Advanced Configuration / Configuring OpenVAS-Server / Generating a Server Certificate / Adding New Users

Adding New Users

In order to use an OpenVAS server, a client needs a user account on that server. The OpenVAS-Server package provides the openvas-adduser script to simplify the creation of user accounts. With openvas-adduser you specify whether the user authenticates with a password or with a certificate, and you can optionally restrict the user's access rights.

Restricted access rights are useful to prevent users from scanning arbitrary hosts or networks. You can specify rules that limit a user to certain hosts or subnets, or even prevent the user from scanning any host but the one he is connecting from.

The correct syntax for user rules is:

accept|deny ip/mask

and

default accept|deny

where mask is the CIDR prefix length of the rule (for example /24).

The default statement must be the last rule; it defines the policy applied to any host not matched by a preceding accept or deny rule.

The following rule set will allow the user to test 192.168.1.0/24, 192.168.3.0/24 and 172.22.0.0/16, but nothing else:

accept 192.168.1.0/24
accept 192.168.3.0/24
accept 172.22.0.0/16
default deny

The following rule set will allow the user to test whatever he wants, except the network 192.168.1.0/24:

deny 192.168.1.0/24
default accept

The keyword client_ip is replaced at runtime by the IP address the user is connecting from. If you want to restrict the user to scanning only the system he is connecting from, you can use the following rule set:

accept client_ip
default deny
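To check a rule set against the hosts a user will actually submit, the following added example (not part of OpenVAS or this manual) parses the accept/deny syntax described above, substitutes client_ip, and evaluates whether a given target host is permitted. It assumes that rules are matched top-down with the first match winning and that a bare address without a mask means a single host; neither is stated on this page.

```python
import ipaddress

def parse_rules(text, client_ip):
    """Parse an OpenVAS user rule set into (action, network) pairs plus the default policy.

    Assumptions (not stated in the manual): rules are evaluated top-down, first match wins;
    an address without /mask is treated as a single host.
    """
    rules = []
    default = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "default":
            if len(parts) != 2 or parts[1] not in ("accept", "deny"):
                raise ValueError(f"bad default rule: {line!r}")
            default = parts[1]
            continue
        if default is not None:
            # The manual requires the default statement to be the last rule.
            raise ValueError("default must be the last rule")
        if len(parts) != 2 or parts[0] not in ("accept", "deny"):
            raise ValueError(f"bad rule: {line!r}")
        # client_ip is replaced by the address the user connects from.
        target = client_ip if parts[1] == "client_ip" else parts[1]
        rules.append((parts[0], ipaddress.ip_network(target, strict=False)))
    if default is None:
        raise ValueError("rule set has no default policy")
    return rules, default

def is_allowed(rules, default, host):
    """Return True if the user may scan host under the parsed rule set."""
    addr = ipaddress.ip_address(host)
    for action, net in rules:
        if addr in net:
            return action == "accept"
    return default == "accept"

# Constructed sample: the "only the connecting system" rule set, user connecting from 10.0.0.5
SAMPLE_RULESET = "accept client_ip\ndefault deny\n"
SAMPLE_CLIENT_IP = "10.0.0.5"

if __name__ == "__main__":
    rules, default = parse_rules(SAMPLE_RULESET, SAMPLE_CLIENT_IP)
    for host in ("10.0.0.5", "10.0.0.6"):
        print(host, "allowed" if is_allowed(rules, default, host) else "denied")
```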
