Difference between revisions of "OpenVAS"

From ArchWiki
(Added note about using greenbone-scapdata-sync --refresh, currently necessary on fresh installs)
(moved redis installation from post-install to pre-install see also: https://bugs.archlinux.org/task/57470)
Line 4: Line 4:
 
{{Style|Various [[Help:Style]] issues}}
 
{{Style|Various [[Help:Style]] issues}}
 
[http://www.openvas.org/ OpenVAS] stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.  
 
[http://www.openvas.org/ OpenVAS] stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.  
 +
 +
== Pre-install ==
 +
 +
Configure {{pkg|redis}} as prescribed by the [https://svn.wald.intevation.org/svn/openvas/tags/openvas-scanner-release-5.0.3/doc/redis_config.txt OpenVAS redis configuration]. In summary, amend the following to your /etc/redis.conf
 +
 +
unixsocket /var/lib/redis/redis.sock
 +
unixsocketperm 700
 +
port 0
 +
timeout 0
 +
 +
Create and add the following to /etc/openvas/openvassd.conf
 +
 +
kb_location = /var/lib/redis/redis.sock
 +
 +
Finally restart {{ic|redis}}
 +
 +
# systemctl restart redis
  
 
== Installation ==
 
== Installation ==
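Review bot: The new Pre-install section edits /etc/redis.conf and restarts redis before the Installation section, but never tells the reader to install the redis package first; {{pkg|redis}} only links to it. Add an explicit install step ahead of the configuration lines. It would also help to say that "port 0" turns off the redis TCP listener, so anything else on the host that reaches redis over TCP has to switch to the socket. The two file paths should be wrapped in {{ic|...}}, as is already done for redis in the restart line.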
Line 36: Line 53:
 
  # openvasmd --create-user=admin --role=Admin
 
  # openvasmd --create-user=admin --role=Admin
  
== Post-install ==
 
 
Configure {{pkg|redis}} as prescribed by the [https://svn.wald.intevation.org/svn/openvas/tags/openvas-scanner-release-5.0.3/doc/redis_config.txt OpenVAS redis configuration]. In summary, amend the following to your /etc/redis.conf
 
 
unixsocket /var/lib/redis/redis.sock
 
unixsocketperm 700
 
port 0
 
timeout 0
 
 
Create and add the following to /etc/openvas/openvassd.conf
 
 
kb_location = /var/lib/redis/redis.sock
 
 
Finally restart {{ic|redis}}
 
 
# systemctl restart redis
 
  
 
== Getting started ==
 
== Getting started ==

Revision as of 14:17, 26 May 2018

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Various Help:Style issues (Discuss in Talk:OpenVAS#)

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

Pre-install

Configure redis as prescribed by the OpenVAS redis configuration. In summary, add the following to your /etc/redis.conf:

unixsocket /var/lib/redis/redis.sock
unixsocketperm 700
port 0
timeout 0

Create /etc/openvas/openvassd.conf and add the following:

kb_location = /var/lib/redis/redis.sock

Finally, restart redis:

# systemctl restart redis
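
A quick consistency check for the two files edited above, as an added example that is not part of the wiki page or the OpenVAS project. The function names conf_value and check_openvas_redis are made up for illustration.

```shell
#!/bin/sh
# Added example: verify the Pre-install settings before starting the scanner.
# conf_value and check_openvas_redis are hypothetical helper names.

# conf_value FILE KEY
# Print the value of KEY, keeping the last occurrence. Handles both
# "key value" (redis.conf) and "key = value" (openvassd.conf); comment
# lines never match because their first field is not the bare key.
conf_value() {
    sed -e 's/[[:space:]]*=[[:space:]]*/ /' "$1" |
        awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# check_openvas_redis REDIS_CONF OPENVASSD_CONF
# Return 0 only if every setting from the Pre-install section is present
# and kb_location points at the same socket redis is told to create.
check_openvas_redis() {
    rc=0
    sock=$(conf_value "$1" unixsocket)
    [ -n "$sock" ] || { echo "redis: unixsocket is not set"; rc=1; }
    [ "$(conf_value "$1" unixsocketperm)" = 700 ] ||
        { echo "redis: unixsocketperm is not 700"; rc=1; }
    # A missing "port" line means redis keeps its default TCP listener.
    [ "$(conf_value "$1" port)" = 0 ] ||
        { echo "redis: TCP listener still enabled (port is not 0)"; rc=1; }
    [ "$(conf_value "$1" timeout)" = 0 ] ||
        { echo "redis: timeout is not 0"; rc=1; }
    kb=$(conf_value "$2" kb_location)
    if [ -z "$sock" ] || [ "$kb" != "$sock" ]; then
        echo "openvassd: kb_location '$kb' does not match unixsocket '$sock'"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check.sh /etc/redis.conf /etc/openvas/openvassd.conf
if [ "$#" -eq 2 ]; then
    check_openvas_redis "$1" "$2" && echo "redis/openvassd settings OK"
fi
```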

Installation

Install the openvas package group from the official repositories. This group provides the openvas-cli command-line omp interface and greenbone-security-assistant web interface via the gsad daemon along with other OpenVAS dependencies.

Initial setup

Create certificates for the server and client, using the default values:

# openvas-manage-certs -a

Update the plugins and vulnerability data:

# greenbone-nvt-sync
# greenbone-scapdata-sync
# greenbone-certdata-sync

Note: If GSA complains that the scapdata database is missing, it may be necessary to use greenbone-scapdata-sync --refresh


Start the scanner service:

# systemctl start openvas-scanner

Rebuild the database:

# openvasmd --rebuild --progress

Add an administrator user account; be sure to copy the password:

# openvasmd --create-user=admin --role=Admin


Getting started

Start the openvasmd daemon

# openvasmd -p 9390 -a 127.0.0.1

Start the Greenbone Security Assistant WebUI (optional)

# gsad -f --listen=127.0.0.1 --mlisten=127.0.0.1 --mport=9390

Point your web browser to http://127.0.0.1 and log in with your admin credentials.

Note: By default, gsad will bind to port 80. If you are already running a webserver, this will obviously cause problems. Pass the --port switch to gsad for an alternate port. Read the gsad man page for options like --http-only, --no-redirect, and more.
Note: The Greenbone Security Assistant WebUI requires the texlive-most package in order to provide PDF downloads of the reports.

Systemd

Red Hat-based systemd units are in an AUR package named openvas-systemd. They contain a few tweaks such as better TLS settings.

Migration to new major versions

The database needs to be migrated when moving to a new major version:

# openvasmd --migrate --progress

See also