
OpenVAS replacing Nessus in Debian

By Jake Edge
August 12, 2009

For many years, the Nessus network vulnerability scanner was a standard tool for free-software-oriented administrators. It provided a very useful, GPL-licensed scanner that detected vulnerabilities, misconfigurations, and other security problems on the network. That began to change in late 2005, when Nessus 3.0 switched to a non-free license, so those looking for a free software network scanner had to turn elsewhere.

There have been a number of attempts to fork the last GPL version of the Nessus software (2.2), but the most successful to date has been the Open Vulnerability Assessment System (or OpenVAS). The forked scanner has been making great strides to the point where Debian's Nessus maintainer, Javier Fernández-Sanguino Peña, asked that Nessus be removed from the unstable branch in favor of OpenVAS. In his message, he noted:

The main reason for this is that upstream is more focused on maintaining its non-free version of Nessus (labeled version '3') than the free version (the 2.2.x branch). Additionally, most of the plugins (i.e. security tests) are now non-free.

There are really two parts to a vulnerability scanner: a core scanner and a set of plugins that implement network vulnerability tests (or NVTs). Much like virus signatures, NVTs are constantly being added and updated, and they are distributed via network feeds. For a vulnerability scanner to be really usable, NVTs must remain available for older vulnerabilities as well as being developed for new ones as they come along. In the thread on the debian-security mailing list, Tim Brown reports that OpenVAS has reached that point:

In specific relation to remote testing, it has almost everything the old Nessus 2 GPL feed had plus a good deal more. There are a number of plugin developers who are [focused] only on this part of the picture. I can tell you for example that there are checks that are in OpenVAS that are *not* in Nessus 3/4 for example.

AFAIK the only plugins that are in Nessus 2 but not in OpenVAS are those which Tenable have since claimed are not GPL and for these the OpenVAS team are actively developing replacements.
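To make the core-plus-plugin split described above concrete, here is a toy model in Python. It is added here for illustration and is not code from OpenVAS, Nessus, or the article: a scanner core that runs banner-based tests supplied by a plugin feed, and a feed update that adds or replaces tests by id without dropping the older ones. The NVT ids, product names, banners, and version thresholds are constructed for the example; real NVTs are written in the scanners' own plugin language and are considerably more involved.

```python
"""Toy model of the scanner-core / NVT-plugin split.

Constructed example, not OpenVAS or Nessus code. The names Nvt, run_scan and
apply_feed are hypothetical, as are all product names, ids and banners below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.2.10' into (2, 2, 10); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


@dataclass(frozen=True)
class Nvt:
    """One network vulnerability test: metadata plus a check run over a service banner."""
    nvt_id: str                              # stable id; a feed update replaces by this key
    name: str
    service: str                             # which service's banner this test inspects
    check: Callable[[str], Optional[str]]    # returns a finding, or None if not affected


def banner_version_check(pattern: str, fixed_in: str, what: str) -> Callable[[str], Optional[str]]:
    """Build a classic banner-based check: affected if the advertised version is older than fixed_in.

    Caveat: distribution packages often backport fixes without bumping the advertised
    version, so banner-based checks can false-positive; the finding text says so.
    """
    regex = re.compile(pattern)
    fixed = parse_version(fixed_in)

    def check(banner: str) -> Optional[str]:
        m = regex.search(banner)
        if not m:
            return None
        if parse_version(m.group(1)) < fixed:
            return f"{what}: version {m.group(1)} < {fixed_in} (banner-based, may be backported)"
        return None

    return check


def run_scan(banners: dict[str, str], feed: dict[str, Nvt]) -> dict[str, str]:
    """The 'core': give each NVT the banner for its service and collect findings by NVT id."""
    findings: dict[str, str] = {}
    for nvt in feed.values():
        banner = banners.get(nvt.service)
        if banner is None:
            continue                          # service not present on target; test does not apply
        result = nvt.check(banner)
        if result:
            findings[nvt.nvt_id] = result
    return findings


def apply_feed(current: dict[str, Nvt], update: list[Nvt]) -> dict[str, Nvt]:
    """A feed update: new tests are added, existing ones replaced by id, old ones never dropped."""
    merged = dict(current)
    for nvt in update:
        merged[nvt.nvt_id] = nvt
    return merged


# Constructed feed: hypothetical test ids and version thresholds, not real advisories.
INITIAL_FEED = apply_feed({}, [
    Nvt("TOY-0001", "ExampleFTPd outdated", "ftp",
        banner_version_check(r"ExampleFTPd (\d+(?:\.\d+)*)", "1.4.0", "ExampleFTPd")),
])
FEED_UPDATE = [
    Nvt("TOY-0002", "ExampleHTTPd outdated", "http",
        banner_version_check(r"ExampleHTTPd/(\d+(?:\.\d+)*)", "2.3.5", "ExampleHTTPd")),
]
FEED = apply_feed(INITIAL_FEED, FEED_UPDATE)   # the older FTP test survives the update

# Constructed target: invented banners for three services.
TARGET_BANNERS = {
    "ftp": "220 ExampleFTPd 1.3.2 ready",
    "http": "Server: ExampleHTTPd/2.4.0",
    "ssh": "SSH-2.0-ExampleSSH_7.1",         # no NVT covers this service; the core skips it
}


def demo() -> dict[str, str]:
    return run_scan(TARGET_BANNERS, FEED)


if __name__ == "__main__":
    for nvt_id, finding in demo().items():
        print(nvt_id, finding)
```

Only the FTP service is flagged here: the HTTP banner advertises a version at or above the threshold, and nothing in the feed covers SSH. The separation is the point: the core knows nothing about any particular vulnerability, and the feed can grow or be swapped (as OpenVAS did with its own NVTs) without touching the core.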

Where Debian goes, other distributions are likely to follow, so we may see Nessus removed in favor of OpenVAS elsewhere as well. It is unfortunate that Tenable, the company behind Nessus, was unable to find a way to continue with a GPL-licensed Nessus, but the rise of OpenVAS shows the power of code that is available under a free software license. That is not to say that Tenable did anything wrong; it was their code and thus their choice. In fact, the community should be grateful that they provided the core of a nice tool for as long as they did. But, because the GPL allows forks like OpenVAS, Nessus users still had a free software path to follow once Tenable decided to go in a different direction.

The main stumbling block to getting to this point has been the NVTs released for Nessus. Those are governed by a separate license that made it legally dubious, at best, to use them in OpenVAS. So, the OpenVAS developers had to tackle that problem themselves. Based on Brown's message, it would seem they have gotten most of the way there, and have an active community to continue that work into the future.


Index entries for this article
Security/Distribution security
Security/Tools/Network vulnerability scanner



OpenVAS replacing Nessus in Debian

Posted Aug 13, 2009 9:22 UTC (Thu) by ber (subscriber, #2142)

The company Greenbone Networks is offering a professional security feed, based on OpenVAS. See their FAQ. Greenbone and its partners contribute their developments as Free Software into the OpenVAS community, which they are a part of. (Full Disclosure: My company partly owns Greenbone Networks GmbH.)


Copyright © 2009, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds