===== Scan OpenVAS RHEL 7.3 =====

I want to know how the firewall, SELinux or NFS services affect vulnerability scan results.

==== Scenario ====

  * Debian Sid (unstable) hypervisor with KVM 4.1 and libvirt 5.6
  * Three virtual machines:
    * RHEL 7.3 client
      * 1 GB RAM
      * 10 GB SSD
      * 1 vCPU
      * IP 192.168.122.254
    * RHEL 7.3 NFS server
      * 1 GB RAM
      * 10 GB SSD
      * 1 vCPU
      * IP 192.168.122.14
    * Greenbone OS 5.0
      * 4 GB RAM
      * 10 GB SSD
      * 1 vCPU
      * IP 192.168.122.254

I will run several scans with OpenVAS against the RHEL 7.3 client; I provided the root password to OpenVAS:

  - RHEL 7.3 with firewall up and SELinux enforcing, without NFS mount as client, without chronyd started
  - RHEL 7.3 with firewall down and SELinux enforcing, without NFS mount as client, without chronyd started
  - RHEL 7.3 with firewall down and SELinux enforcing, without NFS mount as client, with chronyd started
  - RHEL 7.3 with firewall down and SELinux enforcing, with NFS mount as client, with chronyd started
  - RHEL 7.3 with firewall down and SELinux permissive, with NFS mount as client, with chronyd started
  - RHEL 7.3 with firewall down and SELinux permissive, with NFS mount as client, with chronyd started, and with the problems found fixed

Finally I will export the scan results as CSV with the "CSV Results" option. With diff I will try to find the differences between scans. I removed all columns except: IP, Hostname, Port, Port Protocol, CVSS, Severity, Solution Type, NVT Name. I also want to leave package updates out.

==== Results ====

=== Boring numbers ===

^ Scan ^ Results ^ Results without Log entries ^ Results without package-update findings ^ Difference from previous scan ^
| 1 | 204 | 176 | 3 | NA |
| 2 | 206 | 176 | 3 | 0 |
| 3 | 209 | 177 | 3 | 0 |
| 4 | 209 | 177 | 3 | 0 |
| 5 | 209 | 177 | 3 | 0 |
| 6 | 205 | 174 | -3 | 0 |

=== Boring differences ===

I compared the first scan with scans 2, 3, 4 and 5 respectively. The listings below are diff output against the filtered CSV of scan 1; a line starting with > exists only in the later scan.
  * 2nd scan:
<code>
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
137a139
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
</code>
  * 3rd scan:
<code>
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
20a22,23
> 192.168.122.254,,,,5.0,Medium,VendorFix,QEMU <= 3.1.50 Denial of Service Vulnerability
> 192.168.122.254,,,,0.0,Log,,QEMU Version Detection (Linux)
137a141
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
145a150
> 192.168.122.254,,,,0.0,Log,,Sun/Oracle OpenJDK Version Detection
</code>
  * 4th scan:
<code>
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
20a22,23
> 192.168.122.254,,,,5.0,Medium,VendorFix,QEMU <= 3.1.50 Denial of Service Vulnerability
> 192.168.122.254,,,,0.0,Log,,QEMU Version Detection (Linux)
137a141
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
145a150
> 192.168.122.254,,,,0.0,Log,,Sun/Oracle OpenJDK Version Detection
</code>
  * 5th scan:
<code>
15a16
> 192.168.122.254,,111,tcp,0.0,Log,,Obtain list of all port mapper registered programs via RPC
20a22,23
> 192.168.122.254,,,,5.0,Medium,VendorFix,QEMU <= 3.1.50 Denial of Service Vulnerability
> 192.168.122.254,,,,0.0,Log,,QEMU Version Detection (Linux)
137a141
> 192.168.122.254,,111,tcp,0.0,Log,,RPC portmapper (TCP)
145a150
> 192.168.122.254,,,,0.0,Log,,Sun/Oracle OpenJDK Version Detection
</code>

==== Fixing sins ====

Disable TCP timestamps:
<code bash>
echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.d/99-sysctl.conf
sysctl -p
</code>
On RHEL 7 /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf, so a plain sysctl -p reloads it; sysctl --system reloads every drop-in file, and sysctl net.ipv4.tcp_timestamps shows the value in effect.

Restrict rpcbind with TCP Wrappers (rpcbind on RHEL 7 honours hosts.allow and hosts.deny; hosts.allow is consulted first, so the NFS server keeps access while every other host is refused):
<code bash>
echo "rpcbind: 192.168.122.14" >> /etc/hosts.allow
echo "rpcbind: ALL" >> /etc/hosts.deny
</code>
Port 111 still shows as open in a port scan; what changes is that the dump of registered programs (what rpcinfo -p asks for) is refused to other hosts. If local NFS client daemons (rpc.statd, lockd) stop registering, add 127.0.0.1 to the allow line as well. Keep in mind that tcp_wrappers is deprecated in RHEL 7 and removed in RHEL 8, where only the firewall can restrict this.

SSH weak encryption and MAC algorithms. Put the following two lines into /etc/ssh/sshd_config (keyword and comma-separated list on one line each) and restart the daemon with systemctl restart sshd. OpenVAS' weak-MAC check is about MD5-based and 96-bit MACs, which this list does not contain, but it still keeps hmac-sha1, umac-64 and hmac-ripemd160; a stricter baseline keeps only the SHA-2 and umac-128 entries. Verify the lists sshd actually uses with: sshd -T | grep -E "^(macs|ciphers)".
<code>
MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
</code>
and the Ciphers line:
<code>
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
</code>

==== Conclusion ====

I noticed that with the firewall up the scan can obtain the list of port mapper registered programs via RPC. I can fix this with TCP Wrappers instead of the firewall. I noticed that SELinux doesn't make a difference.

==== Recommendations ====

  * Do better penetration tests, because SELinux is not properly tested by OpenVAS
  * The scenario was a controlled environment without real applications; I need to test Oracle Database, Tomcat or WebLogic

==== Useless Screenshots ====

{{::shot-2019-09-18_17-01-40.jpg?800|}}
{{::shot-2019-09-18_17-04-01.jpg?800|}}
{{::shot-2019-09-18_17-04-38.jpg?800|}}

==== Resources ====

  * Original CSVs: {{ ::original.tar.gz |}}
  * Filtered CSVs: {{ ::filtered.tar.gz |}}
  * https://tipstricks.itmatrix.eu/making-rpcbindpreviously-portmap-port-111-more-secure/
  * https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/
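The CSV comparison described in the Scenario and Results sections can be scripted instead of done by hand with diff. The Python below is an added example, not code from this page or from Greenbone: it keeps the same eight columns, reproduces the three counts of the "Boring numbers" table (all results, results without Log entries, results without package-update findings) and diffs two exports the way diff does on the filtered CSVs. The two sample exports are constructed to mirror the page's firewall-up/firewall-down pair (only the two rpcbind Log entries differ), and the rule that treats NVTs named "RedHat Update for ..." as package updates is an assumption to adapt to your scanner's naming.

```python
"""Compare two Greenbone/OpenVAS "CSV Results" exports: keep a few columns,
count results the way the page's table does, and diff what remains."""
import csv
import io
import re
from collections import Counter

# Columns the page keeps after filtering the export; every row becomes a tuple
# in this order, which also serves as the comparison key for the diff.
KEEP_COLUMNS = ("IP", "Hostname", "Port", "Port Protocol", "CVSS",
                "Severity", "Solution Type", "NVT Name")
SEVERITY = KEEP_COLUMNS.index("Severity")
NVT_NAME = KEEP_COLUMNS.index("NVT Name")

# Assumption: an authenticated RHEL scan reports each missing erratum as an NVT
# named "RedHat Update for <package> ..."; adjust for other distributions.
PACKAGE_UPDATE_RE = re.compile(r"^(RedHat|CentOS|Fedora) Update for ")

# Constructed sample exports (not real scan output). A real export carries many
# more columns (QoD, Summary, NVT OID, CVEs, ...); two are kept here to show
# that load_results() drops them.
HEADER = "IP,Hostname,Port,Port Protocol,CVSS,Severity,QoD,Solution Type,NVT Name,Summary\n"
COMMON_ROWS = (
    "192.168.122.254,,22,tcp,4.3,Medium,95,Mitigation,SSH Weak Encryption Algorithms Supported,constructed\n"
    "192.168.122.254,,22,tcp,2.6,Low,95,Mitigation,SSH Weak MAC Algorithms Supported,constructed\n"
    "192.168.122.254,,general,tcp,2.6,Low,80,Mitigation,TCP timestamps,constructed\n"
    "192.168.122.254,,general,tcp,7.2,High,97,VendorFix,RedHat Update for kernel,constructed\n"
    "192.168.122.254,,general,tcp,5.0,Medium,97,VendorFix,RedHat Update for openssh,constructed\n"
    "192.168.122.254,,22,tcp,0.0,Log,80,,SSH Server type and version,constructed\n"
)
# The two Log entries the page saw once the firewall was down.
RPCBIND_ROWS = (
    "192.168.122.254,,111,tcp,0.0,Log,80,,RPC portmapper (TCP),constructed\n"
    "192.168.122.254,,111,tcp,0.0,Log,80,,Obtain list of all port mapper registered programs via RPC,constructed\n"
)
SCAN_FIREWALL_UP = HEADER + COMMON_ROWS
SCAN_FIREWALL_DOWN = HEADER + COMMON_ROWS + RPCBIND_ROWS


def load_results(csv_text):
    """Parse an export and keep only KEEP_COLUMNS, like the page's filtered CSVs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [tuple(row[column] for column in KEEP_COLUMNS) for row in reader]


def is_log(row):
    return row[SEVERITY] == "Log"


def is_package_update(row):
    return PACKAGE_UPDATE_RE.match(row[NVT_NAME]) is not None


def summarize(rows):
    """The three counts of the page's result table for one scan."""
    non_log = [row for row in rows if not is_log(row)]
    return {
        "results": len(rows),
        "without_logs": len(non_log),
        "without_updates": sum(1 for row in non_log if not is_package_update(row)),
    }


def compare(base, other, ignore_logs=False, ignore_updates=True):
    """Return (only_in_other, only_in_base), like `diff base other` on the filtered CSVs.

    Counters instead of sets so the same NVT firing on two ports is not collapsed.
    Log entries are kept by default because the page's diffs consist of them.
    """
    def keep(row):
        if ignore_logs and is_log(row):
            return False
        return not (ignore_updates and is_package_update(row))

    base_count = Counter(filter(keep, base))
    other_count = Counter(filter(keep, other))
    added = sorted((other_count - base_count).elements())
    removed = sorted((base_count - other_count).elements())
    return added, removed


def main():
    up = load_results(SCAN_FIREWALL_UP)
    down = load_results(SCAN_FIREWALL_DOWN)
    print("firewall up:  ", summarize(up))
    print("firewall down:", summarize(down))
    added, removed = compare(up, down)
    for row in added:
        print("> " + ",".join(row))
    for row in removed:
        print("< " + ",".join(row))


if __name__ == "__main__":
    main()
```

Run it as a script to see the two count dictionaries and the diff lines. With ignore_logs=True the two sample scans compare equal, which is the same thing the table's "without Log entries" column says about the firewall: it changed what the scanner could enumerate, not what it rated.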
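To check that the MACs and Ciphers lines from "Fixing sins" really drop the weak algorithms before restarting sshd, here is an added Python example (not from this page or from OpenSSH). It parses an sshd_config fragment the way sshd reads it (comments ignored, the first occurrence of a keyword wins; Match blocks are not handled) and reports MD5-based and 96-bit MACs and CBC/RC4/3DES ciphers, plus, in strict mode, the SHA-1, umac-64 and RIPEMD-160 entries a stricter baseline also removes. The weak-algorithm patterns and the "weak" and "strict" sample configurations are this example's own assumptions, not output of any scanner; the "page" sample is the two lines given above.

```python
"""Audit the MACs and Ciphers lines of an sshd_config fragment for algorithms
that SSH weak-algorithm scanner checks flag, optionally against a stricter baseline."""
import re

# MD5-based or 96-bit-truncated MACs: what "SSH Weak MAC Algorithms" style checks report.
WEAK_MAC_RE = re.compile(r"md5|-96(@|$)")
# CBC-mode, RC4 (arcfour) and 3DES ciphers: what "SSH Weak Encryption Algorithms" checks report.
WEAK_CIPHER_RE = re.compile(r"-cbc$|^arcfour|^3des")
# Assumption: entries a stricter baseline also drops (SHA-1, 64-bit UMAC, RIPEMD-160).
LEGACY_MAC_RE = re.compile(r"hmac-sha1|umac-64|ripemd160")

KEYWORD_RE = re.compile(r"^(macs|ciphers)\s+(\S+)$", re.IGNORECASE)


def parse_algorithms(config_text):
    """Return {'macs': [...], 'ciphers': [...]} for the keywords present.

    Mirrors sshd's rules: comments are ignored and the first occurrence of a
    keyword wins. Match blocks are not handled; `sshd -T` shows the real view.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = KEYWORD_RE.match(line)
        if match:
            found.setdefault(match.group(1).lower(), match.group(2).split(","))
    return found


def audit(config_text, strict=False):
    """Report weak entries per keyword; 'missing' lists keywords not set at all,
    meaning the compiled-in defaults of that OpenSSH build apply instead."""
    algorithms = parse_algorithms(config_text)
    report = {"macs": [], "ciphers": [], "missing": []}
    for keyword in ("macs", "ciphers"):
        if keyword not in algorithms:
            report["missing"].append(keyword)
    for mac in algorithms.get("macs", []):
        if WEAK_MAC_RE.search(mac) or (strict and LEGACY_MAC_RE.search(mac)):
            report["macs"].append(mac)
    for cipher in algorithms.get("ciphers", []):
        if WEAK_CIPHER_RE.search(cipher):
            report["ciphers"].append(cipher)
    return report


# The two lines the page puts into sshd_config.
PAGE_CONFIG = """\
MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
"""

# Constructed "before" fragment with the algorithms a scanner complains about.
WEAK_CONFIG = """\
# legacy settings kept for an old client
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
Ciphers aes128-cbc,3des-cbc,arcfour,aes256-ctr
MACs hmac-sha2-512   # ignored: sshd uses the first MACs line
"""

# Constructed stricter baseline: SHA-2 / umac-128 MACs only, same ciphers as the page.
STRICT_CONFIG = """\
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("page", PAGE_CONFIG), ("strict", STRICT_CONFIG)):
        print(name, "scanner view:", audit(text))
        print(name, "strict view: ", audit(text, strict=True))
```

The page's lines pass the scanner-style check but not the strict one, which is exactly the caveat above: clean against the MD5/96-bit finding, yet still advertising SHA-1, umac-64 and RIPEMD-160. Feed the script the output of sshd -T rather than the config file when Match blocks or included files are in play.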