CyBrainZ
Published on

OpenVAS on Qubes OS

Authors

Install the OpenVAS vulnerability scanner on the Qubes operating system.

securing_nextcloud_banner_1200x630.png

OpenVAS, the Open Vulnerability Assessment System as part of Greenbone Vulnerability Manager is built on the same foundations as the Nessus scanner, which has become a close-sourced part of the Tenable vulnerability management toolkit. This guide builds and installs the Greenbone Community Edition, where Greenbone AG continues to maintain OpenVAS as opensource.

Versions:

  • GVM_LIBS_VERSION=22.7.3
  • GVMD_VERSION=23.0.1
  • PG_GVM_VERSION=22.6.1
  • GSA_VERSION=22.8.0
  • GSAD_VERSION=22.7.0
  • OPENVAS_SMB_VERSION=22.5.3
  • OPENVAS_SCANNER_VERSION=22.7.6
  • OSPD_OPENVAS_VERSION=22.6.1
  • NOTUS_VERSION=22.6.0

Qubes OS is a desktop Linux distribution focused on security through isolation. This Linux distribution comes with Fedora and Debian as the main user environments, but easily runs Whonix or the Kali Linux. This guide uses the Qubes OS 4.1 template and Debian 12 as the base operating system.

VM requirements

  • 8 GB of memory
  • 6 processors
  • Debian 12 template

Setup

  • Create a Standalone vm based on the Debian 12 template
  • Set system storage to 20GB and private to 10GB
  • Start the newly created VM and open a terminal.

To create the VM, feel free to run this command in dom0 and continue in the spawned terminal.

qvm-create --verbose --standalone --template=debian-12 --prop=name=gsa_2024_01 --prop=vcpus=6 --label=gray --prop=memory=1000 --prop=maxmem=8000;qvm-start --verbose gsa_2024_01;sleep 10;sudo qvm-volume extend gsa_2024_01:root 20G;sudo qvm-volume extend gsa_2024_01:private 10G;qvm-run -q -a --service -- gsa_2024_01 qubes.StartApp+org.gnome.Terminal

Create a gvm user and make your current user a member of the gvm group

sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm
sudo usermod -aG gvm $USER

Reopen the shell so that your session is aware of the new group.

exec su -l $USER

Check, download and run the install script

git clone https://github.com/mendo1024/OpenVAS.git
OpenVAS/debian_11_build_gsa.sh

Expect more than 30 minutes of text scrolling, but you should see a browser when it's done.

openvas_on_qubesos_4.png

The admin password is in file /tmp/pgadmin.pwd

Go to Administration -> Feed status and wait for the update is complete.

openvas_on_qubesos_5.png

The update shouldn't take more than another 30 minutes. Then, your personal scanner is ready to use.