Building GVM 20.08

Building the GVM stack from source requires knowledge about:

  • Using a terminal

  • Shell programming basic

  • Installing software via apt

  • Using a C compiler

  • Using CMake and make

  • The Linux File System Hierarchy

  • Running services via systemd

Additionally, a basic knowledge about the GVM architecture is required to follow this guide.

Note

This guide is intended for developers who want to try out the newest features and/or want to get familiar with the source code. It is not intended for production setups.

This guide assumes that Debian Stable (Buster) is used as the Linux distribution. Most likely, a Debian derivate like Ubuntu and Kali will also work with only minor adjustments required.

The command sudo is used for executing commands that require privileged access on the system.

Prerequisites

Note

Please follow the guide step by step. Later steps might require settings or output of a previous command.

Creating a User and a Group

The services provided by the GVM framework should run as a dedicated user and group. Therefore a gvm user and a group with the same name will be created.

Creating a gvm system user and group
sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm

Adjusting the Current User

To allow the current user to run gvmd he must be added to the gvm group. To make the group change effective either logout and login again or use su.

Add current user to gvm group
sudo usermod -aG gvm $USER

su $USER

Setting the PATH

On Debian systems the locations /sbin, /usr/sbin and /usr/local/sbin are not in the PATH of normal users. To run gvmd which is located in /usr/local/sbin the PATH environment variable should be adjusted.

Adjusting PATH for running gvmd
export PATH=$PATH:/usr/local/sbin

Choosing an Install Prefix

Before building the software stack, a (root) directory must be chosen where the built software will finally be installed. For example, when building packages, the distribution developers set this path to /usr.

By default, it is /usr/local which is also used in this guide. This directory will be stored in an environment variable INSTALL_PREFIX to be able to reference it later.

Setting an install prefix environment variable
export INSTALL_PREFIX=/usr/local

Creating a Source, Build and Install Directory

To separate the sources and the build artifacts, a source and a build directory must be created.

This source directory will be used later in this guide via an environment variable SOURCE_DIR. Accordingly, a variable BUILD_DIR will be set for the build directory. Both can be set to any directory to which the current user has write permissions. Therefore directories in the current user’s home directory are chosen in this guide.

Choosing a source directory
export SOURCE_DIR=$HOME/source
mkdir -p $SOURCE_DIR
Choosing a build directory
export BUILD_DIR=$HOME/build
mkdir -p $BUILD_DIR

Additionally, an install directory will be set as an environment variable INSTALL_DIR. It is used as a temporary installation directory before moving all built artifacts to the final destination.

Choosing a temporary install directory
export INSTALL_DIR=$HOME/install
mkdir -p $INSTALL_DIR

Choosing the Installation Source

For building the GVM software stack, three different sources can be chosen depending on the desired stability:

  • Building from release tarballs

  • Building from git tags

  • Building from release branches

Linux distributions use the release tarballs because it is the most common and well known method to share source code.

Newer build systems may stick with the git tags.

If you are a developer and very familiar with building from source already, you may also try out using the git release branches. These have the advantage that they contain the newest fixes which may not yet be included in the release tarballs or git tags. As a downside, the release branches may contain only partially fixed issues and need to be updated more often.

This guide will use the tarballs to build the software.

Installing Common Build Dependencies

For downloading, configuring, building and installing the GVM components, several tools and applications are required. To install this requirements via apt, the following command can be used:

Installing common build dependencies
sudo apt update
sudo apt install --no-install-recommends --assume-yes \
  build-essential \
  curl \
  cmake \
  pkg-config \
  python3 \
  python3-pip \
  gnupg

Importing the Greenbone Signing Key

To validate the integrity of the downloaded source files, GnuPG is used. It requires downloading the Greenbone Community Signing public key and importing it into the current user’s keychain.

Importing the Greenbone Community Signing key
curl -O https://www.greenbone.net/GBCommunitySigningKey.asc
gpg --import GBCommunitySigningKey.asc

For understanding the validation output of the gpg tool, it is best to mark the Greenbone Community Signing key as fully trusted.

Setting the trust level for the Greenbone Community Signing key
gpg --edit-key 9823FAA60ED1E580

pub  rsa4096/9823FAA60ED1E580
   created: 2017-09-06  expires: never       usage: SC
   trust: unknown       validity: unknown
[ unknown] (1). Greenbone Community Feed integrity key

gpg> trust

pub  rsa4096/9823FAA60ED1E580
   created: 2017-09-06  expires: never       usage: SC
   trust: unknown       validity: unknown
[ unknown] (1). Greenbone Community Feed integrity key

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/9823FAA60ED1E580
   created: 2017-09-06  expires: never       usage: SC
   trust: ultimate      validity: ultimate
[ultimate] (1). Greenbone Community Feed integrity key

gpg> quit

Setting the Version

To make the downloading easier, an environment variable for the desired release version will be set. Using a variable allows adjusting the version easily after a new release.

Setting a GVM version as environment variable
export GVM_VERSION=20.8.2

Building and Installing the Components

Note

The components should be build and installed in the listed order.

gvm-libs

gvm-libs is a C library providing basic functionality like XML parsing and network communication. It is used in openvas-scanner, gvmd and gsad.

Setting the gvm-libs version to use
export GVM_LIBS_VERSION=$GVM_VERSION
Required dependencies for gvm-libs
sudo apt install -y \
  libglib2.0-dev \
  libgpgme-dev \
  libgnutls28-dev \
  uuid-dev \
  libssh-gcrypt-dev \
  libhiredis-dev \
  libxml2-dev \
  libpcap-dev \
  libnet1-dev
Optional dependencies for gvm-libs
sudo apt install -y \
  libldap2-dev \
  libradcli-dev
Downloading the gvm-libs sources
curl -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz
curl -L https://github.com/greenbone/gvm-libs/releases/download/v$GVM_LIBS_VERSION/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc
Verifying the source file
gpg --verify $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz

Afterwards, gvm-libs can be build and installed.

Building gvm-libs
mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs

cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DGVM_PID_DIR=/run/gvm

make -j$(nproc)
Installing gvm-libs
make DESTDIR=$INSTALL_DIR install

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

gvmd

The Greenbone Vulnerability Management Daemon (gvmd) is the main service of the current GVM stack. It handles authentication, scan management, vulnerability information, reporting, alerting, scheduling and much more. As a storage backend, it uses a PostgreSQL database.

Setting the gvmd version to use
export GVMD_VERSION=$GVM_VERSION
Required dependencies for gvmd
sudo apt install -y \
  libglib2.0-dev \
  libgnutls28-dev \
  libpq-dev \
  postgresql-server-dev-11 \
  libical-dev \
  xsltproc \
  rsync
Optional dependencies for gvmd
sudo apt install -y --no-install-recommends \
  texlive-latex-extra \
  texlive-fonts-recommended \
  xmlstarlet \
  zip \
  rpm \
  fakeroot \
  dpkg \
  nsis \
  gnupg \
  gpgsm \
  wget \
  sshpass \
  openssh-client \
  socat \
  snmp \
  python3 \
  smbclient \
  python3-lxml \
  gnutls-bin \
  xml-twig-tools

Details about the optional dependencies can be found at https://github.com/greenbone/gvmd/blob/gvmd-20.08/INSTALL.md#prerequisites-for-optional-features

Downloading the gvmd sources
curl -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
curl -L https://github.com/greenbone/gvmd/releases/download/v$GVMD_VERSION/gvmd-$GVMD_VERSION.tar.gz.asc -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc
Verifying the source file
gpg --verify $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
Building gvmd
mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd

cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DLOCALSTATEDIR=/var \
  -DSYSCONFDIR=/etc \
  -DGVM_DATA_DIR=/var \
  -DGVM_RUN_DIR=/run/gvm \
  -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \
  -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \
  -DDEFAULT_CONFIG_DIR=/etc/default \
  -DLOGROTATE_DIR=/etc/logrotate.d

make -j$(nproc)
Installing gvmd
make DESTDIR=$INSTALL_DIR install

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

GSA

The Greenbone Security Assistant (GSA) sources consist of two parts:

  • Web server gsad

  • Web application GSA

The web server gsad is written in the C programming language. It serves static content like images and provides an API for the web application. Internally it communicates with gvmd using GMP.

The web application is written in JavaScript and uses the react framework. It requires nodejs for building the application and yarn (or npm) for maintaining the JavaScript dependencies.

Setting the GSA version to use
export GSA_VERSION=$GVM_VERSION
Required dependencies for gsad
sudo apt install -y \
  libmicrohttpd-dev \
  libxml2-dev \
  libglib2.0-dev \
  libgnutls28-dev
Required dependencies for GSA
sudo apt install -y \
  nodejs \
  yarnpkg

Building the web application GSA requires the installation of several JavaScript dependencies. These dependencies can be downloaded automatically by yarn (or npm) during the build process.

However, for offline build and reliability, all GSA releases provide a tarball with all required dependencies that can be used to avoid additional downloads via yarn.

Downloading the gsa sources
curl -L https://github.com/greenbone/gsa/archive/refs/tags/v$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
curl -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc
curl -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-node-modules-$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-node-modules-$GSA_VERSION.tar.gz
curl -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-node-modules-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-node-modules-$GSA_VERSION.tar.gz.asc
Verifying the source files
gpg --verify $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
gpg --verify $SOURCE_DIR/gsa-node-modules-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-node-modules-$GSA_VERSION.tar.gz

The output of both commands should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the two tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
tar -C $SOURCE_DIR/gsa-$GSA_VERSION/gsa -xvzf $SOURCE_DIR/gsa-node-modules-$GSA_VERSION.tar.gz
Building gsa
mkdir -p $BUILD_DIR/gsa && cd $BUILD_DIR/gsa

cmake $SOURCE_DIR/gsa-$GSA_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DGVM_RUN_DIR=/run/gvm \
  -DGSAD_PID_DIR=/run/gvm \
  -DLOGROTATE_DIR=/etc/logrotate.d

make -j$(nproc)
Installing gsa
make DESTDIR=$INSTALL_DIR install

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

openvas-smb

openvas-smb is a helper module for openvas-scanner. It includes libraries (openvas-wmiclient/openvas-wincmd) to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.

It is an optional dependency of openvas-scanner but is required for scanning Windows-based systems.

Note

openvas-smb is released independently of the GVM framework. Therefore, the newest compatible version is used.

Required dependencies for openvas-smb
sudo apt install -y \
  gcc-mingw-w64 \
  libgnutls28-dev \
  libglib2.0-dev \
  libpopt-dev \
  libunistring-dev \
  heimdal-dev \
  perl-base
Setting the openvas-smb version to use
export OPENVAS_SMB_VERSION=21.4.0
Downloading the openvas-smb sources
curl -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB_VERSION.tar.gz -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
curl -L https://github.com/greenbone/openvas-smb/releases/download/v$OPENVAS_SMB_VERSION/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc
Verifying the source file
gpg --verify $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
Building openvas-smb
mkdir -p $BUILD_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb

cmake $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release

make -j$(nproc)
Installing openvas-smb
make DESTDIR=$INSTALL_DIR install

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

openvas-scanner

openvas-scanner is a full-featured scan engine that executes a continuously updated and extended feed of Vulnerability Tests (VTs). The feed consist of thousands of NASL (Network Attack Scripting Language) scripts which implement all kind of vulnerability checks.

Setting the openvas-scanner version to use
export OPENVAS_SCANNER_VERSION=$GVM_VERSION
Required dependencies for openvas-scanner
sudo apt install -y \
  bison \
  libglib2.0-dev \
  libgnutls28-dev \
  libgcrypt20-dev \
  libpcap-dev \
  libgpgme-dev \
  libksba-dev \
  rsync \
  nmap
Optional dependencies for openvas-scanner
sudo apt install -y \
  python-impacket \
  libsnmp-dev
Downloading the openvas-scanner sources
curl -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
curl -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_SCANNER_VERSION/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc
Verifying the source file
gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
Building openvas-scanner
mkdir -p $BUILD_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner

cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
  -DOPENVAS_RUN_DIR=/run/ospd

make -j$(nproc)
Installing openvas-scanner
make DESTDIR=$INSTALL_DIR install

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

ospd-openvas

ospd-openvas is an OSP server implementation to allow GVM to remotely control an openvas-scanner. It is running as a daemon and waits for incoming OSP requests from gvmd.

Setting the ospd and ospd-openvas versions to use
export OSPD_VERSION=20.8.3
export OSPD_OPENVAS_VERSION=$GVM_VERSION
Required dependencies for ospd-openvas
sudo apt install -y \
  python3 \
  python3-pip \
  python3-setuptools \
  python3-packaging \
  python3-wrapt \
  python3-cffi \
  python3-psutil \
  python3-lxml \
  python3-defusedxml \
  python3-paramiko \
  python3-redis
Downloading the ospd sources
curl -L https://github.com/greenbone/ospd/archive/refs/tags/v$OSPD_VERSION.tar.gz -o $SOURCE_DIR/ospd-$OSPD_VERSION.tar.gz
curl -L https://github.com/greenbone/ospd/releases/download/v$OSPD_VERSION/ospd-$OSPD_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-$OSPD_VERSION.tar.gz.asc
Downloading the ospd-openvas sources
curl -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
curl -L https://github.com/greenbone/ospd-openvas/releases/download/v$OSPD_OPENVAS_VERSION/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc
Verifying the source files
gpg --verify $SOURCE_DIR/ospd-$OSPD_VERSION.tar.gz.asc $SOURCE_DIR/ospd-$OSPD_VERSION.tar.gz
gpg --verify $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-$OSPD_VERSION.tar.gz
tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
Installing ospd
cd $SOURCE_DIR/ospd-$OSPD_VERSION

python3 -m pip install . --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR
Installing ospd-openvas
cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION

python3 -m pip install . --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR --no-warn-script-location

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

gvm-tools

The Greenbone Vulnerability Management Tools, or gvm-tools in short, are a collection of tools that help with controlling the Greenbone Vulnerability Management stack remotely.

Essentially, the tools aid accessing the communication protocols Greenbone Management Protocol (GMP) and Open Scanner Protocol (OSP).

gvm-tools are optional and not required for a functional GVM stack.

Note

gvm-tools is released independently of the GVM framework. Therefore, the newest version is used.

Required dependencies for gvm-tools
sudo apt install -y \
  python3 \
  python3-pip \
  python3-setuptools \
  python3-packaging \
  python3-lxml \
  python3-defusedxml \
  python3-paramiko

The latest version of gvm-tools can be installed for each user via the standard Python installation tool pip.

Installing gvm-tools for the current user
python3 -m pip install --user gvm-tools

To install it system-wide without running pip as root user, the following commands can be used:

Installing gvm-tools system-wide
python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR --no-warn-script-location gvm-tools

sudo cp -rv $INSTALL_DIR/* /

rm -rf $INSTALL_DIR/*

Performing a System Setup for GVM

Setting up the Redis Data Store

Looking at the GVM Architecture, the Redis key/value storage is used by the scanner (openvas-scanner and ospd-openvas) for handling the VT information and scan results.

Installing the Redis server
sudo apt install -y redis-server

After installing the Redis server package, a specific configuration for the openvas-scanner must be added.

Adding configuration for running the Redis server for the scanner
sudo cp $SOURCE_DIR/openvas-scanner-$GVM_VERSION/config/redis-openvas.conf /etc/redis/
sudo chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" | sudo tee -a /etc/openvas/openvas.conf

# start redis with openvas config
sudo systemctl start redis-server@openvas.service

# ensure redis with openvas config is started on every system startup
sudo systemctl enable redis-server@openvas.service

Additionally the gvm user must be able to access the redis unix socket at /run/redis-openvas/redis.sock.

Adding the gvm user to the redis group
sudo usermod -aG redis gvm

Adjusting Permissions

For a system-wide multi-user installation, it must be ensured that the directory permissions are set correctly and are matching the group setup. All users of the group gvm should be able to read and write logs, lock files and data like VTs.

Adjusting directory permissions
sudo chown -R gvm:gvm /var/lib/gvm
sudo chown -R gvm:gvm /var/lib/openvas
sudo chown -R gvm:gvm /var/log/gvm

sudo chmod -R g+srw /var/lib/gvm
sudo chmod -R g+srw /var/lib/openvas
sudo chmod -R g+srw /var/log/gvm

To allow all users of the group gvm access to the postgres database via the various gvmd commands, the permissions of the gvmd executable will be adjusted to always run as the gvm user and under the gvm group.

Adjusting gvmd permissions
sudo chown gvm:gvm /usr/local/sbin/gvmd
sudo chmod 6750 /usr/local/sbin/gvmd

Additionally the feed sync script permissions should be adjusted to only allow gvm user to execute them. Otherwise the permissions of the synced files will be broken.

Adjusting feed sync script permissions
sudo chown gvm:gvm /usr/local/bin/greenbone-nvt-sync
sudo chmod 740 /usr/local/sbin/greenbone-feed-sync
sudo chown gvm:gvm /usr/local/sbin/greenbone-*-sync
sudo chmod 740 /usr/local/sbin/greenbone-*-sync

Setting up sudo for Scanning

For vulnerability scanning, it is required to have several capabilities for which only root users are authorized, e.g., creating raw sockets. Therefore, a configuration will be added to allow the users of the gvm group to run the openvas-scanner application as root user via sudo.

Warning

Make sure that only necessary users have access to the gvm group. Each user of the gvm group has access to can manipulate the Vulnerability Test (VT) scripts (.nasl files). These scripts are run with root privileges and therefore can be used for exploits. See https://csal.medium.com/pentesters-tricks-local-privilege-escalation-in-openvas-fe933d7f161f.

sudo visudo

...

# allow users of the gvm group run openvas
%gvm ALL = NOPASSWD: /usr/local/sbin/openvas

Setting up PostgreSQL

The PostgreSQL database management system is used as a central storage for user and scan information. gvmd connects to a PostgreSQL database and queries the data. This database must be created and configured.

Installing the PostgreSQL server
sudo apt install -y postgresql

If necessary the PostgreSQL database server needs to be started manually

Starting the PostgreSQL database server
sudo systemctl start postgresql@11-main
Setting up PostgreSQL user and database
sudo -u postgres bash
createuser -DRS gvm
createdb -O gvm gvmd
exit
Setting up database permissions and extensions
sudo -u postgres bash
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;

create extension "uuid-ossp";
create extension "pgcrypto";
exit
exit

Setting up an Admin User

For accessing and configuring the vulnerability data, an administrator user needs to be created. This user can log in via the Greenbone Security Assistant (GSA) web interface. They will have access to all data and will later be configured to act as the Feed Import Owner.

Creating an administrator user with generated password
gvmd --create-user=admin

The new administrator user’s password is printed on success. An administrator user can later create further users or administrators via the GSA web interface.

To create the administrator user with a password of your choice instead of the generated password, the following command can be used:

Creating an administrator user with provided password
gvmd --create-user=admin --password=<password>

If the output doesn’t show

User created.

you need to look at the /var/log/gvm/gvmd.log for errors.

Setting the Feed Import Owner

Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the scan configuration “Full and Fast”.

Currently every resource needs an owner to apply the permissions and manage the access to the resources.

Therefore, gvmd will only create these resources if a Feed Import Owner is configured. Here the previously created admin user will be used as the Feed Import Owner.

Setting the Feed Import Owner
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value `gvmd --get-users --verbose | grep admin | awk '{print $2}'`

Performing an Initial Feed Synchronization

For the actual vulnerability scanning, Vulnerability Test scripts, security information like CVEs, port lists and scan configurations are required. All this data is provided by the Greenbone Community Feed and needs to be download initially before starting the services.

Note

Downloading the data during the initial synchronization may take a while depending on the network connection and server resources.

Syncing VTs processed by the scanner
sudo -u gvm greenbone-nvt-sync

Note

The CERT feed synchronization depends on the data provided by the SCAP feed and should be called after synchronizing the latter.

Syncing the data processed by gvmd
sudo -u gvm greenbone-feed-sync --type SCAP
sudo -u gvm greenbone-feed-sync --type CERT
sudo -u gvm greenbone-feed-sync --type GVMD_DATA

Starting Services with Systemd

Systemd is used to start the daemons ospd-openvas, gvmd and gsad. Therefore, service files are required.

Systemd service file for ospd-openvas
cat << EOF > $BUILD_DIR/ospd-openvas.service
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service
Wants=redis-server@openvas.service
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF

sudo cp $BUILD_DIR/ospd-openvas.service /etc/systemd/system/
Systemd service file for gvmd
cat << EOF > $BUILD_DIR/gvmd.service
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/run/gvm/gvmd.pid
RuntimeDirectory=gvm
RuntimeDirectoryMode=2775
ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
EOF

sudo cp $BUILD_DIR/gvmd.service /etc/systemd/system/
Systemd service file for gsad
cat << EOF > $BUILD_DIR/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/run/gvm/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOF

sudo cp $BUILD_DIR/gsad.service /etc/systemd/system/

Afterwards, the services need to be activated and started.

Making systemd aware of the new service files
sudo systemctl daemon-reload
Ensuring services are run at every system startup
sudo systemctl enable ospd-openvas
sudo systemctl enable gvmd
sudo systemctl enable gsad

Warning

Please be aware, even if the systemctl start commands are returning immediately, the first startup of the services may take several minutes or even hours!

At the first start the scanner needs to load all VTs into Redis and gvmd must process the CERT and SCAP data. gvmd requests all VT information from the scanner after they are loaded by the scanner. The scan configurations are only available if a Feed Import Owner is set, gvmd can connect to the scanner and the VTs are fully loaded by both services.

Running a vulnerability scan when not all data has been loaded may lead to empty or erroneous reports. You can check the /var/log/gvm/gvmd.log file for activity and also have a look at the SecInfo pages (for example SecInfo ‣ NVTs).

Finally starting the services
sudo systemctl start ospd-openvas
sudo systemctl start gvmd
sudo systemctl start gsad
Checking the status of the services
sudo systemctl status ospd-openvas
sudo systemctl status gvmd
sudo systemctl status gsad

Starting the Vulnerability Management

After the services have started and all data has been loaded, the Greenbone Security Manager web interface – GSA – can be opened in the browser.

Opening Greenbone Security Assistant in the browser
xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null &

The browser will show the login page of GSA and after using the credentials created in the Setting Up an Admin User chapter, it is possible to start with the vulnerability scanning.

Launching Greenbone Security Assistant for the first time

Greenbone Security Assistant after logging in for the first time