Installing OpenVAS and Greenbone Security Assistant on Debian 8, Jessie

First, some background – in a recent attempt to get a better handle on Internet privacy I began to look at various areas from mobile operating systems, browsers to the network I was connecting to the Internet from, and the various risks all entailed. In terms of my local network I was intrigued to better understand the “health” of devices on that network, and any risks they exposed.

I started to re-visit the use of Linux, and initially rediscovered Kali Linux “2016.2.” This proved to be a nightmare within a Hyper-V machine – a memory leak consumed all available host memory (12GB) in a couple of days, plus an “apt-get dist-upgrade” resulted in a failure of Xfce on boot… all I wanted was a vulnerability scanner, not a headache! Sadly, getting OpenVas running on Kali is very easy – see here.

My next port of call was Ubuntu, however, from a privacy perspective this proved less than ideal, so I opted for a distro I had not used for many years in its original form, Debian – specifically Debian 8, or Jessie.

Pre-Requisite Installation

Firstly confirm your Debian 8 installation is up-to-date:

apt-get update
apt-get dist-upgrade

Install the necessary pre-requisites for OpenVAS using the command below.

sudo apt-get install -y build-essential cmake bison flex libpcap-dev pkg-config libglib2.0-dev libgpgme11-dev uuid-dev sqlfairy xmltoman doxygen libssh-dev libksba-dev libldap2-dev libsqlite3-dev libmicrohttpd-dev libxml2-dev libxslt1-dev xsltproc clang rsync rpm nsis alien sqlite3 libhiredis-dev libgcrypt11-dev libgnutls28-dev redis-server texlive-latex-base texlive-latex-recommended linux-headers-$(uname -r)

Download, Compile and Install OpenVAS

Use the command below to create required directories and download / compile and install the various software packages needed for this installation.

Run the commands below as root (sudo -i), or alter the script to include a sudo infront of all make install comamnds plus the ldconfig command.

Note the older version of nmap is what is required by OpenVAS, hence not using apt-get to install this.

# Make temporary directory to d/l source, extract and compile
cd ~
mkdir openvas
cd openvas

# Download Source
wget http://wald.intevation.org/frs/download.php/2351/openvas-libraries-8.0.8.tar.gz
wget http://wald.intevation.org/frs/download.php/2367/openvas-scanner-5.0.7.tar.gz
wget http://wald.intevation.org/frs/download.php/2359/openvas-manager-6.0.9.tar.gz
wget http://wald.intevation.org/frs/download.php/2363/greenbone-security-assistant-6.0.11.tar.gz
wget http://wald.intevation.org/frs/download.php/2332/openvas-cli-1.4.4.tar.gz
wget http://nmap.org/dist/nmap-5.51.6.tgz

# Extract packages
tar xvf greenbone-security-assistant-6.0.11.tar.gz
tar xvf openvas-libraries-8.0.8.tar.gz
tar xvf openvas-scanner-5.0.7.tar.gz
tar xvf openvas-manager-6.0.9.tar.gz
tar xvf openvas-cli-1.4.4.tar.gz
tar xvf nmap-5.51.6.tgz

# Compile and install packages
cd openvas-libraries-8.0.8
cmake .
make
make doc
make install
cd ..

cd openvas-manager-6.0.9/
cmake .
make
make doc
make install
cd ..

cd openvas-scanner-5.0.7/
cmake .
make
make doc
make install
cd ..

cd openvas-cli-1.4.4/
cmake .
make
make doc
make install
cd ..

cd greenbone-security-assistant-6.0.11/
cmake .
make
make doc
make install
cd ..

cd nmap-5.51.6
./configure
make
make install
cd ..

ldconfig

Setup OpenVas via Script

So this is where Kali has it nailed down, and rather than re-invent the wheel I have copied and modified the distributions “openvas-setup” script to suit Debian 8, as below – create the script ad chmod +x, then run as root, or using sudo.

#!/bin/bash
if ! grep -q "^unixsocket /tmp/redis.sock" /etc/redis/redis.conf ; then
    sed -i -e 's/^\(#.\)\?port.*$/port 0/' /etc/redis/redis.conf
    sed -i -e 's/^\(#.\)\?unixsocket \/.*$/unixsocket \/tmp\/redis.sock/' /etc/redis/redis.conf
    sed -i -e 's/^\(#.\)\?unixsocketperm.*$/unixsocketperm 700/' /etc/redis/redis.conf
fi

service redis-server restart

test -e /usr/local/var/lib/openvas/CA/cacert.pem || openvas-mkcert -q
if (openssl verify -CAfile /usr/local/var/lib/openvas/CA/cacert.pem \
    /usr/local/var/lib/openvas/CA/servercert.pem | grep -q ^error); then
    openvas-mkcert -q -f
fi

openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync
if ! test -e /usr/local/var/lib/openvas/CA/clientcert.pem || \
    ! test -e /usr/local/var/lib/openvas/private/CA/clientkey.pem; then
    openvas-mkcert-client -n -i
fi
if (openssl verify -CAfile /usr/local/var/lib/openvas/CA/cacert.pem \
    /usr/local/var/lib/openvas/CA/clientcert.pem |grep -q ^error); then
    openvas-mkcert-client -n -i
fi

openvassd
openvasmd --migrate
openvasmd --progress --rebuild

openvassd
openvasmd
gsad

if ! openvasmd --get-users | grep -q ^admin$ ; then
    openvasmd --create-user=admin
fi

Once the above script has executed, ensure you capture and save the output password associated witht he user “admin.”

Create Update Script

Create a new script “/usr/local/sbin/openvas-feed-update” as below, ensure you chmod+x to ensure it is executable.

#!/bin/bash
echo "Updating OpenVas Feeds"
openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync

Create Services

I wanted to make running the service under Debian as easy as possible, so embraced the systemctl approach by creating a service file for the relevant component parts of OpenVAS / GSA. These are all modified copies of the files used in Kali.

Create /etc/systemd/system/openvas-manager.service, chmod +x to ensure it is executable by root.

[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:openvasmd(8) http://www.openvas.org/
Wants=openvas-scanner.service

[Service]
Type=forking
PIDFile=/usr/local/var/run/openvasmd.pid
ExecStart=/usr/local/sbin/openvasmd --database=/usr/local/var/lib/openvas/mgr/tasks.db

ExecReload=/bin/kill -HUP $MAINPID
# Kill the main process with SIGTERM and after TimeoutStopSec (defaults to
# 1m30) kill remaining processes with SIGKILL
KillMode=mixed

[Install]
WantedBy=multi-user.target

Create /etc/systemd/system/openvas-scanner.service, chmod +x to ensure it is executable by root.

[Unit]
Description=Open Vulnerability Assessment System Scanner Daemon
Documentation=man:openvassd(8) http://www.openvas.org/
After=redis-server.service
Requires=redis-server.service

[Install]
WantedBy=multi-user.target

[Service]
Type=forking
PIDFile=/usr/local/var/run/openvassd.pid
ExecStart=/usr/local/sbin/openvassd
ExecReload=/bin/kill -HUP $MAINPID
# Kill the main process with SIGTERM and after TimeoutStopSec (defaults to
# 1m30) kill remaining processes with SIGKILL
KillMode=mixed

Create /etc/systemd/system/greenbone-security-assistant.service, chmod +x to ensure it is executable by root.

[Unit]
Description=Greenbone Security Assistant
Documentation=man:gsad(8) http://www.openvas.org/
Wants=openvas-manager.service

[Service]
Type=simple
PIDFile=/usr/local/var/run/gsad.pid
ExecStart=/usr/local/sbin/gsad --foreground

[Install]
WantedBy=multi-user.target

Check you OpenVAS Installation

Use the command below to check your OpenVAS deployment, either run as root (sudo -i) or adding sudo where to the execution stage.

cd ~ && wget --no-check-certificate https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup 

chmod +x openvas-check-setup

./openvas-check-setup

Hopefully the setup checks will come back clean/with no issues…

Cycle OpenVAS and Start vis Systemctl

Now to confirm our service scripts are working; firslty lets kill of any OpenVAS / GSA related processes.

killall -9 gsad
killall -9 openvassd
killall -9 openvasmd

Now we’ll start the “services” using sytemctl, as below:

systemctl start openvas-manager.service
systemctl start openvas-scanner.service
systemctl start greenbone-security-assistant.service

Check the status of each service using these commands:

systemctl status openvas-manager.service
systemctl status openvas-scanner.service
systemctl status greenbone-security-assistant.service

Login to GSA

Using Firefox, browse to https://127.0.0.1 – you’ll be able to login using the username “admin” and password output and captured above (unique to your deployment).