
Installing Greenbone Vulnerability Management (OpenVAS)
In this post we will look at the installation of GVM (Greenbone Vulnerability Management), formerly known as OpenVAS (Open Vulnerability Assessment System), a solution that will help us find out which vulnerabilities our systems have. In a future document we will integrate it with Centreon.
As I said, the idea is to deploy a solution that analyzes our systems and looks for vulnerabilities, that is kept up to date and that checks against lists of CVEs (Common Vulnerabilities and Exposures). Once the long installation is finished, we can use a simple web management interface (or the CLI) to create scan tasks, and we will be able to access the reports to analyze the possible security problems we face. And, as you can imagine, in another document we will see how to centralize this from Centreon so that we can keep track of the vulnerabilities of our machines; if a machine does not comply with some regulation, we will know.
We start from an Ubuntu Server 20.10 machine and begin with the dependencies needed for GVM-20.08 (OpenVAS 20.08):
sudo apt-get install build-essential cmake gnutls-bin pkg-config glib2.0 libgnutls28-dev libssh-dev libssl-dev redis-server libhiredis-dev libxml2-dev doxygen xsltproc libldap2-dev libgcrypt-dev libpcap-dev libgpgme-dev libradcli-dev graphviz bison libksba-dev libical-dev libpq-dev postgresql postgresql-contrib postgresql-server-dev-all libopenvas-dev heimdal-dev libpopt-dev xmltoman gcc-mingw-w64 nmap libmicrohttpd-dev npm nodejs virtualenv python3-paramiko python3-lxml python3-defusedxml python3-pip python3-psutil
We install yarn:
sudo npm install -g yarn --prefix /usr/
We create the profile for the GVM user:
echo 'export PATH="$PATH:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"' | sudo tee -a /etc/profile.d/gvm.sh
sudo chmod 0755 /etc/profile.d/gvm.sh
source /etc/profile.d/gvm.sh
We create the file /etc/ld.so.conf.d/gvm.conf with the following content:
# gvm-libs location
/opt/gvm/lib
We create the gvm user, fix the permissions and log in as that user:
sudo mkdir /opt/gvm
sudo adduser gvm --disabled-password --home /opt/gvm/ --no-create-home --gecos ''
sudo usermod -aG redis gvm
sudo chown gvm:gvm /opt/gvm/
sudo su - gvm
We create the src directory and set the variable with the correct path:
mkdir /opt/gvm/src
cd /opt/gvm/src/
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
We download and compile the GVM libraries:
git clone -b gvm-libs-20.08 --single-branch https://github.com/greenbone/gvm-libs.git
cd gvm-libs/
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm ..
make
make doc
make install
cd /opt/gvm/src/
We download and compile the Samba package for OpenVAS:
git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git
cd openvas-smb/
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
mkdir build
cd build/
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm ..
make install
cd /opt/gvm/src/
We download and compile OpenVAS Scanner:
git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git
cd openvas/
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
mkdir build
cd build/
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm ..
make
make doc
make install
exit
We configure Redis:
sudo su
export LC_ALL="C"
ldconfig
cp /etc/redis/redis.conf /etc/redis/redis.orig
cp /opt/gvm/src/openvas/config/redis-openvas.conf /etc/redis/
chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf
systemctl enable D**********@op*****.service
systemctl start D**********@op*****.service
We set the permissions for GVM by running 'visudo' and adding the following to give it sudoers permissions:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"
...
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
### Allow gvm user to run ospd-openvas and launch OpenVAS with root privileges
gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas
gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad
...
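The sudoers rules above let gvm run two binaries as root without a password, while /opt/gvm was earlier chowned to gvm and the binaries were installed by that same user. The following audit script is an added example, not part of the original post (its function names are illustrative): it reports any NOPASSWD target that is not root-owned or that sits under a group- or world-writable directory.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the files behind
# NOPASSWD sudoers rules: if the account named in the rule can modify the
# binary or any directory above it, it controls what sudo runs as root.

# Print the command path of every NOPASSWD rule read from stdin.
nopasswd_targets() {
    sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' | awk 'NF { print $1 }'
}

# path_is_safe PATH [TRUSTED_UID] [TOP]
# Walks from PATH up to TOP (default /). Succeeds only if every component is
# owned by root or TRUSTED_UID (default 0) and is not group/world-writable.
path_is_safe() {
    p=$1; trusted=${2:-0}; top=${3:-/}
    case $p in /*) ;; *) echo "not absolute: $p"; return 1 ;; esac
    while :; do
        info=$(ls -ldnL -- "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
        perms=${info%% *}
        uid=$(printf '%s\n' "$info" | awk '{ print $3 }')
        if [ "$uid" != 0 ] && [ "$uid" != "$trusted" ]; then
            echo "owned by uid $uid, not root: $p"; return 1
        fi
        case $perms in
            d????????[tT]*) ;;   # sticky directory: entries cannot be replaced by others
            ?????w*|????????w*) echo "group/world-writable: $p"; return 1 ;;
        esac
        if [ "$p" = "$top" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname -- "$p")
    done
}

# Read sudoers text on stdin; fail if any NOPASSWD target is unsafe.
audit_sudoers() {
    rc=0
    for t in $(nopasswd_targets); do
        path_is_safe "$t" "${1:-0}" "${2:-/}" || rc=1
    done
    return "$rc"
}

# The two rules from the sudoers step, embedded here as sample input.
audit_sudoers <<'EOF' || echo "review the rules above before relying on them"
gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas
gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad
EOF
```

To audit a live system, pipe the real sudoers text (for example from `sudo cat /etc/sudoers`) into `audit_sudoers` instead of the embedded sample.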
Now that we have the correct permissions, we update the NVTs (Network Vulnerability Tests) from the Greenbone community feed; note that this process will take quite a while:
exit
sudo su - gvm
greenbone-nvt-sync
We download and compile Greenbone Vulnerability Manager (GVM):
cd /opt/gvm/src/
git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git
cd gvmd/
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
mkdir build
cd build/
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm ..
make
make doc
make install
exit
We configure the PostgreSQL database, creating the user and the database:
sudo -u postgres bash
export LC_ALL="C"
createuser -DRS gvm
createdb -O gvm gvmd
We fix the permissions and create the DB extensions:
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
create extension "pgcrypto";
exit
exit
We generate the certificates for GVM:
sudo su - gvm
gvm-manage-certs -a
We create the administrative 'admin' account for GVM; do not use special characters in the password:
/opt/gvm/sbin/gvmd --create-user=admin --password=PASSWORD
We list the users and note down the UUID of the account we just created:
gvmd --get-users --verbose
Using the UUID of the admin user we modify the gvmd configuration:
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
We synchronize the Greenbone feeds; be careful, this will take time:
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT
We download and compile Greenbone Security Assistant (GSA):
cd src/
git clone -b gsa-20.08 --single-branch https://github.com/greenbone/gsa.git
cd gsa/
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
mkdir build
cd build/
cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm ..
make
make doc
make install
touch /opt/gvm/var/log/gvm/gsad.log
We set up the Python virtual environment:
exit
python3 --version
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update
sudo apt-get install python3.7 python3.7-dev -y
We install the virtual environment:
sudo su - gvm
cd /opt/gvm/src
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
virtualenv --python python3.7 /opt/gvm/bin/ospd-scanner/
source /opt/gvm/bin/ospd-scanner/bin/activate
We download and install ospd:
git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git
mkdir /opt/gvm/var/run/ospd/
cd ospd/
pip3 install .
cd /opt/gvm/src
Download and install ospd-openvas:
git clone -b ospd-openvas-20.08 --single-branch https://github.com/greenbone/ospd-openvas.git
cd ospd-openvas/
pip3 install .
The next step is to make Greenbone Manager start with the machine, through a service:
exit
sudo su
nano /etc/systemd/system/gvmd.service
And we enter the following configuration:
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvm(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=postgresql.service ospd-openvas.service

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
We now create the service that starts Greenbone Security Assistant (GSA) with:
nano /etc/systemd/system/gsad.service
And we paste this configuration into the file:
[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target
Wants=gvmd.service

[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
This time we create the service that will start ospd-openvas with:
nano /etc/systemd/system/ospd-openvas.service
And likewise, we paste the following configuration:
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target D**********@op*****.service
Wants=D**********@op*****.service

[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Once the 3 services have been created, we reload the daemons, enable the services so that they start with the system, and start them:
systemctl daemon-reload
systemctl enable gvmd
systemctl enable gsad
systemctl enable ospd-openvas
systemctl start gvmd
systemctl start gsad
systemctl start ospd-openvas
We verify that the services are up and running correctly:
systemctl status gvmd
systemctl status gsad
systemctl status ospd-openvas
We can now open our Greenbone Security Assistant in a browser at https://DIRECCIÓN_IP and log in with the user generated earlier. Under "Administration" > "Feed Status" we will see "Update in progress…"; this process takes quite a while, and we have to wait for it to finish updating.
Before we can scan using tasks, we need to modify the default OpenVAS scanner. We log in from the shell as the gvm user:
sudo su - gvm
We list the scanners and copy the UUID of the default OpenVAS scanner:
cd /opt/gvm/src/
gvmd --get-scanners
gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/opt/gvm/var/run/ospd.sock
Finally, if we want the feeds to be updated on a schedule, we create the following file:
nano /opt/gvm/bin/openvas-update
We add the following content:
/opt/gvm/bin/greenbone-nvt-sync
/opt/gvm/sbin/greenbone-feed-sync --type GVMD_DATA
/opt/gvm/sbin/greenbone-feed-sync --type SCAP
/opt/gvm/sbin/greenbone-feed-sync --type CERT
We make it executable:
chmod a+x /opt/gvm/bin/openvas-update
And we add it to cron:
crontab -e
And we schedule it, for example, daily at 0 am:
0 0 * * * /opt/gvm/bin/openvas-update
We hope you found this interesting. After this installation, what is left is a piece of cake: define the targets of the checks, create scheduled tasks to perform vulnerability scans… And as I said, in future posts we will see how to integrate it with Centreon.