How to Scan for Vulnerabilities with OpenVAS on RHEL 7
OpenVAS (Open Vulnerability Assessment System), now part of the Greenbone Vulnerability Management (GVM) framework, is one of the most capable open-source vulnerability scanners available. It maintains a continuously updated feed of over 50,000 Network Vulnerability Tests (NVTs) and can detect misconfigurations, outdated software, missing patches, and exploitable weaknesses across your infrastructure. This tutorial covers installing and configuring GVM/OpenVAS on Red Hat Enterprise Linux 7 using the Atomic repository, performing your first authenticated scan against a target host, and interpreting the resulting vulnerability report to prioritize CVE remediation.
Prerequisites
- RHEL 7 server with a minimum of 4 GB RAM and 8 GB free disk space (NVT feeds are large)
- Root or sudo access
- Active RHEL subscription or EPEL repository configured
- Network access to the target host you intend to scan
- Firewalld configured to allow outbound connections for NVT sync
Step 1: Configure the Atomic Repository
The Atomic repository provides pre-built OpenVAS / GVM packages for RHEL 7. Install the Atomic repository RPM:
sudo yum install -y wget
wget -q -O - https://www.atomicorp.com/installatom | sh
If the interactive installer is unavailable in your environment, manually add the repository file:
sudo bash -c 'cat > /etc/yum.repos.d/atomic.repo <<EOF
[atomic]
name=Atomic - EL7 - x86_64
mirrorlist=http://updates.atomicorp.com/channels/mirrorlist/atomic/centos-7-x86_64
enabled=1
priority=1
protect=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck=1
EOF'
Note that the second gpgkey line must be indented: yum only treats an indented line as a continuation of the previous value, so without the leading whitespace the second key is ignored and the file fails to parse cleanly.
Import the GPG keys and update the package cache:
sudo rpm --import https://www.atomicorp.com/RPM-GPG-KEY.art.txt
sudo rpm --import https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
sudo yum makecache fast
Step 2: Install OpenVAS / GVM Packages
Install the GVM suite. This includes the scanner daemon, manager daemon, Greenbone Security Assistant (GSA) web UI, and supporting libraries:
sudo yum install -y openvas
The package group installs: gvmd (Greenbone Vulnerability Manager daemon), openvas-scanner, gsad (Greenbone Security Assistant daemon), and redis, which is used for inter-process communication between the scanner components.
Enable and start Redis, which must be running before GVM initialises:
sudo systemctl enable redis
sudo systemctl start redis
Step 3: Run gvm-setup to Initialise the Environment
The gvm-setup script downloads the NVT feed, creates the PostgreSQL database, generates certificates, and creates the default admin user. This step requires internet access and typically takes 20–45 minutes depending on connection speed:
sudo gvm-setup
Watch for the admin password printed at the end of the output — save it immediately:
# Example output near end of gvm-setup:
[*] Creating admin user
User created with password: 'a3f8b2c1-9d4e-4f7a-b0e1-2c3d4e5f6a7b'
[*] Setup complete
If the setup was run previously and you need to reset the admin password:
sudo gvmd --user=admin --new-password='YourNewSecurePassword'
Step 4: Start GVM Services
Use the convenience script to start all GVM services in the correct order:
sudo gvm-start
Alternatively, start each component explicitly:
sudo systemctl start openvas-scanner
sudo systemctl start gvmd
sudo systemctl start gsad
Enable all services to start at boot:
sudo systemctl enable openvas-scanner gvmd gsad
Verify all three services are active:
sudo systemctl status openvas-scanner gvmd gsad
Check that GSA is listening on its default HTTPS port:
sudo ss -tlnp | grep gsad
# Expected: LISTEN 0 128 0.0.0.0:9392 0.0.0.0:* users:(("gsad",pid=...))
Step 5: Access the Greenbone Security Assistant Web UI
Open a web browser and navigate to the GSA interface. By default it listens on HTTPS port 9392:
https://<server-ip>:9392
If firewalld is blocking the port, allow it temporarily or permanently:
sudo firewall-cmd --add-port=9392/tcp --permanent
sudo firewall-cmd --reload
Log in using the username admin and the password generated during gvm-setup. You will land on the Greenbone Security Assistant dashboard showing feed status, recent tasks, and scan results.
Step 6: Update the NVT Feed
Before running your first scan, ensure the NVT feed is current. In the GSA web UI, navigate to Administration → Feed Status and verify all feeds show a recent timestamp. To update from the command line:
sudo greenbone-nvt-sync
sudo greenbone-feed-sync --type GVMD_DATA
sudo greenbone-feed-sync --type SCAP
sudo greenbone-feed-sync --type CERT
After the sync completes, rebuild the NVT cache in the manager (gvmd replaced the older openvasmd binary in GVM 10):
sudo gvmd --rebuild --progress
Step 7: Create a Scan Target
In the GSA interface, navigate to Configuration → Targets → New Target (the blue star icon). Fill in the form:
- Name: Internal Server - 192.168.1.50
- Hosts: 192.168.1.50 (or a range: 192.168.1.1-192.168.1.254)
- Port List: All IANA assigned TCP and UDP for comprehensive scanning
- SSH Credentials: Add SSH credentials for authenticated scanning (enables much deeper checks)
For authenticated scanning via SSH, create credentials first under Configuration → Credentials → New Credential, selecting type Username + SSH key or Username + Password.
Step 8: Create and Run a Scan Task
Navigate to Scans → Tasks → New Task. Configure the task:
- Name: Baseline Vulnerability Scan
- Scan Config: Full and fast (recommended for initial scans — balances coverage with speed)
- Target: Select the target you just created
- Scanner: OpenVAS Default
Click Create, then click the green play button next to your task to start the scan. Monitor progress in the Tasks view — a progress bar and percentage indicator show completion status. A comprehensive scan of a single host typically takes 15–60 minutes.
Step 9: Interpret the Vulnerability Report
When the task completes, the status changes to Done. Click the Results link to view the vulnerability report. Findings are categorised by severity:
- Critical (CVSS 9.0–10.0): Require immediate remediation — remote code execution, unauthenticated access
- High (CVSS 7.0–8.9): Serious vulnerabilities — privilege escalation, sensitive data exposure
- Medium (CVSS 4.0–6.9): Exploitable but typically require conditions to be met
- Low (CVSS 0.1–3.9): Minimal risk — informational or configuration notes
Each finding includes the CVE identifier, affected service, CVSS score, description, and remediation guidance. For example, a finding for an outdated OpenSSL version will reference the relevant CVE numbers and recommend the specific package update.
Step 10: CVE Remediation Workflow
For each Critical or High finding, follow this remediation workflow on the affected RHEL 7 host:
Check if a security patch is available via yum:
sudo yum updateinfo list security
sudo yum updateinfo list cves | grep CVE-2024-XXXX
Apply security updates for a specific package:
sudo yum update --security openssl
# or update all security patches:
sudo yum update --security
After applying patches, restart affected services:
sudo systemctl restart httpd
sudo systemctl restart sshd
Return to GSA and create a new task against the same target to confirm the vulnerability is resolved. In the report, use Overrides to document accepted risks or false positives that require suppression.
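As an added example that is not part of this tutorial or of the GVM project, the following Python script applies the Step 9 severity bands to a report exported from GSA as XML and emits the Step 10 yum checks for every Critical or High CVE, grouped per host. The element names it reads (result, host, port, nvt, refs/ref, severity) are an assumption modelled on the GVM XML export, and the embedded report and its CVE ids are constructed placeholders; compare the element names against a real export from your own instance before relying on it.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not real scan data); the CVE ids are placeholders.
SAMPLE_REPORT = """<report><results>
<result id="r1"><host>192.168.1.50</host><port>443/tcp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.1"><name>OpenSSL outdated</name>
  <refs><ref type="cve" id="CVE-0000-0001"/><ref type="cve" id="CVE-0000-0002"/></refs></nvt>
 <severity>9.8</severity></result>
<result id="r2"><host>192.168.1.50</host><port>22/tcp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.2"><name>OpenSSH weak config</name>
  <refs><ref type="cve" id="CVE-0000-0003"/></refs></nvt>
 <severity>5.3</severity></result>
<result id="r3"><host>192.168.1.51</host><port>80/tcp</port>
 <nvt oid="1.3.6.1.4.1.25623.1.0.3"><name>httpd banner</name><refs/></nvt>
 <severity>0.0</severity></result>
</results></report>"""

def severity_band(score):
    """CVSS thresholds from Step 9; GVM labels a 0.0 finding 'Log'."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    if score > 0.0: return "Low"
    return "Log"

def parse_report(xml_text):
    """Return (host, port, name, score, band, [cves]) per result, highest score first."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        cves = [ref.get("id") for ref in nvt.iter("ref") if ref.get("type") == "cve"]
        score = float(r.findtext("severity", "0"))
        findings.append((r.findtext("host"), r.findtext("port"), nvt.findtext("name"),
                         score, severity_band(score), cves))
    return sorted(findings, key=lambda f: -f[3])

def remediation_commands(findings):
    """Step 10 yum checks, grouped per host, for Critical/High findings that carry CVEs."""
    per_host = defaultdict(list)
    for host, _port, _name, _score, band, cves in findings:
        if band in ("Critical", "High"):
            per_host[host] += [f"sudo yum updateinfo list cves | grep {c}" for c in cves]
    return dict(per_host)

if __name__ == "__main__":
    for host, cmds in remediation_commands(parse_report(SAMPLE_REPORT)).items():
        print(f"# {host}\n" + "\n".join(cmds))
```

Replace SAMPLE_REPORT with the contents of an XML export from Scans → Reports to run it against real findings; Medium and Low results are parsed but deliberately left out of the command list so the output matches the Step 10 scope.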
Conclusion
You now have a fully operational OpenVAS / GVM vulnerability scanning environment on RHEL 7. By combining authenticated scanning with RHEL 7’s yum --security patch management, you can systematically identify and remediate vulnerabilities as part of a continuous security posture programme. Schedule recurring scans using GVM’s built-in task scheduler (under Scans → Schedules) to detect newly disclosed CVEs between manual review cycles. Export reports in PDF or XML format for compliance documentation and share findings with development or operations teams for coordinated remediation.