Skip to main content

Getting Started with OpenVAS on CentOS - an open source vulnerability scanner

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. (Taken from the OpenVAS website, which is at )

This blog entry will introduce OpenVAS version 3.1, walk through installation on CentOS and is intended as a "getting started" guide. I'll also do a guide for installing on Ubuntu later.

OpenVAS is an open-source alternative to using online services like "McAfee Secure" which scan your site daily for numerous vulerabilities.  There is no claim that it is BETTER than those paid services (not likely to be the case), but it is actively maintained, so updates get pushed out often, so this should be a good choice for organizations that don't have the money for a commercial service, or if, like me, you are a DIY kind of person.

As is often the case, documentation is sparse, and is often the last thing to get done with open source projects.  This is precisely why I am documenting things here to help the other people in the world that may not have time to "figure it out."

A word of caution:  My review/documentation comes with no warranties.  I didn't write OpenVAS, I'm just trying to figure it out and document it for you.  Also, don't be a fool -- backup your server, or work in a development environment the first time you set this up.  Don't crash a production server because you cut corners.


I haven't been able to confirm whether OpenVAS actually has feature-complete software for Windows, but clearly they are predominantly supporting linux.  As such, I decided to install on one of my Linux VMs which happens to run CentOS.

The first thing to do is add the repository to yum so you can install/update packages:

wget -q -O - | sh

Once that is done, you can actually install the packages using yum like so:

yum install libopenvas3 openvas-scanner openvas-cli openvas-administrator openvas-manager greenbone-security-asssitant gsd libmicrohttpd10 libnet1 gpg greenbone-security-assistant libxslt gcc

Depending on what you installed on your server, yum will likely want to either update or install other packages due to dependancies in the openvas packages.  You should allow this.

Generate a Client and Server SSL Certificate and "om" user

OpenVAS requires that all communication happen through secure connections, so you will need to generate an SSL certificate.  They provide a utility to help:


Follow the on-screen prompts, which is a lot like generating an SSL cert for Apache.

When you are done, it generates files in a temporary location.  It will say something like this:

Your client certificates are in /tmp/openvas-mkcert-client.xxxx .

You now need to copy the important files to the right places:

cp key_om.pem /var/lib/openvas/private/CA/clientkey.pem 
cp cert_om.pem /var/lib/openvas/CA/clientcert.pem

Adding a User

The next step is to add a user to OpenVAS which you can use to configure and manage the system.

A script is included to assist with this as well (located in /usr/sbin):


Follow the on-screen prompts to create your user.  You can require authentication using a cert or a password.  I have not tried using a cert, so if you are just getting started, choose password authentication.

When asked about "User rules", you can be very restrictive or very open.  For testing purposes, I entered a default rule of "default allow" so that my user can do anything.  If I let others use the system, I would change this.  Refer to this page for more information about how to write rules:  Remember to type Control-D to finish entering rules.

It will ask you to confirm your info and then will create the account.

Advanced Configuration Options

I'm not going to go into this, but you can tweak a lot of settings for the configuration file.  The reference to some of those settings is available online here:

Setting up NVT Feeds

NVTs are "Network Vulnerability Tests", and an NVT feed is a source for NVT definitions and updates.

There is a command line utility that handles all the heavy lifting to synchronize the NVT definitions.


When you run it, you will see a ton of lines like this:

        4922 100%    7.29kB/s    0:00:00 (xfer#7447, to-check=32263/39714)

This is all normal.  Let it do it's thing.

Just run this utility periodically, or automate it with cron.  There are some docs on how to do that here:

Set Trust Level For NVTs

Run these commands to set default trust for the rules you just downloaded.

mkdir /etc/openvas/gnupg
gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

For more documentation on how to manage the trust levels in more depth, see

Side Step (sqlite)

Turns out that my CentOS5 (or RHEL 5) has sqlite 3.3.x installed, but openvas needs 3.5 or newer.  In order to not break dependencies on other software, I nabbed a new sqlite from source and compiled it like so:

tar xzvf sqlite-autoconf-xxxxxxxx.tar.gz
cd sqlite-autoconf-xxxxxxxxx
./configure --prefix=/opt/sqlite
make install
export LD_LIBRARY_PATH=/opt/sqlite/lib
i also added the export statement to /etc/profile so that it gets picked up after reboot, or next time I log in.

Start 'er up

/usr/sbin/openvassd -p 9390 -q

You can verify that it is running by typing this command:

ps -ef |grep openvas

Which will show you a running process if it is there.

Also, lets start the greenbone security assistant.  heh, i chuckled about the name too.


Now you should be able to log into the greenbone web interface at:  (note the "s" in https..)

Note:  Because you created your own certificate and CA (Certificate Authority), your browser will not automatically accept the SSL certificate you are using.  You can either pay for your own cert from a CA like Verisign or GoDaddy, or just add a security exception in your browser, which is what I did.

If you can't log in (i had problems the first time), make sure you check the logs in /var/logs/openvas.  The openvassd log said something about needing to initialize or rebuild the database, so  to do that, I ran this command:

openvasmd --sport 9390 -u --rebuild -v
and then restarted openvassd and gsad, which took care of it.

Popular posts from this blog

Making Macbook Air with 128GB SSD usable with Bootcamp

I recently got a new Macbook Air 11" (the 2012 version) and loaded it with goodies like 8GB ram and 2GHz Core i7.  What I DIDN'T upgrade was the internal SSD.  My config came with 128GB SSD and I refused to pay $300+ to upgrade it to 256GB.  Yeah I know, some call me cheap, but SSds cost $75-$150 for 240GB, so adding another 128GB for $300 seemed way too steep for me.  I figured "ok, I'm going to make 128G work!"

Here is the story of how that went...

Installing python 3.4.x on OSX El Capitan

I love "brew" package manager, but sometimes being too progressive breaks things.  I have several python apps that I maintain that get deployed to AWS using Elastic Beanstalk.  AWS eb can deploy with python 2.7 or 3.4.  Any recent 'brew install python3" will get 3.5.1. #annoying

Dell XPS M1330 + Snow Leopard Hackintosh

I have been working with a Dell XPS M1330 laptop for a few years now.  It doesn't quite match up to the newest notebooks in terms of performance, but it certainly still has some life in it.  I had previously installed OSX 10.5.x on it as an experiment, and had moderate success.  I decided to revisit this idea again to install Snow Leopard (OSX 10.6) on the Dell M1330, and keep some notes for those of you brave enough to Hackintosh your own machine...