Greenbone Vulnerability Management

Greenbone Vulnerability Management (GVM) is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

GVM was previously known as Open Vulnerability Assessment System (OpenVAS). OpenVAS was a fork of Nessus, the popular corporate security scanner maintained by Tenable. Both OpenVAS and Nessus were originally built from the nmap port scanner.

This guide provides instructions on installing a complete server solution for vulnerability scanning and vulnerability management.

Introduction
As mentioned above, OpenVAS was renamed to Greenbone Vulnerability Management (GVM-10) with version 10. The names of the OpenVAS components were changed as well. The current package naming scheme is given in the table below.

Installation
is the resolver package of core GVM components and has several USE flags that may be desired for certain bigger setups. As this article aims at installing and configuring a basic GVM setup.

Redis
Openvas-scanner relies on Redis. Redis should be configured to listen on a socket.

Modify by setting :

Then start redis and enable it:
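To confirm that a redis.conf really restricts Redis to a socket, the following check can be run against it. It is an added example, not part of the original guide; the function names, the sample socket path and the policy of treating an enabled TCP listener as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a redis.conf for socket-only operation.

# Print the value of the last uncommented occurrence of a directive.
# Directive names are case-insensitive and the last occurrence wins.
redis_directive() {
    awk -v key="$1" 'tolower($1) == key { val = $2 } END { print val }' "$2"
}

# Prints one line per finding and returns the number of findings
# (0 = Redis is reachable only through a socket closed to "other" users).
audit_redis_conf() {
    conf=$1
    findings=0
    sock=$(redis_directive unixsocket "$conf")
    perm=$(redis_directive unixsocketperm "$conf")
    port=$(redis_directive port "$conf")

    if [ -z "$sock" ]; then
        echo "FAIL: no unixsocket directive, Redis will not create a socket"
        findings=$((findings + 1))
    fi
    case $perm in
        "")     echo "FAIL: unixsocketperm unset, socket mode is left to the umask"
                findings=$((findings + 1)) ;;
        *[1-7]) echo "FAIL: unixsocketperm $perm grants access to other users"
                findings=$((findings + 1)) ;;
    esac
    # Redis listens on TCP port 6379 unless the port is explicitly set to 0.
    if [ "${port:-6379}" != "0" ]; then
        echo "FAIL: TCP listener enabled on port ${port:-6379}"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configuration (illustrative values, not the guide's own).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# port 6379
port 0
unixsocket /run/redis/redis.sock
unixsocketperm 770
EOF
audit_redis_conf "$sample" && echo "OK: socket-only"
rm -f "$sample"
```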

PostgreSQL backend
Readers who prefer PostgreSQL (recommended) over SQLite need to create a user and a database first, then grant the user the necessary permissions:

Network Vulnerability Tests (NVTs)
Upgrade the NVT (Network Vulnerability Tests) archives:

Be patient...it will take a while.

If experiencing the following error:

Try to append  or   options, like:

Now, generate the certificate for gvmd.

The certificate infrastructure enables GVM daemons to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.

Set up the certificate automatically by running:

Starting Greenbone daemons
Once Redis is configured and the Greenbone Vulnerability Feed rsync tasks have completed, start the daemons.

Openvas Scanner (openvassd)
Start openvas scanner daemon:

systemd
This will take a while, since OpenVAS is loading all downloaded NVT definitions. Check the status of openvassd to confirm that it has finished loading the NVTs before starting gvmd:

Greenbone Vulnerability Manager (gvmd)
Start Greenbone Vulnerability Manager daemon:

systemd
This will take a while, since gvmd is rebuilding its database with all downloaded NVT definitions. In the output of `ps aux`, the gvmd process will show the "Syncing SCAP" state. Don't worry: after a while gvmd will load the SCAP data. It is normal for this to take a long time.

Create a new user with Admin role, and take note of the generated password under user gvm:

Greenbone Vulnerability Assistant WebUI (gsad)
The Greenbone Security Assistant (GSA) WebUI listens on port 9392 on localhost by default. If desired, Greenbone Security Assistant (GSAD) can be configured to listen on interfaces other than localhost, so that it is reachable from other hosts.

Or, in one shot:

Start greenbone vulnerability assistant daemon:

systemd
Open the browser at the IP address or domain name where GSAD is running, on port 9392, and log in with the credentials previously created.

Happy vulnerability assessment!

Migrating version OpenVAS 9.0 to GVM-10.0
GVM-10 is a major update, so a direct update from OpenVAS-9 is not possible, but the old database can still be migrated. When upgrading from OpenVAS-9 to GVM-10, some files need to be moved to the new locations where they are now expected before gvmd 8.0.1 is started for the first time. If this is not done, the files are freshly initialized and transferring the old data properly becomes more complicated.

Migrating the database
If you have used Manager before, you might need to migrate the database to the current data model. Use this command to run the migration:

Configure trusted NVTs
Summary of https://community.greenbone.net/t/gcf-managing-the-digital-signatures/101:

Create key
You need to choose Realname, Email and a Password. Example:

Add a certificate to OpenVAS Scanner keyring
Add the OpenVAS scanner Integrity Key:

Set trust
To mark a certificate as trusted for your purpose, you have to sign it. The preferred way is to use local signatures that remain only in the keyring of your OpenVAS Scanner installation.

To sign a certificate you need to know its KEY_ID. You can get it either from the table at the bottom or via a "list-keys" command.

Then you can locally sign:

For example, to express your trust in the OpenVAS Transfer Integrity you imported above, you could use the following command:

Before signing you should be absolutely sure that you are signing the correct certificate. You may use its fingerprint and other methods to convince yourself.
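One way to make the fingerprint check mechanical before the local signature is applied (an added example, not part of the original guide): the functions below compare the primary-key fingerprint in gpg's colon-delimited listing with a fingerprint obtained out of band, and refuse short key IDs. The function names and the sample listing are constructed for this example, and `<scanner-keyring-dir>` is a placeholder.

```shell
#!/bin/sh
# Added example: verify a key fingerprint before running --lsign-key.

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary key's fingerprint: the first "fpr" record, field 10.
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip spaces and upper-case a fingerprint as a human would paste it.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fingerprint_matches EXPECTED   (listing on stdin)
# Returns 0 on an exact match, 1 on mismatch, 2 if EXPECTED is not a full
# 40-hex-digit fingerprint (a short key ID is not accepted as proof).
fingerprint_matches() {
    expected=$(normalise_fpr "$1")
    actual=$(primary_fingerprint)
    case $expected in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ "$expected" = "$actual" ]
}

# Constructed sample listing: a primary key followed by one subkey.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Constructed Example Key <key@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::e:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
EOF
}

sample_listing \
    | fingerprint_matches "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567" \
    && echo "fingerprint verified"

# With a real keyring, sign only after the check succeeds:
#   gpg --homedir <scanner-keyring-dir> --with-colons --fingerprint "$KEY_ID" \
#     | fingerprint_matches "$EXPECTED" \
#     && gpg --homedir <scanner-keyring-dir> --lsign-key "$KEY_ID"
```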

To enable NVT signing on openvassd:

As a last step, restart the openvassd service:

Troubleshooting
If you encounter a problem on a fresh installation, first stop the Greenbone daemons (openvassd, gvmd and gsad) and clear the Redis cache:

Clean the pre-generated NVTs and database:

Then follow the instructions again.