OpenVAS(8)                       User Manuals                       OpenVAS(8)

NAME
       openvas - The Scanner of the Greenbone Vulnerability Management

SYNOPSIS
       openvas [-V] [-h] [-c config-file] [--scan-start scan-uuid] [-u] [-s]

DESCRIPTION
       Greenbone Vulnerability Management (GVM) is a vulnerability auditing
       and management framework made up of several modules. The OpenVAS
       Scanner, openvas, is in charge of executing many security tests
       against many target hosts in a highly optimized way.

       openvas inspects the remote hosts to list all the vulnerabilities and
       common misconfigurations that affect them.

       It is a command line tool with parameters to update the feed of
       vulnerability tests and to start a scan. The second part of the
       interface is the redis store, where the parameters of a scan task
       need to be placed and from where the results can be retrieved.

OPTIONS
       -c _config-file_, --config-file=_config-file_
              Use the alternate configuration file instead of
              /usr/local/etc/openvas/openvas.conf.

       -V, --version
              Prints the version number and exits.

       -h, --help
              Show a summary of the commands.

       --scan-start scan-uuid
              ID for a single scan task. The scanner will start the scan
              with the data already loaded in a redis KB, which will be
              found using the given scan-id.

       -s scan-uuid
              ID for a single scan task. The scanner will search the redis
              KB associated with the given scan_id. It takes the pid from
              the KB and sends the SIGUSR1 signal to stop the scan.

       -u, --update-vt-info
              Updates VT info in the redis store from the VT files.

       The default openvas configuration file,
       /usr/local/etc/openvas/openvas.conf, contains these options:

              Contains the location of the plugins folder. This is usually
              /var/lib/openvas/plugins, but you may change this.

       max_hosts
              The maximum number of hosts to test at the same time, which
              should be given to the client (which can override it). This
              value must be computed given your bandwidth, the number of
              hosts you want to test, your amount of memory and the
              horsepower of your processor.

       max_checks
              The number of plugins that will run against each host being
              tested. Note that the total number of processes will be
              max_checks x max_hosts, so you need to find a balance between
              these two options. Note that launching too many plugins at
              the same time may disable the remote host, either temporarily
              (ie: inetd closes its ports) or permanently (the remote host
              crashes because it is asked to do too many things at the same
              time), so be careful.

              If this option is set to 'yes', openvas will store the name,
              pid, date and target of each plugin launched. This is helpful
              for monitoring and debugging purposes; however, this option
              might make openvas fill your disk rather quickly.

              This is a scanner-only option which allows you to set the TLS
              log level. The level is an integer between 0 and 9. Higher
              values mean more verbosity and might make openvas fill your
              disk rather quickly. The default value is 0 (disabled).

              Larger values should only be used with care, since they may
              reveal sensitive information in the scanner logs.

              Use a debug level over 10 to enable all debugging options.

              If this option is set to 'yes', openvas will log the name of
              each plugin being loaded at startup, or each time it receives
              the HUP signal.

              By default, openvas looks for default CGIs in /cgi-bin and
              /scripts. You may change these to something else to reflect
              the policy of your site. The syntax of this option is the
              same as the shell $PATH variable: path1:path2:...

              This is the default range of ports that the scanner plugins
              will probe. The syntax of this option is flexible: it can be
              a single range ("1-1500"), several ports ("21,23,80"), or
              several ranges of ports ("1-1500,32000-33000"). Note that you
              can specify UDP and TCP ports by prefixing each range with T
              or U. For instance, the following range will make openvas
              scan UDP ports 1 to 1024 and TCP ports 1 to 65535:
              "T:1-65535,U:1-1024".
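
       The port-range syntax above, expanded by a small parser so that a
       range can be sanity-checked before it goes into openvas.conf. This is
       an added example, not openvas code; it assumes that a T:/U: prefix
       applies to every following element until the next prefix and that
       unprefixed elements are TCP.

```python
import re
from typing import Dict, Set

# Constructed example, not openvas code: parses the port_range syntax
# ("1-1500", "21,23,80", "1-1500,32000-33000", "T:1-65535,U:1-1024").
# Assumption: a protocol prefix applies to this and all later elements
# until the next prefix; elements without any prefix default to TCP.
_PORT_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(spec: str) -> Dict[str, Set[int]]:
    """Expand an openvas-style port_range string into TCP and UDP port sets."""
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        # "T:" / "U:" switches the protocol for this and later elements
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:].strip()
            if not item:
                continue
        m = _PORT_ITEM.match(item)
        if not m:
            raise ValueError(f"bad port element: {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        # Reject 0, reversed ranges and anything above 65535
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range: {raw!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def summarize(spec: str) -> str:
    """Report how many TCP/UDP ports a spec expands to."""
    p = parse_port_range(spec)
    return f"{len(p['tcp'])} TCP, {len(p['udp'])} UDP"


if __name__ == "__main__":
    for s in ("1-1500", "21,23,80", "1-1500,32000-33000", "T:1-65535,U:1-1024"):
        print(f"{s:22} -> {summarize(s)}")
```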

              If this option is set to 'yes', openvas will scan the target
              list for alive hosts in a separate process while only testing
              those hosts which are identified as alive. This boosts the
              scan speed of target ranges with a high amount of dead hosts
              significantly.

       optimize_test
              By default, optimize_test is enabled, which means openvas
              trusts the remote host banners and only launches plugins
              against the services they have been designed to check. For
              example, it will check a web server claiming to be IIS only
              for IIS related flaws but will skip plugins testing for
              Apache flaws, and so on. This default behavior is used to
              optimize the scanning performance and to avoid false
              positives. If you suspect that the banners of the remote host
              may have been tampered with, you can disable this option.

              If set to yes, the scanner will also test the target by using
              an empty vhost value in addition to the target's associated
              vhost.

              Number of seconds that the security checks will wait for when
              doing a recv(). You should increase this value if you are
              running openvas across a slow network link (testing a host
              via a dialup connection, for instance).

       timeout_retry
              Number of retries when a socket connection attempt times out.

              When a port is found open at the beginning of the scan, and
              for some reason the status changes to filtered/closed, it
              will not be possible to open a socket. This is the number of
              unsuccessful retries to open the socket before setting the
              port as closed. This avoids launching plugins which need the
              open port as a mandatory key, and therefore avoids an
              overlong scan duration. If the set value is 0 or a negative
              value, this option is disabled. Take into account that one
              unsuccessful attempt needs the number of retries set in
              "timeout_retry".

              Some devices do not appreciate quick connection establishment
              and termination, nor quick requests. This option allows you
              to set a wait time between two actions such as opening a TCP
              socket, sending a request through the open TCP socket, and
              closing the TCP socket. This value should be given in
              milliseconds. If the set value is 0 (default value), this
              option is disabled and there is no wait time between
              requests.

              Whether to expand the target host's list of vhosts with
              values gathered from sources such as reverse-lookup queries
              and VT checks for SSL/TLS certificates.

              Some services (in particular SMB) do not appreciate multiple
              connections at the same time coming from the same host. This
              option allows you to prevent openvas from making two
              connections on the same given ports at the same time. The
              syntax of this option is "port1[, port2....]". Note that you
              can use the KB notation of openvas to designate a service
              formally. Ex: "139, Services/www" will prevent openvas from
              making two connections at the same time on port 139 and on
              every port which hosts a web server.
              If set to no, this option prevents openvas from scanning more
              than one of the different IPs (e.g. the IPv4 and IPv6
              addresses) which belong to the same host at the same time.
              Default: yes.

       plugins_timeout
              This is the maximum lifetime, in seconds, of a plugin. It may
              happen that some plugins are slow because of the way they are
              written or the way the remote server behaves. This option
              allows you to make sure your scan is never caught in an
              endless loop because of a non-finishing plugin. Doesn't
              affect ACT_SCANNER plugins.

              Like plugins_timeout, but for ACT_SCANNER plugins.

              Most of the time, openvas attempts to reproduce an
              exceptional condition to determine if the remote services are
              vulnerable to certain flaws. This includes the reproduction
              of buffer overflows or format strings, which may make the
              remote server crash. If you set this option to 'yes', openvas
              will disable the plugins which have the potential to crash
              the remote services, and will at the same time make several
              checks rely on the banner of the service tested instead of
              its behavior towards a certain input. This reduces false
              positives and makes openvas nicer towards your network;
              however, this may make you miss important vulnerabilities (as
              a vulnerability affecting a given service may also affect
              another one).

              OpenVAS plugins use the results of each other to execute
              their job. For instance, a plugin which logs into the remote
              SMB registry will need the results of the plugin which finds
              the SMB name of the remote host and the results of the plugin
              which attempts to log into the remote host. If you want to
              only select a subset of the plugins available, tracking the
              dependencies can quickly become tiresome. If you set this
              option to 'yes', openvas will automatically enable the
              plugins that are depended on.

       source_iface
              Name of the network interface that will be used as the source
              of connections established by OpenVAS. The scan won't be
              launched if the value isn't authorized according to
              (sys_)ifaces_allow / (sys_)ifaces_deny, if present.

       ifaces_allow
              Comma-separated list of interface names that are authorized
              as source_iface values.

       ifaces_deny
              Comma-separated list of interface names that are not
              authorized as source_iface values.

       sys_ifaces_allow
              Like ifaces_allow. Can't be overridden by the client.

       sys_ifaces_deny
              Like ifaces_deny. Can't be overridden by the client.

       hosts_allow
              Comma-separated list of the only targets that are authorized
              to be scanned. Supports the same syntax as the target list.
              Both target hostnames and the addresses to which they resolve
              are checked. Hostnames in the hosts_allow list are not
              resolved, however.

       hosts_deny
              Comma-separated list of targets that are not authorized to be
              scanned. Supports the same syntax as the target list. Both
              target hostnames and the addresses to which they resolve are
              checked. Hostnames in the hosts_deny list are not resolved,
              however.

       sys_hosts_allow
              Like hosts_allow. Can't be overridden by the client.

       sys_hosts_deny
              Like hosts_deny. Can't be overridden by the client.
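
       The allow/deny semantics described above, modelled in an added
       example that is not openvas code: a target's hostname and the
       addresses it resolves to are both checked, while entries in the lists
       are never resolved. It assumes list entries are hostnames, IP
       addresses or CIDR networks (a subset of the target syntax), that a
       deny match wins, and that an empty allow list permits everything; the
       resolver is a constructed table so the example runs offline.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed example, not openvas code. Assumptions: list entries are
# hostnames, IP addresses or CIDR networks; deny is checked first; an empty
# allow list permits every target. A hostname entry is never resolved, so
# an IP target is only caught by an IP/CIDR entry (as the man page warns).


def _entry_matches(entry: str, hostname: Optional[str], addrs: List[str]) -> bool:
    entry = entry.strip()
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address/network: compare as a literal hostname only
        return hostname is not None and entry.lower() == hostname.lower()
    return any(ipaddress.ip_address(a) in net for a in addrs)


def is_target_permitted(target: str, allow: Iterable[str], deny: Iterable[str],
                        resolve: Callable[[str], List[str]]) -> bool:
    try:
        ipaddress.ip_address(target)
        hostname, addrs = None, [target]          # literal IP target
    except ValueError:
        hostname, addrs = target, resolve(target)  # hostname target
    if any(_entry_matches(e, hostname, addrs) for e in deny if e.strip()):
        return False
    allow = [e for e in allow if e.strip()]
    return not allow or any(_entry_matches(e, hostname, addrs) for e in allow)


# Constructed resolver table standing in for DNS (hypothetical names)
_FAKE_DNS = {
    "web.example.test": ["192.0.2.10", "2001:db8::10"],
    "db.example.test": ["192.0.2.20"],
}


def fake_resolve(name: str) -> List[str]:
    return _FAKE_DNS.get(name, [])


def demo() -> dict:
    allow = "192.0.2.0/24, scanme.example.test".split(",")
    deny = "db.example.test".split(",")
    targets = ("web.example.test", "db.example.test", "192.0.2.20",
               "198.51.100.5", "scanme.example.test")
    return {t: is_target_permitted(t, allow, deny, fake_resolve) for t in targets}


if __name__ == "__main__":
    for target, ok in demo().items():
        print(f"{target:22} {'permitted' if ok else 'refused'}")
```

       Note that 192.0.2.20 is permitted even though db.example.test resolves
       to it: the deny entry is a hostname and is not resolved, so denying an
       address requires listing the address or a network that covers it.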

              Maximum load on the system. Once this load is reached, no
              further VTs are started until the load drops below this
              value.

              Minimum available memory (in MB) which should be kept free on
              the system. Once this limit is reached, no further VTs are
              started until sufficient memory is available again.

              The other options in this file can usually be redefined by
              the client.

       Bear in mind that OpenVAS can be quite network intensive. Even
       though the OpenVAS developers have taken every effort to avoid
       packet loss (including transparently resending UDP packets, waiting
       for data to be received in TCP connections, etc.), bandwidth use
       should always be closely monitored: with current server hardware,
       bandwidth is usually the bottleneck in an OpenVAS scan. It might not
       become too apparent in the final reports (scanners will still run
       and holes might be detected), but you risk running into false
       negatives (i.e. OpenVAS will not report a security hole that is
       present on a remote host).

       Users might need to tune the OpenVAS configuration if running the
       scanner in low bandwidth conditions (low meaning less bandwidth than
       the one your hardware system can produce) or they will otherwise get
       erratic results. There are several parameters that can be modified
       to reduce network load:

              The default value is set to 5 seconds; it can (and should) be
              increased in the openvas.conf or openvasrc configuration
              files if network bandwidth is low. Notice that it is
              recommended to increase this value to over 10 seconds if you
              are running a test outside your LAN (i.e. to Internet hosts
              through an Internet connection).

       max_hosts
              Number of hosts to test at the same time. It can be as low as
              you want it to be (obviously 1 is the minimum).

       max_checks
              Number of checks to run at the same time. It can be as low as
              you want it to be, and lowering it will also reduce network
              load and improve performance (obviously 1 is the minimum).
              Notice that OpenVAS will spawn max_hosts * max_checks
              processes.

       drop_privileges
              If this preference is set to 'yes', OpenVAS will attempt to
              drop its root privilege before launching any VT, and the new
              process owner is 'nobody'; the default value of this
              preference is 'no', meaning no change in behaviour.

              If a user is set, NASL functions can use this user to drop
              their root privilege. The new process owner is set only for
              those processes calling a NASL function which supports a drop
              privileges action. This preference must not be mixed with
              'drop_privileges'. If 'drop_privileges' is enabled, this
              option should not be used, as 'drop_privileges' sets the
              owner to 'nobody'.

              Use the alternate vendor instead of the default one during

              Other options might be using the QoS features offered by your
              server operating system or your network to improve the
              bandwidth

              It is not easy to give a bandwidth estimate for an OpenVAS
              run; you will probably need to make your own counts. However,
              assume you test 65536 TCP ports. This will require at least a
              single packet per port that is at least 40 bytes large. Add
              14 bytes for the ethernet header and you will send 65536 *
              (40 + 14) = 3670016 bytes. So for just probing all TCP ports
              we may need a multiple of this, as nmap will try to resend
              the packets twice if no response is received.

              A very rough estimate is that a full scan for UDP, TCP and
              RPC as well as all NASL scripts may result in 8 to 32 MB
              worth of traffic per scanned host. Reducing the number of
              tested ports and such will reduce the amount of data to be
              transferred significantly.

SEE ALSO
       gvmd(8), gsad(8), ospd-openvas(8), openvas-nasl(1),
       openvas-nasl-lint(1), greenbone-nvt-sync(8)

       The canonical places where you will find more information about
       OpenVAS:

              Community Portal <>
              Development Platform <>
              Traditional home site <>

AUTHORS
       openvas was forked from nessusd in 2005. Nessusd was written by
       Renaud Deraison <>. Most new code since 2005 was developed by
       Greenbone Networks GmbH.

Greenbone Vulnerability Management       February 2021              OpenVAS(8)
