–255, 257
  Shell, 71
  Show, 61
  Shutdown, 67
  SNMP, 45
  SSH, 42, 44, 254
  SSH State, 42, 254
  Static IP, 29
  Subscription, 73
  Super Admin, 25, 26
  Superuser, 69
  Superuser State, 69
  Support, 69–71
  Support Package, 70
  Switch Release, 16, 64
  Sync, 17
  Sync port, 52
  Sync proxy, 53
  Synchronisation, 51, 257
  Temporary HTTP, 46
  Test, 50, 256
  Time, 61
  Time synchronisation, 57
  Timeout, 37
  Timesync, 57
  Update, 15, 65
  Upgrade, 15, 16, 64, 256
  Upload, 254
  USB Backup, 64
  USB Master, 54
  User, 26, 27, 256
  User key, 49
  Username, 27, 45
  Users, 26, 27, 256
  Write, 66
  Yes, 23, 38–40, 50, 51, 53, 58, 60, 63, 67–70
GOS Commands
  check-gmp.gmp, 275, 277
  grep, 192
  gvm-cli, 247
  gvm-cli.exe, 246
  gvm-pyshell, 247, 249
  gvm-pyshell.exe, 248, 251
  gvm-script, 274, 275, 277
  gvm-tools, 275
  snmpwalk, 46
GOS WebUI
  -, 83
  :RegEx, 82
  =, 82
  $s, 154, 155, 157
  %T, 156
  ~, 82
  >, 82
  <, 82
  |hyperpage, 219
  121h, 83
  192.168.0.1, 83
  192.168.0.100, 83
  5d1h, 83
  3, 88
  Action > New > Group, 124
  Actions, 164, 167
  Active, 162, 236, 238, 278
  Add, 124, 127, 128
  Add File..., 127
  Add Group, 124
  Add Key, 128
  Add Permission..., 135
  Add results to Assets, 139
  Add User or Group, 126
  Admin, 94
  Administration, 94
  Administration > Groups, 98
  Administration > LDAP, 103
  Administration > Radius, 106
  Administration > Roles, 94–96, 134
  Administration > Users, 91, 93, 97
  Advanced, 128
  Advanced Task Wizard, 112
  Alemba vFire, 281
  Alerts, 157, 282
  alerts, 112
  Alive Test, 148, 234
  All TCP, 236
  Allow, 128
  America/New York, 151
  Any, 101
  Appliance settings, 307
  Apply to, 128
  Assets > Dashboard, 76, 175
  Assets > Hosts, 176, 177
  Assets > Hosts (Classic), 179
  Assets > Operating Systems, 177
  Assets GSM-Scans, 271
  Auth. DN, 103
  Back, 300, 304
  Berichtformat, 215, 216
  Browse, 242
  Browse..., 15, 16, 40, 41, 43, 48–50, 124, 126, 141, 146, 162, 194, 196, 199, 201, 205, 214, 228, 230, 232, 234–236, 238, 239, 254, 278, 280
  BSI Model, 272
  BSI-TR-03116-4 Policy, 228
  Bufferoverflow, 83
  CERT-Bund Advisories, 154, 155, 157
  CERT-Bund Advisory, 154, 155, 157
  Change Permissions, 128
  Changed, 168
  Character set, 219
  Check for, 210, 212
  Check Names, 124, 126
  CLASSES_ROOT, 131
  Click to select files or drag/drop, 299, 303
  Client Certificate, 122
  Clone, 134
  cn, 104
  Column type, 219
  Compliance, 214, 215
  Compliance Tests, 214, 215
  Computer Configuration > Policies > Windows Settings > Security Settings, 124, 127
  Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, 125, 126
  Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules, 131
  Configuration > Alerts, 153, 279, 281, 282
  Configuration > Credentials, 121, 122, 137, 138, 206, 239, 242
  Configuration > Filters, 84, 85
  Configuration > Permissions, 98, 99, 102
  configuration > Permissions, 101
  Configuration > Port Lists, 115, 234, 236, 262
  Configuration > Report Formats, 160, 161, 235, 238, 278
  Configuration > Scan Configs, 86, 142, 143, 145, 146, 205, 213, 239, 242
  Configuration > Scan Configuration, 228
  Configuration > Scanners, 152, 258
  Configuration > Schedules, 150
  Configuration > Tags, 86
  Configuration > Targets, 115, 206, 230, 232, 234, 239
  Configurations > Scan Configs, 230, 232, 234, 236
  Configurations > Targets, 236, 243
  Configure this file or folder then, 128
  Configure this key then, 131
  Consider Alive, 234
  Container Task, 141
  Content, 87
  Controls GSM-Scans, 271
  CPE Policy Check — Single CPE, 210
  CPE Policy Check – Single CPE, 211
  CPE-based Policy Check Violations, 206
  Create, 85, 86, 93, 95, 97–101, 103, 112, 113, 115, 118, 121, 139–141, 143, 146, 151, 153, 162, 172, 205, 206, 208, 214, 228, 230, 232–240, 242, 243, 258, 262, 278, 280–282
  Create / Register VM, 299, 303
  Create Link, 128
  Create Permission, 97
  Create Subkey, 128
  created>-1w, 82
  created>-5d, 83
  created>2014-05-26, 83
  created<-1w, 82
  Credentials, 206, 210, 212
  CVE, 139
  d, 83
  Dashboard, 76
  Define these policy settings, 126
  Delete, 128
  Deny, 128
  Deny log on locally, 125
  Deny log on through Desktop Services, 126
  Deploy a virtual machine from an OVF or OVA file, 299, 303
  Do not automatically delete reports, 116
  Done, 139, 159, 208, 230, 233, 235, 237, 240, 243
  Download, 218, 237, 242
  Dynamic Severity, 324
  Edit, 124–127, 131
  Edit Network Vulnerability Test Families, 192, 196, 199, 201, 214, 215, 228, 242
  Edit Role..., 135
  Edit Scanner Preferences, 145, 146
  Email report to, 112
  Empty Trashcan, 87
  Empty, static and fast, 143
  Enable, 103, 106
  exploit, 83
  Extras > CVSS Calculator, 188
  Extras > Feed Status, 90
  Extras > My Settings, 87
  Extras > Performance, 265
  Extras > Trashcan, 87
  Families/Total, 142
  File > Import Appliance, 307
  File Checksum: Errors, 199
  File Checksum: Violations, 199
  File Checksums, 199
  File Content, 192
  File Content: Errors, 194
  File Content: Violations, 194
  File System, 127
  Filter, 81, 208, 211, 212
  Filters, 85
  Fingerprint, 22
  Finish, 132, 300, 304
  first, 218, 237, 242
  Folder, 127
  Full and Fast, 120, 136, 204, 205, 209, 211
  Full and fast, 139, 143
  General Command Permissions, 97
  general/IT-Grundschutz, 218
  general/IT-Grundschutz-T, 218
  get_users (Has read access to users), 97
  Global, 124, 135
  GMP Scanner, 258
  Gone, 168
  Grant, 118
  GrantReadPriv, 97
  Greenbone Local Scan, 127
  Greenbone Local SecRights, 124–127, 131, 132
  Greenbone: Automatic Base Security Check, 274
  Greenbone: Automatically assign components, 274
  Greenbone: Start Vulnerability Tracking, 271
  Group, 118, 125
  Group or user names, 127
  Group Policy Management, 124
  Group Policy Objects, 124
  Group Policy objects, 132
  Group Scope, 124
  Group Type, 124
  Group with Tags..., 271
  Groups, 92, 98, 101
  h, 83
  High, 165, 324
  Host, 155, 164, 258
  Host Access, 92, 93
  Hosts, 114, 172, 176, 177
  Hosts/Manual, 113
  ID, 101, 103
  Import, 307
  Information Security Model, 269
  Interface Access, 93
  Inventory > Inventory, 135
  IT-Grundschutz, 15. EL, 214, 215
  IT-Grundschutz, Kompendium, 215, 216
  ITG, 218
  Launch IT-Grundschutz (15. EL), 215
  Launch latest IT-Grundschutz version, 215
  LDAP Authentication Only, 104
  LDAP Host, 106
  LDAP host, 104
  Level of Security (IT-Grundschutz), 216
  Link an Existing GPO, 132
  Link an Existing GPO..., 132
  list, 156
  localhost ssh-rsa AAAAB3NzaC1y...P3pCquVb, 155
  Location, 164, 218
  Log, 165, 171, 216, 241, 244
  Login Name, 92
  Low, 165, 216, 324
  m, 83
  MACHINE, 131
  Medium, 165, 324
  Method, 279, 281, 282
  missing, 212
  Modify Task Wizard, 112
  My Settings, 81
  Name, 84, 87, 96, 97, 101, 102, 117, 124, 142, 152, 183, 184, 186, 187, 189, 190
  name:admin$, 82
  name~admin, 82
  Navigator, 301, 304
  Network, 308
  Network Source Interface, 93
  Network Vulnerability Test Families, 143
  Network Vulnerability Test Preferences, 143, 145, 205
  New, 124, 154, 155, 157, 168
  New Container Task, 140
  New Permission, 97
  New Rule...?, 131
  New Severity, 172, 206
  New Task, 115, 139, 208, 230, 233, 234, 236, 240, 243, 282
  Next, 131, 132, 299, 303
  No, 70
  None, 324
  NVT, 154, 155, 157
  NVT OID, 206
  NVTs, 154, 155, 157
  NVTs/Total, 142
  OK, 124–128, 131, 132, 135, 136, 219, 269, 274
  on port, 282
  Other, 219
  ou=people,dc=domain,dc=de, 104
  OVAL-SC, 242
  OVAL-SC Archive, 242
  Overflow, 83
  overflow, 83
  Paranoid, 183
  Partial CVE match, 173
  Password, 24, 92, 122, 258
  Perform check, 228
  Permissions, 99–101, 103, 118, 135
  Ping Host, 317
  Policy, 192, 195, 196, 198, 199, 201, 205, 228, 242
  Port List, 234, 236
  Port Ranges — Manual, 234
  Port Scanner, 317
  port_list, 156
  Power on, 301, 304
  Predefined, 131
  present, 210
  Propagate inheritable permissions to all subfolders and files, 128
  Propagate inheritable permissions to all subkeys, 131
  proxy, 100
  QoD, 164
  RADIUS Authentication Only, 106
  RADIUS Host, 106
  read, 100
  ReadOnly, 134
  Reboot, 15, 16
  Registry, 128
  Registry Content: Errors, 197
  Registry Content: Violations, 197
  Relations, 271
  remote, 83
  Rename, 135
  Replace existing file with, 192, 196, 199, 201
  Report, 166, 282
  Report Format, 156
  Report Formats, 162, 235, 238, 278
  Report: Results, 162, 163, 165, 166, 218, 237, 241, 283
  Report: Summary and Download, 162, 165, 218, 237, 241, 283
  Reports, 163, 167
  Reports/Last, 166
  Reports/Total, 166, 167
  Reports: Summary and Download, 163
  Restricted Groups, 124
  resume_task, 100
  Role, 118
  Roles, 95, 97, 101
  Roles (optional), 92
  Router-advertisement, 30
  rows, 218, 237, 242
  rows=10, 81, 82
  Run Alert, 283
  s, 83
  safe checks, 317
  Same, 168
  Save, 95–97, 104, 106, 112, 145, 147, 157, 162, 194, 196, 199, 201, 206, 210, 212, 215, 216, 228, 230, 232, 234, 236, 238, 240, 242, 243, 278
  Scan Configs, 86, 143, 146, 214, 228, 230, 232, 234, 236, 239, 242
  Scanner, 139
  Scanner Preferences, 143
  Scanners, 152
  Scans > Dashboard, 76
  Scans > Notes, 171
  Scans > Overrides, 206
  Scans > Reports, 139, 162, 163, 165, 166, 171, 208, 211, 212, 216, 229, 230, 233, 235, 237, 241, 243, 283
  Scans > Results, 169
  Scans > Tasks, 99, 110–112, 117, 119, 139, 140, 157, 166, 167, 195, 198, 201, 204, 208, 230, 233, 234, 236, 240, 243, 259, 282
  SecInfo, 93
  SecInfo > CERT-Bund Advisories, 190
  SecInfo > CPEs, 186
  SecInfo > CVEs, 184
  SecInfo > Dashboard, 76
  SecInfo > DFN-CERT Advisories, 189
  SecInfo > NVTs, 183
  SecInfo > OVAL Definitions, 187
  SecInfo Management, 181
  Secret Key, 106
  Security, 124
  Select all NVTs, 145
  Select file..., 269, 272
  Send to host, 282
  Separated by, 219
  Services, 22
  Set Value, 128
  Settings, 135, 308
  Settings > Data Inputs > TCP, 282
  Settings > Data inputs > TCP, 286
  Setup, 22, 24, 256
  Severity, 164, 172
  Severity (Class), 165, 216, 241, 244
  Single CPE, 205, 210, 211
  SMB, 240
  Solution type, 164
  sort=name, 82
  Sourcefire Connector, 279
  Splunk Connector, 283
  SSH, 22, 240
  Start, 307
  Start Scan, 110
  start_task, 100
  Status, 110, 111, 119
  stop_task, 100
  Super (Has super access), 101
  Super Admin, 94
  System > Acceleration, 308
  Tags, 86
  Take Ownership, 128
  Targets, 85
  Task, 112
  task, 156
  Task Wizard, 110
  Tasks, 110, 112, 166, 208, 237, 240, 243, 323
  Term, 85
  test_alert, 100
  Text, 219
  Text delimiter, 219
  This group is member of, 124
  This object and child objects, 128
  TLS Map, 237
  Tools, 307
  Trashcan, 87
  Trust (Last Verified), 162, 278
  Type, 85, 258
  uid, 104
  Unicode (UTF-8), 219
  Update, 81, 165, 218, 241, 244
  Updated, 154, 155, 157
  Upload, 15, 16, 40, 41, 43, 48–50, 254
  Upload file, 192, 196, 199, 201, 205
  User, 24, 25, 118
  User Tags, 85
  Username, 258
  Username + Password, 122
  Username + SSH Key, 122
  USERS, 128
  Users, 25, 93, 98, 101
  verify_agent, 100
  verify_report_format, 100
  verify_scanner, 100
  Virtual Machines, 301, 304
  Vulnerability, 139, 163, 208, 211, 212
  w, 83
  Windows file Checksums, 201
  Windows Management Instrumentation (ASync-In), 132
  Windows Management Instrumentation (DCOM-In), 132
  Windows Management Instrumentation (WMI), 131
  Windows Management Instrumentation (WMI-In), 132
  Windows Registry Check, 196
  Write, 128
  XML, 282
  y, 83
  Yes, 26, 70, 122, 128, 139, 162, 236, 238, 278
  yes, 215, 228
Greenbone Management Protocol, 245, 267
Greenbone Security Explorer, 159
Greenbone Security Feed, 183
Group, 320
Groups, 97
GSM 150, 6
GSM 25V, 9, 10
GSM 35, 8
GSM 400, 6
GSM 5400, 6
GSM 600, 6
GSM 650, 6
GSM 6500, 6
GSM MAVEN, 10
GSM ONE, 9
Guest, 93

H
Host, 320
host name, 33
HTTP proxy, 315
HTTP-Proxy, 312
HTTPS, 313

I
Icons, 76
Information Systems Audit and Control Association, 191
International Organization for Standardization, 191
IP address, 35
IPS, 277
IPv6, 30
ISACA, 191
ISMS, 268
ISO, 191
ISO 27000, 191
ISO 27001, 268
ISO 27005, 268
IT Grundschutz, 213
IT security management, 267
IT-Grundschutz, 267, 272
IT-Grundschutz catalogs, 268

L
Large Enterprise Class, 6
LDAP, 91, 92, 103, 104
LDAPS, 312
Local security checks, 119
local security checks, 115
Logging into the web interface, 291, 293, 295, 301, 307

M
MAC address, 35
mailhub, 58
Main dashboard, 75
Management IP address, 35
maxchecks, 117
maxhosts, 117
Medium Enterprise Class, 6
migration, 13
MITRE, 186
MTU, 30

N
Nagios, 274
NASL wrapper, 146
Network Intrusion Detection System, 277
Network Time Protocol, 57
Network Vulnerability Test, 183
Network Vulnerability Test (NVT), 320
NIDS, 277
Nmap, 146
Note, 320
Notes, 169
NTP, 57, 312
NVT, 142, 169, 181, 183
NVT-Family, 142

O
OMP Commands
  create_target, 247, 249
Open Scanner Protocol, 267
Open Vulnerability and Assessment Language, 186
OSP, 267
OVAL, 238
OVAL Definition, 181, 320
Override, 171, 321

P
PCI DSS, 191, 226
Permission, 321
Permissions
  authenticate, 96
  get_alerts, 102
  get_configs, 102
  get_filters, 102
  get_groups, 97
  get_notes, 102
  get_overrides, 102
  get_roles, 97
  get_schedules, 102
  get_settings, 96
  get_tags, 102
  get_targets, 102
  get_tasks, 102
  get_users, 96, 102, 118
  write_settings, 96
Ping, 146
Port list, 321
port list, 150
Powerfilter, 80
  first, 82
  rows, 81
  sort, 82
  sort-reverse, 82
  tag, 82
powerfilter, 154
Preferences
  auto_enable_dependencies, 147
  Base, 191
  cgi_path, 147
  checks_read_timeout, 147
  Data length, 149
  Do a TCP ping, 148, 148
  Do an ICMP ping, 148
  Do not randomize the order in which ports are scanned, 148
  Do not scan targets not in the file, 148, 149
  drop_privileges, 147
  Errors, 191
  File Checksums, 198
  File Checksums: Errors, 198
  File Checksums: Matches, 198
  File Checksums: Violations, 198
  File containing grepable results, 148, 149
  File Content, 192
  File Content: Errors, 192
  File Content: Matches, 192
  File Content: Violations, 192
  Fragment IP packets, 149
  Host Timeout, 149
  Identify the remote OS, 149
  Initial RTT timeout, 149
  Mark unreachable Hosts as dead, 148
  Matches, 191
  Max Retries, 149
  Max RTT timeout, 149
  max_sysload, 147
  Maximum wait between probes, 149
  Min RTT Timeout, 149
  Min RTT timeout, 149
  min_free_mem, 147
  Minimum wait between probes, 149
  network_scan, 147
  nmap additional ports for -PA, 148
  nmap: try also with only -sP, 148
  non_simult_ports, 147
  optimize_test, 147
  plugins_timeout, 147
  Ports scanned in parallel (max), 149
  Ports scanned in parallel (min), 149
  Report about reachable Hosts, 148
  Report about unreachable Hosts, 148
  report_host_details, 147
  RPC port scan, 149
  Run dangerous ports even if safe checks are set, 149
  safe_checks, 147, 149
  scanner_plugins_timeout, 147
  Service scan, 149
  Source port, 149
  TCP ping tries also TCP-SYN ping, 148
  TCP scanning technique, 149
  time_between_request, 147
  timeout_retry, 147
  Timing policy, 149
  unscanned_closed, 148
  unscanned_closed_udp, 148
  Use ARP, 148
  Use hidden option to identify the remote OS, 149
  Use Nmap, 148
  use_mac_addr, 148
  vhosts, 148, 148
  vhosts_ip, 148, 148
  Violations, 191
  Windows Registry Check, 195
  Windows Registry Check: Errors, 195
  Windows Registry Check: OK, 195
  Windows Registry Check: Violations, 195
Prognosis, 138, 179
Protocols, 311

Q
QoD, 183, 321
QoD types, 321
Quality of Detection, 321
Quality of Detection (QoD), 321

R
RADIUS, 91, 92, 103
Reboot, 66
Registry Content, 195
rehash.exe, 201
Report, 322
Report Format, 267
Report format, 322
Result, 323
Role, 323
Roles, 94
  Admin, 92, 94
  Guest, 92, 94, 94
  Info, 92, 94
  Monitor, 92, 94
  Observer, 92, 94
  Super Admin, 94
  User, 92, 94
Routes, 31, 35

S
Scan, 323
scan administrator, 24
Scan Config, 117
Scan configuration, 323
Scan dashboard, 76
Scanner, 151, 323
Schedule, 323
SCP, 155
SecInfo Dashboard, 182
Selfcheck, 61
Severity, 323
Severity class, 323
Shell, 71
Shutdown, 67
smart host, 58
SME/SMB Class, 6
SMTP, 312
SNMP, 36, 44, 46, 150, 156, 267, 312, 314
SNMP trap, 156
Solution Type, 183
Solution type, 324
Sourcefire, 277
Splunk, 281, 285
SSH, 313, 314
SSH Fingerprint, 43
Starting the appliance, 290, 293, 295, 297
Static IP address, 29
Status Codes, 251
Subscription key, 71
Super Admin, 94
Superuser, 68
Support, 68
Support package, 69, 70
Syslog, 59, 267, 312

T
Tag, 324
Tags, 85
Target, 324
Task, 325
Temporary HTTP server, 46
TippingPoint SMS, 313
TLS, 235
Trend, 166

U
Upgrade, 64
Upgrading Sensors, 64
User Management, 91
User Settings
  Details Export File Name, 88
  Filter, 89
  List Export File Name, 89
  Password, 88
  Report Export File Name, 89
  Rows Per Page, 81, 88
  Severity Class, 89
  Timezone, 88
  User Interface Language, 88
  Wizard Rows, 88

V
Verinice, 267
verinice.PRO, 313
Virtual sensor, 9
VirtualBox, 11
VLAN, 30
VMware, 9, 10

W
web administrator, 24
Web interface, 75
Whitebox, 120