The Open Vulnerability Assessment System (OpenVAS) is a Free/Libre software product that can be used to audit the security of an internal corporate network and find vulnerabilities in a free and automated fashion. It is a competitor to the well-known Nessus vulnerability scanning tool. Analyzing the results from tools like Nessus or OpenVAS is an excellent first step for an IT security team working to create a picture of their network. Alternatively, these tools can be used as part of a more mature IT platform that regularly assesses a corporate network for vulnerabilities and alerts IT professionals when a major change or new vulnerability has been introduced into the enterprise.
OpenVAS is a modular tool that contains a few major components. The first is a scanning engine that takes in Network Vulnerability Tests (NVTs) and executes them to find vulnerabilities. According to the OpenVAS website, there were “over 47,000” available NVTs “as of June 2016.” There is also a manager component that schedules scans and manages generation of reports, a command line interface to control the scanner, and the “Greenbone Security Assistant” – a web application interface that is an easier alternative to the command line client for controlling the scanner, scheduling scans and viewing reports.
OpenVAS has precompiled binary packages for Red Hat-derived distributions such as Fedora and CentOS, for the Kali Linux penetration testing distribution, and a PPA for Ubuntu. Since Debian GNU/Linux is the only other major Linux distribution not covered by these, this tutorial will cover installing the scanner and the Greenbone Security Assistant web interface on Debian using the Ubuntu PPA. Later blog posts will cover configuring your first scan and interpreting the results. If you are using a Linux distribution other than Debian, refer to the binary packages and the download page on the main OpenVAS site.
Since no official package for the latest version of OpenVAS (OpenVAS 8 at the time of this writing) exists for the Debian GNU/Linux distribution, we will have to adapt the Ubuntu PPA instead. This tutorial assumes you are running Debian 8 Jessie and have root access. All commands written here should be run as root, unless otherwise specified.
First update the system and ensure it’s running the latest software before installing any new software:
apt-get update; apt-get upgrade
Install necessary build packages:
apt-get install devscripts build-essential
Add the PPA info to the package manager database so it knows to pull from it:
echo "deb-src http://ppa.launchpad.net/mrazavi/openvas/ubuntu xenial main" > /etc/apt/sources.list.d/openvas.list
Import the cryptographic key used to sign the package to ensure it is legitimate:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4AA450E0
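The command above selects the key by a 32-bit short ID, and different keys can share the same short ID, so compare the imported key's full fingerprint with one obtained from the PPA owner over a trusted channel. The following is an added example, not part of the original tutorial; the function names are hypothetical, the expected fingerprint is a placeholder you must supply, and the sample listings are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): confirm which key a short ID imported.
# Real use, with EXPECTED_FPR set to a fingerprint obtained out of band:
#   apt-key adv --with-colons --fingerprint 4AA450E0 | verify_key 4AA450E0 "$EXPECTED_FPR"

# Print primary-key fingerprints from gpg --with-colons output on stdin.
# Field 10 of the first "fpr" record after each "pub" record is the fingerprint;
# subkey fingerprints (after "sub") are skipped.
list_fprs() {
    awk -F: '$1 == "pub" { primary = 1 }
             $1 == "sub" { primary = 0 }
             $1 == "fpr" && primary { print toupper($10); primary = 0 }'
}

# verify_key SHORT_ID EXPECTED_FPR   (colon listing on stdin)
# Succeeds only if exactly one primary key ends in SHORT_ID and equals EXPECTED_FPR.
verify_key() {
    short=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    matches=$(list_fprs | grep -- "${short}\$" || true)
    count=$(printf '%s' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "FAIL: $count keys end in $short, expected exactly 1" >&2
        return 1
    fi
    if [ "$matches" != "$want" ]; then
        echo "FAIL: keyring has $matches, expected $want" >&2
        return 1
    fi
    echo "OK: $matches"
}

# Constructed sample listing (fake key material) so the check can be tried offline.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF4AA450E0:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF4AA450E0:
uid:-::::1400000000::::Constructed PPA key::::::::::0:
sub:-:4096:1:1111222233334444:1400000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:'
# Constructed second key whose last 8 hex digits collide with the first.
SAMPLE_COLLISION='pub:-:4096:1:765432104AA450E0:1400000001:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA98765432104AA450E0:'

printf '%s\n' "$SAMPLE_LISTING" | verify_key 4AA450E0 0123456789ABCDEF0123456789ABCDEF4AA450E0
```

If the check fails, remove the imported key from the apt keyring before continuing, since every package built from the PPA source is trusted on the strength of that key.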
Update the package manager so that it knows about the new sources from the PPA:
You will now run into issues during the build process because some required packages are missing. For example, I had to install the following packages in order to build the openvas packages:
apt-get install cmake libgcrypt11-dev libsqlite3-dev libgpgme11-dev
Because the openvas package relies on several packages in the PPA, you will need to build those packages for Debian first:
apt-get source --build rats
dpkg -i rats_2.3-1xenial2_amd64.deb
One of the packages that must be built before the whole openvas package can be installed is the libopenvas8 package. Unfortunately, this package requires the development version of the gnutls library. This library is called libgnutls-dev in Ubuntu, but in newer versions of Debian it is called libgnutls28-dev. To address this discrepancy so that we can build OpenVAS, we will have to create a Debian metapackage that links libgnutls-dev to libgnutls28-dev. We will do this using the equivs package:
apt-get install equivs
equivs-control libgnutls-dev
Now there will be a file called libgnutls-dev in your working directory. With your favorite text editor, open it up and change it to the following:
Section: misc
Priority: optional
Standards-Version: 3.9.2
Package: libgnutls-dev
Version: 3.3.8-6
Depends: libgnutls28-dev
Architecture: all
Description: long description and info
 .
 second paragraph
Now use the equivs package to create a Debian package that will pull in libgnutls28-dev:
Now install libgnutls28-dev and install the libgnutls-dev package that points to it:
apt-get install libgnutls28-dev
dpkg -i libgnutls-dev_3.3.8-6_all.deb
On my system, I had to install the following additional packages to build libopenvas8-dev:
apt-get install libpcap-dev uuid-dev libssh-dev libhiredis-dev libsnmp-dev libksba-dev libldap2-dev
And now you can build and install the underlying library for OpenVAS.
apt-get source --build libopenvas8-dev
dpkg -i libopenvas8-dev_8.0.8-1xenial_amd64.deb
dpkg -i libopenvas8_8.0.8-1xenial_amd64.deb
Using the apt tool, download the source code for the rest of the OpenVAS packages and build them:
apt-get source --build openvas
apt-get install libjemalloc1 redis-tools redis-server
apt-get source --build openvas-scanner
dpkg -i openvas-scanner_5.0.7-1xenial_amd64.deb
apt-get source --build openvas-manager
dpkg -i openvas-manager_6.0.9-1xenial_amd64.deb
The Greenbone Security Assistant is the web interface to OpenVAS. To install it, you will need the following dependencies:
apt-get install libxml2-dev libxslt1-dev libmicrohttpd-dev
Now build the Greenbone Security Assistant:
apt-get source --build openvas-gsa
dpkg -i openvas-gsa_6.0.11-1xenial_amd64.deb
And lastly, you’ll need to build and install the command line interface for openvas:
apt-get source --build openvas-cli
dpkg -i openvas-cli_1.4.4-1xenial_amd64.deb
FINALLY, you can install the openvas package:
dpkg -i openvas_6.0.9-1xenial_amd64.deb
Optionally, if you want to have PDF report output, you’ll need the LaTeX engine to create PDFs:
apt-get install texlive-latex-extra --no-install-recommends
After all this, you must sync the database files that openvas needs. This will take a long time, as it needs to download all of the thousands of threat information files from the internet.
apt-get install sqlite3
openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync
Start the service!
service openvas-scanner restart
service openvas-manager restart
openvasmd --rebuild --progress
Note that the Greenbone Security Assistant web application, which can be used to control scans, is exposed on port 443. To access it, browse to the server's IP address, making sure to put “https://” before the IP address. The server will present a self-signed certificate that was generated during the installation process. You should restrict access to the Greenbone web application administration interface, either by hosting it on a secure network or by restricting access to the host using a firewall.
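One way to apply the firewall restriction described above, as an added example that is not part of the original tutorial. The management network 192.0.2.0/24 is an assumed placeholder, the function names are hypothetical, and the rules are only printed unless IPT=iptables is set.

```sh
#!/bin/sh
# Added example (not from the original post): allow the Greenbone web interface
# (TCP 443) only from one management network. MGMT_NET is an assumed placeholder
# from the documentation address range. By default the rules are only printed;
# run as root with IPT=iptables to apply them.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
IPT="${IPT:-echo iptables}"

# valid_cidr NET: accept a.b.c.d/len with len 1-32. Empty input, a bare address
# and a /0 prefix are rejected so a typo cannot open the port to every source.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# restrict_gsa NET: emit or apply the three rules, in order.
restrict_gsa() {
    if ! valid_cidr "$1"; then
        echo "refusing to use '$1' as the management network" >&2
        return 1
    fi
    # Order matters: loopback and the management network are accepted first,
    # then every other source address is dropped.
    $IPT -A INPUT -i lo -p tcp --dport 443 -j ACCEPT &&
    $IPT -A INPUT -s "$1" -p tcp --dport 443 -j ACCEPT &&
    $IPT -A INPUT -p tcp --dport 443 -j DROP
}

restrict_gsa "$MGMT_NET"
```

These rules cover IPv4 only and are lost at reboot unless they are saved, so add matching ip6tables rules if the interface also listens on IPv6.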
This concludes the installation process for the OpenVAS scanner on Debian GNU/Linux. Our next post will examine the various configuration options available in order to configure a scan, and how to read and access the post-scan report data.