I’m a huge fan of OpenVAS. It is a great tool for probing your network and finding possible security holes. Many of you have probably heard of Nessus, another fantastic tool, but it can be pretty pricey. I would recommend it for business, but for home use, go for OpenVAS.
In many cases, I would recommend you setup a Linux distribution called Kali Linux. It has a lot of really good tools built right in, including OpenVAS, but I’ve started running into issues with it lately. I’ll run a scan, and the systems load gets so high it becomes completely unresponsive for days at a time, then fails to finish. I’m not sure what I’m doing wrong there, so I decided to wipe the machine and put my good ‘ol Slackware back on it. After using it for several weeks I have decided to leave it Slackware as those issues have disappeared. So now I’m going to point you in the direction to get OpenVAS installed, plus a few extras that will make things easier.
I’m going to assume you are familiar with slackbuilds.org and hopefully a wonderful tool called sbopkg, as some wonderful people over there have build script for OpenVAS that will make your life so much better. Kent Fritz has written a great guide on how to get going over on slackbuilds.org. Go through his steps then come back here.
FYI, I have build and used OpenVAS on both 32 and 64bit Slackware and even on ARM using a Raspberry Pi. I’ve only had one program (hiredis) fail to build using sbopkg, so I had to do it the old fashioned way and download the build script and source and build outside sbopkg.
Note that while going through the instructions over on slackbuilds.org, before running any type of sync command, stop the running processes like openvasmd and openvassd. This is because the first time you run them, they will require a large amount of memory and will crash on the Raspberry Pi (I’m not sure on the pi2, I haven’t tried yet). By ensuring those processes are not running, it will surely finish properly.
Welcome back… I’m assuming you followed the instructions over on slackbuilds.org and are ready to continue. Here are some tips and script to make like just a little easier.
First, edit some permissions:
chmod 755 /etc/rc.d/rc.redis chmod 755 /etc/rc.d/rc.openvassd chmod 755 /etc/rc.d/rc.openvasmd chmod 755 /etc/rc.d/rc.gsad
Now we are going to create a bunch of scripts that will simplify everything.
#!/bin/bash echo "Starting OpenVAS Services" /etc/rc.d/rc.redis start /etc/rc.d/rc.gsad start /etc/rc.d/rc.openvassd start /etc/rc.d/rc.openvasmd start
#!/bin/bash echo "Stopping OpenVAS Services" /etc/rc.d/rc.gsad stop /etc/rc.d/rc.openvassd stop /etc/rc.d/rc.openvasmd stop /etc/rc.d/rc.redis stop
#!/bin/bash echo "Updating OpenVAS Feeds" echo "Stopping OpenVAS if running..." /usr/bin/openvas-stop openvas-nvt-sync openvas-scapdata-sync openvas-certdata-sync echo "Rebuilding Database" openvasmd --rebuild echo "You can start OpenVAS now if needed"
#!/bin/bash test -e /var/lib/openvas/CA/cacert.pem || openvas-mkcert -q if (openssl verify -CAfile /var/lib/openvas/CA/cacert.pem \ /var/lib/openvas/CA/servercert.pem |grep -q ^error); then openvas-mkcert -q -f fi openvas-nvt-sync openvas-scapdata-sync openvas-certdata-sync if ! test -e /var/lib/openvas/CA/clientcert.pem || \ ! test -e /var/lib/openvas/private/CA/clientkey.pem; then openvas-mkcert-client -n -i fi if (openssl verify -CAfile /var/lib/openvas/CA/cacert.pem \ /var/lib/openvas/CA/clientcert.pem |grep -q ^error); then openvas-mkcert-client -n -i fi /etc/rc.d/rc.openvasmd stop /etc/rc.d/rc.openvassd stop /etc/rc.d/rc.openvassd start openvasmd --migrate openvasmd --rebuild /etc/rc.d/rc.openvassd stop killall openvassd sleep 15 /etc/rc.d/rc.openvassd start /etc/rc.d/rc.openvasmd start /etc/rc.d/rc.gsad restart /etc/rc.d/rc.redis restart if ! openvasmd --get-users | grep -q ^admin$ ; then openvasmd --create-user=admin fi
Here is a great program that can help find any issues while getting setup. This link is mentioned in Kent’s instructions. So hopefully you have it already.
wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup -o /usr/bin/openvas-check-setup
Here we are going to chmod those files:
chmod 755 /usr/bin/openvas-start chmod 755 /usr/bin/openvas-stop chmod 755 /usr/bin/openvas-feed-update chmod 755 /usr/bin/openvas-setup chmod 755 /usr/bin/openvas-check-setup
WOW! That is a lot! Alright, so several files have been created. Here is what each one does.
This will start all the services needed.
This will stop all the services.
This will update all your feeds.
This script will help if you have any issues. Sometimes OpenVAS feeds cause an issue, and by running this command you will find it fixes the problem 99% of the time.
This one will help you diagnose issues.
Give it time:
When starting OpenVAS, each part is thrown into the background to finish loading. Depending on your computers speed, it can take a while before you can do anything. Best to watch with top, htop, or iotop to see when everything has finished loading. Then proceed to use GreenBone.
When trying to log in to the GreenBone Security Assistant, You might get an error that says the OMP service could not be found. Try running the openvas-setup-check. If you get an error saying there are no users, run openvas-setup. This will fix it. This is a problem I have seen several times in the past on both Slackware and Kali, so I believe it to be a bug somewhere in OpenVAS.
I think that’s just about it. You should now be up and running with OpenVAS!