Install Greenbone Vulnerability Manager 20.08 on Ubuntu 20.04

Thanks to https://sadsloth.net/post/install-gvm-20_08-src-on-debian/ for the original article. The instructions below are a tweaked version of it, with error corrections and changes for Ubuntu (versus Debian 10).

Before Beginning

Machine/VM:

This assumes a fresh Ubuntu Server 20.04 image with nothing installed beyond the SSH server. The instructions will have you switch between a couple of users, so to make things easier it’s recommended to have 2 SSH sessions open to the machine.

Networking:

Greenbone limits connections to their services. If you have a firewall and NAT, it can be tricky to get everything downloaded from them. You will need TCP port 873 open from the machine to Greenbone to allow the scripts to work. It is also recommended to put a timeout on the firewall rule if it’s supported, something like 60 seconds (the higher, the easier it is on their services; try not to flood their server with requests). Too much activity from your IP will get it temporarily banned.

Install Prerequisites

Note: This will change your current session to root.

sudo su -
apt update &&\
apt -y dist-upgrade &&\
apt -y autoremove &&\
apt install -y software-properties-common &&\
apt install -y build-essential cmake pkg-config libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev doxygen graphviz libradcli-dev libhiredis-dev libpcap-dev bison libksba-dev libsnmp-dev gcc-mingw-w64 heimdal-dev libpopt-dev xmltoman redis-server xsltproc libical-dev postgresql postgresql-contrib postgresql-server-dev-all gnutls-bin nmap rpm nsis curl wget fakeroot gnupg sshpass socat snmp smbclient libmicrohttpd-dev libxml2-dev python3-polib gettext rsync xml-twig-tools python3-paramiko python3-lxml python3-defusedxml python3-pip python3-psutil python3-impacket virtualenv vim git &&\
apt install -y texlive-latex-extra --no-install-recommends &&\
apt install -y texlive-fonts-recommended &&\
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - &&\
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list &&\
apt update &&\
apt -y install yarn &&\
yarn install &&\
yarn upgrade

Create the GVM User

echo 'export PATH="$PATH:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"' | tee -a /etc/profile.d/gvm.sh &&\
chmod 0755 /etc/profile.d/gvm.sh &&\
source /etc/profile.d/gvm.sh &&\
bash -c 'cat << EOF > /etc/ld.so.conf.d/gvm.conf
# gvm libs location
/opt/gvm/lib
EOF'
mkdir /opt/gvm &&\
adduser gvm --disabled-password --home /opt/gvm/ --no-create-home --gecos '' &&\
usermod -aG redis gvm &&\
chown gvm:gvm /opt/gvm/

Here it is recommended to create another session to the machine so that this root session can stay intact, as there will be some back and forth. From now on the headers will be marked with the session user to execute them as.

sudo su - gvm

Download and Install Software (GVM)

mkdir src &&\
cd src &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
git clone -b gvm-libs-20.08 --single-branch  https://github.com/greenbone/gvm-libs.git &&\
git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git &&\
git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git &&\
git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git &&\
git clone -b gsa-20.08 --single-branch https://github.com/greenbone/gsa.git &&\
git clone -b ospd-openvas-20.08 --single-branch  https://github.com/greenbone/ospd-openvas.git &&\
git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git

Install gvm-libs (GVM)

cd gvm-libs &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
cd /opt/gvm/src

Install openvas-smb (GVM)

cd openvas-smb &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make install &&\
cd /opt/gvm/src

Install the scanner (GVM)

cd openvas &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
cd /opt/gvm/src

Fix redis for OpenVAS Install (root)

If you are only in one session, remember to exit to get back to root, otherwise switch to the root session.

export LC_ALL="C" &&\
ldconfig &&\
cp /etc/redis/redis.conf /etc/redis/redis.orig &&\
cp /opt/gvm/src/openvas/config/redis-openvas.conf /etc/redis/ &&\
chown redis:redis /etc/redis/redis-openvas.conf &&\
echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf &&\
systemctl enable redis-server@openvas.service &&\
systemctl start redis-server@openvas.service
sysctl -w net.core.somaxconn=1024 &&\
sysctl vm.overcommit_memory=1 &&\
echo "net.core.somaxconn=1024"  >> /etc/sysctl.conf &&\
echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
cat << EOF > /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload &&\
systemctl start disable-thp &&\
systemctl enable disable-thp &&\
systemctl restart redis-server

Add the /opt/gvm/sbin path to the secure_path variable:

sed 's/Defaults\s.*secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\"/Defaults secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin:\/opt\/gvm\/sbin\"/g' /etc/sudoers | EDITOR='tee' visudo

Allow the user running ospd-openvas to launch with root permissions:

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm
echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm
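
The two rules above let gvm run programs as root that live under /opt/gvm, a tree this guide hands to gvm with chown, so it is worth checking who can modify those files once the install is finished. The script below is an added example, not part of the original guide: it lists each NOPASSWD target and every parent directory that is not owned by a trusted uid or is writable by group or others. The function names, SAMPLE_RULES and the trusted-uid parameter are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original guide: list sudo NOPASSWD targets that an
# account other than the trusted owner could replace.

# Constructed copy of the two rules the guide writes to /etc/sudoers.d/gvm.
SAMPLE_RULES='gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas
gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad'

# nopasswd_targets: sudoers-style lines on stdin -> one absolute command path
# per line (comment lines skipped, command arguments dropped).
nopasswd_targets() {
    sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
        awk '$1 ~ /^\// { print $1 }'
}

# path_findings TRUSTED_UID PATH [STOP_DIR]
# Walk from PATH up to STOP_DIR (default /). Print one line for every component
# that is missing, owned by another uid, or writable by group or others.
path_findings() (
    trusted=$1 p=$2 stop=${3:-/}
    while :; do
        if [ ! -e "$p" ]; then
            echo "missing $p"
        else
            ls -Ldn "$p" | awk -v t="$trusted" -v p="$p" '{
                if ($3 != t) print "owner uid " $3 " " p
                if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w")
                    print "group/other-writable " p
            }'
        fi
        [ "$p" = "$stop" ] || [ "$p" = "/" ] || [ "$p" = "." ] && break
        p=$(dirname "$p")
    done
)

# audit_rules TRUSTED_UID [STOP_DIR]: sudoers lines on stdin -> findings.
audit_rules() {
    nopasswd_targets | while read -r target; do
        path_findings "$1" "$target" "${2:-/}"
    done
}

# Demo on the constructed rules, trusting only root (uid 0). On a real host,
# feed it the live file instead: audit_rules 0 < /etc/sudoers.d/gvm
printf '%s\n' "$SAMPLE_RULES" | audit_rules 0
```

Run it as root after the install steps; every line it prints is a path to review before relying on these rules.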

Update NVT (GVM)

Make sure to switch back to the GVM session, or run sudo su - gvm to get back to the GVM user (one command at a time).

greenbone-nvt-sync

Notes:

If you get timeout errors, most likely there is a firewall in the way. Make sure to open TCP port 873. If you get connection refused errors, wait some time and try again. Most likely you have a connection to their server that is still open. It is recommended to put a connection timeout in the port forward in the firewall if supported.

This is a VERY long process and downloads over 50,000 (!!!!) files. This is a good time to get lunch, get coffee, or go for a walk. I had to run the script a couple times as I ended up getting connection refused errors after 60,000 files.

Make sure when you run the command again that there are no more downloads and no more errors.

Upload Plugins in redis with OpenVAS (GVM)

This may take a little time depending on hardware, and gives you no feedback when you run the command.

sudo openvas -u

Install Manager (GVM)

cd gvmd &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
cd /opt/gvm/src

Configure PostgreSQL (Sudoers User)

Switch to a user in sudoers (do not use root or gvm for this). The user created during install will work here. Execute one line at a time.

sudo -u postgres bash
export LC_ALL="C"
createuser -DRS gvm
createdb -O gvm gvmd

psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
create extension "pgcrypto";
exit
exit

Fix Certificates (GVM)

Don’t forget to switch back to the GVM session or switch back to the GVM user (sudo su - gvm).

gvm-manage-certs -a

Create Admin User (GVM)

Warning! This creates a user with a very bad password for initial setup/scan. Remember to change this later!

gvmd --create-user=admin --password=admin

Configure and Update Feeds (GVM)

For the feeds to update completely, we will need to set “Feed Import Owner” to the admin’s UUID. First, find the UUID of the new admin user:

gvmd --get-users --verbose

You will get a long string of letters and numbers next to “admin”. Use this string in the next command.

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <string from above command>

Example:

gvm@server:/opt/gvm/src$ gvmd --get-users --verbose
admin 6f9e52bf-fb3d-4c56-9fe0-d3cb25497e1a
gvm@server:/opt/gvm/src$ gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value 6f9e52bf-fb3d-4c56-9fe0-d3cb25497e1a

Run the next 3 commands one line at a time. As above, you may get connection refused errors. Just try the command again until it succeeds (but try not to flood with requests). These commands will also take some time (SCAP seems to be the biggest). Time for another coffee break.

greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT
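
The retry advice above, as an added example that is not part of the original guide: a wrapper that reruns a failed sync with a doubling pause instead of hammering the feed server. The function names, the 5-attempt limit, the 120-second first delay and the 60-second gap are assumptions of this example, as is the sync script exiting non-zero on failure.

```sh
#!/bin/sh
# Added example, not from the original guide: rerun a feed sync after a failure,
# doubling the pause each time so retries do not pile onto the feed server.

# retry_backoff MAX_TRIES FIRST_DELAY_SECONDS COMMAND [ARGS...]
# Returns 0 as soon as COMMAND succeeds, otherwise the exit status of the last
# failed attempt once MAX_TRIES attempts have been made.
retry_backoff() (
    max=$1 delay=$2
    shift 2
    try=1
    while :; do
        "$@" && exit 0
        rc=$?
        if [ "$try" -ge "$max" ]; then
            echo "giving up after $try attempts: $*" >&2
            exit "$rc"
        fi
        echo "attempt $try failed (exit $rc), waiting ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))
        try=$((try + 1))
    done
)

# sync_all_feeds: the guide's three feed types, in the guide's order. Stops at
# the first type that still fails after all retries.
# Assumption: greenbone-feed-sync exits non-zero when the transfer fails.
sync_all_feeds() {
    for feed in GVMD_DATA SCAP CERT; do
        retry_backoff 5 120 greenbone-feed-sync --type "$feed" || return 1
        sleep 60   # assumed gap so the previous connection can close first
    done
}

# Run as the gvm user:  sh this-script.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_all_feeds
fi
```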

Install gsa (GVM)

cd gsa &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
touch /opt/gvm/var/log/gvm/gsad.log &&\
cd /opt/gvm/src

Set up OSPD-OpenVAS

Install the virtualenv (GVM)

Note: You may have to change --python python3.8 to match your installed python version.

cd /opt/gvm/src &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
virtualenv --python python3.8  /opt/gvm/bin/ospd-scanner/ &&\
source /opt/gvm/bin/ospd-scanner/bin/activate

Install ospd (GVM)

mkdir /opt/gvm/var/run/ospd/ &&\
cd ospd &&\
pip3 install . &&\
cd /opt/gvm/src

Install ospd-openvas (GVM)

cd ospd-openvas &&\
pip3 install . &&\
cd /opt/gvm/src

Create Startup Scripts (root)

# Quoted delimiter: the shell must not expand $MAINPID; systemd substitutes it at runtime.
cat << 'EOF' > /etc/systemd/system/gvmd.service
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvmd(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=postgresql.service ospd-openvas.service

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/gsad.service
[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target
Wants=gvmd.service


[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/ospd-openvas.service 
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service

[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

Enable and Start the services (root)

systemctl daemon-reload &&\
systemctl enable gvmd &&\
systemctl enable gsad &&\
systemctl enable ospd-openvas &&\
systemctl start gvmd &&\
systemctl start gsad &&\
systemctl start ospd-openvas

Check the services (root)

Make sure all 3 are running.

systemctl status gvmd
systemctl status gsad
systemctl status ospd-openvas

Modify Default Scanner (GVM)

Remember to switch back to your GVM session or GVM user.

First, get the UUID of the scanner that has the socket (ospd.sock):

gvmd --get-scanners

Then modify the scanner:

gvmd --modify-scanner=<UUID> --scanner-host=/opt/gvm/var/run/ospd.sock

Example:

(ospd-scanner) gvm@server:/opt/gvm/src$ gvmd --get-scanners
08b79033-5fc2-4047-a489-93b340221d73  OpenVAS  /var/run/ospd/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE
(ospd-scanner) gvm@server:/opt/gvm/src$ gvmd --modify-scanner=08b79033-5fc2-4047-a489-93b340221d73 --scanner-host=/opt/gvm/var/run/ospd.sock
Scanner modified.

Log in!

If you got this far with no errors, congratulations! Now you can log in from a browser at your server’s IP address (https://123.456.789) and try it out. The default login is admin/admin as set above. Remember to change that!