OpenVASSD(8)                      User Manuals                     OpenVASSD(8)

NAME
       openvassd - The Scanner of the Open Vulnerability Assessment System
       (OpenVAS)

SYNOPSIS
       openvassd [-v] [-h] [-c config-file] [-S ip[,ip2,...]] [-a address]
                 [-p port-number] [-D] [-R] [-P] [-q] [-f]

DESCRIPTION
       OpenVAS is a security auditing framework made up of several modules.
       The Scanner, openvassd, is in charge of executing many security tests
       against many target hosts in a highly optimized way.

       openvassd inspects the remote hosts and attempts to list all the
       vulnerabilities and common misconfigurations that affect them. Note
       that openvassd runs in daemon mode by default (unless you specify -f
       as an option).

OPTIONS
       -c <config-file>, --config-file=<config-file>
              Use the alternate configuration file instead of
              /etc/openvas/openvassd.conf.

       -a <address>, --listen=<address>
              Tell the scanner to only listen to connections on the address
              <address>, which is an IP, not a machine name. For instance,
              "openvassd -a 192.168.1.1" will make openvassd only listen to
              requests going to 192.168.1.1. This option is useful if you
              are running openvassd on a gateway and you don't want people
              on the outside to connect to your openvassd.

       -S <ip[,ip2,...]>, --src-ip=<ip[,ip2,...]>
              Force the source IP of the connections established by OpenVAS
              to <ip>. Checks need to fully establish a connection to the
              remote host. This option is only useful if you have a
              multi-homed machine with multiple public IP addresses that you
              would like to use instead of the default one. Example:
              "openvassd -S 192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4"
              will make openvassd establish connections with a source IP of
              one among those listed above. For this setup to work, the host
              running openvassd should have multiple NICs with these IP
              addresses set.

       -p <port-number>, --port=<port-number>
              Tell the scanner to listen for connections on the port
              <port-number> rather than on port 9391 (default).

       -f, --foreground
              Make the scanner stay in the foreground (non-daemon mode).

       -q, --quiet
              Prevent the scanner from printing the loading status of the
              plugins at startup.

       -v, --version
              Write the version number and exit.

       -h, --help
              Show a summary of the commands.

CONFIGURATION FILE
       The default openvassd configuration file, /etc/openvas/openvassd.conf,
       contains these options:

       plugins_folder
              Contains the location of the plugins folder. This is usually
              /var/lib/openvas/plugins, but you may change this.

       logfile
              Path to the logfile. You can enter syslog if you want the
              openvassd messages to be logged via syslogd. You may also
              enter stderr if you want the openvassd logs to be written on
              stderr. Because openvassd is a sensitive program, you should
              keep your logs.

       max_hosts
              The maximum number of hosts to test at the same time; this
              value is given to the client, which can override it. This
              value must be computed from your bandwidth, the number of
              hosts you want to test, your amount of memory and the
              horsepower of your processor(s).

       max_checks
              The number of plugins that will run against each host being
              tested. Note that the total number of processes will be
              max_checks x max_hosts, so you need to find a balance between
              these two options. Note that launching too many plugins at
              the same time may disable the remote host, either temporarily
              (i.e. inetd closes its ports) or permanently (the remote host
              crashes because it is asked to do too many things at the same
              time), so be careful.

       be_nice
              If this option is set to 'yes', then each child forked by
              openvassd will nice(2) itself to a very low priority. This may
              speed up your scan as the main openvassd process will be able
              to continue to spawn processes, and this guarantees that
              openvassd does not deprive other important processes of their
              resources.

       log_whole_attack
              If this option is set to 'yes', openvassd will store the name,
              pid, date and target of each plugin launched. This is helpful
              for monitoring and debugging purposes; however, this option
              might make openvassd fill your disk rather quickly.

       log_plugins_name_at_load
              If this option is set to 'yes', openvassd will log the name of
              each plugin being loaded at startup, or each time it receives
              the HUP signal.

       dumpfile
              Some plugins might issue messages, most of the time to inform
              you that something went wrong. If you want to read these
              messages, set this value to a given file name. If you want to
              save space, set this option value to /dev/null.

       cgi_path
              By default, openvassd looks for default CGIs in /cgi-bin and
              /scripts. You may change these to something else to reflect
              the policy of your site. The syntax of this option is the same
              as the shell $PATH variable: path1:path2:...

       port_range
              This is the default range of ports that the scanner plugins
              will probe. The syntax of this option is flexible: it can be a
              single range ("1-1500"), several ports ("21,23,80") or several
              ranges of ports ("1-1500,32000-33000"). Note that you can
              specify UDP and TCP ports by prefixing each range with T or U.
              For instance, the following range will make openvassd scan UDP
              ports 1 to 1024 and TCP ports 1 to 65535: "T:1-65535,U:1-1024".

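       The following parser is an added example, not openvassd's own code;
       it accepts the port_range forms listed above ("1-1500", "21,23,80",
       "1-1500,32000-33000" and "T:1-65535,U:1-1024") and is handy for
       checking a value before putting it in openvassd.conf. Two details are
       assumptions, since the page does not spell them out: items with no
       prefix are treated as TCP, and a T: or U: prefix stays in force for
       the items that follow it until another prefix appears. The result
       type, a set of (protocol, port) pairs, and the helper names are mine.

```python
"""Parser for the openvassd port_range syntax (added example, not openvassd
code).  Accepted forms, from the man page: "1-1500", "21,23,80",
"1-1500,32000-33000", "T:1-65535,U:1-1024".  Assumptions: unprefixed items are
TCP; a T:/U: prefix applies to all following items until the next prefix."""
from typing import Set, Tuple

PortSet = Set[Tuple[str, int]]          # ("tcp" | "udp", port)


def parse_port_range(spec: str) -> PortSet:
    """Expand a port_range value into a set of (protocol, port) pairs."""
    ports: PortSet = set()
    proto = "tcp"                                   # assumption: default protocol
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port_range")
        if item[:2].upper() in ("T:", "U:"):        # protocol prefix switches mode
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:].strip()
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low, high = int(low_s), int(high_s)     # int() rejects junk like "abc"
        else:
            low = high = int(item)
        if not 1 <= low <= high <= 65535:           # rejects 0, >65535 and "80-21"
            raise ValueError(f"invalid port range: {item!r}")
        ports.update((proto, p) for p in range(low, high + 1))
    return ports


def is_valid(spec: str) -> bool:
    """True when the value parses; use this as a pre-flight check on the config."""
    try:
        parse_port_range(spec)
        return True
    except ValueError:
        return False


def summarize(spec: str) -> Tuple[int, int]:
    """(tcp_port_count, udp_port_count): a quick sanity check of scan scope."""
    ports = parse_port_range(spec)
    tcp = sum(1 for proto, _ in ports if proto == "tcp")
    return tcp, len(ports) - tcp


def will_probe(spec: str, proto: str, port: int) -> bool:
    """Whether a given (proto, port) falls inside the configured range."""
    return (proto, port) in parse_port_range(spec)


if __name__ == "__main__":
    example = "T:1-65535,U:1-1024"                # the man page's own example
    print(example, "->", summarize(example), "tcp/udp ports")
```

       summarize() is the function to run before a large scan: the TCP and
       UDP counts it returns feed directly into the traffic estimate given
       under NETWORK USAGE.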
       optimize_test
              By default, openvassd does not trust the remote host banners.
              This means that it will check a webserver claiming to be IIS
              for Apache flaws, and so on. This behavior might generate false
              positives and will slow the scan down somewhat. If you are sure
              the banners of the remote host have not been tampered with, you
              can safely enable this option, which will force the plugins to
              perform their job only against the services they have been
              designed to check.

       checks_read_timeout
              Number of seconds that the security checks will wait when
              doing a recv(). You should increase this value if you are
              running openvassd across a slow network link (testing a host
              via a dialup connection, for instance).

       non_simult_ports
              Some services (in particular SMB) do not appreciate multiple
              connections at the same time coming from the same host. This
              option allows you to prevent openvassd from making two
              connections on the same given ports at the same time. The
              syntax of this option is "port1[, port2....]". Note that you
              can use the KB notation of openvassd to designate a service
              formally. Ex: "139, Services/www" will prevent openvassd from
              making two connections at the same time on port 139 and on
              every port which hosts a web server.

       plugins_timeout
              This is the maximum lifetime, in seconds, of a plugin. It may
              happen that some plugins are slow because of the way they are
              written or the way the remote server behaves. This option
              allows you to make sure your scan is never caught in an
              endless loop because of a non-finishing plugin.

       safe_checks
              Most of the time, openvassd attempts to reproduce an
              exceptional condition to determine if the remote services are
              vulnerable to certain flaws. This includes the reproduction of
              buffer overflows or format string bugs, which may make the
              remote server crash. If you set this option to 'yes', openvassd
              will disable the plugins which have the potential to crash the
              remote services, and will at the same time make several checks
              rely on the banner of the service tested instead of its
              behavior towards a certain input. This reduces false positives
              and makes openvassd nicer towards your network; however, this
              may make you miss important vulnerabilities (as a
              vulnerability affecting a given service may also affect
              another one).

       auto_enable_dependencies
              OpenVAS plugins use each other's results to do their job. For
              instance, a plugin which logs into the remote SMB registry
              will need the results of the plugin which finds the SMB name
              of the remote host and the results of the plugin which
              attempts to log into the remote host. If you want to select
              only a subset of the plugins available, tracking the
              dependencies can quickly become tiresome. If you set this
              option to 'yes', openvassd will automatically enable the
              plugins that are depended on.

       use_mac_addr
              Set this option to 'yes' if you are testing your local network
              and each local host has a dynamic IP address (affected by DHCP
              or BOOTP); all the tested hosts will then be referred to by
              their MAC address.

       rules  Path to the rules database.

       The other options in this file can usually be redefined by the
       client.

USERS
       The utility openvas-adduser(8) creates new openvassd users. Each
       openvassd user is given a "home" in /var/lib/openvas/users/<username>.
       This home contains the following directories:

       auth/  This directory contains the authentication information for
              this user. It might contain the file 'dname' if the user is
              authenticating using a certificate, or 'hash' (or 'passwd') if
              the user is authenticating using a password. The file 'hash'
              contains an MD5 hash of the user password, as well as a random
              seed. The file 'password' should contain the password in clear
              text.

              This directory also contains the file 'rules', which contains
              the rules which apply to this user.

              The content of this directory cannot be altered by the user in
              any way whatsoever.

       kbs/   This directory contains the knowledge base (KB) of each host
              tested by this user, if the user has enabled the option
              'save_kb'.

       When a user attempts to log in, openvassd first checks that the
       directory /var/lib/openvas/users/<username> exists, then hashes the
       password sent by the user with the random salt found in
       <username>/auth/hash, and compares it with the password hash stored
       in the same file. If the user authenticates using a certificate, then
       openvassd checks that the certificate has been signed by a recognized
       authority, and makes sure that the dname of the certificate shown by
       the user is the same as the one in <username>/dname.

       To remove a given user, use the command openvas-rmuser(8).

RULES
       A rule always has the same format, which is:

              keyword IP/mask

       Keyword is one of reject, accept or default.

       In addition to this, the IP address may be preceded by an exclamation
       mark (!) which means "not". There are three sources of rules:

       ·  the rules database, which applies to every user

       ·  the user's database rules, which apply to one user

       ·  the user's rules, defined by the user in the client

       You must know that there is a priority in the rules: the user cannot
       extend his privileges, but can only lower them (that is, he can only
       restrict the set of hosts he is allowed to test).

RULES DATABASE
       The rules database contains the system-wide rules, which apply to
       every user. Its syntax has been defined in the previous section.
       Example:

              accept 127.0.0.0/8
              reject 192.168.1.1/32
              reject !192.168.0.0/16
              default reject

       This allows the user to test localhost, and all the hosts on
       192.168.0.0/16, except 192.168.1.1/32.

       The rules accept the special keyword client_ip which is replaced, at
       connection time, by the IP of the user who logs in. If you want
       everyone to test his own box only, then you can do:

              accept client_ip/32
              default reject

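       The evaluator below is an added example, not openvassd's own code; it
       implements the rule format of the RULES section and the three-source
       priority described there, together with the client_ip substitution of
       this section, so that a proposed rules database can be checked against
       a list of targets before it is installed. Two details are assumptions,
       because the page does not state them: within one source the first rule
       whose address matches decides, and a source with no default line
       accepts. Under those semantics a host is allowed only if every source
       accepts it in turn, which is exactly why a client-supplied rule can
       never widen what the system database or the user's own auth/rules
       permit. The three rule sets and the addresses in the demo are
       constructed for the example.

```python
"""Evaluator for openvassd-style scan rules (added example, not openvassd
code).  Format from the man page: "keyword IP/mask", keyword in accept,
reject, default; a leading "!" negates the match; client_ip stands for the
connecting user's address; three sources (system database, user's auth/rules,
client-sent rules) where a lower-priority source can only restrict.
Assumptions: first matching rule wins within a source; no default line means
accept; a bare address means a single host."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, bool, ipaddress.IPv4Network]   # (verdict, negated, network)


def parse_rules(text: str, client_ip: Optional[str] = None) -> Tuple[List[Rule], str]:
    """Parse one rule source into (rules, default_verdict)."""
    rules: List[Rule] = []
    default = "accept"                            # assumption: no default line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # "#" comments are an assumption
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed rule: {raw!r}")
        keyword, target = parts
        if keyword == "default":
            if target not in ("accept", "reject"):
                raise ValueError(f"bad default verdict: {raw!r}")
            default = target
            continue
        if keyword not in ("accept", "reject"):
            raise ValueError(f"unknown keyword: {raw!r}")
        negated = target.startswith("!")
        if negated:
            target = target[1:]
        if target.startswith("client_ip"):        # substituted at connection time
            if client_ip is None:
                raise ValueError("client_ip used but no client address known")
            target = client_ip + target[len("client_ip"):]
        if "/" not in target:
            target += "/32"                       # assumption: bare address = host
        rules.append((keyword, negated, ipaddress.ip_network(target, strict=False)))
    return rules, default


def evaluate(rules: List[Rule], default: str, host: str) -> str:
    """Verdict of one source for one host: first match wins, else the default."""
    addr = ipaddress.ip_address(host)
    for verdict, negated, net in rules:
        if (addr in net) != negated:              # "!" flips the address test
            return verdict
    return default


def may_scan(host: str, sources: List[str], client_ip: str) -> bool:
    """Combine sources so that any one of them can veto: privileges only shrink."""
    for text in sources:
        rules, default = parse_rules(text, client_ip)
        if evaluate(rules, default, host) == "reject":
            return False
    return True


# Constructed rule sets for the demo (not from any real deployment).
SYSTEM_RULES = """
# rules database: every user is confined to 10.0.0.0/8
reject !10.0.0.0/8
default accept
"""
USER_RULES = """
# this user's auth/rules: the gateway is off limits
reject 10.0.0.1/32
default accept
"""
CLIENT_RULES = """
# rules sent from the client: tries to add 192.168.1.1, which cannot work
accept 192.168.1.1/32
accept 10.0.1.0/24
default reject
"""


def demo(client_ip: str = "10.0.1.42") -> dict:
    sources = [SYSTEM_RULES, USER_RULES, CLIENT_RULES]
    targets = ("10.0.1.5", "10.0.0.1", "10.0.2.7", "192.168.1.1")
    return {h: may_scan(h, sources, client_ip) for h in targets}


if __name__ == "__main__":
    for host, allowed in demo().items():
        print(f"{host:>12}  {'accept' if allowed else 'reject'}")
```

       In the demo only 10.0.1.5 is scannable: 10.0.0.1 is vetoed by the
       user's own rules, 10.0.2.7 by the client's default reject, and
       192.168.1.1 by the system database despite the client's accept line.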
315
317 Bear in mind that OpenVAS can be quite network intensive. Even if the
318 OpenVAS developers have taken every effort to avoid packet loss
319 (including transparently resending UDP packets, waiting for data to be
320 received in TCP connections, etc.) so bandwidth use should always be
321 closely monitored, with current server hardware, bandwidth is usually
322 the bottleneck in a OpenVAS scan. It might not became too apparent in
323 the final reports, scanners will still run, holes might be detected,
324 but you will risk to run into false negatives (i.e. OpenVAS will not
325 report a security hole that is present in a remote host)
326
327 Users might need to tune OpenVAS configuration if running the scanner
328 in low bandwidth conditions (low being 'less bandwidth that the one
329 your hardware system can produce) or otherwise will get erratic
330 results. There are several parameters that can be modified to reduce
331 network load:
332
333
334 checks_read_timeout
335 (Introduced in OpenVAS 0.99.4) The default value is set to 5
336 seconds, that can (should) be increased if network bandwidth is
337 low in the openvassd.conf or openvasrc configuration files.
338 Notice that it is recommended to increase this this value, if
339 you are running a test outside your LAN (i.e. to Internet hosts
340 through an Internet connection), to over 10 seconds.
341
342
343 max_hosts
344 Number of hosts to test at the same time (this value is set by
345 the OpenVAS GUI client or by .openvasrc) it can be as low as you
346 want it to be (obviously 1 is the minimum)
347
348
349 max_checks
350 Number of checks to test at the same time (this value is also
351 set by the OpenVAS GUI client or by .openvasrc ) it can be as
352 low as you want it to be and it will also reduce network load
353 and improve performance (obviously 1 is the minimum) Notice that
354 the OpenVAS scanner will spawn max_hosts * max_checks processes.
355
356 Other options might be using the QoS features offered by your
357 server operating system or your network to improve the bandwidth
358 use.
359
360 It is not easy to give a bandwidth estimate for a OpenVAS run,
361 you will probably need to make your own counts. However, assum‐
362 ing you test 65536 TCP ports. This will require at least a sin‐
363 gle packet per port that is at least 40 bytes large. Add 14
364 bytes for the ethernet header and you will send 65536 * (40 +
365 14) = 3670016 bytes. So for just probing all TCP ports we may
366 need a multitude of this as nmap will try to resend the packets
367 twice if no response is received.
368
369 A very rough estimate is that a full scan for UDP, TCP and RPC
370 as well as all NASL scripts may result in 8 to 32 MB worth of
371 traffic per scanned host. Reducing the amount of tested part
372 and such will reduce the amount of data to be transfered signif‐
373 icantly.
374
375
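       The calculator below is an added example, not part of this manual or
       of openvassd; it carries the estimate above through in code using the
       page's own figures (a probe of at least 40 bytes per TCP port, 14
       bytes of Ethernet framing, up to two resends of an unanswered probe,
       and 8 to 32 MB per host for a full scan). Multiplying the stated
       figures gives 65536 * 54 = 3538944 bytes for one pass over all TCP
       ports; the functions return that floor and the three-pass worst case,
       and turn a volume into a lower bound on scan time for a given link
       speed. Replies, the handshakes of checks that connect, and DNS are not
       counted, and MB is taken as 10^6 bytes; both are assumptions.

```python
"""Traffic and time estimator for an openvassd scan (added example, not
openvassd code).  Figures from the man page: 40-byte probe per TCP port,
14-byte Ethernet header, up to two resends, 8 to 32 MB per host for a full
scan.  Returns floors, not forecasts: replies and handshakes are not counted.
Assumption: 1 MB = 1_000_000 bytes."""
from typing import Tuple

PROBE_BYTES = 40           # minimum size of one TCP probe (IP + TCP headers)
ETHERNET_HEADER = 14       # framing added on the wire
MAX_RESENDS = 2            # nmap resends an unanswered probe up to twice
FULL_SCAN_MB = (8, 32)     # rough per-host range for UDP, TCP, RPC and NASL
MB = 1_000_000


def probe_traffic(ports: int, resends: int = 0) -> int:
    """Bytes sent to probe `ports` TCP ports, each probe resent `resends` times."""
    if ports < 0 or not 0 <= resends <= MAX_RESENDS:
        raise ValueError("ports must be >= 0 and resends between 0 and MAX_RESENDS")
    return ports * (1 + resends) * (PROBE_BYTES + ETHERNET_HEADER)


def port_scan_range(ports: int = 65536) -> Tuple[int, int]:
    """(best case: every port answers, worst case: every probe resent twice)."""
    return probe_traffic(ports, 0), probe_traffic(ports, MAX_RESENDS)


def scan_seconds(total_bytes: int, link_mbit: float) -> float:
    """Lower bound on wall time to push `total_bytes` over a `link_mbit` Mbit/s link."""
    if link_mbit <= 0:
        raise ValueError("link speed must be positive")
    return total_bytes * 8 / (link_mbit * 1_000_000)


def full_scan_minutes(hosts: int, link_mbit: float) -> Tuple[float, float]:
    """Time range for a full scan of `hosts` hosts at 8 to 32 MB each.
    max_hosts only changes how many hosts share the link at once, not the
    total volume, so the link-bound lower bound does not depend on it."""
    low, high = [hosts * mb * MB for mb in FULL_SCAN_MB]
    return scan_seconds(low, link_mbit) / 60, scan_seconds(high, link_mbit) / 60


if __name__ == "__main__":
    best, worst = port_scan_range()
    print(f"all TCP ports, one host: {best} to {worst} bytes")
    lo, hi = full_scan_minutes(hosts=100, link_mbit=10)
    print(f"full scan of 100 hosts on a 10 Mbit/s link: {lo:.1f} to {hi:.1f} min")
```

       If full_scan_minutes() for your host count and link already exceeds
       the scan window you have, lowering max_hosts will not help; trimming
       port_range or the plugin set is what reduces the volume.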
SEE ALSO
       openvas(1), openvas-adduser(8), openvas-rmuser(8), openvas-mkcert(8)

MORE INFORMATION
       The canonical places where you will find more information about the
       OpenVAS project are:

       http://www.openvas.org/ (Official site)
       http://wald.intevation.org/projects/openvas/ (Developers site)
       http://bugs.openvas.org (Bug Tracker)

HISTORY
       openvassd was forked from nessusd in 2005. Nessusd was written by
       Renaud Deraison <deraison@cvs.nessus.org>. Since 2005 the OpenVAS
       development team has improved and extended the tool.

The OpenVAS Project                January 2011                   OpenVASSD(8)