Home » Security » How to Install GVM Vulnerability Scanner on Ubuntu 20.04

How to Install GVM Vulnerability Scanner on Ubuntu 20.04

GVM (Greenbone Vulnerability Management) is an open-source solution for vulnerability scanning and vulnerability management. GVM was previously known as OpenVAS.

Greenbone Vulnerability Manager and OpenVAS are widely used by a number of people in the World including security experts and common users alike who used this all in one suite of tools that works together to run the tests against client computers using its own database of known weaknesses and exploits.

In this article, we will show How to install and setup GVM on Ubuntu 20.04 to make sure that your servers are protected against attacks.

Base System

We will setup Greenbone Vulnerability Manager 20.08 with the basic installation of system packages on Ubuntu 20.04.

Install Prerequisites

First install the following dependencies packages.

sudo su -
apt update &&\
apt -y dist-upgrade &&\
apt -y autoremove &&\
apt install -y software-properties-common &&\
apt install -y build-essential cmake pkg-config libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev doxygen graphviz libradcli-dev libhiredis-dev libpcap-dev bison libksba-dev libsnmp-dev gcc-mingw-w64 heimdal-dev libpopt-dev xmltoman redis-server xsltproc libical-dev postgresql postgresql-contrib postgresql-server-dev-all gnutls-bin nmap rpm nsis curl wget fakeroot gnupg sshpass socat snmp smbclient libmicrohttpd-dev libxml2-dev python3-polib gettext rsync xml-twig-tools python3-paramiko python3-lxml python3-defusedxml python3-pip python3-psutil python3-impacket virtualenv vim git &&\
apt install -y texlive-latex-extra --no-install-recommends &&\
apt install -y texlive-fonts-recommended &&\
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - &&\
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list &&\
apt update &&\
apt -y install yarn &&\
yarn install &&\
yarn upgrade

Create the GVM User

Paste the following commands to terminal to create the gvm user which will be used in the installation and compilation process:

echo 'export PATH="$PATH:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"' | tee -a /etc/profile.d/gvm.sh &&\
chmod 0755 /etc/profile.d/gvm.sh &&\
source /etc/profile.d/gvm.sh &&\
bash -c 'cat < /etc/ld.so.conf.d/gvm.conf
# gmv libs location
/opt/gvm/lib
EOF'
mkdir /opt/gvm &&\
adduser gvm --disabled-password --home /opt/gvm/ --no-create-home --gecos '' &&\
usermod -aG redis gvm &&\
chown gvm:gvm /opt/gvm/

Now login as gvm user. From now on, the title headers will be marked with which user is needed to execute commands as.

sudo su - gvm

Download and Install Software (GVM)

Now create the src folder and git clone the GVM source code:

mkdir src &&\
cd src &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
git clone -b gvm-libs-20.08 --single-branch  https://github.com/greenbone/gvm-libs.git &&\
git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git &&\
git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git &&\
git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git &&\
git clone -b gsa-20.08 --single-branch https://github.com/greenbone/gsa.git &&\
git clone -b ospd-openvas-20.08 --single-branch  https://github.com/greenbone/ospd-openvas.git &&\
git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git

Install gvm-libs (GVM)

In this step we will compile the gvm-libs from the github:

cd gvm-libs &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
cd /opt/gvm/src

Install openvas-smb (GVM)

Now enter openvas-smb directory and compile the source code:

cd openvas-smb &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make install &&\
cd /opt/gvm/src

Install the scanner (GVM)

Like in the previous steps, we will now build and install openvas scanner:

cd openvas &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
cd /opt/gvm/src

Fix redis for OpenVAS Install (root)

Now we must log out of the current session to get back to the privilege user by Type 'exit' in the terminal.
Now paste the following code to terminal:

export LC_ALL="C" &&\
ldconfig &&\
cp /etc/redis/redis.conf /etc/redis/redis.orig &&\
cp /opt/gvm/src/openvas/config/redis-openvas.conf /etc/redis/ &&\
chown redis:redis /etc/redis/redis-openvas.conf &&\
echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf &&\
systemctl enable redis-server@openvas.service &&\
systemctl start redis-server@openvas.service
sysctl -w net.core.somaxconn=1024 &&\
sysctl vm.overcommit_memory=1 &&\
echo "net.core.somaxconn=1024"  >> /etc/sysctl.conf &&\
echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
cat << /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload &&\
systemctl start disable-thp &&\
systemctl enable disable-thp &&\
systemctl restart redis-server

Add the /opt/gvm/sbin path to the secure_path variable:

sed 's/Defaults\s.*secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\"/Defaults secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin:\/opt\/gvm\/sbin\"/g' /etc/sudoers | EDITOR='tee' visudo

Allow the user running ospd-openvas to launch with root permissions:

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm
echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm

Update NVT (GVM)

We will now run the greenbone-nvt-sync to update the vulnerability file definitions.
First switch back to the GVM user session:

sudo su – gvm

And run the following:

greenbone-nvt-sync

If you get timeout errors, it is most likely that there is a firewall in the way. Make sure to open TCP port 873. If you get connection refused errors, wait some time and try again.

This takes a very long time, so you'll have to be patient.

Upload Plugins in redis with OpenVAS (GVM)

This may take a little time depending on your hardware, and gives you no feedback when you run the command.

sudo openvas -u

Note: If you get missing library errors, type the following (one line at the time):

exit
echo "/opt/gvm/lib > /etc/ld.so.conf.d/gvm.conf 
ldconfig
sudo su - gvm

Install Manager (GVM)

Now enter the gvmd directory to build and install Greenbone Manager:

cd /opt/gvm/src/gvmd &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
cd /opt/gvm/src

Configure PostgreSQL (Sudoers User)

Switch to a user in sudoers (do not use root or gvm for this). The user session will be switched with "sudo -u postgres bash" command bellow.
Execute one line at a time.

exit
cd /
sudo -u postgres bash
export LC_ALL="C"
createuser -DRS gvm
createdb -O gvm gvmd

psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
create extension "pgcrypto";
exit
exit

Fix Certificates (GVM)

Type one line at the time:

sudo su - gvm
gvm-manage-certs -a

Create Admin User (GVM)

This will create an initial username and password. Remember to change it later.

gvmd --create-user=admin --password=admin

Configure and Update Feeds (GVM)

For the feeds to update completely, we will need to set “Feed Import Owner” to the admin’s UUID. First, find the UUID of the new admin user

gvmd --get-users --verbose

You should get something like this:

admin fb019c52-75ec-4cb6-b176-5a55a9b360bf

Use the string next to the admin in the next command:

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value (output string from the above command fb019c52-75ec-4cb6-b176-5a55a9b360bf)

So the example command would be:

$ gvmd --get-users --verbose
admin fb019c52-75ec-4cb6-b176-5a55a9b360bf
$ gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value fb019c52-75ec-4cb6-b176-5a55a9b360bf

Run the next three commands one line at a time. If you get connection refused errors, try the command again until it succeeds. These commands will also take some time.

greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

Install gsa (GVM)

Again as in earlier steps, enter the gsa folder and compile gsa source code:

cd /opt/gvm/src/gsa &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
mkdir build &&\
cd build/ &&\
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm .. &&\
make &&\
make doc &&\
make install &&\
touch /opt/gvm/var/log/gvm/gsad.log &&\
cd /opt/gvm/src

Set up OSPD-OpenVAS

Install the virtualenv (GVM)

Note: You may have to change –python python3.8 to match your installed python version.

cd /opt/gvm/src &&\
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH &&\
virtualenv --python python3.8  /opt/gvm/bin/ospd-scanner/ &&\
source /opt/gvm/bin/ospd-scanner/bin/activate

Install ospd (GVM)

We will install ospd using pip installer:

mkdir /opt/gvm/var/run/ospd/ &&\
cd ospd &&\
pip3 install . &&\
cd /opt/gvm/src

Install ospd-openvas (GVM)

Again for the ospd-openvas we will be using pip installer with the package we cloned from github:

cd ospd-openvas &&\
pip3 install . &&\
cd /opt/gvm/src

Create Startup Scripts (root)

First type exit to loguout to root session, then paste the following in terminal:

cat << EOF > /etc/systemd/system/gvmd.service
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvmd(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=postgresql.service ospd-openvas.service

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/gsad.service
[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target
Wants=gvmd.service


[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/ospd-openvas.service 
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service

[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

Enable and Start the services (root)

We will now enable and start the GVM services, also as root user:

systemctl daemon-reload &&\
systemctl enable gvmd &&\
systemctl enable gsad &&\
systemctl enable ospd-openvas &&\
systemctl start gvmd &&\
systemctl start gsad &&\
systemctl start ospd-openvas

Check the services (root)

Make sure all three services are running (type one line at the time).

systemctl status gvmd
systemctl status gsad
systemctl status ospd-openvas

Modify Default Scanner (GVM)

Switch back to your GVM session.

sudo su - gvm

First, get the UUID of the scanner that has the socket (ospd.sock)

gvmd --get-scanners

Then modify the scanner:

gvmd --modify-scanner=(INSERT SCANNER UUID HERE) --scanner-host=/opt/gvm/var/run/ospd.sock

Example:

gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /var/run/ospd/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE

gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/opt/gvm/var/run/ospd.sock
Scanner modified.

That is it. You can now login to GVM web interface.

GVM
OpenVas
GVM

Conclusion

We have successfully completed the GVM installation on Ubuntu 20.04. You can now log in using your server IP address. The default login is admin/admin as set above. Let us know what you think about the tutorial in the comments below.

Leave a Comment