enricorossi.org

Enrico Rossi


OpenVAS scanner on Debian Stretch

OpenVAS scanner stand-alone configuration for Debian 9 Stretch.

Working example I use to deploy a distributed series of scanners that will be managed by a remote openvas-manager.

Install the scanner software; it will also pull in redis as a dependency.

apt install openvas-scanner

You need to update the NVT database; by default the sync uses the rsync protocol.

openvas-nvt-sync

Note: NVT updates can also be fetched with curl or wget through an HTTP proxy.

# Example using curl through an HTTP proxy on port 3128.
export http_proxy="http://proxy.example.com:3128/"
openvas-nvt-sync --curl

Communication between redis and OpenVAS on the same server can go over a Unix socket; both configuration files need to be modified for it.

Uncomment the following lines in /etc/redis/redis.conf

unixsocket /var/run/redis/redis.sock
unixsocketperm 700

Create the OpenVAS scanner’s default config file /etc/openvas/openvassd.conf

kb_location=/var/run/redis/redis.sock
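An added example, not from the original post: a small POSIX sh helper that applies the two edits above idempotently and verifies that the redis socket path and the scanner's kb_location agree before anything is restarted. The function names and the scratch-directory demo are mine; the paths are the Debian ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently apply the two
# configuration edits above (redis Unix socket, openvassd kb_location) and
# verify they agree. Paths are parameters; the demo uses a scratch copy.

SOCK=/var/run/redis/redis.sock

# enable_redis_socket REDIS_CONF: uncomment the two socket directives if they
# are present as comments, otherwise append them. Safe to run repeatedly.
enable_redis_socket() {
    sed -i -e "s|^# *unixsocket $SOCK\$|unixsocket $SOCK|" \
           -e 's|^# *unixsocketperm 700$|unixsocketperm 700|' "$1"
    grep -q "^unixsocket $SOCK\$" "$1" || printf 'unixsocket %s\n' "$SOCK" >> "$1"
    grep -q '^unixsocketperm 700$' "$1" || printf 'unixsocketperm 700\n' >> "$1"
}

# write_kb_location OPENVASSD_CONF: point the scanner's knowledge base at the socket.
write_kb_location() {
    printf 'kb_location=%s\n' "$SOCK" > "$1"
}

# check_kb_wiring REDIS_CONF OPENVASSD_CONF: succeed only when redis exposes
# exactly the socket path openvassd will open and the socket mode is 700, so
# only the redis user (and root, which openvassd runs as) can reach the KB.
check_kb_wiring() {
    sock=$(sed -n 's/^unixsocket \(.*\)$/\1/p' "$1")
    perm=$(sed -n 's/^unixsocketperm \(.*\)$/\1/p' "$1")
    kb=$(sed -n 's/^kb_location=\(.*\)$/\1/p' "$2")
    [ -n "$sock" ] && [ "$sock" = "$kb" ] && [ "$perm" = "700" ]
}

# demo: exercise the helpers on a constructed stock-style redis.conf (the two
# directives still commented out, as Debian ships it) in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '# unixsocket %s\n# unixsocketperm 700\nport 6379\n' "$SOCK" > "$d/redis.conf"
    : > "$d/openvassd.conf"
    # The check must fail before the edits are applied.
    if check_kb_wiring "$d/redis.conf" "$d/openvassd.conf"; then return 1; fi
    enable_redis_socket "$d/redis.conf"
    enable_redis_socket "$d/redis.conf"   # second run must not duplicate lines
    [ "$(grep -c '^unixsocket ' "$d/redis.conf")" -eq 1 ] || return 1
    write_kb_location "$d/openvassd.conf"
    check_kb_wiring "$d/redis.conf" "$d/openvassd.conf"
}
```

On a real host run the helpers as root against /etc/redis/redis.conf and /etc/openvas/openvassd.conf; redis-server itself must then be restarted for the socket to appear, which restarting openvas-scanner alone does not do.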

The local installation of the scanner is now complete, but for a remote manager to connect to and control it you need to make the scanner listen on the network, by changing the ExecStart line in /etc/systemd/system/multi-user.target.wants/openvas-scanner.service

ExecStart=/usr/sbin/openvassd --port=9391

and provide an openvas-manager with a certificate.

Note: the OpenVAS scanner is considered the server and a remote manager is considered the client.

First build the Certificate Authority, the scanner certificates and their keys.

# Create the scanner certificate.
# The scanner is considered the SERVER,
# so you need to create the server certificates and the
# CA.

openvas-mkcert

Then create the client certificates you will later install in the manager.

# Create the scanner client certificates.
# These will be imported into the managers so they
# are able to connect to the scanner.
# Note: copy CA.pem and the generated client pem and key
# to the manager.

openvas-mkcert-client

Restart the scanner

systemctl restart openvas-scanner

Check the scanner status

systemctl status openvas-scanner