OpenVAS

From ArchWiki

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Pre-install

Redis

Configure redis as prescribed by the OpenVAS redis configuration. In summary, set the following in your /etc/redis.conf:

unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
Note: See the previous OpenVAS redis configuration document on how to calculate the databases number.

Additionally comment out the following (and similar) save lines if present to avoid a stuck connection of the openvas-scanner to redis:

save 900 1
save 300 10
save 60 10000

Create /etc/openvas/openvassd.conf and add the following:

kb_location = /var/lib/redis/redis.sock

Finally restart redis:

# systemctl restart redis
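
To check the result of the steps above, the following script audits both files against the listed settings. It is an added example, not part of the original wiki page or of OpenVAS; the function names redis_directive and audit_redis_conf and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki page): audit redis.conf and openvassd.conf
# against the settings listed above. Function names are made up for this example.

# Print the value of the last active (uncommented) directive $2 in file $1.
redis_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# audit_redis_conf REDIS_CONF OPENVASSD_CONF
# Prints one line per finding and returns the number of findings (0 = OK).
audit_redis_conf() {
    conf=$1 scanner=$2 findings=0
    sock=$(redis_directive "$conf" unixsocket)
    [ -n "$sock" ] || { echo "unixsocket is not set"; findings=$((findings + 1)); }
    # port 0 disables the TCP listener, leaving only the unix socket.
    for pair in unixsocketperm=700 port=0 timeout=0; do
        key=${pair%%=*} want=${pair#*=}
        got=$(redis_directive "$conf" "$key")
        [ "$got" = "$want" ] || {
            echo "$key is '${got:-unset}', expected $want"; findings=$((findings + 1)); }
    done
    # The databases value is site-specific; only require that it is a number.
    case $(redis_directive "$conf" databases) in
        ''|*[!0-9]*) echo "databases is not set to a number"; findings=$((findings + 1)) ;;
    esac
    # Any uncommented numeric save line is a finding.
    if grep -Eq '^[[:space:]]*save[[:space:]]+[0-9]' "$conf"; then
        echo "active save line(s) present"; findings=$((findings + 1))
    fi
    # The scanner must point at the same socket redis listens on.
    kb=$(sed -n 's/^[[:space:]]*kb_location[[:space:]]*=[[:space:]]*//p' "$scanner" | tail -n 1)
    [ -n "$sock" ] && [ "$kb" = "$sock" ] || {
        echo "kb_location '$kb' does not match unixsocket '$sock'"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample input: a stock-like redis.conf with a TCP port and save lines.
demo=$(mktemp -d)
printf '%s\n' 'port 6379' 'timeout 0' 'databases 16' 'save 900 1' \
    '# unixsocket /tmp/redis.sock' > "$demo/redis.conf"
printf '%s\n' 'kb_location = /var/lib/redis/redis.sock' > "$demo/openvassd.conf"
audit_redis_conf "$demo/redis.conf" "$demo/openvassd.conf" || echo "findings: $?"
rm -rf "$demo"
```

To audit the real files, call audit_redis_conf /etc/redis.conf /etc/openvas/openvassd.conf; the return status is the number of findings.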

haveged

If running OpenVAS in a virtual machine or on any other system with low entropy, you can optionally install haveged to gather more entropy. The entropy is required for the key material used for the encrypted credentials saved within the openvas-manager database.

Installation

Install the openvas package group from the official repositories.

This group provides the openvas-cli command-line omp interface and greenbone-security-assistant web interface via the gsad daemon along with other OpenVAS dependencies.

Initial setup

Create certificates for the server and clients (default values were used):

# openvas-manage-certs -a

Update the plugins and vulnerability data:

# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync
Note: If GSA complains that the scapdata database is missing, it may be necessary to use greenbone-scapdata-sync --refresh.

Start the openvas-scanner service, then rebuild the database:

# openvasmd --rebuild --progress

Add an administrator user account and be sure to copy the password:

# openvasmd --create-user=admin --role=Admin

Getting started

Start the openvasmd daemon:

# openvasmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional):

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and log in with your admin credentials.

Note: By default, gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Note: The Greenbone Security Assistant WebUI requires the texlive-most package in order to provide PDF downloads of the reports.

Systemd

Red Hat-based systemd units are in an AUR package named openvas-systemd. They contain a few tweaks such as better TLS settings.

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# openvasmd --migrate --progress

See also