Setting up GVM11: Difference between revisions
(Created page with "= Greenbone Vulnerability Management (GVM) 11 = = Introduction = OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in communi...") |
m (Change link to Repositories page) |
||
(14 intermediate revisions by 3 users not shown) | |||
Line 7: | Line 7: | ||
= Install = | = Install = | ||
[[ | [[Repositories#Enabling_the_community_repository|Enable the community repository]] and install the required packages: | ||
{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}} | {{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}} | ||
Line 33: | Line 33: | ||
create extension "pgcrypto"; | create extension "pgcrypto"; | ||
exit | exit | ||
exit | |||
== GVMd == | == GVMd == | ||
Line 41: | Line 41: | ||
su - gvm | su - gvm | ||
gvm-manage-certs -a | gvm-manage-certs -a | ||
exit | |||
Create credentials used to interact with gvmd: | Create credentials used to interact with gvmd: | ||
rc-service gvmd start | |||
su - gvm | |||
gvmd --create-user=admin --password=admin | gvmd --create-user=admin --password=admin | ||
Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config "Full and Fast". | |||
gvmd will only create these resources if a "Feed Import Owner" is configured: | |||
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user> | |||
The UUIDs of all created users can be found using | |||
gvmd --get-users --verbose | |||
Make sure that gvmd responds with "USER CREATED". If you run through these steps fast, and gvm is in the middle of something, it may not create the user until it is done with what it is computing. | |||
== Update GVM definitions == | == Update GVM definitions == | ||
Download the GVM definitions and start GVMd, as | Download the GVM definitions and start GVMd, as gvm user. | ||
Be patient...it will take a while: | Be patient...it will take a while: | ||
su - gvm | |||
greenbone-feed-sync --type GVMD_DATA | |||
greenbone-feed-sync --type SCAP | |||
greenbone-feed-sync --type CERT | |||
exit | |||
This three feeds needs to be scheduled via cron. | |||
Add gvmd to start on boot: | Add gvmd to start on boot: | ||
Line 59: | Line 77: | ||
rc-update add gvmd | rc-update add gvmd | ||
NVT definitions | Download NVT definitions: | ||
su - gvm | su - gvm | ||
Line 68: | Line 86: | ||
Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts. | Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts. | ||
Create '''/etc/conf.d/gsad:''' with: | |||
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad | |||
Start GSAD and add it to default runlevel: | Start GSAD and add it to default runlevel: | ||
Line 78: | Line 93: | ||
rc-update add gsad | rc-update add gsad | ||
Open the browser at the IP address where GSAD is running, on port 9392, and login with the credentials previously created. | Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created. | ||
Happy vulnerability assestment! | Happy vulnerability assestment! | ||
=Troubleshooting= | |||
==greenbone-nvt-sync can't create /run/ospd/feed-update.lock== | |||
If during the first greenbone-nvt-sync, or greenbone-feed-sync, you get an error about can't create /run/ospd/feed-update.lock permission denied you might've run ospd / openvas too early. In /var/log/gvm/openvas.log there will be a loop where ospd is looking for the feed files which don't exist. Kill the process, then manually remove the lock file. However, if it looks like it is actively syncing the feed (iftop), then let it complete the sync first. | |||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Monitoring]] | [[Category:Monitoring]] |
Latest revision as of 04:26, 27 June 2022
Greenbone Vulnerability Management (GVM) 11
Introduction
OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.
This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.
Install
Enable the community repository and install the required packages:
apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas
Configuration
PostgreSQL
OpenVAS relies on PostgreSQL, that now is mandatory.
Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup rc-service postgresql start rc-update add postgresql
Create and configure the gvm database:
su - postgres createuser -DRS gvm createdb -O gvm gvmd psql gvmd create role dba with superuser noinherit; grant dba to gvm; create extension if not exists "uuid-ossp"; create extension "pgcrypto"; exit exit
GVMd
GVMd run as gvm user. Generate the certificate. The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons. You can setup the certificate automatically with:
su - gvm gvm-manage-certs -a exit
Create credentials used to interact with gvmd:
rc-service gvmd start su - gvm gvmd --create-user=admin --password=admin
Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config "Full and Fast".
gvmd will only create these resources if a "Feed Import Owner" is configured:
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>
The UUIDs of all created users can be found using
gvmd --get-users --verbose
Make sure that gvmd responds with "USER CREATED". If you run through these steps fast, and gvm is in the middle of something, it may not create the user until it is done with what it is computing.
Update GVM definitions
Download the GVM definitions and start GVMd, as gvm user. Be patient...it will take a while:
su - gvm greenbone-feed-sync --type GVMD_DATA greenbone-feed-sync --type SCAP greenbone-feed-sync --type CERT exit
This three feeds needs to be scheduled via cron.
Add gvmd to start on boot:
rc-update add gvmd
Download NVT definitions:
su - gvm greenbone-nvt-sync
Greenbone Security Assistant (GSAD)
Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.
Create /etc/conf.d/gsad: with:
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad
Start GSAD and add it to default runlevel:
rc-service gsad start rc-update add gsad
Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.
Happy vulnerability assestment!
Troubleshooting
greenbone-nvt-sync can't create /run/ospd/feed-update.lock
If during the first greenbone-nvt-sync, or greenbone-feed-sync, you get an error about can't create /run/ospd/feed-update.lock permission denied you might've run ospd / openvas too early. In /var/log/gvm/openvas.log there will be a loop where ospd is looking for the feed files which don't exist. Kill the process, then manually remove the lock file. However, if it looks like it is actively syncing the feed (iftop), then let it complete the sync first.