OpenVAS (Open Vulnerability Assessment System) is a network security scanner that consists of a central server and a graphical front-end. Its core component is the server, which runs a set of network vulnerability tests (NVTs) written in the Nessus Attack Scripting Language (NASL); OpenVAS updates these NVTs frequently. The NVTs detect security problems in remote systems and applications.
Architecture:
Installation and Configurations:
OpenVAS needs four major components installed at the server end:
OpenVAS-Server:
This is the core component of OpenVAS, which provides the functionality of scanning a large number of target servers at a high speed.
OpenVAS-Libraries:
This module contains the functionalities that are used by the OpenVAS-Server.
OpenVAS-LibNASL:
The NVTs are written in the Nessus Attack Scripting Language (NASL). This module contains the functionality that OpenVAS-Server needs to interface with NASL.
OpenVAS-Plugins:
This module contains a base set of NVTs. In addition, you need an OpenVAS-Client to access the OpenVAS server and run the scans.
OpenVAS-Server Installation:
Before installing the OpenVAS-Server package, the following components should be installed in sequence:
- openvas-libraries
- openvas-libnasl
- openvas-plugins
You can install the packages either from source or using RPMs. Let us proceed with an RPM-based installation.
Packages for RPM-Based Distributions are available at unofficial repositories that can be found at
http://www.atomicorp.com/channels/atomic/
On a CentOS 5.2 machine with a 32-bit processor, you can use the following steps to install the packages.
[root@ipareplica ~]# wget http://www.atomicorp.com/channels/atomic/centos/5/i386/RPMS/openvas-libraries-2.0.2-1.el5.art.i386.rpm
[root@ipareplica ~]# rpm -ivh openvas-libraries-2.0.2-1.el5.art.i386.rpm
[root@ipareplica ~]# wget http://www.atomicorp.com/channels/atomic/centos/5/i386/RPMS/openvas-libnasl-2.0.1-1.el5.art.i386.rpm
[root@ipareplica ~]# rpm -ivh openvas-libnasl-2.0.1-1.el5.art.i386.rpm
[root@ipareplica ~]# wget http://www.atomicorp.com/channels/atomic/centos/5/i386/RPMS/openvas-plugins-1.0.5-2.el5.art.i386.rpm
[root@ipareplica ~]# rpm -ivh openvas-plugins-1.0.5-2.el5.art.i386.rpm
[root@ipareplica ~]# wget http://www.atomicorp.com/channels/atomic/centos/5/i386/RPMS/openvas-server-2.0.1-1.el5.art.i386.rpm
[root@ipareplica ~]# rpm -ivh openvas-server-2.0.1-1.el5.art.i386.rpm
Additional components needed by these packages can be downloaded from repositories like http://rpm.pbone.net/ and http://www.atomicorp.com/channels/atomic/.
Configuring OpenVAS-Server:
After installing the OpenVAS-Server, a few additional steps are needed to get your OpenVAS installation up and running.
Generating a Server Certificate:-
If the machine on which the OpenVAS-Server runs does not have a certificate, you have to generate one; it secures the communication between the OpenVAS server and the client.
You can create an OpenVAS Server SSL certificate as follows:
[root@ipareplica ~]#openvas-mkcert
Creation of the OpenVAS SSL Certificate
This script will now ask you for the relevant information required to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local).
However, anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]:
Your state or province name [none]:
Your location (e.g. town) [Paris]: London
Your organization [OpenVAS Users United]:
Creation of the OpenVAS SSL Certificate
Congratulations. Your server certificate was properly created.

/etc/openvas/openvasd.conf updated

The following files were created:

. Certification authority:
   Certificate = /var/lib/openvas/CA/cacert.pem
   Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
   Certificate = /var/lib/openvas/CA/servercert.pem
   Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit
Adding New Users
In order to use an OpenVAS server, a client needs a proper user account on the server. The OpenVAS-Server package provides the openvas-adduser script, which simplifies the creation of user accounts. Using this script, you can specify whether the user authenticates with a password or a certificate, and you can optionally restrict the user's access rights.
Restricted access rights are useful when you need to prevent users from scanning arbitrary hosts or networks. Rules can be specified to restrict a user to certain hosts or subnets, or even to prevent them from scanning any host but their own.
The following is the correct syntax for user rules:
accept|deny ip/mask    (mask is the CIDR netmask of the rule)
default accept|deny
The default statement must be the last rule; it defines the policy for any address that no earlier rule matched.
[root@ipareplica rpms]# openvas-adduser
Using /var/tmp as a temporary file holder.

Add a new openvasd user
---------------------------------

Login : bob1
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
---------------
openvasd provides a rules system that allows you to restrict the hosts that bob1 has the right to test. For instance, you can make him able to scan his own host only.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
default accept

Login    : bob1
Password : ***********
Rules    :
default accept

Is that ok? (y/n) [y] y
user added.
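Before typing a rule set into openvas-adduser it helps to preview which targets it will let the user scan. The following is an added example written for this page, not OpenVAS code: a small Python model of the rule syntax above. It assumes that rules are consulted top to bottom with the first matching network deciding, that the mandatory trailing default line covers every address nothing else matched, and that only IP literals are checked (openvasd resolves hostnames itself; the example does not). The rule set and targets are constructed sample data.

```python
# Added example (not OpenVAS code): a model of openvasd user rules as
# described above, used to preview which targets a user may scan.
# Assumptions: first matching rule wins; the trailing "default accept|deny"
# covers everything else; only IP literals are handled (no name resolution).
import ipaddress

ACTIONS = ("accept", "deny")


def parse_rules(text):
    """Parse an openvas-adduser style rule set into ([(action, network)], default)."""
    rules = []
    default = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default":
            if len(parts) != 2 or parts[1] not in ACTIONS:
                raise ValueError(f"line {lineno}: expected 'default accept|deny', got {raw!r}")
            if default is not None:
                raise ValueError(f"line {lineno}: more than one default rule")
            default = parts[1]
            continue
        if default is not None:
            raise ValueError(f"line {lineno}: rule after 'default' would never be consulted")
        if len(parts) != 2 or parts[0] not in ACTIONS:
            raise ValueError(f"line {lineno}: expected 'accept|deny ip/mask', got {raw!r}")
        # strict=False lets "10.20.0.5/24" mean the surrounding /24, as a CIDR netmask would
        network = ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0], network))
    if default is None:
        raise ValueError("rule set must end with 'default accept|deny'")
    return rules, default


def validate_rules(text):
    """Return None if the rule set parses cleanly, otherwise the error message."""
    try:
        parse_rules(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_allowed(target, rules, default):
    """True if the user may scan this single IP literal under the parsed rule set."""
    addr = ipaddress.ip_address(target)  # raises ValueError for hostnames
    for action, network in rules:
        if addr in network:  # first match decides (assumption stated above)
            return action == "accept"
    return default == "accept"


def check_targets(target_spec, rules_text):
    """Map each comma-separated target (the client's 'host1,host2' form) to allowed/denied."""
    rules, default = parse_rules(rules_text)
    targets = [t.strip() for t in target_spec.split(",") if t.strip()]
    return {t: is_allowed(t, rules, default) for t in targets}


# Constructed sample rule set: bob1 may scan his lab /24 except its gateway,
# and nothing else on the network.
SAMPLE_RULES = """\
deny 10.20.0.1/32
accept 10.20.0.0/24
default deny
"""

if __name__ == "__main__":
    for target, ok in check_targets("10.20.0.1,10.20.0.57,192.0.2.10", SAMPLE_RULES).items():
        print(f"{target:<12} {'accept' if ok else 'deny'}")
```

Note the ordering: with `deny 10.20.0.1/32` placed after the `accept 10.20.0.0/24` line it would never be reached, which is exactly the kind of mistake the preview catches before the account is created. The "scan his own host only" case from the transcript is a single `accept host/32` followed by `default deny`.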
To remove a user at a later time, use:
[root@ipareplica rpms]# openvas-rmuser <username>
Advanced Configuration
To change the default OpenVAS-Server configuration, edit the configuration file located at /etc/openvas/openvasd.conf.
Configuring NVT Feeds
An OpenVAS NVT Feed Service presents you with a set of NVTs (i.e. ".nasl" and ".inc" files). These can be downloaded into your OpenVAS server installation.
To synchronize your NVT repository with an OpenVAS NVT Feed, use the script /usr/sbin/openvas-nvt-sync, which requires the rsync and md5sum tools to be installed.
You can invoke the script as follows:
[root@ipareplica rpms]# openvas-nvt-sync
With the NVTs in place, start the OpenVAS server as a daemon:
[root@ipareplica rpms]# openvasd -D
Installing and Configuring OpenVAS-Client
Download and install the OpenVAS-Client using the steps below:
[root@ipareplica rpms]# wget http://www.atomicorp.com/channels/atomic/centos/5/i386/RPMS/openvas-client-2.0.2-1.el5.art.i386.rpm
[root@ipareplica rpms]# rpm -ivh openvas-client-2.0.2-1.el5.art.i386.rpm
To start the OpenVAS Client, use the command below:
[root@ipareplica rpms]# OpenVAS-Client &
This launches the graphical user interface, from which you can connect to the server, retrieve the available plugins and run the scan.
The main window of OpenVAS-Client is divided into two sections. On the left-hand side is the tree list, which gives you an overview of the locally stored tasks, scopes and reports. On the right-hand side is a notebook with space for comments, options and reports. This is where a security scan is configured and commented upon, and where its results can be reviewed.
Common Terms used:
Tasks
Tasks are meant to cover all activities of a major topic.
Scopes
A scope is a sub-task. It defines a particular security scan, and a connection to an OpenVAS server is established within the context of a specific scope. Once a scope is connected to the server, a scan based on that scope's settings can be executed. An icon to the right of the scope title shows the connection status of the scope. A task can therefore contain several scopes, each connecting to a different OpenVAS server with different plugins.
Report
When a scope is successfully executed, a report of the scan is generated and added to its list of reports.
Connection
To connect to the server, click Connect under the File menu or use the "Connect" icon. Enter the username and password you just created to log on to the OpenVAS Server.
The OpenVAS-Client can handle multiple connections to different servers, since each scope has a connection of its own. The global settings can also be connected to an OpenVAS server in order to define a default plugin selection and default plugin parameters. Note that only explicitly saved Global Settings are used as defaults for new scopes.
OpenVAS is indeed a great tool and an alternative to the well-known Nessus Vulnerability Assessment Scanner. The server currently runs only on the Linux platform, but you can run the client on Windows XP SP2 machines.
So, try it now to secure your network!!!
About the Author :
Jitha K works as a Senior Software Engineer at Bobcares. Since joining Bobcares, Jitha has primarily worked on administering Linux servers and is a technical specialist in the various control panels. She is interested in installing and configuring new systems and customizing them for specific requirements. Apart from that, she is passionate about music and movies.
Excellent article Jitha, I am very happy with the OpenVAS project and find it a very useful tool. While Nessus is a bit more polished, with a cleaner install and a nicer client, OpenVAS has not been left behind, and the additional vulnerability feeds are excellent.
Most of our scanning is done in batch mode anyway – so the client is irrelevant.
We have a free online openvas tool available for those who are interested.
Very nice article… OpenVAS is interesting. Need to try it out.
Thanks for sharing this 🙂
Hi Jitha, can you help recommend the general settings for OpenVAS if we will use it for vulnerability assessment from an external viewpoint?
Hello Yaggi,
You can install the server and client software on a single machine and then configure the client to scan the machines you want. Each scope can handle a connection of its own.
Once a scope is connected to the server, you will have several options to configure your scan. The Target Selection option allows you to specify the host(s) that will be attacked by the OpenVAS server. You may define several targets by separating them with a comma (,), i.e. "host1,host2", or you can create a text file with the names of the hosts to be scanned and choose the "Read from file" option to input this text file.
Once you complete the configuration, you can execute the scan by selecting the scope to be executed and clicking the Execute button, or by using the Execute option under the Scope menu. You will get the report of the scan at the end of the execution; it can be read directly or exported to different formats using the "Report->Export" option in your OpenVAS-Client.