How to install OpenVas on Ubuntu 22.4

Building 22.4 from Source

Building the Greenbone Community Edition from source requires knowledge about:

Using a terminal
Shell programming basics
Installing software via apt or dnf
Using a C compiler
Using CMake and make
The Linux File System Hierarchy
Running services via systemd

Additionally, a basic knowledge about the architecture of the Greenbone Community Edition is required to follow this guide.

Note

This guide is intended for developers who want to try out the newest features and/or want to get familiar with the source code.

It is not intended for production setups.

Currently, the docs support the following distributions:

Ubuntu 22.04 LTS.

Hardware Requirements

Minimal:

CPU Cores: 2
Random-Access Memory: 4GB
Hard Disk: 50GB free

Recommended:

CPU Cores: 4
Random-Access Memory: 8GB
Hard Disk: 100GB free

Prerequisites

Note

Please follow the guide step by step. Later steps might require settings or output of a previous command.

The command sudo is used for executing commands that require privileged access on the system.

The command sudo is used for executing commands that require privileged access on the system.

Creating a User and a Group

The services provided by the Greenbone Community Edition should run as a dedicated user and group.

Therefore, a gvm user and a group with the same name will be created.

Creating a gvm system user and group

sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm

Adjusting the Current User

To allow the current user to run gvmd, they must be added to the gvm group. To make the group change effective, either logout and login again or use su.

Add the current user to the gvm group

sudo usermod -aG gvm $USER
su $USER

Choosing an Install Prefix

Before building the software stack, a (root) directory must be chosen where the built software will finally be installed. For example, when building packages, the distribution developers set this path to /usr.

By default, it is /usr/local, which is also used in this guide. This directory will be stored in an environment variable INSTALL_PREFIX to be able to reference it later.

Setting an install prefix environment variable

export INSTALL_PREFIX=/usr/local

Setting the PATH

On Debian systems, the locations /sbin, /usr/sbin, and /usr/local/sbin are not in the PATH of normal users. To run gvmd, which is located in /usr/local/sbin, the PATH environment variable should be adjusted.

Adjusting PATH for running gvmd

export PATH=$PATH:$INSTALL_PREFIX/sbin

Creating a Source, Build, and Install Directory

To separate the sources and the build artifacts, a source and a build directory must be created.

This source directory will be used later in this guide via an environment variable SOURCE_DIR. Accordingly, a variable BUILD_DIR will be set for the build directory. Both can be set to any directory to which the current user has write permissions. Therefore, directories in the current user’s home directory are chosen in this guide.

Choosing a source directory

export SOURCE_DIR=$HOME/source
mkdir -p $SOURCE_DIR

Choosing a build directory

export BUILD_DIR=$HOME/build
mkdir -p $BUILD_DIR

Additionally, an install directory will be set as an environment variable INSTALL_DIR. It is used as a temporary installation directory before moving all built artifacts to the final destination.

Choosing a temporary install directory

export INSTALL_DIR=$HOME/install
mkdir -p $INSTALL_DIR

Choosing the Installation Source

For building the GVM software stack, three different sources can be chosen depending on the desired stability:

Building from release tarballs
Building from git tags
Building from release branches

Linux distributions use the release tarballs because it is the most common and well-known method to share source code. Newer build systems may stick with the git tags. If you are a developer and very familiar with building from source already, you may also try out using the git release branches. These have the advantage that they contain the newest fixes which may not yet be included in the release tarballs or git tags. As a downside, the release branches may contain only partially fixed issues and need to be updated more often.

This guide will use the tarballs to build the software.

Installing Common Build Dependencies

For downloading, configuring, building, and installing the Greenbone Community Edition components, several tools and applications are required. To install these requirements, the following commands can be used:

Installing common build dependencies

sudo apt update
sudo apt install --no-install-recommends --assume-yes \
build-essential \
curl \
cmake \
pkg-config \
python3 \
python3-pip \
gnupg

Importing the Greenbone Signing Key

To validate the integrity of the downloaded source files, GnuPG is used. It requires downloading the Greenbone Community Signing public key and importing it into the current user’s keychain.

Importing the Greenbone Community Signing key

curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc
gpg --import /tmp/GBCommunitySigningKey.asc

For understanding the validation output of the gpg tool, it is best to mark the Greenbone Community Signing key as fully trusted.

Setting the trust level for the Greenbone Community Signing key

echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | gpg --import-ownertrust

Building and Installing the Components

Note: The components should be built and installed in the listed order.

gvm-libs

gvm-libs is a C library providing basic functionality like XML parsing and network communication. It is used in openvas-scanner, gvmd, gsad, and pg-gvm.

Setting the gvm-libs version to use

export GVM_LIBS_VERSION=22.7.1

Required dependencies for gvm-libs

sudo apt install -y \
libglib2.0-dev \
libgpgme-dev \
libgnutls28-dev \
uuid-dev \
libssh-gcrypt-dev \
libhiredis-dev \
libxml2-dev \
libpcap-dev \
libnet1-dev \
libpaho-mqtt-dev

Optional dependencies for gvm-libs

sudo apt install -y \
libldap2-dev \
libradcli-dev

Downloading the gvm-libs sources

curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gvm-libs/releases/download/v$GVM_LIBS_VERSION/gvm-libs-v$GVM_LIBS_VERSION.tar.gz.asc -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc

Verifying the source file

gpg --verify $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz

Afterwards, gvm-libs can be built and installed.

Building gvm-libs

mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs

cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
-DCMAKE_BUILD_TYPE=Release \
-DSYSCONFDIR=/etc \
-DLOCALSTATEDIR=/var

make -j$(nproc)

Installing gvm-libs

mkdir -p $INSTALL_DIR/gvm-libs

make DESTDIR=$INSTALL_DIR/gvm-libs install

sudo cp -rv $INSTALL_DIR/gvm-libs/* /

gvmd

The Greenbone Vulnerability Management Daemon (gvmd) is the main service of the Greenbone Community Edition. It handles authentication, scan management, vulnerability information, reporting, alerting, scheduling, and much more. As a storage backend, it uses a PostgreSQL database.

Setting the gvmd version to use

export GVMD_VERSION=22.9.0

Required dependencies for gvmd

sudo apt install -y \
libglib2.0-dev \
libgnutls28-dev \
libpq-dev \
postgresql-server-dev-15 \
libical-dev \
xsltproc \
rsync \
libbsd-dev \
libgpgme-dev

Optional dependencies for gvmd

sudo apt install -y --no-install-recommends \
texlive-latex-extra \
texlive-fonts-recommended \
xmlstarlet \
zip \
rpm \
fakeroot \
dpkg \
nsis \
gnupg \
gpgsm \
wget \
sshpass \
openssh-client \
socat \
snmp \
python3 \
smbclient \
python3-lxml \
gnutls-bin \
xml-twig-tools

Details about the optional dependencies can be found at this link.

Downloading the gvmd sources

curl -f -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gvmd/releases/download/v$GVMD_VERSION/gvmd-$GVMD_VERSION.tar.gz.asc -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc

Verifying the source file

gpg --verify $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz

Building gvmd

mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd

cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
-DCMAKE_BUILD_TYPE=Release \
-DLOCALSTATEDIR=/var \
-DSYSCONFDIR=/etc \
-DGVM_DATA_DIR=/var \
-DGVMD_RUN_DIR=/run/gvmd \
-DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \
-DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \
-DSYSTEMD_SERVICE_DIR=/lib/systemd/system \
-DLOGROTATE_DIR=/etc/logrotate.d

make -j$(nproc)

Installing gvmd

mkdir -p $INSTALL_DIR/gvmd

make DESTDIR=$INSTALL_DIR/gvmd install

sudo cp -rv $INSTALL_DIR/gvmd/* /

pg-gvm

pg-gvm is a PostgreSQL server extension that adds several functions used by gvmd, e.g., iCalendar and host range evaluation. In previous versions, these functions were managed directly by gvmd, while pg-gvm uses the extension management built into PostgreSQL.

Setting the pg-gvm version to use

export PG_GVM_VERSION=22.6.1

Required dependencies for pg-gvm

sudo apt install -y \
libglib2.0-dev \
postgresql-server-dev-15 \
libical-dev

Downloading the pg-gvm sources

curl -f -L https://github.com/greenbone/pg-gvm/archive/refs/tags/v$PG_GVM_VERSION.tar.gz -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz
curl -f -L https://github.com/greenbone/pg-gvm/releases/download/v$PG_GVM_VERSION/pg-gvm-$PG_GVM_VERSION.tar.gz.asc -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc

Verifying the source file

gpg --verify $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz

Afterwards, pg-gvm can be built and installed.

Building pg-gvm

mkdir -p $BUILD_DIR/pg-gvm && cd $BUILD_DIR/pg-gvm

cmake $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \
-DCMAKE_BUILD_TYPE=Release

make -j$(nproc)

Installing pg-gvm

mkdir -p $INSTALL_DIR/pg-gvm

make DESTDIR=$INSTALL_DIR/pg-gvm install

sudo cp -rv $INSTALL_DIR/pg-gvm/* /

Greenbone Security Assistant

The Greenbone Security Assistant (GSA) sources consist of two parts:

Web server gsad
Web application GSA

GSA

The web application is written in JavaScript and relies on the React framework. It uses Node.js for building the application and Yarn for maintaining the JavaScript dependencies. Because the installation of Yarn and the specific Node.js version requires a setup of external package repositories, and the build process takes a lot of time, pre-built distributable files are available. These pre-built distributable files are used in this documentation.

Setting the GSA version to use

export GSA_VERSION=22.7.1

Downloading the GSA sources

curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc

Verifying the source files

gpg --verify $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz

The output of both commands should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the two tarballs can be extracted.

mkdir -p $SOURCE_DIR/gsa-$GSA_VERSION
tar -C $SOURCE_DIR/gsa-$GSA_VERSION -xvzf $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz

Installing GSA

sudo mkdir -p $INSTALL_PREFIX/share/gvm/gsad/web/
sudo cp -rv $SOURCE_DIR/gsa-$GSA_VERSION/* $INSTALL_PREFIX/share/gvm/gsad/web/

gsad

The web server gsad is written in the C programming language. It serves static content like images and provides an API for the web application. Internally, it communicates with gvmd using GMP.

Setting the gsad version to use

export GSAD_VERSION=22.6.0

Required dependencies for gsad

sudo apt install -y \
libmicrohttpd-dev \
libxml2-dev \
libglib2.0-dev \
libgnutls28-dev

Downloading the gsad sources

curl -f -L https://github.com/greenbone/gsad/archive/refs/tags/v$GSAD_VERSION.tar.gz -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz
curl -f -L https://github.com/greenbone/gsad/releases/download/v$GSAD_VERSION/gsad-$GSAD_VERSION.tar.gz.asc -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc

Verifying the source files

gpg --verify $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz

The output of both commands should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the two tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz

Building gsad

mkdir -p $BUILD_DIR/gsad && cd $BUILD_DIR/gsad

cmake $SOURCE_DIR/gsad-$GSAD_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
-DCMAKE_BUILD_TYPE=Release \
-DSYSCONFDIR=/etc \
-DLOCALSTATEDIR=/var \
-DGVMD_RUN_DIR=/run/gvmd \
-DGSAD_RUN_DIR=/run/gsad \
-DLOGROTATE_DIR=/etc/logrotate.d

make -j$(nproc)

Installing gsad

mkdir -p $INSTALL_DIR/gsad

make DESTDIR=$INSTALL_DIR/gsad install

sudo cp -rv $INSTALL_DIR/gsad/* /

openvas-smb

openvas-smb is a helper module for openvas-scanner. It includes libraries (openvas-wmiclient/openvas-wincmd) to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system. It is an optional dependency of openvas-scanner but is required for scanning Windows-based systems.

Warning

openvas-smb doesn’t work on CentOS at the moment! It is not a hard requirement.

Setting the openvas-smb version to use

export OPENVAS_SMB_VERSION=22.5.3

Required dependencies for openvas-smb

sudo apt install -y \
gcc-mingw-w64 \
libgnutls28-dev \
libglib2.0-dev \
libpopt-dev \
libunistring-dev \
heimdal-dev \
perl-base

Downloading the openvas-smb sources

curl -f -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB_VERSION.tar.gz -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-smb/releases/download/v$OPENVAS_SMB_VERSION/openvas-smb-v$OPENVAS_SMB_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc

Verifying the source file

gpg --verify $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz

Building openvas-smb

mkdir -p $BUILD_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb

cmake $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
-DCMAKE_BUILD_TYPE=Release

make -j$(nproc)

Installing openvas-smb

mkdir -p $INSTALL_DIR/openvas-smb

make DESTDIR=$INSTALL_DIR/openvas-smb install

sudo cp -rv $INSTALL_DIR/openvas-smb/* /

openvas-scanner

openvas-scanner is a full-featured scan engine that executes a continuously updated and extended feed of Vulnerability Tests (VTs). The feed consists of thousands of NASL (Network Attack Scripting Language) scripts that implement all kinds of vulnerability checks.

Setting the openvas-scanner version to use

export OPENVAS_SCANNER_VERSION=22.7.5

Required dependencies for openvas-scanner

sudo apt install -y \
bison \
libglib2.0-dev \
libgnutls28-dev \
libgcrypt20-dev \
libpcap-dev \
libgpgme-dev \
libksba-dev \
rsync \
nmap \
libjson-glib-dev \
libbsd-dev

Additional dependencies for openvas-scanner

sudo apt install -y \
python3-impacket \
libsnmp-dev

Downloading the openvas-scanner sources

curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz
curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_SCANNER_VERSION/openvas-scanner-v$OPENVAS_SCANNER_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc

Verifying the source file

gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signature is valid, the tarball can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz

Building openvas-scanner

mkdir -p $BUILD_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner

cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
-DCMAKE_BUILD_TYPE=Release \
-DINSTALL_OLD_SYNC_SCRIPT=OFF \
-DSYSCONFDIR=/etc \
-DLOCALSTATEDIR=/var \
-DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
-DOPENVAS_RUN_DIR=/run/ospd

make -j$(nproc)

Installing openvas-scanner

mkdir -p $INSTALL_DIR/openvas-scanner

make DESTDIR=$INSTALL_DIR/openvas-scanner install

sudo cp -rv $INSTALL_DIR/openvas-scanner/* /

ospd-openvas

ospd-openvas is an OSP server implementation that allows gvmd to remotely control an openvas-scanner. It runs as a daemon and waits for incoming OSP requests from gvmd.

Setting the ospd-openvas version to use

export OSPD_OPENVAS_VERSION=22.6.0

Required dependencies for ospd-openvas

sudo apt install -y \
python3 \
python3-pip \
python3-setuptools \
python3-packaging \
python3-wrapt \
python3-cffi \
python3-psutil \
python3-lxml \
python3-defusedxml \
python3-paramiko \
python3-redis \
python3-gnupg \
python3-paho-mqtt

Downloading the ospd-openvas sources

curl -f -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/ospd-openvas/releases/download/v$OSPD_OPENVAS_VERSION/ospd-openvas-v$OSPD_OPENVAS_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc

Verifying the source files

gpg --verify $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz

Installing ospd-openvas

cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION

mkdir -p $INSTALL_DIR/ospd-openvas

python3 -m pip install –root=$INSTALL_DIR/ospd-openvas –no-warn-script-location .

sudo cp -rv $INSTALL_DIR/ospd-openvas/* /

notus-scanner

notus-scanner is used for detecting vulnerable products by evaluating internal system information gathered by openvas-scanner. It communicates with openvas-scanner and ospd-openvas via MQTT. It runs as a daemon.

Setting the notus version to use

export NOTUS_VERSION=22.6.0

Required dependencies for notus-scanner

sudo apt install -y \
python3 \
python3-pip \
python3-setuptools \
python3-paho-mqtt \
python3-psutil \
python3-gnupg

Downloading the notus-scanner sources

curl -f -L https://github.com/greenbone/notus-scanner/archive/refs/tags/v$NOTUS_VERSION.tar.gz -o $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz
curl -f -L https://github.com/greenbone/notus-scanner/releases/download/v$NOTUS_VERSION/notus-scanner-v$NOTUS_VERSION.tar.gz.asc -o $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz.asc

Verifying the source files

gpg --verify $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz.asc $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz

The output of the last command should be similar to:

gpg: Signature made Fri Apr 16 08:31:02 2021 UTC
gpg: using RSA key 9823FAA60ED1E580
gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate]

If the signatures are valid, the tarballs can be extracted.

tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/notus-scanner-$NOTUS_VERSION.tar.gz

Installing notus-scanner

cd $SOURCE_DIR/notus-scanner-$NOTUS_VERSION

mkdir -p $INSTALL_DIR/notus-scanner

python3 -m pip install –root=$INSTALL_DIR/notus-scanner –no-warn-script-location .

sudo cp -rv $INSTALL_DIR/notus-scanner/* /

greenbone-feed-sync

The greenbone-feed-sync tool is a Python-based script used to download all feed data from the Greenbone Community Feed to your local machine. It is an improved version of two former shell scripts.

Required dependencies for greenbone-feed-sync

sudo apt install -y \
python3 \
python3-pip

The latest version of greenbone-feed-sync can be installed using the standard Python installation tool, pip. To install it system-wide for all users without running pip as a root user, use the following commands:

Installing greenbone-feed-sync system-wide for all users

mkdir -p $INSTALL_DIR/greenbone-feed-sync

python3 -m pip install –root=$INSTALL_DIR/greenbone-feed-sync –no-warn-script-location greenbone-feed-sync

sudo cp -rv $INSTALL_DIR/greenbone-feed-sync/* /

gvm-tools

The Greenbone Vulnerability Management Tools, or gvm-tools in short, are a collection of tools that help control Greenbone Community Edition installations or Greenbone Enterprise Appliances remotely. These tools aid in accessing the communication protocols Greenbone Management Protocol (GMP) and Open Scanner Protocol (OSP). gvm-tools are optional and not required for a functional GVM stack.

Required dependencies for gvm-tools

sudo apt install -y \
python3 \
python3-pip \
python3-venv \
python3-setuptools \
python3-packaging \
python3-lxml \
python3-defusedxml \
python3-paramiko

The latest version of gvm-tools can be installed for each user via the standard Python installation tool, pip. Alternatively, to install it system-wide without running pip as a root user, you can use the following commands:

Installing gvm-tools system-wide

mkdir -p $INSTALL_DIR/gvm-tools

python3 -m pip install –root=$INSTALL_DIR/gvm-tools –no-warn-script-location gvm-tools

sudo cp -rv $INSTALL_DIR/gvm-tools/* /

Performing a System Setup

Setting up the Redis Data Store

In the architecture, the Redis key/value storage is used by the scanner (openvas-scanner and ospd-openvas) for handling VT information and scan results.

Installing the Redis server

sudo apt install -y redis-server

After installing the Redis server package, a specific configuration for the openvas-scanner must be added.

Adding configuration for running the Redis server for the scanner

sudo cp $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION/config/redis-openvas.conf /etc/redis/
sudo chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" | sudo tee -a /etc/openvas/openvas.conf

Starting Redis with openvas config

sudo systemctl start [email protected]

Ensuring Redis with openvas config is started on every system startup

sudo systemctl enable [email protected]

Additionally, the gvm user must be able to access the Redis Unix socket at /run/redis-openvas/redis.sock.

Adding the gvm user to the Redis group

sudo usermod -aG redis gvm

Setting up the Mosquitto MQTT Broker

The Mosquitto MQTT broker is used for communication between ospd-openvas, openvas-scanner, and notus-scanner.

Installing the Mosquitto broker

sudo apt install -y mosquitto

This concludes the setup steps for your system.

Vulnerability Tests Data

If the log file of ospd-openvas (/var/log/gvm/ospd-openvas.log) contains the following output, the OpenVAS Scanner starts to load the new VT data:

ospd-openvas VT loading log message

Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may
take a few minutes, please wait ...

The loading of the VT data is finished if the following log message can be found:

ospd-openvas VTs loading finished log message

Finished loading VTs. The VT cache has been updated from version X to Y.

After the scanner is aware of the VT data, the data will be requested by gvmd. This will result in the following log message in /var/log/gvm/gvmd.log:

gvmd VTs loading log message

OSP service has different VT status (version X) from database (version (Y), Z VTs). Starting update ...

When gvmd has finished loading all VTs, the following message appears:

gvmd VTs loading finished log message

Updating VTs in the database ... done (X VTs).

SCAP Data

gvmd starts loading the SCAP data containing CPE and CVE information when the following message can be found in the logs (/var/log/gvm/gvmd.log):

gvmd SCAP data loading log message

update_scap: Updating data from feed

The SCAP data is loaded and the synchronization is finished when the (gvmd) log contains the following message:

gvmd SCAP data loading finished log message

update_scap_end: Updating SCAP info succeeded

CERT Data

gvmd starts loading the CERT data containing DFN-CERT and CERT-Bund advisories when the following message can be found in the logs (/var/log/gvm/gvmd.log):

gvmd CERT data loading log message

sync_cert: Updating data from feed

The CERT data is loaded and the synchronization is finished when the (gvmd) log contains the following message:

gvmd CERT data finished loading log message

sync_cert: Updating CERT info succeeded.

GVMD Data

The log (/var/log/gvm/gvmd.log) contains several messages when the gvmd data is loaded. For port lists, these messages are similar to:

gvmd port list loaded log message

Port list All IANA assigned TCP (33d0cd82-57c6-11e1-8ed1-406186ea4fc5) has been created by admin

For report formats:

gvmd report format loaded log message

Report format XML (a994b278-1f62-11e1-96ac-406186ea4fc5) has been created by admin

Hint: Scan Configs can only be loaded if the VT data is available in gvmd and a Feed Import Owner is set.

For scan configs:

gvmd scan config loaded log message

mathematica

Scan config Full and fast (daba56c8-73ec-11df-a475-002264764cea) has been created by admin

Starting the Vulnerability Management

After the services have started and all data has been loaded, the Greenbone Security Assistant web interface – GSA – can be opened in the browser.

Opening Greenbone Security Assistant in the browser

xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null &

The browser will show the login page of GSA, and after using the credentials created in the “Setting Up an Admin User” chapter, you can start with vulnerability scanning.

Launching Greenbone Security Assistant for the first time

Securing Openvas using HTTPS

We use Let’s Encrypt Certificate Using DNS Validation with acme-dns-certbot on Ubuntu

Introduction:

Let’s Encrypt provides a straightforward way to obtain SSL/TLS certificates for your websites through HTTP validation. However, this method is not always suitable for load-balanced websites or issuing wildcard certificates. In such cases, DNS validation offers a solution by verifying certificate requests through DNS records.

Prerequisites:

A domain name for which you can acquire a TLS certificate, including the ability to add DNS records.
Access to the server with your non-root user account.

Step 1 — Installing Certbot

Begin by adding the Certbot repository and installing Certbot. It is recommended to use the repository maintained by the Certbot developers for the latest version and configuration hostname:

sudo apt-add-repository ppa:certbot/certbot
sudo apt install certbot

Check the installation:

certbot --version

sudo nano /etc/hosts

10.10.10.1 scanner scanner.example.com

#change the example.com to your domain name

hostnamectl set-hostname scanner.example.com

Step 2 — Installing acme-dns-certbot

Now, download and install acme-dns-certbot to allow Certbot to operate in DNS validation mode:

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
chmod +x acme-dns-auth.py
nano acme-dns-auth.py

Edit the first line to use Python 3:

#!/usr/bin/env python3

Move the script to the Certbot directory:

sudo mv acme-dns-auth.py /etc/letsencrypt/

Step 3 — Setting Up acme-dns-certbot

Begin using acme-dns-certbot by running Certbot to issue a certificate using DNS validation:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.example.com -d example.com

Add the required DNS CNAME record, and then press ENTER to validate the certificate request.

Step 4 — Using acme-dns-certbot

Now that you have successfully issued at least one certificate using acme-dns-certbot, you can issue more certificates for the same DNS names without adding another DNS CNAME record. However, for new subdomains or domains, you will need to add CNAME records as prompted.

You can issue certificates as follows:

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.your-domain

For subdomains or new domains, you’ll be prompted to add a CNAME record for verification.

Note: above step will ask you to create a cname on your cloudflare or any domain controler.

Account registered.

Requesting a certificate for *.example.com

Hook ‘–manual-auth-hook’ for e.cxample.com ran with output:

Please add the following CNAME record to your main DNS zone:

_acme-challenge.example.com CNAME a3a13260-3939-424f-a7be-safsdeweds.auth.acme-dns.io.

You have you create the cname using above inofrmation

click continue the installation after you have successfully created the cname

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem

Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem

Its time to congiure our gsd service to change from http to https

sudo nano /etc/systemd/system/gsad.service

make it looks like below code

[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=exec
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad –foreground –listen=youriphere –port=443 –ssl-private-key=/etc/letsencrypt/live/example.com/privkey.pem –ssl-certificate=/etc/letsencrypt/live/example.om/fullchain.pem
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service

save and exit

reload the systemd daemon to apply the changes:
sudo systemctl daemon-reload
Finally, restart the gsad service:
sudo systemctl restart gsad.service

This will save the configuration, reload the systemd daemon to recognize the changes, and restart the gsad service with the updated settings.

Please make sure that you’ve correctly configured the gsad.service file with the appropriate settings for your environment and needs before executing these commands.

building OpenVAS (Greenbone Community Edition) from scratch on an Ubuntu 22.04 system can be a rewarding process for those who want to have full control over the installation and configuration of this powerful open-source vulnerability scanner. However, it is essential to highlight a few key takeaways from this process:

Development and Learning: This guide is primarily intended for developers and individuals who want to explore the newest features, get familiar with the source code, and deepen their understanding of the architecture behind OpenVAS. It is not recommended for production setups.
Hardware Requirements: Ensure your system meets the hardware requirements for OpenVAS, including CPU cores, RAM, and disk space. These requirements are crucial for the efficient functioning of the scanner.
Prerequisites: Be prepared with a basic knowledge of terminal usage, shell scripting, installing software packages, using a C compiler, working with CMake and Make, understanding the Linux file system hierarchy, and managing services through systemd. Also, familiarity with the architecture of OpenVAS is beneficial.
Use of acme-dns-certbot: OpenVAS relies on TLS certificates for secure communication, and the acme-dns-certbot tool simplifies the process of obtaining and renewing certificates using DNS validation. This is particularly useful when dealing with load-balanced setups and wildcard certificates.
DNS Validation: The use of DNS validation in OpenVAS allows for the issuance of certificates for a cluster of web servers behind load balancers and systems not directly accessible over the internet. It’s especially handy for wildcard certificates.
Maintenance: Once set up, OpenVAS services should be regularly updated and maintained. Automatic renewal of TLS certificates should be configured to prevent expiration issues.
Security: Be mindful of the security implications when using acme-dns-certbot and granting it access to your DNS configuration. Ensure proper access control and monitoring of the tools used for certificate management.
Documentation and Community Support: While this guide provides essential steps for building OpenVAS from source, the project’s official documentation and the OpenVAS community can be valuable resources for troubleshooting, learning, and staying up-to-date with best practices.

In summary, building OpenVAS from scratch on Ubuntu 22.04 is a valuable learning experience for those interested in vulnerability scanning and network security. With the right knowledge and preparation, you can set up a robust environment for discovering and mitigating security issues in your systems. Always consider your specific use case and security requirements when implementing OpenVAS.

Building a vulnerability scanner from scratch on an Ubuntu 22.04 system can be a rewarding process for those who want to have full control over the installation and configuration of this powerful open-source vulnerability scanner. However, it is essential to highlight a few key takeaways from this process:

Angurs

How to install OpenVas on Ubuntu 22.4