Menu Close

OpenVAS/GVM installation and configuration from source code

Author: Martin Dvorsky

Greenbone Vulnerability Manager (formerly OpenVAS) is the most popular open source vulnerability scanner.
In this tutorial we will install, configure and prepare GVM v10 for use with CLI only.

Versions:

OS: Debian 9.8.0
GVMD: 8.0
GVM-libs: 10.0
GVM-tools: 1.4.1
OpenVAS (scanner): 6.0
OpenVAS SMB: 1.0.5

Install dependencies

sudo apt install -y git xmltoman doxygen gcc cmake pkg-config gcc-mingw-w64 libgnutls28-dev perl-base heimdal-dev libpopt-dev libglib2.0-dev libgpgme11-dev uuid-dev libssh-gcrypt-dev libhiredis-dev libpcap-dev bison libksba-dev libsnmp-dev libgcrypt20-dev libradcli-dev libldap2-dev clang-format libical-dev postgresql postgresql-contrib postgresql-server-dev-all xsltproc python3-pip redis-server gnutls-bin python3-paramiko python3-lxml python3-defusedxml haveged

Git clone and install following source codes from GitHub

Note: At the time of writing this article (10/2019) we weren’t successful in installing the latest versions (master branches) of following components. There were cross dependencies that were impossible to meet and according to developers at Greenbone community portal: “The master branch is used for development and could break at any time”, so we stayed away from that.
We used versions (branches) mentioned in the beginning of the article.

git clone -b <branch_name> <package_URL>
cd <package_name>
cmake .
sudo make install

Install gvm-tools using pip3

pip3 install gvm-tools

Link libraries

sudo ldconfig

Edit config file for Redis DB server /etc/redis/redis.conf

Change listening port to 0 (don’t listen, use Unix socket instead)

port 0

Enable Unix socket

unixsocket /tmp/redis.sock
unixsocketperm 700

Create systemd service files for openvassd and gvmd

/etc/systemd/system/openvassd.service

[Unit]
Description=OpenVas scanner
After=redis-server.service

[Service]
ExecStart=/usr/local/sbin/openvassd -f

[Install]
WantedBy=multi-user.target

/etc/systemd/system/gvmd.service

[Unit]
Description=OpenVas manager

[Service]
ExecStart=/usr/local/sbin/gvmd -f

[Install]
WantedBy=multi-user.target

Edit systemd service file for Redis DB server /lib/systemd/system/redis-server.service

Don’t create separate file system namespace

PrivateTmp=no

Grant access to Unix socket (add line into [Service] section)

ReadWriteDirectories=-/tmp

Reload service files

sudo systemctl daemon-reload

Restart Redis DB server

sudo systemctl restart redis-server.service

ls -l /tmp should give you sock file redis.sock

Update signatures (NVTs, SCAP data, CERT data)

sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync

Create GVM admin account and change password

sudo gvmd --create-user=admin --role=Admin
sudo gvmd --user=admin --new-password=V3ry$3cur3P@$$w0rd

(Optional) Modify OpenVAS scanner configuration

Config file for OpenVAS scanner by default doesn’t exists. You can check default configuration using command:

sudo openvas -s

If you want to modify any of this configuration (for example number of concurrently scanned vulnerabilities or hosts), use the following command and then edit the created file:

sudo openvas -s > /usr/local/etc/openvas/openvas.conf

Enable GVMD and OpenVAS scanner services and start them:

sudo systemctl enable openvassd.service
sudo systemctl enable gvmd.service
sudo systemctl start openvassd.service
sudo systemctl start gvmd.service

Signatures are now probably loading (check using ps -ef). Loading SCAP data can take more than one hour. After the loading is complete, restart the system and enjoy GVM.

An example of simple command to show all tasks:

gvm-cli --gmp-username admin --gmp-password V3ry$3cur3P@$$w0rd socket --socketpath /usr/local/var/run/gvmd.sock --xml '<get_tasks/>'

(Optional) Web GUI

For Web GUI you will need Greenbone Security Assistant (GSA) and probably a few dependencies (not tested).

https://github.com/greenbone/gsa

Rate this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.