Greenbone Security Assistant Installation (previously "OpenVAS")

There are several tutorials and guides on how to install OpenVAS on FreeBSD; however, recently OpenVAS was renamed to Greenbone Security Assistant, spread across multiple packages and now no longer fits any of the past setup descriptions.
After wading through the documentation myself, I figured out the steps to get it running and thought, I'd save someone else the pains I had to experience.
The following installation guide was based on binary packages on FreeBSD 13.0-RELEASE; I haven't yet tested the procedure from compiled ports but assume they should be fine.

Package installations​

You'll need to install multiple packages:
  • databases/postgresql12-server - a local PostgreSQL database is required. Previous OpenVAS releases did support sqlite, apparently this was taken out recently. Remote databases are unfortunately not supported. So if you already have a PostgreSQL server, you hoped to use for this, you're SOL. Some packages depend on PostgreSQL 12, so it doesn't work when choosing the newer 13 release.
  • databases/postgresql12-client - obviously, you'll need the client utilities as well
  • databases/postgresql12-contrib - required for the uuid-ossp extension
  • security/greenbone-security-assistant - the actual greenbone assistant; this one has a lot of dependencies, so expect a lot of downloads.
  • security/gvmd - the management interface for the framework; again with a bunch of dependencies
  • security/openvas - the scanner component
  • security/py-ospd-openvas (binary: py37-ospd-openvas) - the python wrapper that's used to call the scanner

Redis setup​

Redis is an implicit dependency; it's not listed in the above packages but will be installed anyways. We need to enable it. As root run
Code:
sysrc redis_enable=YES
We switch redis to user gvm so gvm can talk to the UNIX socket.
Code:
sysrc redis_user=gvm
We also fix permissions on the log file
Code:
chown gvm:gvm /var/log/redis/redis.log
On a production server, you might want to integrate that log into newsyslog to maintain this.

Then enable redis' socket interface. Edit /usr/local/etc/redis.conf:
Code:
# Unix socket.
#
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /tmp/redis.sock
unixsocketperm 700
Also, turn up databases to 32:
Code:
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 32
Afterwards, start the daeomn:
Code:
service redis start
To make openvas use this socket, create a file /usr/local/etc/openvas/openvas.conf with following content:
Code:
db_address = /tmp/redis.sock

Database setup​

After installating PostgreSQL, you need to initialize as usual. As root, run
Code:
su - postgres
initdb -E utf8 /var/db/postgresql/data13/
After initializing the database, return back to root user and ready/start it:
Code:
exit
sysrc postgresql_enable=YES
service postgresql start
Then, back to the postgres user postgres, create a user
Code:
su - postgres
createuser -P gvm
and provide a database password when queried. Then follow up with creating a database owned by this new user:
Code:
createdb -E utf8 -O gvm gvmd
Next, start psql and enable the uuid-ossp extension:
Code:
psql gvmd
Within psql, we enable the extension and create a "dba" role that's required for the database population later on:
Code:
create extension "uuid-ossp";
create role dba with superuser noinherit;
grant dba to gvm;
exit

Server Certificates​

The Greenbone Security Assistant exposes a web interface for management. The web server requires TLS certificates in directories that do not exist yet. Create them by running as root
Code:
mkdir -p /var/lib/gvm/CA
mkdir -p /var/lib/gvm/private/CA
Then place your certificate file into /var/lib/gvm/CA/servercert.pem and your key into /var/lib/gvm/private/CA/serverkey.pem.

Make sure to set correct permissions and ownerships:
Code:
chown gvm:gvm /var/lib/gvm/CA/servercert.pem /var/lib/gvm/private/CA/serverkey.pem
chmod 400 /var/lib/gvm/private/CA/serverkey.pem

GnuGPG setup​

Set up a GPG repository as root:
Code:
cd /var/lib/gvm/gvmd/gnupg
gpg --homedir /var/lib/gvm/gvmd/gnupg/ --list-keys
Ignore any warnings about unsafe ownerships. We'll fix that by running
Code:
chown -R gvm:gvm /var/lib/gvm/gvmd/gnupg

Directory setup​

When I first attempted to get the framework running, logs showed multiple errors for directories. So I simply created those:
Code:
mkdir -p /var/lib/gvm/cert-data
mkdir -p /var/lib/gvm/data-objects/gvmd
mkdir -p /var/lib/gvm/scap-data
chown -R gvm:gvm /var/lib/gvm

Patch and setup rc.d script​

During initial runs, gvmd did not properly work because its PATH variable seemed to be wrong. So I did some hacking, which probably could be done in some smarter fashion. I simply edited /usr/local/etc/rc.d/gvmd by adding an export statement for the PATH variable (this might be obsolete, but I left it in since it was required on my VM when I set things up):
Code:
pidfile=/var/run/gvm/gvmd.pid

export PATH=/usr/local/bin:/usr/local/sbin:$PATH

run_rc_command "$1"
Enable relevant services in /etc/rc.conf:
Code:
sysrc gsad_enable=YES
sysrc gvmd_enable=YES
sysrc ospd_openvas_enable=YES

Populate database​

We can now populate the database:
Code:
su -m gvm
gvmd -m

User setup​

Create an admin user for the management system. While still impersonating user gvm, run
Code:
gvmd --create-user=admin
Note down the password for later login. Then get the new user's UUID:
Code:
gvmd --get-users -v
Use the user's UUID. We need it to assign it as owner for the feeds, which we'll import later on:
Code:
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

Sync Feeds​

The feed synchronization works via rsync. It requires a direct connection to Greenbone's servers. If your internet access usually works via a proxy, you will need to set up firewall rules to permit direct connections just for this. Proxy use is not supported.

As user gvm, run
Code:
greenbone-feed-sync --type GVMD_DATA
greenbone-scapdata-sync
greenbone-certdata-sync
cd /tmp
greenbone-nvt-sync
Do NOT start those synchronizations in parallel. If you do, you'll be blacklisted by Greenbone. You need to switch to /tmp before running greenbone-nvt-sync because it needs a directory with write permissions to start from.

You may receive messages like
Code:
/var/run/gvm/feed-update.lockexit: greenbone-nvt-sync.FWHlsAgCQ3: Permission denied
which you apparently can safely ignore.

Start Services​

Now you should be able to start your services. As root run
Code:
service gvmd start
service gsad start
service ospd_openvas start
You should now have the management web server running. You can check for port 443:
Code:
root@openvas:/usr/local/etc/openvas # sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
gvm      redis-serv 95416 6  tcp4   127.0.0.1:6379        *:*
root     gsad       3956  5  tcp46  *:80                  *:*
root     gsad       3811  5  tcp46  *:443                 *:*
postgres postgres   42012 5  tcp4   127.0.0.1:5432        *:*
root     sshd       74818 4  tcp4   *:22                  *:*
Point your browser to
https://<servername>
and you should be greeted with Greenbone Security Assistant's login screen. Enter username and password you previously chose during setup.

Finally, check in SecInfo / NVTs, CVEs and CPEs whether all relevant data got properly imported into the database. If you see entries, you're done and can start checking your landscape! Happy hunting.
 
One more thing, I apparently missed. You also need to

Code:
chown -R gvm:gvm /var/db/redis/

otherwise, redis won't run properly.
 
This is embarrassing. One more thing to do, to make sure feed updates work later on:

Code:
root@openvas:/usr/local/etc/openvas # su - postgres
$ psql gvmd
psql (12.7)
Type "help" for help.

gvmd=# create extension pgcrypto;
CREATE EXTENSION
gvmd=#
\q
$
 
Another thing just popped up. If you've been running OpenVAS for a while, you'll be updating your system and will eventually get
Code:
gvmd: database is wrong version
in your /var/log/gvm/gvmd.log. To resolve this, you'll have to
Code:
su -m gvm
gvmd --migrate
to update the database. Be patient, this will take a while.
 
There's another one for the annals of "how to shoot yourself in the foot": if you run into the following problem
Code:
OSPD[64671] 2021-12-19 21:15:42,230: ERROR: (ospd.ospd) 791f63b3-5287-45d3-96e5-72583d1e04a6: Exception psutil.NoSuchProcess process no longer exists (pid=6908) while scanning
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/psutil/_common.py", line 447, in wrapper
    ret = self._cache[fun]
AttributeError: _cache

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 550, in wrapper
    return fun(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/psutil/_common.py", line 450, in wrapper
    return fun(self)
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 605, in oneshot
    ret = cext.proc_oneshot_info(self.pid)
ProcessLookupError: [Errno 3] No such process (originated from sysctl(KERN_PROC_PID))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/ospd/ospd.py", line 516, in start_scan
    self.exec_scan(scan_id)
  File "/usr/local/lib/python3.8/site-packages/ospd_openvas/daemon.py", line 1315, in exec_scan
    openvas_process_is_alive = self.is_openvas_process_alive(
  File "/usr/local/lib/python3.8/site-packages/ospd_openvas/daemon.py", line 1170, in is_openvas_process_alive
    if openvas_process.status() == psutil.STATUS_ZOMBIE:
  File "/usr/local/lib/python3.8/site-packages/psutil/__init__.py", line 682, in status
    return self._proc.status()
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 550, in wrapper
    return fun(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 809, in status
    code = self.oneshot()[kinfo_proc_map['status']]
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 555, in wrapper
    raise NoSuchProcess(self.pid, self._name)
psutil.NoSuchProcess: psutil.NoSuchProcess process no longer exists (pid=6908)
where the pid may obviously vary, you probably made the same mistake as me - you installed security/sudo as the documentation suggests. However, you - just like me - forgot you're running on FreeBSD and you probably turned on sysctl
Code:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
in /etc/sysctl.conf. So, in the hopes of saving you the whole day I've been spending ripping my hairs out - do yourself a favor and either remove that sysctl or uninstall sudo.
 
Where do I get the server certificate servercert.pem and key serverkey.pem?

PS: found out # gvm-manage-certs -a needs to be run first. Then the certs and keys are created.
 
I have a new problem though:

Code:
# service ospd_openvas onestart
Starting ospd_openvas.
/usr/local/etc/rc.d/ospd_openvas: WARNING: failed to start ospd_openvas

/var/log/gvm/ospd-openvas.log reveals:
Code:
OSPD[10207] 2022-05-25 14:49:42,939: ERROR: (ospd_openvas.db) Redis Error: Not possible to connect to the kb.
 
I have a new problem though:

Code:
# service ospd_openvas onestart
Starting ospd_openvas.
/usr/local/etc/rc.d/ospd_openvas: WARNING: failed to start ospd_openvas

/var/log/gvm/ospd-openvas.log reveals:
Code:
OSPD[10207] 2022-05-25 14:49:42,939: ERROR: (ospd_openvas.db) Redis Error: Not possible to connect to the kb.
This might be a permission issue. Is your redis socket owned by the redis user? If so, you'll probably need to switch it to gvm or whichever user is running ospd.

Sorry for not being more specific; I don't have my openvas installation available at the moment.
 
Thanks, got it. Changed not only the files openvas related in /var/run and /var/log to gvm, but also the directories themselves. It was probably the /var/log/redis directory that needed change to gvm. The logfile was owned by gvm, but not the directory.
 
All seems to work well except for logging in. The webinterface says "URL not found". Any idea how to actually log into openvas?
 
Uh, that's a good one. I remember some time back, I patched the web code because I only could reach the system from localhost; you could try setting up an ssh tunnel and attempting to connect via the local tcp port on localhost.

Unfortunately, I don't have my notes with me at the moment. I'm fairly certain it had something to do how the page was served and only permitting localhost as hostname, though I'm not completely sure whether this is the issue you're looking at. I believe the situation I had back then was at least reaching the login page but failing to log in successfully.
 
Ended up installing it on Kali Linux, which went flawlessly. I don't give up though and find out later what's the culprit and use it on FreeBSD.
 
It throws this error:
Code:
ospd_openvas_enable: YES -> YES
md manage-Message: 01:43:43.984: db_extension_available: Extension 'uuid-ossp' is not available.

(gvmd:16209): md manage-WARNING **: 01:43:43.984: check_db_extensions: A required extension is not available.

(gvmd:16209): md manage-WARNING **: 01:43:43.984: init_manage_create_functions: failed to create functions

Stepping into postgres to create it showed that it already exists. But the script still failed. There had been previous efforts to install it using the referenced link { https://forums.freebsd.org/threads/...istant-installation-previously-openvas.80563/} but no luck. The error back then was with ospd-openvas. Thanks to you all for these efforts. Setting up a debian vm and running this - https://github.com/yu210148/gvm_install - works.

I guess part of the problem was trying to run it in a Jail despite that all required tweaks were applied.
 
Can you please check via pkg info whether databases/postgresql13-contrib was successfully installed? uuid-ossp should usually be provided by that package.

I noticed during my own tests, that in the meantime, the ports package for openvas et al has switched to databases/postgresql13, so version 12 from the original post probably no longer works.

The script I posted on github should actually work fine in a jail, as long as you allow raw sockets; these are required for postgresql to work. If you're still interested in getting it to run in a jail / on FreeBSD, I can post an abbreviated jails.conf later, that worked for me.
 
Top