OpenVAS
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.
Pre-install
Redis
Configure redis as prescribed by the OpenVAS redis configuration. In summary, set the following in your /etc/redis.conf:
unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
See the OpenVAS redis configuration document on how to calculate the databases number. Additionally, comment out the following (and similar) save lines if present to avoid a stuck connection of the openvas-scanner to redis:
save 900 1
save 300 10
save 60 10000
Create /etc/openvas/openvassd.conf and add the following:
db_address = /var/lib/redis/redis.sock
Finally, restart redis:
# systemctl restart redis
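A quick audit of the Redis settings from this section, as an added example that is not part of the original page. The helper names conf_value and check_redis_conf are hypothetical, and the sample configuration it falls back to is constructed.

```shell
#!/bin/sh
# Added example: audit a redis.conf against the settings listed above.
# conf_value and check_redis_conf are hypothetical helper names.

# Print the value of the last active (uncommented) occurrence of a directive.
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Print one line per finding; return 0 if the file matches, 1 if not.
check_redis_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    [ -n "$(conf_value "$conf" unixsocket)" ] ||
        { echo "FAIL: unixsocket is not set"; rc=1; }
    perm=$(conf_value "$conf" unixsocketperm)
    [ "$perm" = "700" ] ||
        { echo "FAIL: unixsocketperm is '${perm:-unset}', expected 700"; rc=1; }
    # An unset port also fails: Redis then listens on its default TCP port (6379).
    port=$(conf_value "$conf" port)
    [ "$port" = "0" ] ||
        { echo "FAIL: port is '${port:-unset}', expected 0"; rc=1; }
    timeout=$(conf_value "$conf" timeout)
    [ "${timeout:-0}" = "0" ] ||
        { echo "FAIL: timeout is '$timeout', expected 0"; rc=1; }
    # Active snapshot rules such as "save 900 1" must be commented out.
    if awk '$1 == "save" && $2 ~ /^[0-9]+$/ { n = 1 } END { exit !n }' "$conf"; then
        echo "FAIL: active save lines present"; rc=1
    fi
    db=$(conf_value "$conf" databases)
    echo "INFO: databases = ${db:-unset}"
    return "$rc"
}

# With no argument, audit a constructed sample that still has TCP and snapshots on.
if [ -n "${1:-}" ]; then
    check_redis_conf "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'port 6379' 'save 900 1' 'unixsocket /var/lib/redis/redis.sock' > "$sample"
    check_redis_conf "$sample" || true
    rm -f "$sample"
fi
```

Run it with the path to the configuration as its only argument, for example /etc/redis.conf, before restarting redis.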
haveged
If running OpenVAS in a virtual machine or any other system with low entropy, you can optionally install haveged to gather more entropy. This is required for the key material used for the encrypted credentials saved within the openvas-manager database.
Installation
Install the openvas package from the AUR.
Alternatively, install greenbone-vulnerability-manager, which provides gvm-libs and Greenbone Security Assistant (gsa), the greenbone-security-assistant OpenVAS web frontend. The Vulnerability scanning Daemon (openvas) and the Greenbone Vulnerability Manager (gvmd) were moved to the AUR and are no longer in the official repositories.
Initial setup
Create certificates for the server and clients; default values were used:
# gvm-manage-certs -a
Update the plugins and vulnerability data:
# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync
Add an administrator user account; be sure to copy the password:
# gvmd --create-user=admin --role=Admin
You can also change the password of the user later on:
# gvmd --user=admin --new-password=<password>
Getting started
Start the gvmd daemon:
# gvmd -p 9390 -a 127.0.0.1
Start the Greenbone Security Assistant WebUI (optional):
# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390
Point your web browser to http://127.0.0.1 and log in with your admin credentials.
gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Systemd
Red Hat-based systemd units are in an AUR package named openvas-systemd. They contain a few tweaks such as better TLS settings.
Migration to new major versions
The database needs to be migrated when moving to a new major version:
# gvmd --migrate
See also
- Wikipedia:OpenVAS
- OpenVAS: official OpenVAS website