Install GVM 21.04 on Debian 11/Debian 10

0
36

In this guide, you will learn how to install GVM 21.04 on Debian 11/Debian 10. Greenbone Vulnerability Management (GVM), previously known as OpenVAS, is a network security scanner which provides a set of network vulnerability tests (NVTs) to detect security loopholes in systems and applications. As of this writing, GVM 21.04 is the current stable release.

Want to use Rocky Linux 8 instead?

Install GVM 21.04 on Rocky Linux 8

Install GVM 21.04 on Debian 11/Debian 10

Prerequisites

In this demo, we will install and setup GVM 21.04 on Debian 11/Debian 10 from source code. As such, below are the system requirements I would personally recommend.

  • At least 4 GB RAM
  • At least 4 vCPUs
  • More than 8 GB disk space (We used 16 GB in this demo)

These requirements will vary depending on your use cases, however. Just be sure to provide “enough”.

Run System Update

To begin with, update and upgrade your system packages;

apt update
apt upgrade

Create GVM User on Ubuntu

In this demo, we will run GVM 21.08 as a non privileged system user. Thus, create gvm system user account.

useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm

Create the GVM user directory as specified by option -d in the command above and set the user and group ownership to gvm.

mkdir /opt/gvm && chown gvm: /opt/gvm

Install Required Build Tools

In order to successfully build GVM 21.04 on Debian 11/Debian 10, you need to install a number of required dependencies and build tools.

apt install gcc g++ make bison flex libksba-dev \
curl redis libpcap-dev cmake git pkg-config libglib2.0-dev libgpgme-dev \
nmap libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev gnutls-bin \
libmicrohttpd-dev libhiredis-dev zlib1g-dev libxml2-dev libnet-dev libradcli-dev \
clang-format libldap2-dev doxygen gcc-mingw-w64 xml-twig-tools libical-dev perl-base \
heimdal-dev libpopt-dev libunistring-dev graphviz libsnmp-dev python3-setuptools \
python3-paramiko python3-lxml python3-defusedxml python3-dev gettext python3-polib \
xmltoman python3-pip texlive-fonts-recommended \
texlive-latex-extra --no-install-recommends xsltproc sudo vim rsync

Install Yarn on Debian 11/Debian 10

Next, install Yarn JavaScript package manager

curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
apt update
apt install yarn -y

Install PostgreSQL on Debian 11/Debian 10

GVM 21.04 uses PostgreSQL as the backend database. We use version 11 in this setup. Therefore, run the command below to install PostgreSQL on Debian 11/Debian 10;

apt install postgresql-11 postgresql-contrib-11 postgresql-server-dev-11 -y

For Debian 11, you need to add the repository and rerun the installation command above;

For Debian 11, you need postgresql-server-dev-11, which can be installed as follows;

echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
curl -sL https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo tee /etc/apt/trusted.gpg.d/pgdg.asc >/dev/null
apt update
apt install postgresql-11 postgresql-contrib-11 postgresql-server-dev-11 -y

Create PostgreSQL User and Database

Once the installation is done, create the PostgreSQL user and database for Greenbone Vulnerability Management Daemon (gvmd).

Note that the database and user should be created as PostgreSQL user, postgres.

sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmd

Grant PostgreSQL User DBA Roles

psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
\q
exit

Once that is done, restart PostgreSQL;

systemctl restart postgresql
systemctl enable postgresql

Allow the user to run the installation with sudo rights;

echo "gvm ALL = NOPASSWD: $(which make) install" > /etc/sudoers.d/gvm

Building GVM 21.04 from Source Code

There are different tools required to install and setup GVM 21.04 on Debian 11/Debian 10. These include;

  • GVM Libraries
  • OpenVAS Scanner
  • OSPd
  • ospd-openvas
  • Greenbone Vulnerability Manager
  • Greenbone Security Assistant
  • Python-GVM
  • GVM-Tools
  • OpenVAS SMB

Every component has README.md and a INSTALL.md file that explains how to build and install it.

Build and Install GVM 21.04 on Debian 11/Debian 10

Switch to GVM user created above;

su - gvm

Create a directory where to download the source files to;

mkdir gvm-source

Download GVM 21.04 Source Files

Navigate to temporary directory created above and run the subsequent commands to clone the GVM github branch files.

cd gvm-source
git clone -b gvm-libs-21.04 https://github.com/greenbone/gvm-libs.git
git clone -b master https://github.com/greenbone/openvas-smb.git
git clone -b openvas-21.04 https://github.com/greenbone/openvas.git
git clone -b ospd-21.04 https://github.com/greenbone/ospd.git
git clone -b ospd-openvas-21.04 https://github.com/greenbone/ospd-openvas.git
git clone -b gvmd-21.04 https://github.com/greenbone/gvmd.git
git clone -b gsa-21.04 https://github.com/greenbone/gsa.git

Once the source files are in place, proceed to build and install GVM 21.04 on Debian 11/Debian 10.

Note the current working directory;

pwd
/opt/gvm/gvm-source
ls -1
gsa
gvmd
gvm-libs
openvas
openvas-smb
ospd
openvas-smb

I would suggest you take a snapshot of your machine at this point, just in case things don’t work out, you can revert to this stage without having to start from scratch!

Note that we will install all GVM 21.04 files and libraries to the default location, /usr/local.

Build and Install GVM 11 Libraries

whoami
gvm

From within the source directory, /opt/gvm/gvm-source, in this setup, change to GVM libraries directory;

cd gvm-libs
mkdir build && cd build
cmake ..
make
sudo make install

Build and Install OpenVAS scanner and OpenVAS SMB

Open Vulnerability Assessment Scanner (OpenVAS) is a full-featured scan engine that executes a continuously updated and extended feed of Network Vulnerability Tests (NVTs).

OpenVAS SMB provides modules for the OpenVAS Scanner to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.

Build and install openvas-smb;

cd ../../openvas-smb/
mkdir build && cd build
cmake ..
make
sudo make install

Build and install OpenVAS scanner;

cd ../../openvas
mkdir build && cd build
cmake ..
make
sudo make install

Configuring OpenVAS Scanner

The host scan information is stored temporarily on Redis server.

To begin run the command below to create the cache to the installed shared libraries;

exit
ldconfig

The default configuration of Redis server is /etc/redis/redis.conf.

Next, copy OpenVAS scanner Redis configuration file from the OpenVAS source directory, redis-openvas.conf, to the Redis config directory;

cp /opt/gvm/gvm-source/openvas/config/redis-openvas.conf /etc/redis/

Update the ownership of the configuration.

chown redis:redis /etc/redis/redis-openvas.conf

Update the path to Redis unix socket on the /etc/openvas/openvas.conf using the db_address parameter.

To get the path to the Redis unix socket, run the command;

openvas -s | grep db_address

Sample output;

db_address = /run/redis/redis.sock

Once you get the path to Redis unix socket, run the command;

echo "db_address = /run/redis-openvas/redis.sock" > /etc/openvas/openvas.conf

Add gvm user to redis group;

usermod -aG redis gvm

Optimize Redis Performance

You can also optimize Redis server itself improve the performance by making the following adjustments;

Increase the value of somaxconn in order to avoid slow clients connections issues.

echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf

Redis background save may fail under low memory condition. To avoid this, enable memory overcommit (man 5 proc).

echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf

Reload sysctl variables created above.

sysctl -p

To avoid creation of latencies and memory usage issues with Redis, disable Linux Kernel’s support for Transparent Huge Pages (THP). To easily work around this, create a systemd service unit for this purpose.

cat > /etc/systemd/system/disable_thp.service << 'EOL'
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOL

Reload systemd configurations;

systemctl daemon-reload

Start and enable this service to run on system boot.

systemctl enable --now disable_thp

Restart OpenVAS Redis server

systemctl enable --now [email protected]

Confirm the status;

systemctl status [email protected]
[email protected] - Advanced key-value store (openvas)
     Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-08-28 09:40:06 EAT; 5s ago
       Docs: http://redis.io/documentation,
             man:redis-server(1)
   Main PID: 9001 (redis-server)
     Status: "Ready to accept connections"
      Tasks: 5 (limit: 4679)
     Memory: 2.9M
        CPU: 42ms
     CGroup: /system.slice/system-redis\x2dserver.slice/[email protected]
             └─9001 /usr/bin/redis-server 127.0.0.1:0

Aug 28 09:40:06 bullseye.kifarunix-demo.com redis-server[9001]:   `-._    `-._`-.__.-'_.-'    _.-'
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis-server[9001]:       `-._    `-.__.-'    _.-'
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis-server[9001]:           `-._        _.-'
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis-server[9001]:               `-.__.-'
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis[9001]:                 _._                                                  
                                                                    _.-``__ ''-._                                             
                                                               _.-``    `.  `_.  ''-._           Redis 6.0.15 (00000000/0) 64 bit
                                                           .-`` .-```.  ```\/    _.,_ ''-._                                   
                                                          (    '      ,       .-`  | `,    )     Running in standalone mode
                                                          |`-._`-...-` __...-.``-._|'` _.-'|     Port: 0
                                                          |    `-._   `._    /     _.-'    |     PID: 9001
                                                           `-._    `-._  `-./  _.-'    _.-'                                   
                                                          |`-._`-._    `-.__.-'    _.-'_.-'|                                  
                                                          |    `-._`-._        _.-'_.-'    |           http://redis.io        
                                                           `-._    `-._`-.__.-'_.-'    _.-'                                   
                                                          |`-._`-._    `-.__.-'    _.-'_.-'|                                  
                                                          |    `-._`-._        _.-'_.-'    |                                  
                                                           `-._    `-._`-.__.-'_.-'    _.-'                                   
                                                               `-._    `-.__.-'    _.-'                                       
                                                                   `-._        _.-'                                           
                                                                       `-.__.-'
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis-server[9001]: 9001:M 28 Aug 2021 09:40:06.710 # Server initialized
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis[9001]: Server initialized
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis-server[9001]: 9001:M 28 Aug 2021 09:40:06.711 * The server is now ready to accept connections at /run/redis-openvas/redis>
Aug 28 09:40:06 bullseye.kifarunix-demo.com redis[9001]: The server is now ready to accept connections at /run/redis-openvas/redis.sock
Aug 28 09:40:06 bullseye.kifarunix-demo.com systemd[1]: Started Advanced key-value store (openvas).

Update Network Vulnerability Tests (NVTs)

Update Network Vulnerability Tests feed from Greenbone Security Feed/Community Feed using the greenbone-nvt-sync command. rsync tool is required for a successful synchronization.

Note that greenbone-nvt-sync must not be executed as privileged user root. For this reason, update the NVTs as gvm user created above.

Ensure that user can write to OpenVAS libraries directory, /var/lib/openvas/, directory.

chown -R gvm: /var/lib/openvas/

Also, allow GVM user to run openvas with sudo rights.

echo "gvm ALL = NOPASSWD: $(which openvas)" >> /etc/sudoers.d/gvm

Next, update the NVTs GVM user;

su - gvm
greenbone-nvt-sync

If the command fails with:

rsync: [receiver] read error: Connection reset by peer (104)
rsync error: error in socket IO (code 10) at io.c(784) [receiver=3.2.3]
rsync: connection unexpectedly closed (1913648 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(228) [generator=3.2.3]

Then append --rsync option and rerun the command.

greenbone-nvt-sync --rsync

Once the update is done, you need to upload the plugins into Redis server;

sudo openvas --update-vt-info

Build and Install Greenbone Vulnerability Manager

cd gvm-source/gvmd
mkdir build && cd build
cmake ..
make
sudo make install

Build and Install Greenbone Security Assistant

cd ../../gsa
mkdir build && cd build
cmake ..
make
sudo make install

Keeping the feeds up-to-date

The gvmd DataSCAP and CERT Feeds should be kept up-to-date by calling the greenbone-feed-sync script regularly (e.g. via a cron entry):

exit
chown -R gvm: /var/lib/gvm/
sudo -u gvm greenbone-feed-sync --type GVMD_DATA
sudo -u gvm greenbone-feed-sync --type SCAP
sudo -u gvm greenbone-feed-sync --type CERT

Please note: The CERT feed sync depends on data provided by the SCAP feed and should be called after syncing the later.

Also, in case the commands fail with such an error;

rsync: read error: Connection reset by peer (104)
rsync error: error in socket IO (code 10) at io.c(794) [receiver=3.1.3]
rsync: connection unexpectedly closed (1047 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [generator=3.1.3]

Try adding --rsync option to the command, for example;

sudo -u gvm greenbone-feed-sync --type CERT --rsync

Consider setting cron jobs to run the nvts, cert and scap data update scripts at your preferred frequency to pull updates from the feed servers.

Generate GVM Certificates

Next, run the command below to generate certificates gvmd.

Server certificates are used for authentication while client certificates are primarily used for authorization. More on man gvm-manage-certs.

sudo -u gvm gvm-manage-certs -a

Build and Install OSPd and OSPd-OpenVAS

Open Scanner Protocol (OSP) creates a unified interface for different security scanners and makes their control flow and scan results consistently available under the central Greenbone Vulnerability Manager service.

su - gvm
pip3 install wheel
pip3 install python-gvm gvm-tools
cd /opt/gvm/gvm-source/ospd
python3 -m pip install .
cd /opt/gvm/gvm-source/ospd-openvas
python3 -m pip install .

Running OpenVAS Scanner, GSA and GVM services

In order to make the management of OpenVAS scanner, GSA (WebUI service) and GVM daemon, create systemd service unit files for each of them as follows.

Log out as gvm user and execute the commands below as a privileged user.

exit

Create Systemd Service unit for OpenVAS OSPD

You can copy the service unit file from the source directory to systemd service unit files directory and modify it accordingly. We use the service unit below in this setup.

cat > /etc/systemd/system/ospd-openvas.service << 'EOL'
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
After=network.target networking.service [email protected] postgresql.service
[email protected]
ConditionKernelCommandLine=!recovery

[Service]
ExecStartPre=-rm -rf /var/run/gvm/ospd-openvas.pid /var/run/gvm/ospd-openvas.sock
Type=simple
User=gvm
Group=gvm
RuntimeDirectory=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
ExecStart=/opt/gvm/.local/bin/ospd-openvas \
--pid-file /var/run/gvm/ospd-openvas.pid \
--log-file /var/log/gvm/ospd-openvas.log \
--lock-file-dir /var/run/gvm -u /var/run/gvm/ospd-openvas.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOL

Set the user/group owner of the directories, /var/run/gvm and /var/log/gvm to user gvm.

[[ -d /var/run/gvm ]] || mkdir /var/run/gvm
chown -R gvm: /var/run/gvm /var/log/gvm

Reload systemd configs;

systemctl daemon-reload

Start and enable OSPD openvas wrapper service;

systemctl enable --now ospd-openvas

Check the status;

systemctl status ospd-openvas.service
● ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
     Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2021-08-28 11:26:07 EAT; 6s ago
    Process: 11142 ExecStartPre=rm -rf /var/run/gvm/ospd-openvas.pid /var/run/gvm/ospd-openvas.sock (code=exited, status=0/SUCCESS)
    Process: 11143 ExecStart=/opt/gvm/.local/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/run/gvm -u /ru>
   Main PID: 11143 (code=exited, status=0/SUCCESS)
      Tasks: 4 (limit: 4679)
     Memory: 28.3M
        CPU: 463ms
     CGroup: /system.slice/ospd-openvas.service
             ├─11145 /usr/bin/python3 /opt/gvm/.local/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /run/g>
             └─11147 /usr/bin/python3 /opt/gvm/.local/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /run/g>

Aug 28 11:26:07 bullseye.kifarunix-demo.com systemd[1]: Starting OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)...
Aug 28 11:26:07 bullseye.kifarunix-demo.com systemd[1]: Started OSPd Wrapper for the OpenVAS Scanner (ospd-openvas).

Be sure to also check the logs;

tail -f /var/log/gvm/ospd-openvas.log

Creating Systemd Service units for GVM services

When run, the installer creates GVM daemon service unit, /lib/systemd/system/gvmd.service.

Let us modify this service unit file;

cp /lib/systemd/system/gvmd.service{,.bak}
cat > /lib/systemd/system/gvmd.service << 'EOL'
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/var/run/gvm/ospd-openvas.sock
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
EOL

Reload system unit configs and start the services;

systemctl daemon-reload
systemctl enable --now gvmd

Checking the status;

systemctl status gvmd
● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)
     Loaded: loaded (/lib/systemd/system/gvmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-08-28 11:29:25 EAT; 1min 15s ago
       Docs: man:gvmd(8)
    Process: 11259 ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/var/run/gvm/ospd-openvas.sock (code=exited, status=0/SUCCESS)
   Main PID: 11261 (gvmd)
      Tasks: 9 (limit: 4679)
     Memory: 608.8M
        CPU: 18.131s
     CGroup: /system.slice/gvmd.service
             ├─11261 gvmd: Waiting for incoming connections
             ├─11299 gpg-agent --homedir /var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
             ├─11311 gvmd: Reloading NVTs
             ├─11312 gvmd: Syncing SCAP: Updating CPEs
             ├─11313 gvmd: OSP: Updating NVT cache
             ├─11314 gvmd: Syncing CERT
             ├─11326 sh -c xml_split -s40Mb split.xml && head -n 2 split-00.xml > head.xml && echo '' > tail.xml && for F in split-*.xml; do    awk 'NR>3 {print>
             ├─11327 /usr/bin/perl -w /usr/bin/xml_split -s40Mb split.xml
             └─11334 gvmd: Synchronizing feed data

Aug 28 11:29:25 bullseye.kifarunix-demo.com systemd[1]: Starting Greenbone Vulnerability Manager daemon (gvmd)...
Aug 28 11:29:25 bullseye.kifarunix-demo.com systemd[1]: Started Greenbone Vulnerability Manager daemon (gvmd).

Check the logs;

tail -f /var/log/gvm/gvmd.log

Creating Systemd Service units for GSA services

When run, the installer creates GSA daemon service unit, /lib/systemd/system/gsad.service.

Let us modify this service unit file;

cp /lib/systemd/system/gsad.service{,.bak}
cat > /lib/systemd/system/gsad.service << 'EOL'
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
ExecStart=/usr/bin/sudo /usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOL

The option, -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem, is as per the certificates path generated by running the gvm-manage-certs command above.

Enable GVM user to run gsad with sudo rights;

echo "gvm ALL = NOPASSWD: $(which gsad)" >> /etc/sudoers.d/gvm

Reload system unit configs and start the services;

systemctl daemon-reload
systemctl enable --now gsad

Checking the status;

systemctl status gsad
● gsad.service - Greenbone Security Assistant daemon (gsad)
     Loaded: loaded (/lib/systemd/system/gsad.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2021-08-28 11:46:14 EAT; 55s ago
       Docs: man:gsad(8)
             https://www.greenbone.net
    Process: 11954 ExecStart=/usr/bin/sudo /usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem (code=exited, status=0/SUCCESS)
   Main PID: 11954 (code=exited, status=0/SUCCESS)
      Tasks: 4 (limit: 4679)
     Memory: 4.1M
        CPU: 66ms
     CGroup: /system.slice/gsad.service
             ├─11957 /usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem
             └─11958 /usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/gvm/CA/clientcert.pem

Aug 28 11:46:14 bullseye.kifarunix-demo.com systemd[1]: Stopping Greenbone Security Assistant daemon (gsad)...
Aug 28 11:46:14 bullseye.kifarunix-demo.com sudo[11954]:      gvm : PWD=/ ; USER=root ; COMMAND=/usr/local/sbin/gsad -k /var/lib/gvm/private/CA/clientkey.pem -c /var/lib/g>
Aug 28 11:46:14 bullseye.kifarunix-demo.com systemd[1]: Started Greenbone Security Assistant daemon (gsad).
Aug 28 11:46:14 bullseye.kifarunix-demo.com sudo[11954]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=998)
Aug 28 11:46:15 bullseye.kifarunix-demo.com sudo[11955]: Oops, secure memory pool already initialized
Aug 28 11:46:15 bullseye.kifarunix-demo.com sudo[11954]: pam_unix(sudo:session): session closed for user root

Check the logs;

tail /usr/local/var/log/gvm/gsad.log

Create GVM Scanner

Since we launched the scanner and set it to use our non-standard scanner host path (/var/run/gvm/ospd-openvas.sock), we need to create and register our scanner;

sudo -u gvm gvmd --create-scanner="Kifarunix-demo OpenVAS Scanner" --scanner-type="OpenVAS" --scanner-host=/var/run/gvm/ospd-openvas.sock
Scanner created.

Next, you need to verify your scanner. For this, you first need to get the scanner identifier;

sudo -u gvm gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /run/ospd/ospd-openvas.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE
6e0c2bec-9688-430d-b8da-f59a7c27fbe7  OpenVAS  /var/run/gvm/ospd-openvas.sock  9390  Kifarunix-demo OpenVAS Scanner

Based on the output above, our scanner UUID is, 6e0c2bec-9688-430d-b8da-f59a7c27fbe7.

Verify the scanner;

sudo -u gvm gvmd --verify-scanner=6e0c2bec-9688-430d-b8da-f59a7c27fbe7

Command output;

Scanner version: OpenVAS 21.4.3~dev1~git-3e7b6d3f-openvas-21.04.

Create GVM Admin User

Create GVM administrative user by running the command below;

sudo -u gvm gvmd --create-user admin

This command generates a random password for the user. See sample output below;

User created with password '3ae45864-0d6a-4a53-938f-730a1bb5d959'.

If you want to create a user and at the same time create your own password;

sudo -u gvm gvmd --create-user gvmadmin [email protected]

Otherwise, you can reset the password of an already existing user;

sudo -u gvm gvmd --user=<USERNAME> --new-password=<PASSWORD>

An administrator user can later create further users or administrators via clients like the Greenbone Security Assistant (GSA).

Set the Feed Import Owner

According to gvmd/INSTALL.md, certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config “Full and Fast”.

gvmd will only create these resources if a “Feed Import Owner” is configured:

sudo -u gvm gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

The UUIDs of all created users can be found using

sudo -u gvm gvmd --get-users --verbose

Sample output;

admin bb3bd8a6-6b77-464f-9f9b-1afe4835be15

Then modify the gvmd settings with the user UUID.

sudo -u gvm gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value bb3bd8a6-6b77-464f-9f9b-1afe4835be15

Accessing GVM 21.04 Web Interface

Greenbone Security Assistant (GSA) WebUI daemon opens port 443 and listens on all interfaces.

ss -altnp | grep 443
LISTEN 0      1024               *:443             *:*    users:(("gsad",pid=11957,fd=10))

If firewall is running, open this port to allow external access.

ufw allow 443/tcp

You can now access GSA via the url https:<serverIP-OR-hostname>.

Accept the self-signed SSL warning and proceed.

Install GVM 21.04 on Debian 11/Debian 10

Dashboard

Install GVM 21.04 on Debian 11/Debian 10

Feed Status

Install GVM 21.04 on Debian 11/Debian 10

SecInfo

Install GVM 21.04 on Debian 11/Debian 10

And that is it on how to install GVM 21.04 on Debian 11/Debian 10.

And hey, dont forget to choose your default scanner created above, when scanning your hosts;

Install GVM 21.04 on Debian 11/Debian 10

You can now start scanning your assets.

Sample Scan Report

Install GVM 21.04 on Debian 11/Debian 10

Other Tutorials

Install Nikto Web Scanner on Rocky Linux 8

Install and Setup Nessus Scanner on Ubuntu 20.04

LEAVE A REPLY

Please enter your comment!
Please enter your name here