Building 22.4 from Source#

Building the Greenbone Community Edition from source requires knowledge about:

  • Using a terminal

  • Shell programming basics

  • Installing software via apt or dnf

  • Using a C compiler

  • Using CMake and make

  • The Linux File System Hierarchy

  • Running services via systemd

Additionally, a basic knowledge about the architecture of the Greenbone Community Edition is required to follow this guide.

Note

This guide is intended for developers who want to try out the newest features and/or want to get familiar with the source code. It is not intended for production setups.

Currently the docs support the following distributions

  • Debian stable (bullseye)

  • Ubuntu 22.04 LTS

  • Fedora 35 and 36

  • CentOS 9 Stream

Most likely, other Debian derivatives like Mint and Kali will also work with only minor adjustments required.

Hardware Requirements#

Minimal:

  • CPU Cores: 2

  • Random-Access Memory: 4GB

  • Hard Disk: 20GB free

Recommended:

  • CPU Cores: 4

  • Random-Access Memory: 8GB

  • Hard Disk: 60GB free

Prerequisites#

Note

Please follow the guide step by step. Later steps might require settings or output of a previous command.

The command sudo is used for executing commands that require privileged access on the system.

Creating a User and a Group#

The services provided by the Greenbone Community Edition should run as a dedicated user and group. Therefore a gvm user and a group with the same name will be created.

Creating a gvm system user and group#
sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm

Adjusting the Current User#

To allow the current user to run gvmd he must be added to the gvm group. To make the group change effective either logout and login again or use su.

Add current user to gvm group#
sudo usermod -aG gvm $USER

su $USER

Choosing an Install Prefix#

Before building the software stack, a (root) directory must be chosen where the built software will finally be installed. For example, when building packages, the distribution developers set this path to /usr.

By default, it is /usr/local which is also used in this guide. This directory will be stored in an environment variable INSTALL_PREFIX to be able to reference it later.

Setting an install prefix environment variable#
export INSTALL_PREFIX=/usr/local

Setting the PATH#

On Debian systems the locations /sbin, /usr/sbin and /usr/local/sbin are not in the PATH of normal users. To run gvmd which is located in /usr/local/sbin the PATH environment variable should be adjusted.

Adjusting PATH for running gvmd#
export PATH=$PATH:$INSTALL_PREFIX/sbin

Creating a Source, Build and Install Directory#

To separate the sources and the build artifacts, a source and a build directory must be created.

This source directory will be used later in this guide via an environment variable SOURCE_DIR. Accordingly, a variable BUILD_DIR will be set for the build directory. Both can be set to any directory to which the current user has write permissions. Therefore directories in the current user’s home directory are chosen in this guide.

Choosing a source directory#
export SOURCE_DIR=$HOME/source
mkdir -p $SOURCE_DIR
Choosing a build directory#
export BUILD_DIR=$HOME/build
mkdir -p $BUILD_DIR

Additionally, an install directory will be set as an environment variable INSTALL_DIR. It is used as a temporary installation directory before moving all built artifacts to the final destination.

Choosing a temporary install directory#
export INSTALL_DIR=$HOME/install
mkdir -p $INSTALL_DIR

Choosing the Installation Source#

For building the GVM software stack, three different sources can be chosen depending on the desired stability:

  • Building from release tarballs

  • Building from git tags

  • Building from release branches

Linux distributions use the release tarballs because it is the most common and well known method to share source code.

Newer build systems may stick with the git tags.

If you are a developer and very familiar with building from source already, you may also try out using the git release branches. These have the advantage that they contain the newest fixes which may not yet be included in the release tarballs or git tags. As a downside, the release branches may contain only partially fixed issues and need to be updated more often.

This guide will use the tarballs to build the software.

Installing Common Build Dependencies#

For downloading, configuring, building and installing the Greenbone Community Edition components, several tools and applications are required. To install this requirements the following commands can be used:

Installing common build dependencies#
sudo apt update
sudo apt install --no-install-recommends --assume-yes \
  build-essential \
  curl \
  cmake \
  pkg-config \
  python3 \
  python3-pip \
  gnupg

Importing the Greenbone Signing Key#

To validate the integrity of the downloaded source files, GnuPG is used. It requires downloading the Greenbone Community Signing public key and importing it into the current user’s keychain.

Importing the Greenbone Community Signing key#
curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
gpg --import /tmp/GBCommunitySigningKey.asc

For understanding the validation output of the gpg tool, it is best to mark the Greenbone Community Signing key as fully trusted.

Setting the trust level for the Greenbone Community Signing key#
echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" > /tmp/ownertrust.txt
gpg --import-ownertrust < /tmp/ownertrust.txt

Setting the Version#

To make the downloading easier, an environment variable for the desired release version will be set. Using a variable allows adjusting the version easily after a new release.

Setting a GVM version as environment variable#
export GVM_VERSION=22.4.1

Building and Installing the Components#

Note

The components should be build and installed in the listed order.

gvm-libs#

gvm-libs is a C library providing basic functionality like XML parsing and network communication. It is used in openvas-scanner, gvmd, gsad and pg-gvm.

Setting the gvm-libs version to use#
export GVM_LIBS_VERSION=22.4.4
Required dependencies for gvm-libs#
sudo apt install -y \
  libglib2.0-dev \
  libgpgme-dev \
  libgnutls28-dev \
  uuid-dev \
  libssh-gcrypt-dev \
  libhiredis-dev \
  libxml2-dev \
  libpcap-dev \
  libnet1-dev \
  libpaho-mqtt-dev
Optional dependencies for gvm-libs#
sudo apt install -y \
  libldap2-dev \
  libradcli-dev
Downloading the gvm-libs sources#
curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gvm-libs/releases/download/v$GVM_LIBS_VERSION/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc
Verifying the source file#
gpg --verify $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz

Afterwards, gvm-libs can be build and installed.

Building gvm-libs#
mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs

cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var

make -j$(nproc)
Installing gvm-libs#
mkdir -p $INSTALL_DIR/gvm-libs

make DESTDIR=$INSTALL_DIR/gvm-libs install

sudo cp -rv $INSTALL_DIR/gvm-libs/* /

gvmd#

The Greenbone Vulnerability Management Daemon (gvmd) is the main service of the Greenbone Community Edition. It handles authentication, scan management, vulnerability information, reporting, alerting, scheduling and much more. As a storage backend, it uses a PostgreSQL database.

Setting the gvmd version to use#
export GVMD_VERSION=22.4.2
Required dependencies for gvmd#
sudo apt install -y \
  libglib2.0-dev \
  libgnutls28-dev \
  libpq-dev \
  postgresql-server-dev-13 \
  libical-dev \
  xsltproc \
  rsync \
  libbsd-dev \
  libgpgme-dev
Optional dependencies for gvmd#
sudo apt install -y --no-install-recommends \
  texlive-latex-extra \
  texlive-fonts-recommended \
  xmlstarlet \
  zip \
  rpm \
  fakeroot \
  dpkg \
  nsis \
  gnupg \
  gpgsm \
  wget \
  sshpass \
  openssh-client \
  socat \
  snmp \
  python3 \
  smbclient \
  python3-lxml \
  gnutls-bin \
  xml-twig-tools

Details about the optional dependencies can be found at https://github.com/greenbone/gvmd/blob/stable/INSTALL.md#prerequisites-for-optional-features

Downloading the gvmd sources#
curl -f -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gvmd/releases/download/v$GVMD_VERSION/gvmd-$GVMD_VERSION.tar.gz.asc -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc
Verifying the source file#
gpg --verify $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
Building gvmd#
mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd

cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DLOCALSTATEDIR=/var \
  -DSYSCONFDIR=/etc \
  -DGVM_DATA_DIR=/var \
  -DGVMD_RUN_DIR=/run/gvmd \
  -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \
  -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \
  -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \
  -DLOGROTATE_DIR=/etc/logrotate.d

make -j$(nproc)
Installing gvmd#
mkdir -p $INSTALL_DIR/gvmd

make DESTDIR=$INSTALL_DIR/gvmd install

sudo cp -rv $INSTALL_DIR/gvmd/* /

pg-gvm#

pg-gvm is a PostgreSQL server extension that adds several functions used by gvmd, e.g., iCalendar and host range evaluation. In previous versions, these functions were managed directly by gvmd while pg-gvm uses the extension management built into PostgreSQL.

Setting the pg-gvm version to use#
export PG_GVM_VERSION=22.4.0
Required dependencies for pg-gvm#
sudo apt install -y \
  libglib2.0-dev \
  postgresql-server-dev-13 \
  libical-dev
Downloading the pg-gvm sources#
curl -f -L https://github.com/greenbone/pg-gvm/archive/refs/tags/v$PG_GVM_VERSION.tar.gz -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz
curl -f -L https://github.com/greenbone/pg-gvm/releases/download/v$PG_GVM_VERSION/pg-gvm-$PG_GVM_VERSION.tar.gz.asc -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc
Verifying the source file#
gpg --verify $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz

Afterwards, pg-gvm can be build and installed.

Building pg-gvm#
mkdir -p $BUILD_DIR/pg-gvm && cd $BUILD_DIR/pg-gvm

cmake $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \
  -DCMAKE_BUILD_TYPE=Release

make -j$(nproc)
Installing pg-gvm#
mkdir -p $INSTALL_DIR/pg-gvm

make DESTDIR=$INSTALL_DIR/pg-gvm install

sudo cp -rv $INSTALL_DIR/pg-gvm/* /

Greenbone Security Assistant#

The Greenbone Security Assistant (GSA) sources consist of two parts:

  • Web server gsad

  • Web application GSA

GSA#

The web application is written in JavaScript and uses the react framework. It requires nodejs for building the application and yarn (or npm) for maintaining the JavaScript dependencies.

Setting the GSA version to use#
export GSA_VERSION=$GVM_VERSION

Note

GSA is a JavaScript based web application. For maintaining the JavaScript dependencies, yarn is used.

Install nodejs 14#
export NODE_VERSION=node_14.x
export KEYRING=/usr/share/keyrings/nodesource.gpg
export DISTRIBUTION="$(lsb_release -s -c)"

curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
gpg --no-default-keyring --keyring "$KEYRING" --list-keys

echo "deb [signed-by=$KEYRING] https://deb.nodesource.com/$NODE_VERSION $DISTRIBUTION main" | sudo tee /etc/apt/sources.list.d/nodesource.list
echo "deb-src [signed-by=$KEYRING] https://deb.nodesource.com/$NODE_VERSION $DISTRIBUTION main" | sudo tee -a /etc/apt/sources.list.d/nodesource.list


sudo apt update
sudo apt install -y nodejs
Install yarn#
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list

sudo apt update
sudo apt install -y yarn

Building the web application GSA requires the installation of several JavaScript dependencies. These dependencies have to be downloaded automatically by yarn (or npm) during the build process.

Downloading the gsa sources#
curl -f -L https://github.com/greenbone/gsa/archive/refs/tags/v$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc
Verifying the source files#
gpg --verify $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz

The output of both commands should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the two tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
Building gsa#
cd $SOURCE_DIR/gsa-$GSA_VERSION

rm -rf build

yarn
yarn build
Installing gsa#
sudo mkdir -p $INSTALL_PREFIX/share/gvm/gsad/web/
sudo cp -rv build/* $INSTALL_PREFIX/share/gvm/gsad/web/

gsad#

The web server gsad is written in the C programming language. It serves static content like images and provides an API for the web application. Internally it communicates with gvmd using GMP.

Setting the GSAd version to use#
export GSAD_VERSION=$GVM_VERSION
Required dependencies for gsad#
sudo apt install -y \
  libmicrohttpd-dev \
  libxml2-dev \
  libglib2.0-dev \
  libgnutls28-dev
Downloading the gsad sources#
curl -f -L https://github.com/greenbone/gsad/archive/refs/tags/v$GSAD_VERSION.tar.gz -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gsad/releases/download/v$GSAD_VERSION/gsad-$GSAD_VERSION.tar.gz.asc -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc
Verifying the source files#
gpg --verify $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz

The output of both commands should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the two tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz
Building gsad#
mkdir -p $BUILD_DIR/gsad && cd $BUILD_DIR/gsad

cmake $SOURCE_DIR/gsad-$GSAD_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DGVMD_RUN_DIR=/run/gvmd \
  -DGSAD_RUN_DIR=/run/gsad \
  -DLOGROTATE_DIR=/etc/logrotate.d

make -j$(nproc)
Installing gsad#
mkdir -p $INSTALL_DIR/gsad

make DESTDIR=$INSTALL_DIR/gsad install

sudo cp -rv $INSTALL_DIR/gsad/* /

openvas-smb#

openvas-smb is a helper module for openvas-scanner. It includes libraries (openvas-wmiclient/openvas-wincmd) to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.

It is an optional dependency of openvas-scanner but is required for scanning Windows-based systems.

Note

openvas-smb is released independently of the Greenbone Community Edition. Therefore, the newest compatible version is used.

Warning

openvas-smb doesn’t work on CentOS at the moment! It is not a hard requirement.

Setting the openvas-smb version to use#
export OPENVAS_SMB_VERSION=22.4.0
Required dependencies for openvas-smb#
sudo apt install -y \
  gcc-mingw-w64 \
  libgnutls28-dev \
  libglib2.0-dev \
  libpopt-dev \
  libunistring-dev \
  heimdal-dev \
  perl-base
Downloading the openvas-smb sources#
curl -f -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB_VERSION.tar.gz -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-smb/releases/download/v$OPENVAS_SMB_VERSION/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc
Verifying the source file#
gpg --verify $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
Building openvas-smb#
mkdir -p $BUILD_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb

cmake $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release

make -j$(nproc)
Installing openvas-smb#
mkdir -p $INSTALL_DIR/openvas-smb

make DESTDIR=$INSTALL_DIR/openvas-smb install

sudo cp -rv $INSTALL_DIR/openvas-smb/* /

openvas-scanner#

openvas-scanner is a full-featured scan engine that executes a continuously updated and extended feed of Vulnerability Tests (VTs). The feed consist of thousands of NASL (Network Attack Scripting Language) scripts which implement all kind of vulnerability checks.

Setting the openvas-scanner version to use#
export OPENVAS_SCANNER_VERSION=$GVM_VERSION
Required dependencies for openvas-scanner#
sudo apt install -y \
  bison \
  libglib2.0-dev \
  libgnutls28-dev \
  libgcrypt20-dev \
  libpcap-dev \
  libgpgme-dev \
  libksba-dev \
  rsync \
  nmap \
  libjson-glib-dev \
  libbsd-dev
Debian optional dependencies for openvas-scanner#
sudo apt install -y \
  python3-impacket \
  libsnmp-dev
Downloading the openvas-scanner sources#
curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_SCANNER_VERSION/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc
Verifying the source file#
gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
Building openvas-scanner#
mkdir -p $BUILD_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner

cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
  -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
  -DOPENVAS_RUN_DIR=/run/ospd

make -j$(nproc)
Installing openvas-scanner#
mkdir -p $INSTALL_DIR/openvas-scanner

make DESTDIR=$INSTALL_DIR/openvas-scanner install

sudo cp -rv $INSTALL_DIR/openvas-scanner/* /

ospd-openvas#

ospd-openvas is an OSP server implementation to allow gvmd to remotely control an openvas-scanner. It is running as a daemon and waits for incoming OSP requests from gvmd.

Setting the ospd and ospd-openvas versions to use#
export OSPD_OPENVAS_VERSION=22.4.6
Required dependencies for ospd-openvas#
sudo apt install -y \
  python3 \
  python3-pip \
  python3-setuptools \
  python3-packaging \
  python3-wrapt \
  python3-cffi \
  python3-psutil \
  python3-lxml \
  python3-defusedxml \
  python3-paramiko \
  python3-redis \
  python3-gnupg \
  python3-paho-mqtt
Downloading the ospd-openvas sources#
curl -f -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/ospd-openvas/releases/download/v$OSPD_OPENVAS_VERSION/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc
Verifying the source files#
gpg --verify $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
Installing ospd-openvas#
cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION

mkdir -p $INSTALL_DIR/ospd-openvas

python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR/ospd-openvas --no-warn-script-location .

sudo cp -rv $INSTALL_DIR/ospd-openvas/* /

notus-scanner#

notus-scanner is used for detecting vulnerable products by evaluating internal system information gathered by openvas-scanner. It communicates with openvas-scanner and ospd-openvas via MQTT. It is running as a daemon.

Setting the notus version to use#
export NOTUS_VERSION=22.4.4
Required dependencies for notus-scanner#
sudo apt install -y \
  python3 \
  python3-pip \
  python3-setuptools \
  python3-paho-mqtt \
  python3-psutil \
  python3-gnupg
Downloading the notus-scanner sources#
curl -f -L https://github.com/greenbone/notus-scanner/archive/refs/tags/v$NOTUS_VERSION.tar.gz -o $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/notus-scanner/releases/download/v$NOTUS_VERSION/notus-scanner-$NOTUS_VERSION.tar.gz.asc -o $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz.asc
Verifying the source files#
gpg --verify $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz.asc $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg:                using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz
Installing notus-scanner#
cd $SOURCE_DIR/notus-scanner-$NOTUS_VERSION

mkdir -p $INSTALL_DIR/notus-scanner

python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR/notus-scanner --no-warn-script-location .

sudo cp -rv $INSTALL_DIR/notus-scanner/* /

greenbone-feed-sync#

The greenbone-feed-sync tool is a Python based script to download all feed data from the Greenbone Community Feed to your local machine. It is an improved version of two former shell scripts.

Note

greenbone-feed-sync is released independently of the Greenbone Community Edition. Therefore, the newest version is used.

Required dependencies for greenbone-feed-sync#
sudo apt install -y \
  python3 \
  python3-pip

The latest version of greeenbone-feed-sync can be installed by using standard Python installation tool pip.

To install it system-wide for all users without running pip as root user, the following commands can be used:

Installing greenbone-feed-sync system-wide for all users#
mkdir -p $INSTALL_DIR/greenbone-feed-sync

python3 -m pip install --prefix $INSTALL_PREFIX --root=$INSTALL_DIR/greenbone-feed-sync --no-warn-script-location greenbone-feed-sync

sudo cp -rv $INSTALL_DIR/greenbone-feed-sync/* /

gvm-tools#

The Greenbone Vulnerability Management Tools, or gvm-tools in short, are a collection of tools that help with controlling Greenbone Community Edition installations or Greenbone Enterprise Appliances remotely.

Essentially, the tools aid accessing the communication protocols Greenbone Management Protocol (GMP) and Open Scanner Protocol (OSP).

gvm-tools are optional and not required for a functional GVM stack.

Note

gvm-tools is released independently of the Greenbone Community Edition. Therefore, the newest version is used.

Required dependencies for gvm-tools#
sudo apt install -y \
  python3 \
  python3-pip \
  python3-venv \
  python3-setuptools \
  python3-packaging \
  python3-lxml \
  python3-defusedxml \
  python3-paramiko

The latest version of gvm-tools can be installed for each user via the standard Python installation tool pip.

Installing gvm-tools for the current user#
python3 -m pip install --user gvm-tools

To install it system-wide without running pip as root user, the following commands can be used:

Installing gvm-tools system-wide#
mkdir -p $INSTALL_DIR/gvm-tools

python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR/gvm-tools --no-warn-script-location gvm-tools

sudo cp -rv $INSTALL_DIR/gvm-tools/* /
Installing gvm-tools system-wide#
mkdir -p $INSTALL_DIR/gvm-tools

python3 -m pip install --root=$INSTALL_DIR/gvm-tools --no-warn-script-location gvm-tools

sudo cp -rv $INSTALL_DIR/gvm-tools/* /

Performing a System Setup#

Setting up the Redis Data Store#

Looking at the Architecture, the Redis key/value storage is used by the scanner (openvas-scanner and ospd-openvas) for handling the VT information and scan results.

Installing the Redis server#
sudo apt install -y redis-server

After installing the Redis server package, a specific configuration for the openvas-scanner must be added.

Adding configuration for running the Redis server for the scanner#
sudo cp $SOURCE_DIR/openvas-scanner-$GVM_VERSION/config/redis-openvas.conf /etc/redis/
sudo chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" | sudo tee -a /etc/openvas/openvas.conf
Start redis with openvas config#
sudo systemctl start redis-server@openvas.service
Ensure redis with openvas config is started on every system startup#
sudo systemctl enable redis-server@openvas.service

Additionally the gvm user must be able to access the redis unix socket at /run/redis-openvas/redis.sock.

Adding the gvm user to the redis group#
sudo usermod -aG redis gvm

Setting up the Mosquitto MQTT Broker#

The Mosquitto MQTT broker is used for communication between ospd-openvas, openvas-scanner and notus-scanner.

Installing the Mosquitto broker#
sudo apt install -y mosquitto

After installing the Mosquitto broker package, the broker must be started and the server uri must be added to the openvas-scanner configuration.

Starting the broker and adding the server uri to the openvas-scanner configuration#
sudo systemctl start mosquitto.service
sudo systemctl enable mosquitto.service
echo "mqtt_server_uri = localhost:1883\ntable_driven_lsc = yes" | sudo tee -a /etc/openvas/openvas.conf

Adjusting Permissions#

For a system-wide multi-user installation, it must be ensured that the directory permissions are set correctly and are matching the group setup. All users of the group gvm should be able to read and write logs, lock files and data like VTs.

Adjusting directory permissions#
sudo mkdir -p /var/lib/notus
sudo mkdir -p /run/gvmd

sudo chown -R gvm:gvm /var/lib/gvm
sudo chown -R gvm:gvm /var/lib/openvas
sudo chown -R gvm:gvm /var/lib/notus
sudo chown -R gvm:gvm /var/log/gvm
sudo chown -R gvm:gvm /run/gvmd

sudo chmod -R g+srw /var/lib/gvm
sudo chmod -R g+srw /var/lib/openvas
sudo chmod -R g+srw /var/log/gvm

To allow all users of the group gvm access to the postgres database via the various gvmd commands, the permissions of the gvmd executable will be adjusted to always run as the gvm user and under the gvm group.

Adjusting gvmd permissions#
sudo chown gvm:gvm /usr/local/sbin/gvmd
sudo chmod 6750 /usr/local/sbin/gvmd

Additionally the feed sync script permissions should be adjusted to allow gvm user to execute them. The feed sync should always be run as the gvm user otherwise the permissions of the synced files may be broken.

Adjusting feed sync script permissions#
sudo chown gvm:gvm /usr/local/bin/greenbone-feed-sync
sudo chmod 740 /usr/local/bin/greenbone-feed-sync

Feed Validation#

For validating the feed content, a GnuPG keychain with the Greenbone Community Feed integrity key needs to be created.

Creating a GPG keyring for feed content validation#
export GNUPGHOME=/tmp/openvas-gnupg
mkdir -p $GNUPGHOME

gpg --import /tmp/GBCommunitySigningKey.asc
gpg --import-ownertrust < /tmp/ownertrust.txt

export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg
sudo mkdir -p $OPENVAS_GNUPG_HOME
sudo cp -r /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/
sudo chown -R gvm:gvm $OPENVAS_GNUPG_HOME

Setting up sudo for Scanning#

For vulnerability scanning, it is required to have several capabilities for which only root users are authorized, e.g., creating raw sockets. Therefore, a configuration will be added to allow the users of the gvm group to run the openvas-scanner application as root user via sudo.

Warning

Make sure that only necessary users have access to the gvm group. Each user of the gvm group can manipulate the Vulnerability Test (VT) scripts (.nasl files). These scripts are run with root privileges and therefore can be used for exploits. See https://csal.medium.com/pentesters-tricks-local-privilege-escalation-in-openvas-fe933d7f161f.

sudo visudo

...

# allow users of the gvm group run openvas
%gvm ALL = NOPASSWD: /usr/local/sbin/openvas

Setting up PostgreSQL#

The PostgreSQL database management system is used as a central storage for user and scan information. gvmd connects to a PostgreSQL database and queries the data. This database must be created and configured.

Installing the PostgreSQL server#
sudo apt install -y postgresql

If necessary the PostgreSQL database server needs to be started manually

Starting the PostgreSQL database server#
sudo systemctl start postgresql@13-main

For setting up the PostgreSQL database it is required to become the postgres user.

Changing to the postgres user#
sudo -u postgres bash
Setting up PostgreSQL user and database for the Greenbone Community Edition#
createuser -DRS gvm
createdb -O gvm gvmd
Setting up database permissions and extensions#
psql gvmd -c "create role dba with superuser noinherit; grant dba to gvm;"

exit

Setting up an Admin User#

For accessing and configuring the vulnerability data, an administrator user needs to be created. This user can log in via the Greenbone Security Assistant (GSA) web interface. They will have access to all data and will later be configured to act as the Feed Import Owner.

Creating an administrator user with generated password#
/usr/local/sbin/gvmd --create-user=admin

The new administrator user’s password is printed on success. An administrator user can later create further users or administrators via the GSA web interface.

To create the administrator user with a password of your choice instead of the generated password, the following command can be used:

Creating an administrator user with provided password#
/usr/local/sbin/gvmd --create-user=admin --password=<password>

If the output doesn’t show

User created.

you need to look at the /var/log/gvm/gvmd.log for errors.

Setting the Feed Import Owner#

Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the scan configuration “Full and Fast”.

Currently every resource needs an owner to apply the permissions and manage the access to the resources.

Therefore, gvmd will only create these resources if a Feed Import Owner is configured. Here the previously created admin user will be used as the Feed Import Owner.

Setting the Feed Import Owner#
/usr/local/sbin/gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value `/usr/local/sbin/gvmd --get-users --verbose | grep admin | awk '{print $2}'`

Setting up Services for Systemd#

Systemd is used to start the daemons ospd-openvas, notus-scanner, gvmd and gsad. Therefore, service files are required.

Systemd service file for ospd-openvas#
cat << EOF > $BUILD_DIR/ospd-openvas.service
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service mosquitto.service
Wants=redis-server@openvas.service mosquitto.service notus-scanner.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770 --mqtt-broker-address localhost --mqtt-broker-port 1883 --notus-feed-dir /var/lib/notus/advisories
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF
Install systemd service file for ospd-openvas#
sudo cp -v $BUILD_DIR/ospd-openvas.service /etc/systemd/system/
Systemd service file for notus-scanner#
cat << EOF > $BUILD_DIR/notus-scanner.service
[Unit]
Description=Notus Scanner
Documentation=https://github.com/greenbone/notus-scanner
After=mosquitto.service
Wants=mosquitto.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
RuntimeDirectory=notus-scanner
RuntimeDirectoryMode=2775
PIDFile=/run/notus-scanner/notus-scanner.pid
ExecStart=/usr/local/bin/notus-scanner --foreground --products-directory /var/lib/notus/products --log-file /var/log/gvm/notus-scanner.log
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF
Install systemd service file for notus-scanner#
sudo cp -v $BUILD_DIR/notus-scanner.service /etc/systemd/system/
Systemd service file for gvmd#
cat << EOF > $BUILD_DIR/gvmd.service
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
PIDFile=/run/gvmd/gvmd.pid
RuntimeDirectory=gvmd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/sbin/gvmd --foreground --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
EOF
Install systemd service file for gvmd#
sudo cp -v $BUILD_DIR/gvmd.service /etc/systemd/system/
Systemd service file for gsad#
cat << EOF > $BUILD_DIR/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --http-only
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOF
Install systemd service file for gsad#
sudo cp -v $BUILD_DIR/gsad.service /etc/systemd/system/

Afterwards, the services need to be activated and started.

Making systemd aware of the new service files#
sudo systemctl daemon-reload
Ensuring services are run at every system startup#
sudo systemctl enable notus-scanner
sudo systemctl enable ospd-openvas
sudo systemctl enable gvmd
sudo systemctl enable gsad

Performing a Feed Synchronization#

For the actual vulnerability scanning, Vulnerability Test scripts, security information like CVEs, port lists and scan configurations are required. All this data is provided by the Greenbone Community Feed and should be downloaded initially before starting the services.

A synchronization always consists of two parts:

  1. Downloading the changes via rsync

  2. Loading the changes into memory and a database by a daemon

Both steps may take a while, from several minutes up to hours, especially for the initial synchronization. Only if both steps are finished, the synchronized data is up-to-date and can be used.

The first step is done via the greenbone-feed-sync script. The second step is done automatically when the daemons are started.

Downloading the Data#

Note

Downloading the data during the synchronization may take a while depending on the network connection and server resources.

The downloaded data consist of four different kind of data:

  • VT data

  • SCAP data

  • CERT data

  • GVMD data

VT data contain .nasl and .notus files for creating results during a vulnerability scan. The .nasl files are processed by the OpenVAS Scanner and the .notus files by the Notus Scanner.

SCAP data contains CPE and CVE information.

CERT data contain vulnerability information from the German DFN-CERT and CERT-Bund agencies.

GVMD data (or also called “data objects”) are scan configurations, compliance policies, port lists and report formats.

Downloading the data from the Greenbone Community Feed#
sudo /usr/local/bin/greenbone-feed-sync

Starting the Greenbone Community Edition Services#

Important

When the feed content has been downloaded, the new data must be loaded by the corresponding daemons. This may take several minutes up to hours, especially for the initial loading of the data. Without loaded data, scans will contain incomplete and erroneous results.

After starting the Greenbone Community Edition services via systemd, the running daemons will pick up the feed content and load the data automatically.

Warning

Please be aware, even if the systemctl start commands are returning immediately, the first startup of the services may take several minutes or even hours!

Finally starting the services#
sudo systemctl start notus-scanner
sudo systemctl start ospd-openvas
sudo systemctl start gvmd
sudo systemctl start gsad
Checking the status of the services#
sudo systemctl status notus-scanner
sudo systemctl status ospd-openvas
sudo systemctl status gvmd
sudo systemctl status gsad

Vulnerability Tests Data#

If the log file of ospd-openvas (/var/log/gvm/ospd-openvas.log) contains the following output, the OpenVAS Scanner starts to load the new VT data:

ospd-openvas VT loading log message#
Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may
take a few minutes, please wait ...

The loading of the VT data is finished if the following log message can be found:

ospd-openvas VTs loading finished log message#
Finished loading VTs. The VT cache has been updated from version X to Y.

After the scanner is aware of the VT data, the data will be requested by gvmd. This will result in the following log message in /var/log/gvm/gvmd.log:

gvmd VTs loading log message#
OSP service has different VT status (version X) from database (version (Y), Z VTs). Starting update ...

When gvmd has finished loading all VTs, the following message appears:

gvmd VTs loading finished log message#
Updating VTs in database ... done (X VTs).

SCAP Data#

gvmd starts loading the SCAP data containing CPE and CVE information when the following message can be found in the logs (/var/log/gvm/gvmd.log):

gvmd SCAP data loading log message#
update_scap: Updating data from feed

The SCAP data is loaded and the synchronization is finished when the (gvmd) log contains the following message:

gvmd SCAP data loading finished log message#
update_scap_end: Updating SCAP info succeeded

CERT Data#

gvmd starts loading the CERT data containing DFN-CERT and CERT-Bund advisories when the following message can be found in the logs (/var/log/gvm/gvmd.log):

gvmd CERT data loading log message#
sync_cert: Updating data from feed

The CERT data is loaded and the synchronization is finished when the (gvmd) log contains the following message:

gvmd CERT data finished loading log message#
sync_cert: Updating CERT info succeeded.

GVMD Data#

The log (/var/log/gvm/gvmd.log) contains several messages when the gvmd data is loaded. For port lists, these messages are similar to:

gvmd port list loaded log message#
 Port list All IANA assigned TCP (33d0cd82-57c6-11e1-8ed1-406186ea4fc5) has been created by admin

For report formats:

gvmd report format loaded log message#
Report format XML (a994b278-1f62-11e1-96ac-406186ea4fc5) has been created by admin

Hint

Scan Configs can only be loaded if the VT data is available in gvmd and a Feed Import Owner is set.

For scan configs:

gvmd scan config loaded log message#
Scan config Full and fast (daba56c8-73ec-11df-a475-002264764cea) has been created by admin

Starting the Vulnerability Management#

After the services have started and all data has been loaded, the Greenbone Security Assistant web interface – GSA – can be opened in the browser.

Opening Greenbone Security Assistant in the browser#
xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null &

The browser will show the login page of GSA and after using the credentials created in the Setting Up an Admin User chapter, it is possible to start with the vulnerability scanning.

Launching Greenbone Security Assistant for the first time

Greenbone Security Assistant after logging in for the first time#