How to use Security Local Auditing Daemon (SLAD) with OpenVAS
This description is a quick guide to getting first results with SLAD via OpenVAS. For real production use you should make yourself familiar with the details of SLAD and its integrated tools. There is also the SLAD developer's and administrator's guide as a PDF file.
Please note that the OpenVAS "stable" branch — the 1.0.x series — is the recommended version for using SLAD in OpenVAS. Due to the changes necessary for the upcoming 2.0 release, versions from the 2.0-beta branch may not work with SLAD until the beta phase has come to an end.
- Download SLADinstaller. The latest version of SLADinstaller is available in the OpenVAS file repository.
- Compile SLADinstaller by typing "make", which works at least on a Debian GNU/Linux "Etch" 4.0. There is a file "INSTALL" which might provide some helpful hints.
- Prepare SSH Authorization:
You have to use an SSH key created following the example for ssh-keygen and openssl on the page about local security checks. Make sure that you create an RSA .p8 key file since the keys auto-generated by SLADinstaller are not usable with OpenVAS at the moment due to internal changes in OpenVAS.
- Ensure SLAD is not yet installed on your target system. You can remove an existing SLAD installation by using the following command:
- Run SLADinstaller by executing the "sladinstaller" binary and fill out the entries. Remember that you have to use the SSH key you have just created yourself and not let sladinstaller create one for you as keys auto-generated by SLADinstaller will not work. Hostname defines the target system.
- It might be necessary for you to adjust the sshd configuration of the target system to enable SLADinstaller to log in. In this case, SLADinstaller will provide you with instructions on how to do this.
- Now you need to create the "slad.inc" file (which contains settings specific to your SLAD installation) and copy it onto your OpenVAS Scanner. You can create the file on the system where you installed SLAD using the following commands:
    # cd /opt/slad/share/nessus_plugins/
    # /opt/slad/bin/sladd -s plugins | awk -f sladbuild.awk > slad.inc
The "slad.inc" file has to be copied into your NVT directory. If you compiled your OpenVAS installation from source and without any prefix, you will find this directory under /usr/local/lib/openvas/plugins. Please note that the location of this directory may differ depending on your installation method and your distribution.
- Finally, run OpenVAS-Client and configure your task to scan the target machine where you installed SLAD and enable the NVTs "SLAD init" and "SLAD run".
Do not forget to set the preferences for "SLAD init". Remember to use the RSA .p8 key you created above in the "SLAD init" preferences field when asked for the "slad SSH private key". Also note that your "slad SSH key passphrase" is the passphrase you used when creating the RSA .p8 file and not the one you used when generating your SSH key.
You may use the "SLAD run" preferences section to configure the individual SLAD plugins.
A first scan will schedule the tasks; use the NVT "SLAD fetch results" to retrieve the results collected so far from the target host. Please note that the time needed for execution varies among the SLAD plugins (e.g. lsof is fast, John-the-ripper might take a very long time), so some results may not be available the first time you run "SLAD fetch results". Subsequent scans with "SLAD fetch results" enabled will fetch the remaining results.
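The key preparation from the SSH authorization step and the two-passphrase point from the "SLAD init" preferences, as an added shell example that is not part of this guide or of SLADinstaller: it assumes ssh-keygen and openssl are installed, and the file names and the des3 PKCS#8 cipher are placeholders to adapt to the local security checks page.

```shell
#!/bin/sh
# Added example: build the RSA .p8 key that "SLAD init" expects and show
# which of the two passphrases it wants. Assumptions: ssh-keygen and openssl
# are installed; key file names and the des3 cipher are placeholders.

# make_slad_key BASENAME SSH_PASSPHRASE P8_PASSPHRASE
# Writes BASENAME (PEM RSA), BASENAME.pub and BASENAME.p8 (encrypted PKCS#8).
make_slad_key() {
    base=$1; ssh_pass=$2; p8_pass=$3
    # Step 1: the SSH key pair. -m PEM keeps the traditional PEM encoding so
    # openssl can read it (newer OpenSSH defaults to its own format). This
    # passphrase is the one you do NOT enter in OpenVAS.
    ssh-keygen -q -t rsa -b 2048 -m PEM -N "$ssh_pass" -f "$base" || return 1
    # Step 2: re-wrap the private key as encrypted PKCS#8. This passphrase is
    # what "SLAD init" asks for as "slad SSH key passphrase".
    openssl pkcs8 -topk8 -v2 des3 -in "$base" -passin "pass:$ssh_pass" \
        -out "$base.p8" -passout "pass:$p8_pass" || return 1
}

# key_modulus FILE PASSPHRASE: prints the RSA modulus, nothing on failure.
key_modulus() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null
}

# same_key FILE1 PASS1 FILE2 PASS2: succeeds if both files hold the same key.
same_key() {
    m1=$(key_modulus "$1" "$2"); m2=$(key_modulus "$3" "$4")
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

# Demonstration, skipped when the tools are missing.
if command -v ssh-keygen >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_slad_key "$dir/slad_key" "ssh-side-secret" "p8-side-secret"
    same_key "$dir/slad_key" "ssh-side-secret" "$dir/slad_key.p8" "p8-side-secret" \
        && echo "slad_key.p8 holds the same RSA key; enter p8-side-secret in SLAD init"
    key_modulus "$dir/slad_key.p8" "ssh-side-secret" >/dev/null \
        || echo "the SSH passphrase does not open slad_key.p8 (expected)"
    rm -rf "$dir"
fi
```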