2011-03-21

OpenVAS on Ubuntu 10.10 Maverick Meerkat Install Notes

When Tenable took Nessus through a code re-write and closed its source, the old code was forked a few times. As far as I can tell, OpenVAS is the strongest surviving variant. Most Linux distributions carry it in their package repositories, but only as the old, out-of-date 2.x version.


I wanted to get the new version up and running. It turns out that compiling it for the first time was a gigantic clustercoitus of library dependencies and unnecessary branches in the OpenVAS subversion repository. So, I did what I usually do when I meet a challenge worth dissecting: I set up a VM, took some snapshots, and documented it.

There are four components to OpenVAS: the scanner, the administrator, the manager, and a client program. There are three clients to choose from:
  • Greenbone Security Desktop, which looks a lot like the older Nessus GUI
  • Greenbone Security Assistant, a clean web UI similar to the new Nessus, except more feature rich
  • OpenVAS-cli, a tool that's good for lightweight scheduled scanning

There are well over 100 dependencies to get OpenVAS installed, but this big pile knocked them all out on both Ubuntu 10.10 server and desktop versions:

sudo apt-get install build-essential libpcap-dev subversion cmake libgpgme11-dev libglib2.0-dev uuid-dev doxygen libgnutls-dev libmicrohttpd-dev bison xmltoman libsqlite3-dev sqlfairy libxslt-dev texlive-latex-extra xsltproc

One last thing: If you really want to use the Greenbone Security Desktop GUI, there's a whole lot more you'll need, but they're all dependencies of libqt4-dev. I have grown to really like the Web GUI, so you may want to play with that first before you decide to go with GSD.

sudo apt-get install libqt4-dev

If you pull up the SVN repository, you'll see the following branches. You do not need all of them, and some of them are absolutely massive. It's a big waste of bandwidth, drive space and time to check out everything.

# bindings/
# doc/
# gsa/
# gsd/
# image-packages/
# openvas-administrator/
# openvas-cli/
# openvas-client/
# openvas-compendium/
# openvas-libraries/
# openvas-manager/
# openvas-packaging/
# openvas-plugins/
# openvas-scanner/
# sladinstaller/
# tools/
# winslad/

We only want openvas-libraries, openvas-scanner, openvas-manager, openvas-administrator, openvas-cli, gsa and gsd. When you first run subversion, you'll have to accept the SSL certificate from OpenVAS.

mkdir openvas-source
cd openvas-source
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libraries openvas-libraries
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-scanner openvas-scanner
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-manager openvas-manager
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-administrator openvas-administrator
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-cli openvas-cli
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/gsa gsa
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/gsd gsd

OpenVAS uses cmake, which is actually pretty slick as long as your dependencies are in order. Simply go into each of the directories above, and run the following commands to compile and install. I'll use openvas-libraries as an example:

cd openvas-libraries
cmake .
make
sudo make install
cd ..

One thing to keep in mind is that several libraries are deployed with the openvas-libraries package, and those are needed for the other packages. Make sure you run ldconfig to update the library cache before compiling the other packages.

sudo ldconfig

Do the same for openvas-scanner, openvas-manager, openvas-administrator, openvas-cli, gsa and, if you want to use the native GUI, gsd.

Once everything is installed, you need to do a few quick things to set everything up. First, start the OpenVAS Scanner Daemon:

sudo openvassd

Then update the plugins. This takes a long time the first time you run it.

sudo openvas-nvt-sync

Create a CA (walk through the prompts):

sudo openvas-mkcert 

Create a client certificate for OpenVAS Manager (om):

sudo openvas-mkcert-client -n om -i

Rebuild the OpenVAS Manager database, then start OpenVAS Manager:

sudo openvasmd --rebuild
sudo openvasmd

Start OpenVAS Administrator, then create an administrator account for yourself:

sudo openvasad
sudo openvasad -c 'add_user' -n Admin

Replace Admin with your desired username. It will prompt you for details.

Launch a client tool. I noticed that on Ubuntu, libmicrohttpd (a library the web UI uses) had some issues with SSL. I'm generally averse to running over plain HTTP, but if you make sure you run it locally or through a tunnel, you should be fine. I had to start Greenbone Security Assistant in http-only mode:

sudo gsad --http-only

Point your browser at http://localhost/ - It looks like this, if you have everything working properly. Here, I'm in the middle of a test scan.

[Screenshot: Greenbone Security Assistant web UI during a test scan]
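
Because gsad is serving plain HTTP here, it is worth confirming that port 80 is bound to loopback only before relying on "run it locally or through a tunnel". The check below is an added example, not part of the original post; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners on a TCP port that are not bound to loopback.
# Input is `netstat -tln` (or `ss -ltn`) text on stdin; both put the local
# address in column 4.

exposed_listeners() {   # usage: netstat -tln | exposed_listeners 80
    awk -v port="$1" '
        $1 ~ /^tcp/ || $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)          # last colon splits host from port
            if (n == 0) next
            host = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            print host                          # wildcard or routable address
        }'
}

# Exit status 0 when nothing on the port is reachable from other hosts
# (also 0 when nothing listens on the port at all).
http_only_is_local() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample input (not captured from a real host).
sample_local() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}
sample_exposed() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
EOF
}

sample_local   | http_only_is_local 80 && echo "sample_local: port 80 is loopback-only"
sample_exposed | http_only_is_local 80 || echo "sample_exposed: port 80 is reachable from other hosts"
```

On the scanner host itself, feed it live data with: sudo netstat -tln | exposed_listeners 80. Any address it prints means the HTTP-only UI is reachable from the network.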

Alternatively, you can run GSD:

gsd

Which looks a bit like this. You use the tabs to navigate it, export reports and all that.

[Screenshot: Greenbone Security Desktop]

I had trouble getting either GSD or GSA to export the report in PDF format. There may be a library or CLI tool that I'm missing. The HTML export works like a champ.

Update: Poking through the errors I found in /tmp, I discovered that I needed some files provided by LaTeX. Installing texlive-latex-extra and its dependencies got PDF export working, thus I've included it in the list of packages to install with apt-get at the beginning of this post.

In summary, OpenVAS works, and it's come a long way since the original fork of Nessus. It's difficult (and honestly, pointless) to compare OpenVAS to Nessus in their current states. They're not the same, and they likely have different strengths. I've spent quite a bit of time working with the latest versions of Nessus, so OpenVAS is new territory for me. Now that I have it up and running, I look forward to putting it through the paces.

I'll be talking about OpenVAS more in the coming days (or weeks, if things stay as busy as they have been lately). There are some interesting aspects of OpenVAS' architecture I'm playing with.
