OpenVAS scanner on Debian Stretch
OpenVAS scanner stand-alone configuration for Debian 9 Stretch.
Working example I use for deploy a distributed series of scanners which will be managed by a remote openvas-manager.
Install the scanner software, it will also install redis as a dependency.
apt install openvas-scanner
You need to update the NVT database, which by default will use the rsync protocol.
Note: NVT updates can also be performed by curl or wget using an http proxy.
# Example using curl trough an http proxy, port 3128. export http_proxy="http://proxy.example.com:3128/" openvas-nvt-sync --curl
Uncomment the following lines in /etc/redis/redis.conf
unixsocket /var/run/redis/redis.sock unixsocketperm 700
Create the OpenVAS scanner’s default config file /etc/openvas/openvassd.conf
The local installation of the scanner is now complete, but in order to connect and control the scanner you need to enable the scanner to listen to the network by changing the ExecStart line in /etc/systemd/system/multi-user.target.wants/openvas-scanner.service
and provide to an openvas-manager a security certificate.
Note: the OpenVAS-scanner is considered the server and a remote manager is considered the client .
First build the Certification Authority, the scanner certificates and relative keys.
# Create the scanner certificate # the scanner are considered the SERVER # so you need to create the server certificates and the # CA openvas-mkcert
Then the client certificates you will later install in the manager.
# Create the scanner client certificates # this will be imported into the managers to # be able to connect to the scanner. # note: copy the CA.pem, and the generated client pem and key. # to the manager. openvas-mkcert-client
Restart the scanner
systemctl restart openvas-scanner
Check the scanner status
systemctl status openvas-scanner