OpenVAS
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.
Pre-install
Redis
Configure redis as prescribed by the OpenVAS redis configuration document. In summary, add the following to /etc/redis.conf (port 0 disables the TCP listener, so the scanner's knowledge base is reachable only through the unix socket, and unixsocketperm 700 restricts that socket to the user redis runs as):
unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
Note: See the OpenVAS redis configuration document on how to calculate the databases number.
Additionally, comment out the following (and similar) save lines if present, to avoid a stuck connection of openvas-scanner to redis:
save 900 1
save 300 10
save 60 10000
Create and add the following to /etc/openvas/openvassd.conf
kb_location = /var/lib/redis/redis.sock
Finally, restart redis:
# systemctl restart redis
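The following script is an added example and not part of this page or of the OpenVAS project. It audits a redis.conf text for the settings listed above and reports each deviation (TCP listener still enabled, idle timeout, too few databases, active save lines). The function names and the two sample configurations are constructed for illustration; the required values are the ones from this section.

```bash
#!/bin/bash
# Added example, not part of the wiki page or the OpenVAS project: audit a
# redis.conf for the settings OpenVAS needs. The function and sample names
# are hypothetical; the required values are the ones listed above.

# Constructed sample: a stock-looking redis.conf before the OpenVAS edits.
# It listens on TCP, drops idle clients, has too few databases and still
# snapshots to disk, which can leave openvas-scanner stuck on redis.
SAMPLE_STOCK='bind 127.0.0.1
port 6379
timeout 300
databases 16
save 900 1
save 300 10
save 60 10000'

# Constructed sample: the same file after the edits from this section.
SAMPLE_OPENVAS='unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
#save 900 1
#save 300 10
#save 60 10000'

# redis_value CONF KEY: print the effective (last, uncommented) value of KEY.
redis_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }'
}

# redis_audit CONF [MIN_DATABASES]: print one line per problem; return 1 if
# the config is not ready for OpenVAS, 0 if it is.
redis_audit() {
    local conf=$1 min_db=${2:-128} problems=0
    local sock perm port timeout dbs saves

    sock=$(redis_value "$conf" unixsocket)
    perm=$(redis_value "$conf" unixsocketperm)
    port=$(redis_value "$conf" port)
    timeout=$(redis_value "$conf" timeout)
    dbs=$(redis_value "$conf" databases)

    [ -n "$sock" ] || { echo "unixsocket missing (kb_location in openvassd.conf needs it)"; problems=$((problems + 1)); }
    [ "$perm" = 700 ] || { echo "unixsocketperm is ${perm:-unset}, want 700 (socket usable only by the redis user)"; problems=$((problems + 1)); }
    [ "$port" = 0 ] || { echo "port is ${port:-6379}, want 0 (no TCP listener, socket only)"; problems=$((problems + 1)); }
    [ "$timeout" = 0 ] || { echo "timeout is ${timeout:-unset}, want 0 (do not drop idle scanner connections)"; problems=$((problems + 1)); }
    [ "${dbs:-0}" -ge "$min_db" ] 2>/dev/null || { echo "databases is ${dbs:-16}, want at least $min_db"; problems=$((problems + 1)); }

    # Any uncommented "save" line re-enables RDB snapshots.
    saves=$(printf '%s\n' "$conf" | grep -c '^[[:space:]]*save[[:space:]]' || true)
    [ "$saves" -eq 0 ] || { echo "$saves active save line(s), comment them out"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ]
}

# Usage on a live host:  redis_audit "$(cat /etc/redis.conf)" 128 && echo "ready"
```

Run it against the real file with `redis_audit "$(cat /etc/redis.conf)" 128` before restarting redis; the stock sample produces six findings, the edited sample none. The databases threshold is a parameter because the correct number depends on the calculation in the OpenVAS redis document, not on the 128 shown here.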
haveged (optional)
If running OpenVAS in a virtual machine or on any other system with low entropy, install haveged to gather more entropy. This is required for, e.g., the key material used for the encrypted credentials saved within the openvas-manager database.
Installation
Install the openvas package group from the official repositories. This group provides the openvas-cli command-line omp interface and the greenbone-security-assistant web interface via the gsad daemon, along with other OpenVAS dependencies.
Initial setup
Create certificates for the server and client (the default values are used here):
# openvas-manage-certs -a
Update the plugins and vulnerability data:
# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync
Note: If GSA complains that the SCAP database is missing, it may be necessary to run greenbone-scapdata-sync --refresh.
Start the scanner service:
# systemctl start openvas-scanner
Rebuild the database:
# openvasmd --rebuild --progress
Add an administrator user account; be sure to copy the generated password, as it is printed only once:
# openvasmd --create-user=admin --role=Admin
Getting started
Start the openvasmd daemon, binding the OMP port to loopback so the manager is not reachable from the network:
# openvasmd -p 9390 -a 127.0.0.1
Start the Greenbone Security Assistant web UI (optional):
# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390
Point your web browser to http://127.0.0.1 and log in with your admin credentials.
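Both daemons above were started with loopback bind addresses (openvasmd on 127.0.0.1:9390, gsad with --listen=127.0.0.1 on its default port 80). The script below is an added example, not code from this page or from the OpenVAS project: it reads `ss -ltn` output and reports any of the given ports that is bound to something other than 127.0.0.1 or ::1, i.e. reachable from the network. The sample listener table is constructed; the function name and the port list are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not part of the wiki page or the OpenVAS project: confirm
# that the OpenVAS listeners are bound to loopback only. openvasmd above
# binds OMP to 127.0.0.1:9390 and gsad defaults to port 80; anything on
# those ports bound to 0.0.0.0 or [::] is reachable from the network.
# Input is the output of `ss -ltn`; the sample below is constructed.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:9390       0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::1]:9392           [::]:*
LISTEN  0       128     [::]:22              [::]:*'

# exposed_listeners "PORT PORT ...": reads ss -ltn output on stdin and prints
# "ADDRESS PORT" for each listed port bound to a non-loopback address.
# Returns 1 if any such listener exists, 0 otherwise.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4
            i = match(la, /:[0-9]+$/)          # split at the last colon
            if (i == 0) next
            addr = substr(la, 1, i - 1)
            port = substr(la, i + 1)
            gsub(/[][]/, "", addr)              # [::1] -> ::1
            if (!(port in want)) next
            if (addr != "127.0.0.1" && addr != "::1") { print addr, port; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on a live host (OMP on 9390, gsad on 80 as described on this page):
#   ss -ltn | exposed_listeners "9390 80" || echo "listener exposed"
```

On the constructed sample the check flags `0.0.0.0 80` (a gsad started without --listen) and is silent for 9390 and 9392, which are on loopback. If you pass --port to gsad, adjust the port list accordingly.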
gsad will bind to port 80. If you are already running a web server, this will obviously cause problems; pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Systemd
Red Hat based systemd units are in the AUR package openvas-systemd (AUR). They contain a few tweaks such as better TLS settings.
Migration to new major versions
The database needs to be migrated when moving to a new major version:
# openvasmd --migrate --progress
See also
- Wikipedia:OpenVAS
- OpenVAS: the official OpenVAS website.