Installation will be located in

• /opt/gvm/ for binaries.
• /var/lib/gvm/ for gvm data CA and feed data.
• /var/lib/openvas/ for OpenVAS feed data (.nasl files)

• Dedicated to GVM, nothing else.
• Use the defaults where possible.
• Least access.
• Prepared for adding secondaries.

Note: The primary server also serves as the Certificate Authority for itself and all secondaries.

During installation a GVM user called 'admin' is created. The generated password for user admin is stored in the file /var/lib/gvm/adminuser. It is recommended that this password is changed and/or the file deleted. Do NOT delete the user admin unless you also change the feedowner to another user. This is described in the section Feed Owner.

To create a secondary see instructions later - but running the script add-secondary-2-primary.sh does the work required on the primary as well as on the secondary, hence this is the preferred method¹.

¹ You can install the complete installation on a secondary, that is include GSAD etc, but there's no good reason to. The secondary with ospd-openvas and openvas only is a small efficient thing with a smaller attack surface.

• Updated to Greenbone Community Edition 22.4.1 Bugfix release (2023-01-13).

• Upgraded GVMD to version 22.4.1 and updated some of the scripts + added a few more.

• Added scripts: Example create Targets and export reports in pdf and csv format

• Upgraded installation to 22.4.0 requiring notus-scanner and mosquitto

• Creating /run/gsd/ with tmpfiles

• GSA Web components and GSA Daemon 2 separate packages. Installation now also handles that as two functions.
• Minor changes to gsad.service, now using --drop-privileges

• In order to benefit from the security features of NGINX, GSAD is now being proxied through that.
• Connect directly to https://servername/ and NGINX will proxy to GSAD as well as redirect if you forget to specify https.

• The script add-secondary-2-primary.sh now does everything needed to get a secondary up and running.
• Provided the primary can connect to the secondary over SSH/SCP and the configured port, that is ports 22/TCP and 9390/TCP.
• Port 9390/TCP used to communicate with secondaries can be changed in the scripts.²
• Port 22 for SSH/SCP can be changed in sshd_config, however also needs changing in the script add-secondary-2-primary.sh.

² I've successfully used 3389/TCP on networks that wouldn't allow port 9390 "for security reasons" but allowed RDP across all networks. (Yeah, those stupid rules do exist).

• Add packages for nodesource to install node 14.x instead of the lesser versions in the Debian repos. According to Greenbone documentation Node >= 14 is required.

• VirtualBox and Vagrant support files.

• Version 2.0 was borked with wrong path to the ospd socket causing NVT's, scan configs and policies to not synchronize across Openvas/Redis and GVMD/Postgres.

• https://community.greenbone.net/t/new-releases-for-gvm-20-08-and-gvm-21-04/10385
• Greenbone Security Assistant (GSA) 21.4.3
• gvmd 21.4.4
• ospd-openvas 21.4.3
• openvas-scanner 21.4.3
• OpenVAS SMB v21.4.0
• gvm-libs 21.4.3
• gvm-tools 21.10.0
• python-gvm 21.11.0 (as of December 2021)

• Works with Debian 10 (Buster) and Debian 11 (Bullseye). Likely to work with most Debian based distros, but some checks in the scripts expect Debian 10 or 11.
• Debian 11 (Bullseye) is the preferred distro and the one most tests are run against.

• Changed to 21.4.0 versions, as all older versions are retired as of 2021-12-03: https://community.greenbone.net/t/greenbone-os-20-08-retired/10873.

• Modified to work with the latest releases from Greenbone: https://community.greenbone.net/t/new-releases-for-gvm-20-08-and-gvm-21-04/10385.

The overall components are depicted in the figure below. All dotted lines are transitory, existing only during installation, that is initiated by the bash scripts.

• At install time, when running the script add-secondary-2-primary.sh the primary connects to the secondary over port 22/TCP. If this is not possible, copy the created certificates to the secondary using another method and run script secondary.certs.sh on the secondary.
• During normal operations, GVMD, running on the primary, connects from an ephemeral port to port 9390/TCP on the secondary, connecting to osdp-openvas. ospd-openvas in return controls openvas-scanner on the secondary, allowing GVMD on the primary to control OpenVAS on the secondary.
• Port 9390/TCP can be changed to any available port, however you must ensure that traffic is allowed whatever port you choose.

Run install-GSE-2021.sh and wait for a (long) while.

• The primary needs at least 4Gb of RAM, preferably more. The testlab (Vagrant) assigns 5120 MB.
• Don't skimp on the hardware for the primary, however you don't need extreme performance. Test according to your requirements and select haeware based on that.

Note: Several issues with TEX, currently resolved by installing texlive-full. Installing texlive-full takes a lot of time compared to everything else installed, but Debian has a quirk here that sometimes breaks apt when not installing texlive-full.

Run install-GSE-2021-secondary.sh and wait for installation to finish.

• This works in 1Gb of RAM, but more is recommended.
• Raspberry Pi's work well, however only tested on RPi 4's with 2Gb and more. Feel free to perform your own testing on other SBC's and report back here.
• The latest RaspiOS is based on Bullseye, use the Raspberry Pi OS Lite version (it is supposed to run as a server after all, you don't want a Desktop Environment on that.

Run add-secondary-2-primary.sh on the primary.

• You need to provide the folowing to the script (both will be provided when the installation of the secondary finishes).
  • hostname or IP address of the secondary.
  • Pasword of the user Greenbone on the secondary. This is shown in the terminal when the script *install-GSE-2021-secondary.sh' finishes.
• This will add the new secondary to GVMD.
• Provided the primary can connect to the secondary over ssh (22/TCP) the certs and key needed will be copied to the secondary and ospd-openvas restarted.

The add-secondary-2-primary.sh does the following. a) Copies required certificates to the secondary. b) runs the helper script secondary-certs.sh on the secondary to ensure all certificates are in the right location. c) restarts ospd-openvas on the secondary. c) configures GVMD to use this scanner. 3. You can now verify the secondary using either the UI or gvmd with the switch '--verify-scanner=' as discussed later in this README.

If this fails, just copy the .pem files from /var/lib/gvm/secondaries/hostname_of_secondary/ to the new secondary, run secondary-certs.sh and ospd-openvas.service should start and scanner can be verified. Follow the steps under Manual Installation below.

Provided you have Vagrant and VirtualBox installed, installation is "just".

1. git clone https://github.com/martinboller/gse.git
2. cd /gse/
3. vagrant up

Packages required:

• VirtualBox https://www.virtualbox.org/
• Vagrant https://www.vagrantup.com/downloads

• Install VirtualBox on your preferred system (MacOS or Linux is preferred) as described on the VirtualBox website.
• Install the VirtualBox Extensions.

Both software titles can be downloaded from https://www.virtualbox.org/ They can also be added to your package manager, which help with keeping them up-to-date. This can also easily be changed to run with VMWare.

• Install Vagrant on your system as described on the Vagrant website.
• Vagrant is available at https://www.vagrantup.com/downloads.

This will install a primary called "manticore" and a secondary called "aboleth", which can be changed inside "Vagrantfile". Prerequisite: A DHCP server on the network, alternatively change the NIC to use a static or NAT within Vagrantfile.

• Create a directory with ample space for Virtual Machines, e.g. /mnt/mydata/VMs.
• Configure VirtualBox to use that directory for Virtual Machines by default.
• Change directory into /mnt/mydata/Environments/.
• Run git clone https://github.com/martinboller/gse.git.
• Change directory into /mnt/mydata/Environments/sf-build/.
• Execute vagrant up and wait for the OS to install.

You may have to select which NIC to use for this e.g. wl02p01. Logon to the website on the server https://manticore (if you have not changed the hostname and DNS works. If not, use the ip address).

The first install will take longer, as it needs to download the Vagrant box for Debian 11 (which this build is based on) first, however that’ll be reused in subsequent installations.

The first OpenVas scanner is always UUID: 08b69003-5fc2-4037-a479-93b440211c73. The script verifies bot the OpenVAS and the GVMD Scanner by running. For OpenVAS:

su gvm -c '/opt/gvm/sbin/gvmd --verify-scanner 08b69003-5fc2-4037-a479-93b440211c73'

Which should return this (Version Mar. 2022).

Scanner version: OpenVAS 21.4.4.

For GVM:

su gvm -c '/opt/gvm/sbin/gvmd --verify-scanner 6acd0832-df90-11e4-b9d5-28d24461215b'

Which should return this (Version Mar. 2022).

Scanner version: GVM/21.4.5.

During install an Admin user is created, and the initial password stored here:

cat /opt/gvm/lib/adminuser.

It is good security practice to change this (do it now):

/opt/gvm/sbin/gvmd --user admin --new-password 'Your new password'

The admin account is import feed owner: https://community.greenbone.net/t/gvm-20-08-missing-report-formats-and-scan-configs/6397/2 So do not delete this account, unless you reconfigure it to be another. Do remember to change its initial password as discussed here.

If you want to change feedowner, the following commands can be used to create another account and make that the feedowner. You can also just change it in install-GSE-2021.sh before running it the first time.

su gvm -c '/opt/gvm/sbin/gvmd --create-user=MyOwnUser'

Get the UUIDs of all users.

su gvm -c '/opt/gvm/sbin/gvmd --get-users --verbose'

Or just for your newly created user.

su gvm -c '/opt/gvm/sbin/gvmd --get-users --verbose | grep MyOwnUser'

Pick the UUID for the one you just created in the list provided and replace UUID of new account below.

su gvm -c '/opt/gvm/sbin/gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value UUID of new account' 

• tail -f /var/log/gvm/ospd-openvas.log < By default only provide informational logging, but enabling debug logging is great for t-shooting.
• tail -f /var/log/gvm/gvmd.log < How is GVM in general behaving, and can it communicate with both local and remote scanners (secondaries).
• tail -f /var/log/gvm/openvas-log < This is very useful when scanning, not least on a secondary.
• tail -f /var/log/syslog | grep -i gse < The installation scripts log a lot of what they do, this will follow along during installation.

create a directory for the files needed, and:

• copy the gsecert.cfg file into that directory. Modify it to reflect your certificate requirements (it works as is and creates wildcard cert)
• cd into the directory, and run the following:

/opt/gvm/sbin/gvm-manage-certs -e ./gsecert.cfg -v -d -c

Before doing the above, verify if the required certificates can be created by add-secondary-2-primary.sh, as that will still do most of the work even if not able to copy the required files to the secondary.

Copy the created secondary-cert.pem, secondary-key.pem, as well as the cacert.pem file to the secondary (the cacert.pem can be found in /var/lib/gvm/CA/ on the primary)

su gvm -c 'cp ./secondary-cert.pem /var/lib/gvm/CA/'
su gvm -c 'cp ./secondary-key.pem /var/lib/gvm/private/CA/'
su gvm -c 'cp ./cacert.pem /var/lib/gvm/CA/'

Restart ospd-openvas:

systemctl restart ospd-openvas.service

Update Openvas feed:

su gvm -c '/opt/gvm/sbin/openvas --update-vt-info'

Whereever the required files (secondary-cert.pem and secondary-key.pem) are:

chown gvm:gvm *.pem
su gvm -c '/opt/gvm/sbin/gvmd --create-scanner="OSP Scanner secondary hostname" --scanner-host=hostname --scanner-port=9390 --scanner-type="OpenVas" --scanner-ca-pub=/var/lib/gvm/CA/cacert.pem --scanner-key-pub=./secondary-cert.pem --scanner-key-priv=./secondary-key.pem'

Example:

su gvm -c '/opt/gvm/sbin/gvmd --create-scanner="OpenVAS Secondary host aboleth" --scanner-host=aboleth --scanner-port=9390 --scanner-type="OpenVas" --scanner-ca-pub=/var/lib/gvm/CA/cacert.pem --scanner-key-pub=./secondary-cert.pem --scanner-key-priv=./secondary-key.pem'

Which should output this: Scanner created.

su gvm -c '/opt/gvm/sbin/gvmd --get-scanners'

Outputting something like this (the UUID will be different for the scanner just created) 08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /var/run/ospd/ospd-openvas.sock 0 OpenVAS Default 6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE 3e2232e3-b819-41bc-b5be-db52bfb06588 OpenVAS mysecondary 9390 OSP Scanner mysecondary

Verify the secondary just added:

su gvm -c '/opt/gvm/sbin/gvmd --verify-scanner=3e2232e3-b819-41bc-b5be-db52bfb06588'

Which, provided the scanner works, should return this:

Congrats, You have now added a secondary scanner manually

If you've created a scanner in error or have decommissioned it, remove it using --delete-scanner.

• find the UUID the same ways as described in the section 4. Verification steps on the primary.
• then run the following (replacing the UUID with the one found):

su gvm -c '/opt/gvm/sbin/gvmd --delete-scanner=f12cca78-c6b9-4fd1-ad4f-9a9eb2037d29'

Added the following scripts: -create_targets.sh. This takes the admin password as input and creates some example networks -export-csv-report.gmp.py. Creates a csv formatted report. You need to specify user, password, connection type as well as the id of the report: Examples in the script. -export-pdf-report.gmp.py. Same as above but pdf format.

Just after installation, going from empty feeds to fully up-to-date, you'll notice that postgres is being hammered by gvmd and that redis are by ospd-openvas as openvas-scanner uses Redis (on the secondary only ospd-openvas, openvas, and redis is running). When feeds are updated this isn't as obvious, as the delta is significantly less than "everything". Use ps or top to follow along - the UI also show that the feeds are updating under Administration -> Feed Status.

Primary, Web Interface:

Primary, top:

Secondary, top:

If you want to check the certificates are correct and contain the desired information, openssl is useful;

For the webserver on the primary host
openssl s_client -showcerts -servername primary_host_name -connect primary_host_name:443

For the secondary with ospd-openvas listening on 9390
openssl s_client -showcerts -servername secondary_host_name -connect secondary_host_name:9390

There's a short companion blogpost on https://blog.infosecworrier.dk/2020/12/building-your-own-greenbone.html