OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.
Install the official repositories. This group provides the command-line omp interface and web interface via the gsad daemon along with other OpenVAS dependencies.
Create a certificate for the server, choosing the default values if desired:
Create a client certificate:
# openvas-mkcert-client -n -i
Update the plugins and vulnerability data:
# openvas-nvt-sync
# openvas-scapdata-sync
# openvas-certdata-sync
Start the scanner service:
# systemctl start openvas-scanner
Rebuild the database:
# openvasmd --rebuild --progress
Add an administrator user account:
# openvasmd --create-user=admin --role=Admin
Configure Redis for OpenVAS. In summary, amend the following in your /etc/redis.conf as prescribed by the
unixsocket /var/lib/redis/redis.sock
port 0
timeout 0
Create /etc/openvas/openvassd.conf and add the following to it:
kb_location = /var/lib/redis/redis.sock
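The two files above have to agree on the socket path, and `port 0` is what turns off the Redis TCP listener. The following check is an added example, not part of the original page or of OpenVAS; the function names are hypothetical and the sample files at the end are constructed.

```shell
#!/bin/sh
# Added example: check that Redis and the OpenVAS scanner agree on the socket.

# Print the last active value of a Redis directive ("key value" lines).
redis_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print the last value of a "key = value" setting in openvassd.conf.
openvassd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when both files match the settings given on this page.
check_openvas_redis() {
    redis_conf=${1:-/etc/redis.conf}
    scanner_conf=${2:-/etc/openvas/openvassd.conf}
    rc=0
    sock=$(redis_value "$redis_conf" unixsocket)
    port=$(redis_value "$redis_conf" port)
    idle=$(redis_value "$redis_conf" timeout)
    kb=$(openvassd_value "$scanner_conf" kb_location)

    [ -n "$sock" ] || { echo "redis: unixsocket is not set"; rc=1; }
    # port 0 turns off the Redis TCP listener, leaving only the socket.
    [ "$port" = 0 ] || { echo "redis: port is '${port:-unset}', expected 0"; rc=1; }
    [ "$idle" = 0 ] || { echo "redis: timeout is '${idle:-unset}', expected 0"; rc=1; }
    # The scanner has to use the same socket path that Redis creates.
    if [ -z "$kb" ] || [ "$kb" != "$sock" ]; then
        echo "openvassd: kb_location '$kb' differs from unixsocket '$sock'"; rc=1
    fi
    return "$rc"
}

# Constructed sample files, so the check can be tried without touching /etc.
tmp=$(mktemp -d)
printf 'unixsocket /var/lib/redis/redis.sock\nport 0\ntimeout 0\n' > "$tmp/redis.conf"
printf 'kb_location = /var/lib/redis/redis.sock\n' > "$tmp/openvassd.conf"
check_openvas_redis "$tmp/redis.conf" "$tmp/openvassd.conf" && echo "configs agree"
rm -rf "$tmp"
```

Called without arguments, `check_openvas_redis` reads /etc/redis.conf and /etc/openvas/openvassd.conf.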
# openvasmd -p 9390 -a 127.0.0.1
Start the Greenbone Security Assistant WebUI (optional)
Point your web browser to http://127.0.0.1 and log in with your admin credentials.
gsad will bind to port 80. If you are already running a web server, this will obviously cause problems. Pass the gsad for an alternate port. Read the gsad man page for options like --no-redirect, and more.
At the time of writing, there are no service files provided with the gsad. Until they are added, consider using and customizing the following service files to ease the deployment of a streamlined OpenVAS system:
$ cat /usr/lib/systemd/system/openvas-manager.service
[Unit]
Description = OpenVAS Manager
Wants = openvas-scanner.service
After = network.target

[Service]
ExecStart = /usr/bin/openvasmd --foreground -p 9390 -a 127.0.0.1

[Install]
WantedBy = multi-user.target

$ cat /usr/lib/systemd/system/gsa.service
[Unit]
Description = Greenbone Security Assistant
After = network.target

[Service]
ExecStart = /usr/bin/gsad --foreground

[Install]
WantedBy = multi-user.target
--foreground is needed and not optional.
Finally, start/enable your newly created gsa services in addition to openvas-scanner if you haven't already started it.
openvas-manager should start immediately but will take time to load NVTs. You won't be able to start scanning until all NVTs are loaded.
Migration to new major versions
The database needs to be migrated when moving to a new major version:
# openvasmd --migrate --progress
- OpenVAS Official OpenVAS website.