Greenbone Vulnerability Management (GVM)

From Gentoo Wiki

GVM (Greenbone Vulnerability Management, formerly the Open Vulnerability Assessment System, OpenVAS) is a network security scanner with associated tools such as a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) that detect security problems in remote systems and applications.

This guide provides instructions on installing a complete server solution for vulnerability scanning and vulnerability management.

Introduction

With version 10, OpenVAS has been renamed to Greenbone Vulnerability Management (GVM-10). The OpenVAS components have been renamed as well; the table below maps the old package names to the new ones.

GVM10 resolver package name:

  Old package name                              New package name
  net-analyzer/openvas                          net-analyzer/gvm

GVM10 core components package names:

  Old package name                              New package name
  net-analyzer/openvas-libraries                net-analyzer/gvm-libs
  net-analyzer/openvas-scanner                  net-analyzer/openvas-scanner
  net-analyzer/openvas-manager                  net-analyzer/gvmd
  net-analyzer/greenbone-security-assistant     net-analyzer/greenbone-security-assistant
  net-analyzer/openvas-cli                      net-analyzer/gvm-tools

Installation

net-analyzer/gvm is the resolver package for the core GVM components and has several USE flags that may be desired for larger setups. This article aims at installing and configuring a basic GVM setup.

USE flags

USE flags for net-analyzer/gvm: Greenbone Vulnerability Management, previously named OpenVAS

cli Command Line Interface for OpenVAS Scanner
cron A cron job to update GVM's vulnerability feeds daily
extras Extra fonts, PDF results and HTML docs support
gsa Greenbone Security Assistant (WebUI)
ldap Add LDAP support (Lightweight Directory Access Protocol)
ospd Enable support for scanner wrappers
postgres Add support for the postgresql database
radius Add support for RADIUS authentication
sqlite Add support for sqlite - embedded sql database

Emerge

root #emerge --ask net-analyzer/gvm

Configuration

Redis

openvas-scanner relies on Redis, which should be configured to listen on a Unix socket.

Modify /etc/redis.conf by setting:

FILE /etc/redis.conf
unixsocket /tmp/redis.sock
unixsocketperm 700
port 0
#save 900 1
#save 300 10
#save 60 10000
#maxmemory 64mb

Then start redis and enable it:

OpenRC

root #rc-service redis start
root #rc-update add redis

systemd

root #systemctl start redis.service
root #systemctl enable redis.service
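Before starting Redis, it is worth confirming that the file really ends up socket-only, since openvas-scanner needs nothing but the Unix socket and a Redis that still listens on TCP is needless exposure. The following check is an added example and not part of the wiki page; it reads a redis.conf and reports the three settings above (no TCP port, a unixsocket, owner-only socket permissions).

```shell
# Added example, not from the wiki page: verify that a redis.conf matches the
# socket-only setup described above. Usage: check_redis_conf /etc/redis.conf

# Effective value of a directive: the last uncommented occurrence wins, as in
# Redis itself. Commented lines start with '#' and therefore never match.
redis_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

check_redis_conf() {
    conf=$1
    rc=0
    port=$(redis_directive "$conf" port)
    sock=$(redis_directive "$conf" unixsocket)
    perm=$(redis_directive "$conf" unixsocketperm)

    # Redis listens on 6379 when 'port' is absent, so a missing directive is a finding too.
    if [ "${port:-6379}" != "0" ]; then
        echo "WARN: TCP listener enabled (port ${port:-6379}); expected 'port 0'"
        rc=1
    fi
    if [ -z "$sock" ]; then
        echo "WARN: no 'unixsocket' directive; openvassd has nothing to connect to"
        rc=1
    fi
    # The wiki uses 700 (owner only). Any group/other bits let other local users
    # talk to the scanner's knowledge base.
    case "$perm" in
        [0-7]00) ;;
        "")  echo "WARN: no 'unixsocketperm'; Redis leaves the socket mode at its default"; rc=1 ;;
        *)   echo "WARN: unixsocketperm $perm grants access beyond the owner"; rc=1 ;;
    esac
    return $rc
}
```

The function returns 0 only when all three settings are as the section requires, so it can gate the `rc-service redis start` step in a provisioning script.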

PostgreSQL backend

Note
SQLite support will be dropped in the next version of Greenbone Vulnerability Manager (gvmd-9). Therefore, the use of PostgreSQL is highly recommended.
Note
Keep in mind that GVM runs under user and group 'gvm', so we create a database user named 'gvm' and a database named 'gvmd'.
Warning
To create the "uuid-ossp" extension, PostgreSQL must be compiled with the 'uuid' USE flag; otherwise you will get an error.

Readers preferring PostgreSQL (recommended) over SQLite need to create the user and the database first, then grant the user the necessary permissions:

root #sudo -u postgres bash
CODE PostgreSQL Operations
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
\q
exit

Greenbone Vulnerability Tests (NVTs)

Upgrade the NVT (Network Vulnerability Tests) archives:

Warning
The following commands must be executed sequentially as user gvm.
Note
You need to allow rsync (TCP/873) without NAT or proxy to the Greenbone IPv6/IPv4 feed server [feed.community.greenbone.net]. SSH on port 24 or 443 is only supported if you use the GSF (paying Greenbone customers). Check with your firewall that the connection is allowed. Note that if you share your IP with other systems, the GCF limit is one feed sync per IP. You can check whether the connection works by telnetting to port 873.
root #sudo -u gvm bash
user $greenbone-nvt-sync
user $greenbone-scapdata-sync
user $greenbone-certdata-sync

Be patient, it will take a while. If you get these errors:

user $greenbone-nvt-sync
rsync: failed to connect to feed.openvas.org (89.146.224.58): Connection refused (111)
rsync: failed to connect to feed.openvas.org (2a01:130:2000:127::d1): Network unreachable (101)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3] 

then try appending the --rsync or --curl argument, like:

user $greenbone-nvt-sync --curl
user $greenbone-scapdata-sync --rsync
user $greenbone-certdata-sync --rsync

Now, generate the certificate for gvmd.

The certificate infrastructure enables GVM daemons to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.

You can set up the certificates automatically with:

user $gvm-manage-certs -a

Starting Greenbone daemons

After the Redis configuration and the Greenbone Vulnerability feed sync tasks have completed, start the daemons.

Note
  • Start the services sequentially: openvassd > gvmd > gsad
  • Greenbone daemons ignore SIGHUP, so the restart and reload commands do not work as expected.

Openvas Scanner (openvassd)

Start openvas scanner daemon:

OpenRC

root #rc-service openvassd start
root #rc-update add openvassd

systemd

root #systemctl start openvassd.service
root #systemctl enable openvassd.service

This will take a while, since OpenVAS is loading all the downloaded NVT definitions. Check that openvassd has finished loading the NVTs before starting gvmd:

root #ps aux | grep openvassd
openvassd: Waiting for incoming connections
openvassd: Serving /var/run/openvassd.sock

Greenbone Vulnerability Manager (gvmd)

Start greenbone vulnerability manager daemon:

OpenRC

root #rc-service gvmd start
root #rc-update add gvmd

systemd

root #systemctl start gvmd.service
root #systemctl enable gvmd.service

This will take a while, since gvmd is rebuilding its database with all the downloaded NVT definitions. In ps aux you will see the gvmd process in the "Syncing SCAP" state. Don't worry, after a while gvmd will finish loading the SCAP data; it is normal for this to take a long time.

As user gvm, create a new user with the Admin role and take note of the generated password:

root #sudo -u gvm bash
user $gvmd --create-user=admin --role=Admin
User created with password '18664575-7101-4ceb-8a94-429a376824e6'
Tip
If you want to change the password you can run:
user $gvmd --user=admin --new-password=MyNewVeryStrongPassword

Greenbone Vulnerability Assistant WebUI (gsad)

The Greenbone Security Assistant (GSA) WebUI listens on port 9392 on localhost by default. If you wish, you can configure the Greenbone Security Assistant daemon (gsad) to listen on other interfaces rather than localhost only, so it is reachable from other hosts.

FILE /etc/conf.d/gsad (OpenRC)
GSAD_LISTEN_ADDRESS="--listen=0.0.0.0"

FILE /etc/gvm/sysconfig/gsad-daemon.conf (systemd)
GSAD_LISTEN_ADDRESS="--listen=0.0.0.0"

Or, in one shot:

CODE OpenRC
sed -i -e "s/127\.0\.0\.1/0\.0\.0\.0/g" /etc/conf.d/gsad
CODE Systemd
sed -i -e "s/127\.0\.0\.1/0\.0\.0\.0/g" /etc/gvm/sysconfig/gsad-daemon.conf
Tip
If you prefer reverse proxying with NGINX, check out /etc/openvas/gsa.nginx.reverse.proxy.example

Start greenbone vulnerability assistant daemon:

OpenRC

root #rc-service gsad start
root #rc-update add gsad

Systemd

root #systemctl start gsad.service
root #systemctl enable gsad.service

Open the browser at the IP address or domain name where GSAD is running, on port 9392, and login with the credentials previously created.

Happy vulnerability assessment!

Misc

Migrating Version OpenVAS 9.0 to GVM-10.0

GVM-10 is a major update, so an in-place upgrade from OpenVAS-9 is not possible, but the old database can still be migrated. If you are upgrading from OpenVAS-9 to GVM-10, you need to move some files to the locations where they are now expected before starting gvmd 8.0.1 for the first time. If you do not, the files are freshly initialized and transferring the old data properly becomes more complicated.

root #mv /etc/openvas/pwpolicy.conf /etc/gvm/
root #mv /etc/openvas/openvasmd_log.conf /etc/gvm/gvmd_log.conf
root #cp /etc/openvas/gsf-access-key /etc/gvm/
root #mv /var/lib/openvas/scap-data /var/lib/gvm/scap-data
root #mv /var/lib/openvas/cert-data /var/lib/gvm/cert-data
root #mv /var/lib/openvas/openvasmd /var/lib/gvm/gvmd
root #mv /var/lib/openvas/CA /var/lib/gvm/CA
root #mv /var/lib/openvas/private /var/lib/gvm/private

SQLite

root #mv /var/lib/openvas/mgr/tasks.db /var/lib/gvm/gvmd/gvmd.db

PostgreSQL

root #sudo -u postgres bash
user $psql --command='ALTER DATABASE tasks RENAME TO gvmd;'

Migrating the Database

If you have used Manager before, you might need to migrate the database to the current data model. Run the migration with:

root #gvmd --migrate

Configure Trusted NVTs

Summary of https://community.greenbone.net/t/gcf-managing-the-digital-signatures/101:

Trusted NVTs

"Signed NVTs are usually provided by NVT Feed Services. For example, the NVTs contained in the OpenVAS NVT Feed are signed by the "OpenVAS Transfer Integrity" key which you can find at the bottom of this page. If you have already installed OpenVAS, you can use the "greenbone-nvt-sync" command to synchronize your NVT collection with the OpenVAS NVT Feed and receive signatures for all NVTs."

Create key

You need to choose a real name, an email address and a password. Example:

root #gpg --homedir=/etc/openvas/gnupg --gen-key
Realname: openvas 
Email: openvas@localhost
Password: admin

Add a certificate to OpenVAS Scanner Keyring

Add the OpenVAS scanner Integrity Key:

root #gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc

Set trust

To mark a certificate as trusted for your purpose, you have to sign it. The preferred way is to use local signatures that remain only in the keyring of your OpenVAS Scanner installation.

To finally sign a certificate you need to know its KEY_ID. You either get it from the table at the bottom or via a "list-keys" command.

Then you can locally sign:

root #gpg --homedir=/etc/openvas/gnupg --list-keys
root #gpg --homedir=/etc/openvas/gnupg --lsign-key KEY_ID

For example, to express your trust in the OpenVAS Transfer Integrity you imported above, you could use the following command:

root #gpg --homedir=/etc/openvas/gnupg --lsign-key 0ED1E580

Before signing you should be absolutely sure that you are signing the correct certificate. You may use its fingerprint and other methods to convince yourself.
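The following shell functions, added here as an example and not part of the wiki page, turn that advice into a gate: the page's --lsign-key is only run once the primary key's full fingerprint (read from gpg --with-colons output) matches a value you obtained out of band from Greenbone's signature page. The expected fingerprint is a placeholder to fill in; the homedir and the key id are the ones the page uses.

```shell
# Added example, not from the wiki page: refuse to --lsign-key unless the key's
# full fingerprint matches one obtained out of band.
GNUPGHOME_OPENVAS=/etc/openvas/gnupg
EXPECTED_FPR="<FINGERPRINT FROM GREENBONE SIGNATURE PAGE>"   # placeholder, fill in

# Extract the primary-key fingerprint from `gpg --with-colons --fingerprint`
# output on stdin. The 'fpr' record directly after 'pub' carries the 40-hex-digit
# fingerprint in field 10; subkey fingerprints (after 'sub') are skipped.
primary_fingerprint() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0 }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Compare two fingerprints ignoring case and the spaces gpg prints for
# readability. A short key id (8 hex digits) never matches: only a full
# 40-digit fingerprint identifies the key unambiguously.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Verify first, then run the page's local signing command. Any mismatch refuses.
lsign_if_fingerprint_matches() {
    key_id=$1 expected=$2
    actual=$(gpg --homedir="$GNUPGHOME_OPENVAS" --with-colons --fingerprint "$key_id" | primary_fingerprint)
    if fingerprint_matches "$actual" "$expected"; then
        gpg --homedir="$GNUPGHOME_OPENVAS" --lsign-key "$key_id"
    else
        echo "refusing to sign $key_id: fingerprint '$actual' does not match expected '$expected'" >&2
        return 1
    fi
}

# Example invocation with the key id from the page:
# lsign_if_fingerprint_matches 0ED1E580 "$EXPECTED_FPR"
```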

To enable NVT signing on openvassd:

CODE enable NVT signing
sed -i -e "s/nasl_no_signature_check.*/nasl_no_signature_check = no/g" /etc/openvas/openvassd.conf

As the last step, restart the openvassd service:

root #rc-service openvassd restart

Troubleshooting

If you encounter a problem on a fresh installation, first stop the Greenbone daemons (openvassd, gvmd and gsad) and clear the Redis cache:

root #redis-cli -s /tmp/redis.sock FLUSHDB
root #redis-cli -s /tmp/redis.sock FLUSHALL

Clean the pre-generated NVTs and database:

root #rm -rf /var/lib/gvm/*

Then follow the instructions again.

See Also

  • PostgreSQL — a free and open source relational database management system (RDBMS).
  • Nmap — an open source recon tool used to check for open ports, what is running on those ports, and metadata about the daemons servicing those ports.
  • Security Handbook — a step-by-step hardening guide for Gentoo Linux.