OpenVAS

From ArchWiki
Jump to: navigation, search

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: Various Help:Style issues (Discuss in Talk:OpenVAS#)

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Pre-install

Redis

Configure redis as prescribed by the OpenVAS redis configuration. In summary, amend the following to your /etc/redis.conf

unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0
databases 128

Note: See the previous OpenVAS redis configuration document on how to calculate the databases number.

Additionally comment out the following (and similar) save lines if present to avoid a stuck connection of the openvas-scanner to redis:

save 900 1
save 300 10
save 60 10000

Create and add the following to /etc/openvas/openvassd.conf

kb_location = /var/lib/redis/redis.sock

Finally restart redis

# systemctl restart redis

haveged (optional)

If running OpenVAS in a virtual machine or any other system having a low entropy install haveged to gather more entropy. This is required for e.g. the key material used for the encrypted credentials saved within the openvas-manager database.

Installation

Install the openvas package group from the official repositories. This group provides the openvas-cli command-line omp interface and greenbone-security-assistant web interface via the gsad daemon along with other OpenVAS dependencies.

Initial setup

Create certificates for the server+client, default values were used

# openvas-manage-certs -a

Update the plugins and vulnerability data:

# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync

Note: If GSA complains that the scapdata database is missing, it may be necessary to use greenbone-scapdata-sync --refresh


Start the scanner service:

# systemctl start openvas-scanner

Rebuild the database:

# openvasmd --rebuild --progress

Add an administrator user account, be sure to copy the password:

# openvasmd --create-user=admin --role=Admin


Getting started

Start the openvasmd daemon

# openvasmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional)

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and login with your admin crendentials

Note: By default, gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Note: The Greenbone Security Assistant WebUI requires the texlive-most package in order to provide PDF downloads of the reports.

Systemd

Redhat based systemd units are in an AUR package named openvas-systemdAUR. The contain a few tweaks such as better TLS settings.

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# openvasmd --migrate --progress

See also