Install OpenVAS 8 on Ubuntu 16.04
OpenVAS, the Open Vulnerability Assessment System, is a framework of tools that allow you to scan your system for thousands of known vulnerabilities. This guide will show you how to install OpenVAS 8 on Ubuntu 16.04.
OpenVAS consists of:
- a database that stores results and configurations;
- a regularly updated feed of Network Vulnerability Tests (NVTs);
- a scanner, which runs the NVTs;
- the Greenbone Security Assistant, a graphical interface that allows you to manage vulnerability scans from a web application.
For more information about the architecture of the software, refer to the OpenVAS website.
Caution
OpenVAS is a powerful security tool that is capable of scanning remote hosts as well as your local machine. This guide is intended to allow you to monitor vulnerabilities on machines that you control or have permission to scan. If you use OpenVAS to scan remote servers owned by others, be sure that you have a full understanding of the responsibilities involved and the potential consequences.
Before You Begin
-
Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode’s hostname and timezone.
-
Complete the sections of our Securing Your Server guide to create a standard user account, harden SSH access and remove unnecessary network services.
-
Update your system.
sudo apt update && sudo apt upgrade
Note
This guide is written for a non-root user. Commands that require elevated privileges are prefixed withsudo
. If you’re not familiar with thesudo
command, see the Users and Groups guide.
Install OpenVAS
The openvas
repository and its packages are not officially supported by Ubuntu. If you’d like to review its contents, signing key, and fingerprint before installing OpenVAS, you can do so in the Ubuntu package archive.
-
Since OpenVAS is not included in the default Ubuntu repositories, install its PPA:
sudo apt install software-properties-common sudo add-apt-repository ppa:mrazavi/openvas
The first command installs the
software-properties-common
package, which is required for adding certain repositories. The second command will output a list of instructions for how to install OpenVAS. We’ll explain each of these instructions in the following steps. You don’t need to explicitly import the GPG key, as it will be added to your keyring automatically with the second command. However, you should verify that your output includes:gpg: key 4AA450E0: public key "Launchpad PPA for Mohammad Razavi" imported
-
After adding the repository, update your system packages and install the
openvas
package:sudo apt update sudo apt install openvas
When installing
openvas
, you’ll be prompted to configure a Redis database for application data, such as tasks and configurations. Select Yes when asked if you’d like to add a socket at/var/run/redis/redis.sock
: -
Install the SQLite 3 database package. This is used to store the Common Vulnerabilities and Exposures (CVE) data we’ll obtain in Step 5:
sudo apt install sqlite3
-
Sync the OpenVAS NVT feed. This allows your installation to access tests for the most current vulnerabilities and exposures:
sudo openvas-nvt-sync
Note
This feed is maintained by OpenVAS and is updated about once per week. To keep your NVT feed current, we recommend running this command regularly, or setting up a cron job to automate the process. -
Sync Security Content Automation Protocol (SCAP) and Computer Emergency Readiness Team (CERT) vulnerability data to a local database. The synchronization will take several minutes, and you can monitor its progress in the output:
sudo openvas-scapdata-sync sudo openvas-certdata-sync
-
Restart the OpenVAS scanner and manager:
sudo service openvas-scanner restart sudo service openvas-manager restart
-
Finally, rebuild the OpenVAS database, so the manager can access the NVT data downloaded previously:
sudo openvasmd --rebuild --progress
Configure OpenVAS
Remote Access
To access the Greenbone Security Assistant web interface remotely, you must configure it to listen on your Linode’s public IP address. You can do so by editing its configuration file under the /etc/init.d/openvas-gsa
, and specifying your public IP address on the DAEMON_ARGS
line. Replace 198.51.100.221
with your Linode’s public address:
- /etc/init.d/openvas-gsa
-
1
DAEMON_ARGS= --listen "198.51.100.221"
Save your changes, then restart openvas-gsa
:
sudo service openvas-gsa restart
User Authentication for OpenVAS
OpenVAS is now installed, and you’re almost ready to start using it to scan for vulnerabilities. However, you should first change the default password to prevent unauthorized access.
From your Linode, replace your_password
in the following example with your new password:
sudo openvasmd --user=admin --new-password=your_password
This changes the password for the admin
user to a value of your choosing. You can also create a new administrative user by replacing new_user
in the following command:
sudo openvasmd --create-user=new_user
This method creates a random password even if you specify one. To change the password for a newly created user, use the syntax of the first command, substituting the username and your desired password. To create a new guest user without admin privileges, use the gsad
(Greenbone Security Assistant Daemon) tool:
sudo gsad --guest-username=new_user --guest-password
Replace new_user
and your_password
with the appropriate values. For a complete list of administrative features available with the OpenVAS CLI, use openvasmd --help
and gsad --help
.
Scan Your System with OpenVAS
Congratulations! OpenVAS is now ready to use. In this section, we’ll provide a basic tutorial for both logging into the Greenbone Security Assistant (GSA) web application and running a basic vulnerability scan.
-
On your local computer, navigate to your Linode’s IP address or domain name in a web browser. You should be proxied to the GSA Login page.
In most browsers, you will first encounter a security warning. This happens because OpenVAS generates a self-signed SSL certificate upon installation and your host is not recognized as a trusted certificate authority.
To verify the certificate in Chrome:
- Click the warning icon next to
https://
in the URL bar, and choose “Details” under the message that is displayed. - In the “Security Overview” pane, click the “View Certificate” button.
- A small window will appear with information about the self-signed certificate. Click “Details” to expand the window and show more information.
- Scroll to the bottom and find the
SHA 1
Fingerprint. - On your Linode, run
sudo openssl x509 -noout -in /var/lib/openvas/CA/servercert.pem -fingerprint -sha1
. - Compare the two fingerprints. If they match, it’s safe to ignore the warning and proceed.
To verify the certificate in Firefox:
- Click the “Advanced” button on the warning page in your browser.
- Additional details will be displayed, including an error code, which will be something like
SEC_ERROR_UNKNOWN_ISSUER
. Click the error code to view more information. - A pane will be displayed with the “Certificate Chain” for your server.
- On your Linode, run
cat /var/lib/openvas/CA/servercert.pem
and look for the-----BEGIN CERTIFICATE-----
line in the output. - Compare the two certificates to ensure they match. If they do, it’s safe to click “Add Exception” and proceed.
- Click the warning icon next to
-
The next page you see will be a login for the Greenbone Security Assistant, the graphical web interface for the OpenVAS manager. Once the page appears on you screen, enter the credentials for your
admin
user and click “Login.” -
The welcome screen will display instructions on how to use the tool. OpenVAS uses “Tasks” to manage scans, but to start running one right away, simply enter a hostname or IP address in the text box under “Quick Start,” and then click “Start Scan.” This schedules a scan of the specified host to start immediately and sets the page contents to refresh every 30 seconds, so you can see the progress in real time.
Note
The Quick Start screen will not appear on login after you’ve scheduled 3 or more tasks. To access this screen at any time, click the “Scan Management” tab at the top of the screen, select “Tasks,” and hover over the purple magic wand icon in the top bar. From there, you can select “Task Wizard” or “Advanced Task Wizard” to create a new task quickly and easily. -
The reports showing results of your tasks can be accessed at any time while the scan is in progress. The time a scan takes to complete will depend on the services running on a host, and may vary significantly. To view the results of a scan, select “Scan Management” in the top navigation bar, and click “Reports.”
To view the details of a specific task, click its name under “Task.” In the example below, it was called “Immediate scan of IP localhost” when we created it with the Task Wizard:
-
A “Task Details” screen will be displayed, showing information such as status, and the number of vulnerabilities detected. To view the details of any vulnerabilities that were found, click the number next to “Results.” In our example, there were 33:
-
The “Results” page will list potential vulnerabilities found in the scan. To sort them, click the heading of any column at the top of the page. Note that if you run scans on multiple servers, you’ll need to sort the results by host to determine which servers are affected by vulnerabilities.
To view details of a vulnerability, such as the method of detection, impact to your system, and in some cases a solution, click the name of the vulnerability. In the example below, OpenVAS has detected that we haven’t changed the default login credentials, and it tells us how to resolve the issue:
Once you resolve a vulnerability, return to the “Tasks” screen, and click the green play button icon under “Actions” to run the scan again. When the task completes, the vulnerability should no longer be present in your results.
Troubleshooting
Occasionally, you may receive a 502 Bad Gateway error when you try to connect via browser. In most cases, this is caused by one of the OpenVAS daemons stopping.
To check for problems:
sudo netstat -plntu
Your output should include the following lines:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 3579/openvassd: Wai
tcp6 0 0 :::443 :::* LISTEN 7046/gsad
tcp6 0 0 :::9390 :::* LISTEN 3577/openvasmd
These lines represent the OpenVAS scanner, the Greenbone Security Assistant, and the OpenVAS manager, respectively. If one of these lines is not present, simply start the daemon and try to reconnect. For example, if the gsad
program is stopped, run sudo service openvas-gsa restart
. Here are the names of the relevant daemons, as well as the commands you can use to restart them:
Program Name | Command to Restart |
---|---|
openvassd | sudo service openvas-scanner restart |
openvasmd | sudo service openvas-manager restart |
gsad | sudo service openvas-gsa restart |
Join our Community
Find answers, ask questions, and help others.
This guide is published under a CC BY-ND 4.0 license.