Ensuring the baseline security of your hosts is important and one useful tool is a network security scanner. While not as good as a focused penetration test, a network security scanner is useful for identifying simple vulnerabilities, missing patches, open ports and other issues.
One network security scanning tool you may be familiar with is Nessus, Tenable's open source/commercial hybrid tool. Nessus is over ten years old and has been a dual offering since 2005, with free use only available for non-commercial purposes. But, it is not free and since the 3.0 release is no longer open source.
Free and open network security scanning
In response to the commercialization of Nessus and the closing of the source code, the Open Vulnerability Assessment System (OpenVAS) was created. It started as a pure GPL fork of Nessus, but has now begun to develop and extend new capabilities and functionality beyond the Nessus project. Here, we're going to show you how to install OpenVAS and get started with it.
This is a very simple process and we'll quickly have you running security scans of your hosts.
The latest release of OpenVAS, 3.0.0, is forked from Nessus 2.2 (Nessus took on its proprietary license from 3.0). It combines a client-server scanning architecture with a graphical front-end and runs on a variety of Linux, Windows and other operating systems. It utilizes Network Vulnerability Tests or NVTs written in Nessus Attack Scripting Language (NASL), which is the same language the Nessus project uses to write its tests.
As of December 2009, the OpenVAS project has released 15,500 signed NVTs, all under a GPL license. The 3.0.0 release moves OpenVAS from its origins as a vulnerability scanner into a complete vulnerability management solution. OpenVAS now has a modular architecture and support for a central management scan server and console.
Let's start by installing the various OpenVAS modules. For 3.0.0 there are three core modules: openvas-libraries, openvas-scanner, and openvas-client -- and two optional modules: openvas-manager and openvas-administrator. We're going to install the three core modules. At the time of this writing, OpenVAS 3.0.0 had not been packaged for any distributions and if you want a packaged version you're limited to the 2.x branch of releases. So, because we don't have packages we're going to install from source.
A number of prerequisites need to be installed prior to compiling OpenVAS. For example, on Red Hat we'll need a compiler and the following packages, installed via yum:
$ sudo yum install gcc glib glib2 glib-dev glib2-dev gpgme gpgme-devel make bison gnutls gnutls-devel libpcap libpcap-devel cmake gtk+ gtk+-devel
On Ubuntu we would need the equivalent packages installed via apt-get. This can be done by downloading the required source tarball and unpacking it:
$ wget http://wald.intevation.org/frs/download.php/683/openvas-libraries-3.0.0.tar.gz $ tar -zxf openvas-libraries-3.0.0.tar.gz $ cd openvas-libraries-3.0.0 $ ./configure $ make $ sudo make install $ sudo ldconfig
Then repeat these steps for the following files:
Next, we need to create a server certificate for OpenVAS:
$ sudo openvas-mkcert
Follow the on-screen instructions to create your certificate.
Now, we need to create a user for OpenVAS to run as using the openvas-adduser command.
$ sudo openvas-adduser
Again, follow the on-screen instructions and provide a user name and password for the OpenVAS user. Finally, we need to install the NVTs we will use to scan. The OpenVAS command is:
$ sudo openvas-nvt-sync
This will take a while to run the first time and you'll need to run it regularly to receive updated and new tests, I usually do it once a day via cron.
Running the OpenVAS scanner
Once it is installed you can run the OpenVAS Scanner daemon:
$ sudo openvassd
The daemon will load all the NVTs into the scanner so it may take a while to start depending on the performance of your scanning host.
Running the OpenVAS client
Once the Scanner daemon is running, you can launch a client and connect to it. We've installed the client on the same host as the scanner but you can install it on any host you wish and connect remotely to the scanner. Run the client now:
This will launch the client and display it:
You can then select File => Connect to connect to the OpenVAS scanner daemon:
You will be prompted to specify the IP address of the host running the scanner daemon (the daemon runs on TCP port 9390 so you'll need to ensure this port is open on any intervening firewalls). In our case we're connecting to localhost and don't need to worry about this. You also need to provide the user and password created earlier.
Once you've connected to the OpenVAS scanner daemon you can launch scans. The easiest way to do this is using the Scan Assistant, which you can access via the File menu of the client. It will launch the Scan Assistant and you can specify what hosts you wish to target.
You can then execute your scan and review the resulting report in the OpenVAS client.
This has been a very quick introduction to OpenVAS. It has many other capabilities that you can explore including writing your own NVTs and extending its capabilities with the new Manager and Administrator modules.
If you are having issues with OpenVAS you should refer to the OpenVAS Compendium for further information (although some of the documentation is still for the 2.0.0 release and has not yet been updated for the 3.0.0 release). You can also find help at the OpenVAS mailing list. If you can't find an answer for your bug you can log a ticket using the OpenVAS bug tracker.
ABOUT THE AUTHOR: James Turnbull works for the National Australia Bank as the manager of the CERT (Computer Emergency Response Team). He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement. James is also involved in the Free and Open Source Software community as a developer and contributor.