OpenVAS is a very useful Open Source security scanning tool.
Running a security scan of your network is strongly recommended, but if the scanner sits on your internal network the results will not reflect how your network looks to the "outside world".
To get that view, run an OpenVAS scanner from a machine that reaches your network from the public internet, since this is a key attack path. A simple way to do this is to spin up an OpenVAS scanner instance in AWS or another public cloud and run your scan from there. This is relatively easy to do, and you can even use a Free Tier Ubuntu EC2 machine to achieve it at low cost. Scan only systems you own or are authorised to test, and check your cloud provider's acceptable-use and penetration-testing policy before scanning from its address space, as scanning traffic from a cloud network may otherwise be treated as abuse.
For running OpenVAS on QEMU / KVM, see my earlier post (linked under References below) on running the "Greenbone Networks" VM appliance on QEMU / KVM.
Status: As of 26 Feb 2020 - tested and running, and now mostly documented so others can do this as well
Here is the how...
OpenVAS on Ubuntu on AWS
1. If you have not already done so, set up an AWS account: https://aws.amazon.com
2. Using the AWS Management Console, create a new EC2 VM
3. Set up an Ubuntu Server 18.04 64-bit (x86) VM
NOTE: The Free Tier is sufficient to run a scanner, as long as you accept that it is slow
4. Using the EC2 console, configure your VM firewall (security group) and download your ssh key
For the firewall rules (the security group), configure inbound access to the following ports:
- 22 - ssh / sftp
- 80 / 443 - http / https (only if you also serve something on them; the OpenVAS install below does not listen on 80 or 443)
- 4000 - port for the OpenVAS web UI (GSA)
Restrict the source addresses to your own IP address ranges according to your security concerns. Do not open 22 or 4000 to 0.0.0.0/0: that exposes the scanner's ssh and web login to the whole internet. The scanner itself only needs outbound access, to reach its targets and the Greenbone feed servers.
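As an added example (not part of the original post), the script below checks a list of security-group ingress rules and flags any rule that opens the scanner's management ports (22 and 4000) to the whole internet. The rule lines are "FROM TO CIDR"; the AWS CLI query shown in the comments is one assumed way to produce them, and the sample rules are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): flag security-group ingress rules
# that open the scanner's management ports to the whole internet.
# Input: one rule per line as "FROM TO CIDR" (FromPort, ToPort, CidrIp); "-1" or
# "None" as FROM means an "all traffic" rule. One assumed way to produce it:
#   aws ec2 describe-security-groups --group-ids sg-XXXXXXXX \
#     --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpRanges[0].CidrIp]' \
#     --output text
# (that query reports only the first CIDR of each rule).

# Ports this post opens on the scanner host: ssh and the GSA web UI on 4000.
MGMT_PORTS="22 4000"

# port_in_range PORT FROM TO -> success if PORT lies in [FROM, TO] or FROM marks all traffic.
port_in_range() {
    case "$2" in
        -1|None) return 0 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_rules < rules -> prints every exposed port, returns 1 if any, 0 if clean.
check_rules() {
    bad=0
    while read -r from to cidr; do
        [ -n "$from" ] || continue
        case "$cidr" in
            0.0.0.0/0|::/0) ;;   # world-open source: look at the ports
            *) continue ;;        # restricted source: fine
        esac
        for p in $MGMT_PORTS; do
            if port_in_range "$p" "$from" "$to"; then
                echo "EXPOSED: port $p reachable from $cidr (rule $from-$to)"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Constructed sample: ssh locked to an office range (fine), GSA on 4000 open to
# everyone (flagged), 443 open to everyone (not a scanner management port).
SAMPLE_RULES='22 22 203.0.113.0/24
4000 4000 0.0.0.0/0
443 443 0.0.0.0/0'

if printf '%s\n' "$SAMPLE_RULES" | check_rules; then
    echo "security group OK"
else
    echo "fix the security group before exposing the scanner"
fi
```

Run it against the real group's rules before you start the scanner; an "all traffic" rule (FromPort -1 or None) from 0.0.0.0/0 is reported for both ports, since it covers everything.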
5. Log in to your VM:
$ ssh -i "aws-YOUR-key-01.pem" ubuntu@ec2-YOUR_VM.compute.amazonaws.com
... Usual Ubuntu Greetings...
$ uname -a
Linux ip-172-31-9-160 4.15.0-1060-aws #62-Ubuntu SMP Tue Feb 11 21:23:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
6. Now install OpenVAS
To make this a bit more repeatable, I have put what is needed into a shell script. Note that ppa:mrazavi/openvas is a third-party package source, not Greenbone's own: you are trusting its maintainer with root on the scanner host, so make that decision consciously, and keep in mind that openvas9 is not the current Greenbone release.
$ cat install.sh
#!/bin/sh
sudo add-apt-repository -y ppa:mrazavi/openvas
sudo apt update
sudo apt -y upgrade
sudo apt -y install sqlite3
sudo apt -y install openvas9
sudo apt -y install libopenvas9-dev
sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync
sudo systemctl enable openvas-scanner
sudo systemctl enable openvas-manager
sudo systemctl enable openvas-gsa
sudo systemctl start openvas-scanner
sudo systemctl start openvas-manager
sudo systemctl start openvas-gsa
sudo openvasmd --rebuild --progress
7. Connect via Web to your OpenVAS machine...
This should be available via the machine's AWS public DNS name on port 4000, i.e. https://ec2-YOUR_VM.compute.amazonaws.com:4000 (GSA serves HTTPS with a self-signed certificate by default, so expect a browser warning).
Log in as admin and change its password before anything else (see "Trouble Shooting and Operating" below), since this login is reachable from the internet. You can then configure your scans and run them.
So happy scanning....
Trouble Shooting and Operating
Here are some common operating issues...
Use the openvasmd (OpenVAS Manager daemon) command line to administer users and passwords.
$ openvasmd --help
Usage:
  openvasmd [OPTION…] - Manager of the Open Vulnerability Assessment System

Help Options:
  -h, --help                        Show help options

Application Options:
  --backup                          Backup the database.
  --check-alerts                    Check SecInfo alerts.
  --client-watch-interval=          Check if client connection was closed every seconds. 0 to disable. Defaults to 1 seconds.
  -d, --database=                   Use as database for SQLite/Postgres.
  --disable-cmds=                   Disable comma-separated .
  --disable-encrypted-credentials   Do not encrypt or decrypt credentials.
  --disable-password-policy         Do not restrict passwords to the policy.
  --disable-scheduling              Disable task scheduling.
  --create-user=                    Create admin user and exit.
  --delete-user=                    Delete user and exit.
  --get-users                       List users and exit.
  --create-scanner=                 Create global scanner and exit.
  --modify-scanner=                 Modify scanner and exit.
  --scanner-name=                   Name for --modify-scanner.
  --scanner-host=                   Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
  --otp-scanner=                    Path to scanner unix socket file. Used by --rebuild and --update
  --scanner-port=                   Scanner port for --create-scanner and --modify-scanner. Default is 9391.
  --scanner-type=                   Scanner type for --create-scanner and --modify-scanner. Either 'OpenVAS' or 'OSP'.
  --scanner-ca-pub=                 Scanner CA Certificate path for --[create|modify]-scanner.
  --scanner-key-pub=                Scanner Certificate path for --[create|modify]-scanner.
  --scanner-key-priv=               Scanner private key path for --[create|modify]-scanner.
  --verify-scanner=                 Verify scanner and exit.
  --delete-scanner=                 Delete scanner and exit.
  --get-scanners                    List scanners and exit.
  --schedule-timeout=
  ... (output truncated)
After installing OpenVAS there should be a single OpenVAS user defined (admin). Change its password straight away; the new password is passed on the command line, so it ends up in your shell history, and you should clear it from there afterwards.
$ sudo openvasmd --get-users
admin
... now to update the password
$ sudo openvasmd --user=admin --new-password=YOUR_PASSWORD
Web Connect Error
On doing web connect you get:
The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it.
This is usually the result of having stopped your VM and then restarted it. Unless you attach an Elastic IP (a persistent public address, which AWS may charge for while the instance is stopped), the instance's public DNS name changes on every stop/start, and GSA rejects requests whose Host header does not match the name it was configured with.
To fix this, edit /etc/default/openvas-gsa, which holds the permitted Host header value in "ALLOW_HEADER_HOST".
Update it to the current valid AWS DNS name and restart GSA (a full reboot, as below, also works but is not needed):
$ sudo vi /etc/default/openvas-gsa
$ sudo reboot
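As an added example (not part of the original post), the script below automates the fix above: it reads the instance's current public DNS name from the EC2 metadata service, rewrites ALLOW_HEADER_HOST in /etc/default/openvas-gsa, and restarts only openvas-gsa when the value actually changed. It assumes the file carries the setting as ALLOW_HEADER_HOST=<name> on its own line (optionally double-quoted) and that the IMDSv1 metadata URL is reachable (IMDSv2-only instances need a token first); the file path and the "--sync" flag are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): keep GSA's ALLOW_HEADER_HOST in step
# with the instance's current public DNS name, so the "unknown or invalid Host
# header" error does not come back after every stop/start of the VM.
# Assumptions: /etc/default/openvas-gsa (the file the post edits) carries a line
# ALLOW_HEADER_HOST=<name>, optionally double-quoted, and the name is read from
# the EC2 instance metadata service (IMDSv1 URL; IMDSv2-only instances need a
# token first).
GSA_DEFAULTS="${GSA_DEFAULTS:-/etc/default/openvas-gsa}"
METADATA_URL="http://169.254.169.254/latest/meta-data/public-hostname"

# current_public_hostname -> prints the instance's public DNS name (only works on the VM).
current_public_hostname() {
    curl -sf --max-time 2 "$METADATA_URL"
}

# get_allow_header_host FILE -> prints the configured value, empty if none.
get_allow_header_host() {
    sed -n 's/^ALLOW_HEADER_HOST="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# set_allow_header_host FILE HOST -> rewrites (or appends) the setting;
# prints "changed" or "unchanged" so callers know whether a restart is due.
set_allow_header_host() {
    file=$1
    host=$2
    if [ "$(get_allow_header_host "$file")" = "$host" ]; then
        echo unchanged
        return 0
    fi
    if grep -q '^ALLOW_HEADER_HOST=' "$file"; then
        sed -i "s|^ALLOW_HEADER_HOST=.*|ALLOW_HEADER_HOST=$host|" "$file"
    else
        printf 'ALLOW_HEADER_HOST=%s\n' "$host" >> "$file"
    fi
    echo changed
}

# sync_gsa_host -> on the VM, as root: fetch the current name, update the file,
# and restart only openvas-gsa (a full reboot is not needed). Suitable for a
# @reboot cron entry so the web UI works right after a restart.
sync_gsa_host() {
    host=$(current_public_hostname) || { echo "no instance metadata; not on EC2?" >&2; return 1; }
    if [ "$(set_allow_header_host "$GSA_DEFAULTS" "$host")" = changed ]; then
        systemctl restart openvas-gsa
    fi
}

# Usage on the VM: sudo sh gsa-host-sync.sh --sync
if [ "${1:-}" = "--sync" ]; then
    sync_gsa_host
fi
```

The file-editing functions take the path as a parameter, so you can try them on a copy of /etc/default/openvas-gsa first; only sync_gsa_host touches the live service.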
Out of Disk Space
If you are using a Free Tier AWS VM with its small default root volume, you can run out of disk space as historical scan reports accumulate, after which scans fail to run.
Simply go into the web admin interface and purge old reports.
OpenVAS needs to keep its vulnerability test and security advisory feeds up to date, so you need to refresh them periodically; otherwise the scanner silently misses recently published checks.
This requires you to ssh into the VM to trigger the feed sync and the manager database rebuild...
$ sudo greenbone-nvt-sync
$ sudo greenbone-scapdata-sync
$ sudo greenbone-certdata-sync
$ sudo openvasmd --rebuild --progress
... then on completion reboot ...
$ sudo reboot
And the feeds are current.
NOTE: If you have issues getting the feed update, also check the "Web Connect Error" note above, since a restarted VM is the common trigger for both; the feed sync itself only needs outbound network access from the VM to the Greenbone feed servers.
References & Links:
Running OpenVAS (GCE) Appliance on KVM / QEMU - my prior post on running OpenVAS via the Greenbone Networks VM appliance
OpenVAS - a very valuable Open Source security scanner
AWS - Amazon Web Services, the cloud platform used here
OpenVAS vulnerability scanner - Ubuntu PPA by Mohammad Razavi; follow the link and you will also find a Docker image version