OpenVAS Vulnerability Assessment — Setup, Scanning, and Reporting

What is OpenVAS?

OpenVAS (Open Vulnerability Assessment Scanner) is the world's most advanced open-source vulnerability scanner. It's the scanning component of the Greenbone Vulnerability Management (GVM) platform, which tests network hosts for known security vulnerabilities using a regularly updated feed of over 100,000+ Network Vulnerability Tests (NVTs).

OpenVAS vs Other Scanners

| Feature | OpenVAS/GVM | Nessus | Qualys | |---------|-------------|--------|--------| | License | Open source (GPLv2) | Commercial | Commercial | | Cost | Free (Community) | $3,990+/year | Quote-based | | NVT/Plugins | 100,000+ | 200,000+ | 100,000+ | | Web Interface | Yes (GSA) | Yes | Cloud-based | | API | Yes (GMP) | Yes | Yes | | Deployment | Self-hosted | Self-hosted/Cloud | Cloud | | Updates | Community feed (daily) | Commercial feed | Commercial feed |

Architecture

┌──────────────────────────────────────────────────────┐
│                    GVM Stack                          │
│                                                      │
│  ┌─────────────────┐   ┌──────────────────────────┐ │
│  │  Greenbone       │   │  GVM Daemon (gvmd)       │ │
│  │  Security        │◄─►│  - Task management       │ │
│  │  Assistant (GSA)  │   │  - Scan scheduling       │ │
│  │  (Web UI)        │   │  - Report generation     │ │
│  └─────────────────┘   │  - User management       │ │
│                         └──────────┬───────────────┘ │
│                                    │                  │
│                         ┌──────────▼───────────────┐ │
│                         │  OpenVAS Scanner          │ │
│                         │  - Executes NVT scripts   │ │
│                         │  - Tests target hosts     │ │
│                         │  - Reports findings       │ │
│                         └──────────┬───────────────┘ │
│                                    │                  │
│                         ┌──────────▼───────────────┐ │
│                         │  NVT Feed Database        │ │
│                         │  - 100,000+ vulnerability │ │
│                         │    tests (updated daily)  │ │
│                         └──────────────────────────┘ │
└──────────────────────────────────────────────────────┘

Installation

Docker Installation (Recommended)

The easiest way to deploy OpenVAS/GVM:

# Create data directory
mkdir -p /opt/gvm/data

# Run Greenbone Community Edition
docker run -d \
  --name greenbone \
  -p 9392:9392 \
  -v /opt/gvm/data:/data \
  greenbone/community-edition:stable

# Wait for initial setup (NVT feed sync takes 30-60 minutes)
docker logs -f greenbone

# Default credentials:
# URL: https://localhost:9392
# Username: admin
# Password: admin (change immediately!)

Ubuntu/Debian Installation

# Add Greenbone repository
sudo add-apt-repository ppa:mrazavi/gvm
sudo apt update

# Install GVM
sudo apt install gvm

# Run setup (downloads NVT feed, creates database)
sudo gvm-setup

# Check installation
sudo gvm-check-setup

# Start services
sudo systemctl start gvmd
sudo systemctl start gsad
sudo systemctl start ospd-openvas

Post-Installation

# Update NVT feed
sudo greenbone-feed-sync

# Change admin password
sudo gvmd --user=admin --new-password=YourStr0ngP@ss!

# Verify services are running
sudo systemctl status gvmd gsad ospd-openvas

Configuring Scans

Creating a Target

1. Log in to the web interface (https://localhost:9392)
2. Go to Configuration → Targets → New Target
3. Configure:
   • Name: e.g., "Production Servers"
   • Hosts: IP addresses or ranges (e.g., 10.0.30.0/24)
   • Exclude hosts: Critical systems to skip
   • Port list: Select scan port range
   • Credentials: Add SSH/SMB/SNMP credentials for authenticated scans

Scan Configurations

| Scan Config | Description | Speed | Depth | |-------------|-------------|-------|-------| | Discovery | Host and service discovery only | Fast | Minimal | | Host Discovery | Ping and OS detection | Fast | Minimal | | Full and Fast | Most NVTs, optimized | Medium | High | | Full and Deep | All NVTs, thorough | Slow | Maximum | | System Discovery | OS, hardware, software inventory | Medium | Medium |

Recommended: Start with "Full and Fast" — it runs most vulnerability tests efficiently.

Creating a Task

1. Go to Scans → Tasks → New Task
2. Configure:
   • Name: "Monthly Production Scan"
   • Target: Select the target created above
   • Scanner: OpenVAS Default
   • Scan Config: Full and Fast
   • Schedule: Optional (weekly/monthly)
3. Click Create then Start

Authenticated vs Unauthenticated Scans

| Type | Access | Detection Rate | Use Case | |------|--------|---------------|----------| | Unauthenticated | External only | 40-60% of vulns | External attack surface | | Authenticated (SSH/SMB) | Inside the OS | 80-95% of vulns | Full vulnerability assessment |

Authenticated scans log in to the target and check installed packages, configurations, and file permissions — detecting far more vulnerabilities.

Understanding Results

Severity Levels

| Severity | CVSS Range | Color | Action | |----------|-----------|-------|--------| | Critical | 9.0-10.0 | Red | Fix immediately | | High | 7.0-8.9 | Orange | Fix within days | | Medium | 4.0-6.9 | Yellow | Fix within weeks | | Low | 0.1-3.9 | Blue | Fix during next cycle | | Log | 0.0 | Gray | Informational only |

Reading a Vulnerability Report

Each finding includes:

┌──────────────────────────────────────────────────┐
│  Vulnerability: OpenSSH < 9.3 - Multiple CVEs    │
│  Severity: High (CVSS: 7.5)                      │
│  Host: 10.0.30.15                                │
│  Port: 22/tcp                                    │
│                                                   │
│  Summary:                                         │
│  The OpenSSH version installed on the remote host │
│  is affected by multiple vulnerabilities...       │
│                                                   │
│  Detection:                                       │
│  SSH banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3      │
│                                                   │
│  Solution:                                        │
│  Update to OpenSSH 9.3 or later.                 │
│  sudo apt update && sudo apt upgrade openssh-server│
│                                                   │
│  References:                                      │
│  CVE-2023-38408, CVE-2023-48795                   │
└──────────────────────────────────────────────────┘

Scan Workflows

Regular Vulnerability Assessment Cycle

1. Scope Definition
   └─→ Define targets and exclusions

2. Discovery Scan
   └─→ Identify all live hosts and services

3. Vulnerability Scan (Authenticated)
   └─→ Full and Fast scan with credentials

4. Analysis
   └─→ Review results, filter false positives

5. Reporting
   └─→ Generate reports for stakeholders

6. Remediation
   └─→ Patch, configure, or mitigate findings

7. Verification Scan
   └─→ Re-scan to confirm fixes

8. Schedule
   └─→ Set recurring scans (monthly minimum)

Handling False Positives

1. Override: Mark a specific finding as false positive with justification
2. Note: Add notes explaining why a finding doesn't apply
3. Filter: Create filters to exclude known false positives from reports
4. QoD (Quality of Detection): Filter by detection quality (>70% recommended)

Reporting

Built-in Reports

OpenVAS generates reports in multiple formats:

# Export from web UI:
# Scans → Reports → Select report → Download

Available formats:
- PDF (executive summary)
- CSV (for spreadsheet analysis)
- XML (for integration)
- TXT (plain text)
- Anonymous XML (for sharing without sensitive data)

Key Report Sections

1. Executive Summary — High-level overview with severity counts
2. Vulnerability Details — Full list with descriptions and solutions
3. Host Summary — Per-host vulnerability breakdown
4. CVE List — All CVEs found, sorted by severity

Automation with GMP API

# Using python-gvm library
from gvm.connections import TLSConnection
from gvm.protocols.gmp import Gmp
from gvm.transforms import EtreeTransform

connection = TLSConnection(hostname='localhost', port=9390)
transform = EtreeTransform()

with Gmp(connection=connection, transform=transform) as gmp:
    gmp.authenticate('admin', 'password')

    # Get all tasks
    tasks = gmp.get_tasks()

    # Start a scan
    gmp.start_task(task_id='task-uuid-here')

    # Get latest report
    reports = gmp.get_reports()

Best Practices

1. Start with discovery — Know what's on your network before scanning
2. Use authenticated scans — Much more accurate than unauthenticated
3. Schedule regular scans — Monthly minimum, weekly for critical systems
4. Update feeds daily — New vulnerabilities are discovered constantly
5. Scan during off-hours — Vulnerability scans can impact performance
6. Verify remediation — Always re-scan after patching
7. Track trends — Compare scan results over time to measure improvement
8. Integrate with ticketing — Auto-create tickets for critical findings

Conclusion

OpenVAS/GVM provides enterprise-grade vulnerability assessment capabilities at zero licensing cost. Regular vulnerability scanning is fundamental to network security — it helps you find and fix weaknesses before attackers do. Combined with NMAP for discovery and Wireshark for traffic analysis, OpenVAS completes the open-source security assessment toolkit.

Related: NMAP Network Scanning, Linux Server Hardening, and OWASP Top 25 Vulnerabilities.