Install GVM 21.04 on Rocky Linux 8

3
110

In this guide, you will learn how to install  GVM 21.04 on Rocky Linux 8. Greenbone Vulnerability Management (GVM), previously known as OpenVAS, is a network security scanner which provides a set of network vulnerability tests (NVTs) to detect security loopholes in systems and applications. As of this writing, GVM 21.04 is the current stable release.

Want to use Debian 11 instead? Use the guide below;

Install GVM 21.04 on Debian 11/Debian 10

Install GVM 21.04 on Rocky Linux 8

Prerequisites

In this demo, we will install and setup GVM 21.04 on Rocky Linux 8 from source code. As such, below are the system requirements I would personally recommend.

  • At least 4 GB RAM
  • At least 4 vCPUs
  • More than 8 GB disk space (We used 16 GB in this demo)

These requirements will vary depending on your use cases, however. Just be sure to provide “enough”.

DISCLAIMER: I cannot guarantee you that this guide will work for you out of the box. So just try it.

Run System Update

To begin with, update and upgrade your system packages;

dnf update

Create GVM User on Rocky Linux

In this demo, we will run GVM 21.04 as a non privileged system user. Thus, create gvm system user account.

useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm

Create the GVM user directory as specified by option -d in the command above and set the user and group ownership to gvm.

mkdir /opt/gvm
chown gvm: /opt/gvm

Allow gvm user to run installation with passwordless sudo;

echo "gvm ALL = NOPASSWD: $(which make) install" > /etc/sudoers.d/gvm

Install Required Build Tools

In order to successfully build GVM 21.04 on Rocky Linux 8, you need to install a number of required dependencies and build tools.

Enable repositories that will provide additional packages;

dnf install epel-release
dnf config-manager --set-enabled powertools

Next, Install the required build tools.

dnf group install "Development Tools"
dnf install cmake glib2-devel zlib-devel gnutls-devel libuuid-devel libssh-devel libxml2-devel wget vim rsync \
libgcrypt-devel openldap-devel popt-devel redis libical-devel openssl-devel hiredis-devel radcli-devel bzip2-devel \
python3-devel libpq-devel texinfo xmltoman nmap sshpass socat mingw32-gcc ncurses-devel libunistring-devel xz-devel \
gpgme-devel libksba-devel doxygen libpcap-devel python3-polib libmicrohttpd-devel gnutls-utils libnet-devel libffi-devel

Building OpenVAS SMB requires Heimdal GSSAPI package. You need to build this package from the source.

Download Heimdal package from the releases page.

wget https://github.com/heimdal/heimdal/releases/download/heimdal-7.7.0/heimdal-7.7.0.tar.gz -P /tmp/

Extract and install Heimdal on Rocky Linux 8;

cd /tmp
tar xzf heimdal-7.7.0.tar.gz
cd heimdal-7.7.0
./configure  --enable-opt=no --disable-otp --prefix=/opt/heimdal
make
make install
cd ~
ln -s /opt/heimdal/include/ /opt/heimdal/include/heimdal
echo "/opt/heimdal/lib" > /etc/ld.so.conf.d/heimdal-gssapi.conf
ldconfig

Next, create a symbolic of the /usr/lib64/libtspi.so.1 to /usr/lib64/libtspi.so. This is needs to be done to fix the error, /usr/bin/ld: cannot find -ltspi, encountered while compiling OpenVAS SMB.

ln -s /usr/lib64/libtspi.so.1 /usr/lib64/libtspi.so

Install Python >=3.7 required to build OSPD. We choose to install Python 3.7.9 in this demo;

wget https://www.python.org/ftp/python/3.7.9/Python-3.7.9.tgz
tar xzf Python-3.7.9.tgz
cd Python-3.7.9
./configure --enable-optimizations
make altinstall
cd ~

Configure SELinux

In this demo, we have set up SELinux to run in permissive mode. I don’t recommend this, though. But i couldn’t deal with various permissions!

setenforce 0
sed -i 's/=enforcing/=permissive/' /etc/selinux/config

Install Yarn on Rocky Linux 8

Next, install Yarn JavaScript package manager by following the link below;

Install Yarn on Rocky Linux 8

Install PostgreSQL on Rocky Linux 8

GVM 21.04 uses PostgreSQL as the backend database. Hence, run the command below to install PostgreSQL on Rocky Linux 8.

sudo dnf -y install -y postgresql-server postgresql-contrib postgresql-server-devel

Once the installation is done, Initialize:

/usr/bin/postgresql-setup --initdb

Next, start it and enable it to run on system boot;

systemctl enable --now postgresql

Create PostgreSQL User and Database

Once the installation is done, create the PostgreSQL user and database for Greenbone Vulnerability Management Daemon (gvmd).

Note that the database and user should be created as PostgreSQL user, postgres.

sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmd

Grant PostgreSQL User DBA Roles

psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
\q
exit

Once that is done, restart PostgreSQL;

systemctl restart postgresql

Create a symbolic link;

ln -s /usr/include /usr/include/postgresql

Building GVM 21.04 from Source

There are different tools required to install and setup GVM 21.04 on Rocky Linux 8. These include;

  • GVM Libraries
  • OpenVAS Scanner
  • OSPd
  • ospd-openvas
  • Greenbone Vulnerability Manager
  • Greenbone Security Assistant
  • Python-GVM
  • GVM-Tools
  • OpenVAS SMB

Every component has README.md and a INSTALL.md file that explains how to build and install it.

Since we are running GVM as non-privileged user, gvm, then we will install all the GVM configuration files and libraries under, /opt/gvm.

Update the PATH environment variable on /etc/environment, to include the GVM binary path such that it looks like;

echo "PATH=$PATH:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin" >> /etc/environment
source /etc/environment

Add GVM library path to /etc/ld.so.conf.d.

echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.conf

Install and Setup GVM 21.04 on Rocky Linux 8

Switch to GVM user, gvm and create a temporary directory to store GVM source files.

su - gvm
mkdir gvm-source

Download GVM 21.04 Source Files

Navigate to temporary directory created above and run the subsequent commands to clone the GVM github branch files.

cd gvm-source
git clone -b gvm-libs-21.04 https://github.com/greenbone/gvm-libs.git
git clone -b master https://github.com/greenbone/openvas-smb.git
git clone -b openvas-21.04 https://github.com/greenbone/openvas.git
git clone -b ospd-21.04 https://github.com/greenbone/ospd.git
git clone -b ospd-openvas-21.04 https://github.com/greenbone/ospd-openvas.git
git clone -b gvmd-21.04 https://github.com/greenbone/gvmd.git
git clone -b gsa-21.04 https://github.com/greenbone/gsa.git

Once the source files are in place, proceed to build and install GVM 21.04 on Rocky Linux 8.

Note the current working directory;

pwd
/opt/gvm/gvm-source
ls -1
gsa
gvmd
gvm-libs
openvas
openvas-smb
ospd
ospd-openvas

Note that we will install all GVM 21.04 files and libraries to a non-standard location, /opt/gvm. As such, you need to set the PKG_CONFIG_PATH environment variable to the location of your pkg-config files before configuring:

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH

Be sure to replace the path, /opt/gvm, accordingly.

Build and Install GVM 11 Libraries

From within the source directory, /opt/gvm/gvm-source, in this setup, change to GVM libraries directory;

cd gvm-libs
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
sudo make install

Build and Install OpenVAS scanner and OpenVAS SMB

Open Vulnerability Assessment Scanner (OpenVAS) is a full-featured scan engine that executes a continuously updated and extended feed of Network Vulnerability Tests (NVTs).

OpenVAS SMB provides modules for the OpenVAS Scanner to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:/opt/heimdal/lib/pkgconfig:$PKG_CONFIG_PATH

Build and install openvas-smb;

cd ../../openvas-smb/
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
sudo make install

Build and install OpenVAS scanner;

cd ../../openvas
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make install

Configuring OpenVAS Scanner

The host scan information is stored temporarily on Redis server. The default configuration of Redis server is /etc/redis/redis.conf.

Switch back to privileged user and proceed.

exit

To begin run the command below to create the cache to the installed shared libraries;

ldconfig

Next, copy OpenVAS scanner Redis configuration file, redis-openvas.conf, to the same Redis configuration file;

mv /etc/redis.conf{,.original}
cp /opt/gvm/gvm-source/openvas/config/redis-openvas.conf /etc/redis.conf

Update the ownership of the configuration.

chown redis: /etc/redis.conf

Update the path to Redis unix socket on the /etc/redis.conf:

sed -i 's#/run/redis-openvas/redis.sock#/tmp/redis.sock#' /etc/redis.conf

Similarly, specify the path to Redis socket file on the /opt/gvm/etc/openvas/openvas.conf configuration file using the db_address parameter as follows.

echo "db_address = /tmp/redis.sock" > /opt/gvm/etc/openvas/openvas.conf
chown gvm: /opt/gvm/etc/openvas/openvas.conf

Add gvm user to redis group;

usermod -aG redis gvm

You can also optimize Redis server itself improve the performance by making the following adjustments;

Increase the value of somaxconn in order to avoid slow clients connections issues.

echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf

Redis background save may fail under low memory condition. To avoid this, enable memory overcommit (man 5 proc).

echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf

Reload sysctl variables created above.

sysctl -p

To avoid creation of latencies and memory usage issues with Redis, disable Linux Kernel’s support for Transparent Huge Pages (THP). To easily work around this, create a systemd service unit for this purpose.

cat > /etc/systemd/system/disable_thp.service << 'EOL'
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOL

Reload systemd configurations;

systemctl daemon-reload

Start and enable this service to run on system boot.

systemctl enable --now disable_thp

Start and enable Redis to run on system boot;

systemctl enable --now redis

A number of Network Vulnerability Tests (NVTs) require root privileges to perform certain operations. Since openvas is launched from an ospd-openvas process, via sudo, add the line below to sudoers file to ensure that the gvm user used in this demo can run the openvas with elevated rights using passwordless sudo.

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm

Also, update the secure_path to include the GVM /sbin paths, /opt/gvm/sbin.

visudo
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/gvm/sbin

Update NVTs

Update Network Vulnerability Tests feed from Greenbone Security Feed/Community Feed using the greenbone-nvt-sync command.

The greenbone-nvt-sync command must not be executed as privileged user root, hence switch back to GVM user we created above and update the NVTs.

su - gvm

Next, update the NVTs as openvas user;

greenbone-nvt-sync

Once the update is done, you need to update Redis server with the same VT info from VT files;

sudo openvas --update-vt-info

Build and Install Greenbone Vulnerability Manager

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:/opt/heimdal/lib/pkgconfig:$PKG_CONFIG_PATH
cd gvm-source/gvmd
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
sudo make install

Build and Install Greenbone Security Assistant

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:/opt/heimdal/lib/pkgconfig:$PKG_CONFIG_PATH
cd ../../gsa
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
sudo make install

Exit the gvm user;

exit

Enable gvm user to run GSA web application daemon, gsad, with passwordless sudo.

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm

Keeping the feeds up-to-date

The gvmd DataSCAP and CERT Feeds should be kept up-to-date by calling the greenbone-feed-sync script regularly (e.g. via a cron entry):

chown -R gvm: /var/lib/gvm
sudo -Hiu gvm greenbone-feed-sync --type GVMD_DATA
sudo -Hiu gvm greenbone-feed-sync --type SCAP
sudo -Hiu gvm greenbone-feed-sync --type CERT

Please note: The CERT feed sync depends on data provided by the SCAP feed and should be called after syncing the later.

Consider setting cron jobs to run the nvts, cert and scap data update scripts at your preferred frequency to pull updates from the feed servers.

Next, run the command below to generate certificates gvmd. Server certificates are used for authentication while client certificates are primarily used for authorization. More on man gvm-manage-certs.

gvm-manage-certs -a
chown -R gvm: /opt/gvm/lib

Build and Install OSPd and OSPd-OpenVAS

Open Scanner Protocol (OSP) creates a unified interface for different security scanners and makes their control flow and scan results consistently available under the central Greenbone Vulnerability Manager service.

su - gvm
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH

Based on the current version of Python installed, set the PYTHONPATH. We use Python 3.7 in this demo.

export PYTHONPATH=/opt/gvm/lib/python3.7/site-packages
mkdir -p /opt/gvm/lib/python3.7/site-packages

Build OSPD

cd /opt/gvm/gvm-source/ospd
python3.7 setup.py install --prefix=/opt/gvm

Build OSPD-OpenVAS

cd /opt/gvm/gvm-source/ospd-openvas
python3.7 setup.py install --prefix=/opt/gvm

Running OpenVAS Scanner, GSA and GVM services

In order to make the management of OpenVAS scanner, GSA (WebUI service) and GVM daemon, create systemd service unit files for each of them as follows.

Log out as gvm user and execute the commands below as a privileged user.

exit
sudo chown -R gvm: /opt/gvm/

Creating Systemd Service units for GVM services

Create OSPD OpenVAS systemd service
cat > /etc/systemd/system/ospd-openvas.service << 'EOL'
[Unit]
Description=Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
After=redis.service
After=postgresql.service

[Service]
ExecStartPre=-rm -rf /var/run/gvm/ospd-openvas.pid /var/run/gvm/ospd-openvas.sock
Type=simple
User=gvm
Group=gvm
RuntimeDirectory=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin
Environment=PYTHONPATH=/opt/gvm/lib/python3.7/site-packages
ExecStart=/opt/gvm/bin/ospd-openvas \
--pid-file /var/run/gvm/ospd-openvas.pid \
--log-file /var/log/gvm/ospd-openvas.log \
--lock-file-dir /var/run/gvm -u /var/run/gvm/ospd-openvas.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOL
chown -R gvm: /var/run/gvm /var/log/gvm

Reload systemd service unit configurations.

systemctl daemon-reload
systemctl start ospd-openvas

Check the status of the service;

systemctl status ospd-openvas
● ospd-openvas.service - Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
   Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2021-08-29 22:05:17 EAT; 1min 30s ago
  Process: 12310 ExecStart=/opt/gvm/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/run/gvm -u /var>
  Process: 12308 ExecStartPre=/usr/bin/rm -rf /var/run/gvm/ospd-openvas.pid /var/run/gvm/ospd-openvas.sock (code=exited, status=0/SUCCESS)
 Main PID: 12310 (code=exited, status=0/SUCCESS)
    Tasks: 4 (limit: 23673)
   Memory: 30.6M
   CGroup: /system.slice/ospd-openvas.service
           ├─12312 /usr/local/bin/python3.7 /opt/gvm/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /va>
           └─12314 /usr/local/bin/python3.7 /opt/gvm/bin/ospd-openvas --pid-file /var/run/gvm/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /va>

Aug 29 22:05:17 rocky8 systemd[1]: Starting Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)...
Aug 29 22:05:17 rocky8 systemd[1]: Started Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas).

Check the logs;

tail -f /var/log/gvm/ospd-openvas.log

Enable OpenVAS scanner to run on system boot;

systemctl enable ospd-openvas
Create GVMD Systemd Service files
cp /lib/systemd/system/gvmd.service{,.bak}
cat > /lib/systemd/system/gvmd.service << 'EOL'
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=ospd-openvas.service
Wants=postgresql.service ospd-openvas.service

[Service]
Type=simple
User=gvm
Group=gvm
RuntimeDirectory=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin
Environment=PYTHONPATH=/opt/gvm/lib/python3.7/site-packages
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/var/run/gvm/ospd-openvas.sock --unix-socket=/var/run/gvm/gvmd.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOL

Reload syste,d configs and start GVMD

systemctl start gvmd

Check the status;

systemctl status gvmd
● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)
   Loaded: loaded (/usr/lib/systemd/system/gvmd.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2021-08-29 22:46:34 EAT; 8s ago
  Process: 2283 ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/var/run/gvm/ospd-openvas.sock --unix-socket=/var/run/gvm/gvmd.sock (code=exited, status=0/SUCCESS)
 Main PID: 2283 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 35667)
   Memory: 14.8M
   CGroup: /system.slice/gvmd.service
           └─2284 gvmd: Initializing

Aug 29 22:46:34 rocky8 systemd[1]: Started Greenbone Vulnerability Manager daemon (gvmd).

cat > /etc/systemd/system/gvm.path << 'EOL'
[Unit]
Description=Start the OpenVAS GVM service when opsd.sock is available

[Path]
PathChanged=/opt/gvm/var/run/ospd.sock
Unit=gvm.service

[Install]
WantedBy=multi-user.target
EOL
Create GSA systemd service Unit file
cat > /etc/systemd/system/gsa.service << 'EOL'
[Unit]
Description=GVM GSA service
After=openvas.service

[Service]
Type=simple
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gsa.pid
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.7/site-packages
ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad --munix-socket=/run/gvm/gvmd.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOL
cat >  /etc/systemd/system/gsa.path << 'EOL'
[Unit]
Description=Start the OpenVAS GSA service when gvmd.sock is available

[Path]
PathChanged=/var/run/gvmd.sock
Unit=gsa.service

[Install]
WantedBy=multi-user.target
EOL

Reload system unit configs and start the services;

systemctl daemon-reload
systemctl enable --now gvm.{path,service}
systemctl enable --now gsa.{path,service}

Checking the status;

systemctl status gvm.{path,service}
● gvm.path - Start the OpenVAS GVM service when opsd.sock is available
   Loaded: loaded (/etc/systemd/system/gvm.path; enabled; vendor preset: disabled)
   Active: active (waiting) since Tue 2021-07-27 23:30:40 EAT; 1min 40s ago

Jul 27 23:30:40 localhost.localdomain systemd[1]: Started Start the OpenVAS GVM service when opsd.sock is available.

● gvm.service - Control the OpenVAS GVM service
   Loaded: loaded (/etc/systemd/system/gvm.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2021-07-27 23:30:40 EAT; 1min 40s ago
 Main PID: 3869 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 35664)
   Memory: 95.6M
   CGroup: /system.slice/gvm.service
           └─3870 gvmd: Waiting for incoming connections

Jul 27 23:30:40 localhost.localdomain systemd[1]: Started Control the OpenVAS GVM service.
systemctl status gsa.{path,service}
● gsa.path - Start the OpenVAS GSA service when gvmd.sock is available
   Loaded: loaded (/etc/systemd/system/gsa.path; enabled; vendor preset: disabled)
   Active: active (waiting) since Tue 2021-07-27 23:32:07 EAT; 53s ago

Jul 27 23:32:07 localhost.localdomain systemd[1]: Started Start the OpenVAS GSA service when gvmd.sock is available.

● gsa.service - GVM GSA service
   Loaded: loaded (/etc/systemd/system/gsa.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2021-07-27 23:32:07 EAT; 53s ago
  Process: 3954 ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad --munix-socket=/run/gvm/gvmd.sock (code=exited, status=0/SUCCESS)
 Main PID: 3954 (code=exited, status=0/SUCCESS)

Jul 27 23:32:07 localhost.localdomain systemd[1]: Started GVM GSA service.
Jul 27 23:32:07 localhost.localdomain sudo[3954]:      gvm : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/gvm/sbin/gsad --munix-socket=/run/gvm/gvmd.sock

Create GVM Scanner

Since we launched the scanner and set it to use our non-standard scanner host path (/opt/gvm/var/run/ospd.sock), we need to create and register our scanner;

sudo -Hiu gvm gvmd --create-scanner="Kifarunix-demo OpenVAS Scanner" --scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sock

Next, you need to verify your scanner. For this, you first need to get the scanner identifier;

sudo -Hiu gvm gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /var/run/ospd/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE
50afbf2b-d854-4b6d-879f-c62aa62254d2  OpenVAS  /opt/gvm/var/run/ospd.sock  9390  Kifarunix-demo OpenVAS Scanner

Based on the output above, our scanner UUID is, 50afbf2b-d854-4b6d-879f-c62aa62254d2.

Verify the scanner;

sudo -Hiu gvm gvmd --verify-scanner=50afbf2b-d854-4b6d-879f-c62aa62254d2

Command output;

Scanner version: OpenVAS 21.4.2~dev1~git-0534359a-openvas-21.04.

Create OpenVAS (GVM) Admin User

Create OpenVAS administrative user by running the command below;

sudo -Hiu gvm gvmd --create-user admin

This command generates a random password for the user. See sample output below;

User created with password 'fee42e66-117c-42f8-9b48-429e51194a13'.

If you want to create a user and at the same time create your own password;

sudo -Hiu gvm gvmd --create-user gvmadmin [email protected]

Otherwise, you can reset the password of an already existing user;

sudo -Hiu gvm gvmd --user=<USERNAME> --new-password=<PASSWORD>

An administrator user can later create further users or administrators via clients like the Greenbone Security Assistant (GSA).

Set the Feed Import Owner

According to gvmd/INSTALL.md, certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config “Full and Fast”.

gvmd will only create these resources if a “Feed Import Owner” is configured:

sudo -Hiu gvm gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

The UUIDs of all created users can be found using

sudo -Hiu gvm gvmd --get-users --verbose

Sample output;

admin 9a9e5070-d2f0-4802-971e-c9d61e682c21

Then modify the gvmd settings with the user UUID.

sudo -Hiu gvm gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value 9a9e5070-d2f0-4802-971e-c9d61e682c21

GVM Log Files

Various Log files are located under the /opt/gvm/var/log/gvm directory.

ls /opt/gvm/var/log/gvm
gsad.log  gvmd.log  openvas.log  ospd-openvas.log

Accessing GVM 21.04 (OpenVAS)

Greenbone Security Assistant (GSA) WebUI daemon opens port 443 and listens on all interfaces. If firewall is running, open this port to allow external access.

firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload

You can now access GSA via the url https:<serverIP-OR-hostname>. Accept the self-signed SSL warning and proceed.

Install GVM 21.04 on Rocky Linux 8

Login with the administrative credentials generated above.

Install GVM 21.04 on Rocky Linux 8

Install GVM 21.04 on Rocky Linux 8

Port lists

Install and Setup GVM 21.04 on Rocky Linux 8

And there you go. That is all it take to install and Setup GVM 21.04 on Rocky Linux 8. You can now start running your scans.

NOTE: When creating a scan task, be sure to select the Scanner we created above.

Install and Setup GVM 21.04 on Rocky Linux 8

Sample Scan results;

Install GVM 21.04 on Rocky Linux 8

You can now create your target hosts to scan and schedule the scans to run at your own preferred time.

That marks the end of our tutorial on how to install and setup GVM 21.04 on Rocky Linux 8.

Did I miss anything, drop it in the comments section!! Enjoy

Reference

Source files README.md and INSTALL.md files

GVM-11 build for CentOS 8.

Other Tutorials

Install Nikto Web Scanner on Rocky Linux 8

Install and Use Nikto Web Scanner on Ubuntu 20.04

Install and setup GVM 20.08 on Debian 10

3 COMMENTS

  1. Hi,

    I am getting below same error on Centos8 and Ubuntu 20 for OpenVas 20 and 21 –

    echo “db_address = /tmp/redis.sock” > /opt/gvm/etc/openvas/openvas.conf
    -bash: /opt/gvm/etc/openvas/openvas.conf: No such file or directory

    Please help to if I am missing any steps.

    -Thanks

  2. Hi.

    In the middle of the tutorial you mention a /opt/gvm/var/run/ospd.sock that never existed before. Is this related to /var/run/gvm/ospd-openvas.sock?

    Thanks
    Ricardo

LEAVE A REPLY

Please enter your comment!
Please enter your name here