Difference between revisions of "Setting up GVM10"

From Alpine Linux
m (Install)
(Updated the page with GVM-11)
Line 1: Line 1:
= Greenbone Vulnerability Management (GVM) 10 =
+
= Greenbone Vulnerability Management (GVM) 11 =
 
= Introduction =
 
= Introduction =
  
OpenVAS with version 10 has been renamed in Greenbone Vulnerability Management and it is available in community repository starting from Alpine 3.10.
+
OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.
  
 
This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.
 
This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.
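Review bot: grammar in the rewritten introduction: "has been renamed in Greenbone Vulnerability Management" should read "has been renamed to Greenbone Vulnerability Management", "available in community repository" should read "available in the community repository", and the How-To sentence repeats "solution" ("a complete server solution for vulnerability scanning and vulnerability management solution"); dropping the second "solution" fixes it.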
Line 9: Line 9:
 
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:
 
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:
  
{{Cmd|apk add gvmd gnutls-utils openvas-scanner greenbone-security-assistant python3 redis}}
+
{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}
  
 
= Configuration =  
 
= Configuration =  
  
== Redis ==
+
== PostgreSQL  ==
  
OpenVAS relies on Redis. Redis should be configured to listen to a socket.
+
OpenVAS relies on PostgreSQL, that now is mandatory.
  
Modify '''/etc/redis.conf''' by setting :
+
Start PostgreSQL and add it to default runlevel:
  unixsocket /tmp/redis.sock
+
  rc-service postgresql setup
  unixsocketperm 700
+
  rc-service postgresql start
  port 0
+
  rc-update add postgresql
  
Then start redis and add it to default runlevel:
+
Create and configure the gvm database:
rc-service redis start
 
rc-update add redis
 
  
== Greenbone Vulnerability Manager ==
+
su - postgres
 +
createuser -DRS gvm
 +
createdb -O gvm gvmd
 +
psql gvmd
 +
create role dba with superuser noinherit;
 +
grant dba to gvm;
 +
create extension if not exists "uuid-ossp";
 +
create extension "pgcrypto";
 +
exit
  
Upgrade the NVT (Network Vulnerability Tests) archives:
+
== GVMd ==
  greenbone-nvt-sync
 
greenbone-scapdata-sync --rsync
 
greenbone-certdata-sync
 
 
 
Be patient...it will take a while.
 
If you get these errors:
 
rsync: failed to connect to feed.openvas.org (89.146.224.58): Connection refused (111)
 
rsync: failed to connect to feed.openvas.org (2a01:130:2000:127::d1): Network unreachable (101)
 
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
 
 
 
then try to append --rsync arg, like:
 
 
 
greenbone-scapdata-sync --rsync
 
 
 
Now, generate the certificate for gvmd.
 
  
The certificate infrastructure enables OpenVAS daemons to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
+
GVMd run as gvm user. Generate the certificate.
 +
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
 
You can setup the certificate automatically with:
 
You can setup the certificate automatically with:
 
+
su - gvm
 
  gvm-manage-certs -a
 
  gvm-manage-certs -a
  
Create a new user with Admin role, and take note of the generated password:
+
Create credentials used to interact with gvmd:
gvmd --create-user=admin --role=Admin
 
  
  User created with password '18664575-7101-4ceb-8a94-429a376824e6
+
  gvmd --create-user=admin --password=admin
  
'''Note:''' if you want to change the password you can run:
+
== Update GVM definitions ==
gvmd --user=admin --new-password=MyNewVeryStrongPassword
 
  
Start Greenbone Vulnerability Manager and add it to default runlevel
+
Download the GVM definitions and start GVMd, as root user.
 +
Be patient...it will take a while:
  
 +
greenbone-scapdata-sync
 +
greenbone-certdata-sync
 
  rc-service gvmd start
 
  rc-service gvmd start
 
This will take a while, since OpenVAS here is rebuilding his database with all NVT definition downloaded.
 
You will see with ```ps aux``` the gvmd process in "Syncing SCAP" state.
 
  
rc-service gvmd restart
+
Add gvmd to start on boot:
 +
 
 
  rc-update add gvmd
 
  rc-update add gvmd
  
== OpenVAS Scanner ==
+
NVT definitions can be downloaded as gvm user:
  
Generate the OpenVAS Scanner cache:
+
  su - gvm
rc-service openvassd stop
+
  greenbone-nvt-sync
  rc-service openvassd create_cache
 
  rc-service openvassd start
 
 
 
Add the OpenVAS services to default runlevel:
 
rc-update add openvassd
 
  
 
== Greenbone Security Assistant (GSAD) ==
 
== Greenbone Security Assistant (GSAD) ==
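Review bot: "gvmd --create-user=admin --password=admin" replaces a flow in which gvmd generated a random password (the removed line "User created with password '1866...'") and the page documented "gvmd --user=admin --new-password=..." for changing it; an admin account with the literal password "admin" is a poor default, especially since the GSAD section of this page binds the web interface to 0.0.0.0. Suggest keeping "gvmd --create-user=admin" without "--password" so that gvmd prints a generated password, or passing a generated value, and keeping the note on how to change the password. The "create role dba with superuser noinherit; grant dba to gvm;" step also makes the gvm role a PostgreSQL superuser; a sentence saying why that is needed (the extensions created right after) would help readers decide whether to revoke it afterwards.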
Line 95: Line 81:
  
 
Happy vulnerability assestment!
 
Happy vulnerability assestment!
 
= Misc =
 
 
== Configure Trusted NVTs ==
 
 
Sum-up: https://community.greenbone.net/t/gcf-managing-the-digital-signatures/101 :
 
 
"Signed NVTs are usually provided by NVT Feed Services. For example, the NVTs contained in the OpenVAS NVT
 
Feed are signed by the "OpenVAS Transfer Integrity" key which you can find at the bottom of this page. If
 
you have already installed OpenVAS, you can use the "greenbone-nvt-sync" command to synchronize your NVT
 
collection with the OpenVAS NVT Feed and receive signatures for all NVTs."
 
 
=== Create key ===
 
  gpg --homedir=/etc/openvas/gnupg --gen-key
 
 
You need to choose Realname, Email and a Password.
 
Example:
 
Realname: openvas
 
Email: openvas@localhost
 
Password: admin
 
 
=== Add a certificate to OpenVAS Scanner Keyring ===
 
 
Add the OpenVAS scanner Integrity Key:
 
 
wget https://www.greenbone.net/GBCommunitySigningKey.asc
 
gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc
 
 
=== Set trust ===
 
 
To mark a certificate as trusted for your purpose, you have to sign it.
 
The preferred way is to use local signatures that remain only in the keyring of your OpenVAS Scanner installation.
 
 
To finally sign a certificate you need to know its '''KEY_ID.'''
 
 
You either get it from the table at the bottom or via a "list-keys" command.
 
 
Then you can locally sign:
 
gpg --homedir=/etc/openvas/gnupg --list-keys
 
gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID
 
 
For example, to express your trust in the OpenVAS Transfer Integrity you imported above, you could use the following command:
 
gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580
 
 
Before signing you should be absolutely sure that you are signing the correct certificate. You may use its fingerprint and other methods to convince yourself.
 
 
To '''enable''' NVT signing on openvassd:
 
sed -i -e "s/nasl_no_signature_check.*/nasl_no_signature_check = no/g" /etc/openvas/openvassd.conf
 
 
As last step, restart openvassd service:
 
rc-service openvassd restart
 
  
 
[[Category:Server]]
 
[[Category:Server]]
 
[[Category:Monitoring]]
 
[[Category:Monitoring]]
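Review bot: the "Configure Trusted NVTs" section, kept unchanged in this revision, still refers to openvassd ("/etc/openvas/openvassd.conf", "rc-service openvassd restart"), while the updated install line installs "openvas" and "ospd-openvas" and the "rc-service openvassd ..." steps were removed from the configuration section; either update the daemon and config-file names to the GVM 11 layout or state that this section applies to the GVM 10 layout. The "gpg --lsign-key 0ED1E580" example is also given before the sentence telling readers to verify the fingerprint first; moving the fingerprint check ahead of the lsign command matches the order in which it must be done.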

Revision as of 16:39, 15 May 2020

Greenbone Vulnerability Management (GVM) 11

Introduction

With version 11, OpenVAS has been renamed to Greenbone Vulnerability Management (GVM), and it is available in the community repository.

This How-To guides you through installing a complete server solution for vulnerability scanning and vulnerability management.

Install

Enable the community repository and install the required packages:

apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas

Configuration

PostgreSQL

OpenVAS relies on PostgreSQL, which is now mandatory.

Set up and start PostgreSQL, then add it to the default runlevel:

rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

GVMd

GVMd runs as the gvm user, so generate the certificates as that user. The certificate infrastructure lets GVMd communicate securely: it is used for authentication and authorization before TLS connections are established between the daemons. You can set up the certificates automatically with:

su - gvm
gvm-manage-certs -a

Create the credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin
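As an added example that is not part of the Alpine wiki page, the following POSIX sh script creates the admin user with a generated random password instead of the literal "admin". It assumes only the gvmd options used on this page (--create-user and --password); the helper names and the secret-file path are this example's own choices, and when gvmd is not installed it only shows the command it would have run.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: create the gvmd admin user with a
# randomly generated password instead of the literal "admin" used above.
# Assumes only the gvmd options the page itself uses (--create-user, --password).

# Emit LEN random characters drawn from [A-Za-z0-9], read from /dev/urandom.
# LC_ALL=C keeps tr working byte-wise regardless of the caller's locale.
gen_password() {
    len=${1:-24}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Create USER in gvmd with a fresh password and keep that password in
# SECRET_FILE (created with mode 0600), so it is never typed into a shell
# history. If gvmd is not installed (e.g. when trying this on a workstation)
# the command that would have been run is shown instead.
create_gvm_admin() {
    user=$1
    secret_file=$2
    pw=$(gen_password 24)
    # subshell, so the restrictive umask does not leak into the caller
    ( umask 077 && printf '%s\n' "$pw" > "$secret_file" ) || return 1
    if command -v gvmd >/dev/null 2>&1; then
        gvmd --create-user="$user" --password="$pw"
    else
        echo "gvmd not found; would run: gvmd --create-user=$user --password=<contents of $secret_file>" >&2
    fi
}

# Usage (as root on the GVM host):
#   create_gvm_admin admin /root/gvm-admin.password
```

Read the password from the secret file afterwards. Note that gvmd still receives the password on its command line, exactly as on the page, so it is briefly visible in the process list; the gain here is that the value is random and not left in the shell history.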

Update GVM definitions

Download the GVM definitions and start GVMd as the root user. Be patient, it will take a while:

greenbone-scapdata-sync
greenbone-certdata-sync
rc-service gvmd start

Add gvmd to the default runlevel so it starts on boot:

rc-update add gvmd

NVT definitions can be downloaded as the gvm user:

su - gvm
greenbone-nvt-sync

Greenbone Security Assistant (GSAD)

Configure Greenbone Security Assistant (GSAD) to listen on interfaces other than localhost, so that it is reachable from other hosts.

Modify /etc/conf.d/gsad, setting:

GSAD_LISTEN="--listen=0.0.0.0"

Or, in one shot:

sed -i -e "s/127\.0\.0\.1/0\.0\.0\.0/g" /etc/conf.d/gsad
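The one-liner above rewrites every 127.0.0.1 in the file to 0.0.0.0, which binds GSAD on all interfaces. As an added example that is not from the Alpine wiki page, the following POSIX sh script instead sets GSAD_LISTEN to one chosen address, validating it first and leaving the rest of the file untouched. It assumes the GSAD_LISTEN="--listen=ADDR" form shown above; the function names, the constructed sample file and the 192.0.2.10 address are this example's own.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: set GSAD_LISTEN to one chosen
# address instead of replacing every 127.0.0.1 with 0.0.0.0. Assumes the
# GSAD_LISTEN="--listen=ADDR" form shown for /etc/conf.d/gsad on this page;
# the file path and address are passed in so it can be tried on a copy first.

# Return 0 if ADDR is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or empty octet
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr                                # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rewrite (or append) the GSAD_LISTEN line in CONF so gsad binds only to ADDR.
set_gsad_listen() {
    conf=$1
    addr=$2
    valid_ipv4 "$addr" || { echo "refusing invalid address: $addr" >&2; return 1; }
    line="GSAD_LISTEN=\"--listen=$addr\""
    if grep -q '^GSAD_LISTEN=' "$conf"; then
        # write to a temp file and rename, so a failed sed never truncates CONF
        tmp="$conf.tmp.$$"
        sed "s|^GSAD_LISTEN=.*|$line|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Print the address gsad is currently configured to listen on.
get_gsad_listen() {
    sed -n 's/^GSAD_LISTEN="--listen=\([^"]*\)"$/\1/p' "$1"
}

# Demo on a constructed copy (not the live /etc/conf.d/gsad):
demo_conf=$(mktemp)
printf '# constructed sample\nGSAD_LISTEN="--listen=127.0.0.1"\n' > "$demo_conf"
set_gsad_listen "$demo_conf" 192.0.2.10
get_gsad_listen "$demo_conf"   # 192.0.2.10
rm -f "$demo_conf"
```

On the real host, run "set_gsad_listen /etc/conf.d/gsad <address>" with the address of the interface that management clients actually use, then restart gsad; the sed replacement in the page's one-liner is only needed when binding on every interface is really what you want.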

Start GSAD and add it to the default runlevel:

rc-service gsad start
rc-update add gsad

Open a browser at the IP address where GSAD is running, on port 9392, and log in with the credentials created earlier.

Happy vulnerability assessment!