This is a walkthrough for installing and configuring OpenVAS 9 on CentOS 7. OpenVAS (Open Vulnerability Assessment System) is an open source vulnerability scanner.
OpenVAS forked from Nessus when Tenable took the previously open source product to closed source back in 2005. That’s worth mentioning primarily because on a side note, I’ve used Nessus for many years and I remember when it was forked. Since then, Nessus became one of the leaders in the vulnerability scanning space and a fairly polished product. Nessus generates nice reports and it is/was a great product for a decent price. However, in the last few years the price has really started to creep IMO. Tenable then announced they were pulling API access to Nessus Professional, which happens to be something I use quite extensively. As a result, I was left searching for alternatives. Admittedly, I tried OpenVAS years ago, but it was a bit of a mess to set up and I wasn’t exactly enamored with the interface. I’d heard good things recently so I figured I would give it another shot.
10June2018 – Originally posted
11June2018 – Added ‘Configuring PDF Reports’ section
Installing CentOS 7
So first things first, I prefer to start with a minimal install of CentOS. The install takes less time, the filesystem takes up less space, and I despise updating packages I never use! Download the latest version of CentOS 7 and go through the standard install. If you are installing OpenVAS virtually, I would recommend at least 2 CPUs, 2GB of memory, and 20GB of hard drive.
OpenVAS will complain if you leave SELinux enabled so disable it using the following command.
sed -i 's/=enforcing/=disabled/' /etc/selinux/config
Open the necessary port for OpenVAS web interface right away as well.
firewall-cmd --zone=public --add-port=9392/tcp --permanent
firewall-cmd --reload
As a best practice, once you have installed CentOS (or any OS for that matter), you need to do updates. You can update CentOS by using ‘yum -y update’ and then reboot. We need to reboot for the SELinux changes to take effect anyway. 😉
yum -y update && reboot
Once the system comes back up, install the wget package and then install/configure the repository from Atomic Corp. You can use the default answers when adding keys for the Atomic Corp repository.
yum -y install wget
wget -q -O - https://www.atomicorp.com/installers/atomic | sh
Next, install OpenVAS and related dependencies. This will install over 300MB of dependencies so be patient.
yum -y install openvas
When yum completes, use the ‘sed’ command below to uncomment the following 2 unixsocket-related lines in the /etc/redis.conf file. I would recommend copying/pasting that little bit of command line kung fu to make sure you don’t miss any spaces or quotation marks.
# unixsocket /tmp/redis.sock
# unixsocketperm 700
sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf
Now, we need to enable the redis service so it starts after future reboots. We’ll also start/restart the service.
systemctl enable redis && systemctl restart redis
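To confirm the edit took effect before moving on, here is an added check (not part of the original walkthrough, OpenVAS or redis; the helper names redis_directive and check_redis_socket are made up for this example). It runs the same sed expression against a constructed config fragment and verifies that both directives are active and that the socket mode stays owner-only.

```shell
#!/usr/bin/env bash
# Added example: check the result of the redis.conf edit from this walkthrough.
# redis_directive and check_redis_socket are hypothetical helper names.

# Print the active (uncommented) value of a directive; the last occurrence wins.
redis_directive() {   # $1 = config file, $2 = directive name
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Return 0 only if the socket is enabled and its mode is owner-only.
check_redis_socket() {   # $1 = config file
    sock=$(redis_directive "$1" unixsocket)
    perm=$(redis_directive "$1" unixsocketperm)
    [ -n "$sock" ] || { echo "FAIL: unixsocket not enabled in $1"; return 1; }
    [ -n "$perm" ] || { echo "FAIL: unixsocketperm not set in $1"; return 1; }
    case "$perm" in
        [0-7]00|0[0-7]00) echo "OK: unixsocket=$sock unixsocketperm=$perm" ;;
        *) echo "FAIL: unixsocketperm $perm grants group/other access"; return 1 ;;
    esac
}

# Constructed sample: the two directives commented out, as in the walkthrough.
demo_dir=$(mktemp -d)
printf '%s\n' '# Unix socket.' '# unixsocket /tmp/redis.sock' \
    '# unixsocketperm 700' > "$demo_dir/before.conf"

# Same sed expression as the walkthrough, written to a copy instead of in place.
sed '/^#.*unixsocket/s/^# //' "$demo_dir/before.conf" > "$demo_dir/after.conf"

check_redis_socket "$demo_dir/before.conf" || true   # reports FAIL
check_redis_socket "$demo_dir/after.conf"            # reports OK
rm -rf "$demo_dir"
```

On the installed system, run check_redis_socket /etc/redis.conf after the sed command.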
Run openvas-setup and accept rsync as your default. This can take a while so be patient. While I didn’t have any issues with the downloads, others have reported their rsync process stops during setup. If this happens, just run openvas-setup again. Also, just a reminder that rsync uses TCP port 873 so you may have to allow it outbound in your egress firewall rules and/or configure it to work with your proxy server.
openvas-setup
-- Output --
Openvas Setup, Version: 3.0
Step 1: Update NVT, CERT, and SCAP data
Please note this step could take some time.
Once completed, this will be updated automatically every 24 hours
Select download method
* wget (NVT download only)
* curl (NVT download only)
* rsync
Note: If rsync requires a proxy, you should define that before this step.
Downloader [Default: rsync]
Note: If you get the error below when running openvas-setup, go back to the very first ‘sed’ command in this tutorial to disable SELinux. Don’t forget to reboot when you’re done.
Openvas Setup, Version: 3.0
Error: Selinux is set to (Enforcing)
selinux must be disabled in order to use openvas
exiting....
Once openvas-setup completes and some keys are generated, you’ll receive the following prompt(s). When asked if you want to “Allow connections from any IP?” you can accept the default of ‘yes’ by simply pressing enter assuming you want to access the web interface from any IP address. You can change your username (I stayed with ‘admin’) and type in the password (twice) that you want to use to access the web interface.
-- Output --
Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end for managing scans. By default it is configured to only allow connections from localhost.
Allow connections from any IP? [Default: yes]
Redirecting to /bin/systemctl restart gsad.service
Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts, Update NVT's manually, and manage roles.
Enter administrator username [Default: admin] :
Enter Administrator Password:
Verify Administrator Password:
The system will build/rebuild the NVT cache. This step can also take a bit of time so be patient. Rebuilding NVT is followed with a message that you can now access the interface.
-- Output --
Rebuilding NVT cache... done.
Setup complete, you can now access GSAD at:
https://<IP>:9392
Before doing that, I recommend running the command below to make sure you get the message: It seems like your OpenVAS-9 installation is OK.
There are some errors regarding PDF generation and missing LaTeX packages. If you would like to create PDF reports out of OpenVAS, follow the section below on Configuring PDF Reports. Otherwise, you can skip ahead to Accessing the web interface.
openvas-check-setup --v9
-- Output --
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
It seems like your OpenVAS-9 installation is OK.
Configuring PDF Reports
I found documentation for working PDF reports in OpenVAS to be lacking. I was able to pull together bits and pieces from different sites to get it working. This is what you will need to do if you create/download PDF reports in OpenVAS and the pdf files are 0 bytes.
First, install additional texlive packages for CentOS 7.
yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec
The following steps were found on Blogspot. They create a directory, download the comment.sty file, change permissions on the newly downloaded file, and then recreate the database with texhash. You can copy/paste the commands below into an SSH terminal window.
mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
cd /usr/share/texlive/texmf-local/tex/latex/comment
wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
chmod 644 comment.sty
texhash
If you re-run the openvas-check-setup command (don’t forget --v9), you should see those PDF-related errors are cleaned up as shown below.
openvas-check-setup --v9
-- Output --
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
Accessing the OpenVAS web interface
As mentioned in the previous message, you can now go to the web interface from any browser by going to https://<your IP address>:9392. You will receive a security prompt regarding the certificate, but after that you should be able to log in.
Success! After you log in, start a scan (Scans -> Tasks -> Task Wizard), and get comfortable with the interface. Are there some things I miss or I’m going to miss about Nessus? Of course! Nessus is like a pair of old shoes you’ve traveled a lot of miles with so it’s hard to get your feet used to something new. I have to say that so far though, I’m pretty happy with OpenVAS. Sure it’s not quite as polished and maybe it will produce some false positives others don’t, but that’s ok. Even if you already have another vulnerability scanner in your environment and you just need a second opinion, I would strongly suggest giving OpenVAS a shot if you haven’t done so recently.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.