There are a lot of very good vulnerability scanners on the market, but most of them cost more than $50,000 for the basic needs of most individuals or organizations. The same is true of security tools in general. Money spent on tools doesn't improve the knowledge of the people running them or of those who have to act on their findings. I've found that smart, well-trained people, coupled with a reasonable (open source) tool set, a good process, and discipline, will far exceed what a large tool budget and mediocre staff can do. With this in mind, I set out to use a scaled-out OpenVAS as my vulnerability scanning solution. Instead of just downloading and installing it on a generic Linux distro, I decided to install it on Kali Linux so that additional tools are on hand to verify findings, and so the hosts are useful while scans aren't running. If you follow all of the instructions, you will have:
- a central OpenVAS node that provides your normal OpenVAS web GUI
- multiple nodes that take care of the heavy scanning workloads
- each node handling its own defined target lists
- notifications to your teams when scanning starts and ends, so nobody responds thinking these are unauthorized scans
- a few ways to troubleshoot or recover your OpenVAS setup
Stick with me; we will cover the basics first and then get into more detailed instructions. You can download your distro of choice, but for this setup I will be using Kali Linux 64-bit (https://www.kali.org/downloads/). Use your virtualization platform of choice: for home use, VMware Workstation or VirtualBox; most enterprises will use VMware, Nutanix, or AWS. After you have downloaded and stepped through the Kali Linux installation, allow SSH to the system. It is best to disable remote SSH again later (or restrict it to your management network), but for the rest of the setup you won't want to use the console in your virtualization software: copying and pasting commands is harder, and the console can be unreliable if you are connecting to remote locations.
Kali Linux SSH Setup - Allow incoming SSH
For the setup phase, allow SSH connections. Make sure the root password you set during installation is strong, since this exposes a root login over the network. Open a terminal:
#Enable SSH at boot and (re)start it now
systemctl enable ssh
systemctl restart ssh
Get the latest updates for your system and reboot.
apt-get update
apt-get dist-upgrade -y
reboot
Install OpenVAS and run the initial setup. The openvas-setup step will take some time, since it downloads all of the NVTs and the other feed data. It can take more than 30 minutes; a fast connection helps, but it will still take a while even on the best of connections. Note the admin password it prints at the end; you can reset it later with openvasmd (see the user management section below).
apt-get install openvas -y
openvas-setup
Set the system's hostname to the FQDN
Set the hostname to the fully qualified name in your domain. Use the same name later for the web GUI's allowed Host header and for Postfix:
hostnamectl set-hostname openvas.givemeit.com
OpenVAS: allow remote connections to the web GUI
By default gsad only listens on localhost. To allow remote connections, change the --listen option and add --allow-header-host on the gsad ExecStart line in its systemd unit (greenbone-security-assistant on Kali):
Description=Greenbone Security Assistant
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9390 --allow-header-host "openvas.givemeit.com"
After editing the unit, run systemctl daemon-reload and restart the service; otherwise systemd keeps using the old ExecStart. Package upgrades can overwrite the unit file, so re-check this after upgrading (or put the change in a systemd drop-in). Keep in mind that --listen=0.0.0.0 binds the GUI on every interface: restrict access with a host firewall or bind it to your management address instead. Leave --mlisten=127.0.0.1 as it is; the manager on port 9390 doesn't need to be reachable from outside.
If you do not set the --allow-header-host option, you will see the following message in the browser window when you try to access the OpenVAS URL: "The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it."
Automatically update feeds
Set the feed updates to run automatically. I've had these fail before, and a stale or half-updated feed will cause scanning to stop working even though the scanner is still responsive; we will cover how to fix this later on. Two parts are required: the feed update downloads the data, and openvasmd then loads it into the manager database. For openvasmd, --rebuild could be used so it completes faster, but it locks the database until it finishes; --update lets users keep working with the database while it updates. Add both entries to root's crontab (crontab -e), leaving enough time between them for the download to finish, then restart cron:
0 4 * * * /usr/bin/openvas-feed-update
0 5 * * * /usr/sbin/openvasmd --update
systemctl restart cron
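Because the two cron entries above are independent, the 05:00 openvasmd --update runs whether or not the 04:00 feed sync succeeded or even finished, which is exactly the situation that leaves the scanner responsive but unable to scan. The wrapper below is an added example, not part of the original post or of the OpenVAS project: it runs both steps as one job, only updates the manager cache after a successful sync, refuses to overlap with a still-running sync, and logs what happened. The script name, log path and lock path are assumptions; the binary paths are the Kali defaults from the crontab above, and all of them can be overridden through the environment.

```shell
#!/bin/sh
# openvas-feed-cron.sh (assumed name): sync the feeds and then update the
# manager's NVT cache as ONE job, so the cache is only rebuilt from a feed
# that actually finished downloading.
#
# Defaults are the Kali paths used in the crontab above; override them
# through the environment if yours differ.
FEED_SYNC="${FEED_SYNC:-/usr/bin/openvas-feed-update}"
MANAGER_UPDATE="${MANAGER_UPDATE:-/usr/sbin/openvasmd --update}"
LOGFILE="${LOGFILE:-/var/log/openvas/feed-update.log}"     # assumed path
LOCKDIR="${LOCKDIR:-/var/lock/openvas-feed-update.lock}"   # assumed path

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE"
}

# Return codes: 0 ok, 1 feed sync failed (cache left untouched),
# 2 manager update failed, 3 a previous run still holds the lock.
update_feeds() {
    # mkdir is atomic, so it works as a lock without flock(1). A sync that
    # overruns into the next cron slot is skipped, not run twice. If a run
    # is killed mid-way, remove the stale lock directory by hand.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "another feed update is still running, skipping this run"
        return 3
    fi
    rc=0
    log "starting feed sync"
    # Unquoted on purpose: "openvasmd --update" must split into command + argument.
    if $FEED_SYNC >>"$LOGFILE" 2>&1; then
        log "feed sync ok, updating manager NVT cache"
        if $MANAGER_UPDATE >>"$LOGFILE" 2>&1; then
            log "manager update ok"
        else
            log "manager update FAILED"
            rc=2
        fi
    else
        log "feed sync FAILED, manager cache left untouched"
        rc=1
    fi
    rmdir "$LOCKDIR"
    return $rc
}

# Do the work only when executed as the cron script, not when sourced.
if [ "${0##*/}" = "openvas-feed-cron.sh" ]; then
    update_feeds
fi
```

Install it as /usr/local/sbin/openvas-feed-cron.sh, make it executable, and replace the two crontab lines with a single `0 4 * * * /usr/local/sbin/openvas-feed-cron.sh`. A line containing FAILED in the log is your cue to run the recovery steps, rather than waiting for scans to start failing.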
Email Settings for notifications and reports
OpenVAS needs a working MTA for e-mailed alerts and reports, so install the postfix package. I have a relay host specified, but your environment may or may not need one. It is also important to set inet_protocols to ipv4 only: otherwise Postfix prefers the IPv6 addresses of your relay and, on a host without IPv6 connectivity, those connection attempts fail and delay or break delivery. The relevant settings in /etc/postfix/main.cf:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = openvas.givemeit.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, openvas.givemeit.com
relayhost = relayhost.givemeit.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
mynetworks here is loopback-only, so nothing else can relay mail through this host. inet_interfaces = all does listen for inbound SMTP on every interface, which a send-only scanner doesn't need; loopback-only is the safer choice unless you actually receive mail on this box. Make sure Postfix starts on boot and then restart the service so the new settings take effect:
systemctl enable postfix
systemctl restart postfix
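With several scanner nodes, the Postfix settings above are easy to get subtly wrong on one of them. The script below is an added example, not taken from the post or from Postfix: it reads a main.cf and flags the two settings that matter for a send-only relay, inet_protocols not forced to ipv4 (the IPv6 problem described above) and mynetworks entries beyond loopback (which would let other hosts relay mail through the scanner), and prints a note when inet_interfaces is left at all. Like Postfix, it treats the last definition of a key as the effective one. The script name and the two sample configs are constructed for the demonstration; the first sample mirrors the settings above, the second carries the weak values.

```shell
#!/bin/sh
# check-postfix.sh (assumed name): audit a Postfix main.cf for the settings
# that matter on a send-only OpenVAS mail relay.

# Print the effective value of KEY in FILE. As in Postfix, the last
# definition wins; comment lines and unset keys yield an empty string.
maincf_get() {
    awk -v k="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        $1 ~ "^[[:space:]]*" k "[[:space:]]*$" {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); v = $0
        }
        END { print v }' "$1"
}

# Report problems in FILE; the return value is the number of findings.
check_main_cf() {
    cf=$1
    findings=0

    proto=$(maincf_get "$cf" inet_protocols)
    if [ "$proto" != "ipv4" ]; then
        echo "FAIL inet_protocols = '${proto:-all (default)}': Postfix tries IPv6 first; set it to ipv4"
        findings=$((findings + 1))
    fi

    # Anything beyond loopback in mynetworks is allowed to relay through us.
    set -f   # no pathname expansion of entries such as [::1]/128
    for net in $(maincf_get "$cf" mynetworks); do
        case $net in
            127.*|"[::1]"*|"[::ffff:127."*) ;;
            *) echo "FAIL mynetworks includes $net: hosts there can relay mail via this scanner"
               findings=$((findings + 1)) ;;
        esac
    done
    set +f

    ifaces=$(maincf_get "$cf" inet_interfaces)
    if [ "${ifaces:-all}" = "all" ]; then
        echo "NOTE inet_interfaces = all: SMTP listens on every interface; loopback-only is enough for sending alerts"
    fi
    return $findings
}

# Constructed sample: the settings from this post.
sample_page_config() {
    cat <<'EOF'
# main.cf as configured above (constructed sample)
myhostname = openvas.givemeit.com
relayhost = relayhost.givemeit.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
inet_protocols = ipv4
EOF
}

# Constructed sample: the weak values, with a later line overriding an earlier one.
sample_weak_config() {
    cat <<'EOF'
myhostname = openvas.givemeit.com
inet_protocols = ipv4
inet_protocols = all
mynetworks = 127.0.0.0/8 10.0.0.0/8
inet_interfaces = all
EOF
}

# When run as a script, audit the given file (default: the live main.cf).
if [ "${0##*/}" = "check-postfix.sh" ]; then
    check_main_cf "${1:-/etc/postfix/main.cf}"
fi
```

Run it over each node with `sh check-postfix.sh /etc/postfix/main.cf`; a non-zero exit status means at least one FAIL line was printed, so it also works as a quick fleet check from a loop over your scanner hosts.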
OpenVAS User Management
If you need to set or reset the admin user password, use the following openvasmd command:
openvasmd --user=admin --new-password=yournewpassword
A password passed on the command line ends up in your shell history (and is visible in the process list while the command runs), so clear it from the history afterwards.
To see all available options:
openvasmd --help
To view all of the users:
openvasmd --get-users
Create a new user with the Admin role, then set the new user's password (--create-user prints a generated password; the second command replaces it):
openvasmd --create-user=openvasuser1 --role=Admin
openvasmd --user=openvasuser1 --new-password=yournewpassword
Setting up OpenVAS Scanning Nodes
Check out Part 2 of the setup dedicated to Scanner Node configurations at http://www.givemeit.com/openvas-scaled-for-the-enterprise-on-kali-scann…
openvasmd help options
We will be using more of these commands later in the setup process.