From ArchWiki


OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.



Set up PostgreSQL before you continue.


Configure Redis as prescribed by the OpenVAS redis configuration. In summary, add the following to your /etc/redis/redis.conf:

port 0
unixsocket /run/redis/redis.sock
unixsocketperm 770
timeout 0
databases 128
Note: See the previous OpenVAS redis configuration document on how to calculate the databases number.

Finally restart redis.service.
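
One way to confirm that redis.conf carries the values listed above before restarting, as an added example that is not part of the wiki article or the OpenVAS project. The function name check_redis_conf and the sample configuration are constructed for illustration; the expected databases value defaults to the 128 shown above and can be overridden.

```shell
#!/bin/sh
# Added example (not from the wiki): audit a redis.conf against the values
# this article lists. Prints one line per deviation, returns 1 if any.
# Usage: check_redis_conf FILE [DATABASES]   (DATABASES defaults to 128)
check_redis_conf() {
    awk -v dbs="${2:-128}" '
        BEGIN {
            want["port"] = "0"                       # 0 disables the TCP listener
            want["unixsocket"] = "/run/redis/redis.sock"
            want["unixsocketperm"] = "770"           # owner and group only
            want["timeout"] = "0"
            want["databases"] = dbs
        }
        NF == 0 || $1 ~ /^#/ { next }                # blank lines and comments
        {
            v = $2
            gsub(/^"|"$/, "", v)                     # values may be double-quoted
            seen[tolower($1)] = v                    # last occurrence wins
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (want %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "WRONG %s %s (want %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample input: TCP listener still on, socket line commented out.
sample=$(mktemp)
printf '%s\n' 'port 6379' '# unixsocket /run/redis/redis.sock' \
    'unixsocketperm 770' 'timeout 0' 'databases 16' 'databases 128' > "$sample"
check_redis_conf "$sample" || echo "redis.conf does not match the OpenVAS settings"
rm -f "$sample"
```

A missing port line is reported as well, because without port 0 Redis keeps its default TCP listener open next to the UNIX socket.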


Install the following packages to get a full OpenVAS setup, including manager, web frontend, scanner, and so on: openvas-scanner (AUR), ospd-openvas (AUR), gsa (AUR), gvmd (AUR). nmap needs to be installed for the scanner to deliver proper results, and texlive is needed for the PDF report feature to work.

Warning: The packages openvas-scanner (AUR), ospd-openvas (AUR), gsa (AUR), gvmd (AUR) are currently broken. To fix them refer to [1].

Initial setup

Set up the PostgreSQL database for gvm:

[postgres]$ createuser gvm
[postgres]$ createdb -O gvm gvmd

Grant this user DBA roles:

[postgres]$ psql gvmd
# create role dba with superuser noinherit;
# grant dba to gvm;
# create extension "uuid-ossp";
# \q

Make sure to have the following sysctl configurations:

# echo "net.core.somaxconn = 1024" >> /etc/sysctl.d/90-openvas.conf
# echo "vm.overcommit_memory = 1" >> /etc/sysctl.d/90-openvas.conf
# sysctl -p /etc/sysctl.d/90-openvas.conf

Before doing this, check the value of somaxconn (normally this is 4096 on Arch Linux and does not need to be adjusted):

# sysctl -a | grep somaxconn

If this is the case, just skip the first echo line.

Grant the gvm user access to the redis socket:

# usermod -aG redis gvm
# echo "db_address = /run/redis/redis.sock" > /etc/openvas/openvas.conf
# chown gvm:gvm /etc/openvas/openvas.conf

Update NVTs:

# chown -R gvm:gvm /var/lib/openvas
[gvm]$ greenbone-nvt-sync && openvas --update-vt-info

Update feeds:

[gvm]$ greenbone-feed-sync --type GVMD_DATA
[gvm]$ greenbone-scapdata-sync --rsync
[gvm]$ greenbone-certdata-sync --rsync

You can enable the following timers to update this data on a regular basis: greenbone-nvt-sync.timer, greenbone-feed-sync.timer, greenbone-scapdata-sync.timer, greenbone-certdata-sync.timer.

Create certificates for the server and clients (default values were used):

[gvm]$ gvm-manage-certs -a

Add an administrator user account. Be sure to copy the password:

[gvm]$ gvmd --create-user=admin --role=Admin

You can also change the password of the user later on:

[gvm]$ gvmd --user=admin --new-password=<password>

Getting started

Start ospd-openvas.service, gvmd.service and gsad.service.

Create the Scanner:

[gvm]$ gvmd --get-scanners

Copy the id of the OpenVAS Default scanner and run:

[gvm]$ gvmd --modify-scanner=id-of-scanner --scanner-host=/run/gvm/ospd.sock
[gvm]$ gvmd --verify-scanner=id-of-scanner

Set the feed import user:

[gvm]$ gvmd --get-users --verbose

Copy the id of the admin user and run:

[gvm]$ gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value id-of-admin

Point your web browser to and login with your admin credentials.

Note: By default, gsad will bind to port 80. If you are already running a web server, this will obviously cause problems. You can modify the ports and listen addresses in the file /etc/default/gsad.

See also