
install Greenbone Vulnerability Manager 11 (GVM, 旧OpenVAS) from source to ubuntu20

install openvas-9 to raspbian (raspberry pi) from src - end0tknr's kipple - web写経開発

2017年に記載した上記エントリの2020年版です。

今回は、※1 を参考にしています。(というより、まるパクリです)

2020/11時点で、GVMの最新は、ver.20ですが、バグがあるらしく、 installできたものの、脆弱性SCANできなかった為、GVM 11(OpenVAS) を使用しています。

※1  kifarunix.com

脆弱性SCANの際、以下の点にはご注意下さい。

install自体に手間取る部分はありませんが

Configuration → Alive Test = Consider Alive

デフォルトでは、pingに反応しないホストはダウンしていると判定され、scanされません。そのため、Alive Test を「Consider Alive」に変更します。

f:id:end0tknr:20201126141319p:plain

Scans → Tasks → Scanner=Kifarunix-demo OpenVAS Scanner

今回のインストールでは、新規にスキャナを追加していますので、 「Scanner=Kifarunix-demo OpenVAS Scanner」を指定して下さい。

また、デフォルトでは、Maximum concurrently scanned hosts=20 で過大な 気がしますので、10程度に下げた方がよいかと思います。

f:id:end0tknr:20201126141322p:plain

以降が、インストールメモです

## Target platform for these notes, as reported by os-release.
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"

$ sudo apt update    ## refresh the list of installable packages
$ sudo apt upgrade   ## upgrade the packages that are already installed
## Dedicated system account (-r) for GVM with home /opt/gvm and a login shell.
## No password is set here; later steps enter the account through
## "sudo su - gvm" or "sudo -Hiu gvm".
$ sudo useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm
 
## /opt/gvm is both the gvm home directory and the install prefix used by every
## cmake / setup.py step below, so everything installed there is writable by gvm.
## NOTE(review): keep that in mind for the sudoers entries further down, which
## let gvm run binaries from /opt/gvm/sbin as root without a password.
$ sudo mkdir /opt/gvm
$ sudo chown gvm:gvm /opt/gvm

## Build and runtime dependencies for the GVM 11 components.
## --no-install-recommends sits near the end of the command but is an option
## for the whole "apt install", not only for xsltproc.
## libldap2-dev appears twice in the list; the duplicate is harmless.
$ sudo apt \
    install gcc g++ make bison flex libksba-dev curl redis libpcap-dev \
    cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev \
    libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev \
    zlib1g-dev libxml2-dev libradcli-dev clang-format libldap2-dev doxygen \
    gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev \
    libsnmp-dev python3-setuptools python3-paramiko python3-lxml \
    python3-defusedxml python3-dev gettext python3-polib xmltoman \
    python3-pip texlive-fonts-recommended texlive-latex-extra \
    --no-install-recommends xsltproc

## Adds the Yarn APT repository (yarn is installed below before the gsa build).
## NOTE(review): "apt-key add" is deprecated and puts the key into the global
## trusted keyring, so the key is trusted for every configured repository, not
## only this one. Prefer a dedicated keyring file referenced from the list
## entry with [signed-by=...]. The key is taken as downloaded; no fingerprint
## is compared against a value obtained out of band.
$ sudo su - 
# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
# echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
$ sudo apt update

$ sudo apt install yarn

$ sudo apt install postgresql postgresql-contrib postgresql-server-dev-all

## Create the gvm database role and the gvmd database owned by it.
$ sudo -Hiu postgres
postgres$ createuser gvm
postgres$ createdb -O gvm gvmd

postgres$ psql gvmd
## NOTE(review): dba is a SUPERUSER role and gvm is made a member of it. The
## SUPERUSER attribute is never inherited automatically, but a member can
## switch to the role with SET ROLE, so the gvm database user can act as
## superuser for the whole cluster. Keep this PostgreSQL instance dedicated
## to GVM rather than sharing it with other applications.
gvmd=# create role dba with superuser noinherit;
gvmd=# grant dba to gvm;
gvmd=# create extension "uuid-ossp";
gvmd=# \q
postgres$ exit


$ sudo systemctl restart postgresql
$ sudo systemctl enable postgresql
## The three /opt/gvm directories are appended at the end of the system-wide
## PATH, after the standard system directories.
$ sudo vim /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"

↑「/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin」を追加

$ sudo su -
## Adds /opt/gvm/lib to the system-wide dynamic linker search path; it takes
## effect once ldconfig is run (done later, after the libraries are installed).
## NOTE(review): /opt/gvm is owned by gvm, so this puts a gvm-writable
## directory on the library search path of the whole host.
# echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.conf
## The source checkout and the builds below run as the unprivileged gvm user.
$ sudo su - gvm

$ mkdir /opt/gvm/tmp
$ mkdir /opt/gvm/tmp/gvm-source
$ cd /opt/gvm/tmp/gvm-source

## Six of the seven repositories are pinned to a release branch with -b.
## NOTE(review): openvas-smb is cloned without -b, so it builds whatever the
## default branch holds at clone time. Branches also move; check out a release
## tag or a commit id if the build has to be reproducible.
$ git clone -b gvm-libs-11.0 https://github.com/greenbone/gvm-libs.git
$ git clone https://github.com/greenbone/openvas-smb.git
$ git clone -b openvas-7.0 https://github.com/greenbone/openvas.git
$ git clone -b ospd-2.0 https://github.com/greenbone/ospd.git
$ git clone -b ospd-openvas-1.0 https://github.com/greenbone/ospd-openvas.git
$ git clone -b gvmd-9.0 https://github.com/greenbone/gvmd.git
$ git clone -b gsa-9.0 https://github.com/greenbone/gsa.git

## Let pkg-config find the .pc files that the components install under
## /opt/gvm, so later builds can locate the libraries built here.
$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH

## gvm-libs: build in a separate build directory, install into /opt/gvm.
## "make install" needs no sudo because the prefix is owned by gvm.
$ cd gvm-libs
$ mkdir build
$ cd build
$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
$ make
$ make install

## openvas-smb: same build sequence, same /opt/gvm prefix.
$ cd ../../openvas-smb/
$ mkdir build
$ cd build
$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
$ make
$ make install

## openvas (the scanner): same build sequence, plus one edit to CMakeLists.txt.
$ cd ../../openvas
$ mkdir build
$ cd build
$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm

## The original CMAKE_C_FLAGS_DEBUG line is commented out and replaced: with
## -Werror every warning fails the build, and -Wno-error=deprecated-declarations
## exempts deprecated-declaration warnings from that.
## NOTE(review): the file is edited after cmake has already run; presumably
## "make" regenerates the build files because CMakeLists.txt changed. Confirm,
## or re-run the cmake command by hand after the edit.
$ vim ../../openvas/CMakeLists.txt
  #set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}")
  set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations")

$ make
$ make install

## The "#" prompt marks commands run as root (leave the gvm session first).
## ldconfig rebuilds the linker cache so /opt/gvm/lib is picked up.
# ldconfig

## Redis instance for the scanner, using the config file shipped with openvas.
# cp /opt/gvm/tmp/gvm-source/openvas/config/redis-openvas.conf /etc/redis/

# chown redis:redis /etc/redis/redis-openvas.conf

## ">" overwrites openvas.conf, leaving db_address as its only setting.
# echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf

# chown gvm:gvm /opt/gvm/etc/openvas/openvas.conf

## presumably needed so that gvm can open the Redis unix socket; verify the
## socket's group and mode in redis-openvas.conf.
# usermod -aG redis gvm

## ">>" appends: running these two lines again duplicates the entries.
# echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf
# echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf
# sysctl -p
net.core.somaxconn = 1024
vm.overcommit_memory = 1


## Unit that writes "never" to both transparent-hugepage sysfs settings at boot.
# vi /etc/systemd/system/disable_thp.service

[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target


# systemctl daemon-reload
# systemctl enable --now disable_thp
## presumably the "openvas" instance name maps to the
## /etc/redis/redis-openvas.conf file copied earlier; confirm with
## "systemctl cat redis-server@openvas".
# systemctl enable --now redis-server@openvas


## Lets gvm run the scanner binary as root without a password.
## NOTE(review): /opt/gvm/sbin was populated by "make install" as gvm and is
## owned by gvm, so gvm can replace the binaries named in these rules. The
## NOPASSWD entries therefore give the gvm account root on this host in
## practice. To narrow that, make the two binaries and the directories above
## them root-owned and not writable by gvm.
## NOTE(review): the file is written with echo, bypassing visudo's syntax
## check. Validate it with "visudo -cf /etc/sudoers.d/gvm" and keep its mode
## at 0440.
# echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm


## secure_path is the PATH sudo uses for the commands it runs; the edit below
## appends the gvm-owned /opt/gvm/sbin to it (last entry).
# visudo

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"
※「/opt/gvm/sbin」を追加

## Second rule, appended with ">>": the web front end gsad, also run as root.
# echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm

## Back to the gvm account: fetch the vulnerability tests, then load them
## into the scanner (the second command goes through the NOPASSWD sudo rule).
# su - gvm
gvm$ greenbone-nvt-sync
※上記の処理には、10min程 要します

gvm$ sudo openvas --update-vt-info
※上記の処理には、2-3min程 要します

## New login shell, so PKG_CONFIG_PATH has to be exported again.
gvm$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH


## gvmd (the manager daemon): same build sequence as the libraries.
gvm$ cd /opt/gvm/tmp/gvm-source/gvmd
gvm$ mkdir build
gvm$ cd build
gvm$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
gvm$ make
gvm$ make install

## gsa (the web interface, which provides gsad): same sequence again.
## presumably this is the build that needs the yarn package installed earlier.
gvm$ cd ../../gsa
gvm$ mkdir build
gvm$ cd build
gvm$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
gvm$ make
gvm$ make install

## Fetch the SCAP and CERT feed data.
gvm$ greenbone-scapdata-sync
gvm$ greenbone-certdata-sync

## NOTE(review): presumably -a generates the certificates automatically with
## default settings, i.e. a locally created CA that browsers will not trust.
## Confirm with "gvm-manage-certs -h" and replace the web certificate if the
## UI is reachable by other users.
gvm$ gvm-manage-certs -a


gvm$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH

## Install the two Python components under the /opt/gvm prefix.
## The python3.8 path is hard-coded; it assumes the system python3 is 3.8.
gvm$ mkdir -p /opt/gvm/lib/python3.8/site-packages/
gvm$ export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
gvm$ cd /opt/gvm/tmp/gvm-source/ospd
gvm$ python3 setup.py install --prefix=/opt/gvm

gvm$ cd ../ospd-openvas
gvm$ python3 setup.py install --prefix=/opt/gvm


## Manual first start of ospd-openvas, listening on the unix socket given
## with -u. The same command line is used by openvas.service further down.
gvm$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
       --pid-file /opt/gvm/var/run/ospd-openvas.pid \
       --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
       --lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock

## Start gvmd and point it at that socket.
gvm$ gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock


## gsad is started as root through the NOPASSWD sudo rule. It prints the
## "Oops" line below, yet the process list that follows shows gsad running.
gvm$ sudo gsad
Oops, secure memory pool already initialized
## Check that all three daemons are up and which user each one runs as.
gvm$ ps aux | grep -E "ospd-openvas|gsad|gvmd" | grep -v grep
gvm      43823 57.7  1.0 163852 43048 pts/0    Rl   09:28   0:25 \
          /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
        --pid-file /opt/gvm/var/run/ospd-openvas.pid \
        --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
        --lock-file-dir /opt/gvm/var/run \
        -u /opt/gvm/var/run/ospd.sock
gvm      43825  0.0  0.6 149764 27208 pts/0    Sl   09:28   0:00 \
           /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
         --pid-file /opt/gvm/var/run/ospd-openvas.pid \
         --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
         --lock-file-dir /opt/gvm/var/run \
         -u /opt/gvm/var/run/ospd.sock
gvm      43832  0.1  0.2  99608 10252 pts/0    S    09:28   0:00 \
           gvmd: Waiting for incoming connections
gvm      43854  1.3  0.0  81196  1568 ?        Ss   09:28   0:00 \
           gpg-agent --homedir /opt/gvm/var/lib/gvm/gvmd/gnupg \
                 --use-standard-socket --daemon
postgres 43860  0.0  0.6 225564 26956 ?        SLs  09:28   0:00 \
           postgres: 12/main: gvm gvmd [local] idle
root     43869  0.0  0.1 132176  5636 pts/0    Sl   09:28   0:00 gsad
root     43870  0.0  0.0 132176  3496 pts/0    Sl   09:28   0:00 gsad


## systemd unit that starts ospd-openvas as the gvm user at boot.
# vi /etc/systemd/system/openvas.service

[Unit]
Description=Control the OpenVAS service
## NOTE(review): the Redis unit enabled earlier is redis-server@openvas;
## confirm that After=redis.service really orders this unit after it.
After=redis.service
After=postgresql.service

[Service]
## Leading "-": a failure of this clean-up step is ignored. rm is given
## without a path; the status output further down shows /usr/bin/rm.
ExecStartPre=-rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
## The status output further down reports "active (exited)": the started
## process exits with status 0 while two ospd-openvas processes stay in the
## cgroup, and RemainAfterExit=yes keeps the unit marked active.
## NOTE(review): in that state systemd presumably does not notice a later
## crash of the daemon; Type=forking with PIDFile= would track it. Confirm.
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target


## Load the new unit file, start the service and check its state.
# systemctl daemon-reload

# systemctl start openvas
# systemctl status openvas
● openvas.service - Control the OpenVAS service
     Loaded: loaded (/etc/systemd/system/openvas.service; disabled; vendor preset: enabled)
     Active: active (exited) since Sat 2020-11-07 09:33:18 UTC; 13s ago
    Process: 44404 ExecStartPre=/usr/bin/rm -rf /opt/gvm/var/run/ospd-openvas.pid \
             /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock (code=exited, status=0/SUCCE>
    Process: 44419 ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
             --pid-file /opt/gvm/var/run/ospd-openvas.pid \
         --log-file /opt/gvm/var/log/gvm/ospd-openvas.lo>
   Main PID: 44419 (code=exited, status=0/SUCCESS)
      Tasks: 4 (limit: 4621)
     Memory: 24.2M
     CGroup: /system.slice/openvas.service
       ├─44425 /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
       │          --pid-file /opt/gvm/var/run/ospd-openvas.pid \
       │             --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock>
       └─44427 /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
                   --pid-file /opt/gvm/var/run/ospd-openvas.pid \
           --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock>
Nov 07 09:33:18 ubuntu20 systemd[1]: Starting Control the OpenVAS service...
Nov 07 09:33:18 ubuntu20 systemd[1]: Started Control the OpenVAS service.

## The status output above still says "disabled"; this enables start at boot.
# systemctl enable openvas


## systemd unit for the web front end gsad.
# vi /etc/systemd/system/gsa.service

[Unit]
Description=Control the OpenVAS GSA service
After=openvas.service

[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
## The unit runs as gvm but starts gsad through sudo, so it depends on the
## NOPASSWD rule in /etc/sudoers.d/gvm and gsad itself runs as root (the ps
## output earlier shows the gsad processes owned by root).
## NOTE(review): presumably root is wanted only to bind port 443; check
## whether the network-facing gsad can run without root instead.
ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target


## Path unit: triggers gsa.service when gvmd.sock changes.
# vi /etc/systemd/system/gsa.path

[Unit]
Description=Start the OpenVAS GSA service when gvmd.sock is available

[Path]
PathChanged=/opt/gvm/var/run/gvmd.sock
Unit=gsa.service

[Install]
WantedBy=multi-user.target


## systemd unit for gvmd, run as gvm and pointed at the ospd-openvas socket.
# vi /etc/systemd/system/gvm.service

[Unit]
Description=Control the OpenVAS GVM service
After=openvas.service

[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target


## Path unit: triggers gvm.service when ospd.sock changes.
# vi /etc/systemd/system/gvm.path

[Unit]
## "opsd.sock" in the description is a typo for ospd.sock; the PathChanged
## line below watches the correct file.
Description=Start the OpenVAS GVM service when opsd.sock is available

[Path]
PathChanged=/opt/gvm/var/run/ospd.sock
Unit=gvm.service

[Install]
WantedBy=multi-user.target


## Enable and start the path unit and the service unit of each pair
## (brace expansion: gvm.path gvm.service, then gsa.path gsa.service).
# systemctl daemon-reload
# systemctl enable --now gvm.{path,service}
# systemctl enable --now gsa.{path,service}


# sudo -Hiu gvm gvmd --create-scanner="Kifarunix-demo OpenVAS Scanner" \
       --scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sock

# sudo -Hiu gvm gvmd --get-scanners

08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /tmp/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE
169efd9c-2248-415e-ba4e-5d7e78069494  OpenVAS  /opt/gvm/var/run/ospd.sock  9390  Kifarunix-demo OpenVAS Scanner

# sudo -Hiu gvm gvmd --verify-scanner=169efd9c-2248-415e-ba4e-5d7e78069494

# sudo -Hiu gvm gvmd --verify-scanner=955420e0-9a75-46f8-b778-80860f946dea
Scanner version: OpenVAS 7.0.1.

## Create the web UI accounts. "ないしょ" ("secret") is the author's
## placeholder for the real password.
## NOTE(review): a password passed as a command-line argument is recorded in
## the shell history and is visible in the process list while the command
## runs. Use a strong, unique value, change it from the web UI after the
## first login, and remove these lines from root's shell history.
# sudo -Hiu gvm gvmd --create-user gvmadmin --password=ないしょ
User created.
## Sets a new password for the gvmadmin account created above.
# sudo -Hiu gvm gvmd --user=gvmadmin --new-password=ないしょ

## A second account named "admin"; delete it if only one account is needed.
# sudo -Hiu gvm gvmd --create-user admin --password=ないしょ
User created.

## Opens TCP 443 (the web UI) to every source address, IPv4 and IPv6.
## NOTE(review): the UI controls a scanner that runs with root rights, so
## limit access to the administrators' network, for example
## "ufw allow from <ADMIN_NET_CIDR> to any port 443 proto tcp"
## (<ADMIN_NET_CIDR> is a placeholder for your own range).
# ufw allow 443/tcp
Rules updated
Rules updated (v6)


## Reboot to confirm that every enabled unit comes back up by itself.
# reboot

後は、ブラウザで、 https://$IPアドレス へアクセスし、お試し下さい