OpenVAS

From ArchWiki

This article or section is out of date.

Reason: openvas-manager was renamed to gvmd, command names have changed and instructions need to be updated to work with the latest version. (Discuss in Talk:OpenVAS#)

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Various Help:Style issues (Discuss in Talk:OpenVAS#)

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Pre-install

Redis

Configure redis as prescribed by the OpenVAS redis configuration. In summary, set the following in your /etc/redis.conf:

unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
Note: See the OpenVAS redis configuration document mentioned above on how to calculate the databases number.

Additionally, comment out the following (and similar) save lines, if present, to avoid a stuck connection between openvas-scanner and redis:

save 900 1
save 300 10
save 60 10000

Create /etc/openvas/openvassd.conf and add the following:

db_address = /var/lib/redis/redis.sock

Finally restart redis:

# systemctl restart redis
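
A check of a redis.conf against the settings listed in this section, as an added example (not part of the ArchWiki page or of OpenVAS). The function name check_redis_conf and both sample files are made up for illustration.

```sh
# check_redis_conf FILE: print one line per deviation from the settings listed
# in this section; return 0 only when there are none. (Added example.)
check_redis_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            key = tolower($1)                 # directive names are case-insensitive
            # save "" turns snapshots off, so count only lines that set a schedule
            if (key == "save") { if ($2 != "\"\"") saves++ }
            else val[key] = $2
        }
        END {
            want["unixsocket"]     = "/var/lib/redis/redis.sock"
            want["unixsocketperm"] = "700"
            want["port"]           = "0"      # 0 disables the TCP listener
            want["timeout"]        = "0"
            for (k in want) {
                found = (k in val) ? val[k] : "(unset)"
                if (found != want[k]) {
                    printf "%s: expected %s, found %s\n", k, want[k], found
                    bad++
                }
            }
            if (!("databases" in val)) { print "databases: not set"; bad++ }
            if (saves) { printf "save: %d active line(s), comment them out\n", saves; bad++ }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed samples: a stock-style file and one following this section.
demo_dir=$(mktemp -d)
cat > "$demo_dir/stock.conf" <<'EOF'
port 6379
timeout 0
save 900 1
save 300 10
EOF
cat > "$demo_dir/tuned.conf" <<'EOF'
unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
# save 900 1
EOF
check_redis_conf "$demo_dir/stock.conf" || echo "stock.conf: needs changes"
check_redis_conf "$demo_dir/tuned.conf" && echo "tuned.conf: matches"
rm -rf "$demo_dir"
```

To check the live file, call check_redis_conf /etc/redis.conf.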

haveged

If you run OpenVAS in a virtual machine or on any other system with low entropy, you can optionally install haveged to gather more entropy. This is required for the key material used for the encrypted credentials saved within the openvas-manager database.

Installation

Install the openvas package from the AUR.

Alternatively, install greenbone-vulnerability-manager, which provides gvm-libs and the Greenbone Security Assistant (gsa, greenbone-security-assistant) OpenVAS web frontend. The vulnerability scanning daemon (openvas) and the Greenbone Vulnerability Manager (gvmd) were moved to the AUR and are no longer in the official repositories.

Initial setup

Create certificates for the server and clients (default values were used):

# gvm-manage-certs -a

Update the plugins and vulnerability data:

# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync
Note: If GSA complains that the scapdata database is missing, it may be necessary to use greenbone-scapdata-sync --refresh.

Add an administrator user account; be sure to copy the password:

# gvmd --create-user=admin --role=Admin

You can also change the password of the user later on:

# gvmd --user=admin --new-password=<password>

Getting started

Start the gvmd daemon:

# gvmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional):

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and log in with your admin credentials.

Note: By default, gsad binds to port 80. If you are already running a web server, the two will conflict. Pass the --port switch to gsad to use an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Note: The Greenbone Security Assistant WebUI requires the texlive-most package in order to provide PDF downloads of the reports.

Systemd

Red Hat-based systemd units are available in an AUR package named openvas-systemd. They contain a few tweaks, such as better TLS settings.

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# gvmd --migrate
