Sign up to save your podcasts
Or
Share OpenVas/GVM: An open source vulnerability scanning and management system
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
OpenVas/GVM: An open source vulnerability scanning and management system
Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.
Vulnerability scanning is one of the foundations of standard enterprise security. An enterprise with a good security posture will have: a firewall, some type of asset mapping, a vulnerability scanner and possibly even a security team that does some type of pentesting. Keep in mind that the list above is not exhaustive, but the rudimentary outline of an enterprise with a few good security measures in place.
Vulnerability scanners, in particular, are critical for ensuring that any threats that may have made it past the firewall are picked up before they can infect and destroy entire networks.
The enterprise proprietary vulnerability scanner market is filled with competitors (such as Qualysguard or Nessus), and while some companies prefer running proprietary enterprise scanners, there are also many companies that prefer using collective intelligence and open source scanners.
One such product is ** OpenVas** (now renamed Greenbone Vulnerability Management or gvm). In this post we'll refer to OpenVas gvm interchangeably, as the old name is still used to identify the software.
What is OpenVas gvm?
** OpenVas gvm** is a fully featured vulnerability scanner, but it's also one component of the larger "Greenbone Security Manager" (gsm).
OpenVas dates back to 2009 and the project is maintained by a commercial open source company. With its focus on the enterprise market and its long history, any risks of enterprises adopting a technology that might become abandoned are greatly reduced.
Here are some notable positives of OpenVas gvm:
Has a long history (since 2009) with daily updates and over 50000 vulnerability tests.
Is backed by an enterprise software security company.
Can perform various types of authenticated unauthenticated tests.
Supports a variety of high and low level Internet and industrial protocols.
Has an internal programming language that can be used for implementing custom vulnerability tests.
Who should use it?
OpenVas gvm is useful for companies' Devops security teams. In most scenarios it would be used by people in a blue team environment.
While pentesters and people doing bug bounties can use it as well, other available tools may be preferable, geared toward their areas of expertise.
Installing OpenVas gvm
There are multiple methods for installing OpenVas gvm. We'll discuss the two most popular methods before proceeding with the installation.
*Note: It is always important to use some type of sandboxing environment when installing new software. You can opt for a virtual machine (VM), container or a remote test server.*
Compiling from source
This is probably the most complicated method for installing OpenVas gvm. If you are comfortable compiling software written in C, this shouldn't prove too challenging for you. However, we recommend not doing this because OpenVas is a large piece of software with many parts.
We've compiled software before in previous software reviews, see Masscan, but OpenVas does have two great alternatives: it's pre packaged on Kali and has a PPA for Ubuntu.
Installing on Kali Linux
Installing OpenVas on Kali requires just a few commands:
Kali runs as root, so there is no need for sudo. The second part of the setup on Kali will be similar to the Ubuntu install. We will mention at which point you can run the commands on Kali to achieve the same setup on Ubuntu.
Installing on Ubuntu 20.04
Our first discovery when attempting an install on Ubuntu was that much of the existing documentation discusses the ' OpenVas' PPA.* The problem encountered here is that OpenVas was renamed gvm (Greenbone Vulnerability Management), so we need to adjust the commands appropriately. We'll use Ubuntu 20.04 to install gvm.
First we update Ubuntu itself:
Now let's install the required package that will enable us to add the PPA.*
A prompt like the follo...
View all episodes
By SecurityTrailsNote: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.
Vulnerability scanning is one of the foundations of standard enterprise security. An enterprise with a good security posture will have: a firewall, some type of asset mapping, a vulnerability scanner and possibly even a security team that does some type of pentesting. Keep in mind that the list above is not exhaustive, but the rudimentary outline of an enterprise with a few good security measures in place.
Vulnerability scanners, in particular, are critical for ensuring that any threats that may have made it past the firewall are picked up before they can infect and destroy entire networks.
The enterprise proprietary vulnerability scanner market is filled with competitors (such as Qualysguard or Nessus), and while some companies prefer running proprietary enterprise scanners, there are also many companies that prefer using collective intelligence and open source scanners.
One such product is ** OpenVas** (now renamed Greenbone Vulnerability Management or gvm). In this post we'll refer to OpenVas gvm interchangeably, as the old name is still used to identify the software.
What is OpenVas gvm?
** OpenVas gvm** is a fully featured vulnerability scanner, but it's also one component of the larger "Greenbone Security Manager" (gsm).
OpenVas dates back to 2009 and the project is maintained by a commercial open source company. With its focus on the enterprise market and its long history, any risks of enterprises adopting a technology that might become abandoned are greatly reduced.
Here are some notable positives of OpenVas gvm:
Has a long history (since 2009) with daily updates and over 50000 vulnerability tests.
Is backed by an enterprise software security company.
Can perform various types of authenticated unauthenticated tests.
Supports a variety of high and low level Internet and industrial protocols.
Has an internal programming language that can be used for implementing custom vulnerability tests.
Who should use it?
OpenVas gvm is useful for companies' Devops security teams. In most scenarios it would be used by people in a blue team environment.
While pentesters and people doing bug bounties can use it as well, other available tools may be preferable, geared toward their areas of expertise.
Installing OpenVas gvm
There are multiple methods for installing OpenVas gvm. We'll discuss the two most popular methods before proceeding with the installation.
*Note: It is always important to use some type of sandboxing environment when installing new software. You can opt for a virtual machine (VM), container or a remote test server.*
Compiling from source
This is probably the most complicated method for installing OpenVas gvm. If you are comfortable compiling software written in C, this shouldn't prove too challenging for you. However, we recommend not doing this because OpenVas is a large piece of software with many parts.
We've compiled software before in previous software reviews, see Masscan, but OpenVas does have two great alternatives: it's pre packaged on Kali and has a PPA for Ubuntu.
Installing on Kali Linux
Installing OpenVas on Kali requires just a few commands:
Kali runs as root, so there is no need for sudo. The second part of the setup on Kali will be similar to the Ubuntu install. We will mention at which point you can run the commands on Kali to achieve the same setup on Ubuntu.
Installing on Ubuntu 20.04
Our first discovery when attempting an install on Ubuntu was that much of the existing documentation discusses the ' OpenVas' PPA.* The problem encountered here is that OpenVas was renamed gvm (Greenbone Vulnerability Management), so we need to adjust the commands appropriately. We'll use Ubuntu 20.04 to install gvm.
First we update Ubuntu itself:
Now let's install the required package that will enable us to add the PPA.*
A prompt like the follo...