User:Maffblaster/Drafts/OpenVAS

From Gentoo Wiki

OpenVAS (Open Vulnerability Assessment System) is security scanning software used to identify and detect network-accessible vulnerabilities. It is used by both offensive and defensive security experts to determine attack surfaces. OpenVAS is a fork of Nessus, the popular corporate security scanner maintained by Tenable.

Both OpenVAS and Nessus were originally built from the nmap port scanner.

Installation

USE flags

USE flags for net-analyzer/openvas (A remote security scanner)

cli Command Line Interface for OpenVAS Scanner through net-analyzer/gvm-tools
extras Extra fonts, pdf results and html docs support
gsa Greenbone Security Assistant (WebUI) through net-analyzer/greenbone-security-assistant
ldap Enable support for ldap through net-nds/openldap
ospd Enable support for scanner wrappers through net-analyzer/ospd
radius Enable support for radius through net-dialup/freeradius-client

Emerge

The net-analyzer/openvas package is a meta-package. It depends upon the command-line interface, libraries, manager, scanner, and tools. Do not be surprised if the dependency list is a little long:

root #emerge --ask net-analyzer/openvas

Additional software

Additional support for extra checks can be gained by emerging the following software:

Package Description
app-forensics/ovaldi For ovaldi (OVAL) — an OVAL Interpreter.
net-analyzer/amap For amap — an application protocol detection tool.
net-analyzer/greenbone-security-assistant For the Greenbone Security Assistant as an alternative to the plain scanner.
net-analyzer/ike-scan For ike-scan - an IPsec VPN scanning, fingerprinting and testing tool.
net-analyzer/nikto For Nikto — a web server scanning and testing tool.
net-analyzer/portbunny For portbunny — a Linux-kernel-based portscanner.
net-analyzer/w3af For w3af — a web application attack and audit framework.

Configuration

The following steps can be checked at any point by running the openvas-check-setup utility.

Generate an SSL certificate

Before OpenVAS can be started, an SSL certificate must be generated:

root #openvas-mkcert

Generate the client's SSL certificate

root #openvas-mkcert-client -n -i

Download vulnerability list

Download the vulnerability list with the following command:

root #openvas-nvt-sync

Update the scan daemon's cache

root #openvassd --only-cache

Rebuild the management daemon's NVT cache

root #openvasmd --rebuild

Download the SCAP data

root #openvas-scapdata-sync

Download the OpenVAS CERT database

root #openvas-certdata-sync
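
The certificate, feed and cache steps above can be chained in one script that stops at the first failing step and reports its number. This is an added example, not part of the original wiki page or the OpenVAS project; the function names, the DRY_RUN variable, the --run/--dry-run arguments and the file name openvas-setup.sh are assumptions of the example. User creation is left as a manual step.

```shell
#!/bin/sh
# Added example (not from the wiki page or the OpenVAS project).
# The commands are the page's own, in the page's order; the function names,
# DRY_RUN and the --run/--dry-run arguments are assumptions of this example.
STEPS='openvas-mkcert
openvas-mkcert-client -n -i
openvas-nvt-sync
openvassd --only-cache
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync'

# Print each step command that is not on PATH; return 1 if any is missing.
missing_tools() {
    rc=0
    for tool in $(printf '%s\n' "$STEPS" | cut -d' ' -f1 | sort -u); do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool"; rc=1; }
    done
    return "$rc"
}

# Run the steps in order and stop at the first failure, returning that step's
# number (1-7); return 0 when every step succeeds. With DRY_RUN=1 the steps
# are only printed. The list is read on fd 3 so that stdin stays free for any
# prompts the tools show.
run_setup() {
    n=0
    while IFS= read -r step <&3; do
        n=$((n + 1))
        echo "[$n] $step"
        [ "${DRY_RUN:-0}" = 1 ] && continue
        $step || return "$n"   # unquoted on purpose: split command from args
    done 3<<EOF
$STEPS
EOF
    return 0
}

# Entry point (hypothetical file name): "sh openvas-setup.sh --run" as root,
# or "--dry-run" to preview the steps without running them.
case "${1:-}" in
    --dry-run) DRY_RUN=1; run_setup ;;
    --run)
        missing_tools || { echo "install the tools listed above" >&2; exit 1; }
        run_setup; failed=$?
        [ "$failed" -eq 0 ] || echo "step $failed failed" >&2
        exit "$failed" ;;
esac
```

After a failure, openvas-check-setup shows which parts of the configuration are still incomplete.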

Create a user

Users will not be able to log in until accounts have been created for them. For example, to create an account for a user named Larry:

root #openvasmd --create-user larry

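Unless you want a large GUID for a password, be sure to change it. Note that a password passed on the command line can end up in the shell history and is visible in the process list while the command runs: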

root #openvasmd --user=larry --new-password=SuPErSeCR3TP@assw0rd

Users can be listed with the following command:

root #openvasmd --get-users

Usage

Troubleshooting

Stuck on configuration steps

root #openvas-check-setup

Service not starting

Check the log files located at /var/log/openvas/.

See also