OpenVAS
OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.
Pre-install
Redis
Configure redis as prescribed by the OpenVAS redis configuration. In summary, amend the following to your /etc/redis.conf:
unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128
See the OpenVAS redis configuration document on how to calculate the databases number. Additionally, comment out the following (and similar) save lines if present to avoid a stuck connection of the openvas-scanner to redis:
save 900 1
save 300 10
save 60 10000
Create /etc/openvas/openvassd.conf and add the following:
kb_location = /var/lib/redis/redis.sock
Finally, restart redis:
# systemctl restart redis
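As an added example that is not part of this wiki page or the OpenVAS project, the following POSIX shell script applies the redis.conf amendments above to a file passed as a parameter and then checks the result; the socket path is an argument and the sample configuration at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not the wiki's or OpenVAS's own code): apply the redis.conf
# changes above to a file given as a parameter, then verify the result.

# apply_openvas_redis_conf <redis.conf> [socket path]
# Replaces the five directives OpenVAS needs and comments out every "save" line.
apply_openvas_redis_conf() {
    conf="$1"
    sock="${2:-/var/lib/redis/redis.sock}"
    tmp="$conf.tmp.$$"
    sed -E \
        -e '/^[[:space:]]*(unixsocket|unixsocketperm|port|timeout|databases)[[:space:]]/d' \
        -e 's/^([[:space:]]*save[[:space:]])/# \1/' \
        "$conf" > "$tmp" || return 1
    {
        cat "$tmp"
        # port 0 disables the TCP listener: the knowledge base is reachable
        # only through the socket, whose mode 700 limits it to the redis user
        printf '\nunixsocket %s\n' "$sock"
        printf 'unixsocketperm 700\n'
        printf 'port 0\n'
        printf 'timeout 0\n'
        printf 'databases 128\n'
    } > "$conf" && rm -f "$tmp"
}

# check_openvas_redis_conf <redis.conf>
# Succeeds only when all directives are present and no "save" line is active.
check_openvas_redis_conf() {
    conf="$1"
    grep -Eq '^unixsocket[[:space:]]+/' "$conf" || return 1
    grep -Eq '^unixsocketperm[[:space:]]+700$' "$conf" || return 1
    grep -Eq '^port[[:space:]]+0$' "$conf" || return 1
    grep -Eq '^timeout[[:space:]]+0$' "$conf" || return 1
    grep -Eq '^databases[[:space:]]+128$' "$conf" || return 1
    ! grep -Eq '^[[:space:]]*save[[:space:]]' "$conf"
}

# Constructed sample: a fragment of a stock redis.conf written to a temp file.
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
port 6379
timeout 0
databases 16
save 900 1
save 60 10000
EOF
apply_openvas_redis_conf "$sample_conf" /var/lib/redis/redis.sock
check_openvas_redis_conf "$sample_conf" && echo "redis.conf ready for OpenVAS"
```

Run it against a copy of /etc/redis.conf first and diff the result before touching the live file.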
haveged
If running OpenVAS in a virtual machine or any other system with low entropy, you can optionally install haveged to gather more entropy. This is required for the key material used for the encrypted credentials saved within the openvas-manager database.
Installation
Install the openvas package group from the official repositories.
This group provides the openvas-cli command-line omp interface and the greenbone-security-assistant web interface via the gsad daemon, along with other OpenVAS dependencies.
Initial setup
Create certificates for the server and clients; the default values are used here:
# openvas-manage-certs -a
Update the plugins and vulnerability data:
# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync
Start the openvas-scanner service, then rebuild the database:
# openvasmd --rebuild --progress
Add an administrator user account, be sure to copy the password:
# openvasmd --create-user=admin --role=Admin
Getting started
Start the openvasmd daemon:
# openvasmd -p 9390 -a 127.0.0.1
Start the Greenbone Security Assistant web UI (optional):
# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390
Point your web browser to http://127.0.0.1 and log in with your admin credentials.
gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Systemd
Red Hat based systemd units are in an AUR package named openvas-systemd (AUR). They contain a few tweaks such as better TLS settings.
Migration to new major versions
The database needs to be migrated when moving to a new major version:
# openvasmd --migrate --progress
See also
- Wikipedia:OpenVAS
- OpenVAS, the official OpenVAS website.