How to Install GVM Vulnerability Scanner on Ubuntu 20.04

GVM (Greenbone Vulnerability Management) is an open source vulnerability scanning solution.

GVM was formerly called OpenVAS.

Greenbone Vulnerability Manager and OpenVAS are used all over the world by security experts and general users alike.

In this article, we will show you how to install and configure GVM on Ubuntu 20.04 to make sure your servers are protected from attacks.

Basic system

We will set up Greenbone Vulnerability Manager 20.08 with a basic installation of system packages on Ubuntu 20.04.

Install the necessary components

Install the following dependency packages first.

sudo su -
apt update &&
apt -y dist-upgrade &&
apt -y autoremove &&
apt install -y software-properties-common &&
apt install -y build-essential cmake pkg-config libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev doxygen graphviz libradcli-dev libhiredis-dev libpcap-dev bison libksba-dev libsnmp-dev gcc-mingw-w64 heimdal-dev libpopt-dev xmltoman redis-server xsltproc libical-dev postgresql postgresql-contrib postgresql-server-dev-all gnutls-bin nmap rpm nsis curl wget fakeroot gnupg sshpass socat snmp smbclient libmicrohttpd-dev libxml2-dev python3-polib gettext rsync xml-twig-tools python3-paramiko python3-lxml python3-defusedxml python3-pip python3-psutil python3-impacket virtualenv vim git &&
apt install -y texlive-latex-extra --no-install-recommends &&
apt install -y texlive-fonts-recommended &&
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - &&
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list &&
apt update &&
apt -y install yarn &&
yarn install &&
yarn upgrade

Create a GVM user

Paste the following commands into a terminal to create a gvm user that will be used during installation and compilation:

echo 'export PATH="$PATH:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"' | tee -a /etc/profile.d/gvm.sh &&
chmod 0755 /etc/profile.d/gvm.sh &&
source /etc/profile.d/gvm.sh &&
bash -c 'cat << EOF > /etc/ld.so.conf.d/gvm.conf
# gvm libs location
/opt/gvm/lib
EOF'
mkdir /opt/gvm &&
adduser gvm --disabled-password --home /opt/gvm/ --no-create-home --gecos '' &&
usermod -aG redis gvm &&
chown gvm:gvm /opt/gvm/

Now login as user gvm.

sudo su - gvm

Download and install the software (GVM)

mkdir src &&
cd src &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
git clone -b gvm-libs-20.08 --single-branch  https://github.com/greenbone/gvm-libs.git &&
git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git &&
git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git &&
git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git &&
git clone -b gsa-20.08 --single-branch https://github.com/greenbone/gsa.git &&
git clone -b ospd-openvas-20.08 --single-branch  https://github.com/greenbone/ospd-openvas.git &&
git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git

Install gvm-libs (GVM)

In this step, we will compile gvm-libs from GitHub:

cd gvm-libs &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&
mkdir build &&
cd build &&
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&
make &&
make doc &&
make install &&
cd /opt/gvm/src

Now go into the openvas-smb directory and compile from the source:

cd openvas-smb &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&
mkdir build &&
cd build/ &&
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&
make &&
make install &&
cd /opt/gvm/src

As in the previous steps, we will build and install the openvas scanner:

cd openvas &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&
mkdir build &&
cd build/ &&
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&
make &&
make doc &&
make install &&
cd /opt/gvm/src

Configure redis to install OpenVAS (root)

We now need to log out of the current session and return to the root user by typing "exit" in the terminal.

Now paste the following code into the terminal:

export LC_ALL="C" &&
ldconfig &&
cp /etc/redis/redis.conf /etc/redis/redis.orig &&
cp /opt/gvm/src/openvas/config/redis-openvas.conf /etc/redis/ &&
chown redis:redis /etc/redis/redis-openvas.conf &&
echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf &&
systemctl enable redis-server@openvas.service &&
systemctl start redis-server@openvas.service
sysctl -w net.core.somaxconn=1024 &&
sysctl vm.overcommit_memory=1 &&
echo "net.core.somaxconn=1024"  >> /etc/sysctl.conf &&
echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
cat << EOF > /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload &&
systemctl start disable-thp &&
systemctl enable disable-thp &&
systemctl restart redis-server

Add the path /opt/gvm/sbin to the secure_path variable:

sed 's|Defaults\s.*secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"|Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"|g' /etc/sudoers | EDITOR='tee' visudo

Add rights:

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm
echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm
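
A syntax error in a file under /etc/sudoers.d can break sudo for every user, so it is worth checking the rules before they go live. The following is an added example, not part of the original guide; `install_sudoers_dropin` is a hypothetical helper name, and the rules are the two lines written above.

```sh
#!/bin/sh
# Added example: install_sudoers_dropin is a hypothetical helper name.
# The two rules are the ones the guide writes to /etc/sudoers.d/gvm.
GVM_RULES='gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas
gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad'

# stdin: sudoers rules; $1: destination file. The rules are syntax-checked
# in a temporary file first, so a typo never lands in the live sudoers.d.
install_sudoers_dropin() {
    command -v visudo >/dev/null 2>&1 ||
        { echo "visudo not found, nothing installed" >&2; return 1; }
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 "$tmp" "$1"   # 0440 is the mode sudo expects for sudoers files
        rc=$?
    else
        echo "syntax error, $1 left untouched" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Dry run into a scratch directory; as root on the real host the
# destination would be /etc/sudoers.d/gvm.
scratch=$(mktemp -d)
if printf '%s\n' "$GVM_RULES" | install_sudoers_dropin "$scratch/gvm"; then
    echo "rules accepted"
else
    echo "rules not installed"
fi
rm -rf "$scratch"
```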

Update NVT (GVM)

We will now run greenbone-nvt-sync to update the vulnerability database.

First go back to your GVM user session:

sudo su - gvm

and run:

greenbone-nvt-sync

If you're getting timeout errors, chances are there's a firewall in the way.

Make sure to open TCP port 873.

If you receive a connection refused message, please wait a while and try again.

This takes a very long time, so you have to be patient.

Load plugins into Redis with OpenVAS (GVM)

This may take a while depending on your hardware and does not provide feedback when running the command.

sudo openvas -u

Note: if you get library error messages, enter the following (one line at a time):

exit
echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.conf
ldconfig
sudo su - gvm

Install the Manager (GVM)

Now go to the gvmd directory to build and install Greenbone Manager:

cd /opt/gvm/src/gvmd &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&
mkdir build &&
cd build/ &&
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&
make &&
make doc &&
make install &&
cd /opt/gvm/src

Configuring PostgreSQL (sudoers user)

Switch to a user in sudoers (don't use root or gvm for this).

The user session is switched with the command "sudo -u postgres bash" below.

Do this one line at a time.

exit
cd /
sudo -u postgres bash
export LC_ALL="C"
createuser -DRS gvm
createdb -O gvm gvmd

psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
create extension "pgcrypto";
exit
exit

Configure certificates (GVM)

Enter one line at a time:

sudo su - gvm
gvm-manage-certs -a

Create an Administrator User (GVM)

Don't forget to change your password:

gvmd --create-user=admin --password=admin

Setting up and updating feeds (GVM)

In order for the feeds to update completely, we need to set "Feed Import Owner" to the admin UUID.

First find the UUID of the new admin user:

gvmd --get-users --verbose

You should end up with something like this:

admin fb019c52-75ec-4cb6-b176-5a55a9b360bf

Next enter:

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value (INSERT ADMIN UUID FROM THE OUTPUT ABOVE HERE)

So an example command would be like this:

$ gvmd --get-users --verbose
admin fb019c52-75ec-4cb6-b176-5a55a9b360bf
$ gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value fb019c52-75ec-4cb6-b176-5a55a9b360bf

Run the next three commands in turn.

If you get a connection refused message, try running the command again until it is successful. These commands will also take some time.

greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

Install gsa (GVM)

As in the previous steps, go into the gsa folder and compile the gsa source:

cd /opt/gvm/src/gsa &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&
mkdir build &&
cd build/ &&
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&
make &&
make doc &&
make install &&
touch /opt/gvm/var/log/gvm/gsad.log &&
cd /opt/gvm/src

Configuring OSPD-OpenVAS

Install virtualenv (GVM)

Note: you may need to change --python python3.8 to match your installed Python version.

cd /opt/gvm/src &&
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&
virtualenv --python python3.8  /opt/gvm/bin/ospd-scanner/ &&
source /opt/gvm/bin/ospd-scanner/bin/activate

We will install ospd using the pip installer:

mkdir /opt/gvm/var/run/ospd/ &&
cd ospd &&
pip3 install . &&
cd /opt/gvm/src

Install ospd-openvas (GVM)

Again for ospd-openvas, we will use the pip installer with the package we cloned from github:

cd ospd-openvas &&
pip3 install . &&
cd /opt/gvm/src

Create a startup script (root)

First enter exit to log out to your root session, then paste the following into your terminal:

cat << EOF > /etc/systemd/system/gvmd.service
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvmd(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=postgresql.service ospd-openvas.service

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
ExecReload=/bin/kill -HUP \$MAINPID
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/gsad.service
[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target
Wants=gvmd.service


[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/ospd-openvas.service 
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service

[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

Enable and start services (root)

We will now enable and start the GVM services, also as root:

systemctl daemon-reload &&
systemctl enable gvmd &&
systemctl enable gsad &&
systemctl enable ospd-openvas &&
systemctl start gvmd &&
systemctl start gsad &&
systemctl start ospd-openvas

Check services (root)

Make sure all three services are running (type one line at a time).

systemctl status gvmd
systemctl status gsad
systemctl status ospd-openvas

Change the default scanner (GVM)

Return to your GVM session.

sudo su - gvm

First get the UUID of the scanner that has the socket (ospd.sock)

gvmd --get-scanners

Then modify the scanner:

gvmd --modify-scanner=(INSERT SCANNER UUID HERE) --scanner-host=/opt/gvm/var/run/ospd.sock

Example:

gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /var/run/ospd/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE

gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/opt/gvm/var/run/ospd.sock
Scanner modified.
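
Both UUID lookups in this guide (the admin user for "Feed Import Owner" and the OpenVAS scanner) can be scripted instead of copied by hand. The following is an added example, not part of the original guide; the function names are hypothetical, and the sample output is constructed from the examples shown in the article.

```sh
#!/bin/sh
# Added example: helper names are hypothetical. The setting ID and the
# socket path are the values used in the guide.
FEED_OWNER_SETTING=78eceaec-3385-11ea-b237-28d24461215b
OSPD_SOCKET=/opt/gvm/var/run/ospd.sock

is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# stdin: output of `gvmd --get-users --verbose`; $1: user name.
user_uuid() {
    uuid=$(awk -v name="$1" '$1 == name { print $2; exit }')
    is_uuid "$uuid" && printf '%s\n' "$uuid"
}

# stdin: output of `gvmd --get-scanners`; prints the OpenVAS scanner UUID.
openvas_scanner_uuid() {
    uuid=$(awk '$2 == "OpenVAS" { print $1; exit }')
    is_uuid "$uuid" && printf '%s\n' "$uuid"
}

# The two functions below call gvmd; run them as the gvm user on the host.
set_feed_import_owner() {
    owner=$(gvmd --get-users --verbose | user_uuid admin) || return 1
    gvmd --modify-setting "$FEED_OWNER_SETTING" --value "$owner"
}

set_scanner_socket() {
    scanner=$(gvmd --get-scanners | openvas_scanner_uuid) || return 1
    gvmd --modify-scanner="$scanner" --scanner-host="$OSPD_SOCKET"
}

# Constructed sample output, copied from the examples in the article.
SAMPLE_USERS='admin fb019c52-75ec-4cb6-b176-5a55a9b360bf'
SAMPLE_SCANNERS='08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /var/run/ospd/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE'

printf '%s\n' "$SAMPLE_USERS" | user_uuid admin
printf '%s\n' "$SAMPLE_SCANNERS" | openvas_scanner_uuid
```

A lookup that returns no match or a value that is not a UUID makes the function fail, so gvmd is never called with an empty or malformed argument.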

That's all. You can now log into the GVM web interface.

Conclusion

We have successfully completed the GVM installation on Ubuntu 20.04.

You can now log in using your server's IP address.

The default login is admin / admin as above.
