OpenVAS(8)                       User Manuals                       OpenVAS(8)

NAME

       openvas - The Scanner of the Greenbone Vulnerability Management

SYNOPSIS

       openvas [-v] [-h] [-c config-file] [--scan-start scan-uuid] [-u] [-s]
       [-y]

DESCRIPTION

       Greenbone Vulnerability Management (GVM) is a vulnerability auditing
       and management framework made up of several modules. The OpenVAS
       Scanner, openvas, is in charge of executing many security tests against
       many target hosts in a highly optimized way.

       openvas inspects the remote hosts to list all the vulnerabilities and
       common misconfigurations that affect them.

       It is a command line tool with parameters to update the feed of
       vulnerability tests and to start a scan. The second part of the
       interface is the redis store, where the parameters of a scan task need
       to be placed and from where the results can be retrieved.

OPTIONS

       -c <config-file>, --config-file=<config-file>
              Use the alternate configuration file instead of
              /etc/openvas/openvas.conf

       -v, --version
              Prints the version number and exits

       -h, --help
              Show a summary of the commands

       --scan-start=<scan-uuid>
              ID for a single scan task. The scanner will start the scan with
              the data already loaded in a redis KB, which will be found using
              the given scan-id.

       --scan-stop=<scan-uuid>
              ID for a single scan task. The scanner will search the redis kb
              associated to the given scan_id. It takes the pid from the kb
              and sends the SIGUSR2 kill signal to stop the scan.

       -u, --update-vt-info
              Updates VT info into redis store from VT files.

THE CONFIGURATION FILE

       The default openvas configuration file, /etc/openvas/openvas.conf,
       contains these options:

       plugins_folder
              Contains the location of the plugins folder. This is usually
              /var/lib/openvas/plugins, but you may change this.

       max_hosts
              The maximum number of hosts to test at the same time, which
              should be given to the client (which can override it). This
              value must be computed given your bandwidth, the number of hosts
              you want to test, your amount of memory and the horsepower of
              your processor(s).

       max_checks
              The number of plugins that will run against each host being
              tested. Note that the total number of processes will be
              max_checks x max_hosts, so you need to find a balance between
              these two options. Note that launching too many plugins at the
              same time may disable the remote host, either temporarily (e.g.
              inetd closes its ports) or permanently (the remote host crashes
              because it is asked to do too many things at the same time), so
              be careful.

       log_whole_attack
              If this option is set to 'yes', openvas will store the name,
              pid, date and target of each plugin launched. This is helpful
              for monitoring and debugging purposes; however, this option
              might make openvas fill your disk rather quickly.

       log_plugins_name_at_load
              If this option is set to 'yes', openvas will log the name of
              each plugin being loaded at startup, or each time it receives
              the HUP signal.

       cgi_path
              By default, openvas looks for default CGIs in /cgi-bin and
              /scripts. You may change these to something else to reflect the
              policy of your site. The syntax of this option is the same as
              the shell $PATH variable: path1:path2:...

       port_range
              This is the default range of ports that the scanner plugins will
              probe. The syntax of this option is flexible: it can be a single
              range ("1-1500"), several ports ("21,23,80"), or several ranges
              of ports ("1-1500,32000-33000"). Note that you can specify UDP
              and TCP ports by prefixing each range by T or U. For instance,
              the following range will make openvas scan UDP ports 1 to 1024
              and TCP ports 1 to 65535: "T:1-65535,U:1-1024".

       optimize_test
              By default, openvas does not trust the remote host banners. It
              means that it will check a webserver claiming to be IIS for
              Apache flaws, and so on. This behavior might generate false
              positives and will slow the scan down somewhat. If you are sure
              the banners of the remote host have not been tampered with, you
              can safely enable this option, which will force the plugins to
              perform their job only against the services they have been
              designed to check.

       test_empty_vhost
              If set to yes, the scanner will also test the target by using
              an empty vhost value in addition to the target's associated
              vhost values.

       checks_read_timeout
              Number of seconds that the security checks will wait for when
              doing a recv(). You should increase this value if you are
              running openvas across a slow network link (testing a host via
              a dialup connection, for instance).

       timeout_retry
              Number of retries when a socket connection attempt times out.

       open_sock_max_attempts
              When a port is found as opened at the beginning of the scan,
              and for some reason the status changes to filtered/closed, it
              will not be possible to open a socket. This is the number of
              unsuccessful retries to open the socket before the port is set
              as closed. This avoids launching plugins which need the opened
              port as a mandatory key, and therefore avoids an overlong scan
              duration. If the set value is 0 or a negative value, this option
              is disabled. It should be taken into account that one
              unsuccessful attempt needs the number of retries set in
              "timeout_retry".

       time_between_request
              Some devices do not appreciate quick connection establishment
              and termination, or quick requests. This option allows you to
              set a wait time between two actions such as opening a tcp
              socket, sending a request through the open tcp socket, and
              closing the tcp socket. This value should be given in
              milliseconds. If the set value is 0 (default value), this option
              is disabled and there is no wait time between requests.

       expand_vhosts
              Whether to expand the target host's list of vhosts with values
              gathered from sources such as reverse-lookup queries and VT
              checks for SSL/TLS certificates.

       non_simult_ports
              Some services (in particular SMB) do not appreciate multiple
              connections at the same time coming from the same host. This
              option allows you to prevent openvas from making two connections
              on the same given ports at the same time. The syntax of this
              option is "port1[, port2....]". Note that you can use the KB
              notation of openvas to designate a service formally. Ex: "139,
              Services/www" will prevent openvas from making two connections
              at the same time on port 139 and on every port which hosts a web
              server.

       plugins_timeout
              This is the maximum lifetime, in seconds, of a plugin. It may
              happen that some plugins are slow because of the way they are
              written or the way the remote server behaves. This option allows
              you to make sure your scan is never caught in an endless loop
              because of a non-finishing plugin. Doesn't affect ACT_SCANNER
              plugins.

       scanner_plugins_timeout
              Like plugins_timeout, but for ACT_SCANNER plugins.

       safe_checks
              Most of the time, openvas attempts to reproduce an exceptional
              condition to determine if the remote services are vulnerable to
              certain flaws. This includes the reproduction of buffer
              overflows or format strings, which may make the remote server
              crash. If you set this option to 'yes', openvas will disable the
              plugins which have the potential to crash the remote services,
              and will at the same time make several checks rely on the banner
              of the service tested instead of its behavior towards a certain
              input. This reduces false positives and makes openvas nicer
              towards your network; however, this may make you miss important
              vulnerabilities (as a vulnerability affecting a given service
              may also affect another one).

       auto_enable_dependencies
              OpenVAS plugins use the results of each other to execute their
              job. For instance, a plugin which logs into the remote SMB
              registry will need the results of the plugin which finds the SMB
              name of the remote host and the results of the plugin which
              attempts to log into the remote host. If you want to only select
              a subset of the plugins available, tracking the dependencies can
              quickly become tiresome. If you set this option to 'yes',
              openvas will automatically enable the plugins that are depended
              on.

       source_iface
              Name of the network interface that will be used as the source of
              connections established by OpenVAS. The scan won't be launched
              if the value isn't authorized according to (sys_)ifaces_allow /
              (sys_)ifaces_deny if present.

       ifaces_allow
              Comma-separated list of interface names that are authorized as
              source_iface values.

       ifaces_deny
              Comma-separated list of interface names that are not authorized
              as source_iface values.

       sys_ifaces_allow
              Like ifaces_allow. Can't be overridden by the client.

       sys_ifaces_deny
              Like ifaces_deny. Can't be overridden by the client.

       hosts_allow
              Comma-separated list of the only targets that are authorized to
              be scanned. Supports the same syntax as the list of targets.
              Both target hostnames and the addresses to which they resolve
              are checked. Hostnames in the hosts_allow list are not resolved,
              however.

       hosts_deny
              Comma-separated list of targets that are not authorized to be
              scanned. Supports the same syntax as the list of targets. Both
              target hostnames and the addresses to which they resolve are
              checked. Hostnames in the hosts_deny list are not resolved,
              however.

       sys_hosts_allow
              Like hosts_allow. Can't be overridden by the client.

       sys_hosts_deny
              Like hosts_deny. Can't be overridden by the client.

       The other options in this file can usually be redefined by the client.
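
The port_range syntax described above, as an added example in Python (not OpenVAS code): a parser that validates a value and counts the distinct ports it covers per protocol. It assumes that entries without a prefix are TCP and that a T: or U: prefix stays in effect until the next prefix; the function names are hypothetical.

```python
# Added example: parser for the port_range syntax described on this page.
# Assumptions (not stated on the page): entries without a prefix are TCP,
# and a T:/U: prefix stays in effect until the next prefix appears.


def parse_port_range(spec):
    """Return {'tcp': [(lo, hi), ...], 'udp': [...]} with merged ranges."""
    result = {"tcp": [], "udp": []}
    proto = "tcp"
    for raw in spec.split(","):
        item = raw.strip()
        # Consume an optional protocol prefix.
        if item.startswith("T:"):
            proto, item = "tcp", item[2:].strip()
        elif item.startswith("U:"):
            proto, item = "udp", item[2:].strip()
        lo_text, sep, hi_text = (part.strip() for part in item.partition("-"))
        if not lo_text.isdigit() or (sep and not hi_text.isdigit()):
            raise ValueError(f"not a port or range: {raw!r}")
        lo = int(lo_text)
        hi = int(hi_text) if sep else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of bounds or reversed: {raw!r}")
        result[proto].append((lo, hi))
    return {p: _merge(r) for p, r in result.items()}


def _merge(ranges):
    """Merge overlapping or adjacent ranges so each port is counted once."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def port_count(spec):
    """Number of distinct ports per protocol that the value covers."""
    parsed = parse_port_range(spec)
    return {p: sum(hi - lo + 1 for lo, hi in r) for p, r in parsed.items()}
```

Running port_count on a value before it goes into openvas.conf shows how many probes per host the setting implies, which feeds directly into the bandwidth considerations of this manual.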

NETWORK USAGE

       Bear in mind that OpenVAS can be quite network intensive. Although the
       OpenVAS developers have made every effort to avoid packet loss
       (including transparently resending UDP packets, waiting for data to be
       received in TCP connections, etc.), bandwidth use should always be
       closely monitored: with current server hardware, bandwidth is usually
       the bottleneck in an OpenVAS scan. This might not become apparent in
       the final reports: scanners will still run and holes might be detected,
       but you risk running into false negatives (i.e. OpenVAS will not
       report a security hole that is present in a remote host).

       Users might need to tune the OpenVAS configuration if running the
       scanner in low bandwidth conditions (low meaning less bandwidth than
       your hardware system can produce), or they will otherwise get erratic
       results. There are several parameters that can be modified to reduce
       network load:

       checks_read_timeout
              The default value is set to 5 seconds; it can (and should) be
              increased if network bandwidth is low, in the openvas.conf or
              openvasrc configuration files. Notice that it is recommended to
              increase this value to over 10 seconds if you are running a test
              outside your LAN (i.e. to Internet hosts through an Internet
              connection).

       max_hosts
              Number of hosts to test at the same time. It can be as low as
              you want it to be (obviously 1 is the minimum).

       max_checks
              Number of checks to test at the same time. It can be as low as
              you want it to be, and lowering it will also reduce network load
              and improve performance (obviously 1 is the minimum). Notice
              that OpenVAS will spawn max_hosts * max_checks processes.

       vendor_version
              Use the alternate vendor instead of the default one during
              scans.

       Another option might be to use the QoS features offered by your server
       operating system or your network to improve the bandwidth use.

       It is not easy to give a bandwidth estimate for an OpenVAS run; you
       will probably need to make your own counts. However, assume you test
       65536 TCP ports. This will require at least a single packet per port
       that is at least 40 bytes large. Add 14 bytes for the ethernet header
       and you will send 65536 * (40 + 14) = 3670016 bytes. So for just
       probing all TCP ports we may need a multiple of this, as nmap will try
       to resend the packets twice if no response is received.

       A very rough estimate is that a full scan for UDP, TCP and RPC as well
       as all NASL scripts may result in 8 to 32 MB worth of traffic per
       scanned host. Reducing the parts tested and such will reduce the
       amount of data to be transferred significantly.
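
An added example, not part of OpenVAS: a Python review of a configuration file against the option descriptions and tuning advice in this manual. It assumes one "key = value" pair per line with '#' comments; SAMPLE_CONF and the function names are constructed for illustration.

```python
# Added example, not OpenVAS code. Assumption: openvas.conf holds one
# "key = value" pair per line and '#' starts a comment.
SAMPLE_CONF = """\
# constructed sample configuration
max_hosts = 30
max_checks = 10
safe_checks = no
log_whole_attack = yes
hosts_allow = 192.0.2.10
checks_read_timeout = 5
"""


def load_conf(text):
    """Parse 'key = value' lines into a dict, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def review(conf, outside_lan=False):
    """Return (option, finding) pairs based on the man page's descriptions."""
    findings = []
    # Only the sys_ variants are documented as not overridable by the client.
    for kind in ("hosts", "ifaces"):
        for suffix in ("allow", "deny"):
            name = f"{kind}_{suffix}"
            if name in conf and f"sys_{name}" not in conf:
                findings.append((name, f"client may redefine it; use sys_{name}"))
    if conf.get("safe_checks") == "no":
        findings.append(("safe_checks", "plugins that may crash services are enabled"))
    if conf.get("log_whole_attack") == "yes":
        findings.append(("log_whole_attack", "per-plugin logging may fill the disk"))
    # 5 seconds is the default stated in this manual.
    if outside_lan and int(conf.get("checks_read_timeout", 5)) <= 10:
        findings.append(("checks_read_timeout", "raise above 10 seconds outside the LAN"))
    if "max_hosts" in conf and "max_checks" in conf:
        total = int(conf["max_hosts"]) * int(conf["max_checks"])
        findings.append(("max_checks", f"up to {total} plugin processes at once"))
    return findings
```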

MORE INFORMATION ABOUT Greenbone Vulnerability Management

       The canonical places where you will find more information about OpenVAS
       are:

              https://community.greenbone.net (Community site)
              https://github.com/greenbone/ (Development site)
              https://www.openvas.org/ (Traditional home site)

AUTHORS

       openvas was forked from nessusd in 2005. Nessusd was written by Renaud
       Deraison <deraison@cvs.nessus.org>. Most new code since 2005 was
       developed by Greenbone Networks GmbH.

Greenbone Vulnerability Management June 2019                        OpenVAS(8)