Provided by: openvas-scanner_21.4.4-1_amd64 
NAME
openvas - The Scanner of the Greenbone Vulnerability Management
SYNOPSIS
openvas [-V] [-h] [-c config-file] [--scan-start scan-uuid] [-u] [-s] [-y]
DESCRIPTION
Greenbone Vulnerability Management (GVM) is a vulnerability auditing and management
framework made up of several modules. The OpenVAS Scanner, openvas is in charge of
executing many security tests against many target hosts in a highly optimized way.
openvas inspects the remote hosts to list all the vulnerabilities and common
misconfigurations that affects them.
It is a command line tool with parameters to update the feed of vulnerability tests and to
start a scan. The second part of the interface is the redis store where the parameters
about a scan task need to be placed and from where the results can be retrieved.
OPTIONS
-c <config-file>, --config-file=<config-file>
Use the alternate configuration file instead of /etc/openvas/openvas.conf
-V, --version
Prints the version number and exits
-h, --help
Show a summary of the commands
--scan-start=<scan-uuid>
ID for a single scan task. The scanner will start the scan with the data already
loaded in a redis KB, which will be found using the given scan-id.
--scan-stop=<scan-uuid>
ID for a single scan task. The scanner will search the redis kb associated to the
given scan_id. It takes the pid from the kb and sends the SIGUSR1 kill signal to
stop the scan.
-u, --update-vt-info
Updates VT info into redis store from VT files.
THE CONFIGURATION FILE
The default openvas configuration file, /etc/openvas/openvas.conf contains these options:
plugins_folder
Contains the location of the plugins folder. This is usually
/var/lib/openvas/plugins, but you may change this.
max_hosts
is maximum number of hosts to test at the same time which should be given to the
client (which can override it). This value must be computed given your bandwidth,
the number of hosts you want to test, your amount of memory and the horsepower of
your processor(s).
max_checks
is the number of plugins that will run against each host being tested. Note that
the total number of process will be max_checks x max_hosts so you need to find a
balance between these two options. Note that launching too many plugins at the same
time may disable the remote host, either temporarily (ie: inetd closes its ports)
or definitely (the remote host crash because it is asked to do too many things at
the same time), so be careful.
log_whole_attack
If this option is set to 'yes', openvas will store the name, pid, date and target
of each plugin launched. This is helpful for monitoring and debugging purpose,
however this option might make openvas fill your disk rather quickly.
debug_tls
This is an scanner-only option which allows you to set the TLS log level. The
level is an integer between 0 and 9. Higher values mean more verbosity and might
make openvas fill your disk rather quickly. The default value is 0 (disabled).
Larger values should only be used with care, since they may reveal sensitive
information in the scanner logs.
Use a debug level over 10 to enable all debugging options.
log_plugins_name_at_load
If this option is set to 'yes', openvas will log the name of each plugin being
loaded at startup, or each time it receives the HUP signal.
cgi_path
By default, openvas looks for default CGIs in /cgi-bin and /scripts. You may change
these to something else to reflect the policy of your site. The syntax of this
option is the same as the shell $PATH variable: path1:path2:...
port_range
This is the default range of ports that the scanner plugins will probe. The syntax
of this option is flexible, it can be a single range ("1-1500"), several ports
("21,23,80"), several ranges of ports ("1-1500,32000-33000"). Note that you can
specify UDP and TCP ports by prefixing each range by T or U. For instance, the
following range will make openvas scan UDP ports 1 to 1024 and TCP ports 1 to 65535
: "T:1-65535,U:1-1024".
test_alive_hosts_only
If this option is set to 'yes', openvas will scan the target list for alive hosts
in a separate process while only testing those hosts which are identified as alive.
This boosts the scan speed of target ranges with a high amount of dead hosts
significantly.
optimize_test
By default, optimize_test is enabled which means openvas does trust the remote host
banners and is only launching plugins against the services they have been designed
to check. For example it will check a web server claiming to be IIS only for IIS
related flaws but will skip plugins testing for Apache flaws, and so on. This
default behavior is used to optimize the scanning performance and to avoid false
positives. If you are not sure that the banners of the remote host have been
tampered with, you can disable this option.
test_empty_vhost
If set to yes, the scanner will also test the target by using empty vhost value in
addition to the target's associated vhost values.
checks_read_timeout
Number of seconds that the security checks will wait for when doing a recv(). You
should increase this value if you are running openvas across a slow network slink
(testing a host via a dialup connection for instance)
timeout_retry
Number of retries when a socket connection attempt timesout.
open_sock_max_attempts
When a port is found as opened at the beginning of the scan, and for some reason
the status changes to filtered/closed, it will not be possible to open a socket.
This is the number of unsuccessful retries to open the socket before to set the
port as closed. This avoids to launch plugins which need the opened port as a
mandatory key, therefore it avoids an overlong scan duration. If the set value is 0
or a negative value, this option is disabled. It should be take in account that one
unsuccessful attempt needs the number of retries set in "timeout_retry".
time_between_request
Some devices do not appreciate quick connection establishment and termination
neither quick request. This option allows you to set a wait time between two
actions like to open a tcp socket, to send a request through the open tcp socket,
and to close the tcp socket. This value should be given in milliseconds. If the set
value is 0 (default value), this option is disabled and there is no wait time
between requests.
expand_vhosts
Whether to expand the target host's list of vhosts with values gathered from
sources such as reverse-lookup queries and VT checks for SSL/TLS certificates.
non_simult_ports
Some services (in particular SMB) do not appreciate multiple connections at the
same time coming from the same host. This option allows you to prevent openvas to
make two connections on the same given ports at the same time. The syntax of this
option is "port1[, port2....]". Note that you can use the KB notation of openvas to
designate a service formally. Ex: "139, Services/www", will prevent openvas from
making two connections at the same time on port 139 and on every port which hosts a
web server.
allow_simultaneous_ips
If set to no, this option prevent openvas to scan more than one different IPs (e.g.
the IPv4 and IPv6 addresses) which belong to the same host at the same time.
Default, yes.
plugins_timeout
This is the maximum lifetime, in seconds of a plugin. It may happen that some
plugins are slow because of the way they are written or the way the remote server
behaves. This option allows you to make sure your scan is never caught in an
endless loop because of a non-finishing plugin. Doesn't affect ACT_SCANNER plugins.
scanner_plugins_timeout
Like plugins_timeout, but for ACT_SCANNER plugins.
safe_checks
Most of the time, openvas attempts to reproduce an exceptional condition to
determine if the remote services are vulnerable to certain flaws. This includes the
reproduction of buffer overflows or format strings, which may make the remote
server crash. If you set this option to 'yes', openvas will disable the plugins
which have the potential to crash the remote services, and will at the same time
make several checks rely on the banner of the service tested instead of its
behavior towards a certain input. This reduces false positives and makes openvas
nicer towards your network, however this may make you miss important
vulnerabilities (as a vulnerability affecting a given service may also affect
another one).
auto_enable_dependencies
OpenVAS plugins use the result of each other to execute their job. For instance, a
plugin which logs into the remote SMB registry will need the results of the plugin
which finds the SMB name of the remote host and the results of the plugin which
attempts to log into the remote host. If you want to only select a subset of the
plugins available, tracking the dependencies can quickly become tiresome. If you
set this option to 'yes', openvas will automatically enable the plugins that are
depended on.
source_iface
Name of the network interface that will be used as the source of connections
established by OpenVAS. The scan won't be launched if the value isn't authorized
according to (sys_)ifaces_allow / (sys_)ifaces_deny if present.
ifaces_allow
Comma-separated list of interfaces names that are authorized as source_iface
values.
ifaces_deny
Comma-separated list of interfaces names that are not authorized as source_iface
values.
sys_ifaces_allow
Like ifaces_allow. Can't be overridden by the client.
sys_ifaces_deny
Like ifaces_deny. Can't be overridden by the client.
hosts_allow
Comma-separated list of the only targets that are authorized to be scanned.
Supports the same syntax as the list targets. Both target hostnames and the address
to which they resolve are checked. Hostnames in hosts_allow list are not resolved
however.
hosts_deny
Comma-separated list of targets that are not authorized to be scanned. Supports the
same syntax as the list targets. Both target hostnames and the address to which
they resolve are checked. Hostnames in hosts_deny list are not resolved however.
sys_hosts_allow
Like hosts_allow. Can't be overridden by the client.
sys_hosts_deny
Like hosts_deny. Can't be overridden by the client.
max_sysload
Maximum load on the system. Once this load is reached, no further VTs are started
until the load drops below this value again.
min_free_mem
Minimum available memory (in MB) which should be kept free on the system. Once this
limit is reached, no further VTs are started until sufficient memory is available
again.
The other options in this file can usually be redefined by the client.
NETWORK USAGE
Bear in mind that OpenVAS can be quite network intensive. Even if the OpenVAS developers
have taken every effort to avoid packet loss (including transparently resending UDP
packets, waiting for data to be received in TCP connections, etc.) so bandwidth use should
always be closely monitored, with current server hardware, bandwidth is usually the
bottleneck in a OpenVAS scan. It might not became too apparent in the final reports,
scanners will still run, holes might be detected, but you will risk to run into false
negatives (i.e. OpenVAS will not report a security hole that is present in a remote host)
Users might need to tune OpenVAS configuration if running the scanner in low bandwidth
conditions (low being 'less bandwidth that the one your hardware system can produce) or
otherwise will get erratic results. There are several parameters that can be modified to
reduce network load:
checks_read_timeout
The default value is set to 5 seconds, that can (should) be increased if network
bandwidth is low in the openvas.conf or openvasrc configuration files. Notice that
it is recommended to increase this this value, if you are running a test outside
your LAN (i.e. to Internet hosts through an Internet connection), to over 10
seconds.
max_hosts
Number of hosts to test at the same time. It can be as low as you want it to be
(obviously 1 is the minimum)
max_checks
Number of checks to test at the same time it can be as low as you want it to be and
it will also reduce network load and improve performance (obviously 1 is the
minimum) Notice that OpenVAS will spawn max_hosts * max_checks processes.
drop_privileges
If this preference is set to 'yes', OpenVAS will attempt to drop its root privilege
before launching any VT and the new process owner is 'nobody'; the default value of
this preference is 'no', meaning no change in behaviour.
nasl_drop_privileges_user
If a user is set, NASL functions can use this user to drop its root privilege. The
new process owner is set only for those process calling a nasl function which
supports a drop privileges action. This preference must not be mixed with
'drop_privileges'. If 'drop_privileges' is enabled, this option should not be used,
as 'drop_privileges' sets the owner to
vendor_version
Use the alternate vendor instead of the default one during scans.
Other options might be using the QoS features offered by your server operating
system or your network to improve the bandwidth use.
It is not easy to give a bandwidth estimate for a OpenVAS run, you will probably
need to make your own counts. However, assuming you test 65536 TCP ports. This will
require at least a single packet per port that is at least 40 bytes large. Add 14
bytes for the ethernet header and you will send 65536 * (40 + 14) = 3670016 bytes.
So for just probing all TCP ports we may need a multitude of this as nmap will try
to resend the packets twice if no response is received.
A very rough estimate is that a full scan for UDP, TCP and RPC as well as all NASL
scripts may result in 8 to 32 MB worth of traffic per scanned host. Reducing the
amount of tested part and such will reduce the amount of data to be transferred
significantly.
SEE ALSO
gvmd(8), gsad(8), ospd-openvas(8), openvas-nasl(1), openvas-nasl-lint(1), greenbone-nvt-
sync(8)
MORE INFORMATION
The canonical places where you will find more information about OpenVAS are:
Community Portal ⟨https://community.greenbone.net⟩
Development Platform ⟨https://github.com/greenbone⟩
Traditional home site ⟨https://www.openvas.org⟩
AUTHORS
openvas was forked from nessusd in 2005. Nessusd was written by Renaud Deraison
<deraison@cvs.nessus.org>. Most new code since 2005 developed by Greenbone Networks GmbH.