OpenVAS / Greenbone: Open-Source Vulnerability Scanning
HOWTO · Intermediate

Deploy Greenbone Community Edition to run authenticated vulnerability scans, configure scan targets, and generate actionable remediation reports for your infrastructure.

Dylan H.

Tutorials

April 27, 2026
9 min read

Prerequisites

  • Linux host with Docker >= 24 and Docker Compose v2 installed
  • Minimum 8 GB RAM (16 GB recommended for large environments)
  • At least 20 GB free disk space for the NVT feed cache
  • Basic command-line familiarity
  • Network access (ICMP + TCP) to intended scan targets

Introduction

Knowing what weaknesses exist in your systems before an attacker exploits them is the foundation of any proactive security program. Vulnerability scanning lets you prioritize patching, configuration hardening, and compensating controls based on real data — not guesswork.

Greenbone Community Edition (GCE) — the open-source successor to OpenVAS — is a full-featured vulnerability management platform trusted by security teams worldwide. It ships with tens of thousands of Network Vulnerability Tests (NVTs) maintained by Greenbone Networks and the community, covering CVEs, misconfigurations, default credentials, outdated software, and more.

In this guide you will:

  • Deploy Greenbone Community Edition using Docker Compose
  • Configure SSH and SMB credentials for authenticated scanning
  • Define scan targets and create your first scan task
  • Run a scan and interpret results using CVSS v3 severity ratings
  • Export PDF reports and schedule recurring scans

Prerequisites

Before you begin, confirm you have:

  • A Linux host (Ubuntu 22.04 LTS or Debian 12 recommended)
  • Docker ≥ 24 and Docker Compose v2 installed (docker compose version)
  • Your user account in the docker group (sudo usermod -aG docker $USER)
  • Minimum 8 GB RAM — 16 GB is recommended for scanning subnets larger than /24
  • At least 20 GB free disk space for the NVT feed and scan data
  • Network-level access from the scanner host to your targets (allow ICMP + common TCP ports)

Step 1 — Prepare the Host

Update the system and install helper tools:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git

Create a working directory for the Greenbone stack:

mkdir -p ~/greenbone && cd ~/greenbone

Step 2 — Download the Docker Compose File

Greenbone publishes an official community compose configuration. Download the latest stable release:

curl -fsSL https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml \
  -o docker-compose.yml

Review the file to understand the services before starting them:

docker compose config --services

You should see: gvmd, ospd-openvas, gsad, pg-gvm, notus-scanner, and greenbone-feed-sync.


Step 3 — Set the Admin Password

Set a strong admin password before the stack starts. Create a .env file so the value persists:

cat > .env <<'EOF'
GVMD_PASSWORD=YourSecurePassword123!
EOF

Restrict permissions on the file:

chmod 600 .env

Step 4 — Start the Greenbone Stack

Pull all container images and start the services in the background:

docker compose up -d

Check that all containers start without errors:

docker compose ps

Expected output — all services should reach healthy status within 1–3 minutes:

NAME                    STATUS
gvmd                    healthy
ospd-openvas            healthy
gsad                    healthy
pg-gvm                  healthy
notus-scanner           healthy
greenbone-feed-sync     exited (0)   ← exits cleanly after sync

If any container shows starting for more than five minutes, check its logs with docker compose logs <service>.


Step 5 — Wait for NVT Feed Synchronization

On first run, Greenbone downloads and indexes the full NVT feed (~200,000+ vulnerability tests). This takes 10–30 minutes depending on your internet connection.

Monitor feed sync progress:

docker compose logs -f greenbone-feed-sync

The sync is complete when you see lines like:

rsync: Sync complete for /var/lib/openvas/plugins
rsync: Sync complete for /var/lib/gvm/data-objects/gvmd

Confirm the NVTs loaded into the scanner:

docker compose logs ospd-openvas | grep "Finished loading"

Step 6 — Access the Web Interface

Open your browser and navigate to the Greenbone Security Assistant (GSA):

https://<your-host-ip>:9392

Accept the self-signed certificate warning (or replace it with a trusted cert later). Log in with:

  • Username: admin
  • Password: the value you set in GVMD_PASSWORD

You will land on the main dashboard showing scan task status, recent reports, and overall system health.


Step 7 — Configure Scan Credentials

Authenticated scanning dramatically improves accuracy. When the scanner can log in to a target, it enumerates installed packages, registry keys, and service configurations — catching far more vulnerabilities than unauthenticated banner-grabbing alone.

Add SSH Credentials (Linux/Unix targets)

  1. Navigate to Configuration → Credentials
  2. Click the New Credential icon (blue star)
  3. Fill in the form:
    • Name: SSH – Production Servers
    • Type: Username + SSH Key (or Username + Password)
    • Username: your scanner service account (e.g. svc-scanner)
    • Private Key (or Password): paste your SSH private key or password
  4. Click Save

Tip: Create a dedicated, read-only service account (svc-scanner) with sudo access restricted to id, uname, rpm, dpkg, and apt commands to minimise the blast radius if credentials are ever compromised.

Add SMB Credentials (Windows targets)

  1. Create another credential entry:
    • Type: Username + Password
    • Username: DOMAIN\svc-scanner
    • Password: the account password
  2. Click Save

This credential is used for Windows authenticated checks via SMB, WMI, and registry enumeration.


Step 8 — Create a Scan Target

A target tells the scanner which hosts and ports to probe.

  1. Navigate to Configuration → Targets
  2. Click New Target
  3. Configure the target:
     Field           Example value
     Name            Internal DMZ
     Hosts           192.168.10.0/24
     Exclude Hosts   192.168.10.1 (router, if desired)
     Port List       All IANA assigned TCP and UDP
     SSH Credential  SSH – Production Servers
     SMB Credential  (Windows credential, if applicable)
  4. Click Save

You can specify hosts as CIDR blocks, IP ranges (10.0.0.1-10.0.0.50), or comma-separated individual addresses.
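A scope check to run before saving a target, added here as an example (it is not part of the original guide or of Greenbone): it expands the Hosts and Exclude Hosts values in the formats named above and flags any address outside the networks you are authorised to scan. The function names and the approved-network list are assumptions, and so is the choice to leave a CIDR block's network and broadcast addresses out of the count.

```python
import ipaddress

def expand_hosts(spec):
    """Expand a comma-separated spec (CIDR, a-b range, single IP) into a set of addresses."""
    hosts = set()
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if "/" in item:
            # Assumption: network and broadcast addresses are not scan targets.
            hosts.update(ipaddress.ip_network(item, strict=False).hosts())
        elif "-" in item:
            first, last = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if last < first:
                raise ValueError(f"range end precedes start: {item}")
            hosts.update(ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
        else:
            hosts.add(ipaddress.ip_address(item))
    return hosts

def scan_scope(hosts_spec, exclude_spec="", approved=()):
    """Return (in_scope, stray): addresses that will be scanned, and those outside approved networks."""
    in_scope = expand_hosts(hosts_spec) - expand_hosts(exclude_spec)
    nets = [ipaddress.ip_network(n) for n in approved]
    stray = {h for h in in_scope if not any(h in n for n in nets)}
    return sorted(in_scope), sorted(stray)

if __name__ == "__main__":
    # Constructed input: the DMZ from the table plus a range that was never approved.
    scope, stray = scan_scope("192.168.10.0/24, 10.0.0.1-10.0.0.50",
                              exclude_spec="192.168.10.1",
                              approved=["192.168.10.0/24"])
    print(f"{len(scope)} addresses in scope, {len(stray)} outside approved networks")
    for host in stray[:5]:
        print("  not approved:", host)
```
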


Step 9 — Create and Run a Scan Task

  1. Navigate to Scans → Tasks
  2. Click New Task
  3. Configure the task:
     Field         Value
     Name          DMZ Full Scan
     Scan Config   Full and Fast
     Scan Targets  Internal DMZ (from Step 8)
     Scanner       OpenVAS Default
     Schedule      (leave blank for now)
  4. Click Save

Start the scan immediately by clicking the Play (▶) button next to the task name. The status column shows percentage completion in real time.

A /24 subnet with mixed Linux and Windows hosts typically takes 30–90 minutes for a full authenticated scan.


Step 10 — Analyze Results and Export a Report

Once the scan shows Done, click the task name to open the results.

Severity Classification (CVSS v3)

Severity  Score     Recommended Action
Critical  9.0–10.0  Patch or isolate immediately
High      7.0–8.9   Remediate within 7 days
Medium    4.0–6.9   Remediate within 30 days
Low       0.1–3.9   Address in next maintenance window
Log       0.0       Informational / no action required

For each finding you can view:

  • The affected host and port
  • The CVE identifier(s) and CVSS vector
  • Greenbone's plain-English description and remediation advice
  • The exact NVT test that triggered the finding
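To turn the severity table into a worklist, the following added example (not part of the original guide or of Greenbone's tooling) reads a report exported as XML instead of PDF, assigns each result its tier, and computes a remediation due date from the scan date. The element layout is an assumption taken from the constructed sample embedded in the code, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Tiers from the severity table above: (minimum score, label, remediation days).
# None means the table gives no day count (maintenance window / informational).
TIERS = [(9.0, "Critical", 0), (7.0, "High", 7), (4.0, "Medium", 30),
         (0.1, "Low", None), (0.0, "Log", None)]

# Constructed sample report, reduced to the elements this script reads.
SAMPLE_REPORT = """<report><results>
 <result><name>Constructed finding A</name>
  <host>192.168.10.20<hostname>web01</hostname></host>
  <port>443/tcp</port><severity>9.8</severity></result>
 <result><name>Constructed finding B</name>
  <host>192.168.10.21</host><port>22/tcp</port><severity>7.5</severity></result>
 <result><name>Constructed finding C</name>
  <host>192.168.10.21</host><port>445/tcp</port><severity>5.3</severity></result>
 <result><name>Constructed finding D</name>
  <host>192.168.10.22</host><port>general/tcp</port><severity>2.6</severity></result>
 <result><name>Constructed finding E</name>
  <host>192.168.10.22</host><port>general/tcp</port><severity>0.0</severity></result>
</results></report>"""

def tier_for(score):
    """Map a CVSS score to (label, remediation days) using the table's bands."""
    for floor, label, days in TIERS:
        if score >= floor:
            return label, days
    raise ValueError(f"score {score} is below every tier")

def triage(xml_text, scan_date):
    """Return actionable findings, worst first, each with its tier and due date."""
    findings = []
    for res in ET.fromstring(xml_text).iter("result"):
        score = float(res.findtext("severity", default="0.0"))
        if score < 0.1:  # Log entries (0.0) need no ticket
            continue
        label, days = tier_for(score)
        findings.append({
            "host": (res.findtext("host") or "").strip(),
            "port": res.findtext("port", default=""), "name": res.findtext("name", default=""),
            "score": score, "tier": label,
            "due": scan_date + timedelta(days=days) if days is not None else None,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, date.today()):
        print(f["tier"], f["score"], f["host"], f["port"], f["due"] or "next maintenance window")
```
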

Export a PDF Report

  1. Click Reports within the task view
  2. Select the most recent report by date
  3. Click Download and choose PDF
  4. Attach the PDF to your change management ticket or share with system owners

Step 11 — Schedule Recurring Scans

Automate scanning to catch newly disclosed CVEs and configuration drift without manual intervention.

  1. Navigate to Configuration → Schedules
  2. Click New Schedule
  3. Configure:
     Field      Value
     Name       Weekly DMZ Scan
     First Run  Sunday 02:00 (or your preferred window)
     Timezone   Your local timezone
     Period     1 week
  4. Click Save
  5. Edit your scan task, assign the schedule, and save

Greenbone will now launch the scan automatically each week and retain a rolling history of reports so you can track vulnerability trends over time.


Verification and Testing

Confirm the stack is healthy and the scanner is functional end-to-end:

# All containers healthy
docker compose ps
 
# GVM daemon responds to XML commands
docker compose exec gvmd gvm-cli \
  --gmp-username admin \
  --gmp-password "$(grep '^GVMD_PASSWORD=' .env | cut -d= -f2-)" \
  socket --socketpath /run/gvmd/gvmd.sock \
  --xml "<get_version/>"
 
# NVT count loaded in Redis (should be 70 000+)
docker compose exec ospd-openvas \
  redis-cli -s /run/redis-openvas/redis.sock KEYS 'nvt:*' | wc -l

Expected results:

  • get_version returns an XML response containing the GVM version number
  • NVT key count is well above 70,000 — a low count means the feed sync is incomplete

Troubleshooting

Feed sync never completes

docker compose restart greenbone-feed-sync
docker compose logs greenbone-feed-sync | grep -i error

Ensure outbound TCP 443 and TCP 873 (rsync) are open to feed.community.greenbone.net from your host.

Web UI returns 502 Bad Gateway

The gsad container may have started before gvmd finished initialising. Restart GSA:

docker compose restart gsad

Scan tasks stuck at 0%

The scanner may still be loading NVTs into Redis. Allow a few more minutes then check:

docker compose logs ospd-openvas | grep "Loading NVTs"

If NVT loading never completes, force a reload:

docker compose exec ospd-openvas openvas --update-vt-info

Authenticated scan shows fewer results than expected

  • Verify the service account can log in from the scanner's IP: ssh svc-scanner@<target> from the scanner host
  • Confirm host-based firewalls (UFW, Windows Firewall) allow the scanner's source IP for SMB (TCP 445) and SSH (TCP 22)
  • Check that the credential is assigned to the target in Configuration → Targets

Container runs out of memory (OOM killed)

Add swap space to give the OS room to breathe:

sudo fallocate -l 8G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Persist across reboots
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

Summary

You now have a fully operational Greenbone Community Edition vulnerability scanner:

  1. Deployed the GCE stack via Docker Compose with a persistent .env configuration
  2. Configured SSH and SMB credentials for deep, authenticated scanning
  3. Defined scan targets and created a Full and Fast task
  4. Analysed results mapped to CVSS v3 severity tiers and exported a PDF report
  5. Automated weekly scanning with the built-in scheduler

Greenbone gives your team continuous visibility into the attack surface without enterprise scanner licensing costs. The open NVT feed receives daily updates from Greenbone Networks, so new CVEs are covered within hours of disclosure.

Next steps to explore:

  • Integrate Greenbone reports into Wazuh or Microsoft Sentinel via the GMP API for centralised remediation tracking
  • Build compliance-focused scan configs targeting PCI-DSS or CIS Benchmarks
  • Add SNMP credentials to scan network devices (switches, routers, firewalls)
  • Enable delta reports to automatically highlight which vulnerabilities appeared or were fixed between two scan runs