User:Maffblaster/Drafts/OpenVAS
OpenVAS (Open Vulnerability Assessment System) is security scanning software used identify and detect network accessible vulnerabilities. It is used by both offensive and defensive security experts to determine attack surfaces. OpenVAS is a fork of Nessus, the popular corporate security scanner maintained by Tenable.
Both OpenVAS and Nessus were originally built from the nmap port scanner.
Installation
USE flags
USE flags for net-analyzer/openvas A remote security scanner
cli
|
Command Line Interface for OpenVAS Scanner throught net-analyzer/gvm-tools |
extras
|
Extra fonts, pdf results and html docs support |
gsa
|
Greenbone Security Assistant (WebUI) through net-analyzer/greenbone-security-assistant |
ldap
|
Enable support for ldap through net-nds/openldap |
ospd
|
Enable support for scanner wrappers through net-analyzer/ospd |
radius
|
Enable support for radius through net-dialup/freeradius-client |
Emerge
The net-analyzer/openvas is a meta-package. It depends upon the command-line interface, libraries, manager, scanner, and tools. Do not be surprised if the dependency list is a little long:
root #emerge --ask net-analyzer/openvasAdditional software
Additional support for extra checks gained from emerging the following software:
| Package | Description |
|---|---|
| app-forensics/ovaldi | For ovaldi (OVAL) — an OVAL Interpreter. |
| net-analyzer/amap | For amap — an application protocol detection tool. |
| net-analyzer/greebone-security-assistant | For The Greenbone Security Assistant as alternative to the plain scanner. |
| net-analyzer/ike-scan | For ike-scan - an IPsec VPN scanning, fingerprinting and testing tool. |
| net-analyzer/nikto | For Nikto — a web server scanning and testing tool. |
| net-analyzer/portbunny | For portbunny — a Linux-kernel-based portscanner. |
| net-analyzer/w3af | For w3af — a web application attack and audit framework. |
Configuration
The following steps can be checked at any point by running the openvas-check-setup utility.
Generate an SSL certificate
Before OpenVAS can be started, an SSL certificate must be generated:
root #openvas-mkcertGenerate the client's SSL certificate
root #openvas-mkcert-client -n -iDownload vulnerability list
Download the vulnerability list with the following command:
root #openvas-nvt-syncUpdate the scan daemon's cache
root #openvassd --only-cacheRebuild the management daemon's NVT cache
root #openvasmd --rebuildDownload the SCAP data
root #openvas-scapdata-syncDownload the OpenVAS CERT database
root #openvas-certdata-syncCreate a user
Users will not be able to login until accounts have been created for them. Pretending a user by the name of Larry would like to create an account:
root #openvasmd --create-user larryUnless you want a large GUID for a password, be sure to change it:
root #openvasmd --user=larry --new-password=SuPErSeCR3TP@assw0rdUsers can be listed with the following command:
root #openvasmd --get-usersUsage
Troubleshooting
Stuck on configuration steps
root #openvas-check-setupService not starting
Check the log files located at /var/log/openvas/.
See also
- Security Handbook — a step-by-step hardening guide for Gentoo Linux.