ospd-openvas

SYNOPSIS

ospd-openvas [-v] [-h] [-c config-file] [--log-file log-file]

Greenbone Vulnerability Management (GVM) is a vulnerability auditing and management framework made up of several modules. The OSPD OpenVAS Wrapper, ospd-openvas is in charge of the communication between the scanner OpenVAS and the clients (GVMd and gvm-tools).

ospd-openvas inspects the remote hosts to list all the vulnerabilities and common misconfigurations that affects them.

It is a command line tool with parameters to start a daemon which keeps waiting for instructions to update the feed of vulnerability tests and
to start a scan. The second part of the interface is the redis store where the parameters about a scan task need to be placed and from where the results can be retrieved, being the unique communication channel between OSPD-OpenVAS and OpenVAS.

OPTIONS

-s <config-file>, --config-file <config-file>: Use the alternate configuration file instead of ~/.config/ospd.conf
--log-config <log-config-path>: Log configuration file path. Default: ~/.config/ospd-logging.conf
--version: Print the version number and exit
-h, --help: Show a summary of the commands
-p PORT, --port PORT: TCP Port to listen on. Default: 0
-b ADDRESS, --bind-address ADDRESS: Address to listen on. Default: 0.0.0.0
-u UNIX_SOCKET, --unix-socket UNIX_SOCKET: Unix file socket to listen on. Default: /var/run/ospd/ospd.sock
-m SOCKET_MODE, --socket-mode SOCKET_MODE: Unix file socket mode. Default: 0o770
--pid-file PID_FILE: Location of the file for the process ID. Default: /var/run/ospd.pid
--lock-file-dir LOCK_FILE_DIR: Directory where the feed lock file is placed. Default: /var/run/ospd
-k KEY_FILE, --key-file KEY_FILE: Server key file. Default: /usr/var/lib/gvm/private/CA/serverkey.pem
-c CERT_FILE, --cert-file CERT_FILE: Server cert file. Default: /usr/var/lib/gvm/CA/servercert.pem
--ca-file CA_FILE: CA cert file. Default: /usr/var/lib/gvm/CA/cacert.pem
-L LOG_LEVEL, --log-level LOG_LEVEL: Desired level of logging. Default: WARNING
-f, --foreground: Run in foreground and log all messages to console.
-l LOG_FILE, --log-file LOG_FILE: Path to the logging file.
-t TIMEOUT, --stream-timeout TIMEOUT: Set a timeout on socket operations. Default 10 seconds
--niceness NICENESS: Start the scan with the given niceness. Default 10
--mqtt-broker-address ADDRESS: Broker address to connect to for MQTT communication. Neccessary to get results from Notus-Scanner. Default: localhost
--mqtt-broker-port PORT: Broker port to connect to for MQTT communication. Neccessary to get results from Notus-Scanner. Default: 1883
--mqtt-broker-username USERNAME: Username to connect to MQTT broker for MQTT communication.
--mqtt-broker-password PASSWORD: Password to connect to MQTT broker for MQTT communication.
--scaninfo-store-time TIME: Time in hours a scan is stored before being considered forgotten and being delete from the scan table. Default 0, disabled.
--max-scans VALUE: Max. amount of parallel task that can be started. Default 0, disabled.
--min-free-mem-scan-queue MB: Minimum free memory in MB required to run the scan. If no enough free memory is available, the scan is queued. Default 0, disabled.
--max-queued-scans VALUE: Maximum number allowed of queued scans before starting to reject new scans. Default 0, disabled.
--feed-updater METHOD: Sets the method of updating the feed. Can either be openvas or nasl-cli. Default: openvas
-x, --signature-check: Enable feed signature check.
--notus-feed-dir DIRECTORY: Directory where notus feed is placed. Default: /var/lib/notus/advisories
--disable-notus-hashsum-verification BOOLEAN: Disable hashsum verification for notus advisories. Default: false
--list-commands: Display all protocol commands.

THE CONFIGURATION FILE

The default ospd-openvas configuration file, ~/.config/ospd.conf contains these options under the section [OSPD - openvas]:

log_config: Log configuration file path.
port: TCP port to listen on.
address: Address to listen on (this corresponds to --bind-address).
unix_socket: This option specifies the socket path.
socket_mode: This option defines the permissions on a socket. It must be set in octal format. E.g. socket_mode = 0o770
pid_file: Location of the file for the process ID.
lock_file_dir: Directory where the feed lock file is placed.
key_file: Server key file.
cert_file: Server cert file.
ca_file: CA cert file.
log_level: Desired level of logging.
foreground: Set to true to run in foreground and log all messages to console.
log_file: Path to the log file. If no log file is given, the system log facility is used by default.
stream_timeout: Set a timeout on socket operations. Default 10 seconds
niceness: Start the scan with the given niceness. Default 10
scaninfo_store_time: Time in hours a scan is stored before being considered forgotten and being delete from the scan table. Default 0, disabled.
max_scans: Maximum amount of parallel task that can be started. Default 0, disabled.
max_queued_scans: Maximum number allowed of queued scans before starting to reject new scans. Default 0, disabled.
min_free_mem_scan_queue: Minimum free memory in MB required to run the scan. If insufficient free memory is available, the scan is queued. Default 0, disabled.
mqtt_broker_address: Broker address to connect to for MQTT communication.
mqtt_broker_port: Broker port to connect to for MQTT communication.
mqtt_broker_username: Username to connect to MQTT broker for MQTT communication.
mqtt_broker_password: Password to connect to MQTT broker for MQTT communication.
feed_updater: Sets the method of updating the feed.
signature_check: Set to true to enable feed signature check.
notus_feed_dir: Directory where notus feed is placed.
disable_notus_hashsum_verification: Set to true to disable hashsum verification for notus advisories.

MORE INFORMATION

The canonical places where you will find more information about OSPD-OpenVAS are:

Community Portal
Development Platform
Traditional home site

AUTHORS

ospd-openvas code is developed by Greenbone AG.

Ubuntu Manpages