Scanning Like a Ghost - OpenVAS
OpenVAS is a katana forged for vulnerability scanning:
- open source
- container-ready
- minimal noise
- maximum signal
It thrives in Docker.
But what happens in the daemonless, rootless underworld?
The Ghost maps the terrain.
Sharpen the blade
The Docker Compose file is a map. Follow it to find the way in Podman:
https://greenbone.github.io/docs/latest/_static/docker-compose.yml
podman-compose still limps. It won't create volumes for you.
volumes.txt:
gpg_data_vol scap_data_vol cert_data_vol data_objects_vol gvmd_data_vol psql_data_vol vt_data_vol notus_data_vol psql_socket_vol gvmd_socket_vol ospd_openvas_socket_vol redis_socket_vol openvas_data_vol openvas_log_data_vol
Manually carve them out:
while read i; do podman volume create $ i; done < volumes.txt
Your podman-compose.yaml must be transformed for Podman:
version: "3.8" services: vulnerability-tests: image: registry.community.greenbone.net/community/vulnerability-tests environment: FEED_RELEASE: "24.10" volumes: - vt_data_vol:/mnt notus-data: image: registry.community.greenbone.net/community/notus-data volumes: - notus_data_vol:/mnt scap-data: image: registry.community.greenbone.net/community/scap-data volumes: - scap_data_vol:/mnt cert-bund-data: image: registry.community.greenbone.net/community/cert-bund-data volumes: - cert_data_vol:/mnt dfn-cert-data: image: registry.community.greenbone.net/community/dfn-cert-data volumes: - cert_data_vol:/mnt depends_on: - cert-bund-data data-objects: image: registry.community.greenbone.net/community/data-objects environment: FEED_RELEASE: "24.10" volumes: - data_objects_vol:/mnt report-formats: image: registry.community.greenbone.net/community/report-formats environment: FEED_RELEASE: "24.10" volumes: - data_objects_vol:/mnt depends_on: - data-objects gpg-data: image: registry.community.greenbone.net/community/gpg-data volumes: - gpg_data_vol:/mnt redis-server: image: registry.community.greenbone.net/community/redis-server restart: on-failure volumes: - redis_socket_vol:/run/redis/ pg-gvm: image: registry.community.greenbone.net/community/pg-gvm:stable restart: on-failure volumes: - psql_data_vol:/var/lib/postgresql - psql_socket_vol:/var/run/postgresql gvmd: image: registry.community.greenbone.net/community/gvmd:stable restart: on-failure volumes: - gvmd_data_vol:/var/lib/gvm - scap_data_vol:/var/lib/gvm/scap-data/ - cert_data_vol:/var/lib/gvm/cert-data - data_objects_vol:/var/lib/gvm/data-objects/gvmd - vt_data_vol:/var/lib/openvas/plugins - psql_data_vol:/var/lib/postgresql - gvmd_socket_vol:/run/gvmd - ospd_openvas_socket_vol:/run/ospd - psql_socket_vol:/var/run/postgresql depends_on: pg-gvm: condition: service_started scap-data: condition: service_completed_successfully cert-bund-data: condition: service_completed_successfully dfn-cert-data: condition: service_completed_successfully data-objects: condition: service_completed_successfully report-formats: condition: service_completed_successfully gsa: image: registry.community.greenbone.net/community/gsa:stable restart: on-failure ports: - 127.0.0.1:9392:9392 volumes: - gvmd_socket_vol:/run/gvmd depends_on: - gvmd configure-openvas: image: registry.community.greenbone.net/community/openvas-scanner:stable volumes: - openvas_data_vol:/mnt - openvas_log_data_vol:/var/log/openvas command: - /bin/sh - -c - | printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf chmod 644 /mnt/openvas.conf chmod 644 /mnt/openvas_log.conf touch /var/log/openvas/openvas.log chmod 666 /var/log/openvas/openvas.log openvas: image: registry.community.greenbone.net/community/openvas-scanner:stable restart: on-failure volumes: - openvas_data_vol:/etc/openvas - openvas_log_data_vol:/var/log/openvas command: - /bin/sh - -c - | cat /etc/openvas/openvas.conf tail -f /var/log/openvas/openvas.log depends_on: configure-openvas: condition: service_completed_successfully openvasd: image: registry.community.greenbone.net/community/openvas-scanner:stable restart: on-failure hostname: openvasd environment: OPENVASD_MODE: service_notus GNUPGHOME: /etc/openvas/gnupg LISTENING: 0.0.0.0:80 volumes: - openvas_data_vol:/etc/openvas - openvas_log_data_vol:/var/log/openvas - gpg_data_vol:/etc/openvas/gnupg - notus_data_vol:/var/lib/notus depends_on: vulnerability-tests: condition: service_completed_successfully configure-openvas: condition: service_completed_successfully gpg-data: condition: service_completed_successfully ospd-openvas: image: registry.community.greenbone.net/community/ospd-openvas:stable restart: on-failure hostname: ospd-openvas.local cap_add: - NET_ADMIN - NET_RAW security_opt: - seccomp=unconfined - apparmor=unconfined command: [ "ospd-openvas", "-f", "--config", "/etc/gvm/ospd-openvas.conf", "--notus-feed-dir", "/var/lib/notus/advisories", "-m", "666", ] volumes: - gpg_data_vol:/etc/openvas/gnupg - vt_data_vol:/var/lib/openvas/plugins - notus_data_vol:/var/lib/notus - ospd_openvas_socket_vol:/run/ospd - redis_socket_vol:/run/redis/ - openvas_data_vol:/etc/openvas/ - openvas_log_data_vol:/var/log/openvas depends_on: redis-server: condition: service_started gpg-data: condition: service_completed_successfully vulnerability-tests: condition: service_completed_successfully configure-openvas: condition: service_completed_successfully gvm-tools: image: registry.community.greenbone.net/community/gvm-tools volumes: - gvmd_socket_vol:/run/gvmd - ospd_openvas_socket_vol:/run/ospd depends_on: - gvmd - ospd-openvas volumes: gpg_data_vol: scap_data_vol: cert_data_vol: data_objects_vol: gvmd_data_vol: psql_data_vol: vt_data_vol: notus_data_vol: psql_socket_vol: gvmd_socket_vol: ospd_openvas_socket_vol: redis_socket_vol: openvas_data_vol: openvas_log_data_vol:
Pull in the the arsenal:
podman-compose -f podman-compose.yaml pull
OpenVAS is not monolithic.
Each container does one job.
Silent. Sharp. Modular.
Summon the system:
podman-compose -f podman-compose.yaml up -d
Some containers like vulnerability-tests, notus-data, scap-data are ghosts themselves.
They appear, inject knowledge, vanish.
In case of noise - logs never lie:
podman-compose -f podman-compose.yaml logs -f
Cut
Once online, scan like a specter.
Open browser -> http://localhost:9392
Use credentials:
admin / admin
Then change the password.
The shadows are always watching.
A Ghost's vision is limited… for now
When you log in:
You are currently using the free Greenbone Community Feed - this shows only a few vulnerabilities for business critical enterprise software such as MS Exchange, Cisco, VMware, Citrix and many more.
Over 60% of all relevant exploits remain hidden.
Translation?
You're flying low-res. The Community Feed is a shadow of the full arsenal.
Ghosts don't panic. They adapt.
If you're hunting in the enterprise jungle, you either:
- Maintain multiple scanners
- Supplement with external intel
- Or switch to the Greenbone Enterprise Feed - at a price.
In this operation we fly free.
But always remember:
60% of the cracks are in the dark.
Clean it up
No trace. No fingerprint. No echo.
Stop the containters:
podman-compose down
Purge the volumes:
while read i; do podman volume rm openvas_$ i; done < volumes.txt
Erase the images:
podman image ls |grep greenbone |awk '{print $3}' |xargs podman image rm --
The system breathes clean.
Only the ghost remains.
—
Whisper to DeadSwitch on Matrix: @deadswitch:matrix.org
Maybe the Ghost signals back.
DeadSwitch | The Silent Architect
In silence, I rise. In structure, I endure.