
RE: Nessus to be removed from Debian, please switch to OpenVAS - possibly in Non-Free repositories?



I'm all for having more tools to help settle my healthy paranoia but I'm not seeing the server package:

Lenny:~/Workbench# aptitude update
Lenny:~/Workbench# aptitude search openvas
p   libopenvas1                     - OpenVAS shared libraries
p   libopenvas1-dev                 - OpenVAS static libraries and headers
p   openvas-client                  - Remote network security auditor, the client
Lenny:~/Workbench# aptitude show openvas-server
E: Unable to locate package openvas-server

(I'll go check the site in case I'm missing a repository or some such odd thing)

Also, if upstream is not going to maintain it at all and the Debian package maintainer's time is then better spent helping with OpenVAS (if they so choose of course) then off it goes. It's just a heck of a heavyweight to drop completely. Between its reports and importing the NBE into metasploit for exploit confirmation, it's a hard habit to give up. Any chance of seeing it in the Non-Free instead has upstream dropped its upkeep completely? (Boo Nessus.. Wish they'd have kept to the FOSS lower, value added retail upper model)


Since I've been lurking on the mailing list for a while now, let me also say; thank you, thank you, thank you. After years of Mandrake/Mandriva, Debian has been like walking out into the sunshine. Fantastic distribution, thank you all who do more than my weak PR noise to keep it great.


-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:javifs@gmail.com] On Behalf Of Javier Fernández-Sanguino Peña
Sent: Sunday, August 02, 2009 2:03 PM
To: Debian Security
Cc: openvas-distro-deb@wald.intevation.org
Subject: Nessus to be removed from Debian, please switch to OpenVAS


Dear All,

I've recently requested Debian Ftp maintainers [1] to remove from the archive Nessus and all its related packages (nessus-core, nessus-libraries, libnasl and nessus-plugins). The main reason for this is that upstream is more focused on maintaining its non-free version of Nessus (labeled version '3') than the free version (the 2.2.x branch). Additionally, most of the plugins (i.e. security tests) are now non-free.

I encourage people that are looking for an alternative to Nessus to switch to OpenVAS (Open Vulnerability Assessment Scanner) which is a Nessus fork (based on the 2.2.x branch) that is actively being maintained and is now available in Debian.

No "smooth" transition will be provided from Nessus to OpenVAS, those that need to switch can, however, possibly reuse the certificates, scanner knowledgebase and custom NASL scripts used with Nessus with OpenVAS too.

Both tools can even be installed side-by-side since the OpenVAS server uses a different port than the Nessus one. 

Installing OpenVAS is Debian easy. To get both the server and the client just
run:

aptitude install openvas-server openvas-client

Currently the OpenVAS release in Debian's unstable [2] distribution (2.0.1) does not provide a way to easily download the plugins from the Internet.

Packages for the next release (2.0.3) have been worked on at the Debconf and will be available really soon. With this release you can download the plugins running (as root) 'openvas-nvt-sync' as described in http://www.openvas.org/nvt-feeds.html

If you need help on the migration from Nessus or want more information on the Debian OpenVAS packages please use OpenVAS' mailing list (in CC:) or the general user-oriented mailing lists (see http://www.openvas.org)


Regards

Javier


[1] See the BTS: #534501, #534502, #534505, #534506

[2] OpenVAS in the stable (lenny) release is somewhat dated (1.0.2 version) but backports are being made available too.

