In this blog we will learn how to install OpenVAS scanner on Rocky Linux or other Red Hat based Linux distributions.
Introduction
OpenVAS , Open Vulnerability Assessment System is the scanner component of Greenbone Vulnerability Manager (GVM) , a framework of different services and tools for vulnerability scanning and vulnerability management. With vulnerability management, you look through the eyes of a potential attacker at your infrastructure. The goal is to find potential security issues before attackers will find them.
All Greenbone Vulnerability Manager products are free software, and most components are licensed under the GNU General Public License (GPL). Plugins for Greenbone Vulnerability Manager are written in the Nessus Attack Scripting Language, NASL.
Greenbone Vulnerability Manager began under the name of OpenVAS, and before that the name GNessUs, as a fork of the previously open source Nessus scanning tool, after its developers Tenable Network Security changed it to a proprietary (closed source) license in October 2005.
Refer the official documentation Greenbone
Pre-requisite
Need to have one Rocky Linux installed host with below resources (minimum)
- CPU – 2 cores
- Memory – 4 GB
- Storage – 100 GB
- Operating System – Rocky Linux release 8 or 9
- Hostname – openvas-01.rockylinux.com
- IP Address – 192.168.88.128/24
If you need to install a Rocky Linux host follow the post How to Install Rocky Linux 8
Configuring Host server
Login to the host using ssh with root user and set a fully qualified domain name (FQDN)
# hostnamectl set-hostname openvas-01.rockylinux.comEdit the host file using editor of your choice
# vi /etc/hostsAdd the lines below to have the name resolution
192.168.88.128 openvas-01.rockylinux.com openvas-01Install the packages after refreshing the cache
# dnf makecache
# dnf update -yIf the above actions would have upgraded the kernel please reboot the system to have the installed kernel effective
# rebootDisable the SELinux services
# sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
# grubby --update-kernel ALL --args selinux=0
# rebootEnabling 3rd Party Repositories
We may need to have packages installed for OpenVAS which is not included in the standard yum repositories. Enable the CRB (Power Tools) and EPEL (Extra Packages for Enterprise Linux) yum repositories.
# dnf config-manager --set-enabled crb
# dnf install -y epel-release epel-next-releaseDownload and install Atomic yum repository
# wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo sh
Atomic Free Unsupported Archive installer, version 7.0.2
BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:
THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE
COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED
BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
For supported software packages please contact us at:
sales@atomicorp.com
Do you agree to these terms? (yes/no) [Default: yes]
Configuring the [atomic] repo archive for this system
Installing the Atomic GPG keys: OK
Downloading atomic-release-1.0-23.el9.art.noarch.rpm: Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:atomic-release-1.0-23.el9.art ################################# [100%]
Enable repo by default? (yes/no) [Default: yes]:
For supported software packages please contact us at:
sales@atomicorp.com
Do you agree to these terms? (yes/no) [Default: yes]
Configuring the [atomic] repo archive for this system
Installing the Atomic GPG keys: OK
Downloading atomic-release-1.0-23.el9.art.noarch.rpm: Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:atomic-release-1.0-23.el9.art ################################# [100%]
Enable repo by default? (yes/no) [Default: yes]:Rebuild the cache
# dnf makecache
Rocky / Red Hat Enterprise Linux 8 - atomic 1.1 kB/s | 3.0 kB 00:02
Extra Packages for Enterprise Linux 8 - x86_64 4.8 kB/s | 8.9 kB 00:01
Extra Packages for Enterprise Linux 8 - Next - 15 kB/s | 8.9 kB 00:00
Rocky Linux 8 - BaseOS 733 B/s | 4.1 kB 00:05
Rocky Linux 8 - AppStream 2.2 kB/s | 4.5 kB 00:02
Rocky Linux 8 - CRB 258 kB/s | 2.1 MB 00:08
Rocky Linux 8 - Extras 586 B/s | 2.9 kB 00:05
Metadata cache created.OpenVAS Installation
During installation, gvm updates Network Vulnerability Tests feed from the Greenbone Security Feed/Community Feed. It may takes a few more minutes, depends upon your Internet connection speed
# dnf install -y gvm
# gvm-setup
#####################################
GVM Setup, Version: 6.1.0
Atomicorp, Inc.
#####################################
cannot access /var/lib/alternatives/python: No such file or directory
* Initializing database in '/var/lib/pgsql/data'
* Initialized, logs are in /var/lib/pgsql/initdb_postgresql.log
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /usr/lib/systemd/system/postgresql.service.
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service → /usr/lib/systemd/system/redis.service.
net.core.somaxconn = 1024
vm.overcommit_memory = 1
Update NVT, CERT, and SCAP data
Please note this step could take some time.
Once completed, this will be updated automatically every 24 hours
Updating NVTs....
/usr/bin/greenbone-nvt-sync
---
---
---
sent 727 bytes received 99,598,473 bytes 991,036.82 bytes/sec
total size is 99,554,950 speedup is 1.00
/usr/sbin/greenbone-feed-sync --type CERT success
Updating OpenVAS Manager certificates: Complete
GVMD startup: Done
Set the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT's manually, and manage roles.
Enter Administrator Password:
Verify Administrator Password:
Created symlink /etc/systemd/system/multi-user.target.wants/ospd-openvas.service → /usr/lib/systemd/system/ospd-openvas.service.
Created symlink /etc/systemd/system/multi-user.target.wants/notus-scanner.service → /usr/lib/systemd/system/notus-scanner.service.
Created symlink /etc/systemd/system/openvas-manager.service → /usr/lib/systemd/system/gvmd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/gvmd.service → /usr/lib/systemd/system/gvmd.service.
Created symlink /etc/systemd/system/greenbone-security-assistant.service → /usr/lib/systemd/system/gsad.service.
Created symlink /etc/systemd/system/multi-user.target.wants/gsad.service → /usr/lib/systemd/system/gsad.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mosquitto.service → /usr/lib/systemd/system/mosquitto.service.
success
success
#####################################
Setup complete
Log in to GSAD at https://localhost
#####################################Adapting the firewall rules for the OpenVAS
# firewall-cmd --permanent --add-service=https
success
# firewall-cmd --reload
success
Access the OpenVAS Security Assistant Web GUI
Open URL https://openvas-01.rockylinux.com in a web browser.
Login as admin user, you can use the password that you have set during execution of gvm-setup command.