OpenVAS (Open Vulnerability Assessment System, originally known as GNessUs) is the scanner component of Greenbone Vulnerability Manager (GVM), a software framework of several services and tools offering vulnerability scanning and vulnerability management.[2]
All Greenbone Vulnerability Manager products are free software, and most components are licensed under the GNU General Public License (GPL). Plugins for Greenbone Vulnerability Manager are written in the Nessus Attack Scripting Language, NASL.
Installation of Greenbone 21.04 on Debian 11 distribution.
- Upgrade system:
apt-get update
apt-get upgrade
- Creation user gvm:
useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm
- Creation compiler directory:
mkdir /opt/gvm && chown gvm:gvm /opt/gvm
- Install requirement packages:
apt install gcc g++ make bison flex libksba-dev curl redis libpcap-dev cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev zlib1g-dev libxml2-dev libnet-dev libradcli-dev clang-format libldap2-dev doxygen gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev libunistring-dev graphviz libsnmp-dev python3-setuptools python3-paramiko python3-lxml python3-defusedxml python3-dev gettext python3-polib xmltoman python3-pip texlive-fonts-recommended texlive-latex-extra --no-install-recommends xsltproc sudo vim rsync -y
- Install Yarn on Debian 11:
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
apt update
apt install yarn -y
- Install postgresql database:
apt install postgresql-13 postgresql-contrib-13 postgresql-server-dev-13 -y
- Creation postgresql user e database:
sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmd
- Grant PostgreSQL User DBA Roles:
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
\q
exit
- Restart and enable postgresql:
systemctl restart postgresql
systemctl enable postgresql
- Allow the user to run the installation with sudo rights:
echo "gvm ALL = NOPASSWD: $(which make) install" > /etc/sudoers.d/gvm
- There are different tools required to install and setup GVM 21.04 on Debian 11/Debian 10. These include;
- GVM Libraries
- OpenVAS Scanner
- OSPd
- ospd-openvas
- Greenbone Vulnerability Manager
- Greenbone Security Assistant
- Python-GVM
- GVM-Tools
- OpenVAS SMB
- Switch to GVM user created above:
su - gvm
- Define versions:
export GVM=21.4.4
export GVMD=21.4.5
export OPENVAS=21.4.4
export OPENVAS_SMB=21.4.0
export OSPD=21.4.4
export OSP_OPENVAS=21.4.4
export GSA=21.4.4
export GSAD=21.4.4
- Create a directory where to download the source files to:
mkdir gvm-source
- Download the GVM source files:
cd gvm-source
curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM.tar.gz -o gvm-libs.tar.gz
tar -xzvf gvm-libs.tar.gz && rm gvm-libs.tar.gz && mv gvm-libs-$GVM gvm-libs
curl -f -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB.tar.gz -o openvas-smb.tar.gz
tar -xzvf openvas-smb.tar.gz && rm openvas-smb.tar.gz && mv openvas-smb-$OPENVAS_SMB openvas-smb
curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS.tar.gz -o openvas-scanner.tar.gz
tar -xzvf openvas-scanner.tar.gz && rm openvas-scanner.tar.gz && mv openvas-scanner-$OPENVAS openvas
curl -f -L https://github.com/greenbone/ospd/archive/v$OSPD.tar.gz -o ospd.tar.gz
tar -xzvf ospd.tar.gz && rm ospd.tar.gz && mv ospd-$OSPD ospd
curl -f -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSP_OPENVAS.tar.gz -o ospd-openvas.tar.gz
tar -xzvf ospd-openvas.tar.gz && rm ospd-openvas.tar.gz && mv ospd-openvas-$OSP_OPENVAS ospd-openvas
curl -f -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD.tar.gz -o gvmd.tar.gz
tar -xzvf gvmd.tar.gz && rm gvmd.tar.gz && mv gvmd-$GVMD gvmd
curl -f -L https://github.com/greenbone/gsa/archive/refs/tags/v$GSA.tar.gz -o gsa.tar.gz
tar -xzvf gsa.tar.gz && rm gsa.tar.gz && mv gsa-$GSA gsa
curl -f -L https://github.com/greenbone/gsad/archive/refs/tags/v$GSAD.tar.gz -o gsad.tar.gz
tar -xzvf gsad.tar.gz && rm gsad.tar.gz && mv gsad-$GSAD gsad
- Build and install GVM library:
cd gvm-libs
mkdir build && cd build
cmake ..
make
sudo make install
- Build and install openvas:
cd ../../openvas-smb/
mkdir build && cd build
cmake ..
make
sudo make install
cd ../../openvas
[ -d build ] || mkdir build && cd build
cmake ..
make
sudo make install
- Configure Openvas scanner:
exit
ldconfig
cp /opt/gvm/gvm-source/openvas/config/redis-openvas.conf /etc/redis/
chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" > /etc/openvas/openvas.conf
usermod -aG redis gvm
- Ottimization redis:
echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf
echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf
sysctl -p
cat > /etc/systemd/system/disable_thp.service << 'EOL'
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.target
EOL
systemctl daemon-reload
systemctl enable --now disable_thp
systemctl enable --now redis-server@openvas
systemctl status redis-server@openvas
- Update Network Vulnerability Test (NVT):
chown -R gvm: /var/lib/openvas/
echo "gvm ALL = NOPASSWD: $(which openvas)" >> /etc/sudoers.d/gvm
su - gvm
greenbone-nvt-sync
sudo openvas --update-vt-info
- Build and install GVM:
cd gvm-source/gvmd
mkdir build && cd build
cmake ..
make
sudo make install
- Build and install GSA
cd ../../gsa
rm -rf build
yarn
yarn upgrade
yarn build
- Build and install GSAD:
cd ../gsad
mkdir build && cd build
cmake ..
make
sudo make install
exit
[[ -d /usr/local/share/gvm/gsad/web ]] || mkdir -p /usr/local/share/gvm/gsad/web
chown -R gvm: /usr/local/share/gvm/gsad/web
cp -rp /opt/gvm/gvm-source/gsa/build/* /usr/local/share/gvm/gsad/web
- Keeping feeds up-to-date:
chown -R gvm: /var/lib/gvm/
sudo -u gvm greenbone-feed-sync --type GVMD_DATA
sudo -u gvm greenbone-feed-sync --type SCAP
sudo -u gvm greenbone-feed-sync --type CERT
- Generation GVM certificate:
sudo -u gvm gvm-manage-certs -a
- Build and install OSPd and OSPd-Openvas:
su - gvm
pip3 install wheel
pip3 install python-gvm gvm-tools
cd /opt/gvm/gvm-source/ospd
python3 -m pip install .
cd /opt/gvm/gvm-source/ospd-openvas
python3 -m pip install .
- Running OpenVAS Scanner, GSA and GVM services:
exit
cat > /etc/systemd/system/ospd-openvas.service << 'EOL'
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
After=network.target networking.service redis-server@openvas.service postgresql.service
Wants=redis-server@openvas.service
ConditionKernelCommandLine=!recovery
[Service]
ExecStartPre=-rm -rf /var/run/gvm/ospd-openvas.pid /var/run/gvm/ospd-openvas.sock
Type=simple
User=gvm
Group=gvm
RuntimeDirectory=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
ExecStart=/opt/gvm/.local/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/run/gvm -u /var/run/gvm/ospd-openvas.sock
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOL
[[ -d /var/run/gvm ]] || mkdir /var/run/gvm
chown -R gvm: /var/run/gvm /var/log/gvm
systemctl enable --now ospd-openvas
systemctl status ospd-openvas.service
- Creating Systemd Service units for GVM services:
cp /lib/systemd/system/gvmd.service{,.bak}
cat > /lib/systemd/system/gvmd.service << 'EOL'
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery
[Service]
Type=forking
User=gvm
Group=gvm
RuntimeDirectory=gvmd
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/var/run/gvm/ospd-openvas.sock
Restart=always
TimeoutStopSec=10
[Install]
WantedBy=multi-user.target
EOL
systemctl daemon-reload
systemctl enable --now gvmd
systemctl status gvmd
- Creating Systemd Service units for GSA services:
cp /lib/systemd/system/gsad.service{,.bak}
cat > /lib/systemd/system/gsad.service << 'EOL'
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
[Service]
Type=simple
User=gvm
Group=gvm
RuntimeDirectory=gsad
PIDFile=/var/run/gsad/gsad.pid
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
ExecStart=/usr/bin/sudo /usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOL
echo "gvm ALL = NOPASSWD: $(which gsad)" >> /etc/sudoers.d/gvm
systemctl daemon-reload
systemctl enable --now gsad
systemctl status gsad
- Create GVM Scanner:
sudo -u gvm gvmd --create-scanner="LESC OpenVAS Scanner" --scanner-type="OpenVAS" --scanner-host=/var/run/gvm/ospd-openvas.sock
sudo -u gvm gvmd --get-scanners
sudo -u gvm gvmd --modify-scanner=<UUID Default Scanner> --scanner-host=/var/run/gvm/ospd-openvas.sock
- Create GVM Admin User:
sudo -u gvm gvmd --create-user USERNAME --password=PASSWORD
- Set the Feed Import Owner:
sudo -u gvm gvmd --get-users --verbose
sudo -u gvm gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>