
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

Architecture Overview

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools. The core of this SSL-secured, service-oriented architecture is the OpenVAS Scanner. The scanner efficiently executes the actual Network Vulnerability Tests (NVTs), which are served with daily updates via the OpenVAS NVT Feed or via a commercial feed service.

The OpenVAS Manager is the central service that consolidates plain vulnerability scanning into a full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol (OMP). All intelligence is implemented in the Manager, so that various lean clients can be implemented that behave consistently, e.g. with regard to filtering or sorting scan results. The Manager also controls an SQL database (SQLite-based) in which all configuration and scan result data is stored centrally.

A couple of different OMP clients are available. The Greenbone Security Assistant (GSA) is a lean web service offering a user interface for web browsers; GSA uses an XSL transformation stylesheet that converts OMP responses into HTML.

The Greenbone Security Desktop (GSD) is a Qt-based desktop client for OMP. It runs on various Linux, Windows and other operating systems.

OpenVAS CLI contains the command line tool "omp", which allows creating batch processes to drive the OpenVAS Manager.

The OpenVAS Administrator acts as a command line tool or as a full service daemon offering the OpenVAS Administration Protocol (OAP). Its most important tasks are user management and feed management. GSA supports OAP, and users with the role "Admin" can access the OAP functionality.

Most of the tools listed above share functionality that is aggregated in the OpenVAS Libraries.

The OpenVAS Scanner offers the communication protocol OTP (OpenVAS Transfer Protocol), which allows controlling the scan execution. This protocol is expected to be replaced eventually, so developing OTP clients is not recommended. Traditionally, the desktop and CLI tool OpenVAS Client acts as a direct OTP client.
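The Manager's OMP interface described above is plain XML carried over a TLS connection, which makes it easy to exercise without GSA or the omp tool. The POSIX sh helpers below are an added example, not code from the original post or from the OpenVAS project: they build an authenticated request, pull the status code out of a reply, and send a request with openssl s_client. Port 9390 is the Manager's default OMP port; the host name, the CA file path and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenVAS project:
# minimal OMP helpers in POSIX sh. OMP is XML sent over TLS; the Manager
# (openvasmd) listens on TCP 9390 by default. OMP is stateless, so every
# request carries its own <authenticate> block.

# Escape the XML special characters so a user-supplied value (for example a
# password containing '<' or '&') cannot break out of its element.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                            -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Build the <authenticate> command for a user name and password.
omp_authenticate() {
    printf '<authenticate><credentials><username>%s</username><password>%s</password></credentials></authenticate>' \
        "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Wrap the credentials and one command (e.g. '<get_tasks/>') in a <commands>
# element so both travel in a single connection.
omp_request() {
    printf '<commands>%s%s</commands>' "$(omp_authenticate "$1" "$2")" "$3"
}

# Return the numeric status attribute of the first *_response element
# ("200" on success, "400" when authentication fails).
omp_status() {
    printf '%s\n' "$1" | sed -n 's/.*status="\([0-9][0-9]*\)".*/\1/p' | head -n 1
}

# Send a request and print the raw reply. openssl s_client checks the Manager
# certificate against the CA file you pass (an assumed path), and
# -verify_return_error aborts on an untrusted certificate instead of
# continuing silently.
omp_send() {
    host=$1 port=$2 ca_file=$3 xml=$4
    printf '%s\n' "$xml" |
        openssl s_client -quiet -verify_return_error -CAfile "$ca_file" -connect "$host:$port" 2>/dev/null
}

# Constructed sample of what the Manager returns for <get_tasks/>; not a
# capture from a real installation.
SAMPLE_RESPONSE='<get_tasks_response status="200" status_text="OK"><task id="example-task-id"><name>Weekly scan</name><status>Done</status></task></get_tasks_response>'

# Usage (needs a running Manager, so not executed here; host and CA path assumed):
#   omp_send scanner.example.com 9390 /etc/pki/tls/certs/ca.pem \
#       "$(omp_request admin "$PASSWORD" '<get_tasks/>')"
```

Because OMP is stateless, every request must carry the <authenticate> block, which is why omp_request always prepends it. Passing the password as a command-line argument exposes it in the process list to other local users; in practice read it from a file with restrictive permissions.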

Installation

#wget -q -O - http://www.atomicorp.com/installers/atomic | sh

Atomic Archive installer, version 2.0.3

BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE

PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:

THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS

PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY

EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE

COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED

BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,

INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

OF THE POSSIBILITY OF SUCH DAMAGE.

Do you agree to these terms? (yes/no) [Default: yes]

ENTER

Installing the Atomic GPG key: OK

Downloading atomic-release-1.0-14.el6.art.noarch.rpm: OK

The Atomic Rocket Turtle archive has now been installed and configured for your system

The following channels are available:

atomic          - [ACTIVATED] - contains the stable tree of ART packages

atomic-testing  - [DISABLED]  - contains the testing tree of ART packages

atomic-bleeding - [DISABLED]  - contains the development tree of ART packages

Install OpenVAS

#yum install openvas -y

Run openvas-setup to configure OpenVAS

#openvas-setup

Openvas Setup, Version: 0.1

Step 1: Update NVT's

Please note this step could take some time.

Once completed, NVT's will be updated automatically every 24 hours

Updating NVTs....

Stopping openvas-scanner:                                  [OK]

Starting openvas-scanner:                                   [OK]

Updating OpenVAS Manager database....

Step 2: Configure GSAD

The Greenbone Security Assistant is a Web Based front end

for managing scans. By default it is configured to only allow

connections from localhost.

Allow connections from any IP? [Default: yes]

Stopping greenbone-security-assistant:                     [OK]

Starting greenbone-security-assistant:                     [OK]

Step 3: Choose the GSAD admin users password.

The admin user is used to configure accounts,

Update NVT's manually, and manage roles.

Enter password: enter password for admin user

ENTER

ad   main:MESSAGE:3223:2012-01-19 11h09.05 IST: No rules file provided, the new user will have no restrictions.

ad   main:MESSAGE:3223:2012-01-19 11h09.05 IST: User admin has been successfully created.

Step 4: Create a user

Using /var/tmp as a temporary file holder.

Add a new openvassd user

---------------------------------

Login : sathish

ENTER

Authentication (pass/cert) [pass] :

ENTER

Login password : enter user password

ENTER

Login password (again) : enter user password again

ENTER

User rules

---------------

openvassd has a rules system which allows you to restrict the hosts that humus has the right to test.

For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:

(the user can have an empty rules set)

ctrl-D

Login             : humus

Password          : ***********

Rules             :

Is that ok? (y/n) [y]

ENTER

Setup complete, you can now access GSAD at:

https://<IP>:9392

Start OpenVAS administrator

#/etc/init.d/openvas-administrator start

Download openvas-check-setup script and check OpenVAS setup

#cd /usr/local/src/

#wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup -O openvas-check-setup.sh --no-check-certificate

#chmod +x openvas-check-setup.sh

#openvas-certdata-sync

#./openvas-check-setup.sh --server

Open the Greenbone Security Assistant port in the Linux firewall

#vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 9392 -j ACCEPT

#service iptables restart
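openvas-setup above answered yes to allowing GSAD connections from any IP, and the iptables rule just added admits port 9392 from every source address. The helpers below are an added example, not part of the original post: they produce the same rule restricted to a management network, test an iptables-save style ruleset for an existing or world-open GSAD rule before anything is appended, and show how the restricted rule would be applied on the scanner host. The CIDR 10.0.0.0/24 and the sample ruleset are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers that build the GSAD
# firewall rule restricted to one management network and check an
# iptables-save style ruleset before adding it. Assumes the CentOS 6 layout
# used above (/etc/sysconfig/iptables, "service iptables save").

GSAD_PORT=9392

# Print the rule admitting new TCP connections to GSAD from one source CIDR.
gsad_rule() {
    printf '%s\n' "-A INPUT -s $1 -m state --state NEW -m tcp -p tcp --dport $GSAD_PORT -j ACCEPT"
}

# Exit 0 if the ruleset already admits the GSAD port from that source.
# The match is token based because iptables-save reorders the matches
# (it writes "-p tcp" before "-m state"), so an exact line compare would miss it.
has_gsad_rule() {
    printf '%s\n' "$1" | grep -e '^-A INPUT ' | grep -F -e " -s $2 " |
        grep -F -e " --dport $GSAD_PORT " | grep -F -q -e ' -j ACCEPT'
}

# Exit 0 if some INPUT rule opens the GSAD port without any -s restriction,
# i.e. the web interface is reachable from every address.
gsad_open_to_world() {
    printf '%s\n' "$1" | grep -e '^-A INPUT ' | grep -F -e " --dport $GSAD_PORT " |
        grep -F -v -q -e ' -s '
}

# Constructed ruleset resembling /etc/sysconfig/iptables after the edit above;
# not copied from a real host.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9392 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# On the scanner host: insert the restricted rule at the top of INPUT if it is
# not there yet, then persist it. Not run here.
apply_gsad_rule() {
    cidr=$1
    if ! has_gsad_rule "$(cat /etc/sysconfig/iptables)" "$cidr"; then
        iptables -I INPUT -s "$cidr" -m state --state NEW -m tcp -p tcp --dport "$GSAD_PORT" -j ACCEPT
        service iptables save
    fi
}
```

Run gsad_open_to_world against the live ruleset (iptables-save) after the restricted rule is in place; it should no longer succeed once the unrestricted 9392 line has been removed, which is the state a scanner exposed beyond a lab network should be in.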

Connect to OpenVAS server

Using a web browser, browse to https://www.sathish.com:9392

That's it. The OpenVAS server installation is complete. You can create new scans of your network, schedule them to run regularly, and check their reports.