Trusted NVTs and Report Formats — Managing Signatures and Trust in OpenVAS
This text explains what you need to do to allow your OpenVAS Scanner to execute only signed NVTs with a trust level you decide and to verify the report formats in your OpenVAS installation.
Signed NVTs are usually provided by NVT Feed Services. For example, the NVTs contained in the OpenVAS NVT Feed are signed by the "OpenVAS Transfer Integrity" key which you can find at the bottom of this page. If you have already installed OpenVAS, you can use the "openvas-nvt-sync" command to synchronize your NVT collection with the OpenVAS NVT Feed and receive signatures for all NVTs.
Some Feed Services may also provide signatures for additional components like report formats. The OpenVAS NVT Feed for example provides signatures for a number of report formats contained in the default OpenVAS installation.
What is a signature (in simple words)?
A clever method is applied to compute a unique checksum for a file. If only a single character in the file changes, the checksum will change as well.
This checksum is digitally signed in such a way that, using a public certificate, you can test whether a certain key was used to create the signature. The key and the certificate always form a related pair.
If the signed file has been modified by a third party, the signature will be broken. In this case you should not trust the file.
If the signature is not broken, the question remains whether you trust the owner of the key. If you decide to do so (and there are many ways and supporting technologies to manage this), you can accept the file as trustworthy.
The signature format
The signatures for OpenVAS NVTs, their associated files and report formats are standard so-called "ASCII-armored detached OpenPGP signatures" created with GnuPG. This format features:
- multiple signer keys possible
- site administrators can decide which keys to trust
- signatures can be created and verified with widely available tools like GnuPG
- detached signatures do not require changes to the signed file (like inline signatures would)
The name of the signature file is the name of the signed file with the added extension ".asc". That is, the name of the signature file for a file "myscript.nasl" is "myscript.nasl.asc".
The NVT signature verification process
The signature verification of the OpenVAS Scanner is activated by setting "nasl_no_signature_check = no" in /etc/openvas/openvassd.conf.
At start-up time of the OpenVAS Scanner, all signatures are checked for validity. Only fully trusted files are considered to be valid by the scanner and thus loaded and made available to users of the scanner.
The trust check uses a special list of certificates managed for the OpenVAS Scanner. It is a standard GnuPG keyring located by default in /etc/openvas/gnupg.
When OpenVAS verifies a signature it checks all signatures contained in the signature file and all signatures must be fully valid. This means that all of the following criteria must be fulfilled for all signatures:
- The certificate must be present in the keyring.
- The key must be fully valid.
- The signature must be valid.
If any of the signatures does not meet all of these criteria, the file is considered untrustworthy and will not be executed at all. If all signatures meet the criteria, the script is trusted fully and may execute any functions. If no signature file exists, the script is not executed at all.
The report format signature verification process
OpenVAS Manager contains a number of predefined report formats which allow you to view and download vulnerability scan results as a PDF document or an XML document, among other formats.
To help you verify that the report formats of your OpenVAS installation are indeed the ones provided by the OpenVAS project and have not been tampered with, the OpenVAS NVT Feed also contains signatures for a number of report formats.
Please note that this verification requires you to specify your trust in the signing key as noted above. If you have already set up your OpenVAS Installation to verify NVT signatures there is nothing else you need to do. If you have not, see below for instructions.
You can use the Greenbone Security Assistant to verify the signatures by clicking on the "Verify Report Format" button in the list of report formats.
If you want to use the OMP protocol to verify a report format directly through OpenVAS Manager, please see the verify_report_format command.
Initial preparation to set trust: create key
To express trust to keys that signed NVTs (see "How to set trust" below) you need a signing key for your OpenVAS installation. You can use an existing key you already have, or you can generate a new one.
If you want to create a new or separate key for your OpenVAS installation, please ensure that there is a "gnupg" directory in your system configuration directory. If you have built your OpenVAS installation with a distinct prefix and are unsure which directory this refers to, use the "openvassd -y" command to display it. For the examples on this page, it is assumed that your system configuration directory is "/etc".
Once you have made sure that the /etc/openvas/gnupg exists, you can use the following command to create a new key in this directory:
# gpg --homedir=/etc/openvas/gnupg --gen-key
GnuPG will guide you through the key creation process by asking a number of questions about the key you wish to create. If you are unsure, it is safe to choose the default provided by GnuPG.
This needs to be done only once for an OpenVAS Scanner installation.
The remaining examples on this page will assume that you have created your key in the "/etc/openvas/gnupg" directory. If you are using a different key or have created the key in a different directory, please adjust the commands accordingly.
How to add a certificate
To add a certificate to the OpenVAS Scanner keyring issue this command:
# gpg --homedir=/etc/openvas/gnupg --import certificate-file.asc
For example, if you wanted to import the Transfer Integrity certificate for the OpenVAS NVT Feed provided at the bottom of this page, you could download and import it using the following two commands:
# wget http://www.openvas.org/OpenVAS_TI.asc
# gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc
How to set trust
For OpenVAS to trust a signature, the key used to create the signature has to be valid. A certificate that has just been imported has unknown validity and is therefore not yet valid.
To mark a certificate as trusted for your purpose, you have to sign it. The preferred way is to use local signatures that remain only in the keyring of your OpenVAS Scanner installation.
To finally sign a certificate you need to know its KEY_ID. You either get it from the table at the bottom or via a "list-keys" command. Then you can locally sign:
# gpg --homedir=/etc/openvas/gnupg --list-keys
# gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID
For example, to express your trust in the OpenVAS Transfer Integrity you imported above, you could use the following command:
# gpg --homedir=/etc/openvas/gnupg --lsign-key 48DB4530
Before signing you should be absolutely sure that you are signing the correct certificate. You may use its fingerprint and other methods to convince yourself.
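The fingerprint check recommended above, as an added example that is not part of the OpenVAS project's own tooling: the certificate in the scanner keyring is locally signed only after its fingerprint, extracted from GnuPG's "--with-colons" output, matches the value obtained from an independent source. It assumes the keyring at /etc/openvas/gnupg; the sample colon-separated output and its fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the OpenVAS project: refuse to run --lsign-key unless
# the fingerprint in the scanner keyring matches the one you verified out of band.
# Assumption: the keyring is /etc/openvas/gnupg (override via environment).
OPENVAS_GNUPGHOME=${OPENVAS_GNUPGHOME:-/etc/openvas/gnupg}

# key_fingerprint_from_colons COLONS_OUTPUT KEY_ID
# Picks the "fpr" record that directly follows the "pub" record whose key ID
# (field 5) ends with KEY_ID; prints nothing when the key is not present.
key_fingerprint_from_colons() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '
        $1 == "pub" { want = (substr($5, length($5) - length(id) + 1) == id) }
        $1 == "fpr" && want { print $10; want = 0; exit }'
}

# fingerprints_match A B: compare ignoring spaces and letter case, so a value
# copied from a web page ("1234 ABCD ...") still compares correctly.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# lsign_if_fingerprint_matches KEY_ID EXPECTED_FPR: the lsign step from the
# text, guarded by the fingerprint comparison (needs gpg and the keyring).
lsign_if_fingerprint_matches() {
    actual=$(key_fingerprint_from_colons \
        "$(gpg --homedir="$OPENVAS_GNUPGHOME" --with-colons --fingerprint "$1" 2>/dev/null)" "$1")
    if fingerprints_match "$actual" "$2"; then
        gpg --homedir="$OPENVAS_GNUPGHOME" --lsign-key "$1"
    else
        echo "fingerprint mismatch for $1: got '$actual', expected '$2'; not signing" >&2
        return 1
    fi
}

# Constructed "--with-colons --fingerprint" output for two keys (placeholder
# key IDs and fingerprints, not real OpenVAS values).
SAMPLE_COLONS='tru::1:1293840000:0:3:1:5
pub:-:2048:1:00000000AAAA1111:2011-01-01::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456700000000AAAA1111:
uid:-::::2011-01-01::UIDHASH::Example Signer One <one@example.invalid>:
pub:-:2048:1:00000000BBBB2222:2011-01-01::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9800000000BBBB2222:'
```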
How to remove a certificate
In case you decide to no longer trust a key, you can delete the key from your keyring using the following command:
# gpg --homedir=/etc/openvas/gnupg --delete-keys KEY_ID
Manual signature verification
To verify the signature of a file manually on the command line, you can either run GnuPG against the scanner keyring:
$ gpg --homedir=/etc/openvas/gnupg --verify script.nasl.asc script.nasl
Or you can use the standalone nasl interpreter:
$ openvas-nasl -p script.nasl
The -p option means that the script is only parsed and not executed.
To debug the signature verification done by the nasl interpreter, use the -T option to enable the trace mode. The signature verification will leave detailed information about the verification and the signatures found in the trace file.
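The trust decision described under "The NVT signature verification process" and the manual check above, combined in an added example that is not OpenVAS code: GnuPG's machine-readable status lines are classified with the page's three criteria (certificate present, key fully valid, signature valid, for every signature in the .asc file), and a file without a detached signature is rejected outright. It assumes the keyring at /etc/openvas/gnupg; the sample status output is constructed with placeholder key IDs and fingerprints.

```shell
#!/bin/sh
# Added example, not from the OpenVAS project: apply the trust criteria from the
# text to the machine-readable output of
#   gpg --homedir=/etc/openvas/gnupg --status-fd 1 --verify FILE.asc FILE
# Assumption: the scanner keyring is /etc/openvas/gnupg (override via environment).
OPENVAS_GNUPGHOME=${OPENVAS_GNUPGHOME:-/etc/openvas/gnupg}

# nvt_trust_decision STATUS_TEXT -> prints "trusted" or "untrusted".
# Every signature must verify (VALIDSIG) with a fully valid key (TRUST_FULLY
# or TRUST_ULTIMATE). A key missing from the keyring (ERRSIG/NO_PUBKEY), a
# broken signature (BADSIG), an expired or revoked key, or a lower trust
# level on any one signature makes the whole file untrusted.
nvt_trust_decision() {
    printf '%s\n' "$1" | awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG"                              { sigs++ }
        $2 == "BADSIG" || $2 == "ERRSIG"              { sigs++; bad++ }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG"        { bad++ }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { full++ }
        $2 ~ /^TRUST_(UNDEFINED|NEVER|MARGINAL)$/     { bad++ }
        END { if (sigs > 0 && bad == 0 && full == sigs) print "trusted"; else print "untrusted" }'
}

# nvt_check_file FILE: no detached .asc means the script is never loaded;
# otherwise verify against the scanner keyring and classify the status lines.
nvt_check_file() {
    [ -f "$1.asc" ] || { echo untrusted; return 0; }
    nvt_trust_decision "$(gpg --homedir="$OPENVAS_GNUPGHOME" --status-fd 1 \
        --verify "$1.asc" "$1" 2>/dev/null)"
}

# Constructed status output (placeholder key IDs/fingerprints) for three cases.
STATUS_FULLY_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG KEYID_PLACEHOLDER OpenVAS Transfer Integrity
[GNUPG:] VALIDSIG FPR_PLACEHOLDER 2011-01-01 1293840000 0 4 0 1 2 00 FPR_PLACEHOLDER
[GNUPG:] TRUST_FULLY 0 pgp'
STATUS_KEY_NOT_IN_KEYRING='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG KEYID_PLACEHOLDER 1 2 00 1293840000 9
[GNUPG:] NO_PUBKEY KEYID_PLACEHOLDER'
# Two signers; the second key was imported but never locally signed.
STATUS_SECOND_SIGNER_UNTRUSTED="$STATUS_FULLY_TRUSTED
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG KEYID2_PLACEHOLDER Some Other Signer
[GNUPG:] VALIDSIG FPR2_PLACEHOLDER 2011-01-01 1293840000 0 4 0 1 2 00 FPR2_PLACEHOLDER
[GNUPG:] TRUST_UNDEFINED 0 pgp"
```

Run nvt_check_file on a script under the plugins directory to see the same verdict the scanner applies at start-up.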
Overview on existing certificates
Name: OpenVAS Transfer Integrity
KEY_ID: 48DB4530
Certificate file: OpenVAS_TI.asc
Key owner: OpenVAS Development Team
This certificate signs .nasl and .inc scripts as they entered the OpenVAS source code repository or as they were updated.
Thus, a valid signature means that the script has not been modified on the way between the OpenVAS distribution point and your OpenVAS installation.
The presence of a signature does NOT MEAN ANY JUDGEMENT of the script itself. It only helps to verify integrity after transfer.
The scripts are WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.