Author: Martin Dvorsky
Greenbone Vulnerability Manager (formerly OpenVAS) is the most popular open source vulnerability scanner.
In this tutorial we will install, configure and prepare GVM v10 for use with CLI only.
Versions:
OS: Debian 9.8.0
GVMD: 8.0
GVM-libs: 10.0
GVM-tools: 1.4.1
OpenVAS (scanner): 6.0
OpenVAS SMB: 1.0.5
Install dependencies
sudo apt install -y git xmltoman doxygen gcc cmake pkg-config gcc-mingw-w64 libgnutls28-dev perl-base heimdal-dev libpopt-dev libglib2.0-dev libgpgme11-dev uuid-dev libssh-gcrypt-dev libhiredis-dev libpcap-dev bison libksba-dev libsnmp-dev libgcrypt20-dev libradcli-dev libldap2-dev clang-format libical-dev postgresql postgresql-contrib postgresql-server-dev-all xsltproc python3-pip redis-server gnutls-bin python3-paramiko python3-lxml python3-defusedxml haveged
Clone and install the following source code from GitHub
Note: At the time of writing this article (10/2019) we weren’t successful in installing the latest versions (master branches) of the following components. There were cross dependencies that were impossible to meet, and according to developers at the Greenbone community portal: “The master branch is used for development and could break at any time”, so we stayed away from that.
We used the versions (branches) mentioned at the beginning of the article.
- https://github.com/greenbone/openvas-smb
- https://github.com/greenbone/gvm-libs
- https://github.com/greenbone/openvas-scanner
- https://github.com/greenbone/gvmd
git clone -b <branch_name> <package_URL>
cd <package_name>
cmake .
sudo make install
Install gvm-tools using pip3
pip3 install gvm-tools
Link libraries
sudo ldconfig
Edit the config file for the Redis DB server: /etc/redis/redis.conf
Change the listening port to 0 (don’t listen on TCP, use a Unix socket instead)
port 0
Enable Unix socket
unixsocket /tmp/redis.sock
unixsocketperm 700
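The check below is an added example, not part of the original tutorial: a shell function that reads a redis.conf and confirms the three settings above (TCP disabled, Unix socket set, socket mode without group/other access). The function names and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a redis.conf for the three
# settings shown above. Function names are assumptions for illustration.

# Print the effective value of a directive. Directive names are
# case-insensitive and the last occurrence in the file wins.
redis_directive() {  # usage: redis_directive <conf> <lowercase-name>
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == want  { val = $2 }
        END { gsub(/"/, "", val); print val }
    ' "$1"
}

# Return 0 when TCP is disabled and a Unix socket without group/other
# access is configured; otherwise print each finding and return 1.
check_redis_conf() {  # usage: check_redis_conf <conf>
    conf=$1; rc=0
    port=$(redis_directive "$conf" port)
    sock=$(redis_directive "$conf" unixsocket)
    perm=$(redis_directive "$conf" unixsocketperm)

    # Without a "port" line Redis uses its default TCP port, 6379.
    if [ "${port:-6379}" != "0" ]; then
        echo "FAIL: TCP listener enabled (port ${port:-6379})"; rc=1
    fi
    if [ -z "$sock" ]; then
        echo "FAIL: unixsocket is not set"; rc=1
    fi
    # The last two octal digits are group and other; both must be 0.
    case "$perm" in
        "")  echo "FAIL: unixsocketperm is not set"; rc=1 ;;
        *00) : ;;
        *)   echo "FAIL: unixsocketperm $perm allows group/other access"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: a stock-style "port 6379" overridden by the tutorial's lines.
sample=$(mktemp)
printf '%s\n' 'port 6379' '# unixsocket /var/run/redis.sock' \
    'port 0' 'unixsocket /tmp/redis.sock' 'unixsocketperm 700' > "$sample"
check_redis_conf "$sample" && echo "OK: matches the tutorial's Redis settings"
rm -f "$sample"
```

To audit the real file, call check_redis_conf with /etc/redis/redis.conf as its argument.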
Create systemd service files for openvassd and gvmd
/etc/systemd/system/openvassd.service
[Unit]
Description=OpenVas scanner
After=redis-server.service
[Service]
ExecStart=/usr/local/sbin/openvassd -f
[Install]
WantedBy=multi-user.target
/etc/systemd/system/gvmd.service
[Unit]
Description=OpenVas manager
[Service]
ExecStart=/usr/local/sbin/gvmd -f
[Install]
WantedBy=multi-user.target
Edit systemd service file for Redis DB server /lib/systemd/system/redis-server.service
Don’t create separate file system namespace
PrivateTmp=no
Grant access to Unix socket (add line into [Service] section)
ReadWriteDirectories=-/tmp
Reload service files
sudo systemctl daemon-reload
Restart Redis DB server
sudo systemctl restart redis-server.service
ls -l /tmp should now list the socket file redis.sock
Update signatures (NVTs, SCAP data, CERT data)
sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync
Create GVM admin account and change password (single-quote the password, otherwise the shell expands $3 and $$ before gvmd sees it)
sudo gvmd --create-user=admin --role=Admin
sudo gvmd --user=admin --new-password='V3ry$3cur3P@$$w0rd'
(Optional) Modify OpenVAS scanner configuration
The config file for the OpenVAS scanner doesn’t exist by default. You can check the default configuration using the command:
sudo openvas -s
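If you want to modify any of this configuration (for example number of concurrently scanned vulnerabilities or hosts), use the following command and then edit the created file (the output goes through sudo tee because a plain > redirection is performed by your unprivileged shell, not by sudo):
sudo openvas -s | sudo tee /usr/local/etc/openvas/openvas.conf > /dev/null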
Enable GVMD and OpenVAS scanner services and start them:
sudo systemctl enable openvassd.service
sudo systemctl enable gvmd.service
sudo systemctl start openvassd.service
sudo systemctl start gvmd.service
Signatures are now probably loading (check using ps -ef). Loading SCAP data can take more than one hour. After the loading is complete, restart the system and enjoy GVM.
An example of a simple command to show all tasks:
gvm-cli --gmp-username admin --gmp-password 'V3ry$3cur3P@$$w0rd' socket --socketpath /usr/local/var/run/gvmd.sock --xml '<get_tasks/>'
(Optional) Web GUI
For Web GUI you will need Greenbone Security Assistant (GSA) and probably a few dependencies (not tested).
https://github.com/greenbone/gsa