This is the second part of a series on OpenVAS, the open-source vulnerability scanner. In my last post, I walked you through compiling the various pieces of OpenVAS and getting it up and running. Now it's time to talk about the fundamentals. For this and future posts, we'll be using the web front-end to OpenVAS, called Greenbone Security Assistant, and we'll assume it's running on your local machine.
Why bother with OpenVAS, or vulnerability scanning in general?
echo "Starting OpenVAS Scanner Daemon..."/usr/local/sbin/openvassd && echo [ OK ]echo "Starting OpenVAS Manager Daemon..."/usr/local/sbin/openvasmd && echo [ OK ]echo "Starting OpenVAS Administrator Daemon..."/usr/local/sbin/openvasad && echo [ OK ]echo "Starting Greenbone Security Assistant Web Interface..."/usr/local/sbin/gsad --http-only && echo [ OK ]echo "Downloading NVT Updates..."/usr/local/sbin/openvas-nvt-sync && echo [ OK ]
0 4 * * * /usr/local/sbin/openvas-nvt-sync
You don't need to create a custom scan config to get started with OpenVAS, but If you decide to create a new Scan Config, you'll have the ability to edit it (the wrench will not be greyed out)
and you'll be faced with a huge assortment of scanning options allowing you to fine-tune your scan. You'll also see options for so-called NASL Wrappers, which are scripts that help OpenVAS utilize third-party tools such as nmap, nikto, w3af and others. Tuning your scan parameters is important, but complicated enough that it's beyond the scope of this series. Most vulnerability scanners I've used (Nessus, ISS, etc...) have a configuration section like this, and it's always a very, very deep rabbit-hole. Mastering this is a bit of an art, but I usually break the enterprise up into "classes" so that like-systems are scanned with relevant checks so I'm not throwing 5,000 futile Windows checks at the Linux servers in the DMZ, for example. Feel free to leave me a comment if you want me to discuss this kind of classification setup in more detail.
When building custom configs, I recommend using the existing scan configs as a template, and tweaking things from there to get your bearings. Try the "Full and very deep" scan first if you have any doubts. It's unlikely to knock anything off the network, but be careful! The "Trend" radio button selects whether this scan config will grow and import new NVT plugins or remain static with only the plugins you selected for that particular plugin family. If you start using OpenVAS frequently, you'll probably want to become familiar with tuning scan configs to get rid of false positives or enable more features.