OpenVAS(8)                       User Manuals                       OpenVAS(8)



NAME
       openvas - The Scanner of the Greenbone Vulnerability Management

SYNOPSIS
       openvas [-v] [-h] [-c config-file] [--scan-start scan-uuid] [-u] [-s]
       [-y]

DESCRIPTION
       Greenbone Vulnerability Management (GVM) is a vulnerability auditing
       and management framework made up of several modules. The OpenVAS
       Scanner, openvas, is in charge of executing many security tests
       against many target hosts in a highly optimized way.

       openvas inspects the remote hosts to list all the vulnerabilities and
       common misconfigurations that affect them.

       It is a command line tool with parameters to update the feed of
       vulnerability tests and to start a scan. The second part of the
       interface is the redis store, where the parameters of a scan task
       need to be placed and from where the results can be retrieved.

OPTIONS
       -c <config-file>, --config-file=<config-file>
              Use the alternate configuration file instead of
              /etc/openvas/openvas.conf

       -v, --version
              Prints the version number and exits

       -h, --help
              Show a summary of the commands

       --scan-start=<scan-uuid>
              ID for a single scan task. The scanner will start the scan with
              the data already loaded in a redis KB, which will be found using
              the given scan-id.

       --scan-stop=<scan-uuid>
              ID for a single scan task. The scanner will search the redis KB
              associated with the given scan_id. It takes the pid from the KB
              and sends the SIGUSR2 signal to stop the scan.

       -u, --update-vt-info
              Updates VT info in the redis store from the VT files.

THE CONFIGURATION FILE
       The default openvas configuration file, /etc/openvas/openvas.conf,
       contains these options:

       plugins_folder
              Contains the location of the plugins folder. This is usually
              /var/lib/openvas/plugins, but you may change this.

       max_hosts
              The maximum number of hosts to test at the same time, which
              should be given to the client (which can override it). This
              value must be computed given your bandwidth, the number of
              hosts you want to test, your amount of memory and the
              horsepower of your processor(s).

       max_checks
              The number of plugins that will run against each host being
              tested. Note that the total number of processes will be
              max_checks x max_hosts, so you need to find a balance between
              these two options. Note that launching too many plugins at the
              same time may disable the remote host, either temporarily
              (i.e. inetd closes its ports) or definitely (the remote host
              crashes because it is asked to do too many things at the same
              time), so be careful.

       log_whole_attack
              If this option is set to 'yes', openvas will store the name,
              pid, date and target of each plugin launched. This is helpful
              for monitoring and debugging purposes; however, this option
              might make openvas fill your disk rather quickly.

       log_plugins_name_at_load
              If this option is set to 'yes', openvas will log the name of
              each plugin being loaded at startup, or each time it receives
              the HUP signal.

       cgi_path
              By default, openvas looks for default CGIs in /cgi-bin and
              /scripts. You may change these to something else to reflect
              the policy of your site. The syntax of this option is the same
              as the shell $PATH variable: path1:path2:...

       port_range
              This is the default range of ports that the scanner plugins
              will probe. The syntax of this option is flexible: it can be a
              single range ("1-1500"), several ports ("21,23,80") or several
              ranges of ports ("1-1500,32000-33000"). Note that you can
              specify UDP and TCP ports by prefixing each range with T or U.
              For instance, the following range will make openvas scan UDP
              ports 1 to 1024 and TCP ports 1 to 65535: "T:1-65535,U:1-1024".

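       The port_range grammar is compact but easy to get wrong when you
       generate it from a script, so a small validating parser is useful
       before a value is written into openvas.conf. The following Python
       program is an added example, not code from openvas or from this
       manual. It assumes, beyond what the manual states, that a "T:" or
       "U:" prefix applies to every item that follows it until the next
       prefix, that items before any prefix are TCP, and that valid ports
       are 1 to 65535; the collapse() helper that renders a port set back
       into the compact form is likewise an addition.

```python
import re
from typing import Dict, Set

# Added example, not openvas code: a parser for the port_range syntax
# described in the manual. Assumptions (not stated there): a "T:" or "U:"
# prefix applies to every following item until another prefix appears,
# items before any prefix are TCP, and valid ports are 1..65535.
PORT_MIN, PORT_MAX = 1, 65535
_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_port_range(spec: str) -> Dict[str, Set[int]]:
    """Expand a port_range string into {'tcp': {...}, 'udp': {...}}."""
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"  # unprefixed items default to TCP (assumption)
    for raw in spec.split(","):
        item = raw.strip()
        if ":" in item:
            prefix, item = (part.strip() for part in item.split(":", 1))
            if prefix.upper() == "T":
                proto = "tcp"
            elif prefix.upper() == "U":
                proto = "udp"
            else:
                raise ValueError(f"unknown protocol prefix {prefix!r}")
        if not item:
            continue  # bare prefix such as "T:" or an empty item
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError(f"malformed port item {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"port range out of bounds: {item}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def collapse(ports: Set[int]) -> str:
    """Render a port set back into the compact 'a-b,c' form of port_range."""
    pieces = []
    start = prev = None
    for p in sorted(ports):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            pieces.append(f"{start}-{prev}" if prev != start else str(start))
            start = prev = p
    if start is not None:
        pieces.append(f"{start}-{prev}" if prev != start else str(start))
    return ",".join(pieces)


if __name__ == "__main__":
    # The four forms given in the manual, parsed and rendered back.
    for spec in ("1-1500", "21,23,80", "1-1500,32000-33000", "T:1-65535,U:1-1024"):
        parsed = parse_port_range(spec)
        print(f"{spec!r}: tcp={collapse(parsed['tcp']) or '-'} "
              f"udp={collapse(parsed['udp']) or '-'}")
```

       Rejecting a malformed value here is cheaper than discovering it from
       a scan that silently probed fewer ports than intended.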
117
118 optimize_test
119 By default, openvas does not trust the remote host banners. It
120 means that it will check a webserver claiming to be IIS for
121 Apache flaws, and so on. This behavior might generate false pos‐
122 itive and will slow the scan down somehow. If you are sure the
123 banners of the remote host have not been tampered with, you can
124 safely enable this option, which will force the plugins to per‐
125 form their job only against the services they have been designed
126 to check.
127
128
129 test_empty_vhost
130 If set to yes, the scanner will also test the target by using
131 empty vhost value in addition to the target's associated vhost
132 values.
133
134
135 checks_read_timeout
136 Number of seconds that the security checks will wait for when
137 doing a recv(). You should increase this value if you are run‐
138 ning openvas across a slow network slink (testing a host via a
139 dialup connection for instance)
140
141
142 timeout_retry
143 Number of retries when a socket connection attempt timesout.
144
145
146 open_sock_max_attempts
147 When a port is found as opened at the beginning of the scan,
148 and for some reason the status changes to filtered/closed, it
149 will not be possible to open a socket. This is the number of
150 unsuccessful retries to open the socket before to set the port
151 as closed. This avoids to launch plugins which need the opened
152 port as a mandatory key, therefore it avoids an overlong scan
153 duration. If the set value is 0 or a negative value, this option
154 is disabled. It should be take in account that one unsuccessful
155 attempt needs the number of retries set in "timeout_retry".
156
157
158 time_between_request
159 Some devices do not appreciate quick connection establishment
160 and termination neither quick request. This option allows you to
161 set a wait time between two actions like to open a tcp socket,
162 to send a request through the open tcp socket, and to close the
163 tcp socket. This value should be given in milliseconds. If the
164 set value is 0 (default value), this option is disabled and
165 there is no wait time between requests.
166
167
168 expand_vhosts
169 Whether to expand the target host's list of vhosts with values
170 gathered from sources such as reverse-lookup queries and VT
171 checks for SSL/TLS certificates.
172
173
       non_simult_ports
              Some services (in particular SMB) do not appreciate multiple
              connections at the same time coming from the same host. This
              option allows you to prevent openvas from making two
              connections on the same given ports at the same time. The
              syntax of this option is "port1[, port2....]". Note that you
              can use the KB notation of openvas to designate a service
              formally. Ex: "139, Services/www" will prevent openvas from
              making two connections at the same time on port 139 and on
              every port which hosts a web server.

       plugins_timeout
              This is the maximum lifetime, in seconds, of a plugin. It may
              happen that some plugins are slow because of the way they are
              written or the way the remote server behaves. This option
              allows you to make sure your scan is never caught in an endless
              loop because of a non-finishing plugin. Doesn't affect
              ACT_SCANNER plugins.

       scanner_plugins_timeout
              Like plugins_timeout, but for ACT_SCANNER plugins.

       safe_checks
              Most of the time, openvas attempts to reproduce an exceptional
              condition to determine if the remote services are vulnerable to
              certain flaws. This includes the reproduction of buffer
              overflows or format strings, which may make the remote server
              crash. If you set this option to 'yes', openvas will disable
              the plugins which have the potential to crash the remote
              services, and will at the same time make several checks rely
              on the banner of the service tested instead of its behavior
              towards a certain input. This reduces false positives and makes
              openvas nicer towards your network; however, this may make you
              miss important vulnerabilities (as a vulnerability affecting a
              given service may also affect another one).

       auto_enable_dependencies
              OpenVAS plugins use the results of each other to execute their
              job. For instance, a plugin which logs into the remote SMB
              registry will need the results of the plugin which finds the
              SMB name of the remote host and the results of the plugin which
              attempts to log into the remote host. If you want to only
              select a subset of the plugins available, tracking the
              dependencies can quickly become tiresome. If you set this
              option to 'yes', openvas will automatically enable the plugins
              that are depended on.

       source_iface
              Name of the network interface that will be used as the source
              of connections established by OpenVAS. The scan won't be
              launched if the value isn't authorized according to
              (sys_)ifaces_allow / (sys_)ifaces_deny, if present.

       ifaces_allow
              Comma-separated list of interface names that are authorized as
              source_iface values.

       ifaces_deny
              Comma-separated list of interface names that are not
              authorized as source_iface values.

       sys_ifaces_allow
              Like ifaces_allow. Can't be overridden by the client.

       sys_ifaces_deny
              Like ifaces_deny. Can't be overridden by the client.

       hosts_allow
              Comma-separated list of the only targets that are authorized
              to be scanned. Supports the same syntax as the target list.
              Both target hostnames and the addresses to which they resolve
              are checked. Hostnames in the hosts_allow list are not
              resolved, however.

       hosts_deny
              Comma-separated list of targets that are not authorized to be
              scanned. Supports the same syntax as the target list. Both
              target hostnames and the addresses to which they resolve are
              checked. Hostnames in the hosts_deny list are not resolved,
              however.

       sys_hosts_allow
              Like hosts_allow. Can't be overridden by the client.

       sys_hosts_deny
              Like hosts_deny. Can't be overridden by the client.

       The other options in this file can usually be redefined by the
       client.

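       The hosts_allow / hosts_deny pair (and their sys_ counterparts that
       the client cannot override) are the scanner-side guard against a
       client requesting targets outside the scope it is meant to cover.
       The Python program below is an added example, not code from openvas
       or from this manual; it models the rules stated above (both the
       target hostname and its resolved address are checked, list entries
       are never resolved) so that an operator can test a policy before
       deploying it. It assumes, beyond what the manual says, that a list
       entry is an IP address, a CIDR block or a hostname, that a deny match
       wins over any allow match, and that an empty allow list allows every
       target. The resolved address is passed in by the caller so the check
       runs offline; the hostnames and addresses in the demo are
       constructed sample data.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Added example, not openvas code: a model of the hosts_allow / hosts_deny /
# sys_hosts_allow / sys_hosts_deny checks described in the manual. Both the
# target hostname and the address it resolves to are checked, and hostnames
# in the lists themselves are never resolved. Assumptions (not in the
# manual): an entry is an IP address, a CIDR block or a hostname; a deny
# match wins over any allow match; an empty allow list allows everything.


def parse_host_list(spec: str) -> Tuple[List, Set[str]]:
    """Split a comma-separated list into network objects and bare hostnames."""
    nets, names = [], set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            names.add(item.lower())  # hostname entry: kept as text, never resolved
    return nets, names


def _matches(target: str, resolved: Optional[str], nets, names) -> bool:
    """True if the target name or its resolved address hits the list."""
    if target.lower() in names:
        return True
    addrs = []
    for candidate in (target, resolved):
        if candidate is None:
            continue
        try:
            addrs.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # a hostname, not an address
    # ip_network containment is False across IPv4/IPv6, so mixing is safe.
    return any(addr in net for addr in addrs for net in nets)


def target_authorized(target: str, resolved: Optional[str],
                      hosts_allow: str = "", hosts_deny: str = "",
                      sys_hosts_allow: str = "", sys_hosts_deny: str = "") -> bool:
    """Decide whether `target` may be scanned under the four host lists.

    `resolved` is the address the caller looked up for `target` (the result
    of socket.gethostbyname in real use); taking it as a parameter keeps the
    policy check itself offline and deterministic.
    """
    for spec in (sys_hosts_deny, hosts_deny):
        if _matches(target, resolved, *parse_host_list(spec)):
            return False
    for spec in (sys_hosts_allow, hosts_allow):
        nets, names = parse_host_list(spec)
        if (nets or names) and not _matches(target, resolved, nets, names):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: scanning is pinned to two ranges, one name is
    # blacklisted system-wide, and a client submits three targets.
    policy = dict(hosts_allow="192.0.2.0/24, 10.0.0.0/8",
                  sys_hosts_deny="db1.example")
    for name, addr in (("web1.example", "192.0.2.10"),
                       ("db1.example", "192.0.2.11"),
                       ("outside.example", "198.51.100.7")):
        verdict = "allowed" if target_authorized(name, addr, **policy) else "denied"
        print(f"{name} ({addr}): {verdict}")
```

       Because sys_hosts_allow and sys_hosts_deny cannot be redefined by the
       client, they are the lists to set in the scanner's own openvas.conf
       when the scope must hold regardless of what a client sends.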
273
274
NETWORK USAGE
       Bear in mind that OpenVAS can be quite network intensive. Even though
       the OpenVAS developers have taken every effort to avoid packet loss
       (including transparently resending UDP packets, waiting for data to
       be received in TCP connections, etc.), bandwidth use should always be
       closely monitored: with current server hardware, bandwidth is usually
       the bottleneck in an OpenVAS scan. It might not become too apparent
       in the final reports (scanners will still run, holes might be
       detected), but you will risk running into false negatives (i.e.
       OpenVAS will not report a security hole that is present on a remote
       host).

       Users might need to tune the OpenVAS configuration if running the
       scanner in low bandwidth conditions (low being 'less bandwidth than
       the one your hardware system can produce'), or otherwise will get
       erratic results. There are several parameters that can be modified to
       reduce network load:

       checks_read_timeout
              The default value is set to 5 seconds. This can (should) be
              increased in the openvas.conf or openvasrc configuration files
              if network bandwidth is low. Notice that it is recommended to
              increase this value to over 10 seconds if you are running a
              test outside your LAN (i.e. to Internet hosts through an
              Internet connection).

       max_hosts
              Number of hosts to test at the same time. It can be as low as
              you want it to be (obviously 1 is the minimum).

       max_checks
              Number of checks to test at the same time. It can be as low as
              you want it to be, and lowering it will also reduce network
              load and improve performance (obviously 1 is the minimum).
              Notice that OpenVAS will spawn max_hosts * max_checks
              processes.

       vendor_version
              Use the alternate vendor instead of the default one during
              scans.

       Other options might be using the QoS features offered by your server
       operating system or your network to improve the bandwidth use.

       It is not easy to give a bandwidth estimate for an OpenVAS run; you
       will probably need to make your own counts. However, assume you test
       65536 TCP ports. This will require at least a single packet per port
       that is at least 40 bytes large. Add 14 bytes for the ethernet header
       and you will send 65536 * (40 + 14) = 3670016 bytes. So for just
       probing all TCP ports we may need a multiple of this, as nmap will
       try to resend the packets twice if no response is received.

       A very rough estimate is that a full scan for UDP, TCP and RPC as
       well as all NASL scripts may result in 8 to 32 MB worth of traffic
       per scanned host. Reducing the amount of tested ports and such will
       reduce the amount of data to be transferred significantly.

SEE ALSO
       The canonical places where you will find more information about
       OpenVAS are:

       https://community.greenbone.net (Community site)
       https://github.com/greenbone/ (Development site)
       https://www.openvas.org/ (Traditional home site)

AUTHORS
       openvas was forked from nessusd in 2005. Nessusd was written by Renaud
       Deraison <deraison@cvs.nessus.org>. Most new code since 2005 was
       developed by Greenbone Networks GmbH.



Greenbone Vulnerability Management    June 2019                     OpenVAS(8)