Status: As at 26 Feb 2020 - tested and running, and now mostly documented so others can do this as well

Status: As of June 2020 - with the upgrade of OpenVAS 9 to GVM-11 the simple Ubuntu install is broken.

Status: As of Jan 2021 - the recommendation is to build on AWS from source (see the section on "GVM 20.08")


NOTE: As of OpenVAS 10, OpenVAS is now known as Greenbone Vulnerability Management (GVM). I have updated this tip to reflect the GVM update.

OpenVAS / GVM is a very useful Open Source security scanning tool.

Running a security scan on your network is strongly recommended. However, if you run the scanner from inside your internal network, the scan results may not reflect how your network looks to the "outside world".

To get that view you should run your scanner from a machine that reaches your network from the public internet, as this is a key attack path. A simple way to do this is to spin up a scanner instance in AWS or another public cloud and then run your scan from there. This is relatively easy to do, and you can even use a free-tier Ubuntu EC2 machine to achieve this at low cost.

For running OpenVAS on QEMU / KVM, see my separate tip on running OpenVAS on QEMU / KVM using the "Greenbone Networks" VM appliance.


GVM 20.08 on Ubuntu 20.04 on AWS

OpenVAS 9 is no longer supported, the "simple" Ubuntu install for GVM-11 never worked correctly, and in any case it is now obsolete as the current version is GVM 20.08 (the new release naming convention reflects the August 2020 release date).

You can get a GVM 20.08 build up and running on AWS on Ubuntu 20.04 using a source build.

Be aware that to build on AWS you will need an AWS host with more than the 1GB RAM provided by the "free tier" AWS Ubuntu 20.04 "Micro T2" machine.

I have tested the build process and the "Micro T2" VM goes into virtual memory swap thrashing when building the "gsa" component. This occurs during the node/yarn build step, and I observed it by running "top" during the build. I tried to work around this by changing the "vm.swappiness" configuration from the default 60% to 80%, but the VM still goes into swap thrashing.

If you set up a "medium T2" VM with:

  • 2 CPUs and
  • 4GB RAM with
  • Security setup to allow: ssh (port 22), http (port 80) and https (port 443) access.

then you can successfully build a GVM 20.08 instance from source on AWS.

I did this via the instructions referenced below:

Beware that the script enables the Linux firewall (ufw) as part of its setup, and that on Ubuntu 20.04 the data sync does not complete correctly as part of the build, so you will need to re-run the data load. Both of these issues have been documented and can be worked around.

I have validated the instructions from Mike's Lab blog: https://www.mikeslab.net/install-greenbone-vulnerability-manager-20-08-on-ubuntu-20-04/ and Kevin Lucus's script on GitHub.

I will not repeat the instructions here, as you are better off just using either of these.

The build produces a machine that is accessible over https at the AWS public IP of your VM.


OpenVAS 9 on Ubuntu on AWS

NOTE: OpenVAS 9 is no longer supported and the project has been renamed "Greenbone Vulnerability Management" (GVM), with GVM-11 as the new stable release. These instructions require updating to the new version.

1. If you have not already done so, set up an AWS account: https://aws.amazon.com

2. Using the AWS Management Console, create a new EC2 VM

AWS Management Console - Web Interface to Create EC2 VM

3. Set up an Ubuntu Server 18.04 64-bit (x86) VM

NOTE: The Free Tier is sufficient to run a scanner, as long as you accept that it is slow

4. Using the EC2 console, configure your VM firewall security and download your ssh key

For firewall rules, configure these so you can get access to the following ports:

  • 22 - ssh / sftp
  • 80 / 443 - http / https
  • 4000 - port for the OpenVAS web URL

The allowed source addresses will depend on your particular IP address ranges and security concerns.

5. Log in to your VM:

$ ssh -i "aws-YOUR-key-01.pem" ubuntu@ec2-YOUR_VM.compute.amazonaws.com
...
Usual Ubuntu Greetings...
...


$ uname -a
Linux ip-172-31-9-160 4.15.0-1060-aws #62-Ubuntu SMP Tue Feb 11 21:23:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

6. Now install OpenVAS

To make this a bit more repeatable, I have put what is needed into a shell script:

$ cat install.sh 
#!/bin/sh
# Install OpenVAS 9 on Ubuntu 18.04 from the mrazavi PPA, sync the feeds,
# enable and start the services, then build the NVT cache.
set -e
sudo add-apt-repository ppa:mrazavi/openvas
sudo apt update
sudo apt upgrade
sudo apt install sqlite3
sudo apt install openvas9
sudo apt install libopenvas9-dev
# Pull the NVT, SCAP and CERT feeds (slow on a free-tier VM)
sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync
# Enable the scanner, manager and web UI (GSA) at boot, then start them
sudo systemctl enable openvas-scanner
sudo systemctl enable openvas-manager
sudo systemctl enable openvas-gsa
sudo systemctl start openvas-scanner
sudo systemctl start openvas-manager
sudo systemctl start openvas-gsa
# Load the synced NVTs into the manager database
sudo openvasmd --rebuild --progress

7. Connect via the web to your OpenVAS machine...

This should be available via the machine's AWS address on port 4000,

i.e.: https://ec2-YOUR_VM.compute.amazonaws.com:4000

You can now configure your scans and run them.

So happy scanning....


Troubleshooting and Operating

Here are some common operating issues...

User Administration

Use openvasmd, the OpenVAS Manager Daemon, to administer users and passwords.

$ openvasmd --help
Usage:
  openvasmd [OPTION…] - Manager of the Open Vulnerability Assessment System

Help Options:
  -h, --help                                   Show help options

Application Options:
  --backup                                     Backup the database.
  --check-alerts                               Check SecInfo alerts.
  --client-watch-interval=             Check if client connection was closed every  seconds. 0 to disable. Defaults to 1 seconds.
  -d, --database=                   Use  as database for SQLite/Postgres.
  --disable-cmds=                    Disable comma-separated .
  --disable-encrypted-credentials              Do not encrypt or decrypt credentials.
  --disable-password-policy                    Do not restrict passwords to the policy.
  --disable-scheduling                         Disable task scheduling.
  --create-user=                     Create admin user  and exit.
  --delete-user=                     Delete user  and exit.
  --get-users                                  List users and exit.
  --create-scanner=                   Create global scanner  and exit.
  --modify-scanner=              Modify scanner  and exit.
  --scanner-name=                        Name for --modify-scanner.
  --scanner-host=                Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
  --otp-scanner=                   Path to scanner unix socket file. Used by --rebuild and --update
  --scanner-port=                Scanner port for --create-scanner and --modify-scanner. Default is 9391.
  --scanner-type=                Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.
  --scanner-ca-pub=            Scanner CA Certificate path for --[create|modify]-scanner.
  --scanner-key-pub=       Scanner Certificate path for --[create|modify]-scanner.
  --scanner-key-priv=     Scanner private key path for --[create|modify]-scanner.
  --verify-scanner=              Verify scanner  and exit.
  --delete-scanner=              Delete scanner  and exit.
  --get-scanners                               List scanners and exit.
  --schedule-timeout=
  -a, --listen=                                Listen on .
  --listen2=                                   Listen also on .
  --listen-owner=                              Owner of the unix socket
  --listen-group=                              Group of the unix socket
  --listen-mode=                               File mode of the unix socket
  --max-ips-per-target=                        Maximum number of IPs per target.
  --max-email-attachment-size=                 Maximum size of alert email attachments, in bytes.
  --max-email-include-size=                    Maximum size of inlined content in alert emails, in bytes.
  --max-email-message-size=                    Maximum size of user-defined message text in alert emails, in bytes.
  -m, --migrate                                Migrate the database and exit.
  --modify-setting=                            Modify setting and exit.
  --encrypt-all-credentials                    (Re-)Encrypt all credentials.
  --new-password=                              Modify user's password and exit.
  --optimize=                                  Run an optimization: vacuum, analyze, cleanup-config-prefs, remove-open-port-results, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache.
  --password=                                  Password, for --create-user.
  -p, --port=                                  Use port number .
  --port2=                                     Use port number for address 2.
  --progress                                   Display progress during --rebuild and --update.
  --rebuild                                    Rebuild the NVT cache and exit.
  --role=                                      Role for --create-user and --get-users.
  -u, --update                                 Update the NVT cache and exit.
  -c, --unix-socket=                           Listen on UNIX socket at .
  --user=                                      User for --new-password.
  --gnutls-priorities=                         Sets the GnuTLS priorities for the Manager socket.
  --dh-params=                                 Diffie-Hellman parameters file
  --value=                                     Value for --modify-setting.
  -v, --verbose                                Has no effect. See INSTALL for logging config.
  --version                                    Print version and exit.

After installing OpenVAS there should be a single OpenVAS user defined (admin)

$ sudo openvasmd --get-users
admin

... now update the admin password:

$ sudo openvasmd --user=admin --new-password=YOUR_PASSWORD

Web Connect Error

On connecting via the web you get:

The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it.

This is likely the result of having stopped your VM and then restarted it. If you are using a VM without a persistent address (a paid-for feature), then the AWS DNS name changes on stopping and restarting the VM.

To address this problem you need to edit /etc/default/openvas-gsa.

This has a configuration setting for the valid Host header value: "ALLOW_HEADER_HOST".

Simply update this to the current valid AWS DNS name and reboot the machine:

$ sudo vi /etc/default/openvas-gsa
$ sudo reboot
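Because the DNS name changes on every stop/start, the edit above has to be repeated each time. As an added example (not from the original post), this POSIX shell script reads the instance's current public DNS name from the EC2 metadata service and rewrites ALLOW_HEADER_HOST, restarting GSA only when the value changed; it assumes the file path and the openvas-gsa unit name used above, and the --run flag is my own convention for invoking it (e.g. from a root cron @reboot entry).

```shell
#!/bin/sh
# Added example, not from the original post: keep ALLOW_HEADER_HOST in
# /etc/default/openvas-gsa equal to the EC2 public DNS name, which changes
# whenever an instance without a persistent address is stopped and started.
set -eu
GSA_DEFAULTS="${GSA_DEFAULTS:-/etc/default/openvas-gsa}"

# Current public DNS name from the EC2 instance metadata service (IMDSv2).
current_public_hostname() {
    token=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/public-hostname"
}

# Value currently configured in the defaults file ($1); empty if unset.
get_allow_header_host() {
    sed -n 's/^ALLOW_HEADER_HOST=//p' "$1"
}

# Set ALLOW_HEADER_HOST in file $1 to hostname $2, adding the line if absent.
# GSA uses this value as an access check, so refuse anything that is not a
# plain DNS name rather than write an untrusted string into the config.
set_allow_header_host() {
    file="$1"; host="$2"
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "refusing bad hostname: '$host'" >&2; return 1 ;;
    esac
    if grep -q '^ALLOW_HEADER_HOST=' "$file"; then
        sed "s|^ALLOW_HEADER_HOST=.*|ALLOW_HEADER_HOST=$host|" "$file" > "$file.tmp"
        cat "$file.tmp" > "$file"   # keeps the original file's owner and mode
        rm -f "$file.tmp"
    else
        printf 'ALLOW_HEADER_HOST=%s\n' "$host" >> "$file"
    fi
}

# Apply the change and restart GSA only when the hostname actually changed.
sync_gsa_host() {
    new=$(current_public_hostname)
    old=$(get_allow_header_host "$GSA_DEFAULTS")
    if [ "$new" != "$old" ]; then
        set_allow_header_host "$GSA_DEFAULTS" "$new"
        systemctl restart openvas-gsa
        echo "ALLOW_HEADER_HOST updated: '$old' -> '$new'"
    fi
}

# Run only when invoked with --run, so the functions can also be sourced.
case "${1:-}" in --run) sync_gsa_host ;; esac
```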

Out of Disk Space

If you are using a free tier AWS VM then you will eventually run out of disk space due to historical reports, and so cannot run scans.

Simply go into the web admin interface and purge old reports.

Feed Refresh

OpenVAS needs to keep its security advisory database up to date, so you need to periodically refresh the feeds.

This requires you to ssh into the VM to trigger the update and rebuild...

$ sudo greenbone-nvt-sync
$ sudo greenbone-scapdata-sync
$ sudo greenbone-certdata-sync
$ sudo openvasmd --rebuild --progress

...
Then on completion do reboot
...

$ sudo reboot

And we are current:

OpenVAS on AWS - Feed Status

NOTE: If you have issues getting the feed to update then check the "Web Connect Error" note above, as that will also affect the feed connection.


References & Links:

Running OpenVAS (GCE) Appliance on KVM / QEMU - my prior post on running OpenVAS via the Greenbone Networks VM appliance

OpenVAS - a very valuable Open Source security scanner

AWS - Amazon Web Services is your toolkit of useful cloud computing

OpenVAS vulnerability scanner - Ubuntu PPA by Mohammad Razavi; follow the link and you will also find a Docker image version

GVM Source Install on Ubuntu 20.04 - see the instructions on Mike's Lab blog

GVM Source Install Script - Ubuntu 20.04 install script from GitHub. I have only done initial testing on this; it works, with the exception of the need to disable ufw and reload the data

Greenbone Source Edition - when all else fails revert to source -;