install openvas-9 to raspbian (raspberry pi) from src - end0tknr's kipple - web写経開発
2017年に記載した上記エントリの2020年版です。
今回は、※1 を参考にしています。(というより、まるパクリです)
2020/11時点で、GVMの最新は、ver.20ですが、バグがあるらしく、 installできたものの、脆弱性SCANできなかった為、GVM 11(OpenVAS) を使用しています。
install自体に手間取る部分はありませんが、脆弱性SCANの際、以下の点にはご注意下さい。
Configuration → Alive Test = Consider Alive
デフォルトでは、pingに対しての反応がないと、サイトダウンと判定され、scanされませんので、Alive Test を「Consider Alive」に変更して下さい。
Scans → Tasks → Scanner=Kifarunix-demo OpenVAS Scanner
今回のインストールでは、新規にスキャナを追加していますので、 「Scanner=Kifarunix-demo OpenVAS Scanner」を指定して下さい。
また、デフォルトでは Maximum concurrently scanned hosts=20 ですが、過大な気がしますので、10程度に下げた方がよいかと思います。
以降が、インストールメモです
$ cat /etc/os-release NAME="Ubuntu" VERSION="20.04.1 LTS (Focal Fossa)" $ sudo apt update ## install可能なpackageの一覧更新 $ sudo apt upgrade ## install済のpackage更新
$ sudo useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm $ sudo mkdir /opt/gvm $ sudo chown gvm:gvm /opt/gvm $ sudo apt \ install gcc g++ make bison flex libksba-dev curl redis libpcap-dev \ cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev \ libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev \ zlib1g-dev libxml2-dev libradcli-dev clang-format libldap2-dev doxygen \ gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev \ libsnmp-dev python3-setuptools python3-paramiko python3-lxml \ python3-defusedxml python3-dev gettext python3-polib xmltoman \ python3-pip texlive-fonts-recommended texlive-latex-extra \ --no-install-recommends xsltproc $ sudo su - # curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - # echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list $ sudo apt update $ sudo apt install yarn $ sudo apt install postgresql postgresql-contrib postgresql-server-dev-all $ sudo -Hiu postgres postgres$ createuser gvm postgres$ createdb -O gvm gvmd postgres$ psql gvmd gvmd=# create role dba with superuser noinherit; gvmd=# grant dba to gvm; gvmd=# create extension "uuid-ossp"; gvmd=# \q postgres$ exit $ sudo systemctl restart postgresql $ sudo systemctl enable postgresql
## Append the GVM directories to the PATH in /etc/environment, which is applied to the
## login sessions of all users, not only gvm.
## NOTE(review): the three added directories sit under /opt/gvm, which was chown'ed to
## the gvm account earlier on this page. They are appended after the system directories;
## keep them last so they cannot take precedence over a system binary of the same name.
$ sudo vim /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"
↑「/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin」を追加
## Register /opt/gvm/lib with the dynamic linker; it takes effect when ldconfig is run.
## NOTE(review): this adds a directory under the gvm-owned prefix to the system-wide
## library search path. A root-owned library directory that gvm cannot write to keeps
## that account from influencing what other users' processes load.
$ sudo su -
# echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.conf
$ sudo su - gvm $ mkdir /opt/gvm/tmp $ mkdir /opt/gvm/tmp/gvm-source $ cd /opt/gvm/tmp/gvm-source $ git clone -b gvm-libs-11.0 https://github.com/greenbone/gvm-libs.git $ git clone https://github.com/greenbone/openvas-smb.git $ git clone -b openvas-7.0 https://github.com/greenbone/openvas.git $ git clone -b ospd-2.0 https://github.com/greenbone/ospd.git $ git clone -b ospd-openvas-1.0 https://github.com/greenbone/ospd-openvas.git $ git clone -b gvmd-9.0 https://github.com/greenbone/gvmd.git $ git clone -b gsa-9.0 https://github.com/greenbone/gsa.git $ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH $ cd gvm-libs $ mkdir build $ cd build $ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm $ make $ make install $ cd ../../openvas-smb/ $ mkdir build $ cd build $ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm $ make $ make install $ cd ../../openvas $ mkdir build $ cd build $ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm $ vim ../../openvas/CMakeLists.txt #set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}") set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations") $ make $ make install # ldconfig # cp /opt/gvm/tmp/gvm-source/openvas/config/redis-openvas.conf /etc/redis/ # chown redis:redis /etc/redis/redis-openvas.conf # echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf # chown gvm:gvm /opt/gvm/etc/openvas/openvas.conf # usermod -aG redis gvm # echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf # echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf # sysctl -p net.core.somaxconn = 1024 vm.overcommit_memory = 1 # vi /etc/systemd/system/disable_thp.service [Unit] Description=Disable Kernel Support for Transparent Huge Pages (THP) [Service] Type=simple ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag" [Install] WantedBy=multi-user.target # systemctl daemon-reload # systemctl enable --now 
disable_thp # systemctl enable --now redis-server@openvas # echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm # visudo Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin" ※「/opt/gvm/sbin」を追加 # echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm # su - gvm gvm$ greenbone-nvt-sync ※上記の処理には、10min程 要します gvm$ sudo openvas --update-vt-info ※上記の処理には、2-3min程 要します gvm$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH gvm$ cd /opt/gvm/tmp/gvm-source/gvmd gvm$ mkdir build gvm$ cd build gvm$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm gvm$ make gvm$ make install gvm$ cd ../../gsa gvm$ mkdir build gvm$ cd build gvm$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm gvm$ make gvm$ make install gvm$ greenbone-scapdata-sync gvm$ greenbone-certdata-sync gvm$ gvm-manage-certs -a gvm$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH gvm$ mkdir -p /opt/gvm/lib/python3.8/site-packages/ gvm$ export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages gvm$ cd /opt/gvm/tmp/gvm-source/ospd gvm$ python3 setup.py install --prefix=/opt/gvm gvm$ cd ../ospd-openvas gvm$ python3 setup.py install --prefix=/opt/gvm gvm$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \ --lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock gvm$ gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock gvm$ sudo gsad Oops, secure memory pool already initialized gvm$ ps aux | grep -E "ospd-openvas|gsad|gvmd" | grep -v grep gvm 43823 57.7 1.0 163852 43048 pts/0 Rl 09:28 0:25 \ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \ --lock-file-dir /opt/gvm/var/run \ -u /opt/gvm/var/run/ospd.sock gvm 43825 0.0 0.6 149764 27208 pts/0 Sl 09:28 0:00 \ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ 
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \ --lock-file-dir /opt/gvm/var/run \ -u /opt/gvm/var/run/ospd.sock gvm 43832 0.1 0.2 99608 10252 pts/0 S 09:28 0:00 \ gvmd: Waiting for incoming connections gvm 43854 1.3 0.0 81196 1568 ? Ss 09:28 0:00 \ gpg-agent --homedir /opt/gvm/var/lib/gvm/gvmd/gnupg \ --use-standard-socket --daemon postgres 43860 0.0 0.6 225564 26956 ? SLs 09:28 0:00 \ postgres: 12/main: gvm gvmd [local] idle root 43869 0.0 0.1 132176 5636 pts/0 Sl 09:28 0:00 gsad root 43870 0.0 0.0 132176 3496 pts/0 Sl 09:28 0:00 gsad # vi /etc/systemd/system/openvas.service [Unit] Description=Control the OpenVAS service After=redis.service After=postgresql.service [Service] ExecStartPre=-rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock Type=simple User=gvm Group=gvm Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \ --lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock RemainAfterExit=yes [Install] WantedBy=multi-user.target # systemctl daemon-reload # systemctl start openvas # systemctl status openvas ● openvas.service - Control the OpenVAS service Loaded: loaded (/etc/systemd/system/openvas.service; disabled; vendor preset: enabled) Active: active (exited) since Sat 2020-11-07 09:33:18 UTC; 13s ago Process: 44404 ExecStartPre=/usr/bin/rm -rf /opt/gvm/var/run/ospd-openvas.pid \ /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock (code=exited, status=0/SUCCE> Process: 44419 ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ --log-file /opt/gvm/var/log/gvm/ospd-openvas.lo> Main PID: 44419 (code=exited, status=0/SUCCESS) Tasks: 4 (limit: 4621) 
Memory: 24.2M CGroup: /system.slice/openvas.service ├─44425 /usr/bin/python3 /opt/gvm/bin/ospd-openvas \ │ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ │ --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock> └─44427 /usr/bin/python3 /opt/gvm/bin/ospd-openvas \ --pid-file /opt/gvm/var/run/ospd-openvas.pid \ --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock> Nov 07 09:33:18 ubuntu20 systemd[1]: Starting Control the OpenVAS service... Nov 07 09:33:18 ubuntu20 systemd[1]: Started Control the OpenVAS service. # systemctl enable openvas # vi /etc/systemd/system/gsa.service [Unit] Description=Control the OpenVAS GSA service After=openvas.service [Service] Type=simple User=gvm Group=gvm Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad RemainAfterExit=yes [Install] WantedBy=multi-user.target # vi /etc/systemd/system/gsa.path [Unit] Description=Start the OpenVAS GSA service when gvmd.sock is available [Path] PathChanged=/opt/gvm/var/run/gvmd.sock Unit=gsa.service [Install] WantedBy=multi-user.target # vi /etc/systemd/system/gvm.service [Unit] Description=Control the OpenVAS GVM service After=openvas.service [Service] Type=simple User=gvm Group=gvm Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock RemainAfterExit=yes [Install] WantedBy=multi-user.target # vi /etc/systemd/system/gvm.path [Unit] Description=Start the OpenVAS GVM service when opsd.sock is available [Path] PathChanged=/opt/gvm/var/run/ospd.sock Unit=gvm.service [Install] WantedBy=multi-user.target # systemctl daemon-reload # systemctl enable --now gvm.{path,service} # 
systemctl enable --now gsa.{path,service} # sudo -Hiu gvm gvmd --create-scanner="Kifarunix-demo OpenVAS Scanner" \ --scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sock # sudo -Hiu gvm gvmd --get-scanners 08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /tmp/ospd.sock 0 OpenVAS Default 6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE 169efd9c-2248-415e-ba4e-5d7e78069494 OpenVAS /opt/gvm/var/run/ospd.sock 9390 Kifarunix-demo OpenVAS Scanner # sudo -Hiu gvm gvmd --verify-scanner=169efd9c-2248-415e-ba4e-5d7e78069494 # sudo -Hiu gvm gvmd --verify-scanner=955420e0-9a75-46f8-b778-80860f946dea Scanner version: OpenVAS 7.0.1. # sudo -Hiu gvm gvmd --create-user gvmadmin --password=ないしょ User created. # sudo -Hiu gvm gvmd --user=gvmadmin --new-password=ないしょ # sudo -Hiu gvm gvmd --create-user admin --password=ないしょ User created. # ufw allow 443/tcp Rules updated Rules updated (v6) # reboot
後は、ブラウザで、 https://$IPアドレス へアクセスし、お試し下さい