Installing OpenVAS 9 from the sources

In last month Greenbone Networks and OpenVAS development team have finally presented new OpenVAS 9 with new GUI, improved multi-scanner support, improved asset management, etc. We have been waiting for this release for 2 years!

For installing OpenVAS 9 from the sources I used the same script as for OpenVAS 8 installation last year. More details about this script and why you may need it you can read in the post “openvas_commander for OpenVAS installation and management“.

OpenVAS 9 Dashboards

I fixed the script a bit because of these changes in OpenVAS9:

  • openvas-nvt-syncwas renamed to greenbone-nvt-sync
  • openvas-mkcert и openvas-mkcert-client were replaced by openvas-manage-certs

For this installation I took latest version of Debian: http://cdimage.debian.org/debian-cd/current/i386/iso-cd/debian-8.7.1-i386-netinst.iso and created a VirtualBox virtual machine “OpenVAS 9”:

  • 32-bit
  • 1024 mb RAM
  • 30 GB HDD
  • NAT interface and host only network

During the OS installation, I made the following settings:

  • Primary interface eth0 (NAT)
  • Hostname openvas9
  • Standard set of components + SSH Server

When Debian installation was finished, I, for some reason, had the same connection active used for two network interfaces (NAT and host only), and only one interface, NAT, really worked. With nmtui I made one more connection and for each connection I set particular interfaces: eth0 for one, eth1 for another. I also set static ip address 192.168.56.120 for the host.

ssh vmuser@192.168.56.120.
su -

Warning! When elevating privileges, use `su -` to avoid problems with the locale.

Ok, now we are ready to install OpenVAS9 on this host.

# wget https://raw.githubusercontent.com/leonov-av/openvas-commander/master/openvas_commander.sh
# chomod +x openvas_commander.sh

Install dependencies (the longest operation):

# ./openvas_commander.sh --install-dependencies

Available versions of OpenVAS:

# ./openvas_commander.sh --show-releases
OpenVAS-8
OpenVAS-9

Available source archives for OpenVAS 9:

# ./openvas_commander.sh --show-sources "OpenVAS-9"
http://wald.intevation.org/frs/download.php/2420/openvas-libraries-9.0.1.tar.gz
http://wald.intevation.org/frs/download.php/2423/openvas-scanner-5.1.1.tar.gz
http://wald.intevation.org/frs/download.php/2426/openvas-manager-7.0.1.tar.gz
http://wald.intevation.org/frs/download.php/2429/greenbone-security-assistant-7.0.2.tar.gz
http://wald.intevation.org/frs/download.php/2397/openvas-cli-1.4.5.tar.gz
http://wald.intevation.org/frs/download.php/2377/openvas-smb-1.0.2.tar.gz
http://wald.intevation.org/frs/download.php/2401/ospd-1.2.0.tar.gz
http://wald.intevation.org/frs/download.php/2405/ospd-debsecan-1.2b1.tar.gz

Download and unpack:

# ./openvas_commander.sh --download-sources "OpenVAS-9"
# ./openvas_commander.sh --create-folders

Everything is in place and we are ready for actual installation:

# ls openvas
greenbone-security-assistant-7.0.2 openvas-scanner-5.1.1
greenbone-security-assistant-7.0.2.tar.gz openvas-scanner-5.1.1.tar.gz
openvas-cli-1.4.5 openvas-smb-1.0.2
openvas-cli-1.4.5.tar.gz openvas-smb-1.0.2.tar.gz
openvas-libraries-9.0.1 ospd-1.2.0
openvas-libraries-9.0.1.tar.gz ospd-1.2.0.tar.gz
openvas-manager-7.0.1 ospd-debsecan-1.2b1
openvas-manager-7.0.1.tar.gz ospd-debsecan-1.2b1.tar.gz

Install the components:

# ./openvas_commander.sh --install-all

NB: If you are afraid that something might go wrong, you can start separately:

# ./openvas_commander.sh --install-component "openvas-smb"
# ./openvas_commander.sh --install-component "openvas-libraries"
# ./openvas_commander.sh --install-component "openvas-scanner"
# ./openvas_commander.sh --install-component "openvas-manager"
# ./openvas_commander.sh --install-component "openvas-cli"
# ./openvas_commander.sh --install-component "greenbone-security-assistant"

Create certificates and a user:

# ./openvas_commander.sh --configure-all

Update and rebuild content:

# ./openvas_commander.sh --update-content
# ./openvas_commander.sh --rebuild-content

Launch the OpenVAS processes:

# ./openvas_commander.sh --kill-all
# ./openvas_commander.sh --start-all

Check, that everything is started, wait for openvassd:

# ./openvas_commander.sh --check-proc
root 10404 15.5 7.2 142980 74724 pts/0 SL 18:17 0:00 openvasmd
root 10422 59.0 1.0 35424 11004 ? Rs 18:17 0:01 openvassd: Reloaded 14250 of 52652 NVTs (27% / ETA: 00:08)
root 10424 0.0 0.2 31536 2732 ? S 18:17 0:00 openvassd (Loading Handler)
root 10425 0.6 0.5 28452 6056 pts/0 Sl 18:17 0:00 /usr/local/sbin/gsad
root 10426 0.0 0.3 28452 3424 pts/0 Sl 18:17 0:00 /usr/local/sbin/gsad
root 10439 0.0 0.2 4556 2184 pts/0 S+ 18:17 0:00 grep -E (openvas.d|gsad)

n a few minutes all NVTs are reloaded:

# ./openvas_commander.sh --check-proc
root 10404 0.8 7.2 142980 74724 pts/0 SL 18:17 0:00 openvasmd
root 10422 8.2 1.0 35556 11132 ? Ss 18:17 0:05 openvassd: Waiting for incoming connections
root 10425 0.0 0.5 28452 6056 pts/0 Sl 18:17 0:00 /usr/local/sbin/gsad
root 10426 0.0 0.3 28452 3424 pts/0 Sl 18:17 0:00 /usr/local/sbin/gsad
root 10463 0.0 0.2 4556 2204 pts/0 S+ 18:19 0:00 grep -E (openvas.d|gsad)

If something goes wrong, you can always find out what to do next with:
# ./openvas_commander.sh --check-status v9

If everything is OK, the output of the command should be like this:

openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9

Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=2.8.17.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 52652 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /usr/local/var/cache/openvas contains 52652 files for 52652 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.1.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 184.
OK: OpenVAS Manager expects database at revision 184.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 52652 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /usr/local/var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /usr/local/var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /usr/local/etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 7.0.2.
OK: Your OpenVAS certificate infrastructure passed validation.
Step 5: Checking OpenVAS CLI ...
SKIP: Skipping check for OpenVAS CLI.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on a Unix domain socket.
OK: OpenVAS Manager is running and listening on a Unix domain socket.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
WARNING: Your version of nmap is not fully supported: 6.47
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.

It seems like your OpenVAS-9 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Now we can go to https://192.168.56.120 and here is the invitation for login. Default login and password: admin/1

OpenVAS9 login screen

In the case of debugging, OpenVAS logs are located here: /usr/local/var/log/openvas/

2 thoughts on “Installing OpenVAS 9 from the sources

  1. Pingback: openvas_commander for OpenVAS installation and management | Alexander V. Leonov

  2. Hans

    Great post, and the script does wonders for installing.

    It might be worth mentioning somewhere in the post that the entire procedure for separating scanners onto separate hardware/distributed hardware in different datacenters has changed completely – and that it’s a good idea to get familiar with this new procedure prior to upgrading to OpenVAS 9. 🙂

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *