# Greenbone Security Assistant Installation (previously "OpenVAS")



## cmoerz (May 22, 2021)

There are several tutorials and guides on how to install OpenVAS on FreeBSD; however, recently OpenVAS was renamed to Greenbone Security Assistant, spread across multiple packages and now no longer fits any of the past setup descriptions.
After wading through the documentation myself, I figured out the steps to get it running and thought, I'd save someone else the pains I had to experience.
The following installation guide was based on binary packages on FreeBSD 13.0-RELEASE; I haven't yet tested the procedure from compiled ports but assume they should be fine.
Package installations​You'll need to install multiple packages:

databases/postgresql12-server - a local PostgreSQL database is required. Previous OpenVAS releases did support sqlite, apparently this was taken out recently. Remote databases are unfortunately not supported. So if you already have a PostgreSQL server, you hoped to use for this, you're SOL. Some packages depend on PostgreSQL 12, so it doesn't work when choosing the newer 13 release.
databases/postgresql12-client - obviously, you'll need the client utilities as well
databases/postgresql12-contrib - required for the uuid-ossp extension
security/greenbone-security-assistant - the actual greenbone assistant; this one has a lot of dependencies, so expect a lot of downloads.
security/gvmd - the management interface for the framework; again with a bunch of dependencies
security/openvas - the scanner component
security/py-ospd-openvas (binary: py37-ospd-openvas) - the python wrapper that's used to call the scanner
Redis setup​Redis is an implicit dependency; it's not listed in the above packages but will be installed anyways. We need to enable it. As root run

```
sysrc redis_enable=YES
```
We switch redis to user gvm so gvm can talk to the UNIX socket.

```
sysrc redis_user=gvm
```
We also fix permissions on the log file

```
chown gvm:gvm /var/log/redis/redis.log
```
On a production server, you might want to integrate that log into `newsyslog` to maintain this.

Then enable redis' socket interface. Edit /usr/local/etc/redis.conf:

```
# Unix socket.
#
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /tmp/redis.sock
unixsocketperm 700
```
Also, turn up databases to 32:

```
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 32
```
Afterwards, start the daeomn:

```
service redis start
```
To make openvas use this socket, create a file /usr/local/etc/openvas/openvas.conf with following content:

```
db_address = /tmp/redis.sock
```
Database setup​After installating PostgreSQL, you need to initialize as usual. As root, run

```
su - postgres
initdb -E utf8 /var/db/postgresql/data13/
```
After initializing the database, return back to root user and ready/start it:

```
exit
sysrc postgresql_enable=YES
service postgresql start
```
Then, back to the postgres user postgres, create a user

```
su - postgres
createuser -P gvm
```
and provide a database password when queried. Then follow up with creating a database owned by this new user:

```
createdb -E utf8 -O gvm gvmd
```
Next, start psql and enable the uuid-ossp extension:

```
psql gvmd
```
Within `psql`, we enable the extension and create a "dba" role that's required for the database population later on:

```
create extension "uuid-ossp";
create role dba with superuser noinherit;
grant dba to gvm;
exit
```
Server Certificates​The Greenbone Security Assistant exposes a web interface for management. The web server requires TLS certificates in directories that do not exist yet. Create them by running as root

```
mkdir -p /var/lib/gvm/CA
mkdir -p /var/lib/gvm/private/CA
```
Then place your certificate file into /var/lib/gvm/CA/servercert.pem and your key into /var/lib/gvm/private/CA/serverkey.pem.

Make sure to set correct permissions and ownerships:

```
chown gvm:gvm /var/lib/gvm/CA/servercert.pem /var/lib/gvm/private/CA/serverkey.pem
chmod 400 /var/lib/gvm/private/CA/serverkey.pem
```
GnuGPG setup​Set up a GPG repository as root:

```
cd /var/lib/gvm/gvmd/gnupg
gpg --homedir /var/lib/gvm/gvmd/gnupg/ --list-keys
```
Ignore any warnings about unsafe ownerships. We'll fix that by running

```
chown -R gvm:gvm /var/lib/gvm/gvmd/gnupg
```
Directory setup​When I first attempted to get the framework running, logs showed multiple errors for directories. So I simply created those:

```
mkdir -p /var/lib/gvm/cert-data
mkdir -p /var/lib/gvm/data-objects/gvmd
mkdir -p /var/lib/gvm/scap-data
chown -R gvm:gvm /var/lib/gvm
```
Patch and setup rc.d script​During initial runs, gvmd did not properly work because its PATH variable seemed to be wrong. So I did some hacking, which probably could be done in some smarter fashion. I simply edited /usr/local/etc/rc.d/gvmd by adding an export statement for the PATH variable (this might be obsolete, but I left it in since it was required on my VM when I set things up):

```
pidfile=/var/run/gvm/gvmd.pid

export PATH=/usr/local/bin:/usr/local/sbin:$PATH

run_rc_command "$1"
```
Enable relevant services in /etc/rc.conf:

```
sysrc gsad_enable=YES
sysrc gvmd_enable=YES
sysrc ospd_openvas_enable=YES
```
Populate database​We can now populate the database:

```
su -m gvm
gvmd -m
```
User setup​Create an admin user for the management system. While still impersonating user gvm, run

```
gvmd --create-user=admin
```
Note down the password for later login. Then get the new user's UUID:

```
gvmd --get-users -v
```
Use the user's UUID. We need it to assign it as owner for the feeds, which we'll import later on:

```
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>
```
Sync Feeds​The feed synchronization works via rsync. It requires a direct connection to Greenbone's servers. If your internet access usually works via a proxy, you will need to set up firewall rules to permit direct connections just for this. Proxy use is not supported.

As user gvm, run

```
greenbone-feed-sync --type GVMD_DATA
greenbone-scapdata-sync
greenbone-certdata-sync
cd /tmp
greenbone-nvt-sync
```
Do NOT start those synchronizations in parallel. If you do, you'll be blacklisted by Greenbone. You need to switch to /tmp before running greenbone-nvt-sync because it needs a directory with write permissions to start from.

You may receive messages like

```
/var/run/gvm/feed-update.lockexit: greenbone-nvt-sync.FWHlsAgCQ3: Permission denied
```
which you apparently can safely ignore.
Start Services​Now you should be able to start your services. As root run

```
service gvmd start
service gsad start
service ospd_openvas start
```
You should now have the management web server running. You can check for port 443:

```
root@openvas:/usr/local/etc/openvas # sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
gvm      redis-serv 95416 6  tcp4   127.0.0.1:6379        *:*
root     gsad       3956  5  tcp46  *:80                  *:*
root     gsad       3811  5  tcp46  *:443                 *:*
postgres postgres   42012 5  tcp4   127.0.0.1:5432        *:*
root     sshd       74818 4  tcp4   *:22                  *:*
```
Point your browser to
https://<servername>
and you should be greeted with Greenbone Security Assistant's login screen. Enter username and password you previously chose during setup.

Finally, check in SecInfo / NVTs, CVEs and CPEs whether all relevant data got properly imported into the database. If you see entries, you're done and can start checking your landscape! Happy hunting.


----------



## cmoerz (Jun 28, 2021)

One more thing, I apparently missed. You also need to


```
chown -R gvm:gvm /var/db/redis/
```

otherwise, redis won't run properly.


----------



## cmoerz (Jun 28, 2021)

This is embarrassing. One more thing to do, to make sure feed updates work later on:


```
root@openvas:/usr/local/etc/openvas # su - postgres
$ psql gvmd
psql (12.7)
Type "help" for help.

gvmd=# create extension pgcrypto;
CREATE EXTENSION
gvmd=#
\q
$
```


----------



## rm1984 (Oct 29, 2021)

Thanks thanks thanks thanks!  Did I already say thanks?


----------



## cmoerz (Dec 18, 2021)

Another thing just popped up. If you've been running OpenVAS for a while, you'll be updating your system and will eventually get

```
gvmd: database is wrong version
```
in your /var/log/gvm/gvmd.log. To resolve this, you'll have to

```
su -m gvm
gvmd --migrate
```
to update the database. Be patient, this will take a while.


----------



## cmoerz (Dec 19, 2021)

There's another one for the annals of "how to shoot yourself in the foot": if you run into the following problem

```
OSPD[64671] 2021-12-19 21:15:42,230: ERROR: (ospd.ospd) 791f63b3-5287-45d3-96e5-72583d1e04a6: Exception psutil.NoSuchProcess process no longer exists (pid=6908) while scanning
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/psutil/_common.py", line 447, in wrapper
    ret = self._cache[fun]
AttributeError: _cache

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 550, in wrapper
    return fun(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/psutil/_common.py", line 450, in wrapper
    return fun(self)
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 605, in oneshot
    ret = cext.proc_oneshot_info(self.pid)
ProcessLookupError: [Errno 3] No such process (originated from sysctl(KERN_PROC_PID))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/ospd/ospd.py", line 516, in start_scan
    self.exec_scan(scan_id)
  File "/usr/local/lib/python3.8/site-packages/ospd_openvas/daemon.py", line 1315, in exec_scan
    openvas_process_is_alive = self.is_openvas_process_alive(
  File "/usr/local/lib/python3.8/site-packages/ospd_openvas/daemon.py", line 1170, in is_openvas_process_alive
    if openvas_process.status() == psutil.STATUS_ZOMBIE:
  File "/usr/local/lib/python3.8/site-packages/psutil/__init__.py", line 682, in status
    return self._proc.status()
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 550, in wrapper
    return fun(self, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 809, in status
    code = self.oneshot()[kinfo_proc_map['status']]
  File "/usr/local/lib/python3.8/site-packages/psutil/_psbsd.py", line 555, in wrapper
    raise NoSuchProcess(self.pid, self._name)
psutil.NoSuchProcess: psutil.NoSuchProcess process no longer exists (pid=6908)
```
where the pid may obviously vary, you probably made the same mistake as me - you installed security/sudo as the documentation suggests. However, you - just like me - forgot you're running on FreeBSD and you probably turned on sysctl

```
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
```
in /etc/sysctl.conf. So, in the hopes of saving you the whole day I've been spending ripping my hairs out - do yourself a favor and either remove that sysctl or uninstall sudo.


----------



## MarcoB (May 24, 2022)

Where do I get the server certificate servercert.pem and key serverkey.pem?

PS: found out `# gvm-manage-certs -a` needs to be run first. Then the certs and keys are created.


----------



## MarcoB (May 24, 2022)

I have a new problem though:


```
# service ospd_openvas onestart
Starting ospd_openvas.
/usr/local/etc/rc.d/ospd_openvas: WARNING: failed to start ospd_openvas
```

/var/log/gvm/ospd-openvas.log reveals:

```
OSPD[10207] 2022-05-25 14:49:42,939: ERROR: (ospd_openvas.db) Redis Error: Not possible to connect to the kb.
```


----------



## cmoerz (May 25, 2022)

MarcoB said:


> I have a new problem though:
> 
> 
> ```
> ...


This might be a permission issue. Is your redis socket owned by the redis user? If so, you'll probably need to switch it to gvm or whichever user is running ospd.

Sorry for not being more specific; I don't have my openvas installation available at the moment.


----------



## MarcoB (May 25, 2022)

Thanks, got it. Changed not only the files openvas related in /var/run and /var/log to gvm, but also the directories themselves. It was probably the /var/log/redis directory that needed change to gvm. The logfile was owned by gvm, but not the directory.


----------



## MarcoB (May 25, 2022)

All seems to work well except for logging in. The webinterface says "URL not found". Any idea how to actually log into openvas?


----------



## cmoerz (May 25, 2022)

Uh, that's a good one. I remember some time back, I patched the web code because I only could reach the system from localhost; you could try setting up an ssh tunnel and attempting to connect via the local tcp port on localhost.

Unfortunately, I don't have my notes with me at the moment. I'm fairly certain it had something to do how the page was served and only permitting localhost as hostname, though I'm not completely sure whether this is the issue you're looking at. I believe the situation I had back then was at least reaching the login page but failing to log in successfully.


----------



## MarcoB (May 26, 2022)

Ended up installing it on Kali Linux, which went flawlessly. I don't give up though and find out later what's the culprit and use it on FreeBSD.


----------



## cmoerz (Jun 12, 2022)

I've created a simplified installation script for a fresh FreeBSD install for myself. Figured others might want to either use or have a look at it as well:









						GitHub - christian-moerz/openvas: OpenVAS installation for FreeBSD
					

OpenVAS installation for FreeBSD. Contribute to christian-moerz/openvas development by creating an account on GitHub.




					github.com


----------



## Lamia (Jun 13, 2022)

It throws this error:

```
ospd_openvas_enable: YES -> YES
md manage-Message: 01:43:43.984: db_extension_available: Extension 'uuid-ossp' is not available.

(gvmd:16209): md manage-WARNING **: 01:43:43.984: check_db_extensions: A required extension is not available.

(gvmd:16209): md manage-WARNING **: 01:43:43.984: init_manage_create_functions: failed to create functions
```

Stepping into postgres to create it showed that it already exists. But the script still failed. There had been previous efforts to install it using the referenced link { https://forums.freebsd.org/threads/...istant-installation-previously-openvas.80563/} but no luck. The error back then was with ospd-openvas. Thanks to you all for these efforts. Setting up a debian vm and running this - https://github.com/yu210148/gvm_install - works. 

I guess part of the problem was trying to run it in a Jail despite that all required tweaks were applied.


----------



## cmoerz (Jun 14, 2022)

Can you please check via `pkg info` whether databases/postgresql13-contrib was successfully installed? uuid-ossp should usually be provided by that package.

I noticed during my own tests, that in the meantime, the ports package for openvas et al has switched to databases/postgresql13, so version 12 from the original post probably no longer works.

The script I posted on github should actually work fine in a jail, as long as you allow raw sockets; these are required for postgresql to work. If you're still interested in getting it to run in a jail / on FreeBSD, I can post an abbreviated jails.conf later, that worked for me.


----------



## SirDice (Jun 14, 2022)

The default PostgreSQL version changed some time ago (and a couple of months after this how-to was written):






						ports - FreeBSD ports tree
					






					cgit.freebsd.org


----------



## cmoerz (Oct 16, 2022)

Dependencies have changed yet again, i.e. net/mosquitto is a required install as well now. Unfortunately, there's also two bugs that break the whole suite - you cannot create users for the web interface and for some reason, even if you do get it working, the username is not picked up by the web server and fails all logins.

I've added a patch on my github that allows you to add an admin user and login as admin. It's a bit of a hack, but at least, it will allow you to get started, if you're looking at a brand new install.









						GitHub - christian-moerz/openvas: OpenVAS installation for FreeBSD
					

OpenVAS installation for FreeBSD. Contribute to christian-moerz/openvas development by creating an account on GitHub.




					github.com


----------

