Building an OpenVAS Scanner for Periodic CVE Scanning

Hello everyone!
I’m seeking guidance on how to create an OpenVAS scanner that can perform periodic scans for CVEs released within the current week.

Any advice, suggestions, or personal experiences related to building an OpenVAS scanner for periodic CVE scanning would be highly appreciated. Please feel free to share any resources, scripts, or configurations that could assist in achieving this goal.

Thank you in advance for your support and expertise!


What you want to do here is very specific and I think it can only be done using python-gvm library or interacting with the GMP protocol directly.

I think the workflow would be something like this:

  1. Fetch CVEs programmatically using a filter for CVEs created in the past week using the Gmp.get_cves() function (docs here) with a filter like created>{Date and time in ISO 8601 format}
  2. Next use the Gmp.get_nvts() function (docs here) with a filter to select NVTs that have the CVEs returned in step 1. NOTE: You can see from the filter keyword docs (docs here) that NVTs can be filtered by the CVE they pertain to with the keyword cve (at the very bottom of document).
  3. Create a new scan config with the Gmp.create_scan_config() (docs here) which you will next configure
  4. Modify the new scan config returned in step 3 with the Gmp.modify_scan_config_set_nvt_preference() function to add all the NVTs discovered in step 2 (docs here)

From here you should have a scan config that you can create a task with.

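The four steps above, as an added example that is not from the thread or from python-gvm: it drives the same workflow by building the raw GMP XML commands the library wraps and parsing the replies, so it runs offline against constructed sample responses. Function names, the sample CVE ids and OIDs are my own constructed data, the <get_info_response> and <modify_config> shapes are assumed from the GMP reference, and step 3 is left out (config_id is whatever create_config returned).

```python
# Added example (constructed samples, shape only): weekly-CVE workflow as raw GMP commands + reply parsing.
from collections import defaultdict
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAMPLE_NOW = datetime(2024, 5, 13, 1, 0, 0)  # constructed run time (Saturday 01:00)

def weekly_cve_filter(now: datetime) -> str:
    """Step 1 filter: CVEs created in the last 7 days, timestamp in ISO 8601."""
    since = (now - timedelta(days=7)).strftime("%Y-%m-%dT%H:%M:%S")
    return f"created>{since}"

def get_cves_command(now: datetime) -> str:
    """Raw GMP equivalent of Gmp.get_cves(filter_string=...)."""
    return f'<get_info type="cve" filter={quoteattr(weekly_cve_filter(now))}/>'

def cve_ids(get_info_response: str) -> list[str]:
    """The id attribute of each <info> element carries the CVE name."""
    return [e.get("id") for e in ET.fromstring(get_info_response).findall("info")]

def get_nvts_command(cves: list[str]) -> str:
    """Step 2: select NVTs referencing any of the CVEs via the 'cve' filter keyword."""
    flt = " or ".join(f"cve={c}" for c in cves)
    return f'<get_info type="nvt" filter={quoteattr(flt)}/>'

def nvts_by_family(get_info_response: str) -> dict[str, list[str]]:
    """Group NVT OIDs by family, because modify_config selects NVTs per family."""
    groups: dict[str, list[str]] = defaultdict(list)
    for info in ET.fromstring(get_info_response).findall("info"):
        groups[info.findtext("nvt/family")].append(info.get("id"))
    return dict(groups)

def modify_config_commands(config_id: str, by_family: dict[str, list[str]]) -> list[str]:
    """Step 4: one <modify_config> per family enabling the chosen NVTs in the new config."""
    cmds = []
    for family, oids in sorted(by_family.items()):
        nvts = "".join(f"<nvt oid={quoteattr(o)}/>" for o in oids)
        cmds.append(f"<modify_config config_id={quoteattr(config_id)}><nvt_selection>"
                    f"<family>{escape(family)}</family>{nvts}</nvt_selection></modify_config>")
    return cmds

SAMPLE_CVE_RESPONSE = """<get_info_response status="200" status_text="OK">
<info id="CVE-2024-10001"><name>CVE-2024-10001</name></info>
<info id="CVE-2024-10002"><name>CVE-2024-10002</name></info></get_info_response>"""
SAMPLE_NVT_RESPONSE = """<get_info_response status="200" status_text="OK">
<info id="1.3.6.1.4.1.25623.1.0.900001"><nvt oid="1.3.6.1.4.1.25623.1.0.900001"><family>Web Servers</family></nvt></info>
<info id="1.3.6.1.4.1.25623.1.0.900002"><nvt oid="1.3.6.1.4.1.25623.1.0.900002"><family>Web Servers</family></nvt></info>
<info id="1.3.6.1.4.1.25623.1.0.900003"><nvt oid="1.3.6.1.4.1.25623.1.0.900003"><family>General</family></nvt></info></get_info_response>"""
```

Each returned string is what you would pass to Gmp.send_command() (or the library call named in the step) against a live GMP socket; the parsing functions accept the XML text those calls return.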

Thanks for your reply!
I’ll try this approach and get back with the results!


You are welcome. Also, thanks for sharing the results. If you run into trouble along the way I can help you troubleshoot.

Disclaimer, this may not be the best way.

At a high level my setup is:

Light VM only used for this Docker stack (well, not that light).
Docker Compose.
Update containers, and scan every week.

So, using the docker compose script provided on the site, it sets up all the correct containers.
The only thing is that the Docker containers are also how it gets the feed updates. So you have to update those to get the new CVEs.

Easiest thing, if doing it manually, is having that docker-compose.yml file and just using “docker-compose pull”, then “docker-compose up -d”.
That would update the relevant containers.

So I have that, and a bash script that a cron job runs every Friday to update, then a schedule within Greenbone to scan every Saturday morning (1 am).
This means that the containers get updated on the Friday night, there is enough time to sync the CVE updates, and then the scan runs.

cron job:
30 17 * * 5 /root/openvas/OpenVASUpdate.sh > /root/openvas/cronjob.log 2>&1

And yes, I should not run this as root; you should set it up correctly.

OpenVASUpdate.sh:

#!/bin/bash
# Pull the latest Greenbone images (this is how the feed updates arrive), then recreate the stack.
set -e
cd /root/openvas/
/usr/local/bin/docker-compose -f /root/openvas/docker-compose.yml pull
/usr/local/bin/docker-compose -f /root/openvas/docker-compose.yml up -d

Hope this helps someone get their setup and running with an automated update and schedule.