In this guide, we are going to learn how to install and setup GVM 11 on Ubuntu 20.04. Greenbone Vulnerability Management (GVM), was previously known as OpenVAS, is a network security scanner which provides a set of network vulnerability tests (NVTs) to detect security loopholes in systems and applications. As of this writing, GVM 11 is the current stable release.
Well, GVM 11 was set to retire by end of 2020. Try to new GVM 20.08 by following the links below;
Install and setup GVM 20.08 on Debian 10
Install and Setup GVM 20.08 on Ubuntu 20.04
Installing GVM 11 on Ubuntu 20.04
Prerequisites
In this demo, we will be building GVM 11 on Ubuntu 20.04 from source code. As such, below are the system requirements I would personally recommend.
- At least 4 GB RAM
- At least 4 vCPUs
- More than 8 GB disk space (We used 16 GB in this demo)
These requirements will vary depending on your use cases, however. Just be sure to give “enough”.
Run System Update
To begin with, update and upgrade your system packages;
apt updateapt upgradeCreate GVM User
In this demo, we are going to run GVM as a non privileged system user. As such, we are going to create gvm user and group.
useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvmCreate the GVM user directory as specified by option -d in the command above and set the user and group ownership to gvm.
mkdir /opt/gvmchown gvm:gvm /opt/gvmInstall Required Build Tools
In order to successfully build GVM 11 on Ubuntu 20.04, you need to install a number of required dependencies and build tools.
apt install gcc g++ make bison flex libksba-dev curl redis libpcap-dev \
cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev \
libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev \
zlib1g-dev libxml2-dev libradcli-dev clang-format libldap2-dev doxygen \
gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev \
libsnmp-dev python3-setuptools python3-paramiko python3-lxml python3-defusedxml python3-dev gettext python3-polib xmltoman \
python3-pip texlive-fonts-recommended texlive-latex-extra --no-install-recommends xsltprocInstall Yarn on Ubuntu 20.04
Next, install Yarn JavaScript package manager
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.listapt updateapt install yarn -yInstall PostgreSQL on#install-postgresql-ubuntu20.04 Ubuntu 20.04
GVM 11 has dropped support for sqlite3 and it currently support only PostgreSQL as the backend database. Therefore, you need to install PostgreSQL on Ubuntu 20.04;
apt install postgresql postgresql-contrib postgresql-server-dev-allCreate PostgreSQL User and Database
Once the installation is done, create the PostgreSQL user and database for Greenbone Vulnerability Management Daemon (gvmd). Note that the database and user should be created as PostgreSQL user, postgres.
sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmdGrant PostgreSQL User DBA Roles
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
\q
exitOnce that is done, restart PostgreSQL;
systemctl restart postgresqlsystemctl enable postgresqlBuilding GVM 11 from Source Code
There are different tools required to install GVM 11. These include;
- GVM Libraries
- OpenVAS Scanner
- OSPd
- ospd-openvas
- Greenbone Vulnerability Manager
- Greenbone Security Assistant
- Python-GVM
- GVM-Tools
- OpenVAS SMB
Every component has README.md and a INSTALL.md file that explains how to build and install it.
Since we are running GVM as non-privileged user, gvm, then we will install all the GVM configuration files and libraries under, /opt/gvm.
Update the PATH environment variable on /etc/environment, to include the GVM binary path such that it looks like;
vim /etc/environmentPATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"Add GVM library path to /etc/ld.so.conf.d.
echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.confBuild and Install GVM 11
Switch to GVM user, gvm and create a temporary directory to store GVM source files.
su - gvmmkdir /tmp/gvm-sourceDownload GVM Source Files
Navigate to temporary directory created above and run the subsequent commands to clone the GVM github branch files.
cd /tmp/gvm-sourcegit clone -b gvm-libs-11.0 https://github.com/greenbone/gvm-libs.gitgit clone https://github.com/greenbone/openvas-smb.gitgit clone -b openvas-7.0 https://github.com/greenbone/openvas.gitgit clone -b ospd-2.0 https://github.com/greenbone/ospd.gitgit clone -b ospd-openvas-1.0 https://github.com/greenbone/ospd-openvas.gitgit clone -b gvmd-9.0 https://github.com/greenbone/gvmd.gitgit clone -b gsa-9.0 https://github.com/greenbone/gsa.gitOnce the source files are in place, proceed to build and install GVM on Ubuntu 20.04.
gvm@ubuntu20:/tmp/gvm-source$ ls
gsa gvmd gvm-libs openvas openvas-smb ospd ospd-openvasNote that we will install all GVM files and libraries to a non-standard location, /opt/gvm. As such, you need to set the PKG_CONFIG_PATH environment variable to the location of your pkg-config
files before configuring:
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATHBe sure to replace the path, /opt/gvm, accordingly.
Build and Install GVM 11 Libraries
Change to GVM libraries directory;
cd gvm-libsCreate a build directory and change into it;
mkdir build
cd buildConfigure the build;
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvmNext, compile and install GVM libraries
makemake installBuild and Install OpenVAS scanner and OpenVAS SMB
Open Vulnerability Assessment Scanner (OpenVAS) is a full-featured scan engine that executes a continuously updated and extended feed of Network Vulnerability Tests (NVTs).
OpenVAS SMB provides modules for the OpenVAS Scanner to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.
Build and install openvas-smb;
cd ../../openvas-smb/
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make installBuild and install OpenVAS scanner;
cd ../../openvasProceed to build and install openvas.
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make installIf you encounter the error, ...error: ‘pcap_lookupdev’ is deprecated: use 'pcap_findalldevs'... while compiling openvas, edit the CMakeLists.txt file and replace the line as shown below.
vim ../../openvas/CMakeLists.txt...
#set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}")
set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations")
...Once done, save and exit the file and rerun the installation.
Configuring OpenVAS Scanner
The host scan information is stored temporarily on Redis server. The default configuration of Redis server is /etc/redis/redis.conf.
Switch back to privileged user and proceed.
exitTo begin run the command below to create the cache to the installed shared libraries;
ldconfigNext, copy OpenVAS scanner Redis configuration file, redis-openvas.conf, to the same Redis config directory;
cp /tmp/gvm-source/openvas/config/redis-openvas.conf /etc/redis/Update the ownership of the configuration.
chown redis:redis /etc/redis/redis-openvas.confUpdate the path to Redis unix socket on the /opt/gvm/etc/openvas/openvas.conf using the db_address parameter as follows;
echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.confNote, the Unix socket path is defined on /etc/redis/redis-openvas.conf file.
chown gvm:gvm /opt/gvm/etc/openvas/openvas.confAdd gvm user to redis group;
usermod -aG redis gvmYou can also optimize Redis server itself improve the performance by making the following adjustments;
Increase the value of somaxconn in order to avoid slow clients connections issues.
echo "net.core.somaxconn = 1024" >> /etc/sysctl.confRedis background save may fail under low memory condition. To avoid this, enable memory overcommit (man 5 proc).
echo 'vm.overcommit_memory = 1' >> /etc/sysctl.confReload sysctl variables created above.
sysctl -pTo avoid creation of latencies and memory usage issues with Redis, disable Linux Kernel’s support for Transparent Huge Pages (THP). To easily work around this, create a systemd service unit for this purpose.
vim /etc/systemd/system/disable_thp.service[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.targetReload systemd configurations;
systemctl daemon-reloadStart and enable this service to run on system boot.
systemctl enable --now disable_thpRestart OpenVAS Redis server
systemctl enable --now redis-server@openvasA number of Network Vulnerability Tests (NVTs) require root privileges to perform certain operations. Since openvas is launched from an ospd-openvas process, via sudo, add the line below to sudoers file to ensure that the gvm user used in this demo can run the openvas with elevated rights using passwordless sudo.
echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvmAlso, update the secure_path to include the GVM /sbin paths, /opt/gvm/sbin.
visudoDefaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"Also, enable gvm user to run GSA web application daemon, gsad, with passwordless sudo.
echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvmUpdate NVTs
Update Network Vulnerability Tests feed from Greenbone Security Feed/Community Feed using the greenbone-nvt-sync command.
The greenbone-nvt-sync command must not be executed as privileged user root, hence switch back to GVM user we created above and update the NVTs.
su - gvmNext, update the NVTs as openvas user;
greenbone-nvt-syncOnce the update is done, you need to update Redis server with the same VT info from VT files;
sudo openvas --update-vt-infoBuild and Install Greenbone Vulnerability Manager
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATHcd /tmp/gvm-source/gvmd
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make installBuild and Install Greenbone Security Assistant
cd ../../gsa
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make installUpdate GVM CERT and SCAP data from the feed servers;
greenbone-scapdata-sync
greenbone-certdata-syncConsider setting cron jobs to run the nvts, cert and scap data update scripts at your preferred frequency to pull updates from the feed servers.
Next, run the command below to generate certificates gvmd. Server certificates are used for authentication while client certificates are primarily used for authorization. More on man gvm-manage-certs.
gvm-manage-certs -aBuild and Install OSPd and OSPd-OpenVAS
Open Scanner Protocol (OSP) creates a unified interface for different security scanners and makes their control flow and scan results consistently available under the central Greenbone Vulnerability Manager service.
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATHmkdir -p /opt/gvm/lib/python3.8/site-packages/
export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
cd /tmp/gvm-source/ospd
python3 setup.py install --prefix=/opt/gvmcd ../ospd-openvas
python3 setup.py install --prefix=/opt/gvmStart OpenVAS Scanner, GSA and GVM services
Run the commands below as gvm user to start OpenVAS scanner, GSA (WebUI service) and GVM daemon. Execute the commands in the presented order.
Start OpenVAS
/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sockStart GVM
gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sockStart GSA
sudo gsadConsider creating systemd service unit files for these services to enable you manage them easily. See below
Check the status;
ps aux | grep -E "ospd-openvas|gsad|gvmd" | grep -v grepSample output;
gvm 8221 0.0 0.0 81196 1436 ? Ss 10:47 0:00 gpg-agent --homedir /opt/gvm/var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
gvm 8475 2.0 6.0 382248 122184 pts/0 Sl 10:54 1:23 /usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
gvm 8523 0.1 10.1 295648 206108 pts/0 S 10:57 0:06 gvmd: Waiting for incoming connections
postgres 8541 0.1 7.7 225436 157888 ? SLs 10:57 0:05 postgres: 12/main: gvm gvmd [local] idle
root 8599 0.0 0.8 664696 17064 pts/0 Sl 10:58 0:00 gsad
root 8600 0.0 0.1 205912 3608 pts/0 Sl 10:58 0:00 gsad
gvm 11911 0.0 9.7 295648 198056 pts/0 S 12:01 0:00 gvmd: Reloading NVTs
gvm 11913 0.0 9.8 295648 201172 pts/0 S 12:01 0:00 gvmd: OSP: Updating NVT cache
postgres 11917 0.1 0.9 217796 19544 ? Ss 12:01 0:00 postgres: 12/main: gvm gvmd [local] idleYou can also find the logs at, <install-prefix>/var/log/gvm/, which in this case is /opt/gvm/var/log/gvm.
Creating Systemd Service units for GVM services
The services below are based on what Kevin (in the comments section) did on his script.
If you had run the services commands above, be sure to stop them before you can rerun using systemd.
Create OpenVAS service
vim /etc/systemd/system/openvas.service[Unit]
Description=Control the OpenVAS service
After=redis.service
After=postgresql.service
[Service]
ExecStartPre=-rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
RemainAfterExit=yes
[Install]
WantedBy=multi-user.targetSave and exit the file and start OpenVas.
systemctl daemon-reloadsystemctl start openvasCheck the status of the service;
systemctl status openvas● openvas.service - Control the OpenVAS service
Loaded: loaded (/etc/systemd/system/openvas.service; disabled; vendor preset: enabled)
Active: active (exited) since Fri 2020-08-28 05:16:50 UTC; 4s ago
Process: 27483 ExecStartPre=/usr/bin/rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock (code=exited, status=0/SUCCESS)
Process: 27484 ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --loc>
Main PID: 27484 (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 2282)
Memory: 42.8M
CGroup: /system.slice/openvas.service
└─27501 /usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock-file-d>
Aug 28 05:16:50 ubuntu20 systemd[1]: Starting Control the OpenVAS service...
Aug 28 05:16:50 ubuntu20 systemd[1]: Started Control the OpenVAS service.Enable OpenVAS scanner to run on system boot;
systemctl enable openvasCreate GSA Service Unit file
vim /etc/systemd/system/gsa.service[Unit]
Description=Control the OpenVAS GSA service
After=openvas.service
[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad
RemainAfterExit=yes
[Install]
WantedBy=multi-user.targetvim /etc/systemd/system/gsa.path[Unit]
Description=Start the OpenVAS GSA service when gvmd.sock is available
[Path]
PathChanged=/opt/gvm/var/run/gvmd.sock
Unit=gsa.service
[Install]
WantedBy=multi-user.targetCreate GVM Service unit file
vim /etc/systemd/system/gvm.service[Unit]
Description=Control the OpenVAS GVM service
After=openvas.service
[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
RemainAfterExit=yes
[Install]
WantedBy=multi-user.targetvim /etc/systemd/system/gvm.path[Unit]
Description=Start the OpenVAS GVM service when opsd.sock is available
[Path]
PathChanged=/opt/gvm/var/run/ospd.sock
Unit=gvm.service
[Install]
WantedBy=multi-user.targetReload system unit configs and start the services;
systemctl daemon-reload
systemctl enable --now gvm.{path,service}
systemctl enable --now gsa.{path,service}Create GVM Scanner
Since we launched the scanner and set it to use our non-standard scanner host path (/opt/gvm/var/run/ospd.sock), we need to create and register our scanner;
sudo -Hiu gvm gvmd --create-scanner="Kifarunix-demo OpenVAS Scanner" --scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sockNext, you need to verify your scanner. For this, you first need to get the scanner identifier;
sudo -Hiu gvm gvmd --get-scanners08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /tmp/ospd.sock 0 OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE
9c6f2214-eb7c-4613-96bd-21551b259cf1 OpenVAS /opt/gvm/var/run/ospd.sock 9390 Kifarunix-demo OpenVAS ScannerBased on the output above, our scanner UUID is, 9c6f2214-eb7c-4613-96bd-21551b259cf1.
Verify the scanner;
sudo -Hiu gvm gvmd --verify-scanner=9c6f2214-eb7c-4613-96bd-21551b259cf1Create OpenVAS (GVM 11) Admin User
Create OpenVAS administrative user by running the command below;
sudo -Hiu gvm gvmd --create-user gvmadminThis command generates a random password for the user.
If you want to create a user and at the same time create your own password;
sudo -Hiu gvm gvmd --create-user gvmadmin --password=StronGP@SSOtherwise, you can reset the password of an already existing user;
sudo -Hiu gvm gvmd --user=<USERNAME> --new-password=<PASSWORD>Accessing GVM 11 (OpenVAS)
Greenbone Security Assistant (GSA) WebUI daemon opens port 443 and listens on all interfaces. If firewall is running, open this port to allow external access.
ufw allow 443/tcpYou can now access GSA via the url https:<serverIP-OR-hostname>. Accept the self-signed SSL warning and proceed.
Login with the administrative credentials generated above.
And there you go. That is all it take to install and Setup GVM 11. You can now start running your scans.
NOTE: When creating a scan task, be sure to select the Scanner we created above.
See example scan report below for Windows 7.
Vulnerability report;
Did I miss anything, drop it in the comments section!! Enjoy
Reference
Source files README.md and INSTALL.md files
Related Tutorials
Install OpenVAS 10 (GVM) on Debian 10 Buster
Install OpenVAS 9 with PostgreSQL in Ubuntu 18.04
How to Add and Scan a Target for Vulnerabilities on OpenVAS Scanner
How to Install and Setup OpenVAS 9 Vulnerability Scanner on Ubuntu 18.04
How to Install and Use WPScan WordPress Vulnerability Scanner Ubuntu 18.04
Thank you for making this guide. it is the best I have found, clear concise and explains the steps.
Most importantly at the end I have a working system.
Thank you for your feedback ade.
I am stuck at the su – gvm step. I am getting the error-“su:failed to execute /bin/bash/: Not a directory”
hi koromicha,I set up this system according to your tutorial, but encountered the following error when starting gsad: Oops, secure memory pool already initialized; and when performing a scan after ignoring this error, the scanner could not be connected.
md manage: WARNING: 2020-04-29 11h56.32 CST: 69734: Could not connect to Scanner at /tmp/ospd.sock
md manage: WARNING: 2020-04-29 11h56.33 CST: 69734: OSP start_scan a32d00f0-7cb1-445c-8f59-f33379ccf80b: Could not connect to Scanner
Have you ever encountered this situation? My English is not good, please understand
Hello Carle, in regards to;
1. Oops, secure memory pool already initialized, i would say ignore this.
2. For Scanner, you need to choose your scanner when creating a task and select your scanner that you created.
Try and let us know how it goes.
Thank you for your suggestion, this problem has been solved, but now there is a new problem, all scan tasks I performed have Severity of 0.0, and the following prompt appears in the report:
The report is empty. The filter does not match any of the 10 results.
The following filter is currently applied:
apply_overrides = 0 levels = hml rows = 100 min_qod = 70 first = 1 sort-reverse = severity
Is my method or procedure wrong? I found this problem while installing GVM 10 and it has not been solved
facing same issue
is this issue resolved for 0.0 log severity for every scan
I am receiving the same results with the scan I created during the install. Have any of you gotten past this?
Hi koromicha,
your post is great!! I have followed your instruction and completed the installation but I got the issue when performing the task, Wizar task not working… perform the task with multiple or singer host will get the issue is “Could not connect to Scanner” and “Severity” will be “error”
Could you advise how to resolving it?
Thanks and regards,
Thanks for the feedback. Did you select the scanner you created while setting us a task?
Yes. I did. Still error, do I need run any command to start scanner?
I have the same problem. Wizar task not working
I have the same problem task wizard does not work, if someone solves it, please tell us the solution
Great Guide! Came across an error when running the “python3 setup.py install –prefix=/opt/gvm” command saying that the directory did not support .pth files. It was showing that this command was trying to use 3.8 whereas it was installed with 3.6. Adding the 3.6 path it was mentioning to the PYTHONPATH variable seemed to allow it to proceed. This is a brand new dedicated build of 18.04 not 20.04 so not sure if that was any issue 🙂
hi, i’ve a problem when i try to start opevans:
—/tmp/gvm-source/ospd-openvas$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
> –pid-file /opt/gvm/var/run/ospd-openvas.pid \
> –log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
> –lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
ERROR: get_db_connection: Not possible to run openvas. [Errno 2] No such file or directory: ‘openvas’
I think the issue othin ran into is that the PYTHONPATH isn’t set. I ran into the same thing while I was creating a systemd unit file for it. Re-running “export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages” as the gvm user should allow it to start.
Hi Kevin,
I am also getting the error which othin saw, I have re-run the “export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages” as you suggested.
gvm@gvm:/tmp/gvm-source/ospd-openvas$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
> –pid-file /opt/gvm/var/run/ospd-openvas.pid \
> –log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
> –lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
ERROR: get_db_connection: Not possible to run openvas. [Errno 2] No such file or directory: ‘openvas’
Is there anything else i can do to resolve this so i can continue with the setup?
Thanks
Shane
Hi Shane, sounds like you skipped the compilation and installation of openvas scanner?
I tried all these mentioned recommendation, but no luck.
/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
> –pid-file /opt/gvm/var/run/ospd-openvas.pid \
> –log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
> –lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
Similarly:
# gvmd –osp-vt-update=/opt/gvm/var/run/ospd.sock
bash: gvmd: command not found
# sudo gsad
sudo: gsad: command not found
Can someone really help here?
I wrote up a script based on this guide to install it on a machine running Ubuntu server 20.04.
You won’t learn as much if you use it rather than going through the guide but if you just want to get it going it’s available here: https://github.com/yu210148/gvm_install.
Thanks for going extra step Kevin.
Managed to get GVM running thanks to your script Kevin.
However, I’m not able to run any scan tasks as it will give an error “Could not connect to Scanner”. Do you face issue as well?
Hi Khairi,
I got something similar where I ran the original version of the script on a fresh Ubuntu 20.04 server install. It was complaining about nmap not being installed. Seems it’s not included by default. I’ve updated the script to install nmap along with its other apt-get installs but if you’ve already run the installer try ‘sudo apt-get install nmap’. Then, be sure to select the ‘Created OpenVAS Scanner’ from the drop-down when creating a task.
when I run script I get following error:
openvas@openvas:~$ sudo ./install_gvm.sh
./install_gvm.sh: 7: Syntax error: newline unexpected
openvas@openvas:~$
Can you help me please?
Thank you
Hi Maurizio,
Humm, that’s odd. Lines 2 through 16 are all comments in it so I’m not sure why it would be complaining about something on line 7 for you. I should’ve mentioned doing a chmod u+x on it as I didn’t have the executable permission set but I don’t think that’s the issue you’re running into.
Open the file in a text editor and take a look at line 7 to see if there’s an unexpected newline in your copy of it.
kev.
Hello Maurizio,
You’re copying the link straight from github and downloading the html page. You need to click on install_gvm.sh on the main github page and then at the top right of the file preview there will be a button titled raw. Use the link from that instead.
https://raw.githubusercontent.com/yu210148/gvm_install/master/install_gvm.sh
Daniel
Hello,
Excellent Guide!!!! I have only one problem, I can’t export in PDF, I obtain a file with 0 bytes.
I assume I don’t have some dependency for the report, could you tell me which are the dependencies to create it?
Thanks
Alejandro
Hi,
I had the same issue; I think xsltproc was missing..
apt-get install xsltproc
Hello !
First thank you for the good job ! 😮
Just a question, who are the services you need to start for make it work after a reboot of the server ? :/
Thank again 🙂
Thanks Matth.
All the three services. You can create systemd service unit files for them and enable them to start on system boot.
Hi Koromicha,
Many thanks for such a comprehensive and clear installation guide, much appreciated. Installing OpenVas following this guide was a blast!
One question: You created user gvm in Postgres database without a password. Is that correct? Is that database being accessed only locally by gvmd?
Cheers!!
Hello eMarcel, thanks for the feedback.
The database is used locally by GVM to store various configs.
Cheers!
Thanks for the guide. However, during the greenbone-nvt-sync connection gets lost and no NVT’s are loaded. I tried 3 times (including running the install script in the comments).
When I download the NVT’s manually i see the feed in feed info but still no NVT’s are loaded.
Hi Pieter,
Did you try to append the –curl or –rsync option to the nvt update command, as in,
greenbone-nvt-sync --curl?Yes, does nothing at all
Hi Pieter,
It could be that the server was having issues. There’s also the fact that they only ever allow one connection at a time so if you’re behind an IPv4 NAT it seems that the connection can be held open even after the machine is done with it. That’s why I put all those sleep commands in the installer. It’s a kludgy workaround that worked for me but if your NAT device is holding the connection open longer than mine it may fail on its subsequent connections after the initial one.
kev.
Greenbones officially states that IPv6 should be mainly used instead of IPv4. In a NAT environment, the problems you stated are common.
Simple trick:
ssh -D 4711 CLOUD_SERVER
apt install proxychains
edit /etc/proxychains to use SOCKS5 as localhost:4711
proxychains greenbone-certdata-sync works now perfectly. Same with scapdata.
BR from CTG, Thomas
Try deleting the PID file in /opt/gvm/var/run (it gets left there when nvt-sync doesn’t complete). That should get the script going itself. The other thing I found is that the permissions (700) on the ospd.sock file in /opt/gvm/var/run were insufficient to allow the load of the VTs from the feed. Try setting that file to 777
Hello, first of all enorabuena for this fantastic post.
I have followed this tutorial as is and it throws me this error, and I don’t know what to do. I have tried to find it but I cannot solve it. thanks to everyone
Archive /opt/gvm/var/log/gvm/gvmd.log
md manage:WARNING:2020-05-19 16h10.41 utc:5368: manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
Hi Rafael,
Is OpenVAS scanner running? Also, ensure that redis is running.
Openvas does not run the scans, I just saw that when it starts a scan on the web interface (https: // localhost / login) just later in the state of the same it reports an error. I don’t know what to do the truth
Hi Rafael,
Ya, I started getting this too now. It was going after I first set it up–even did a scan with it. Checked that it was working after a reboot too. Then, left it off for a few days. When I fired it up again the other day I started getting this in gvmd.log too.
Humm…
kev.
Okay, I think I’ve got this sorted out. In the “Configuring the OpenVAS Scanner” section one of the lines is “systemctl start redis-server@openvas” but there’s not a “systemctl enable redis-server@openvas” line. So, when a reboot happens redis-server@openvas doesn’t get started and /var/run/redis-openvas doesn’t get created which is where the socket is supposed to be. So, when the openvas.service goes looking for it, it doesn’t find the redis socket. Which in turn causes it to fail to open it’s ospd socket which GVM then is unable to connect to. This generates the messages in /opt/gvm/var/log/gvm/gvmd.log that we’re seeing.
So doing “sudo systemctl enable redis-server@openvas” seems to be a fix.
Well, it was a fix for a while at least. It worked for a few reboots but now I’m getting the ‘failed to connect to /opt/gvm/var/run/ospd.sock’ messages showing up in /opt/gvm/var/log/gvm/gvmd.log again.
I’ve also noticed as others have pointed out that the task wizard doesn’t seem to be functioning. I suspect that it’s broken in the code cloned from the git repos at the moment. I’d open an issue if there isn’t one already but I’m not sure which component is responsible for it.
kev.
See my above relating to permissions in case you’re still stuck
Hi @Kevin
I have followed your instructions, as prescribed to othin May 8, 2020 At 10:37, the export does the trick but still gets the error “failed to connect to /opt/gvm/var/run/ospd.sock” as per below:
gvm@util-openvas:~$ export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
gvm@util-openvas:~$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas –pid-file /opt/gvm/var/run/ospd-openvas.pid –log-file /opt/gvm/var/log/gvm/ospd-openvas.log –lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
gvm@util-openvas:~$ tail -f /opt/gvm/var/log/gvm/gvmd.log
md manage:WARNING:2020-05-21 09h22.46 utc:64620: manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
md manage:WARNING:2020-05-21 09h22.56 utc:64627: manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
^C
Oops, never saw you left a comment yesterday 🙂
Thank for the guide!
I installed everything, without any error, but I cannot run any scan.
Better, I can run a scan but it’ll only last a few seconds and it’ll be done with no results.
I’m using the created scanner.
Anyone experiencing issue where all the tasks report with 0.0 severity?
koromicha can you give me a help into this? I have my taskss configured but every task is reporting 0.0 even if I change QoD to like 30%.
Hello Diogo,
Looks this is an issue everyone is facing, we will look further into the issue and we will advise as soon as possible.
Thanks for this, great guide! I had an issue where I ran out of disk space during install – you may wish to add a system requirement of >8GB.
A question: how can I add a domain name to the SSL cert to avoid the invalid certificate message when visiting the web UI?
Hi everyone,
I installed Openvas according to the instructions and get the same error after restarting the server:
manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
In the WebUI: Could not connect to Scanner
Directly after the installation the first test works.
I have executed the command sudo systemctl enable redis-server@openvas during the installation. /var/run/redis-openvas also exists after a restart.
Does anyone have an idea?
On the Web UI, you need to select the scanner that you created.
I am using the “OpenVAS Default”. I didn’t create one.
Hi,
Koromicha, Gen_too and Kevin.
This is an excellent guide at setting up this complicated system and the best I have found anywhere on the web. I’m just so frustrated at that last hurdle that everyone else is also experiencing, ie: “manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock” I set up the system, as well as with Kevin’s fix by enabling the “redis-server@openva” I ran a scan and it worked beautifully but somehow that dreaded failure to connect to ospd.sock happened again for me.
Just wanted to say thank you for your efforts in trying to resolve this issue.
Sal
Not sure why it keeps failing. But try to ensure that ospd-openvas as well as redis are running and retry.
Hi Gen_too,
I re-installed the GVM setup, thinking maybe there might be a corruption, somewhere, but I get the exact same issue. The Server is a fresh install of Ubuntu 20.04 and followed the setup to the tee. I get exactly the same issue. Even the Task Wizard gives me this error:
I’m officially stumped, after 2 weeks of constantly trying (and re-installing OS & GVM) and scouring the web for additional supprt, it just doesn’t work for me:
gvm@util-openvas:/root$ ps aux | grep -E “ospd-openvas|gsad|gvmd” | grep -v grep
root 1093 0.0 0.4 558180 27492 ? Sl Jun01 0:03 /opt/gvm/sbin/gsad
root 1094 0.0 0.0 132180 3604 ? Sl Jun01 0:00 /opt/gvm/sbin/gsad
gvm 1096 0.1 2.3 297764 142944 ? S Jun01 0:59 gvmd: Waiting for incoming connections
postgres 1130 0.0 0.5 225768 30548 ? SLs Jun01 0:24 postgres: 12/main: gvm gvmd [local] idle
root 40898 0.0 0.0 132180 5668 pts/0 Sl 08:15 0:00 gsad
gvm 42427 8.8 10.8 751588 660956 ? S 08:42 0:20 gvmd: Syncing SCAP: Updating CVEs
postgres 42429 68.0 3.7 428340 225024 ? Rs 08:42 2:37 postgres: 12/main: gvm gvmd [local] DELETE
redis-server@openvas service is running
gvm@util-openvas:/root$ gvmd –verify-scanner=79918dd2-6bd3-4fbd-9e37-417f5ba8571f
Failed to verify scanner.
It is a fresh install of Ubuntu 20.04 and followed this how to, to the tee. I see just a few people are reporting on this issue, are the rest of the people’s systems working? Even before starting anything or tampering with the system, I also see that the Task Wizard doesn’t work. Is your system working Gen_too?
Same issue here with fresh install. Something is not complete with install script.
Hello Andras, with the script Kevin should be able to advice. However, did you get any issue with the steps outlined on the tutorial?
Hi,
when I trying to run this command () I receiving a lot of data but the script stops because it stops at this line with error: Connection refused
230 100% 0.22kB/s 0:00:01 (xfr#59863, to-chk=0/60608)
sent 1,145,002 bytes received 275,471,743 bytes 204,825.43 bytes/sec
total size is 270,428,720 speedup is 0.98
rsync: failed to connect to feed.community.greenbone.net (45.135.106.142): Connection refused (111)
rsync: failed to connect to feed.community.greenbone.net (2a0e:6b40:20:106:20c:29ff:fe67:cbb5): Network is unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
I tried to restart script but it do nothing.
Please can you help me to solve this problem?
Thank you
Hi Maurizio, please try to add
--rsyncoption to the command and try again.Hi Maurizio,
From what I’ve read that message usually is caused by the fact that the server that hosts the data only every allows one connection at a time from any one source. So, if you’re on IPv4 behind a NAT router what ends up happening is your machine tells the gateway router that it wants a connection to the host. The router then sets that up and the data starts flowing to your machine. When it’s done your computer tells the router that it’s done with the connection but some routers in some configurations will hold that connection open for a certain amount of time in case the machine wants to reuse it. When the update scripts start a second download though rather than re-using the existing connection they try to start a new one. That second connection gets refused because of how their server is configured to only every allow one connection at a time.
So, I’ve read some posts suggesting that the problem doesn’t exist on IPv6 because each machine gets it’s own public IP address and manages it’s own connection rather than relying on a NAT. I’m set up with only IPv4 myself so I can neither confirm nor deny if this resolves the issue. What I’ve tried to do in the script is to add enough time between calls to the server to allow the NAT router to fully close the connection before it tries to open another. However, it may or may not be enough depending on your circumstance. Adjusting the lines with the sleep commands in it before running may help.
I tried but it do nothing also with this option.
Excellent guide, thanks for your work. I have an issue though with emailing reports with attached PDFs using alerts. I get an email with the following message and not attachment: “Note: This report exceeds the maximum length of 1048576 characters and thus was truncated.”. I have tried running below commands with different values, rebooting as well, and still the same issue. Anyone has any ideas to make alerts send reports with attachments? Emails with reports attached are successfully received with smaller tasks with few hosts to scan but larger ones come up with the above truncated message and no PDF attachment.
The commands i’ve run without any impact are these:
gvmd –max-email-attachment-size=40000000
gvmd –max-email-include-size=40000000
gvmd –max-email-message-size=40000000
Hi.
Almost everything works well.
But the postgres process with the xml_split process in turn constantly uses 100% of the one CPU core. Without scanning.
cat /opt/gvm/var/log/gvm/gvmd.log contains repeating lines every 5 minutes:
md manage: INFO:2020-06-01 15h52.37 utc:358685: update_scap: Updating data from feed
md manage: INFO:2020-06-01 15h52.37 utc:358685: Updating CPEs
md manage: INFO:2020-06-01 15h53.16 utc:358685: Updating /opt/gvm/var/lib/gvm/scap-data/nvdcve-2.0-*.xml
How do you set this up to run openvas at startup?
I’m now getting the following error when trying to start openvas:
pkg_resources.DistributionNotFound: The ‘ospd-openvas==1.0.1’ distribution was not found and is required by the application
Any ideas as to how to fix?
Hello Chris,
You might need to rerun the installation of ospd-openvas, and check again.
Same error here. After installation works, but after first reboot it fails to start. Something is messed up in the install script and I cant figure out what it is.
Hi there,
The step by step guide is very helpful, thank you for it.
After having this error after reboot, I repeated the entire installation process from scratch, assuming I had made a mistake, but I sill end up in pkg_resources.DistributionNotFound: The ‘ospd-openvas==1.0.1’ distribution was not found and is required by the application after the host is rebooted.
Did anyone manage to find out which part of the installation actions is not persistent?
Thank you,
Zsolt
I got the same error.. has anyone figured out a solution for this?
I had the same error, after reboot the web interface was running but not the daemon. The problem is the export missing as someone found. If you followed the above guide, the fastest and easiest solution is to edit
/etc/systemd/system/openvas.service
and insert this line
Environment=PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
Between the last Environment line and before the ExecStart line.
after saving don’t forget to run
systemctl daemon-reload
for the modified script to be used
After reboot it takes some 5 minutes on my machine for the socket to be created and running, pretty slow start but eventually it works.
I am having the same issue. Did anyone find a solution to this?
I got this working my performing the exports again.
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
But I am not seeing gpg-agent working
Here my 2 cents! 😀
At every reboot you need to initialize path again using:
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
But this solution is a crap so starting for these install scripts:
https://community.greenbone.net/t/full-gvm-11-build-guide-for-centos-8/5425
I’ve modified the first script, to start ospd-openvas daemon at boot.
Here my /etc/systemd/system/ospd.service:
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=postgresql.service
[Service]
Environment=PATH=/opt/gvm/bin/ospd-
scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
Type=simple
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStartPre=-rm /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
ExecStartPre=bash -c “export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH”
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas –pid-file /opt/gvm/var/run/ospd-openvas.pid –unix-socket /opt/gvm/var/run/ospd.sock —
log-file /opt/gvm/var/log/gvm/ospd-openvas.log –lock-file-dir /opt/gvm/var/run
[Install]
WantedBy=multi-user.target
EOF
For gvm and gsa I’ve used the unmodified script founded here:
https://community.greenbone.net/t/full-gvm-11-build-guide-for-centos-8/5425
Bye
Alessandro
Hi all. Thanks for this guide! 🙂
After install i have some problems:
1) scanning does not start, although I chose the scanner that I created myself.
2) I can’t open the task wizard, it just doesn’t respond to pressing
Sorry for my English 🙂
Hi,
After struggling long and hard, finally got my scans to work but does anyone have a clue what this error means?
event task:MESSAGE:2020-06-03 20h00.12 UTC:101674: Status of task Test Environment Scan (99ae1367-244f-452c-adba-ce7142727865) has changed to Requested
event task:MESSAGE:2020-06-03 20h00.12 UTC:101674: Task Test Environment Scan (99ae1367-244f-452c-adba-ce7142727865) has been requested to start by gvmadmin
event task:MESSAGE:2020-06-03 20h01.03 UTC:101677: Status of task Test Environment Scan (99ae1367-244f-452c-adba-ce7142727865) has changed to Running
md gmp:WARNING:2020-06-03 20h11.45 utc:136432: Authentication failure for ‘admin’ from unix_socket
md gmp:WARNING:2020-06-03 20h11.45 utc:136445: Authentication failure for ‘sadmin’ from unix_socket
md gmp:WARNING:2020-06-03 20h11.45 utc:136455: Authentication failure for ‘admin’ from unix_socket
md gmp:WARNING:2020-06-03 20h11.45 utc:136459: Authentication failure for ‘gmp’ from unix_socket
md gmp:WARNING:2020-06-03 20h11.45 utc:136468: Authentication failure for ‘omp’ from unix_socket
md gmp:WARNING:2020-06-03 20h11.45 utc:136476: Authentication failure for ‘observer’ from unix_socket
md gmp:WARNING:2020-06-03 20h11.45 utc:136486: Authentication failure for ‘webadmin’ from unix_socket
event task:MESSAGE:2020-06-03 20h33.44 UTC:101677: Status of task Test Environment Scan (99ae1367-244f-452c-adba-ce7142727865) has changed to Done
S
Very helpful!
My machine was complaining about the missing package xsltproc at ‘cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm’ for the build of gvmd.
I did the automated installation with the help of Kevin, but I can’t scan, it always shows an error, does anyone have the same error?
Hello Danilo,
Am sure Kevin should be able to help on this. But please paste the error that you get.
when I use the command gvmd –verify-scanner = 08b69003-5fc2-4037-a479-93b440211c73
Failed to verify scanner.
Displays the message, Failed to verify scanner.
in check OpenVAS scanner displays the following message, Error Service unavailable
Same error here. It will be nice to have a fix. Even after created another scanner it cannot verify or use it.
also getting the same issue
I’ve been getting this now too. I suspect it’s related to the “failed to connect to /opt/gvm/var/run/ospd.sock” that myself and others have run into. I’m starting to wonder if something’s broken in the master branches of one or more of the github repos we’re cloning out of.
Thank you very much Kevin, are you still looking for a solution? I realize that several people encounter the same problem.
Hi,
Try this (it works for me 😉 ):
sudo chown gvm.gvm /opt/gvm/var/log/gvm/openvas.log
sudo systemctl stop gvmd
sudo systemctl stop gsad
sudo systemctl stop ospd-openvas
Remove the lock file in the directory /opt/gvm/var/run/ospd/
Do the NVT update:
sudo su – gvm
/opt/gvm/bin/greenbone-nvt-sync
/opt/gvm/sbin/greenbone-certdata-sync
/opt/gvm/sbin/greenbone-scapdata-sync
/opt/gvm/sbin/openvas –update-vt-info
Check if the “file” /run/redis-openvas/redis.sock exists.
Run service ospd-openvas (as gvm user):
systemctl start ospd-openvas
Wait until NVT are reloaded (you can see the progress using “systemctl status ospd-openvas”). Wait until the “file” appears /opt/gvm/var/run/ospd.sock
Run services (as gvm user) gvmd and gsad:
systemctl start gvmd
systemctl start gsad
You can also try /opt/gvm/sbin/gvmd –rebuild
Regards,
Bogdan
Thanks for sharing this Bogdan. This is definitely going to help someone. Cheer!
Bogdan,
Do you mind sharing what you have configured for your gvmd, gsad, and ospd-openvas unit files?
Thanks for the steps.
I’ve got a fix for this. The issue is that not all of the runtime files are cleaned up properly on exit. If these runtime files exist the scanner fails to launch properly. To resolve the issue in the openvas.service file insert the line:
ExecStartPre=-rm /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
This will delete the files if they exist and allow the service to come up cleanly after a server restart.
Thanks Nova, I’ve merged a pull request into the install script over on Github.
Hello Kevin Good morning friend, with your help to successfully complete the installation, but unfortunately I can’t make a scanner after the installation, always displays the error information.
Hi Kevin Good morning friend, with your help to complete the installation successfully, but unfortunately I can’t make a scanner after installation, it starts the scanner, takes a few seconds, but always displays the error information,
Severity error, when creating the task I chose Openvas.
I’m sorry for the bad English.
when ever i run any scan it get stop automatically with error in severity
in check OpenVAS scanner displays the following message, Error Service unavailable
thx for the tuto but i have
-bash: greenbone-nvt-sync : commande introuvable
thx for help
It is a real pleasure to find information of such good quality. Clear, efficient, thank you for this work !
Hello!
I installed and it works but it seems like something is going wrong after server gets a reboot.
This is expected unless you create systemd services for the OpenVAS, gmvd and gsad to auto start them on boot.
Any guidance on how this can be done?
I have this same problem…. I created service files using Kevin’s script but GVMD doesn’t seem to want to start.. When I try to log in, I get GMP service is down. Can someone post complete functional service files for this?
I have this same problem. I installed Kevin’s script, but when I ligin in system I got a message: “GMP Service is down”. When I check status gvmd I saw that the service is active, but also got a message: ” gvm rm[39809]: /usr/bin/rm: cannot remove ‘/opt/gvm/var/run/ospd.sock’: No such file or directory”.
How can this be fixed?
Hi,
In first, I’m sorry form y english… i’ve a problem when i try to start opevans:
—/tmp/gvm-source/ospd-openvas$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
> –pid-file /opt/gvm/var/run/ospd-openvas.pid \
> –log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
> –lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
ERROR: get_db_connection: Not possible to run openvas. [Errno 2] No such file or directory: ‘openvas’
I have to re running Re-running “export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages but the problem persists… Can you help me please?
Finaly it’s okay! 😉
Hi Guys,
My issue is that everything seems to be running but:
1. I can’t update NVTs the script does nothing when run it simply does not start:
gvm@openvas:~$ greenbone-nvt-sync –verbose
gvm@openvas:~$ …. nothing happens :/
2. SCAP and CERT update is working fine.
What might be the problem? I tried all of above and that dem script is not doing anything.
Hi,
already had the same problem.
My solution was to remove the feed-update.lock file.
$install_prefix/var/run/feed-update.lock
See if this helps.
Hi Kevin,
i just installed GVM11, thanks to your script.
Everything is working fine, except one little problem.
I tried to connect GVM11 to Splunk, i configured everything correct, but as soon as i test the Alert i receive the Testen of the alert “Connection_test_splunk” has failed. Alert script failed.
Do you know any solution?
Thank you!
Guide was easy to follow and my task is running with the scan I have configured. The scan quickly finishes(1minute) and provides 0 severity and the report is blank.
The server I am scanning has hits on the firewall from the scanner. Here are the dports it hits in order:
65533
65534
0
111
Firewall log then gets a PROTO=63
Previous versions, the scan would hit the firewall on lots of ports and take a long time to complete/supply results.
Any ideas?
I personally scanned a windows system, and it worked as shown on the report. Will try to scan a different system and check.
For anyone curious I fixed this by installing nmap.
Hi,
When i had to do this command :
“greenbone-vt-sync”
This error occured :
“Command ‘greenbone-nvt-sync’ not found, but can be installed with:
apt install openvas-scanner
Please ask your administrator.”
i tried to do sudo su so but i have this :
“Sorry, user gvm is not allowed to execute ‘/usr/bin/su’ as root on openvas.”
Please help me.
Hi
Please check if you skipped the Build and install OpenVAS scanner step.
hi koromicha
I have done the whole process and the system loads very well, however, when performing the scan it is not generating results. I have chosen the scanner that was previously created in the step by step. Is it possible that something else is needed?
Thank you
Cristian, did you install nmap on your server ?
this is a port scanner mandatory to make the whole show working 🙂
Excellent tutorial ! very good job 🙂
From far the best I have seen.
Therefore a simple remark : you should add ‘nmap’ in the list of mandatory packages ; else the scanner will return each time a 0.0 (log) and, for a not curious user, he can imagine everything is perfect (even if the tool is complaining about missing port scanner in report).
Thank you !
Eric
We missed that? Thanks for catching that Eric.
For everyone having trouble creating (or not knowing how like me) systemd service files: Kevin’s script referenced above has segments to create the files. https://kifarunix.com/install-and-setup-gvm-11-on-ubuntu-20-04/#comment-11052
Thanks so much, Kevin. Really appreciate the help!
When running OpenVAS and GVM in the instructions, they’re both set to bind to ospd.sock. Is that correct? I was seeing this error in /opt/gvm/var/log/gvm/gvmd.log: manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock. I changed my gvm to bind to gvmd.sock and I’m not seeing that error anymore.
I am seeing these errors in my /opt/gvm/var/log/gvm/gvmd.log “osp_get_vts_version: element VTS missing.” and “manage_update_nvt_cache_osp: failed to get scanner_version”
On my Scans/Tasks page I’m getting the error “An internal error occurred while getting resources list. The current list of resources is not available. Diagnostics: Failure to receive response from manager daemon.”
I’m not sure that these errors are connected. Can anyone help?
I performed the installation through the script and when performing a scanner I get the error message: Could not connect to Scanner
Below is the error that occurred during the execution of the script.
Using / usr / lib / python3 / dist-packages
Finished processing dependencies for ospd-openvas == 1.0.1
Oops, secure memory pool already initialized
Scanner created.
08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /tmp/ospd.sock 0 OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE
ccd96c36-ab7e-4a91-91e9-94bd0fa7a7d8 OpenVAS /opt/gvm/var/run/ospd.sock 9390 Created OpenVAS Scanner
Failed to verify scanner.
What to do to solve this problem
I am also having a problem with this, there is a discussion that refers to this problem (https://github.com/greenbone/ospd-openvas/issues/175) by creating an OSP scanner and using the related certificates but I haven’t had any luck in creating the OSP scanner myself as I’m very new to Linux. Anyone else have any success with this? I was able to update the source code files to 11.0.1 and all other relevant source code files but this is my only hold up from completing the fully up to date installation.
I tried to run the scanner manually and got this error, how to solve this problem
/ usr / bin / python3 / opt / gvm / bin / ospd-openvas \
> –pid-file /opt/gvm/var/run/ospd-openvas.pid \
> –log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
> –lock-file-dir / opt / gvm / var / run -u /opt/gvm/var/run/ospd.sock
Traceback (most recent call last):
File “/ opt / gvm / bin / ospd-openvas”, line 6, in
from pkg_resources import load_entry_point
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 3254, in
def _initialize_master_working_set ():
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 3237, in _call_aside
f (* args, ** kwargs)
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 3266, in _initialize_master_working_set
working_set = WorkingSet._build_master ()
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 584, in _build_master
ws.require (__ requires__)
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 901, in require
needed = self.resolve (parse_requirements (requirements))
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 787, in resolve
raise DistributionNotFound (req, requirers)
pkg_resources.DistributionNotFound: The ‘ospd-openvas == 1.0.1’ distribution was not found and is required by the application
Hi,
i got exactly the same. Moreover no services are running, no services can be started and the whole “gvm-source”-directory is gone.
Weird thing is, i can reach openVAS via IP. All accounts i set arent working so i cant login.
If i try to start a service i get the message “ospd-openvas.service could not be found.”
Everything was working and I was scanning but I had to do a system reboot and now I get the error “Could not connect to Scanner” and I have no idea why or how to fix it. None of my scans that previously working work anymore. I installed it via the script Kevin had provided.
Hello all,
I’m missing the Network Source Interface information. I tired to add manually but it’s not working. Can someone tell me how to fix?
Hi Kevin,
I messed up my ubuntu, im new to linux so im looking for a quick guide to uninstall this from my computer. I’ve done my research but couldn’t find the right direction to completely and safely remove it. Thanks in advance.
The instruction is flawless during installation. However I am getting this error after rebooting the server and restarting the service:
ospd-openvas -f –pid-file /opt/gvm/var/run/ospd-openvas.pid \
> –unix-socket=/opt/gvm/var/run/ospd.sock \
> –log-file /opt/gvm/var/log/gvm/ospd-scanner.log \
> –log-level DEBUG
Traceback (most recent call last):
File “/opt/gvm/bin/ospd-openvas”, line 6, in
from pkg_resources import load_entry_point
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 3254, in
def _initialize_master_working_set():
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 3237, in _call_aside
f(*args, **kwargs)
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 3266, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 584, in _build_master
ws.require(__requires__)
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 901, in require
needed = self.resolve(parse_requirements(requirements))
File “/usr/lib/python3/dist-packages/pkg_resources/__init__.py”, line 787, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The ‘ospd-openvas==1.0.1’ distribution was not found and is required by the application
Hi everyone,
I’m having trouble getting passed by the “createuser gvm”.
It’s asking for postgres password?. I’ve been trying many ways but i can’t find nor the password, does anyone know what i might be doing wrong?
did you already have postgres installed?
There is a step to install PostgreSQL Damian.
Hi.
I used script to install the Openvas. But terminal wanted to me gvm password 2 times at the installiation process.
I didn’t assign any password for gvm user before. I tried several known passwords including blank.
How can ı solve this issue?
Hi
I did
gvmd –create-user admin –password=admin
but from GUI (https://127.0.0.1:9392/login) would let me login.
Can someone help please.
Hi Koromicha,
Thanks for the superb crystal clear step by step guide setup. I just finished it with ease and running like a charm. The tips is make sure not to missed or skip the steps and just ignore the “Oops, secure memory pool already initialized” when you run the “sudo gsad” command.
Keep up the good work. Appreciate it.
Thanks for feedback Rayzach. We are glad the tutorial helped you. Enjoy
Thanks man, I change the python path to 3.6 on Ubuntu 18.04.1 and it all went well. Bit slow on the scanner check but its working none the less.
Great guide/.
Do i need to add the GVM stuff to the init.d to start it at boot?
Damian
Yes you can so you can have the services autostart automatically on boot. See the comments above. Someone made the service files
hi there ,
when i create a new user with gvmd , it takes too much time and i don’t get a response ,
has anyone here faced this error
thanks
Hi there,
first of all, thank you for this detailed guide its awesome and easy to understand.
unfortunately i got an error at point “Build and Install Greenbone Vulnerability Manager”.
I run make and get 2 errors in manage.c
Can someone help me with this or can give me some advice please?
best regards,
Noah
— Found Git: /usr/bin/git (found version “2.25.1”)
[ 0%] Built target revisiontag
[ 4%] Building C object src/CMakeFiles/gvmd.dir/manage.c.o
/tmp/gvm-source/gvmd/src/manage.c: In function ‘launch_osp_openvas_task’:
/tmp/gvm-source/gvmd/src/manage.c:4181:16: error: too few arguments to function ‘osp_target_new’
4181 | osp_target = osp_target_new (hosts_str, ports_str, exclude_hosts_str);
| ^~~~~~~~~~~~~~
In file included from /tmp/gvm-source/gvmd/src/manage.h:40,
from /tmp/gvm-source/gvmd/src/manage.c:50:
/opt/gvm/include/gvm/osp/osp.h:203:1: note: declared here
203 | osp_target_new (const char *, const char *, const char *, int, int, int);
| ^~~~~~~~~~~~~~
/tmp/gvm-source/gvmd/src/manage.c:4415:18: error: ‘osp_start_scan_opts_t’ {aka ‘struct ’} has no member named ‘parallel’
4415 | start_scan_opts.parallel = 1;
| ^
make[2]: *** [src/CMakeFiles/gvmd.dir/build.make:115: src/CMakeFiles/gvmd.dir/manage.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:159: src/CMakeFiles/gvmd.dir/all] Error 2
make: *** [Makefile:163: all] Error 2
You figure out a solution for this. Getting the same thing…
btw – figured it out – libunistring-dev was not installed
Hello,
I have followed exactly the same steps but could not verify the scanner. One more thing I was not able to sync the certdata as well. Still i proceed further into this. and get stuck at the verification. Below are the results of the command
gvmd –get-scanners
Output :
08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /tmp/ospd.sock 0 OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE
24297757-83f1-442e-90f4-2539a4334350 OpenVAS /opt/gvm/var/run/ospd.sock 9390 Kifarunix-demo OpenVAS Scanner
Then
gvmd –verify-scanner=24297757-83f1-442e-90f4-2539a4334350
But it says as below :
Failed to verify scanner.
Though I have created the users but the openvas i.e. GSA 11 is not opening using the local ip of the machine.
—
Please help the with the same.
Hi. Thank you for this detailed guide its awesome and easy to understand. But now I have a problem with scaner. I recived “Error” when I start new scan.
When I did it: cat /opt/gvm/var/log/gvm/gvmd.log
I recived:
md manage:WARNING:2020-08-28 07h52.38 UTC:11631: Could not connect to Scanner at /tmp/ospd.sock
md manage:WARNING:2020-08-28 07h52.38 UTC:11631: OSP start_scan b737ee29-2d81-44b2-b698-1eea7a7468c9: Could not connect to Scanner
event task:MESSAGE:2020-08-28 07h52.38 UTC:11631: Status of task Unnamed (5a7e8dba-fcb4-4968-a29b-1a8e01961070) has changed to Done
Please help the with the same.
I followed all the steps and it authenticates me but my scanner does not work, by giving it: sudo -Hiu gvm gvmd –verify-scanner = bdb4fd8d-df6f-4b21-bbf1-b42dcd0e9678
Failed to verify scanner
Someone with the same problem? We could create a telegram group to carry out tests and put it to work. Sorry my bad english.
Hi,
after insatll I get this msg”GMP-Dienst ist nicht erreichbar.”
can man help`?
Hi,
until now everything is without the error, but when am I running:’sudo -Hiu gvm gvmd –get-scanners’ by root, I can`t get any UUID, I try to use the gvm user to re-run it, it shows the gvm user don’t have permission to run /bin/bash -c gvmd –get-scanners, do I miss something?
Did you create the scanners? What if you switch to gvm user and try get scanners? like,
su - gvm && gvmd --get-scanners?/tmp/gvm-source/openvas/nasl/CMakeLists.txt also needs the deprecated -Wno-error=deprecated-declarations flag in the CMAKE_C_FLAGS_DEBUG line. Otherwise make won’t succeed due to the same pcap_lookupdev deprecated errors.
Thanks for the feedback, enzored!
Hi koromicha,
While building greenbone security assistant, i am facing below error.
“Browserslist:canisuse-lite is outdated.Please run next command ‘yarn upgrade’.
I upgraded yarn but facing same error. Also my system seems to go in hang state while executing make command for gsa.
Thanks for the great tutorial, with gvm 11 everything is perfect.
Now my question:
I have installed gvm 20.08 in a new ubuntu 20.04
git clone -b gvm-libs-20.08 https://github.com/greenbone/gvm-libs.git
git clone https://github.com/greenbone/openvas-smb.git
git clone -b openvas-20.08 https://github.com/greenbone/openvas.git
git clone -b ospd-20.08 https://github.com/greenbone/ospd.git
git clone -b ospd-openvas-20.08 https://github.com/greenbone/ospd-openvas.git
git clone -b gvmd-20.08 https://github.com/greenbone/gvmd.git
git clone -b gsa-20.08 https://github.com/greenbone/gsa.git
After the start the NVT, CVE and CPE are here,
but no Ports, no Scan Configurations and no Reports
have someone an idea what I make wrong?
Thanks
Im stuck at su – gvm command. I am getting the error -” su:failed to execute /bin/bash/:Not a directory”
Hello koromicha , thanks for the crustal clear step by step guide , founding it very helpful .
question??
sudo GSAD is asking sudo password for GVM .
Can anyone suggest what is the password .
I tried with no password.
Thanks for the feedback Ali. But, actually, that is the password for the user with which your running sudo as.
If anyone else runs into issues with the setup please refer to the the logs in /opt/gvm/var/log/gvm
I had lots of /tmp/ospd.sock not found
It looks like the guide/script doesn’t change the socket from the default.
I fixed using a CentOS reference guide at https://community.greenbone.net/t/full-gvm-11-build-guide-for-centos-8/5425
Look for the section for “modify the default scanner with the new socket location”
Adjust the commands accordingly: gvmd –get-scanners
Becomes: sudo -Hiu gvm gvmd –getscanners
If this works then perhaps the script can be updated we can all have a quick easy install script.
HI thanks for this amazing guide, and im stuck with username & password challenge “GVM SERVICE DOWN”
Any suggestion?
is gvmd running? how about the postgresql db?
Thank you so much for this guide.. I did have one small snag while using the guide:
“sudo -u openvas –update-vt-info”
I think should read: “sudo openvas –update-vt-info”
Thanks again!
Yes Gary, correct
This was unbelievably helpful. Thank you for sharing this tutorial. I had nearly given up and gone to look for another solution before I found this page. Can’t thank you enough.
We are glad the tutorial helped you. You should check gvm 20.08 installation as well, -:)
Hello Koromicha,
thanks for the guide.
I noticed that I keep getting this error in my /opt/gvm/var/log/gvm/gvmd.log file:
manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
and actually file /opt/gvm/var/run/ospd.sock is not present.
Also command “/opt/gvm/bin/ospd-openvas -u /opt/gvm/var/run/ospd.sock” returns me
pkg_resources.DistributionNotFound: The ‘ospd-openvas==1.0.1’ distribution was not found and is required by the application
Can you please help me fix it? This is the content of my /etc/systemd/system/ospd.service file:
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=postgresql.service
[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.6/site-packages
Type=simple
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas –pid-file /opt/gvm/var/run/ospd-openvas.pid –unix-socket /opt/gvm/var/run/ospd.sock –log-file /opt/gvm/var/log/gvm/ospd-openvas.log –lock-file-dir /opt/gvm/var/run
[Install]
WantedBy=multi-user.target
Hi Robert, we will check and revert.
In the meantime, would you consider using GVM 20.08, GVM 11 is retiring, -:)