Synopsis

The Open Vulnerability Assessment System (OpenVAS), is a Free/Libre software product that can be used to audit the security of an internal corporate network and find vulnerabilities in a free and automated fashion. It is a competitor to the well known Nessus vulnerability scanning tool. Analyzing the results from tools like Nessus or OpenVAS is an excellent first step for an IT security team working to create a picture of their network. Alternatively, these tools can also be used as part of a more mature IT platform that regularly assesses a corporate network for vulnerabilities and alerts IT professionals when a major change or new vulnerability has been introduced into the enterprise.

OpenVAS is a modular tool that contains a few major components. The first is a scanning engine, that takes in Network Vulnerability Tests (NVTs), and executes them to find vulnerabilities. According to the OpenVAS website, there were “over 47,000” available NVTs “as of June 2016.” There is also a manager component that schedules scans and manages generation of reports, a command line interface to control the scanner, and the “Greenbone Security Assistant” – a web application interface that is an easier alternative to the command line client to control the scanner, schedule scans and view reports.

OpenVAS has binary precompiled packages for Red-Hat derived distributions such as Fedora and CentOS, the Kali Linux penetration testing Linux distribution, and a PPA for Ubuntu. Since the only other major Linux distribution not covered by this is the Debian GNU/Linux distribution, this tutorial will cover installing the scanner and Greenbone Security Assistant web interface on Debian using the Ubuntu PPA. Later blog posts will cover configuring your first scan, and interpreting the results. If you are using a different Linux distribution than Debian, refer to the binary packages and the download page on the main OpenVAS site.

Installation

Since no official package for the latest version of OpenVAS (OpenVAS 8 at the time of this writing) exists for the Debian GNU/Linux distribution, we will have to adapt the Ubuntu PPA instead. This tutorial assumes you are running Debian 8 Jessie and have root access. All commands written here should be run as root, unless otherwise specified.

First update the system and ensure it’s running the latest software before installing any new software:

apt-get update; apt-get upgrade

Install necessary build packages:

apt-get install devscripts build-essential

Add the PPA info to the package manager database so it knows to pull from it:

echo "deb-src" http://ppa.launchpad.net/mrazavi/openvas/ubuntu xenial main" > /etc/apt/sources.list.d/openvas.list

Import the cryptographic key used to sign the package to ensure it is legitimate:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4AA450E0

Update the package manager so that it knows about the new sources from the PPA:

apt-get update

Now you will run into issues during the build process where you lack some list of required packages. For example, I had to install the following packages in order to build the openvas packages:

apt-get install cmake libgcrypt11-dev libsqlite3-dev libgpgme11-dev

Because the openvas package relies on several packages in the PPA, you will need to build those packages for Debian first:

apt-get source --build rats 
dpkg -i rats_2.3-1xenial2_amd64.deb

One of the packages that is required to build before the whole openvas package can be installed is the libopenvas8 package. Unfortunately, this package requires the development version of the gnutls library. This library is called libgnutls-dev in Ubuntu, but in newer versions of Debian is called libgnutls28-dev. In order to address this discrepancy so that we can build OpenVAS, we we will have to create a Debian metapackage that links libgnutls-dev to libgnutls28-dev. We will do this using the equivs package:

 apt-get install equivs 
 equivs-control libgnutls-dev

Now there will be a file called libgnutls-dev in your working directory. With your favorite text editor, open it up and change it to the following:

vi libgnutls-dev
 Section: misc 
 Priority: optional 
 Standards-Version: 3.9.2 
 Package: libgnutls-dev 
 Version: 3.3.8-6 
 Depends: libgnutls28-dev 
 Architecture: all 
 Description: 
 long description and info 
 . 
 second paragraph

Now use the equivs package to create a debian package that will pull in libgnutls28-dev:

equivs-build libgnutls-dev

Now install libgnutls28-dev and install the libgnutls-dev package that points to it:

apt-get install libgnutls28-dev 
dpkg -i libgnutls-dev_3.3.8-6_all.deb

On my system, I had to install the additional following packages to build libopenvas8-dev:

apt-get install libpcap-dev uuid-dev libssh-dev libhiredis-dev libsnmp-dev libksba-dev libldap2-dev

And now you can build and install the underlying library for OpenVAS.

apt-get source --build libopenvas8-dev 
dpkg -i libopenvas8-dev_8.0.8-1xenial_amd64.deb 
dpkg -i libopenvas8_8.0.8-1xenial_amd64.deb

Using the apt tool, download the source code for the rest of the OpenVAS packages and build them:

apt-get source --build openvas 
apt-get install libjemalloc1 redis-tools redis-server 
apt-get source --build openvas-scanner 
dpkg -i openvas-scanner_5.0.7-1xenial_amd64.deb 
apt-get source --build openvas-manager 
dpkg -i openvas-manager_6.0.9-1xenial_amd64.deb

The Greenbone Security Assistant is the web interface to OpenVAS. To install it, you will need the following dependencies:

apt-get install libxml2-dev libxslt1-dev libmicrohttpd-dev

Now build the Greenbone Security Assistant:

apt-get source --build openvas-gsa 
dpkg -i openvas-gsa_6.0.11-1xenial_amd64.deb

And lastly, you’ll neeed to build and install the command line interface for openvas:

apt-get source --build openvas-cli 
dpkg -i openvas-cli_1.4.4-1xenial_amd64.deb

FINALLY, you can install the openvas package:

dpkg -i openvas_6.0.9-1xenial_amd64.deb

Optionally, if you want to have PDF report output, you’ll need the LaTeX engine to create PDFs:

apt-get install texlive-latex-extra --no-install-recommends

After all this, you must now sync the database files necessary for openvas. This will take a long time to sync, as it needs to download all of the thousands of threat information files from the internet.

apt-get install sqlite3 
openvas-nvt-sync 
openvas-scapdata-sync 
openvas-certdata-sync

Start the service!

 service openvas-scanner restart 
 service openvas-manager restart 
 openvasmd --rebuild --progress

Note that the OpenVAS Greenbone Security Assistant web application that can be used to control scans is exposed on port 443. In order to access it, you should browse to the IP address in your browser, making sure to put “https://” before the IP address. The server will present a self-signed certificate that was generated during the installation process. You should restrict access to the Greenbone web application administration interface, either by hosting it on a secure network, or restricting access to the host using a firewall.

This concludes the installation process for the OpenVAS scanner on Debian GNU/Linux. Our next post will examine the various configuration options available in order to configure a scan, and how to read and access the post-scan report data.

Complementary Tools

More Reading & Other Resources