Automate Your Vulnerability Management: Deploy OpenVAS on Debian 13 in Minutes – A Cybersecurity Quick Win + Video

Listen to this Post

Featured Image

Introduction:

In today’s threat landscape, new vulnerabilities emerge daily, making continuous assessment essential—yet many organizations rely solely on governance without hands-on technical validation. OpenVAS (Open Vulnerability Assessment System) provides a free, powerful scanner, but manual setup often deters adoption. By using an automated deployment script on a clean Debian 13 VM, you can establish a repeatable, low-effort vulnerability scanning capability that delivers regular reports and permanent exposure tracking as a quick win for any information system.

Learning Objectives:

  • Automate OpenVAS deployment on Debian 13 using a community-maintained shell script to eliminate configuration friction.
  • Perform scheduled vulnerability scans, interpret CVSS-based results, and generate professional compliance reports.
  • Integrate lightweight vulnerability scanning into existing security governance without expensive commercial tools.

You Should Know

1. Deploying OpenVAS Instantly with the Easy-openvas Script

This section walks you through setting up a dedicated Debian 13 virtual machine and running the open-source script from GitHub. The script handles dependencies, Greenbone Vulnerability Management (GVM) installation, and service initialization.

Step‑by‑step guide:

  1. Download Debian 13 (netinst ISO) and create a VM (4 GB RAM, 40 GB disk, bridged networking).
  2. Boot and install minimal system with SSH server enabled.

3. Update the base system and install git:

sudo apt update && sudo apt upgrade -y
sudo apt install git -y

4. Clone the Easy-openvas repository:

git clone https://github.com/cedricdicesare/Easy-openvas.git
cd Easy-openvas

5. Make the script executable and run it (as root or with sudo):

chmod +x setup-openvas.sh
sudo ./setup-openvas.sh

6. Wait for completion (15–30 minutes depending on network speed). The script will:
– Add the official Greenbone community repository.
– Install gvm, openvas-scanner, gvmd, and greenbone-security-assistant.
– Sync Network Vulnerability Tests (NVTs) and SCAP data.
– Set up a default admin account (credentials shown at the end).

7. Verify the service:

sudo systemctl status gvmd
sudo netstat -tulpn | grep 9392

The Greenbone Security Assistant (GSA) web interface will be available at https://<VM_IP>:9392.

  1. Running Your First Vulnerability Scan – From Setup to Report

Once OpenVAS is live, you need to configure a target and execute a scan. The web interface provides both quick and detailed scan profiles.

Step‑by‑step guide:

  1. Access GSA from a browser: https://<VM_IP>:9392. Accept the self-signed certificate.
  2. Log in with the admin credentials (displayed after script completion; change them immediately).

3. Create a target:

  • Navigate to Configuration → Targets → New Target.
  • Enter IP range or single host (e.g., 192.168.1.0/24).
  • Leave port list as default (or specify e.g., T:22,80,443,445).

4. Launch a scan task:

  • Go to Scans → Tasks → New Task.
  • Name the task, select your target, and choose scan config. For a quick win, pick Full and fast.
  • Optionally schedule it (daily/weekly).
  1. Monitor progress – The task changes from Requested to Running. Wait for completion (time depends on network size).

6. Generate a report:

  • Click on the finished task → Reports tab.
  • Select Download → PDF, HTML, or CSV. The PDF includes CVSS scores, affected hosts, and remediation references.

Linux command alternative (using `gvm-cli`):

gvm-cli --gmp-username admin --gmp-password yourpass --socket /var/run/gvmd.sock --xml '<create_task>...</create_task>'
  1. Automating Regular Scans with Cron and OpenVAS CLI

Manual scans are not enough; continuous monitoring requires automation. You can script scan creation and use cron to run recurring assessments.

Step‑by‑step guide:

1. Install gvm-cli (if not already present):

sudo apt install gvmd-tools -y

2. Create a scan template via CLI. Save this XML as weekly_scan.xml:

<create_task>
<name>Weekly Auto Scan</name>
<comment>Scheduled vulnerability scan</comment>
<target id="YOUR_TARGET_UUID"/>
<config id="daba56c8-73ec-11df-a475-002264764cea"/> <!-- Full and fast -->
</create_task>

3. Submit the task:

TASK_UUID=$(gvm-cli --gmp-username admin --gmp-password pass --socket /var/run/gvmd.sock --xml "$(cat weekly_scan.xml)" | grep -oP '(?<=id=")[^"]+')

4. Schedule with cron for every Sunday at 2 AM:

sudo crontab -e
 Add line:
0 2   0 /usr/bin/gvm-cli --gmp-username admin --gmp-password pass --socket /var/run/gvmd.sock --xml "<start_task task_id='$TASK_UUID'/>"

5. Export results automatically after scan – write a post‑scan script that downloads the latest report via `gvm-cli` and emails it to your security team.

  1. Hardening Your Scan Environment – Firewall and Secure Access

An OpenVAS instance itself must be protected. Default installations expose the web UI on all interfaces. Use UFW and SSH tunneling to restrict access.

Step‑by‑step guide:

  1. Install UFW (Uncomplicated Firewall) and allow only SSH from your management network:
    sudo apt install ufw -y
    sudo ufw default deny incoming
    sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
    sudo ufw allow from 192.168.1.0/24 to any port 9392 proto tcp
    sudo ufw enable
    
  2. Disable default admin password and create a new user:
    sudo -u gvm gvmd --user=admin --new-password='ComplexNewPass!'
    
  3. Set up SSH tunneling for secure remote access – never expose port 9392 directly to the internet:
    On your local workstation:
    ssh -L 9392:localhost:9392 user@openvas-vm -N
    

    Then browse to `https://localhost:9392`.
    4. Apply system hardening – disable root SSH login, install fail2ban, and keep Debian updated weekly.

    5. Interpreting Scan Results and Remediation Strategies

    A vulnerability report is only valuable if you act on it. OpenVAS outputs CVSS scores, NVTs, and solution references. Prioritize fixes based on exploitability and asset criticality.

    Step‑by‑step guide:

    1. Export results to CSV from GSA (Reports → Download → CSV).
    2. Filter by CVSS score – focus on ≥7.0 (High/Critical). Use grep or Excel:

    grep -E "CVSS: [7-9]\." report.csv
    

    3. Categorize findings using NVT families (e.g., “Web Server”, “Windows SMB”, “Database”).
    4. Apply patches – For Linux hosts, run `apt list –upgradableandsudo apt upgrade -y`. For Windows, use WSUS or PowerShell:

    Get-WindowsUpdate -Install -AcceptAll
    
  4. Rescan the target after remediation to confirm closure. Create a new task or reuse the same one.
  5. Maintain a vulnerability register – track open findings, responsible owner, and due dates. Use OpenVAS tags or export to a ticketing system.

  6. Windows-Based Workflow: Running OpenVAS from WSL or Remote Client

You don’t need a Linux physical machine. Windows users can leverage WSL2 to deploy OpenVAS alongside their existing environment.

Step‑by‑step guide:

1. Enable WSL2 on Windows 10/11 (admin PowerShell):

dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
wsl --set-default-version 2

2. Install Debian 13 distribution from Microsoft Store or via wsl --install -d Debian.
3. Launch Debian WSL and follow the same script steps (Section 1). Note: WSL2 uses a virtual network, so GSA will be accessible at http://localhost:9392` after forwarding.
4. Access the web UI from Windows browser using
http://localhost:9392`.
5. For production scanning, use a dedicated Linux VM instead of WSL (better network isolation and performance).

7. Integrating OpenVAS with SIEM and Ticketing Systems

Mature security programs automate reporting. Convert OpenVAS XML into JSON and forward findings to Jira, TheHive, or a SIEM.

Step‑by‑step guide:

  1. Export the latest scan as XML from GSA or via CLI:
    gvm-cli --gmp-username admin --gmp-password pass --socket /var/run/gvmd.sock --xml '<get_reports report_id="X" format="5057e5cc-bac4-11df-860a-002264764cea"/>' > results.xml
    
  2. Parse XML with a Python script – extract IP, NVT name, CVSS, and solution:
    import xml.etree.ElementTree as ET
    tree = ET.parse('results.xml')
    for result in tree.findall('.//result'):
    host = result.find('host').text
    nvt = result.find('nvt/name').text
    cvss = result.find('nvt/cvss_base').text
    print(f"{host} - {nvt} (CVSS: {cvss})")
    
  3. Create Jira tickets automatically using the REST API (example with curl):
    curl -u username:api_token -X POST -H "Content-Type: application/json" -d '{"fields":{"project":{"key":"SEC"},"summary":"Vulnerability found on host X","description":"OpenVAS detected ..."}}' https://your-domain.atlassian.net/rest/api/3/issue
    
  4. Forward to SIEM (Splunk/ELK) using syslog or HTTP Event Collector – include severity and remediation steps.

What Undercode Say

  • Key Takeaway 1: Automated deployment scripts dramatically lower the barrier to continuous vulnerability scanning, enabling even resource‑constrained teams to adopt OpenVAS as a practical quick win.
  • Key Takeaway 2: Regular scanning combined with actionable reporting and remediation workflows transforms raw findings into measurable risk reduction—no expensive commercial licenses required.

Analysis: The open‑source ecosystem continues to democratize security testing. Cedric’s script addresses a common pain point: the complexity of Greenbone/OpenVAS setup. By reducing installation to a single command, it allows defenders to focus on interpreting results rather than fighting dependencies. However, organizations must not treat automated scanning as a silver bullet; false positives, scan footprint on production systems, and credential management for authenticated scans remain challenges. Pairing OpenVAS with periodic penetration testing and asset inventory ensures comprehensive coverage. The trend toward “compliance as code” and infrastructure‑as‑scan aligns perfectly with this approach. Expect more pre‑packaged, containerized scanning appliances to emerge, but the fundamental need for skilled analysis will never be fully automated.

Prediction: Within 24 months, lightweight vulnerability scanners like OpenVAS will integrate AI‑assisted prioritization and automatic remediation suggestions, moving from detection to guided response. The line between commercial and open‑source capabilities will blur, forcing vendors to differentiate through managed services rather than core scanning engines. Organizations that establish automated scanning baselines today will lead in vulnerability response maturity tomorrow.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: C%C3%A9dric Di – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky