Install Greenbone Vulnerability Management (GVM) on Debian 12

In this guide, you will learn how to install Greenbone Vulnerability Management (GVM) on Debian 12. Greenbone Vulnerability Management (GVM), previously known as OpenVAS, is a network security scanner which provides a set of network vulnerability tests (NVTs) to detect security loopholes in systems and applications. As of this writing, GVM 23.7.0 is the current release. This is the version GVM we will be installing on Debian 12.

Installing GVM on Debian 12

System Hardware Requirements

In this demo, we will install and setup Greenbone Vulnerability Management (GVM) on Debian. As such, below are the system requirements I would personally recommend.

• At least 8 GB RAM
• At least 4 vCPUs
• More than 8 GB disk space (We used 40+ GB in this demo)

These requirements will vary depending on your use cases, however. Just be sure to provide “enough”.

Run System Update

To begin with, update and upgrade your system packages;

apt update

apt upgrade

Run system reboot is necessary;

[ -f /run/reboot-required ] && systemctl reboot -i

Install Required Build Tools

In order to successfully build Greenbone Vulnerability Management (GVM) on Debian 12, you need to install a number of required dependencies and build tools.

apt install gcc \
	g++ \
	make \
	bison \
	flex \
	libksba-dev \
	curl \
	redis \
	libpcap-dev \
	cmake \
	git \
	pkg-config \
	libglib2.0-dev \
	libgpgme-dev \
	nmap \
	libgnutls28-dev \
	uuid-dev \
	libssh-gcrypt-dev \
	libldap2-dev \
	gnutls-bin \
	libmicrohttpd-dev \
	libhiredis-dev \
	zlib1g-dev \
	libxml2-dev \
	libnet-dev \
	libradcli-dev \
	clang-format \
	libldap2-dev \
	doxygen \
	gcc-mingw-w64 \
	xml-twig-tools \
	libical-dev \
	perl-base \
	heimdal-dev \
	libpopt-dev \
	libunistring-dev \
	graphviz \
	libsnmp-dev \
	python3-setuptools \
	python3-paramiko \
	python3-lxml \
	python3-defusedxml \
	python3-dev \
	gettext \
	python3-polib \
	xmltoman \
	python3-pip \
	texlive-fonts-recommended \
	texlive-latex-extra \
	xsltproc \
	rsync \
        libpaho-mqtt-dev \
        libbsd-dev \
        libjson-glib-dev \
	python3-packaging \
	python3-wrapt \
	python3-cffi \
	python3-psutil \
	python3-redis \
	python3-gnupg \
	python3-paho-mqtt \
        mosquitto \
	--no-install-recommends -y

Install Yarn on Debian 12

Next, install Yarn JavaScript package manager

curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /etc/apt/trusted.gpg.d/yarnkey.gpg

echo "deb  https://dl.yarnpkg.com/debian stable main" > /etc/apt/sources.list.d/yarn.list

apt update

apt install yarn -y

Install PostgreSQL on Debian 12

GVM uses PostgreSQL as the backend database. We use version 15 in this setup, which is the default version available on Debian 12 Bookworm repos as of this writing.

On Debian 10, run the command below to install PostgreSQL;

apt install postgresql postgresql-contrib postgresql-server-dev-15 -y

Create PostgreSQL User and Database

Once the installation is done, create the PostgreSQL user and database for Greenbone Vulnerability Management Daemon (gvmd).

Note that the database and user should be created as PostgreSQL user, postgres.

sudo -Hiu postgres createuser gvm

sudo -Hiu postgres createdb -O gvm gvmd

Grant PostgreSQL User DBA Roles

sudo -Hiu postgres psql gvmd -c "create role dba with superuser noinherit;"

sudo -Hiu postgres psql gvmd -c "grant dba to gvm;"

Once that is done, restart PostgreSQL;

systemctl restart postgresql

systemctl enable postgresql

You can check status;

systemctl status postgresql

Create GVM User on Ubuntu

In this demo, we will run GVM as a non privileged system user. Thus, create gvm system user account.

useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm

Create the GVM user directory as specified by option -d in the command above and set the user and group ownership to gvm.

mkdir /opt/gvm && chown gvm: /opt/gvm

Allow the user to run the installation with sudo rights;

echo "gvm ALL = NOPASSWD: $(which make) install" > /etc/sudoers.d/gvm

Confirm validity of this command;

visudo -c -f /etc/sudoers.d/gvm

Output should be Okay.

Building GVM from Source Code

There are different tools required to install and setup Greenbone Vulnerability Management (GVM) on Debian 12. These include;

• GVM Libraries
• OpenVAS Scanner
• OSPD OpenVAS
• Greenbone Vulnerability Manager
• Greenbone Security Assistant
• Python-GVM
• Notus Scanner
• GVM-Tools
• OpenVAS SMB

Every component has README.md and a INSTALL.md file that explains how to build and install it.

Switch to GVM user created above;

su - gvm

Create a directory where to download the source files to;

mkdir gvm-source

Note that we will install all GVM files and libraries to the default location, /usr/local.

Build and Install GVM Libraries

GVM-libs is a set of shared libraries that provide common functionality for the Greenbone Vulnerability Management (GVM) suite. It includes libraries for network communication, database access, and data parsing. GVM-libs is used by all GVM components, including the vulnerability scanner, the web-based management interface, and the database.

whoami

gvm

From within the source directory, /opt/gvm/gvm-source, download, extract the GVM libraries source code and install them as follows;

cd ~/gvm-source

GVM_LIBS=22.7.0
wget https://github.com/greenbone/gvm-libs/archive/refs/tags/v${GVM_LIBS}.tar.gz \
-O gvm-libs-v${GVM_LIBS}.tar.gz

tar xzf gvm-libs-v${GVM_LIBS}.tar.gz;cd gvm-libs-${GVM_LIBS}

mkdir build && cd build

cmake ..

 Compile and install GVM libraries

make && sudo make install

Build and Install Greenbone Vulnerability Manager

GVM daemon serves as the central manager for scans, tasks, and the overall vulnerability management process. It communicates with other GVM components, such as the Greenbone Security Assistant (GSA) web interface, the OpenVAS Scanner, and the various databases used for storing vulnerability data and scan results.

cd ~/gvm-source

GVMD=22.8.0
wget https://github.com/greenbone/gvmd/archive/refs/tags/v${GVMD}.tar.gz \
-O gvmd-v${GVMD}.tar.gz

tar xzf gvmd-v${GVMD}.tar.gz;cd gvmd-${GVMD}

mkdir build && cd build
cmake ..
make
sudo make install

Build and Install GVM PostgreSQL Extension

pg-gvm is a PostgreSQL extension that adds several functions used by gvmd, e.g., iCalendar and host range evaluation. In previous versions of GVM, these functions were managed directly by gvmd while pg-gvm uses the extension management built into PostgreSQL.

cd ~/gvm-source

PG_GVM=22.6.1
wget https://github.com/greenbone/pg-gvm/archive/refs/tags/v${PG_GVM}.tar.gz \
-O pg-gvm-v${PG_GVM}.tar.gz

tar xzf pg-gvm-v${PG_GVM}.tar.gz;cd pg-gvm-${PG_GVM}

mkdir build && cd build
cmake ..
make
sudo make install

Build and Install Greenbone Security Assistant

The Greenbone Security Assistant is the web interface developed for the Greenbone Security Manager

cd ~/gvm-source

GSA=22.6.0
wget https://github.com/greenbone/gsa/archive/refs/tags/v${GSA}.tar.gz \
-O gsa-v${GSA}.tar.gz

tar xzf gsa-v${GSA}.tar.gz;cd gsa-${GSA}

rm -rf build

yarn

yarn build

All content of the production build can be shipped with every web server. For providing GSA via gsad web server, the files need to be copied into the /usr/local/share/gvm/gsad/web/.

Build and Install Greenbone Security Assistant HTTP server

The Greenbone Security Assistant HTTP Server is the server developed for the communication with the Greenbone Security Manager appliances. It connects to the Greenbone Vulnerability Manager Daemon gvmd to provide a full-featured user interface for vulnerability management.

cd ~/gvm-source

GSAD=22.5.2
wget https://github.com/greenbone/gsad/archive/refs/tags/v${GSAD}.tar.gz \
-O gsad-v${GSAD}.tar.gz

tar xzf gsad-v${GSAD}.tar.gz;cd gsad-${GSAD}

mkdir build && cd build
cmake ..
make
sudo make install

Next, copy the web interface configs. Replace kifarunix user with your privileged user.

[[ -d /usr/local/share/gvm/gsad/web ]] || su -c "sudo mkdir -p /usr/local/share/gvm/gsad/web" kifarunix

su -c "sudo chown -R gvm: /usr/local/share/gvm/gsad/web" kifarunix

cp -rp /opt/gvm/gvm-source/gsa-${GSA}/build/* /usr/local/share/gvm/gsad/web

ls -1 /usr/local/share/gvm/gsad/web

img
index.html
locales
robots.txt
static

Build and Install OpenVAS scanner and OpenVAS SMB

Open Vulnerability Assessment Scanner (OpenVAS) is a full-featured scan engine that executes a continuously updated and extended feed of Network Vulnerability Tests (NVTs).

OpenVAS SMB provides modules for the OpenVAS Scanner to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.

Build and install openvas-smb;

cd ~/gvm-source

OPENVAS_SMB=22.5.3
wget https://github.com/greenbone/openvas-smb/archive/refs/tags/v${OPENVAS_SMB}.tar.gz -O openvas-smb-v${OPENVAS_SMB}.tar.gz

tar xzf openvas-smb-v${OPENVAS_SMB}.tar.gz;cd openvas-smb-${OPENVAS_SMB}

mkdir build && cd build
cmake ..
make
sudo make install

Build and install OpenVAS scanner;

cd ~/gvm-source

OPENVAS_SCANNER=22.7.3
wget https://github.com/greenbone/openvas-scanner/archive/refs/tags/v${OPENVAS_SCANNER}.tar.gz \
-O openvas-scanner-v${OPENVAS_SCANNER}.tar.gz

tar xzf openvas-scanner-v${OPENVAS_SCANNER}.tar.gz;cd openvas-scanner-${OPENVAS_SCANNER}

mkdir build && cd build
cmake ..
make
sudo make install

Build and Install OSPD-OpenVAS

Open Scanner Protocol (OSP) creates a unified interface for different security scanners and makes their control flow and scan results consistently available under the central Greenbone Vulnerability Manager service.

cd ~/gvm-source

OSPD_OPENVAS=22.5.4
wget https://github.com/greenbone/ospd-openvas/archive/refs/tags/v${OSPD_OPENVAS}.tar.gz \
-O ospd-openvas-v${OSPD_OPENVAS}.tar.gz

tar xzf ospd-openvas-v${OSPD_OPENVAS}.tar.gz;cd ospd-openvas-${OSPD_OPENVAS}

mkdir build
python3 -m pip install --root=./build --no-warn-script-location .

su -c "sudo cp ./build/usr/local/local/bin/ospd-openvas /usr/local/bin/" kifarunix

su -c "sudo cp ./build/usr/local/lib/python3.11/* /usr/local/lib/python3.11/" kifarunix

Build and Install Notus Scanner

Notus scanner is a scanner that is integrated into the Greenbone Vulnerability Management framework and can be used to detect vulnerable products by evaluating internal system information, such as the installed software packages and their versions.

cd ~/gvm-source

NOTUS_SCANNER=22.5.0
wget https://github.com/greenbone/notus-scanner/archive/refs/tags/v${NOTUS_SCANNER}.tar.gz \
-O notus-scanner-v${NOTUS_SCANNER}.tar.gz

tar xzf notus-scanner-v${NOTUS_SCANNER}.tar.gz;cd notus-scanner-${NOTUS_SCANNER}

mkdir build
python3 -m pip install --root=./build --no-warn-script-location .

su -c "sudo cp ./build/usr/local/bin/* /usr/local/bin/" kifarunix

su -c "sudo cp -r ./build/usr/local/lib/python3.11/dist-packages/* /usr/local/lib/python3.11/dist-packages/" kifarunix

Install GVM NVTs Feed Synchronization tool

greenbone-feed-sync is GVM python script that can be used to download the latest version of the Greenbone Community Feed, or to update an existing feed. It can be installed as follows;

cd ~/gvm-source && mkdir greenbone-feed-sync && cd greenbone-feed-sync

python3 -m pip install --root=. --no-warn-script-location greenbone-feed-sync

su -c "sudo cp ./usr/local/bin/* /usr/local/bin/" kifarunix

su -c "sudo cp -r ./usr/local/lib/python3.11/dist-packages/* /usr/local/lib/python3.11/dist-packages/" kifarunix

Install GVM Tools

The Greenbone Vulnerability Management Tools are a collection of tools that help with remote controlling GVM installations. Such tools include;

• gvm-cli: This tool sends plain GMP/OSP commands and prints the result to the standard output.
• gvm-script: This tool has a lot more features than the simple gvm-cli client. It can be used to create scripts that automate tasks, such as scanning for vulnerabilities or creating reports.
• gvm-pyshell: This tool is for running gmp or osp scripts interactively. It provides the same API as gvm-script using the python-gvm library.
• gvm-api: This tool provides a Python API for accessing the GMP and OSP protocols. This API can be used to develop custom tools and applications that interact with GVM.

To install GVM tools;

cd ~/gvm-source && mkdir gvm-tools && cd gvm-tools

python3 -m pip install --root=. --no-warn-script-location gvm-tools

su -c "sudo cp ./usr/local/bin/* /usr/local/bin/" kifarunix

su -c "sudo cp -r ./usr/local/lib/python3.11/dist-packages/* /usr/local/lib/python3.11/dist-packages/" kifarunix

Configuring OpenVAS Scanner Redis Data Store

Redis is used to store information about vulnerabilities, such as their severity, exploitability, and remediation steps.

To begin run the command below to create the cache to the installed shared libraries;

exit

ldconfig

The default configuration of Redis server is /etc/redis/redis.conf.

Next, copy OpenVAS scanner Redis configuration file from the OpenVAS source directory, redis-openvas.conf, to the Redis config directory;

cd 

OPENVAS_SCANNER=22.7.3
cp /opt/gvm/gvm-source/openvas-scanner-${OPENVAS_SCANNER}/config/redis-openvas.conf /etc/redis/

Update the ownership of the configuration.

chown redis:redis /etc/redis/redis-openvas.conf

Update the path to Redis unix socket on the /etc/openvas/openvas.conf using the db_address parameter.

To get the path to the Redis unix socket, run the command;

grep unixsocket /etc/redis/redis-openvas.conf

Sample output;

unixsocket /run/redis-openvas/redis.sock
unixsocketperm 770

Once you get the path to Redis unix socket, run the command;

echo "db_address = /run/redis-openvas/redis.sock" > /etc/openvas/openvas.conf

Add gvm user to redis group;

usermod -aG redis gvm

Optimize Redis Performance

You can also optimize Redis server itself improve the performance by making the following adjustments;

Increase the value of somaxconn in order to avoid slow clients connections issues.

echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf

Redis background save may fail under low memory condition. To avoid this, enable memory overcommit (man 5 proc).

echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf

Reload sysctl variables created above.

sysctl -p

To avoid creation of latencies and memory usage issues with Redis, disable Linux Kernel’s support for Transparent Huge Pages (THP). To easily work around this, create a systemd service unit for this purpose.

cat > /etc/systemd/system/disable_thp.service << 'EOL'
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOL

Reload systemd configurations;

systemctl daemon-reload

Start and enable this service to run on system boot.

systemctl enable --now disable_thp

Restart OpenVAS Redis server

systemctl enable --now redis-server@openvas

Confirm the status;

systemctl status redis-server@openvas

● [email protected] - Advanced key-value store (openvas)
     Loaded: loaded (/lib/systemd/system/[email protected]; enabled; preset: enabled)
     Active: active (running) since Thu 2023-08-17 13:00:47 EDT; 33s ago
       Docs: http://redis.io/documentation,
             man:redis-server(1)
   Main PID: 23028 (redis-server)
     Status: "Ready to accept connections"
      Tasks: 5 (limit: 4641)
     Memory: 4.0M
        CPU: 122ms
     CGroup: /system.slice/system-redis\x2dserver.slice/[email protected]
             └─23028 "/usr/bin/redis-server unixsocket:/run/redis-openvas/redis.sock"

Aug 17 13:00:47 debian redis-server[23028]:   `-._    `-._`-.__.-'_.-'    _.-'
Aug 17 13:00:47 debian redis-server[23028]:       `-._    `-.__.-'    _.-'
Aug 17 13:00:47 debian redis-server[23028]:           `-._        _.-'
Aug 17 13:00:47 debian redis-server[23028]:               `-.__.-'
Aug 17 13:00:47 debian redis-server[23028]: 23028:M 17 Aug 2023 13:00:47.328 # Server initialized
Aug 17 13:00:47 debian redis[23028]:                 _._                                                  
                                                _.-``__ ''-._                                             
                                           _.-``    `.  `_.  ''-._           Redis 7.0.11 (00000000/0) 64 bit
                                       .-`` .-```.  ```\/    _.,_ ''-._                                  
                                      (    '      ,       .-`  | `,    )     Running in standalone mode
                                      |`-._`-...-` __...-.``-._|'` _.-'|     Port: 0
                                      |    `-._   `._    /     _.-'    |     PID: 23028
                                       `-._    `-._  `-./  _.-'    _.-'                                   
                                      |`-._`-._    `-.__.-'    _.-'_.-'|                                  
                                      |    `-._`-._        _.-'_.-'    |           https://redis.io       
                                       `-._    `-._`-.__.-'_.-'    _.-'                                   
                                      |`-._`-._    `-.__.-'    _.-'_.-'|                                  
                                      |    `-._`-._        _.-'_.-'    |                                  
                                       `-._    `-._`-.__.-'_.-'    _.-'                                   
                                           `-._    `-.__.-'    _.-'                                       
                                               `-._        _.-'                                           
                                                   `-.__.-'
Aug 17 13:00:47 debian redis-server[23028]: 23028:M 17 Aug 2023 13:00:47.329 * The server is now ready to accept connections at /run/redis-openvas/redis.sock
Aug 17 13:00:47 debian systemd[1]: Started [email protected] - Advanced key-value store (openvas).
Aug 17 13:00:47 debian redis[23028]: Server initialized
Aug 17 13:00:47 debian redis[23028]: The server is now ready to accept connections at /run/redis-openvas/redis.sock

Configure Mosquitto MQTT Broker for GVM

MQTT Broker is used for communication between notus-scanner, openvas-scanner and ospd-openvas.

Configure OpenVAS scanner to use MQTT by defining the address to MQTT as well as the vulnerability scannig approach.

echo "mqtt_server_uri = localhost:1883
table_driven_lsc = yes" >> /etc/openvas/openvas.conf

Next, start and enable Mosquitto service to run on system boot;

systemctl enable --now mosquitto

Check status;

systemctl status mosquitto

● mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-08-17 13:03:14 EDT; 52min ago
       Docs: man:mosquitto.conf(5)
             man:mosquitto(8)
   Main PID: 23194 (mosquitto)
      Tasks: 1 (limit: 4641)
     Memory: 1.2M
        CPU: 2.124s
     CGroup: /system.slice/mosquitto.service
             └─23194 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Aug 17 13:03:14 debian systemd[1]: Starting mosquitto.service - Mosquitto MQTT Broker...
Aug 17 13:03:14 debian systemd[1]: Started mosquitto.service - Mosquitto MQTT Broker.

Check the ports;

ss -antpl | grep :1883

LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=23194,fd=5))  
LISTEN 0      100            [::1]:1883         [::]:*    users:(("mosquitto",pid=23194,fd=6))

Update GVM Directories Ownership and Permissions

Update GVM libraries ownership and permissions as follows;

mkdir -p /var/lib/notus /run/gvmd

chown -R gvm:gvm /var/lib/gvm \
	/var/lib/openvas \
	/var/lib/notus \
	/var/log/gvm \
	/run/gvmd

Update Network Vulnerability Tests (NVTs)

Update Network Vulnerability Tests feed from Greenbone Security Feed/Community Feed using the greenbone-nvt-sync command. rsync tool is required for a successful synchronization.

Note that greenbone-nvt-sync must not be executed as privileged user root. For this reason, update the NVTs as gvm user created above.

Also, allow GVM user to run openvas with sudo rights.

echo "gvm ALL = NOPASSWD: $(which openvas)" >> /etc/sudoers.d/gvm

Next, update the NVTs as GVM user;

sudo -Hiu gvm greenbone-nvt-sync

Sample output;

Trying to acquire lock on /var/lib/openvas/feed-update.lock
Acquired lock on /var/lib/openvas/feed-update.lock
⠦ Downloading Notus files from rsync://feed.community.greenbone.net/community/vulnerability-feed/22.04/vt-data/notus/ to /var/lib/notus
⠧ Downloading NASL files from rsync://feed.community.greenbone.net/community/vulnerability-feed/22.04/vt-data/nasl/ to /var/lib/openvas/plugins
Releasing lock on /var/lib/openvas/feed-update.lock

If the command fails with:

rsync: [receiver] read error: Connection reset by peer (104)
rsync error: error in socket IO (code 10) at io.c(784) [receiver=3.2.3]
rsync: connection unexpectedly closed (1913648 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(228) [generator=3.2.3]

Then append --rsync option and rerun the command.

sudo -Hiu gvm greenbone-nvt-sync --rsync

Once the update is done, you need to upload the plugins into Redis server;

sudo -Hiu gvm sudo openvas --update-vt-info

Keeping the feeds up-to-date

The gvmd Data, SCAP and CERT Feeds should be kept up-to-date by calling the greenbone-feed-sync script regularly (e.g. via a cron entry):

sudo -Hiu gvm greenbone-feed-sync --type GVMD_DATA

sudo -Hiu gvm greenbone-feed-sync --type SCAP

sudo -Hiu gvm greenbone-feed-sync --type CERT

Please note: The CERT feed sync depends on data provided by the SCAP feed and should be called after syncing the later.

Also, in case the commands fail with such an error;

rsync: read error: Connection reset by peer (104)
rsync error: error in socket IO (code 10) at io.c(794) [receiver=3.1.3]
rsync: connection unexpectedly closed (1047 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [generator=3.1.3]

Try adding --rsync option to the command, for example;

sudo -Hiu gvm greenbone-feed-sync --type CERT --rsync

Consider setting cron jobs to run the nvts, cert and scap data update scripts at your preferred frequency to pull updates from the feed servers.

Configure GVM Feed Validation

Run the commands below install the GnuPG keychain with the Greenbone Community Feed integrity key for validating the feed content;

wget https://www.greenbone.net/GBCommunitySigningKey.asc

gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc

echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | \
gpg --import-ownertrust --homedir=/etc/openvas/gnupg

List the keys;

gpg --homedir=/etc/openvas/gnupg --list-keys

Running OpenVAS Scanner, GSA and GVM services

In order to make the management of OpenVAS scanner, GSA (WebUI service) and GVM daemon, create systemd service unit files for each of them as follows.

Create Systemd Service unit for OpenVAS OSPD

You can copy the service unit file from the source directory to systemd service unit files directory and modify it accordingly. We use the service unit below in this setup.

cat > /etc/systemd/system/ospd-openvas.service << 'EOL'
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service [email protected] mosquitto.service
[email protected] mosquitto.service notus-scanner.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStartPre=-rm -rf /run/ospd/ospd-openvas.pid /run/ospd/ospd-openvas.sock
ExecStart=/usr/local/bin/ospd-openvas --foreground \
	--unix-socket /run/ospd/ospd-openvas.sock \
	--pid-file /run/ospd/ospd-openvas.pid \
	--log-file /var/log/gvm/ospd-openvas.log \
	--lock-file-dir /var/lib/openvas \
	--socket-mode 0770 \
	--mqtt-broker-address localhost \
	--mqtt-broker-port 1883 \
	--notus-feed-dir /var/lib/notus/advisories
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOL

Reload systemd configs;

systemctl daemon-reload

Start and enable OSPD openvas wrapper service;

systemctl enable --now ospd-openvas

Check the status;

systemctl status ospd-openvas.service

● ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
     Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-08-17 15:57:12 EDT; 7s ago
       Docs: man:ospd-openvas(8)
             man:openvas(8)
    Process: 24915 ExecStartPre=rm -rf /run/ospd/ospd-openvas.pid /run/ospd/ospd-openvas.sock (code=exited, status=0/SUCCESS)
   Main PID: 24916 (ospd-openvas)
      Tasks: 5 (limit: 4641)
     Memory: 28.5M
        CPU: 353ms
     CGroup: /system.slice/ospd-openvas.service
             ├─24916 /usr/bin/python3 /usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log->
             └─24922 /usr/bin/python3 /usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log->

Aug 17 15:57:12 debian systemd[1]: Starting ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)...
Aug 17 15:57:12 debian systemd[1]: Started ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas).
Aug 17 15:57:12 debian ospd-openvas[24916]: OSPD[24916] 2023-08-17 19:57:12,609: INFO: (ospd.main) Starting OSPd OpenVAS version 22.5.4.
Aug 17 15:57:12 debian ospd-openvas[24916]: OSPD[24916] 2023-08-17 19:57:12,612: INFO: (ospd_openvas.messaging.mqtt) Successfully connected to MQTT broker

Be sure to also check the logs;

tail -f /var/log/gvm/ospd-openvas.log

Sample logs;

...
OSPD[24916] 2023-08-17 19:59:59,590: INFO: (ospd_openvas.daemon) VTs were up to date. Feed version is 202308170613.
OSPD[24916] 2023-08-17 20:06:07,082: INFO: (ospd.main) Shutting-down server ...
OSPD[25043] 2023-08-17 20:06:07,814: INFO: (ospd.main) Starting OSPd OpenVAS version 22.5.4.
OSPD[25043] 2023-08-17 20:06:07,817: INFO: (ospd_openvas.messaging.mqtt) Successfully connected to MQTT broker
OSPD[25043] 2023-08-17 20:06:17,981: INFO: (ospd_openvas.daemon) Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...
OSPD[25043] 2023-08-17 20:07:44,236: INFO: (ospd_openvas.daemon) VTs were up to date. Feed version is 202308170613.

Create Notus Scanner Systemd Service Unit

Execute the command below to install Notus scanner systemd service unit

cat > /etc/systemd/system/notus-scanner.service << 'EOL'
[Unit]
Description=Notus Scanner
After=mosquitto.service
Wants=mosquitto.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
RuntimeDirectory=notus-scanner
RuntimeDirectoryMode=2775
PIDFile=/run/notus-scanner/notus-scanner.pid
ExecStart=/usr/local/bin/notus-scanner --foreground \
	--products-directory /var/lib/notus/products \
	--log-file /var/log/gvm/notus-scanner.log
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOL

Reload systemd configs, start and enable the service.

systemctl daemon-reload

systemctl enable --now notus-scanner

Check the status;

systemctl status notus-scanner

● notus-scanner.service - Notus Scanner
     Loaded: loaded (/etc/systemd/system/notus-scanner.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-08-17 16:22:30 EDT; 10s ago
   Main PID: 25199 (notus-scanner)
      Tasks: 1 (limit: 4641)
     Memory: 14.5M
        CPU: 118ms
     CGroup: /system.slice/notus-scanner.service
             └─25199 /usr/bin/python3 /usr/local/bin/notus-scanner --foreground --products-directory /var/lib/notus/products --log-file /var/log/gvm/notus-scanner.log

Aug 17 16:22:30 debian systemd[1]: Starting notus-scanner.service - Notus Scanner...
Aug 17 16:22:30 debian systemd[1]: Started notus-scanner.service - Notus Scanner.
Aug 17 16:22:30 debian notus-scanner[25199]: 2023-08-17 16:22:30,660 notus-scanner: INFO: (notus.scanner.daemon) Starting notus-scanner version 22.5.0.

check logs;

tail -f /var/log/gvm/notus-scanner.log

Creating Systemd Service units for GVM services

When run, the installer creates GVM daemon service unit, /lib/systemd/system/gvmd.service.

Let us modify this service unit file;

cp /lib/systemd/system/gvmd.service{,.bak}

cat > /lib/systemd/system/gvmd.service << 'EOL'
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
PIDFile=/run/gvmd/gvmd.pid
RuntimeDirectory=gvmd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/sbin/gvmd --foreground \
	--osp-vt-update=/run/ospd/ospd-openvas.sock \
	--listen-group=gvm
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
EOL

Reload system unit configs and start the services;

systemctl daemon-reload
systemctl enable --now gvmd

Checking the status;

systemctl status gvmd

● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)
     Loaded: loaded (/lib/systemd/system/gvmd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-08-17 16:24:32 EDT; 7s ago
       Docs: man:gvmd(8)
   Main PID: 25261 (gvmd)
      Tasks: 1 (limit: 4641)
     Memory: 5.0M
        CPU: 55ms
     CGroup: /system.slice/gvmd.service
             └─25261 "gvmd: gvmd: Initiali" --foreground --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm

Aug 17 16:24:32 debian systemd[1]: Starting gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)...
Aug 17 16:24:32 debian systemd[1]: Started gvmd.service - Greenbone Vulnerability Manager daemon (gvmd).

Check the logs;

tail -f /var/log/gvm/gvmd.log

Creating Systemd Service units for GSA services

When run, the installer creates GSA daemon service unit, /lib/systemd/system/gsad.service.

Let us modify this service unit file;

cp /lib/systemd/system/gsad.service{,.bak}

cat > /lib/systemd/system/gsad.service << 'EOL'
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/bin/sudo /usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOL

Generate GVM Certificates

Next, run the command below to generate certificates gvmd.

Server certificates are used for authentication while client certificates are primarily used for authorization. More on man gvm-manage-certs.

sudo -Hiu gvm gvm-manage-certs -a

Sample output;

Generated private key in /tmp/tmp.7H0Mdu8bpw/cakey.pem.
Generated self signed certificate in /tmp/tmp.7H0Mdu8bpw/cacert.pem.
Installed private key to /var/lib/gvm/private/CA/cakey.pem.
Installed certificate to /var/lib/gvm/CA/cacert.pem.
Generated private key in /tmp/tmp.7H0Mdu8bpw/serverkey.pem.
Generated certificate request in /tmp/tmp.7H0Mdu8bpw/serverrequest.pem.
Signed certificate request in /tmp/tmp.7H0Mdu8bpw/serverrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.7H0Mdu8bpw/servercert.pem
Installed private key to /var/lib/gvm/private/CA/serverkey.pem.
Installed certificate to /var/lib/gvm/CA/servercert.pem.
Generated private key in /tmp/tmp.7H0Mdu8bpw/clientkey.pem.
Generated certificate request in /tmp/tmp.7H0Mdu8bpw/clientrequest.pem.
Signed certificate request in /tmp/tmp.7H0Mdu8bpw/clientrequest.pem with CA certificate in /var/lib/gvm/CA/cacert.pem to generate certificate in /tmp/tmp.7H0Mdu8bpw/clientcert.pem
Installed private key to /var/lib/gvm/private/CA/clientkey.pem.
Installed certificate to /var/lib/gvm/CA/clientcert.pem.
Removing temporary directory /tmp/tmp.7H0Mdu8bpw.

Enable GVM user to run gsad with sudo rights;

echo "gvm ALL = NOPASSWD: $(which gsad)" >> /etc/sudoers.d/gvm

Reload system unit configs and start the services;

systemctl daemon-reload
systemctl enable --now gsad

Checking the status;

systemctl status gsad

Check the logs;

tail /var/log/gvm/gsad.log

Create GVM Scanner

Since we launched the scanner and set it to use our non-standard scanner host path (/run/ospd/ospd-openvas.sock), we need to create and register our scanner;

sudo -Hiu gvm /usr/local/sbin/gvmd \
	--create-scanner="Kifarunix-demo OpenVAS Scanner" \
	--scanner-type="OpenVAS" \
	--scanner-host=/run/ospd/ospd-openvas.sock

Scanner created.

Next, you need to verify your scanner. For this, you first need to get the scanner identifier;

sudo -Hiu gvm /usr/local/sbin/gvmd --get-scanners

08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /run/ospd/ospd-openvas.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE
3017834c-835b-41d9-8377-d8fb4d855aac  OpenVAS  /run/ospd/ospd-openvas.sock  9390  Kifarunix-demo OpenVAS Scanner

Based on the output above, our scanner UUID is, 3017834c-835b-41d9-8377-d8fb4d855aac.

Verify the scanner;

sudo -Hiu gvm /usr/local/sbin/gvmd --verify-scanner=3017834c-835b-41d9-8377-d8fb4d855aac

Command output;

Scanner version: OpenVAS 22.7.3.

Create GVM Admin User

Create GVM administrative user by running the command below;

sudo -Hiu gvm /usr/local/sbin/gvmd --create-user admin

This command generates a random password for the user. See sample output below;

User created with password 'dcc80f4b-5d72-42ec-bd4b-dcff83a2cdb4'.

If you want to create a user and at the same time create your own password;

sudo -Hiu gvm /usr/local/sbin/gvmd --create-user USERNAME --password=PASSWORD

Otherwise, you can reset the password of an already existing user;

sudo -Hiu gvm /usr/local/sbin/gvmd --user=<USERNAME> --new-password=<PASSWORD>

An administrator user can later create further users or administrators via clients like the Greenbone Security Assistant (GSA).

Set the Feed Import Owner

According to gvmd/INSTALL.md, certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config “Full and Fast”.

gvmd will only create these resources if a “Feed Import Owner” is configured:

sudo -Hiu gvm /usr/local/sbin/gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

Thus, get the UUIDs of all created users;

sudo -Hiu gvm /usr/local/sbin/gvmd --get-users --verbose

Sample output;

admin 75089717-efc1-48be-a3ce-520a9fa457ed

Then modify the gvmd settings with the admin user UUID.

sudo -Hiu gvm /usr/local/sbin/gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value 75089717-efc1-48be-a3ce-520a9fa457ed

Accessing GVM Web Interface

Greenbone Security Assistant (GSA) WebUI daemon opens port 443 and listens on all interfaces.

ss -altnp | grep 443

LISTEN 0      1024               *:443             *:*    users:(("gsad",pid=11957,fd=10))

If firewall is running, open this port to allow external access.

ufw allow 443/tcp

You can now access GSA via the url https:<serverIP-OR-hostname>.

Accept the self-signed SSL warning and proceed.

Dashboard

Feed Status

SecInfo

And that is it on how to install GVM on Debian 12.

And hey, don’t forget to choose your default scanner created above, when scanning your hosts;

You can now start scanning your assets.

Other Tutorials

Install GVM 21.04 on Debian 11/Debian 10

Install Nikto Web Scanner on Rocky Linux 8

Install and Setup Nessus Scanner on Ubuntu 20.04