Installing OpenVAS

Let's get down and dirty installing OpenVAS. OpenVAS is a free-to-use vulnerability scanner from Greenbone that was originally forked from the open-source Nessus project. One of the most common complaints I receive from my students is that OpenVAS is next to impossible to install. So here are my instructions on how to do it. If you have been following along in my Pentest Workstation series, you will have built your Ubuntu workstation. In my case, that is Ubuntu 20.04 LTS based on a server. No GUI.

Of course, we are not going to use the package manager version. We will install the latest version from source.

Now, a really big caveat. This will take AGES! Make sure you have plenty of tea at the ready.

Installing OpenVAS – The Guide

Step 1 – Create a GVM User

We run GVM as a non-privileged system user, so we need to create that user:

useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm
mkdir /opt/gvm
chown -R gvm:gvm /opt/gvm

Step 2 – The Dependencies

As ever, there is a list of dependencies as long as your arm. At the time of writing, the dependencies were 1.3GB of download. Time for a cup of tea.

apt install gcc g++ make bison flex libksba-dev curl redis libpcap-dev cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev zlib1g-dev libxml2-dev libradcli-dev clang-format libldap2-dev doxygen gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev libsnmp-dev python3-setuptools python3-paramiko python3-lxml python3-defusedxml python3-dev gettext python3-polib xmltoman python3-pip texlive-fonts-recommended texlive-latex-extra --no-install-recommends xsltproc

Installing Yarn

Now we need to install Yarn. Yarn is a JavaScript package manager.

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
apt update
apt install yarn -y

Installing PostgreSQL

Historically, OpenVAS used sqlite3 but with GVM11, the project has moved to PostgreSQL. Installing PostgreSQL is very easy:

apt install postgresql postgresql-contrib postgresql-server-dev-all

Once the installation is done, create the PostgreSQL user and database for Greenbone Vulnerability Management Daemon (gvmd). Note that the database and user should be created as PostgreSQL user, postgres.

sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmd

Next we need to grant the PostgreSQL user DBA roles:

psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
\q
exit

Now restart PostgreSQL and enable it on boot:

systemctl restart postgresql
systemctl enable postgresql

Step 3 – Installing OpenVAS

There are different tools required to install and set up GVM 11 on Ubuntu 20.04. These include;

  • GVM Libraries
  • OpenVAS Scanner
  • OSPd
  • ospd-openvas
  • Greenbone Vulnerability Manager
  • Greenbone Security Assistant
  • Python-GVM
  • GVM-Tools
  • OpenVAS SMB

Every component has a README.md and an INSTALL.md file that explains how to build and install it.

Since we are running GVM as the non-privileged user gvm, we will install all the GVM configuration files and libraries under /opt/gvm.

Update the PATH environment variable in /etc/environment using your favourite editor to include the GVM binary paths, so that it looks like;

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"

You are adding /opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin to the end of the line.

Building OpenVAS

Switch to GVM user, gvm and create a temporary directory to store GVM source files.

su - gvm
mkdir /tmp/gvm-source
cd /tmp/gvm-source
git clone -b gvm-libs-11.0 https://github.com/greenbone/gvm-libs.git
git clone https://github.com/greenbone/openvas-smb.git
git clone -b openvas-7.0 https://github.com/greenbone/openvas.git
git clone -b ospd-2.0 https://github.com/greenbone/ospd.git
git clone -b ospd-openvas-1.0 https://github.com/greenbone/ospd-openvas.git
git clone -b gvmd-9.0 https://github.com/greenbone/gvmd.git
git clone -b gsa-9.0 https://github.com/greenbone/gsa.git

With all the source files downloaded, we can build.

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
cd gvm-libs
mkdir build && cd build && cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm && make && make install

Building & Installing OpenVAS SMB

cd ../../openvas-smb/
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make && make install

Building & Installing OpenVAS Scanner

cd ../../openvas
mkdir build && cd build 
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm 
make && make install

You might encounter the following error:

...error: ‘pcap_lookupdev’ is deprecated: use 'pcap_findalldevs'...

If you do, edit the CMakeLists.txt file and replace the line as shown below.

#set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}")
set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations")

Configuring OpenVAS

The host scan information is stored temporarily on Redis server. The default configuration of Redis server is /etc/redis/redis.conf. Switch back to privileged user and proceed.

exit

To begin run the command below to create the cache to the installed shared libraries;

ldconfig

Next, copy OpenVAS scanner Redis configuration file, redis-openvas.conf, to the same Redis config directory;

cp /tmp/gvm-source/openvas/config/redis-openvas.conf /etc/redis/

Update the ownership of the configuration.

chown redis:redis /etc/redis/redis-openvas.conf

Update the path to Redis unix socket on the /opt/gvm/etc/openvas/openvas.conf using the db_address parameter as follows;

echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf

Note, the Unix socket path is defined on /etc/redis/redis-openvas.conf file.

chown gvm:gvm /opt/gvm/etc/openvas/openvas.conf

Add gvm user to redis group;

usermod -aG redis gvm
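
If db_address and the socket path in redis-openvas.conf drift apart, the scanner cannot reach Redis, so it is worth checking both files against each other. The script below is an added example, not part of the original guide; the function names are my own, and it assumes the Redis file uses the standard unixsocket directive.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the scanner's
# db_address matches the unixsocket Redis is configured to create.

# Print the value of the 'unixsocket' directive from a Redis config file.
redis_socket() {
    awk '$1 == "unixsocket" { print $2; exit }' "$1"
}

# Print the value of 'db_address' from openvas.conf (format: key = value).
openvas_db_address() {
    sed -n 's/^[[:space:]]*db_address[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Compare both settings. Returns 0 on match, 1 on mismatch, 2 if one is unset.
check_socket_match() (
    want=$(redis_socket "$1")
    have=$(openvas_db_address "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "missing setting: unixsocket='$want' db_address='$have'"
        return 2
    fi
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: redis creates '$want', openvas expects '$have'"
        return 1
    fi
    echo "OK: both use $have"
)

# Check that an account is in the group that owns the socket
# (the guide adds gvm to the redis group).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Run against the guide's paths only when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_socket_match /etc/redis/redis-openvas.conf /opt/gvm/etc/openvas/openvas.conf
    user_in_group gvm redis || echo "gvm is not in the redis group"
fi
```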

You can also tune the Redis server itself to improve performance by making the following adjustments;

Increase the value of somaxconn in order to avoid slow client connection issues.

echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf

Redis background save may fail under low memory condition. To avoid this, enable memory overcommit (man 5 proc).

echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf

Reload sysctl variables created above.

sysctl -p

To avoid creation of latencies and memory usage issues with Redis, disable Linux Kernel’s support for Transparent Huge Pages (THP). To easily work around this, create a systemd service unit for this purpose.

Use your favourite editor to create the file:

/etc/systemd/system/disable_thp.service
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target

Reload systemd configurations;

systemctl daemon-reload

Start and enable this service to run on system boot.

systemctl enable --now disable_thp

Restart OpenVAS Redis server

systemctl enable --now redis-server@openvas

A number of Network Vulnerability Tests (NVTs) require root privileges to perform certain operations. Since openvas is launched from an ospd-openvas process, via sudo, add the line below to sudoers file to ensure that the gvm user used in this demo can run the openvas with elevated rights using passwordless sudo.

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm

Also, update the secure_path to include the GVM /sbin paths, /opt/gvm/sbin.

visudo
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"

Also, enable gvm user to run GSA web application daemon, gsad, with passwordless sudo.

echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm
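
A NOPASSWD rule is only as tight as the file it names, and Step 1 made gvm the owner of everything under /opt/gvm, including the two binaries granted here. The script below is an added example, not part of the original guide (function names are my own): it lists each NOPASSWD target in a drop-in and checks that the file and every parent directory is root-owned and not group/world writable.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the files that a
# sudoers drop-in lets an account run as root.

# Print each command path granted with NOPASSWD in the drop-in file $1.
sudo_targets() {
    sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' "$1" | tr ',' '\n' |
        awk 'NF { print $1 }'
}

# Succeed only if $1 and every directory above it is owned by root and is
# not writable by group or others. Prints the first path that fails.
root_controlled() (
    p=$1
    case $p in /*) ;; *) echo "$p: not an absolute path"; return 2 ;; esac
    while :; do
        meta=$(stat -L -c '%u %A' "$p" 2>/dev/null) ||
            { echo "$p: cannot stat"; return 2; }
        uid=${meta%% *}
        mode=${meta#* }
        [ "$uid" = 0 ] || { echo "$p: owned by uid $uid, not root"; return 1; }
        case $mode in
            ?????w*|????????w*) echo "$p: group/world writable ($mode)"; return 1 ;;
        esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
)

# Audit every target in drop-in $1; non-zero if any target fails.
audit_sudoers_dropin() (
    rc=0
    for t in $(sudo_targets "$1"); do
        root_controlled "$t" || rc=1
    done
    return "$rc"
)

# Run against the guide's file only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    visudo -c -f /etc/sudoers.d/gvm      # syntax check before relying on it
    audit_sudoers_dropin /etc/sudoers.d/gvm
fi
```

On the layout built in this guide the audit flags both binaries, because /opt/gvm is owned by gvm; treat the gvm account as root-equivalent unless those paths are placed under root ownership.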

Update NVTs

Update Network Vulnerability Tests feed from Greenbone Security Feed/Community Feed using the greenbone-nvt-sync command.

The greenbone-nvt-sync command must not be executed as privileged user root, hence switch back to GVM user we created above and update the NVTs.

su - gvm

Check that the /etc/ld.so.conf.d/gvm.conf file contains /opt/gvm/lib and then update the NVTs as the gvm user;

greenbone-nvt-sync

This is another point that takes some time, so use this opportunity to make a nice pot of tea. You could probably nip down to the shops to buy some biscuits too.

Once the update is done, you need to update Redis server with the same VT info from VT files;

sudo openvas --update-vt-info

Build Greenbone Vulnerability Manager

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
cd /tmp/gvm-source/gvmd
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make && make install

Build Greenbone Security Assistant

cd ../../gsa
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make && make install

Update GVM CERT and SCAP data from the feed servers;

greenbone-scapdata-sync
greenbone-certdata-sync

Consider setting cron jobs to run the nvts, cert and scap data update scripts at your preferred frequency to pull updates from the feed servers.

Next, run the command below to generate certificates for gvmd. Server certificates are used for authentication while client certificates are primarily used for authorization. More in man gvm-manage-certs.

gvm-manage-certs -a

Installing OSPd and OSPd-OpenVAS

Open Scanner Protocol (OSP) creates a unified interface for different security scanners and makes their control flow and scan results consistently available under the central Greenbone Vulnerability Manager service.

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
mkdir -p /opt/gvm/lib/python3.8/site-packages/
export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
cd /tmp/gvm-source/ospd
python3 setup.py install --prefix=/opt/gvm
cd ../ospd-openvas
python3 setup.py install --prefix=/opt/gvm

export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages

Start OpenVAS Scanner, GSA & GVM services

Run the commands below as gvm user to start OpenVAS scanner, GSA (WebUI service) and GVM daemon. Execute the commands in the presented order.

Start OpenVAS

/usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock

Start GVM

gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock

Start GSA

sudo gsad

Consider creating systemd service unit files for these services so that you can manage them easily. See below.

Check the status;

ps aux | grep -E "ospd-openvas|gsad|gvmd" | grep -v grep


You can also find the logs at, <install-prefix>/var/log/gvm/, which in this case is /opt/gvm/var/log/gvm.

Creating Systemd Service units for GVM services

Create OpenVAS service

vim /etc/systemd/system/openvas.service
[Unit]
Description=Control the OpenVAS service
After=redis.service
After=postgresql.service

[Service]
ExecStartPre=-rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Save and exit the file and start OpenVAS.

systemctl daemon-reload
systemctl start openvas

Check the status of the service;

systemctl status openvas
● openvas.service - Control the OpenVAS service
     Loaded: loaded (/etc/systemd/system/openvas.service; disabled; vendor preset: enabled)
     Active: active (exited) since Fri 2020-08-28 05:16:50 UTC; 4s ago
    Process: 27483 ExecStartPre=/usr/bin/rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock (code=exited, status=0/SUCCESS)
    Process: 27484 ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --loc>
   Main PID: 27484 (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 2282)
     Memory: 42.8M
     CGroup: /system.slice/openvas.service
             └─27501 /usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock-file-d>

Aug 28 05:16:50 ubuntu20 systemd[1]: Starting Control the OpenVAS service...
Aug 28 05:16:50 ubuntu20 systemd[1]: Started Control the OpenVAS service.

Enable OpenVAS scanner to run on system boot;

systemctl enable openvas

Create GSA Service Unit file

vim /etc/systemd/system/gsa.service
[Unit]
Description=Control the OpenVAS GSA service
After=openvas.service

[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

vim /etc/systemd/system/gsa.path
[Unit]
Description=Start the OpenVAS GSA service when gvmd.sock is available

[Path]
PathChanged=/opt/gvm/var/run/gvmd.sock
Unit=gsa.service

[Install]
WantedBy=multi-user.target

Create GVM Service unit file

vim /etc/systemd/system/gvm.service
[Unit]
Description=Control the OpenVAS GVM service
After=openvas.service

[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

vim /etc/systemd/system/gvm.path
[Unit]
Description=Start the OpenVAS GVM service when ospd.sock is available

[Path]
PathChanged=/opt/gvm/var/run/ospd.sock
Unit=gvm.service

[Install]
WantedBy=multi-user.target

Reload system unit configs and start the services;

systemctl daemon-reload
systemctl enable --now gvm.{path,service}
systemctl enable --now gsa.{path,service}

Create GVM Scanner

Since we launched the scanner and set it to use our non-standard scanner host path (/opt/gvm/var/run/ospd.sock), we need to create and register our scanner;

sudo -Hiu gvm gvmd --create-scanner="Bumblebee OpenVAS Scanner" --scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sock

Next, you need to verify your scanner. For this, you first need to get the scanner identifier;

sudo -Hiu gvm gvmd --get-scanners

Based on the output above, our scanner UUID is, 4f2fc393-c689-4dc5-adaf-15d4a8007ae4.

Verify the scanner;

sudo -Hiu gvm gvmd --verify-scanner=4f2fc393-c689-4dc5-adaf-15d4a8007ae4

Create OpenVAS (GVM 11) Admin User

Create OpenVAS administrative user by running the command below;

sudo -Hiu gvm gvmd --create-user gvmadmin

This command generates a random password for the user.

If you want to create a user and at the same time create your own password;

sudo -Hiu gvm gvmd --create-user gvmadmin --password=MakeItAStrong1!

Otherwise, you can reset the password of an already existing user;

sudo -Hiu gvm gvmd --user=<USERNAME> --new-password=<PASSWORD>

Accessing GVM 11 (OpenVAS)

The Greenbone Security Assistant (GSA) WebUI daemon opens port 443 and listens on all interfaces. If a firewall is running, open this port to allow external access.

ufw allow 443/tcp

You can now access GSA via the URL https://<serverIP-OR-hostname>. Accept the self-signed SSL warning and proceed.

Login with the administrative credentials generated above.

And there you go. That is all it takes to install and set up GVM 11 on Ubuntu 20.04. You can now start running your scans.

Enjoy

Remember, for all your Penetration Testing requirements, Hedgehog Security is here to help.