I am trying to get OpenVAS working per the article below.
https://www.atlantic.net/community/howto/install-openvas-vulnerability-scanner-centos-7
However it isn't working, when I run openvas-check-setup I get this error below and when I check /var/log/redis/redis.log it says "Opening Unix socket: bind: Permission denied"
openvas-check-setup 2.3.7 Test completeness and readiness of OpenVAS-8 (add '--v6' or '--v7' or '--v9' if you want to check for another OpenVAS version)
Please report us any non-detected problems and help us to improve this check routine: http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.7.
OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
OK: redis-server is present in version v=3.0.7.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
ERROR: redis-server is not running or not listening on socket: /tmp/redis.sock
FIX: You should start the redis-server or configure it to listen on socket: /tmp/redis.sock
ERROR: Your OpenVAS-8 installation is not yet complete!
Best Answer
Congratulations, you've found a bad Internet tutorial. It appears that the author of that tutorial never actually tested it himself to see if it works, because it doesn't work as-is. Worse, it appears that that tutorial is actually linked to from the official OpenVAS web site, which is going to mislead and frustrate a lot of people.
So, the reason redis is failing to start is because SELinux denies redis-server to write to /tmp. You can see this in your audit logs:
Rather than /tmp, the socket file should be located in /run/redis, for instance:
This allows it to operate within the constraints SELinux imposes.
While editing /etc/redis.conf, be sure to check the bottom of the file for a second unixsocket directive that got added by openvas-setup and remove it as redundant.
Of course, generally on SELinux enabled systems, redis should be configured to listen to a TCP port on localhost, rather than using a socket, as other daemons might not be allowed to communicate with redis via a socket, but only via TCP. This isn't really an issue here as OpenVAS isn't (yet) SELinux-confined, but it also doesn't support contacting redis via TCP. The result of this is that this redis installation cannot be shared or reused with any other services than the local copy of OpenVAS.
But there's more than that wrong with this tutorial!
The second thing is that nowhere in it does OpenVAS ever get configured to actually use redis. It relies on the compiled in default, which as we have seen is wrong. To fix this requires setting a configuration directive in /etc/openvas/openvassd.conf, something which the tutorial never mentions:
The third thing is that it uses a third party repo called atomic, which provides packages that conflict with packages in normal repos such as EPEL - which already provides redis and OpenVAS! It's not clear why atomic have done this, nor why this tutorial uses atomic to begin with. Using repositories with conflicting packages is potentially dangerous. If you continue with using atomic packages, you will need to be absolutely certain that this (virtual) machine is never used for anything else for any reason whatsoever.
Finally, once you get it installed, the web interface isn't actually reachable because the indicated port isn't open in the firewall. You also have to do this yourself.
Once you're done, openvas-check-setup should say, among other things...
The irony is that it will then also say:
Which appears to be completely gratuitous and unnecessary, as OpenVAS doesn't run confined by SELinux anyway.
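The three redis-related problems described in the answer above (socket under /tmp, a second unixsocket directive, and kb_location not matching) can be checked together. This is an added example, not code from the original answer or from OpenVAS; the sample configs are constructed, and the path /run/redis/redis.sock and the function names are assumptions.

```python
import re

# Constructed sample configs for illustration (not taken from a real host).
REDIS_CONF_BAD = """\
port 0
unixsocket /tmp/redis.sock
unixsocketperm 700
# second directive appended at the bottom of the file
unixsocket /tmp/redis.sock
"""
REDIS_CONF_FIXED = """\
port 0
unixsocket /run/redis/redis.sock
unixsocketperm 700
"""
OPENVASSD_CONF_FIXED = "kb_location = /run/redis/redis.sock\n"


def directive_values(text, name, sep=r"\s+"):
    """Return every value set for `name`; commented-out lines never match."""
    pattern = re.compile(rf"^\s*{re.escape(name)}{sep}(\S+)")
    matches = (pattern.match(line) for line in text.splitlines())
    return [m.group(1) for m in matches if m]


def audit(redis_conf, openvassd_conf):
    """Compare redis.conf and openvassd.conf text; return a list of findings."""
    findings = []
    sockets = directive_values(redis_conf, "unixsocket")
    kb = directive_values(openvassd_conf, "kb_location", r"\s*=\s*")
    if not sockets:
        findings.append("redis.conf: no unixsocket directive")
    if len(sockets) > 1:
        findings.append(f"redis.conf: {len(sockets)} unixsocket directives, remove the redundant one")
    # Assumption: when a directive is repeated, the last occurrence takes effect.
    effective = sockets[-1] if sockets else None
    if effective and effective.startswith("/tmp/"):
        findings.append(f"redis.conf: socket {effective} is under /tmp, which SELinux denies to redis-server")
    if not kb:
        findings.append("openvassd.conf: kb_location not set, compiled-in default is used")
    elif effective and kb[-1] != effective:
        findings.append(f"openvassd.conf: kb_location {kb[-1]} does not match redis socket {effective}")
    return findings


if __name__ == "__main__":
    for finding in audit(REDIS_CONF_BAD, ""):
        print(finding)
```

To run it against a real host, pass the contents of /etc/redis.conf and /etc/openvas/openvassd.conf to audit() instead of the sample strings.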