OpenVAS is a very useful Open Source security scanning tool.

Running a security scan on your network is strongly recommended; however, if you run the scanner from inside your internal network, the results may not reflect how your network looks to the "outside world".

To see that view you should run an OpenVAS scanner from a machine that reaches your network from the public internet, as this is a key attack path. A simple way to do this is to spin up an OpenVAS scanner instance in AWS or another public cloud and run your scan from there. This is relatively easy to do, and you can even use a Free Tier Ubuntu EC2 machine to achieve it at low cost.

For running OpenVAS on QEMU / KVM, see my tip on running the "Greenbone Networks" VM appliance on QEMU / KVM (linked below).

Status: As at 26 Feb 2020 - tested, running, and now mostly documented so others can do this as well.

Here is the how...


OpenVAS on Ubuntu on AWS

1. If you have not already done so, set up an AWS account: https://aws.amazon.com

2. Using the AWS Management Console, create a new EC2 VM

AWS Management Console - Web Interface to Create EC2 VM

3. Set up an Ubuntu Server 18.04 64-bit (x86) VM

NOTE: Free Tier is sufficient to run a scanner, as long as you accept that it is slow.

4. Using the EC2 console, configure your VM firewall (security group) and download your ssh key

Configure the firewall rules so that you can reach the following ports:

  • 22 - ssh / sftp
  • 80 / 443 - http / https
  • 4000 - OpenVAS web interface (GSA)

The permitted source addresses will depend on your own IP address ranges and security requirements; do not open port 4000 to the whole internet if you can avoid it.

5. Login to your VM:

$ ssh -i "aws-YOUR-key-01.pem" ubuntu@ec2-YOUR_VM.compute.amazonaws.com
...
Usual Ubuntu Greetings...
...


$ uname -a
Linux ip-172-31-9-160 4.15.0-1060-aws #62-Ubuntu SMP Tue Feb 11 21:23:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

6. Now install OpenVAS

To make this a bit more repeatable, I have put what is needed into a shell script:

$ cat install.sh 
#!/bin/sh
# Install OpenVAS 9 on Ubuntu 18.04 from the mrazavi PPA, sync the feeds and start the services.
set -e
sudo add-apt-repository -y ppa:mrazavi/openvas
sudo apt update
sudo apt upgrade -y
sudo apt install -y sqlite3
sudo apt install -y openvas9
sudo apt install -y libopenvas9-dev
# Pull the NVT, SCAP and CERT feeds (slow on a Free Tier instance)
sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync
sudo systemctl enable openvas-scanner
sudo systemctl enable openvas-manager
sudo systemctl enable openvas-gsa
sudo systemctl start openvas-scanner
sudo systemctl start openvas-manager
sudo systemctl start openvas-gsa
# Rebuild the manager's NVT cache from the freshly synced feeds
sudo openvasmd --rebuild --progress

7. Connect via web to your OpenVAS machine

The web interface should be available on the machine's AWS address at port 4000, i.e.:

https://ec2-YOUR_VM.compute.amazonaws.com:4000

You can now configure your scans and run them

So happy scanning....


Troubleshooting and Operating

Here are some common operating issues...

User Administration

Use openvasmd, the OpenVAS Manager daemon, to administer users and passwords.

$ openvasmd --help
Usage:
  openvasmd [OPTION…] - Manager of the Open Vulnerability Assessment System

Help Options:
  -h, --help                                   Show help options

Application Options:
  --backup                                     Backup the database.
  --check-alerts                               Check SecInfo alerts.
  --client-watch-interval=             Check if client connection was closed every  seconds. 0 to disable. Defaults to 1 seconds.
  -d, --database=                   Use  as database for SQLite/Postgres.
  --disable-cmds=                    Disable comma-separated .
  --disable-encrypted-credentials              Do not encrypt or decrypt credentials.
  --disable-password-policy                    Do not restrict passwords to the policy.
  --disable-scheduling                         Disable task scheduling.
  --create-user=                     Create admin user  and exit.
  --delete-user=                     Delete user  and exit.
  --get-users                                  List users and exit.
  --create-scanner=                   Create global scanner  and exit.
  --modify-scanner=              Modify scanner  and exit.
  --scanner-name=                        Name for --modify-scanner.
  --scanner-host=                Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
  --otp-scanner=                   Path to scanner unix socket file. Used by --rebuild and --update
  --scanner-port=                Scanner port for --create-scanner and --modify-scanner. Default is 9391.
  --scanner-type=                Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.
  --scanner-ca-pub=            Scanner CA Certificate path for --[create|modify]-scanner.
  --scanner-key-pub=       Scanner Certificate path for --[create|modify]-scanner.
  --scanner-key-priv=     Scanner private key path for --[create|modify]-scanner.
  --verify-scanner=              Verify scanner  and exit.
  --delete-scanner=              Delete scanner  and exit.
  --get-scanners                               List scanners and exit.
  --schedule-timeout=
  -a, --listen=                                Listen on .
  --listen2=                                   Listen also on .
  --listen-owner=                              Owner of the unix socket
  --listen-group=                              Group of the unix socket
  --listen-mode=                               File mode of the unix socket
  --max-ips-per-target=                        Maximum number of IPs per target.
  --max-email-attachment-size=                 Maximum size of alert email attachments, in bytes.
  --max-email-include-size=                    Maximum size of inlined content in alert emails, in bytes.
  --max-email-message-size=                    Maximum size of user-defined message text in alert emails, in bytes.
  -m, --migrate                                Migrate the database and exit.
  --modify-setting=                            Modify setting and exit.
  --encrypt-all-credentials                    (Re-)Encrypt all credentials.
  --new-password=                              Modify user's password and exit.
  --optimize=                                  Run an optimization: vacuum, analyze, cleanup-config-prefs, remove-open-port-results, cleanup-port-names, cleanup-result-severities, cleanup-schedule-times, rebuild-report-cache or update-report-cache.
  --password=                                  Password, for --create-user.
  -p, --port=                                  Use port number .
  --port2=                                     Use port number for address 2.
  --progress                                   Display progress during --rebuild and --update.
  --rebuild                                    Rebuild the NVT cache and exit.
  --role=                                      Role for --create-user and --get-users.
  -u, --update                                 Update the NVT cache and exit.
  -c, --unix-socket=                           Listen on UNIX socket at .
  --user=                                      User for --new-password.
  --gnutls-priorities=                         Sets the GnuTLS priorities for the Manager socket.
  --dh-params=                                 Diffie-Hellman parameters file
  --value=                                     Value for --modify-setting.
  -v, --verbose                                Has no effect. See INSTALL for logging config.
  --version                                    Print version and exit.

After installing OpenVAS there should be a single OpenVAS user defined (admin):

$ sudo openvasmd --get-users
admin

Now update the password:

$ sudo openvasmd --user=admin --new-password=YOUR_PASSWORD

Web Connect Error

On connecting to the web interface you get:

The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it.

This is most likely a result of having stopped your VM and then restarted it. If you are using a VM without a persistent public address (this is a paid-for feature), then the AWS DNS name changes each time the VM is stopped and restarted, and GSA rejects requests whose Host header no longer matches the name it was configured with.

To address this problem you need to edit /etc/default/openvas-gsa, which holds the accepted Host header value in the setting "ALLOW_HEADER_HOST".

Simply update this to the current AWS DNS name and reboot the machine:

$ sudo vi /etc/default/openvas-gsa
$ sudo reboot
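Because the public DNS name changes on every stop/start, the edit above is worth scripting. This is an added example (not from the original post) that reads the instance's current public hostname from EC2 instance metadata and rewrites ALLOW_HEADER_HOST in place; it assumes the file contains a line of the form ALLOW_HEADER_HOST=<value> and that the IMDSv1 endpoint is reachable from the instance.

```shell
#!/bin/sh
# Added example: refresh ALLOW_HEADER_HOST in /etc/default/openvas-gsa so GSA
# accepts the instance's current public DNS name after a stop/start.
# Assumptions: the file holds a line ALLOW_HEADER_HOST=<value>, and the IMDSv1
# metadata endpoint http://169.254.169.254 is reachable from the instance.
set -eu

GSA_DEFAULTS="${GSA_DEFAULTS:-/etc/default/openvas-gsa}"

# Ask EC2 instance metadata for the hostname that clients will connect to.
# Fails (and, with set -e, aborts) if not running on EC2 or metadata is blocked.
current_public_hostname() {
    curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/public-hostname
}

# Rewrite ALLOW_HEADER_HOST=... in file $1 to host $2, appending the line if it
# is absent; prints the value now stored in the file.
set_allow_header_host() {
    file="$1"
    host="$2"
    if grep -q '^ALLOW_HEADER_HOST=' "$file"; then
        sed -i "s|^ALLOW_HEADER_HOST=.*|ALLOW_HEADER_HOST=$host|" "$file"
    else
        printf 'ALLOW_HEADER_HOST=%s\n' "$host" >> "$file"
    fi
    grep '^ALLOW_HEADER_HOST=' "$file" | cut -d= -f2-
}

# Only touch the live system when invoked explicitly as: sudo ./fix-gsa-host.sh apply
if [ "${1:-}" = "apply" ]; then
    host="$(current_public_hostname)"
    set_allow_header_host "$GSA_DEFAULTS" "$host"
    # Restarting the GSA service is enough to pick up the new value; no reboot needed.
    systemctl restart openvas-gsa
fi
```

Running it with "apply" as root right after the VM comes back up replaces the manual vi-and-reboot step; without "apply" it only defines the functions.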

Out of Disk Space

If you are using a Free Tier AWS VM you will eventually run out of disk space because of accumulated historical reports, at which point scans can no longer run.

Simply go into the web admin interface and purge old reports.

Feed Refresh

OpenVAS needs to keep its security advisory database up to date, so you need to refresh the feeds periodically.

This requires you to ssh into the VM to trigger the update and rebuild:

$ sudo greenbone-nvt-sync
$ sudo greenbone-scapdata-sync
$ sudo greenbone-certdata-sync
$ sudo openvasmd --rebuild --progress

Then, on completion, reboot:

$ sudo reboot

And we are current:

OpenVAS on AWS - Feed Status

NOTE: If you have issues getting the feed to update, check the "Web Connect Error" note above, as the same problem will also affect the feed connection.


References & Links:

Running OpenVAS (GCE) Appliance on KVM / QEMU - my prior post on running OpenVAS via the Greenbone Networks VM appliance

OpenVAS - a very valuable Open Source security scanner

AWS - Amazon Web Services, a toolkit of useful cloud computing services

OpenVAS vulnerability scanner - Ubuntu PPA by Mohammad Razavi; follow the link and you will also find a Docker image version