GVM (Greenbone Vulnerability Management) is an open-source solution for vulnerability scanning and vulnerability management. GVM was previously known as OpenVAS.
Greenbone Vulnerability Manager and OpenVAS are widely used by a number of people in the World including security experts and common users alike who used this all in one suite of tools that works together to run the tests against client computers using its own database of known weaknesses and exploits.
In this article, we will show How to install and setup GVM on Ubuntu 20.04 to make sure that your servers are protected against attacks.
Base System
We will setup Greenbone Vulnerability Manager 20.08 with the basic installation of system packages on Ubuntu 20.04.
Install Prerequisites
First install the following dependencies packages.
sudo su - apt update && apt -y dist-upgrade && apt -y autoremove && apt install -y software-properties-common && apt install -y build-essential cmake pkg-config libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev doxygen graphviz libradcli-dev libhiredis-dev libpcap-dev bison libksba-dev libsnmp-dev gcc-mingw-w64 heimdal-dev libpopt-dev xmltoman redis-server xsltproc libical-dev postgresql postgresql-contrib postgresql-server-dev-all gnutls-bin nmap rpm nsis curl wget fakeroot gnupg sshpass socat snmp smbclient libmicrohttpd-dev libxml2-dev python3-polib gettext rsync xml-twig-tools python3-paramiko python3-lxml python3-defusedxml python3-pip python3-psutil python3-impacket virtualenv vim git && apt install -y texlive-latex-extra --no-install-recommends && apt install -y texlive-fonts-recommended && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt update && apt -y install yarn && yarn install && yarn upgrade
Create the GVM User
Paste the following commands to terminal to create the gvm user which will be used in the installation and compilation process:
echo 'export PATH="$PATH:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"' | tee -a /etc/profile.d/gvm.sh && chmod 0755 /etc/profile.d/gvm.sh && source /etc/profile.d/gvm.sh && bash -c 'cat < /etc/ld.so.conf.d/gvm.conf # gmv libs location /opt/gvm/lib EOF'
mkdir /opt/gvm && adduser gvm --disabled-password --home /opt/gvm/ --no-create-home --gecos '' && usermod -aG redis gvm && chown gvm:gvm /opt/gvm/
Now login as gvm user. From now on, the title headers will be marked with which user is needed to execute commands as.
sudo su - gvm
Download and Install Software (GVM)
Now create the src folder and git clone the GVM source code:
mkdir src && cd src && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
git clone -b gvm-libs-20.08 --single-branch https://github.com/greenbone/gvm-libs.git && git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git && git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git && git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git && git clone -b gsa-20.08 --single-branch https://github.com/greenbone/gsa.git && git clone -b ospd-openvas-20.08 --single-branch https://github.com/greenbone/ospd-openvas.git && git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git
Install gvm-libs (GVM)
In this step we will compile the gvm-libs from the github:
cd gvm-libs && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH && mkdir build && cd build && cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. && make && make doc && make install && cd /opt/gvm/src
Install openvas-smb (GVM)
Now enter openvas-smb directory and compile the source code:
cd openvas-smb && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH && mkdir build && cd build/ && cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. && make && make install && cd /opt/gvm/src
Install the scanner (GVM)
Like in the previous steps, we will now build and install openvas scanner:
cd openvas && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH && mkdir build && cd build/ && cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. && make && make doc && make install && cd /opt/gvm/src
Fix redis for OpenVAS Install (root)
Now we must log out of the current session to get back to the privilege user by Type ‘exit’ in the terminal.
Now paste the following code to terminal:
export LC_ALL="C" && ldconfig && cp /etc/redis/redis.conf /etc/redis/redis.orig && cp /opt/gvm/src/openvas/config/redis-openvas.conf /etc/redis/ && chown redis:redis /etc/redis/redis-openvas.conf && echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf && systemctl enable [email protected] && systemctl start [email protected]
sysctl -w net.core.somaxconn=1024 && sysctl vm.overcommit_memory=1 && echo "net.core.somaxconn=1024" >> /etc/sysctl.conf && echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
cat << /etc/systemd/system/disable-thp.service [Unit] Description=Disable Transparent Huge Pages (THP) [Service] Type=simple ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag" [Install] WantedBy=multi-user.target EOF
systemctl daemon-reload && systemctl start disable-thp && systemctl enable disable-thp && systemctl restart redis-server
Add the /opt/gvm/sbin path to the secure_path variable:
sed 's/Defaultss.*secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"/Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"/g' /etc/sudoers | EDITOR='tee' visudo
Allow the user running ospd-openvas to launch with root permissions:
echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm
Update NVT (GVM)
We will now run the greenbone-nvt-sync to update the vulnerability file definitions.
First switch back to the GVM user session:
sudo su – gvm
And run the following:
greenbone-nvt-sync
If you get timeout errors, it is most likely that there is a firewall in the way. Make sure to open TCP port 873. If you get connection refused errors, wait some time and try again.
This takes a very long time, so you’ll have to be patient.
Upload Plugins in redis with OpenVAS (GVM)
This may take a little time depending on your hardware, and gives you no feedback when you run the command.
sudo openvas -u
Note: If you get missing library errors, type the following (one line at the time):
exit echo "/opt/gvm/lib > /etc/ld.so.conf.d/gvm.conf ldconfig sudo su - gvm
Install Manager (GVM)
Now enter the gvmd directory to build and install Greenbone Manager:
cd /opt/gvm/src/gvmd && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH && mkdir build && cd build/ && cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. && make && make doc && make install && cd /opt/gvm/src
Configure PostgreSQL (Sudoers User)
Switch to a user in sudoers (do not use root or gvm for this). The user session will be switched with “sudo -u postgres bash” command bellow.
Execute one line at a time.
exit cd / sudo -u postgres bash export LC_ALL="C" createuser -DRS gvm createdb -O gvm gvmd psql gvmd create role dba with superuser noinherit; grant dba to gvm; create extension "uuid-ossp"; create extension "pgcrypto"; exit exit
Fix Certificates (GVM)
Type one line at the time:
sudo su - gvm gvm-manage-certs -a
Create Admin User (GVM)
This will create an initial username and password. Remember to change it later.
gvmd --create-user=admin --password=admin
Configure and Update Feeds (GVM)
For the feeds to update completely, we will need to set “Feed Import Owner” to the admin’s UUID. First, find the UUID of the new admin user
gvmd --get-users --verbose
You should get something like this:
admin fb019c52-75ec-4cb6-b176-5a55a9b360bf
Use the string next to the admin in the next command:
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value (output string from the above command fb019c52-75ec-4cb6-b176-5a55a9b360bf)
So the example command would be:
$ gvmd --get-users --verbose admin fb019c52-75ec-4cb6-b176-5a55a9b360bf $ gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value fb019c52-75ec-4cb6-b176-5a55a9b360bf
Run the next three commands one line at a time. If you get connection refused errors, try the command again until it succeeds. These commands will also take some time.
greenbone-feed-sync --type GVMD_DATA greenbone-feed-sync --type SCAP greenbone-feed-sync --type CERT
Install gsa (GVM)
Again as in earlier steps, enter the gsa folder and compile gsa source code:
cd /opt/gvm/src/gsa && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH && mkdir build && cd build/ && cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. && make && make doc && make install && touch /opt/gvm/var/log/gvm/gsad.log && cd /opt/gvm/src
Set up OSPD-OpenVAS
Install the virtualenv (GVM)
Note: You may have to change –python python3.8 to match your installed python version.
cd /opt/gvm/src && export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH && virtualenv --python python3.8 /opt/gvm/bin/ospd-scanner/ && source /opt/gvm/bin/ospd-scanner/bin/activate
Install ospd (GVM)
We will install ospd using pip installer:
mkdir /opt/gvm/var/run/ospd/ && cd ospd && pip3 install . && cd /opt/gvm/src
Install ospd-openvas (GVM)
Again for the ospd-openvas we will be using pip installer with the package we cloned from github:
cd ospd-openvas && pip3 install . && cd /opt/gvm/src
Create Startup Scripts (root)
First type exit to loguout to root session, then paste the following in terminal:
cat << EOF > /etc/systemd/system/gvmd.service [Unit] Description=Open Vulnerability Assessment System Manager Daemon Documentation=man:gvmd(8) https://www.greenbone.net Wants=postgresql.service ospd-openvas.service After=postgresql.service ospd-openvas.service [Service] Type=forking User=gvm Group=gvm PIDFile=/opt/gvm/var/run/gvmd.pid WorkingDirectory=/opt/gvm ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock ExecReload=/bin/kill -HUP $MAINPID KillMode=mixed Restart=on-failure RestartSec=2min KillMode=process KillSignal=SIGINT GuessMainPID=no PrivateTmp=true [Install] WantedBy=multi-user.target EOF
cat << EOF > /etc/systemd/system/gsad.service [Unit] Description=Greenbone Security Assistant (gsad) Documentation=man:gsad(8) https://www.greenbone.net After=network.target Wants=gvmd.service [Service] Type=forking PIDFile=/opt/gvm/var/run/gsad.pid WorkingDirectory=/opt/gvm ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm Restart=on-failure RestartSec=2min KillMode=process KillSignal=SIGINT GuessMainPID=no PrivateTmp=true [Install] WantedBy=multi-user.target EOF
cat << EOF > /etc/systemd/system/ospd-openvas.service [Unit] Description=Job that runs the ospd-openvas daemon Documentation=man:gvm After=network.target [email protected] [email protected] [Service] Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin Type=forking User=gvm Group=gvm WorkingDirectory=/opt/gvm PIDFile=/opt/gvm/var/run/ospd-openvas.pid ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/ Restart=on-failure RestartSec=2min KillMode=process KillSignal=SIGINT GuessMainPID=no PrivateTmp=true [Install] WantedBy=multi-user.target EOF
Enable and Start the services (root)
We will now enable and start the GVM services, also as root user:
systemctl daemon-reload && systemctl enable gvmd && systemctl enable gsad && systemctl enable ospd-openvas && systemctl start gvmd && systemctl start gsad && systemctl start ospd-openvas
Check the services (root)
Make sure all three services are running (type one line at the time).
systemctl status gvmd systemctl status gsad systemctl status ospd-openvas
Modify Default Scanner (GVM)
Switch back to your GVM session.
sudo su - gvm
First, get the UUID of the scanner that has the socket (ospd.sock)
gvmd --get-scanners
Then modify the scanner:
gvmd --modify-scanner=(INSERT SCANNER UUID HERE) --scanner-host=/opt/gvm/var/run/ospd.sock
Example:
gvmd --get-scanners 08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /var/run/ospd/ospd.sock 0 OpenVAS Default 6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/opt/gvm/var/run/ospd.sock Scanner modified.
That is it. You can now login to GVM web interface.
Conclusion
We have successfully completed the GVM installation on Ubuntu 20.04. You can now log in using your server IP address. The default login is admin/admin as set above. Let us know what you think about the tutorial in the comments below.
