About

OpenVAS
Constitution
OpenVAS-Server
OpenVAS-Client
OpenVAS NVT Feed

Information/Howto's

Integrated tools
Security info sources
NVT creation process
Trusted NVTs
Local Security Checks
NVT Feed Services
OpenVAS Compendium

Support

Mailinglist Discussion:
Archive | Subscribe
Mailinglist Announcements:
Archive | Subscribe

Online Chat

Professional Services

Developers Corner

Development Platform
Code quality
Change requests
Internal Architecture
Assigning OIDs for NVTS

Mailinglist Development:
Archive | Subscribe
Mailinglist Writing NVTs:
Archive | Subscribe
Mailinglist Packaging/Distributing:
Archive | Subscribe
Mailinglist Source Code Commits:
Archive | Subscribe

Download

Client:
OpenVAS-Client 1.0.4

Server components:
openvas-libraries 1.0.2
openvas-libnasl 1.0.1
openvas-server 1.0.2
openvas-plugins 1.0.3

Documentation:
OpenVAS Compendium 1.0-rc1

OpenVAS 2.0 BETA:
openvas-libraries 2.0-beta1
openvas-libnasl 2.0-beta1
openvas-server 2.0-beta1
openvas-client 2.0-beta1
openvas-plugins: Use 1.0.x

NVT Lookup by OID

(replace 61039 by any other old-style ID)

Howto: Perform local security checks

This text explains how to run local security checks with OpenVAS. So far, this procedure has been tested only with Debian local security checks.

Prerequisites (if you don't have a running OpenVAS Server yet)

You need to compile and install at least these packages (minimum versions given):

openvas-libraries 1.0.0, openvas-libnasl 0.9.2, openvas-server 0.9.2, openvas-plugins 0.9.1

and have a certificate and a user:

# openvas-mkcert
# openvas-adduser

See OpenVAS Server for more information on installation.

Create users for local security checks

First, you need a key with certificate:

$ ssh-keygen -t rsa -f ~/.ssh/id_rsa_sshovas -C "OpenVAS-Local-Security-Checks-Key"
$ openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_rsa_sshovas -out sshovas_rsa.p8

Note: The comment (here: "OpenVAS-Local-Security-Checks-Key") should not contain spaces.
Currently, you need a rsa pkcs8 key for OpenVAS local security checks.

Now, for each target system:

# adduser --disabled-password sshovas
  Name: OpenVAS Local Security Checks
# su - sshovas
$ mkdir .ssh
$ cp /some/path/id_rsa_sshovas.pub .ssh/authorized_keys
$ chmod 500 .ssh
$ chmod 400 .ssh/authorized_keys

Configure the local security checks in OpenVAS-Clients

In Preferences, configure SSH Authorization:

SSH login name: sshovas
SSH private key: ~/.ssh/sshovas_rsa.p8
SSH key passphrase: ********
SSH public key: ssh/id_rsa_sshovas.pub

Note: It is actually not necessary to submit the public key, but currently this is necessary due to a bug inherited from Nessus.

Next, make sure you select at least these plugins:

Debian Local Security Checks/*
Misc/Determine List of installed packages via SSH login
Service Detection/Services
Settings/Global variable settings
Settings/SSH Authorization

or ensure dependencies are resolved at runtime (see checkboxes) if you select only some local security checks.