Exploring the OpenVAS vulnerability scanner
Configuration
OpenVAS provides many configuration options (Figure 1), but most of the options have conservative defaults that preserve performance and support functionality. A few of the most important options follow.
- Port Range – This option sets the range of ports for scanning by the OpenVAS server. The default is to scan only ports defined in the openvas-services file, which covers all of the commonly used ports, except for some in the upper end of the port range. To get complete coverage of all ports, specify 1-65535. Scanning a smaller number of ports, including just the default range, will speed up the scan, but you might miss detecting malware such as backdoor daemons on a high number ports.
- Hosts to test concurrently – This option sets the number of hosts that can be scanned in parallel, which has the effect of limiting the load on the OpenVAS server.
- Checks to perform concurrently – This option sets the number of concurrent tests that can run on a single target at one time.
- Safe Checks – This option instructs OpenVAS to rely on banners rather than perform a potentially invasive check of the target service. Turning safe checks off could result in services becoming unavailable to the server or users (Figure 2). A good idea would be to perform a regular check with safe checks set to on, then turn off safe checks for additional scans. For example, if OpenVAS scans are scheduled every Tuesday, the first Tuesday should be run with safe checks off, with systems administrators on hand to respond to any potential disruptions.
- Port scanner – A choice of different port scanning options is available. The options range from simple TCP connection attempts (the OpenVAS TCP Scanner) to more sophisticated approaches, such as a SYN scan or an IKE scan. SYN scans can detect ports without completing the normal TCP handshake procedure. IKE scans are designed to locate IPSec, VPNs, and similar connection points.
OpenVAS offers many other configuration options. The OpenVAS website has more information on tailoring the settings to your own environment.
Local Access Credentials
Running a scan in the default configuration leads to a purely remote scan. Although you can get a lot of good information this way, the default settings essentially make OpenVAS into a glorified port scanner. By taking advantage of the local check capabilities, you can get much more accurate results. Local checks allow OpenVAS to determine the state of applications that normally might be inaccessible over the network (such as Wireshark) but that nevertheless might have vulnerabilities. Local checks also help locate vulnerable applications that you might not even know are running on your system.
Version 2.0.2 and higher of OpenVAS Client has a convenient Credentials Manager tool for entering local access credentials to scan target systems (Figure 3). SSH keys are created in RSA PKCS#8 format for compatibility across different implementations of SSH.
Once created, the keys can be installed easily on target systems via the RPM or DEB packages created by the wizard. The locations of the packages are defined during the creation procedure. A Windows installer that is also created prepares Windows targets for scanning with an SMB-based local user.
Getting to Work
Once your system is configured, it is time to run a scan by starting the OpenVAS Client. A dialog box asks for the user login (Figure 4). If this is the first login, you might be asked to save the SSL certificate. At this point, the client will also check for new plugins and plugin dependencies from the server.
Next, create a new task called Test Scans. A task is equivalent to a logical group. This grouping is completely abstract – the task could refer to a customer network, in the case of a consultant, or a grouping of nodes within a local or remote network, in the case of in an in-house systems administrator.
The next step is to create a new scope called Internal Testing. Scopes are defined within the context of a task. A scope is equivalent to a profile. For instance, a scope might include all Linux nodes or all AIX nodes. The scope can also equate to services rather than nodes, such as all machines running SSH daemons or SMB services. (Scope and tasks are entirely abstract. Currently, OpenVAS does not provide a means to automatically create a task and scope from previous scans or templates.)
With all of the pieces in place, it is time to run the first scan. First, set any desired options, such as preferred port scanners and target access credentials, then execute the scan by clicking on the Execute button. The scan begins at this point. The client will pop up an informational window with the current status of the port scan and checks (Figure 5).
Once the scan is complete, a report highlights the number of high-, moderate-, and low-priority issues (Figure 6). The client also can export a report in various formats, including HTML, XML, and PDF.
« Previous 1 2 3 Next »
Buy Linux Magazine
Direct Download
Read full article as PDF:
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
KDE Plasma 5.27 Beta is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.
-
Critical Linux Vulnerability Found to Impact SMB Servers
A Linux vulnerability with a CVSS score of 10 has been found to affect SMB servers and can lead to remote code execution.
-
Linux Mint 21.1 Now Available with Plenty of Look and Feel Changes
Vera has arrived and although it is still using kernel 5.15, there are plenty of improvements sure to please everyone.