Installing OpenVAS on CentOS 7

This is a walkthrough for installing and configuring OpenVAS 9 on CentOS 7. OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner.

Brief History

OpenVAS forked from Nessus when Tenable took the previously open-source product to closed source back in 2005. That’s worth mentioning primarily because, on a side note, I’ve used Nessus for many years and I remember when it was forked. Since then, Nessus became one of the leaders in the vulnerability scanning space and is fairly polished. Nessus generates nice reports and it is/was a great product for a decent price. However, in the last few years the price has really started to creep IMO. Tenable then announced they were pulling API access to Nessus Professional, which happens to be something I use quite extensively. As a result, I was left searching for alternatives. Admittedly, I tried OpenVAS years ago, but it was a bit of a mess to set up and I wasn’t exactly enamored with the interface. I’d heard good things recently so I figured I would give it another shot.

Changelog
10June2018 – Originally posted
11June2018 – Added ‘Configuring PDF Reports’ section
22Oct2018 – Added ‘Automatic Feed Updates With Cron’ section
30Nov2018 – Added net-tools to yum install command

Installing CentOS 7

So first things first, I prefer to start with a minimal install of CentOS. The install takes less time, the filesystem takes up less space, and I despise updating packages I never use! Download the latest version of CentOS 7 and go through the standard install. If you are installing OpenVAS virtually, I would recommend at least 2 CPUs, 3GB of memory, and 30GB of hard drive (this depends on the number of scans and how much data you will retain).

Configuring CentOS

OpenVAS will complain if you leave SELinux enabled so disable it using the following command.

sed -i 's/=enforcing/=disabled/' /etc/selinux/config

Open the necessary port for OpenVAS web interface right away as well.

firewall-cmd --zone=public --add-port=9392/tcp --permanent
firewall-cmd --reload

As a best practice, once you have installed CentOS (or any OS for that matter), you need to do updates. You can update CentOS by using ‘yum -y update’ and then reboot. We need to reboot for the SELinux changes to take effect anyway. 😉

yum -y update && reboot

Once the system comes back up, install the wget package and then install/configure the repository from Atomic Corp. You can use the default answers when adding keys for the Atomic Corp repository. We’ll also install ‘net-tools’ specifically for the ‘netstat’ command. Adding the package here clears up some later errors when testing the setup.

yum -y install wget net-tools
wget -q -O - https://www.atomicorp.com/installers/atomic | sh

Installing/Configuring OpenVAS

Next, install OpenVAS and related dependencies. This will install over 300MB of dependencies so be patient.

yum -y install openvas

When yum completes, use the ‘sed’ command below to uncomment the following 2 unixsocket-related lines in the /etc/redis.conf file. I would recommend copying/pasting that little bit of command line kung fu to make sure you don’t miss any spaces or quotation marks.
# unixsocket /tmp/redis.sock
# unixsocketperm 700

sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf
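
To preview what that sed expression changes before editing /etc/redis.conf in place, the following added example (not part of the original post) runs the same expression over a constructed redis.conf fragment and reports the active directives and the number of changed lines. The function names and the sample file content are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: dry-run the redis.conf edit before using sed -i.

# Constructed redis.conf fragment. Only the two unixsocket lines come
# from this page; the other lines are filler for the demonstration.
sample_conf() {
cat <<'EOF'
# Accept connections on the specified port.
port 6379
#
# unixsocket /tmp/redis.sock
# unixsocketperm 700
#
# Close the connection after a client is idle for N seconds.
timeout 0
EOF
}

# Same sed expression as the page's command, without -i, so it filters
# stdin to stdout and never touches /etc/redis.conf.
uncomment_unixsocket() {
    sed '/^#.*unixsocket/s/^# //'
}

# Print the active (uncommented) unixsocket directives from stdin.
active_socket_directives() {
    grep -E '^unixsocket(perm)?[[:space:]]'
}

# Print how many lines of stdin the edit would change. The address
# /^#.*unixsocket/ matches any comment mentioning "unixsocket", and the
# page expects exactly two lines to change.
changed_line_count() {
    before=$(mktemp) && after=$(mktemp) || return 1
    cat > "$before"
    uncomment_unixsocket < "$before" > "$after"
    # sed keeps the line count, so compare the files line by line.
    awk 'NR == FNR { a[FNR] = $0; next } a[FNR] != $0 { c++ } END { print c + 0 }' \
        "$before" "$after"
    rm -f "$before" "$after"
}

sample_conf | uncomment_unixsocket | active_socket_directives
echo "lines changed: $(sample_conf | changed_line_count)"
```

To check the real file the same way, feed it in on stdin, for example `changed_line_count < /etc/redis.conf`.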

Now, we need to enable the redis service so it starts after future reboots. We’ll also start/restart the service.

systemctl enable redis && systemctl restart redis

Run openvas-setup and accept rsync as your default. This can take a while so be patient. It is downloading GBs worth of data. In addition, after the feeds are downloaded, there are times where you think the installer is hung… It’s not! Just be patient and grab a soda or coffee! While I didn’t have any issues with the downloads, others have reported their rsync process stops during setup. If this happens, just run openvas-setup again. Also, just a reminder that rsync uses TCP port 873 so you may have to allow it outbound in your egress firewall rules and/or configure it to work with your proxy server.

openvas-setup

-- Output --
Openvas Setup, Version: 3.0

Step 1: Update NVT, CERT, and SCAP data
Please note this step could take some time.
Once completed, this will be updated automatically every 24 hours

Select download method
* wget (NVT download only)
* curl (NVT download only)
* rsync

Note: If rsync requires a proxy, you should define that before this step.
Downloader [Default: rsync]

Note: If you get the error below when running openvas-setup, go back to the very first ‘sed’ command in this tutorial to disable SELinux. Don’t forget to reboot when you’re done.

Openvas Setup, Version: 3.0

Error: Selinux is set to (Enforcing)
selinux must be disabled in order to use openvas
exiting....

Once openvas-setup completes and some keys are generated, you’ll receive the following prompt(s). When asked “Allow connections from any IP?”, you can accept the default of ‘yes’ by simply pressing Enter, assuming you want to access the web interface from any IP address; GSAD will then accept connections from any host that can reach port 9392 rather than only from localhost. You can change your username (I stayed with ‘admin’) and type in the password (twice) that you want to use to access the web interface.

-- Output --
Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end
for managing scans. By default it is configured to only allow
connections from localhost.

Allow connections from any IP? [Default: yes]
Redirecting to /bin/systemctl restart gsad.service

Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT's manually, and manage roles.

Enter administrator username [Default: admin] : 
Enter Administrator Password:
Verify Administrator Password:

The system will build/rebuild the NVT cache. This step can also take a bit of time so be patient. Rebuilding NVT is followed with a message that you can now access the interface.

-- Output --
Rebuilding NVT cache... done.

Setup complete, you can now access GSAD at:
https://<IP>:9392

Before doing that, I recommend running the command below to make sure you get the message: It seems like your OpenVAS-9 installation is OK.
There are some errors regarding PDF generation and missing LaTeX packages. If you would like to create PDF reports out of OpenVAS, follow the section below on Configuring PDF Reports. Otherwise, you can skip ahead to Accessing the web interface.

openvas-check-setup --v9
-- Output --
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.

It seems like your OpenVAS-9 installation is OK.
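
For unattended checks, the output above can be reduced to a status line and an exit code. This is an added example, not part of the original post or of OpenVAS; the function name summarize_check_setup and the sample text (constructed from the output lines quoted on this page) are assumptions.

```shell
#!/bin/sh
# Added example: condense openvas-check-setup output for unattended runs.

# Constructed sample assembled from the output lines quoted on this page.
SAMPLE_OUTPUT='Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.

It seems like your OpenVAS-9 installation is OK.'

# Reads check-setup output on stdin. Prints one summary line
# ("status=<ok|broken> errors=<n> warnings=<n>") followed by every
# ERROR/FIX/WARNING/SUGGEST line, and returns non-zero unless the
# "installation is OK" verdict is present and no ERROR line was seen.
summarize_check_setup() {
    awk '
        /^[ \t]*ERROR:/         { errors++;   keep[++n] = $0 }
        /^[ \t]*WARNING:/       { warnings++; keep[++n] = $0 }
        /^[ \t]*(FIX|SUGGEST):/ { keep[++n] = $0 }
        /installation is OK/    { ok = 1 }
        END {
            status = (ok && !errors) ? "ok" : "broken"
            printf "status=%s errors=%d warnings=%d\n", status, errors, warnings
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", keep[i])   # drop any leading indentation
                print "  " keep[i]
            }
            exit (status == "ok" ? 0 : 1)
        }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_check_setup
```

On a live system the input would come from `openvas-check-setup --v9 | summarize_check_setup`.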

Accessing the OpenVAS web interface

As mentioned in the previous message, you can now access the web interface from any browser by going to https://<your IP address>:9392. You will receive a security prompt regarding the certificate since it is self-signed, but after that you should be able to log in. Even though you can log in at this point, I would highly recommend following the other sections below! It will save you time down the road!

[Screenshot: OpenVAS web interface login]

Automatic Feed Updates With Cron

OpenVAS vulnerability scans are only as good as the information/plug-ins you’re checking against. Thus, if your feeds are out-of-date, your scans are not going to reflect the true nature of the environment because you are not testing for the most recently discovered vulnerabilities. From the web interface, you can check the status of your feeds anytime via Extras -> Feed Status.

[Screenshot: OpenVAS feed status - outdated feeds]

The feeds don’t update automatically by default. You could update them manually or you can configure the feeds to update automatically via cron jobs. If you are not familiar with cron jobs, they are an easy way to tell the system to run a command at a given time. From the command line, type in ‘crontab -e’ to edit cron, which should be empty to start with. Hit the ‘i’ key to enter insert mode and then copy/paste the three lines below. After your copy/paste, hit the ‘Esc’ key followed by typing in ‘:wq’ to exit. For those of you familiar with ‘vi’ that sequence of events should have been very familiar! The three commands coincide with the 3 feed types found in the Feed Status page: NVT, SCAP, and CERT. Of the 3 cron jobs we just installed, the first runs greenbone-nvt-sync at 1:35am, the second runs greenbone-scapdata-sync at 12:05am, and the third runs greenbone-certdata-sync at 1:05am.

35 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null
5 0 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null
5 1 * * * /usr/sbin/greenbone-certdata-sync > /dev/null

Assuming you just installed the system (the feeds update during the install process) or your cron jobs are keeping your feeds up-to-date properly, your feed status page should appear similar to the one below. Note: It is common for the feeds to be up-to-date and still report back they are a few days old as shown in the picture. I would suggest checking this page every now and again to make sure everything is updating as expected.

[Screenshot: OpenVAS Feed Status - Feeds Up-To-Date]

Configuring PDF Reports

I found documentation for working PDF reports in OpenVAS to be lacking. I was able to pull together bits and pieces from different sites to get it working. This is what you will need to do if you create/download PDF reports in OpenVAS and the pdf files are 0 bytes.

[Screenshot: Working PDF reports in OpenVAS]

First, install additional texlive packages for CentOS 7.

yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec

The following steps were found on blogspot. They create a directory, download the comment.sty file, change permissions on the newly downloaded file, and then recreate the database with texhash. You can copy/paste the commands below into an SSH terminal window.

mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
cd /usr/share/texlive/texmf-local/tex/latex/comment
wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
chmod 644 comment.sty
texhash

If you re-run the openvas-check-setup command (don’t forget --v9), you should see those PDF-related errors are cleaned up as shown below.

openvas-check-setup --v9
-- Output --
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.

Final notes

Success! From the web interface you can start a scan via Scans -> Tasks -> Task Wizard. Get comfortable with the interface! Are there some things I miss or I’m going to miss about Nessus? Of course! Nessus is like a pair of old shoes you’ve traveled a lot of miles with so it’s hard to get your feet used to something new. I have to say that so far though, I’m pretty happy with OpenVAS. Sure it’s not quite as polished and maybe it will produce some false positives others don’t, but that’s ok. Even if you already have another vulnerability scanner in your environment and you just need a second opinion, I would strongly suggest giving OpenVAS a shot if you haven’t done so recently.

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

25 thoughts on “Installing OpenVAS on CentOS 7”

    1. It’s worth mentioning that setenforce is a temporary setting that will not survive a reboot. This is in contrast to the sed command above which modifies SELinux via the /etc/selinux/config file. I leave SELinux disabled because a) it will intermittently cause issues with scans and b) the openvas-setup throws up errors if you have it enabled.

  1. Hi,

    Thank you for your instructions. Really more clean than others. I have a question: any idea on how to survive “Possible dependency cycle detected” in the openvas scanner log?
    These events drive redis to fill CPU load, and consequently the scanner goes down (even if it doesn’t crash, tcpdump shows that network traffic stops).
    Up to now, standard software or plugin updates don’t solve the problems.

    Thanks again,
    l

  2. Thank you for this guide – it gives me hope that I am very close to having a working openvas install again on my centos 7 host. Now for the “close” part:

    The install runs until we get to starting openvassd, and hangs there until I kill the systemctl start openvas-scanner command. Nothing I can do will get openvassd to actually respond to requests, write to logs, etc.

    Only error from openvas-check-setup --v9
    ERROR: The number of NVTs in the OpenVAS Manager database is too low.
    FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run ‘openvasmd --rebuild’.
    WARNING: OpenVAS Scanner is NOT running!

    Thanks for any advice you may have.

    1. Hey Walter! It sounds like your NVT feed isn’t updating. Have you tried running /usr/sbin/greenbone-nvt-sync from the command line to see if it spits back any errors that might be more helpful? I’ve seen a handful of times when the feed update was blocked by the firewall. Let me know what it is when you figure it out and I’d be happy to make changes to the guide if appropriate. Thanks!

  3. Dallas. My compliments, this was a really great guide. I have OpenVAS up and running. I have started to setup some scans and have pulled reports. However, I have a bit of an advanced configuration question regarding targets.
    See I need to setup targets for each of my subnets and I have a lot. I was doing some reading about importing XML through OMP, the OpenVAS CLI. I just can’t seem to land on the right guide to configure this properly. I figured I would run it by you, maybe you have a guide or some direction. Thanks!

    1. Thanks for the feedback Corey! I haven’t tried the XML through OMP method so I can’t offer any suggestions there. The most I’ve done is via a comma-delimited file uploaded via the web interface. You can’t specify a CIDR larger than a /24, however, you can use subnets/IPs like the example below so the possibilities are pretty endless IMO. If you already have the subnets in a spreadsheet, an export to CSV followed by some command line kung fu should get your formatting correct too. Hopefully that helps!
      10.1.0.0/24, 192.168.1.10-20, 172.16.1.0/24

  4. Thanks for the guide, it helped a lot. The only issues I had were with the scapdata sync and a login issue. After the install completed it wouldn’t let me log in with the username/password I used. I tried to re-run the command as-s but I got an error saying that username already existed. I re-ran the command and gave it a different username and it solved the login issue. The other command was “greenborne-scapdata-sync”. I am curious though. Should the scap data update itself? Or add this to a script and run it on a schedule?
    Thanks for your help

    1. Randy, thanks for stopping by. I’ve installed OpenVAS several times and I don’t believe I’ve ever ran into an issue with the login so I’m not sure on that one. Regarding feed updates… I knew I needed to add something regarding the update process to the guide and you prodded me to do that. The guide now has a section on automatic feed updates with cron. Please check it out and let me know if you run into any issues. Thanks for the nudge! 😉

  5. Thanks for the great guide, everything is explained well and works fine, but I miss a section that explains how to enable OpenVAS on CentOS to send emails. Where do I configure the OpenVAS/CentOS email settings?

    1. As you create your scan task (or if you are editing it afterward), simply click the star next to ‘alerts’ and it should be self-explanatory. Basically, name the alert, fill in your to and from address, click ‘attach report’ and select PDF from the dropdown menu. If you don’t receive the email, try sending a sample report to a non-corporate email address first. This will verify if OpenVAS is functioning properly and if your email defenses such as anti-spam or SPF/DKIM/DMARC are getting in the way. Hope this helps!

  6. Great tutorial. Had to go to the blog to get this line of code
    # yum -y install texlive-changepage texlive-titlesec
    for CentOS 7. The rest worked like a charm and the whole thing worked after I looked at the blog page you linked.

    1. Thanks for the feedback Allen! I’m guessing the full command for installing the PDF-related packages didn’t show because of its length, i.e. it gets cut off unless you scroll over. Either way, so happy to hear you have it working!

      yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec
