openvas_commander for OpenVAS installation and management

upd. 29.09.2018 Unfortunately, the script does not work after Greenbone moved the sources from their internal repository to GitHub. It’s necessary to edit the script. Stay tuned.

If you will search articles about OpenVAS most of them will be about installation: installation in Kali (in 3 lines) and various bash scripts for installing it from the sources.

OpenVAS commander

Pros of using installation the sources:

  • It is the the fastest way to obtain current stable and beta version OpenVAS for every day use and testing.
  • Security reasons. As soon as there are no official OpenVAS packages you need to rely on some individuals who provide packages for popular distributions and in some cases it is not the option.
  • Some scripting for updating OpenVAS database and managing OpenVAS services will be required anyway. Starting the OpenVAS is still a quest: you need to check the statuses of database, start the services in a right order.
  • This is the first step towards the full automation of OpenVAS scanning and testing.

Cons:

  • You will need to install lot’s of additional packages to build OpenVAS binaries. More than 2Gb of files should be downloaded. It may take hours to install configure all this packages on a slow machine (especially all those TeX packages).
  • Building all packages also takes time. It takes as much time as knowledge base update.

I wrote a small bash script to simplify OpenVAS installation and management of  – openvas_commander.sh. Tested on Debian 8.5, should work on Ubuntu and Kali.

Upd 10.04.2017 Read how to use this script to install OpenVAS 9 on Debian in the post “Installing OpenVAS 9 from the sources“.

wget https://raw.githubusercontent.com/leonov-av/openvas-commander/master/openvas_commander.sh
chmod +x openvas_commander.sh

What are its advantages over other similar scripts?

1. openvas_commander gets the packages from http://openvas.org/install-source.html

Openvas source code archives

So when Greenbones will release a new version of OpenVAS, it won’t be necessary to change anything in the script. Of course, if the page structure won’t change significantly (it remains the same for many years).

And yeah, I know that parsing html with regular expressions is a sin.

# ./openvas_commander.sh  --show-releases
OpenVAS-8
OpenVAS-9 BETA

# ./openvas_commander.sh  --show-sources "OpenVAS-8"
http://wald.intevation.org/frs/download.php/2291/openvas-libraries-8.0.7.tar.gz
http://wald.intevation.org/frs/download.php/2266/openvas-scanner-5.0.5.tar.gz
http://wald.intevation.org/frs/download.php/2295/openvas-manager-6.0.8.tar.gz
http://wald.intevation.org/frs/download.php/2299/greenbone-security-assistant-6.0.10.tar.gz
http://wald.intevation.org/frs/download.php/2332/openvas-cli-1.4.4.tar.gz
http://wald.intevation.org/frs/download.php/1975/openvas-smb-1.0.1.tar.gz
http://wald.intevation.org/frs/download.php/2177/ospd-1.0.2.tar.gz
http://wald.intevation.org/frs/download.php/2005/ospd-ancor-1.0.0.tar.gz
http://wald.intevation.org/frs/download.php/2097/ospd-debsecan-1.0.0.tar.gz
http://wald.intevation.org/frs/download.php/2003/ospd-ovaldi-1.0.0.tar.gz
http://wald.intevation.org/frs/download.php/2149/ospd-paloalto-1.0b1.tar.gz
http://wald.intevation.org/frs/download.php/2004/ospd-w3af-1.0.0.tar.gz
http://wald.intevation.org/frs/download.php/2181/ospd-acunetix-1.0b1.tar.gz
http://wald.intevation.org/frs/download.php/2185/ospd-ikescan-1.0b1.tar.gz
http://wald.intevation.org/frs/download.php/2204/ospd-ikeprobe-1.0b1.tar.gz
http://wald.intevation.org/frs/download.php/2213/ospd-ssh-keyscan-1.0b1.tar.gz
http://wald.intevation.org/frs/download.php/2219/ospd-netstat-1.0b1.tar.gz

2. Script uses “checkinstall”, not “make install”. It will create and install debian packages for openvas-smb, openvas-libraries, openvas-scanner, openvas-manager, openvas-cli and greenbone-security-assistant. These packages may be easily removed using “dpkg -r”.

# dpkg --list | egrep "(openvas|green)"
ii  greenbone-security-assistant      6.0.10-1                             i386         Package created with checkinstall 1.6.2
ii  openvas-cli                       1.4.4-1                              i386         Package created with checkinstall 1.6.2
ii  openvas-libraries                 8.0.7-1                              i386         Package created with checkinstall 1.6.2
ii  openvas-manager                   6.0.8-1                              i386         Package created with checkinstall 1.6.2
ii  openvas-scanner                   5.0.5-1                              i386         Package created with checkinstall 1.6.2
ii  openvas-smb                       1.0.1-1                              i386         Package created with checkinstall 1.6.2

The whole installation and configuration process (run as root):

./openvas_commander.sh  --install-dependencies

./openvas_commander.sh  --show-releases
OpenVAS-8
OpenVAS-9 BETA

./openvas_commander.sh --download-sources "OpenVAS-8" 
./openvas_commander.sh --create-folders
./openvas_commander.sh --install-all
./openvas_commander.sh --configure-all
./openvas_commander.sh --update-content
./openvas_commander.sh --rebuild-content
./openvas_commander.sh --start-all

Then go to https://<ip>/login/login.html

OpenVAS login screen

OpenVAS GUI

If something goes wrong “–check-status” (openvas-check-setup) will show the errors:

# ./openvas_commander.sh --check-status
openvas-check-setup 2.3.3
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.5.
        OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
[...]

It’s also useful to check the process. openvassd need time to reload all the plugins (NVTs). BTW, I don’t know why gsad runs two processes.

# ./openvas_commander.sh --check-proc
root 1570 2.3 9.2 135008 71228 pts/0 SL 12:41 0:01 openvasmd
root 1572 91.9 2.2 41848 17160 ? Rs 12:41 1:02 openvassd: Reloaded 29950 of 47766 NVTs (62% / ETA: 00:39)
root 1573 0.0 0.1 31716 1344 ? S 12:41 0:00 openvassd (Loading Handler)
root 1575 0.1 0.7 28372 5816 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad
root 1576 0.0 0.4 28372 3356 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad
root 1618 0.0 0.2 4528 1696 pts/0 S+ 12:42 0:00 grep -E (openvas.d|gsad)

If you want to restart OpenVAS use “–kill-all”, than “–start-all”

Unfortunately, OSPd components are out pf scope now. But it is planned.

 


Couple of words about VirtualBox testing stand I used.

40 GB hard disk.

Two network interfaces: Nat and Host Only Adapter.

Host only network configuration:

File -> Preferences -> Netowork -> Host only network->new

vboxnet0 -> DHCP Server:

VirtualBox network configuration

Standard Debian install from Debian 8.5 ISO.

Choose primary interface eth0 (NAT) cause I need to download packages

Software to install

Debian software selection

After installation is complete you may need to add this lines to /etc/network/interfaces file:

allow-hotplug eth1
iface eth1 inet dhcp

And make

# service networking restart

Otherwise, Debian will not see Host Only Adapter.

Results:

$ ssh vmuser@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:TtMghC06KxQfiPVlkZHkZ9Ca5rZKK2/tGpOwt8NqrtQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
vmuser@192.168.56.101's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jun 25 12:25:37 2016
vmuser@openvas:~$

 

10 thoughts on “openvas_commander for OpenVAS installation and management

  1. Pingback: Tenable Nessus: registration, installation, scanning and reporting | Alexander V. Leonov

  2. Pingback: OpenVAS plugins in Vulners.com | Alexander V. Leonov

  3. Maineffort

    HI, many thanks for your comprehensive article.
    Do you have any ideas on using this approach to provision networked OpenVAS
    servers that share a common database for example ?

    Reply
  4. Pingback: Nessus Manager and Agents | Alexander V. Leonov

  5. Pingback: Seccubus installation and GUI overview | Alexander V. Leonov

  6. Pingback: Who wants to be a PCI ASV? | Alexander V. Leonov

  7. Pingback: Installing OpenVAS 9 from the sources | Alexander V. Leonov

  8. Pingback: Vulnerability Management for Network Perimeter | Alexander V. Leonov

  9. Juan Machado

    Alexander,
    I get this error in Ubuntu 16.04:

    root@openvas:/tmp# ./openvas_commander.sh –install-dependencies
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Note, selecting ‘libsql-translator-perl’ instead of ‘sqlfairy’
    E: Unable to locate package mingw32

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.