Howto: Perform local security checks

This text explains how to run local security checks with OpenVAS. So far, this procedure has been tested only with Debian local security checks.

Create users for local security checks

First, you need a key with certificate:

$ ssh-keygen -t rsa -f ~/.ssh/id_rsa_sshovas -C "OpenVAS-Local-Security-Checks-Key"
$ openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_rsa_sshovas -out ~/.ssh/sshovas_rsa.p8

Note: The comment (here: "OpenVAS-Local-Security-Checks-Key") should not contain spaces.
Currently, you need an RSA PKCS8 key for OpenVAS local security checks.

Note: openssl will ask you for an "Encryption key" when generating your key with the command described above. This is the passphrase you will need to remember when using this key with OpenVAS, not the passphrase you entered when running the ssh-keygen command.

Important: If you plan on using this key with OpenVAS versions from the 1.0.x series, be aware that there is a bug in OpenVAS which prevents logins with a PKCS8 key whose passphrase consists only of numbers. If you get an "Unable to load key" error, be sure to include at least one non-numerical character in your passphrase.

Now, for each target system:

# adduser --disabled-password sshovas
  Name: OpenVAS Local Security Checks
# su - sshovas
$ mkdir .ssh
$ cp /some/path/id_rsa_sshovas.pub .ssh/authorized_keys
$ chmod 500 .ssh
$ chmod 400 .ssh/authorized_keys
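
The following script is an added example, not part of the original howto or of OpenVAS: it checks that the converted key is an encrypted PKCS8 file and that a target account matches the setup above. The function names are hypothetical; it assumes GNU stat (as on Debian) and an authorized_keys file holding only entries copied from the .pub file.

```shell
#!/bin/sh
# Added example: audit the files this howto creates.
# check_p8 and check_account are hypothetical helper names.

# check_p8 FILE: succeed only if FILE is a passphrase-protected PKCS8 key,
# i.e. the output of "openssl pkcs8 -topk8", not the raw ssh-keygen key.
check_p8() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    case "$(head -n 1 "$1")" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") return 0 ;;
        "-----BEGIN PRIVATE KEY-----")
            echo "$1: PKCS8 but not encrypted" >&2; return 1 ;;
        *)  echo "$1: not a PKCS8 key" >&2; return 1 ;;
    esac
}

# check_account HOME: verify the scan account's key setup on a target.
check_account() {
    dir="$1/.ssh"; file="$dir/authorized_keys"; rc=0
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    # Modes set by the howto: chmod 500 .ssh, chmod 400 authorized_keys.
    [ "$(stat -c %a "$dir")" = 500 ] || { echo "$dir: mode is not 500" >&2; rc=1; }
    [ "$(stat -c %a "$file")" = 400 ] || { echo "$file: mode is not 400" >&2; rc=1; }
    # Each entry must read "ssh-rsa <base64> <comment>"; a comment that
    # contains spaces shows up as extra fields.
    while read -r ktype blob comment extra || [ -n "$ktype" ]; do
        [ -n "$ktype" ] || continue
        case "$ktype" in \#*) continue ;; esac
        if [ "$ktype" != ssh-rsa ] || [ -z "$blob" ] || [ -n "$extra" ]; then
            echo "$file: unexpected entry: $ktype ... $comment $extra" >&2; rc=1
        fi
    done < "$file"
    return $rc
}
```

Run check_p8 on the scanning host against the .p8 file, and check_account on each target against the home directory of sshovas.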

Configure the local security checks in OpenVAS-Client

In Preferences, configure SSH Authorization:

SSH login name: sshovas
SSH private key: ~/.ssh/sshovas_rsa.p8
SSH key passphrase: ********
SSH public key: ~/.ssh/id_rsa_sshovas.pub

Note: The public key should not actually be needed here, but currently it has to be supplied due to a bug inherited from Nessus.

Next, make sure you select at least these plugins:

Debian Local Security Checks/*
Misc/Determine List of installed packages via SSH login
Service Detection/Services
Settings/Global variable settings
Settings/SSH Authorization

Alternatively, if you select only some of the local security checks, ensure that dependencies are resolved at runtime (see checkboxes).