Greenbone Security Assistant Installation (previously "OpenVAS")

cmoerz

Member

Reaction score: 15
Messages: 46

There are several tutorials and guides on how to install OpenVAS on FreeBSD; however, recently OpenVAS was renamed to Greenbone Security Assistant, spread across multiple packages and now no longer fits any of the past setup descriptions.
After wading through the documentation myself, I figured out the steps to get it running and thought I'd save someone else the pains I had to experience.
The following installation guide was based on binary packages on FreeBSD 13.0-RELEASE; I haven't yet tested the procedure from compiled ports but assume they should be fine.

Package installations

You'll need to install multiple packages:
  • databases/postgresql12-server - a local PostgreSQL database is required. Previous OpenVAS releases did support SQLite; apparently this was taken out recently. Remote databases are unfortunately not supported. So if you already have a PostgreSQL server you hoped to use for this, you're SOL. Some packages depend on PostgreSQL 12, so it doesn't work when choosing the newer 13 release.
  • databases/postgresql12-client - obviously, you'll need the client utilities as well
  • databases/postgresql12-contrib - required for the uuid-ossp extension
  • security/greenbone-security-assistant - the actual greenbone assistant; this one has a lot of dependencies, so expect a lot of downloads.
  • security/gvmd - the management interface for the framework; again with a bunch of dependencies
  • security/openvas - the scanner component
  • security/py-ospd-openvas (binary: py37-ospd-openvas) - the python wrapper that's used to call the scanner

Redis setup

Redis is an implicit dependency; it's not listed in the above packages but will be installed anyways. We need to enable it. As root run
Code:
sysrc redis_enable=YES
We switch redis to user gvm so gvm can talk to the UNIX socket.
Code:
sysrc redis_user=gvm
We also fix permissions on the log file
Code:
chown gvm:gvm /var/log/redis/redis.log
On a production server, you might want to integrate that log into newsyslog to maintain this.

Then enable redis' socket interface. Edit /usr/local/etc/redis.conf:
Code:
# Unix socket.
#
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /tmp/redis.sock
unixsocketperm 700
Also, turn up databases to 32:
Code:
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 32
Afterwards, start the daemon:
Code:
service redis start
To make openvas use this socket, create a file /usr/local/etc/openvas/openvas.conf with the following content:
Code:
db_address = /tmp/redis.sock

Database setup

After installing PostgreSQL, you need to initialize it as usual. As root, run
Code:
su - postgres
# PostgreSQL 12 is installed, so initialize the rc script's default data directory for that version
initdb -E utf8 /var/db/postgres/data12/
After initializing the database, return to the root user and ready/start it:
Code:
exit
sysrc postgresql_enable=YES
service postgresql start
Then, back as the user postgres, create a user
Code:
su - postgres
createuser -P gvm
and provide a database password when queried. Then follow up with creating a database owned by this new user:
Code:
createdb -E utf8 -O gvm gvmd
Next, start psql and enable the uuid-ossp extension:
Code:
psql gvmd
Within psql, we enable the extension and create a "dba" role that's required for the database population later on:
Code:
create extension "uuid-ossp";
create role dba with superuser noinherit;
grant dba to gvm;
exit

Server Certificates

The Greenbone Security Assistant exposes a web interface for management. The web server requires TLS certificates in directories that do not exist yet. Create them by running as root
Code:
mkdir -p /var/lib/gvm/CA
mkdir -p /var/lib/gvm/private/CA
Then place your certificate file into /var/lib/gvm/CA/servercert.pem and your key into /var/lib/gvm/private/CA/serverkey.pem.

Make sure to set correct permissions and ownerships:
Code:
chown gvm:gvm /var/lib/gvm/CA/servercert.pem /var/lib/gvm/private/CA/serverkey.pem
chmod 400 /var/lib/gvm/private/CA/serverkey.pem

GnuPG setup

Set up a GPG repository as root:
Code:
cd /var/lib/gvm/gvmd/gnupg
gpg --homedir /var/lib/gvm/gvmd/gnupg/ --list-keys
Ignore any warnings about unsafe ownerships. We'll fix that by running
Code:
chown -R gvm:gvm /var/lib/gvm/gvmd/gnupg

Directory setup

When I first attempted to get the framework running, logs showed multiple errors for directories. So I simply created those:
Code:
mkdir -p /var/lib/gvm/cert-data
mkdir -p /var/lib/gvm/data-objects/gvmd
mkdir -p /var/lib/gvm/scap-data
chown -R gvm:gvm /var/lib/gvm

Patch and setup rc.d script

During initial runs, gvmd did not properly work because its PATH variable seemed to be wrong. So I did some hacking, which probably could be done in some smarter fashion. I simply edited /usr/local/etc/rc.d/gvmd by adding an export statement for the PATH variable (this might be obsolete, but I left it in since it was required on my VM when I set things up):
Code:
pidfile=/var/run/gvm/gvmd.pid

export PATH=/usr/local/bin:/usr/local/sbin:$PATH

run_rc_command "$1"
Enable relevant services in /etc/rc.conf:
Code:
sysrc gsad_enable=YES
sysrc gvmd_enable=YES
sysrc ospd_openvas_enable=YES

Populate database

We can now populate the database:
Code:
su -m gvm
gvmd -m

User setup

Create an admin user for the management system. While still impersonating user gvm, run
Code:
gvmd --create-user=admin
Note down the password for later login. Then get the new user's UUID:
Code:
gvmd --get-users -v
Use the user's UUID. We need it to assign it as owner for the feeds, which we'll import later on:
Code:
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

Sync Feeds

The feed synchronization works via rsync. It requires a direct connection to Greenbone's servers. If your internet access usually works via a proxy, you will need to set up firewall rules to permit direct connections just for this. Proxy use is not supported.

As user gvm, run
Code:
greenbone-feed-sync --type GVMD_DATA
greenbone-scapdata-sync
greenbone-certdata-sync
cd /tmp
greenbone-nvt-sync
Do NOT start those synchronizations in parallel. If you do, you'll be blacklisted by Greenbone. You need to switch to /tmp before running greenbone-nvt-sync because it needs a directory with write permissions to start from.

You may receive messages like
Code:
/var/run/gvm/feed-update.lockexit: greenbone-nvt-sync.FWHlsAgCQ3: Permission denied
which you apparently can safely ignore.

Start Services

Now you should be able to start your services. As root run
Code:
service gvmd start
service gsad start
service ospd_openvas start
You should now have the management web server running. You can check for port 443:
Code:
root@openvas:/usr/local/etc/openvas # sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
gvm      redis-serv 95416 6  tcp4   127.0.0.1:6379        *:*
root     gsad       3956  5  tcp46  *:80                  *:*
root     gsad       3811  5  tcp46  *:443                 *:*
postgres postgres   42012 5  tcp4   127.0.0.1:5432        *:*
root     sshd       74818 4  tcp4   *:22                  *:*
Point your browser to
https://<servername>
and you should be greeted with Greenbone Security Assistant's login screen. Enter the username and password you previously chose during setup.

Finally, check in SecInfo / NVTs, CVEs and CPEs whether all relevant data got properly imported into the database. If you see entries, you're done and can start checking your landscape! Happy hunting.
 
cmoerz


One more thing I apparently missed. You also need to

Code:
chown -R gvm:gvm /var/db/redis/

otherwise, redis won't run properly.
 
cmoerz


This is embarrassing. One more thing to do, to make sure feed updates work later on:

Code:
root@openvas:/usr/local/etc/openvas # su - postgres
$ psql gvmd
psql (12.7)
Type "help" for help.

gvmd=# create extension pgcrypto;
CREATE EXTENSION
gvmd=#
\q
$
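
Added example, not part of the original posts: a POSIX sh audit of the settings this guide relies on for access control, namely that `db_address` in openvas.conf names the same socket as `unixsocket` in redis.conf, that `unixsocketperm` is owner-only, that the TLS key is mode 0400, and that /var/lib/gvm belongs to gvm. The function names and the `--audit` switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the permission-sensitive parts of the setup above.
# Function names are hypothetical; paths are the ones used in the guide.

# Last active (uncommented) value of a "key value" directive in redis.conf.
redis_conf_value() {   # $1=file $2=key
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Value of "db_address = <path>" in openvas.conf.
openvas_db_address() { # $1=file
    sed -n 's/^[[:space:]]*db_address[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Both files must name the same socket, and unixsocketperm must keep the
# group/other bits at 0 so that only the Redis user (gvm) can connect.
check_redis_socket() { # $1=redis.conf $2=openvas.conf
    sock=$(redis_conf_value "$1" unixsocket)
    perm=$(redis_conf_value "$1" unixsocketperm)
    addr=$(openvas_db_address "$2")
    [ -n "$sock" ] || { echo "FAIL: unixsocket not set in $1"; return 1; }
    [ "$sock" = "$addr" ] || { echo "FAIL: db_address '$addr' != unixsocket '$sock'"; return 1; }
    case "$perm" in
        [0-7]00) ;;
        *) echo "FAIL: unixsocketperm '$perm' unset or open to group/other"; return 1 ;;
    esac
    echo "OK: redis socket $sock (mode $perm)"
}

# The TLS private key must be exactly mode 0400 (find -perm MODE is an exact match).
check_key_mode() { # $1=key file
    [ -f "$1" ] || { echo "FAIL: $1 missing"; return 1; }
    [ -n "$(find "$1" -prune -perm 0400)" ] || { echo "FAIL: $1 is not mode 0400"; return 1; }
    echo "OK: $1 is mode 0400"
}

# Everything under the GVM state directory should belong to the service user.
check_tree_owner() { # $1=dir $2=user name or uid
    bad=$(find "$1" ! -user "$2" | head -n 5)
    [ -z "$bad" ] || { echo "FAIL: not owned by $2:"; echo "$bad"; return 1; }
    echo "OK: $1 owned by $2"
}

# Run against the guide's paths only when invoked as: sh gvm_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    check_redis_socket /usr/local/etc/redis.conf /usr/local/etc/openvas/openvas.conf
    check_key_mode /var/lib/gvm/private/CA/serverkey.pem
    check_tree_owner /var/lib/gvm gvm
fi
```

Run it as root after the `chown`/`chmod` steps; a mismatch between the two socket paths is the usual reason the scanner cannot reach Redis.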
 