linode.com/docs/security/install-openvas-on-ubuntu-16-04/
OpenVAS, the Open Vulnerability Assessment System, is a framework of tools that allow
you to scan your system for thousands of known vulnerabilities. This guide will show you
how to install OpenVAS 8 on Ubuntu 16.04.
For more information about the architecture of the software, refer to the OpenVAS
website.
Caution
OpenVAS is a powerful security tool that is capable of scanning remote hosts as well as
your local machine. This guide is intended to allow you to monitor vulnerabilities on
machines that you control or have permission to scan. If you use OpenVAS to scan remote
servers owned by others, be sure that you have a full understanding of the responsibilities
involved and the potential consequences.
2. Complete the sections of our Securing Your Server guide to create a standard user
account, harden SSH access and remove unnecessary network services.
Note
This guide is written for a non-root user. Commands that require elevated privileges are
prefixed with sudo. If you’re not familiar with the sudo command, see the Users and
Groups guide.
Install OpenVAS
The openvas repository and its packages are not officially supported by Ubuntu. If you’d
like to review its contents, signing key, and fingerprint before installing OpenVAS, you
can do so in the Ubuntu package archive.
1. Since OpenVAS is not included in the default Ubuntu repositories, install its PPA:
gpg: key 4AA450E0: public key "Launchpad PPA for Mohammad Razavi" imported
2. After adding the repository, update your system packages and install the openvas
package:
3. Install the SQLite 3 database package. This is used to store the Common
Vulnerabilities and Exposures (CVE) data we’ll obtain in Step 5:
4. Sync the OpenVAS NVT feed. This allows your installation to access tests for the
most current vulnerabilities and exposures:
sudo openvas-nvt-sync
Note
This feed is maintained by OpenVAS and is updated about once per week. To keep
your NVT feed current, we recommend running this command regularly, or setting
up a cron job to automate the process.
sudo openvas-scapdata-sync
sudo openvas-certdata-sync
7. Finally, rebuild the OpenVAS database, so the manager can access the NVT data
downloaded previously:
Configure OpenVAS
Remote Access
To access the Greenbone Security Assistant web interface remotely, you must configure
it to listen on your Linode’s public IP address. You can do so by editing its configuration
file /etc/init.d/openvas-gsa, and specifying your public IP address on the
DAEMON_ARGS line. Replace 198.51.100.221 with your Linode’s public address:
/etc/init.d/openvas-gsa
DAEMON_ARGS="--listen 198.51.100.221"
From your Linode, replace your_password in the following example with your new
password:
This changes the password for the admin user to a value of your choosing. You can
also create a new administrative user by replacing new_user in the following command:
This method creates a random password even if you specify one. To change the
password for a newly created user, use the syntax of the first command, substituting the
username and your desired password. To create a new guest user without admin
privileges, use the gsad (Greenbone Security Assistant Daemon) tool:
Replace new_user and your_password with the appropriate values. For a complete list
of administrative features available with the OpenVAS CLI, use openvasmd --help and
gsad --help.
In most browsers, you will first encounter a security warning. This happens
because OpenVAS generates a self-signed SSL certificate upon installation and
your host is not recognized as a trusted certificate authority.
Click the warning icon next to https:// in the URL bar, and choose
“Details” under the message that is displayed.
In the “Security Overview” pane, click the “View Certificate” button.
A small window will appear with information about the self-signed certificate.
Click “Details” to expand the window and show more information.
Scroll to the bottom and find the SHA 1 Fingerprint.
On your Linode, run sudo openssl x509 -noout -in
/var/lib/openvas/CA/servercert.pem -fingerprint -sha1.
Compare the two fingerprints. If they match, it’s safe to ignore the warning
and proceed.
To verify the certificate in Firefox:
3. The welcome screen will display instructions on how to use the tool. OpenVAS uses
“Tasks” to manage scans, but to start running one right away, simply enter a hostname
or IP address in the text box under “Quick Start,” and then click “Start Scan.” This
schedules a scan of the specified host to start immediately and sets the page contents
to refresh every 30 seconds, so you can see the progress in real time.
Note
The Quick Start screen will not appear on login after you’ve scheduled 3 or more
tasks. To access this screen at any time, click the “Scan Management” tab at the top
of the screen, select “Tasks,” and hover over the purple magic wand icon in the top
bar. From there, you can select “Task Wizard” or “Advanced Task Wizard” to create
a new task quickly and easily.
4. The reports showing results of your tasks can be accessed at any time while the
scan is in progress. The time a scan takes to complete will depend on the services
running on a host, and may vary significantly. To view the results of a scan, select
“Scan Management” in the top navigation bar, and click “Reports.”
To view the details of a specific task, click its name under “Task.” In the example
below, it was called “Immediate scan of IP localhost” when we created it with the
Task Wizard:
5. A “Task Details” screen will be displayed, showing information such as status, and
the number of vulnerabilities detected. To view the details of any vulnerabilities
that were found, click the number next to “Results.” In our example, there were 33:
6. The “Results” page will list potential vulnerabilities found in the scan. To sort them,
click the heading of any column at the top of the page. Note that if you run scans
on multiple servers, you’ll need to sort the results by host to determine which
servers are affected by vulnerabilities.
To view details of a vulnerability, such as the method of detection, impact to your
system, and in some cases a solution, click the name of the vulnerability. In the
example below, OpenVAS has detected that we haven’t changed the default login
credentials, and it tells us how to resolve the issue:
Once you resolve a vulnerability, return to the “Tasks” screen, and click the green
play button icon under “Actions” to run the scan again. When the task completes,
the vulnerability should no longer be present in your results.
Troubleshooting
Occasionally, you may receive a 502 Bad Gateway error when you try to connect via
browser. In most cases, this is caused by one of the OpenVAS daemons stopping.
These lines represent the OpenVAS scanner, the Greenbone Security Assistant, and the
OpenVAS manager, respectively. If one of these lines is not present, simply start the
daemon and try to reconnect. For example, if the gsad program is stopped, run sudo
service openvas-gsa restart. Here are the names of the relevant daemons, as well
as the commands you can use to restart them:
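A small POSIX sh helper for the check described above, added here as an example and not part of the Linode guide: it reads a ps listing, names the daemons that are absent from the command column (so a stray "grep openvas" does not count as a running daemon), and restarts each missing one. Only the gsad to openvas-gsa mapping comes from the guide; openvas-scanner and openvas-manager are assumed to be the PPA's service names for openvassd and openvasmd.

```shell
#!/bin/sh
# Added example (not from the Linode guide): find which OpenVAS daemons are
# missing from a process listing and restart them via their init services.

# Map a daemon binary to its init service. gsad -> openvas-gsa is from the
# guide; the other two service names are assumed from the PPA packaging.
service_for() {
    case "$1" in
        openvassd) echo openvas-scanner ;;
        gsad)      echo openvas-gsa ;;
        openvasmd) echo openvas-manager ;;
        *)         return 1 ;;
    esac
}

# Read `ps aux` output on stdin and print, one per line, the daemons that are
# not running. Only column 11 (COMMAND) is inspected, matched as a full path or
# bare name, so "grep gsad" in the listing is not mistaken for gsad itself.
missing_daemons() {
    listing=$(cat)
    for d in openvassd gsad openvasmd; do
        printf '%s\n' "$listing" \
            | awk -v d="$d" '$11 ~ ("(^|/)" d "$") { found=1 } END { exit !found }' \
            || echo "$d"
    done
}

# Restart every missing daemon. With DRY_RUN=1 the commands are printed instead
# of executed, which is also how the offline test below exercises this function.
restart_missing() {
    missing_daemons | while read -r d; do
        svc=$(service_for "$d")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "sudo service $svc restart"
        else
            sudo service "$svc" restart
        fi
    done
}

# Usage on the Linode: ps aux | restart_missing
```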
See Also
This guide is published under a CC BY-ND 4.0 license.