OpenVASSD(8)                     User Manuals                     OpenVASSD(8)

NAME
       openvassd - The Scanner of the Open Vulnerability Assessment System
       (OpenVAS)

SYNOPSIS
       openvassd [-v] [-h] [-c config-file] [-D] [-R] [-P] [-q] [-f]

DESCRIPTION
       OpenVAS is a security auditing framework made up of several modules.
       The Scanner, openvassd, is in charge of executing many security tests
       against many target hosts in a highly optimized way.

       openvassd inspects the remote hosts and attempts to list all the
       vulnerabilities and common misconfigurations that affect them. Note
       that openvassd runs in daemon mode by default (unless you specify -f
       as an option).

OPTIONS
       -c <config-file>, --config-file=<config-file>
              Use the alternate configuration file instead of
              /etc/openvas/openvassd.conf

       -f, --foreground
              Make the scanner stay in the foreground (non-daemon mode)

       -v, --version
              Write the version number and exit

       -h, --help
              Show a summary of the commands

THE CONFIGURATION FILE
       The default openvassd configuration file, /etc/openvas/openvassd.conf,
       contains these options:

       plugins_folder
              Location of the plugins folder. This is usually
              /var/lib/openvas/plugins, but you may change it.

       logfile
              Path to the log file. Enter syslog if you want the openvassd
              messages to be logged via syslogd, or stderr if you want the
              openvassd logs written to stderr. Because openvassd is a
              sensitive program, you should keep your logs.

       max_hosts
              Maximum number of hosts to test at the same time. This is the
              default handed to the client (which can override it). Compute
              this value from your bandwidth, the number of hosts you want
              to test, your amount of memory and the horsepower of your
              processor(s).

       max_checks
              Number of plugins that will run against each host being
              tested. Note that the total number of processes will be
              max_checks x max_hosts, so you need to find a balance between
              these two options. Launching too many plugins at the same time
              may disable the remote host, either temporarily (e.g. inetd
              closes its ports) or for good (the remote host crashes because
              it is asked to do too many things at the same time), so be
              careful.

       be_nice
              If this option is set to 'yes', each child forked by openvassd
              will nice(2) itself to a very low priority. This may speed up
              your scan, as the main openvassd process will be able to keep
              spawning processes, and it guarantees that openvassd does not
              deprive other important processes of their resources.

       log_whole_attack
              If this option is set to 'yes', openvassd will store the name,
              pid, date and target of each plugin launched. This is helpful
              for monitoring and debugging purposes; however, this option
              might make openvassd fill your disk rather quickly.

       log_plugins_name_at_load
              If this option is set to 'yes', openvassd will log the name of
              each plugin being loaded at startup, or each time it receives
              the HUP signal.

       dumpfile
              Some plugins might issue messages, most of the time to inform
              you that something went wrong. If you want to read these
              messages, set this value to a file name. If you want to save
              space, set this option to /dev/null.

       cgi_path
              By default, openvassd looks for CGIs in /cgi-bin and /scripts.
              You may change these to something else to reflect the policy
              of your site. The syntax of this option is the same as the
              shell $PATH variable: path1:path2:...

       port_range
              This is the default range of ports that the scanner plugins
              will probe. The syntax of this option is flexible: it can be a
              single range ("1-1500"), several ports ("21,23,80") or several
              ranges of ports ("1-1500,32000-33000"). Note that you can
              specify UDP and TCP ports by prefixing each range with T or U.
              For instance, the following range will make openvassd scan UDP
              ports 1 to 1024 and TCP ports 1 to 65535: "T:1-65535,U:1-1024".

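       The port_range syntax above is easy to get wrong in a hand-edited
       configuration file (reversed ranges, ports above 65535, a missing
       protocol prefix), and a bad value silently changes what a scan
       covers. The following parser is an added example, not code from the
       openvassd project: it accepts every form listed above and reports the
       effective TCP and UDP port sets. It assumes, beyond what the page
       states, that an item without a T:/U: prefix is TCP, that a prefix
       stays in effect for the items that follow it until another prefix
       appears, and that whitespace around commas is ignored.

```python
import re

# Added example: a parser for the openvassd port_range syntax.
# Not openvassd's own code. Assumptions not stated on the page: an item
# without a T:/U: prefix is TCP, a prefix stays in effect for the items
# that follow it until another prefix appears, and whitespace around
# commas is ignored.

PORT_MAX = 65535
_ITEM = re.compile(r"(?:([TtUu]):)?(\d+)(?:-(\d+))?")


def parse_port_range(spec):
    """Return {"T": set_of_tcp_ports, "U": set_of_udp_ports} for a port_range value.

    Accepts "1-1500", "21,23,80", "1-1500,32000-33000" and
    "T:1-65535,U:1-1024". Raises ValueError on a malformed item, a reversed
    range or a port outside 1-65535.
    """
    ports = {"T": set(), "U": set()}
    proto = "T"  # assumption: unprefixed items are TCP
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = _ITEM.fullmatch(item)
        if m is None:
            raise ValueError("malformed port_range item: %r" % item)
        if m.group(1):
            proto = m.group(1).upper()  # assumption: prefix is sticky until the next one
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 1 <= lo <= hi <= PORT_MAX:
            raise ValueError("bad port or reversed range: %r" % item)
        ports[proto].update(range(lo, hi + 1))
    return ports


def is_valid_port_range(spec):
    """True if spec parses, False otherwise (for validating a config file)."""
    try:
        parse_port_range(spec)
        return True
    except ValueError:
        return False


def to_ranges(port_set):
    """Collapse a set of ports into sorted (low, high) tuples: {1,2,3,80} -> [(1,3),(80,80)]."""
    ranges = []
    for p in sorted(port_set):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def format_port_range(ports):
    """Render a parsed port_range back in the explicit prefixed form."""
    parts = []
    for proto in ("T", "U"):
        for lo, hi in to_ranges(ports[proto]):
            parts.append("%s:%d" % (proto, lo) if lo == hi else "%s:%d-%d" % (proto, lo, hi))
    return ",".join(parts)


if __name__ == "__main__":
    for spec in ("1-1500", "21,23,80", "1-1500,32000-33000", "T:1-65535,U:1-1024", "80-20"):
        if not is_valid_port_range(spec):
            print("%-22s INVALID" % spec)
            continue
        parsed = parse_port_range(spec)
        print("%-22s TCP=%5d UDP=%5d -> %s" % (spec, len(parsed["T"]),
                                               len(parsed["U"]), format_port_range(parsed)))
```

       Running the block prints the effective port counts for each of the
       page's sample values and flags the reversed range as invalid;
       format_port_range gives a normalized form that is convenient for
       comparing two configuration files.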

       optimize_test
              By default, openvassd does not trust the remote host banners.
              This means it will check a web server claiming to be IIS for
              Apache flaws, and so on. This behavior might generate false
              positives and will slow the scan down somewhat. If you are
              sure the banners of the remote host have not been tampered
              with, you can safely enable this option, which will force the
              plugins to perform their job only against the services they
              have been designed to check.

       checks_read_timeout
              Number of seconds that the security checks will wait for when
              doing a recv(). You should increase this value if you are
              running openvassd across a slow network link (testing a host
              via a dialup connection, for instance).

       timeout_retry
              Number of retries when a socket connection attempt times out.

       time_between_request
              Some devices do not appreciate quick connection establishment
              and termination, nor quick requests. This option allows you to
              set a wait time between two actions such as opening a TCP
              socket, sending a request through the open TCP socket, and
              closing the TCP socket. This value is given in milliseconds.
              If the value is 0 (the default), this option is disabled and
              there is no wait time between requests.

       non_simult_ports
              Some services (in particular SMB) do not appreciate multiple
              connections at the same time coming from the same host. This
              option allows you to prevent openvassd from making two
              connections on the same given ports at the same time. The
              syntax of this option is "port1[, port2....]". Note that you
              can use the KB notation of openvassd to designate a service
              formally. Ex: "139, Services/www" will prevent openvassd from
              making two connections at the same time on port 139 and on
              every port which hosts a web server.

       plugins_timeout
              This is the maximum lifetime, in seconds, of a plugin. It may
              happen that some plugins are slow because of the way they are
              written or the way the remote server behaves. This option
              allows you to make sure your scan is never caught in an
              endless loop because of a non-finishing plugin. Does not
              affect ACT_SCANNER plugins.

       scanner_plugins_timeout
              Like plugins_timeout, but for ACT_SCANNER plugins.

       safe_checks
              Most of the time, openvassd attempts to reproduce an
              exceptional condition to determine if the remote services are
              vulnerable to certain flaws. This includes the reproduction of
              buffer overflows or format string bugs, which may make the
              remote server crash. If you set this option to 'yes',
              openvassd will disable the plugins which have the potential to
              crash the remote services, and will at the same time make
              several checks rely on the banner of the service tested
              instead of its behavior towards a certain input. This reduces
              false positives and makes openvassd nicer towards your
              network; however, it may make you miss important
              vulnerabilities (as a vulnerability affecting a given service
              may also affect another one).

       auto_enable_dependencies
              OpenVAS plugins use each other's results to do their job. For
              instance, a plugin which logs into the remote SMB registry
              will need the results of the plugin which finds the SMB name
              of the remote host and the results of the plugin which
              attempts to log into the remote host. If you want to select
              only a subset of the available plugins, tracking the
              dependencies can quickly become tiresome. If you set this
              option to 'yes', openvassd will automatically enable the
              plugins that are depended on.

       use_mac_addr
              Set this option to 'yes' if you are testing your local network
              and each local host has a dynamic IP address (assigned by DHCP
              or BOOTP); all the tested hosts will then be referred to by
              their MAC address.

       source_iface
              Name of the network interface that will be used as the source
              of connections established by OpenVAS. The scan won't be
              launched if the value isn't authorized according to
              (sys_)ifaces_allow / (sys_)ifaces_deny, if present.

       ifaces_allow
              Comma-separated list of interface names that are authorized as
              source_iface values.

       ifaces_deny
              Comma-separated list of interface names that are not
              authorized as source_iface values.

       sys_ifaces_allow
              Like ifaces_allow. Can't be overridden by the client.

       sys_ifaces_deny
              Like ifaces_deny. Can't be overridden by the client.

       hosts_allow
              Comma-separated list of the only targets that are authorized to
              be scanned. Supports the same syntax as the target list. Both
              the target hostnames and the addresses they resolve to are
              checked. Hostnames in the hosts_allow list are not resolved,
              however.

       hosts_deny
              Comma-separated list of targets that are not authorized to be
              scanned. Supports the same syntax as the target list. Both the
              target hostnames and the addresses they resolve to are checked.
              Hostnames in the hosts_deny list are not resolved, however.

       sys_hosts_allow
              Like hosts_allow. Can't be overridden by the client.

       sys_hosts_deny
              Like hosts_deny. Can't be overridden by the client.

       The other options in this file can usually be redefined by the client.

       On a login attempt, openvassd checks that the certificate has been
       signed by a recognized authority.

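       The four hosts_* lists above are the scanner-side guard that keeps a
       client from pointing openvassd at hosts it should never touch, and
       the interaction between the client-overridable lists and the sys_
       lists is where misconfigurations hide. The following model is an
       added example, not openvassd's own code: it applies the rules as
       documented above (a deny entry wins, a non-empty allow list restricts
       scanning to its entries, the target's hostname and its resolved
       addresses are both checked, hostnames in the lists are not resolved,
       and the sys_ lists are taken from the configuration alone so a client
       override cannot loosen them). It assumes, beyond what the page states,
       that a list entry is a hostname, a single IP address or a CIDR
       network, that an empty allow list imposes no restriction, that
       hostnames compare case-insensitively, and that the caller supplies the
       addresses the target resolves to, so no DNS lookup happens here. The
       sample configuration in the block is constructed for the example.

```python
import ipaddress

# Added example: a model of the hosts_allow / hosts_deny / sys_hosts_allow /
# sys_hosts_deny checks. Not openvassd's own code. Assumptions not stated on
# the page: a list entry is a hostname, a single IP address or a CIDR
# network; an empty allow list imposes no restriction; hostnames compare
# case-insensitively; the caller passes in the addresses a target resolves
# to, so no DNS lookup is performed here.


def parse_host_list(value):
    """Split a comma-separated list into network objects and hostname strings.

    Hostnames are kept as strings and deliberately not resolved, as the
    documentation says for hosts_allow / hosts_deny.
    """
    entries = []
    for raw in (value or "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            entries.append(raw.lower())  # not an address: treat as a hostname
    return entries


def _matches(entries, hostname, addresses):
    """True if the target's hostname or any of its addresses hits an entry."""
    for entry in entries:
        if isinstance(entry, str):
            if hostname and entry == hostname.lower():
                return True
        elif any(addr in entry for addr in addresses):
            return True
    return False


def target_permitted(hostname, resolved, config, client_overrides=None):
    """Decide whether a target may be scanned.

    config holds the four keys as found in openvassd.conf. client_overrides
    may replace hosts_allow / hosts_deny only; sys_hosts_allow and
    sys_hosts_deny always come from config, modelling "can't be overridden
    by the client".
    """
    client = client_overrides or {}
    allow = parse_host_list(client.get("hosts_allow", config.get("hosts_allow")))
    deny = parse_host_list(client.get("hosts_deny", config.get("hosts_deny")))
    sys_allow = parse_host_list(config.get("sys_hosts_allow"))
    sys_deny = parse_host_list(config.get("sys_hosts_deny"))
    addresses = [ipaddress.ip_address(a) for a in resolved]

    # Any deny entry wins; the sys_ deny list applies whatever the client sent.
    if _matches(sys_deny, hostname, addresses) or _matches(deny, hostname, addresses):
        return False
    # A non-empty allow list (system or client level) restricts scanning to its entries.
    for allow_list in (sys_allow, allow):
        if allow_list and not _matches(allow_list, hostname, addresses):
            return False
    return True


# Constructed sample configuration for this example (not from any real deployment).
SAMPLE_CONFIG = {
    "hosts_allow": "10.0.0.0/8, scanme.lab.example",
    "hosts_deny": "10.0.5.0/24",
    "sys_hosts_allow": "",
    "sys_hosts_deny": "10.0.0.1",
}

if __name__ == "__main__":
    cases = [
        ("web1.lab.example", ["10.0.1.20"], None),            # inside the allowed network
        ("db.lab.example", ["10.0.5.7"], None),               # denied subnet
        ("gw.lab.example", ["10.0.0.1"], {"hosts_deny": ""}), # client clears deny, sys_ deny still wins
        ("scanme.lab.example", ["203.0.113.9"], None),        # matched by name, not by address
        ("other.example", ["203.0.113.10"], None),            # not on the allow list
    ]
    for host, addrs, overrides in cases:
        print("%-20s %-14s -> %s" % (host, addrs[0], target_permitted(host, addrs, SAMPLE_CONFIG, overrides)))
```

       The third case is the one worth checking in your own configuration:
       a client that clears hosts_deny still cannot reach an address listed
       in sys_hosts_deny, which is why site-wide exclusions belong in the
       sys_ lists rather than in the client-overridable ones.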

NETWORK USAGE
       Bear in mind that OpenVAS can be quite network intensive. The OpenVAS
       developers have taken every effort to avoid packet loss (including
       transparently resending UDP packets, waiting for data to be received
       in TCP connections, etc.), so bandwidth use should always be closely
       monitored; with current server hardware, bandwidth is usually the
       bottleneck in an OpenVAS scan. It might not become too apparent in
       the final reports (scanners will still run and holes may be
       detected), but you risk running into false negatives (i.e. OpenVAS
       will not report a security hole that is present on a remote host).

       Users might need to tune the OpenVAS configuration when running the
       scanner in low bandwidth conditions (low meaning less bandwidth than
       the one your hardware system can produce), or they will get erratic
       results. Several parameters can be modified to reduce network load:

       checks_read_timeout
              (Introduced in OpenVAS 0.99.4) The default value is 5 seconds;
              it can (and should) be increased in the openvassd.conf or
              openvasrc configuration files if network bandwidth is low.
              Notice that it is recommended to increase this value to over
              10 seconds if you are running a test outside your LAN (i.e. to
              Internet hosts through an Internet connection).

       max_hosts
              Number of hosts to test at the same time (this value is set by
              the OpenVAS GUI client or by .openvasrc). It can be as low as
              you want it to be (obviously 1 is the minimum).

       max_checks
              Number of checks to run at the same time (this value is also
              set by the OpenVAS GUI client or by .openvasrc). It can be as
              low as you want it to be, and lowering it will also reduce
              network load and improve performance (obviously 1 is the
              minimum). Notice that the OpenVAS scanner will spawn max_hosts
              * max_checks processes.

       Other options include using the QoS features offered by your server
       operating system or your network to improve bandwidth use.

       It is not easy to give a bandwidth estimate for an OpenVAS run; you
       will probably need to make your own counts. However, assume you test
       65536 TCP ports. This requires at least a single packet per port, at
       least 40 bytes large. Add 14 bytes for the ethernet header and you
       will send 65536 * (40 + 14) = 3670016 bytes. So just probing all TCP
       ports may need a multiple of this, as nmap will try to resend the
       packets twice if no response is received.

       A very rough estimate is that a full scan for UDP, TCP and RPC as well
       as all NASL scripts may result in 8 to 32 MB worth of traffic per
       scanned host. Reducing the number of tested ports and such will
       reduce the amount of data to be transferred significantly.


SEE ALSO
       The canonical places where you will find more information about the
       OpenVAS project are:

       http://www.openvas.org/ (Official site)
       http://wald.intevation.org/projects/openvas/ (Developers site)
       http://bugs.openvas.org (Bug Tracker)


HISTORY
       openvassd was forked from nessusd in 2005. Nessusd was written by
       Renaud Deraison <deraison@cvs.nessus.org>. Since 2005 the OpenVAS
       development team has improved and extended the tool.



The OpenVAS Project               January 2011                    OpenVASSD(8)