falkowich / comments-sadsloth

post/install-gvm11-src_part1/ #6

Open utterances-bot opened 5 years ago

utterances-bot commented 5 years ago

Install Greenbone Vulnerability Manager 11 on Ubuntu 19.04 from source... Part 1 · sadsloth.net

https://sadsloth.net/post/install-gvm11-src_part1/

drmendes commented 5 years ago

Many thanks Falk. I am a total rookie in the fields but I believe the error on Iana update is a bug. They have been renaming openvassd to openvas. Basically because openvassd was the name of the scanner in the latter versions whereas openvas was what is now called gvm. Again, this is my understanding.

falkowich commented 5 years ago

@apilynx, Thanks.

My thoughts too. I will see if a bug is opened upstream.

-- Regards Falk

drmendes commented 5 years ago

@falkowich https://github.com/greenbone/gvmd/pull/802 (:

falkowich commented 5 years ago

@apilynx thanks for the link to the bugreport!

PickingUpPieces commented 5 years ago

Thanks for the great tutorial :D Are you planning to create a docker-compose out of it btw? :)

falkowich commented 5 years ago

@PickingUpPieces Thnx, Yes, as soon as possible :tm: :)

Perhaps within the next week I can have something up and running.

PickingUpPieces commented 5 years ago

Wow would be awesome - appreciate it a lot :D

falkowich commented 5 years ago

Finally this is a sorta working guide :)

Now I can continue with the docker build process :)

drmendes commented 5 years ago

Great work Falk. Problem with Default scanner is that its default host is not in /var... but /opt/gvm/var..., its uuid is hardcoded so one can hammer it with:

    sudo -u gvm gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/opt/gvm/var/run/ospd.sock

Not the best for sure. I have a working docker but I am having some trouble separating it into different dockers.

drmendes commented 5 years ago

*You can also create a symlink for the socket

en3rgetic commented 5 years ago

Thanks for the great manual.

I hope you can help me. I can't update my iana ports because I have no gvmd.db on my machine. I did a find (as root) to find it, but unfortunately there is no db. :-(

en3rgetic commented 5 years ago

Sorry, I missed the line in the caveats, so please ignore my question. :-)

Car10sH commented 5 years ago

@en3rgetic / all: if you want to manually update the IANA port names, you can run the following after downloading the xml file with wget (basically does what the broken script is supposed to do):

    xsltproc /opt/gvm/share/gvm/gvmd/portnames_update.xsl service-names-port-numbers.xml | sed "s/^<.*>$//g" | psql -v ON_ERROR_STOP=1 -q --pset pager=off --no-align -d gvmd -t

falkowich commented 5 years ago

Car10sH , thanks for the help! And en3rgetic, thanks for the kind words!

en3rgetic commented 5 years ago

@Car10sH, Thanks for the work around. It did the trick.

Car10sH commented 5 years ago

@falkowich @en3rgetic no problem, glad to help. I'd like to say thanks for the guide as well @falkowich, it's been very helpful. I've not built a lot of stuff from source before, so having it broken down into steps is immensely useful and has helped me to understand the processes involved. Cheers!

en3rgetic commented 5 years ago

Hi, I'm missing the HTML report. Can someone tell me where I can find it and add it. Thanks

Car10sH commented 5 years ago

@en3rgetic: Looks like that report isn't available/included anymore (as of GVM 10): https://stackoverflow.com/questions/56182931/openvas-html-report/56471870#56471870

"Nevertheless the a HTML report isn't included in GVM 10 anymore. A new customizable HTML report will only be available for Greenbone customers."

So it would appear that you need to be a paying customer to have access to HTML reports. :(

drmendes commented 5 years ago

@en3rgetic you can still check

    /opt/gvm/src/gvmd-9.0.0/report_formats

Here you should have HTML folder format as well as a README file explaining how to generate the format which you then upload. I couldn't get it to work but I tried for 2 minutes and I am a rookie. Also check fossies and the outdated report generation webpage.

theraulmillan commented 5 years ago

This step is not very clear, and in my environment is failing:

install the virtualenv

    cd src ;\
    export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH ;\
    virtualenv --python python3.7 /opt/gvm/bin/ospd-scanner/ ;\
    source /opt/gvm/bin/ospd-scanner/bin/activate

Results:

    The path python3.7 (from --python=python3.7) does not exist
    bash: /opt/gvm/bin/ospd-scanner/bin/activate: No such file or directory

Any ideas?

Also this results in a non-working scanner service:

    gvmd --verify-scanner=39ba65fb-f68d-4171-8c4c-3c7ffa3e12c0
    Failed to verify scanner.

The installation also fails to list the NVTs in the GUI interface.

s4m3sh commented 4 years ago

@Falk thanks for the great write up. @apilynx have you done anything for the report formatting?

drmendes commented 4 years ago

@s4m3sh unfortunately I did not get back to that HTML issue

dagostoo commented 4 years ago

Hi! After creating sudo user, it still asks me for password. Any help? Thanks

dagostoo commented 4 years ago

sorry, ignore last question. User was created, all good, but when I try sudo su, it asks me for password. Any help?

drmendes commented 4 years ago

@tarietaguraiuja You most likely forgot to include the dash in

sudo su - gvm

Check here to know the difference if it's the case. Should that not be the case, check if you include --disabled-password on the creation.

dagostoo commented 4 years ago

yes, I do include --disabled-password.. Followed all the steps. sudo su -gvm still asks for password.

drmendes commented 4 years ago

Keep in mind that it should ask for a password but it's your root's password.

sarritzu commented 4 years ago

Do you have a working docker container to share?

falkowich commented 4 years ago

@sarritzu Only GVM10 so far. I had hopes that I could have some time over last weekend, but real life has come between :)

But hopefully something usable is coming in the weekend :tm:

-- Regards Falk

sarritzu commented 4 years ago

@falkowich It would be great! Thank you!

falkowich commented 4 years ago

@sarritzu Now there is a "dev" branch in https://github.com/falkowich/gvm-docker The first dev image is up and "running" :)

sarritzu commented 4 years ago

@falkowich

Thank you very much! Just few quick questions (I'm not a docker expert).

With another openvas container I used to run the container with the following command:

docker run -d -p 443:443 -p 9390:9390 -v /var/lib/openvas:/var/lib/openvas/mgr -e OV_PASSWORD=password -e OV_UPDATE=yes --name openvas

1) I would need to bind a volume (-v option) to the host in order to access the reports and send them to my logstash server (with vulnwhisperer and filebeat as an instance). How can I do? What's the correct path to use with the "-v" option?

2) I also need to forward the web service to the port 443 of the host (so I can access gvmd externally). I see the command "EXPOSE 443 9391" in the docker file. I suppose I just need to use the option "-p 443:443". Can you please confirm?

3) In order to change the admin password I suppose I just have to change the "entrypoint.sh" before the first run:

    else
        echo "---> Creating admin with new password"
        su - gvm sh -c "/opt/gvm/sbin/gvmd --create-user=admin --password=admin"
    fi

Can you please confirm? Any better way to change the admin password?

4) In the "Update section" (the ugly one lol) I see you don't use "greenbone-nvt-sync". Why?

Thank you so much!!!!

falkowich commented 4 years ago

Thank you very much! Just few quick questions (I'm not a docker expert).

Me neither :)

I'm a big fan of docker-compose, and there is an example docker-compose.yml in the dev repo.

  1. I would need to bind a volume (-v option) to the host in order to access the reports and send them to my logstash server (with vulnwhisperer and filebeat as an instance). How can I do? What's the correct path to use with the "-v" option?

In the compose file there is a volume bind. If it is the logs you want to get you can make a volume like

    volumes:
      - logs:/opt/gvm/var/log/gvm/
      - psql:/var/lib/postgresql/

Then they are mounted at /var/lib/docker/volumes/gvm-docker_logs/_data/, or

    volumes:
      - /where/you/want/to/place/logs:/opt/gvm/var/log/gvm/
      - psql:/var/lib/postgresql/

Then they mount into that directory. With that kind of mount there are more permission problems though..

  2. I also need to forward the web service to the port 443 of the host (so I can access gvmd externally). I see the command "EXPOSE 443 9391" in the docker file. I suppose I just need to use the option "-p 443:443". Can you please confirm?

In the docker-compose.yml it is listening on 443

  3. In order to change the admin password I suppose I just have to change the "entrypoint.sh" before the first run: Can you please confirm? Any better way to change the admin password?

I usually use docker-compose, and then you can use:

    docker exec -i gvm10 sh -c "/usr/local/sbin/gvmd -v --create-user=scanner-user"

  4. In the "Update section" (the ugly one lol) I see you don't use "greenbone-nvt-sync". Why? Thank you so much!!!!

It's done before in the build process. There is a greenbone-nvt-sync further up.

And yeah, I'm not so proud of those temporary lines :D

-- Regards Falk

markeclaudio commented 4 years ago

You miss mkdir /run/redis-openvas/. Thanks for your guide

sarritzu commented 4 years ago

@falkowich

Thank you for the great work. I've just installed a working container. Do you know where I can find the tasks (or reports) db? A long time ago it was /var/lib/openvas/tasks.db. But now I don't know how it works :( I would also suggest including the installation of the GVM tools for the user "gvm"...

Thank you very much :)

dagostoo commented 4 years ago

hi guys! Great tutorial! Got all working!! But I got one question. How can I set my API port to 9390? Thanks!

dagostoo commented 4 years ago

And also, with my last question: I got all working, can access the web interface, but when I run the command "systemctl status gsad" I have a little error:

    gsad.service: Can't open PID file /opt/gvm/var/run/gsad.pid (yet?) after start: No such file or directory.

Actually when I go to /opt/gvm/var/run/, there is a file gsad.pid. Why does it drop me such an error?

falkowich commented 4 years ago

@dagostoo Do you run it as sudo, or as gvm?

gsad starts as a priv user.

dagostoo commented 4 years ago

yes, thanks, when i run as gvm, error is gone. But three more questions.

  1. IANA update, where should I create iana folder? When I create it in gvm path, it gives me output: [e] Error: openvas is not in the path, could not determine the Manager directory.
  2. In gvmd logs I got this error: manage_update_nvt_cache_osp: failed to connect to /tmp/ospd.sock My ospd.sock is not in tmp folder. I moved ospd.sock to /tmp, but still I get same error.
  3. In gsad logs I got this error: MHD: Error: received handshake message out of context

I am pretty new at gvm, need some startup help..

robisonr commented 4 years ago

I'm experiencing issues with the line systemctl start gvmd ;\ when creating the startup scripts.

It fails and returns the following: Job for gvmd.service failed because the control process exited with error code. See "systemctl status gvmd.service" and "journalctl -xe" for details.

When I look in systemctl status gvmd.service and journalctl -xe they have the following:

       Loaded: loaded (/etc/systemd/system/gvmd.service; enabled; vendor preset: enabled)
       Active: activating (auto-restart) (Result: exit-code) since Mon 2020-01-06 19:35:21 UTC; 32s ago
         Docs: man:gvm
      Process: 28943 ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock (code=exited, status=1/FAILURE)
        Tasks: 4 (limit: 4915)
       CGroup: /system.slice/gvmd.service
               ├─27654 gvmd: Waiting for incoming connections
               ├─27684 gpg-agent --homedir /opt/gvm/var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
               ├─28955 gvmd: Reloading NVTs
               └─28957 gvmd: OSP: Updating NVT cache

    Jan 06 19:41:49 devt-openvas01 systemd[1]: gvmd.service: Control process exited, code=exited status=1
    Jan 06 19:41:49 devt-openvas01 systemd[1]: gvmd.service: Failed with result 'exit-code'.
    Jan 06 19:41:49 devt-openvas01 systemd[1]: Failed to start Job that runs the gvm daemon.
    -- Subject: Unit gvmd.service has failed
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit gvmd.service has failed.
    --
    -- The result is RESULT.

sarritzu commented 4 years ago

@falkowich

I've installed the gvm-tools but when I try to run them in socket mode I get this error:

gvm.errors.GvmError: Socket /var/run/gvmd.sock does not exist

Any hint about how to fix it?

    gvm@8b480bba09e3:~$ gvm-pyshell socket
    Traceback (most recent call last):
      File "/opt/gvm/.local/bin/gvm-pyshell", line 10, in <module>
        sys.exit(main())
      File "/opt/gvm/.local/lib/python3.7/site-packages/gvmtools/pyshell.py", line 134, in main
        with protocol_class(connection, transform=transform) as protocol:
      File "/opt/gvm/.local/lib/python3.7/site-packages/gvm/protocols/gmp.py", line 79, in __enter__
        self.connect()
      File "/opt/gvm/.local/lib/python3.7/site-packages/gvm/protocols/base.py", line 107, in connect
        self._connection.connect()
      File "/opt/gvm/.local/lib/python3.7/site-packages/gvm/connections.py", line 353, in connect
        ) from None
    gvm.errors.GvmError: Socket /var/run/gvmd.sock does not exist
    gvm@8b480bba09e3:~$

drmendes commented 4 years ago

@sarritzu

1) Check if you have the socket in /opt/var/run/

1.1) Make sure you are specifying the path on the connection:

    # UnixSocketConnection comes from python-gvm's gvm.connections module
    from gvm.connections import UnixSocketConnection
    connection = UnixSocketConnection(path="your_path_to_gvmd_socket")

2) If there is no socket it should mean something is wrong with gvmd, is it running at all? -> Check gvmd.log

dagostoo commented 4 years ago

@falkowich

Hi! All is working, but when I try to scan, all scans give me an error. In the logs I can see the following:

    manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
    md manage:WARNING:2020-01-08 16h34.41 utc:3321: manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
    md main:MESSAGE:2020-01-08 16h37.52 utc:3638: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
    md manage:WARNING:2020-01-08 16h37.52 utc:3648: database must be initialised from scanner
    util gpgme:MESSAGE:2020-01-08 16h37.52 utc:3648: Setting GnuPG dir to '/opt/gvm/var/lib/gvm/gvmd/gnupg'
    util gpgme:MESSAGE:2020-01-08 16h37.52 utc:3648: Using OpenPGP engine version '2.2.4'
    md gmp:WARNING:2020-01-08 16h38.39 utc:3731: Authentication failure for 'admin' from 127.0.0.1
    md gmp:WARNING:2020-01-08 16h38.47 utc:3734: Authentication failure for 'admin' from 127.0.0.1
    md gmp:WARNING:2020-01-08 16h38.49 utc:3745: Authentication failure for 'admin' from 127.0.0.1
    event task:MESSAGE:2020-01-08 16h39.57 UTC:3901: Status of task BT04 (2c41d5be-10e2-407d-91d6-d2d56bf14916) has changed to Requested
    event task:MESSAGE:2020-01-08 16h39.57 UTC:3901: Task BT04 (2c41d5be-10e2-407d-91d6-d2d56bf14916) has been requested to start by admin
    md manage:WARNING:2020-01-08 16h40.02 UTC:3908: Could not connect to Scanner at /tmp/ospd.sock
    md manage:WARNING:2020-01-08 16h40.02 UTC:3908: OSP start_scan b0874e99-e0df-456d-ab92-84ff40e8535d: Could not connect to Scanner
    event task:MESSAGE:2020-01-08 16h40.02 UTC:3908: Status of task BT04 (2c41d5be-10e2-407d-91d6-d2d56bf14916) has changed to Done

Ignore authentication failure. Any help please?

robisonr commented 4 years ago

@dagostoo

When scanning are you using “TEST OPENVAS Scanner” or "OpenVAS Default"?

The latter won't work.

dagostoo commented 4 years ago

sorry, my head is too full. How can I check it? @robisonr I'm thankful to you

robisonr commented 4 years ago

Whenever you create a new task in the web interface one of the options is called Scanner. That's where you would select which scanner to use and you should use the one you set up and not "OpenVAS Default". If you followed this guide you most likely created one called "TEST OPENVAS Scanner" if you didn't change anything.

dagostoo commented 4 years ago

nope, my scan is OpenVAS Default, just checked

robisonr commented 4 years ago

@dagostoo you should be able to change it to "TEST OPENVAS Scanner" in the dropdown menu. You should then be able to run a scan.

dagostoo commented 4 years ago

It still drops me an error, in logs:

    event task:MESSAGE:2020-01-08 17h35.07 UTC:11090: Status of task test1 (c8aef3f2-d904-4fda-9946-eafe3fad9d04) has changed to Requested
    event task:MESSAGE:2020-01-08 17h35.07 UTC:11090: Task test1 (c8aef3f2-d904-4fda-9946-eafe3fad9d04) has been requested to start by admin
    md manage:WARNING:2020-01-08 17h35.11 UTC:11093: Could not connect to Scanner at /tmp/ospd.sock
    md manage:WARNING:2020-01-08 17h35.11 UTC:11093: OSP start_scan af8f148e-1455-4a42-99d7-84fa3ec52005: Could not connect to Scanner
    event task:MESSAGE:2020-01-08 17h35.11 UTC:11093: Status of task test1 (c8aef3f2-d904-4fda-9946-eafe3fad9d04) has changed to Done

How can I change the socket path? Or why could it not connect to the scanner? @robisonr

dagostoo commented 4 years ago

in conf files all is ok and all systems are running

    gvm@openvas:/opt/gvm$ systemctl status gvmd gsad ospd-openvas
    ● gvmd.service - Job that runs the gvm daemon
       Loaded: loaded (/etc/systemd/system/gvmd.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2020-01-08 16:38:02 UTC; 1h 2min ago
         Docs: man:gvm
      Process: 3638 ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock --listen=0.0.0.0 -p 9390 (code=exited, status=0/SUCCESS)
     Main PID: 3648 (gvmd)
        Tasks: 1 (limit: 4659)
       CGroup: /system.slice/gvmd.service
               └─3648 gvmd: Waiting for incoming connections

    ● gsad.service - Job that runs the gsa daemon
       Loaded: loaded (/etc/systemd/system/gsad.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2020-01-08 16:37:56 UTC; 1h 2min ago
         Docs: man:gsa
      Process: 3675 ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm --mlisten=127.0.0.1 --mport 9390 -p 9392 --listen 0.0.0.0 --no-redirect (code=exited, status=0/SUCCESS)
     Main PID: 3682 (gsad)
        Tasks: 8 (limit: 4659)
       CGroup: /system.slice/gsad.service
               └─3682 /opt/gvm/sbin/gsad --drop-privileges=gvm --mlisten=127.0.0.1 --mport 9390 -p 9392 --listen 0.0.0.0 --no-redirect

    ● ospd-openvas.service - Job that runs the ospd-openvas daemon
       Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2020-01-08 16:34:11 UTC; 1h 5min ago
         Docs: man:gvm
     Main PID: 3292 (python)
        Tasks: 2 (limit: 4659)
       CGroup: /system.slice/ospd-openvas.service
               └─3292 /opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log
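
Added example, not part of any comment in this thread and not the guide's own code: the logs quoted above show gvmd reporting "Could not connect to Scanner at /tmp/ospd.sock" while ospd-openvas is started with --unix-socket=/opt/gvm/var/run/ospd.sock. The script below compares the two from log text and a command line; the function names are hypothetical and the sample lines are constructed by abridging the ones posted here.

```shell
#!/usr/bin/env bash
# Added example: check whether gvmd is dialing a different unix socket
# than the one ospd-openvas listens on.

# stdin: gvmd.log text. stdout: distinct socket paths gvmd failed to reach.
gvmd_failed_sockets() {
    sed -n -E 's#.*(Could not connect to Scanner at|failed to connect to) (/[^ ]+).*#\2#p' | sort -u
}

# stdin: ospd-openvas command line. stdout: its --unix-socket value.
ospd_listen_socket() {
    sed -n -E 's#.*--unix-socket[= ]([^ ]+).*#\1#p' | head -n 1
}

# $1 = gvmd log text, $2 = ospd-openvas command line.
# Prints one verdict per failed path; returns 1 on mismatch, 2 if unknown.
check_scanner_socket() {
    local listen path rc=0
    listen=$(printf '%s\n' "$2" | ospd_listen_socket)
    if [ -z "$listen" ]; then
        echo "UNKNOWN no --unix-socket option found"
        return 2
    fi
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "$path" = "$listen" ]; then
            # Same path on both sides: look at ospd-openvas itself instead.
            echo "SAME_PATH $path"
        else
            echo "MISMATCH gvmd=$path ospd=$listen"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$1" | gvmd_failed_sockets)
EOF
    return "$rc"
}

# Constructed sample input, abridged from the log and status lines in this thread.
SAMPLE_LOG='md manage:WARNING:2020-01-08 16h34.41 utc:3321: manage_update_nvt_cache_osp: failed to connect to /opt/gvm/var/run/ospd.sock
md manage:WARNING:2020-01-08 17h35.11 UTC:11093: Could not connect to Scanner at /tmp/ospd.sock
md manage:WARNING:2020-01-08 17h35.11 UTC:11093: OSP start_scan af8f148e-1455-4a42-99d7-84fa3ec52005: Could not connect to Scanner'
SAMPLE_OSPD='/opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock'

if ! check_scanner_socket "$SAMPLE_LOG" "$SAMPLE_OSPD"; then
    # Remedy quoted earlier in the thread; <scanner-uuid> is a placeholder.
    echo "fix: sudo -u gvm gvmd --modify-scanner=<scanner-uuid> --scanner-host=/opt/gvm/var/run/ospd.sock"
fi
```

On a live host the two inputs would be the contents of gvmd.log and the ospd-openvas command line shown by systemctl status.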