Advanced Configuration

If you need to make changes to the default OpenVAS-Server configuration, you can do so in the configuration file located at /etc/openvas/openvasd.conf.

The following settings can be configured through the openvasd.conf configuration file (note: the default values for your distribution may differ from the default values described here):

plugins_folder
This setting configures the path where the NVT scripts can be found.

(default value: /lib/openvas/plugins)

max_hosts
The maximum number of hosts that will be tested simultaneously.

(default value: 30)

max_checks
The maximum number of checks that will run simultaneously against a given host.

(default value: 10)

be_nice
Niceness. If set to 'yes', openvasd will renice itself to 10.

(default value: no)

logfile
The file used to log activity. If this value is set to 'syslog', OpenVAS-Server will use syslogd for logging.

(default value: /var/log/openvas/openvasd.messages)

log_whole_attack
This setting controls how detailed the log should be. If this option is set to 'no', only the start and end times of the scan are logged. If set to 'yes', OpenVAS-Server will log more information, including the time each plugin took to execute. Be aware that this may cause OpenVAS-Server to use more hard disk space and to access the hard disk more often during the scan.

(default value: no)

log_plugins_name_at_load
This setting controls whether the names of the plugins that are loaded by the server should be logged.

(default value: no)

dumpfile
This option configures the name of the file that should be used for debugging output. If this option is set to '-', debugging output will be written to stdout.

(default value: /var/log/openvas/openvasd.dump)

rules
The filename for the server rules file.

(default value: /etc/openvas/openvasd.rules)

users
The filename for the user database.

(default value: /etc/openvas/openvasd.users)

cgi_path
The default CGI paths to check, separated by colons (':').

(default value: /cgi-bin:/scripts)

port_range
The range of ports that will be scanned by the port scanners. If this setting is set to 'default', OpenVAS-Server will scan the ports specified in the file found at /var/lib/openvas/openvas-services.

(default value: default)

optimize_test
Security tests may request to be launched if and only if certain information gathered by other tests exists in the knowledge base, or if and only if a given port is open. If this option is set to 'yes', it will speed up the test, but may cause the OpenVAS server to miss some vulnerabilities.

(default value: yes)

checks_read_timeout
The read timeout (in seconds) for the sockets used while scanning.

(default value: 5)

non_simult_ports
This option can be used to specify a list of ports or services against which plugins should not be run simultaneously.

(default value: 139, 445)

plugins_timeout
The maximum lifetime of a plugin (in seconds).

(default value: 320)

safe_checks
Some security checks may harm the target server, by disabling the remote service temporarily or until a reboot. If this option is set to 'yes', the OpenVAS server will rely on banners instead of actually performing a security check. This will result in a less reliable report, but is less likely to disrupt functionality on the target system during a test.

(default value: yes)

auto_enable_dependencies
If this option is set to 'yes', OpenVAS-Server will automatically enable plugins which are needed by the plugins selected by the user.

(default value: yes)

silent_dependencies
If this option is set to 'yes', output from plugins which were enabled automatically will not be sent to the client.

(default value: yes)

use_mac_addr
Designate hosts by MAC address, not IP address; this can be useful in DHCP networks.

(default value: no)

save_knowledge_base
This option controls whether the knowledge base created during the scan should be saved to disk.

(default value: no)

kb_restore
This setting controls whether the knowledge base should be restored for each test.

(default value: no)

only_test_hosts_whose_kb_we_dont_have
If this option is set to 'yes', OpenVAS-Server will only test the hosts that are not yet in the knowledge base. This can be used to scan new hosts once if they appear in a subnet for the first time, for example.

(default value: no)

only_test_hosts_whose_kb_we_have
If this option is set to 'yes', OpenVAS-Server will only test the hosts that are already in the knowledge base. This is useful for scanning only a set of hosts that are already known to the server.

(default value: no)

kb_dont_replay_scanners
If this option is set to 'yes' and the option kb_restore has been enabled, scanner plugins will not be launched if they have already been launched in the past.

(default value: no)

kb_dont_replay_info_gathering
If this option is set to 'yes' and the option kb_restore has been enabled, information gathering plugins will not be launched if they have already been launched in the past.

(default value: no)

kb_dont_replay_attacks
If this option is set to 'yes' and the option kb_restore has been enabled, attack plugins will not be launched if they have already been launched in the past.

(default value: no)

kb_dont_replay_denials
If this option is set to 'yes' and the option kb_restore has been enabled, denial of service plugins will not be launched if they have already been launched in the past.

(default value: no)

kb_max_age
This option sets the maximum age of the knowledge base (in seconds).

(default value: 864000)

slice_network_addresses
If this option is set to 'yes', OpenVAS will not scan a network sequentially (10.0.0.1, 10.0.0.2, 10.0.0.3), but will attempt to slice the workload throughout the whole network (e.g. 10.0.0.1, 10.0.0.127, 10.0.0.2, 10.0.0.128).

(default value: no)

nasl_no_signature_check
If this option is set to 'yes', OpenVAS-Server will not check the signatures of the NASL scripts and will run scripts even if they have no signature or an invalid one. Be aware that setting this option to 'yes' does pose a security risk. However, at the current stage of OpenVAS development, signatures are not yet included in the openvas-plugins releases available from the OpenVAS website. If this option is set to 'no', you will only be able to use a very limited number of plugins until you have synchronized your plugin collection with an NVT Feed Service providing signatures. For this reason, this option will default to 'yes' until signatures are included with all plugins.

(default value: yes)
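
Several of the settings above trade scan reliability or safety for speed or coverage (nasl_no_signature_check, safe_checks, optimize_test), and the kb_dont_replay_* options only apply when kb_restore is enabled. The following check is an added example, not part of OpenVAS or of the original page; it assumes the file uses "key = value" lines with "#" comment lines, and the function names and sample configuration are hypothetical.

```python
# Added example. Assumption: openvasd.conf uses "key = value" lines and "#" comments.
# Defaults as documented on this page (your distribution's defaults may differ).
DOCUMENTED_DEFAULTS = {"nasl_no_signature_check": "yes", "safe_checks": "yes",
                       "optimize_test": "yes", "kb_restore": "no"}
REPLAY_KEYS = ("kb_dont_replay_scanners", "kb_dont_replay_info_gathering",
               "kb_dont_replay_attacks", "kb_dont_replay_denials")

def parse_conf(text):
    """Return {key: value} from 'key = value' lines, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (key, message) findings derived from the setting descriptions above."""
    conf = parse_conf(text)
    get = lambda k: conf.get(k, DOCUMENTED_DEFAULTS.get(k, "no")).lower()
    findings = []
    if get("nasl_no_signature_check") == "yes":
        findings.append(("nasl_no_signature_check", "NASL scripts run without a valid signature"))
    if get("safe_checks") == "no":
        findings.append(("safe_checks", "checks may disable the remote service on the target"))
    if get("optimize_test") == "yes":
        findings.append(("optimize_test", "faster scan, but some vulnerabilities may be missed"))
    if get("kb_restore") != "yes":
        for key in REPLAY_KEYS:
            if get(key) == "yes":
                findings.append((key, "only applies when kb_restore is enabled"))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# openvasd.conf (constructed sample)
safe_checks = no
optimize_test = no
kb_dont_replay_attacks = yes
"""

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

Keys missing from the file are evaluated with the defaults documented on this page, so an unset nasl_no_signature_check is still reported.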