install openvas-9 to raspbian (raspberry pi) from src - end0tknr's kipple - web写経開発
2017年に記載した上記エントリの2020年版です。
今回は、※1 を参考にしています。(というより、まるパクリです)
2020/11時点で、GVMの最新は、ver.20ですが、バグがあるらしく、 installできたものの、脆弱性SCANできなかった為、GVM 11(OpenVAS) を使用しています。
install自体に手間取る部分はありませんが、脆弱性SCANの際は、以下の点にご注意下さい。
Configuration → Alive Test = Consider Alive
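デフォルトでは、pingに反応がないホストはダウンと判定されてscanされませんので、pingに応答しないホストもscanする場合は Consider Alive を指定して下さい。なお、Consider Alive にすると応答のないアドレスもすべてscan対象になるため、範囲指定のscanでは所要時間が大きく伸びます。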

Scans → Tasks → Scanner=Kifarunix-demo OpenVAS Scanner
今回のインストールでは、新規にスキャナを追加していますので、 「Scanner=Kifarunix-demo OpenVAS Scanner」を指定して下さい。
また、デフォルトでは、Maximum concurrently scanned hosts=20 で過大な 気がしますので、10程度に下げた方がよいかと思います。

以降が、インストールメモです
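## Host used for this install (output of /etc/os-release, then a package refresh).
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
$ sudo apt update  ## refresh the list of installable packages
$ sudo apt upgrade ## upgrade the packages that are already installed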
## Dedicated system account (-r) for GVM; /opt/gvm is its home and the install prefix used below.
$ sudo useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm
$ sudo mkdir /opt/gvm
## /opt/gvm is handed to gvm, so everything built and installed there later is writable by gvm.
$ sudo chown gvm:gvm /opt/gvm
## Build toolchain and -dev libraries for compiling the GVM components from source.
## --no-install-recommends applies to the whole apt transaction, not only to xsltproc.
$ sudo apt \
install gcc g++ make bison flex libksba-dev curl redis libpcap-dev \
cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev \
libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev \
zlib1g-dev libxml2-dev libradcli-dev clang-format libldap2-dev doxygen \
gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev \
libsnmp-dev python3-setuptools python3-paramiko python3-lxml \
python3-defusedxml python3-dev gettext python3-polib xmltoman \
python3-pip texlive-fonts-recommended texlive-latex-extra \
--no-install-recommends xsltproc
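## Add the Yarn apt repository (yarn is presumably needed for the gsa build later on).
$ sudo su -
## Keep the Yarn signing key in its own keyring and bind it to this one repository with
## signed-by; `apt-key add` would make the key trusted for every configured repository.
## curl -f makes an HTTP error fail the download instead of feeding an error page to gpg.
# curl -fsS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /usr/share/keyrings/yarnkey.gpg
# echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
$ sudo apt update
$ sudo apt install yarn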
## PostgreSQL backend for gvmd: a gvm role, a gvmd database owned by it, and the uuid-ossp extension.
$ sudo apt install postgresql postgresql-contrib postgresql-server-dev-all
$ sudo -Hiu postgres
## No password is set for the gvm role here; presumably it connects over the local socket
## with peer authentication (the ps output later on this page shows "gvm gvmd [local]").
postgres$ createuser gvm
postgres$ createdb -O gvm gvmd
## NOTE(review): dba is a SUPERUSER role and gvm becomes a member of it, so gvm can
## `SET ROLE dba` and act as superuser for the whole PostgreSQL cluster, not only for gvmd.
## Keep this PostgreSQL instance dedicated to GVM.
postgres$ psql gvmd
gvmd=# create role dba with superuser noinherit;
gvmd=# grant dba to gvm;
gvmd=# create extension "uuid-ossp";
gvmd=# \q
postgres$ exit
$ sudo systemctl restart postgresql
$ sudo systemctl enable postgresql
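## Make the GVM binaries and libraries visible system-wide.
## NOTE(review): /opt/gvm is owned by gvm, so these entries put gvm-writable directories
## on the system PATH and on the dynamic linker's search path; keep them last in PATH as here.
$ sudo vim /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"
↑「/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin」を追加
$ sudo su -
## Register /opt/gvm/lib with ld.so; it takes effect when ldconfig is run.
# echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.conf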
## From here on the `$` prompt is the gvm account: sources are fetched and built unprivileged.
$ sudo su - gvm
$ mkdir /opt/gvm/tmp
$ mkdir /opt/gvm/tmp/gvm-source
$ cd /opt/gvm/tmp/gvm-source
## NOTE(review): -b names a branch, which is a moving ref, and openvas-smb is cloned without -b
## (default branch). For a reproducible, reviewable build, check out a specific release tag or
## commit in each repository after cloning.
$ git clone -b gvm-libs-11.0 https://github.com/greenbone/gvm-libs.git
$ git clone https://github.com/greenbone/openvas-smb.git
$ git clone -b openvas-7.0 https://github.com/greenbone/openvas.git
$ git clone -b ospd-2.0 https://github.com/greenbone/ospd.git
$ git clone -b ospd-openvas-1.0 https://github.com/greenbone/ospd-openvas.git
$ git clone -b gvmd-9.0 https://github.com/greenbone/gvmd.git
$ git clone -b gsa-9.0 https://github.com/greenbone/gsa.git
## Let pkg-config find the libraries that are installed under /opt/gvm by the builds below.
$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
## Build order: gvm-libs, then openvas-smb, then openvas; each is an out-of-tree CMake build
## installed into the /opt/gvm prefix (still as the gvm account).
$ cd gvm-libs
$ mkdir build
$ cd build
$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
$ make
$ make install
$ cd ../../openvas-smb/
$ mkdir build
$ cd build
$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
$ make
$ make install
$ cd ../../openvas
$ mkdir build
$ cd build
$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
## Local edit to openvas's CMakeLists.txt: the first line below is the original, commented out;
## the second is its replacement, which keeps -Werror but leaves deprecated-declarations as a
## warning only. Presumably needed for the build to pass with this toolchain.
$ vim ../../openvas/CMakeLists.txt
#set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}")
set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations")
$ make
$ make install
## The prompt is `#` from here: these steps run as root.
## Rebuild the linker cache so the libraries under /opt/gvm/lib are found.
# ldconfig
## Dedicated Redis instance for the scanner, using the config shipped in the openvas source tree.
# cp /opt/gvm/tmp/gvm-source/openvas/config/redis-openvas.conf /etc/redis/
# chown redis:redis /etc/redis/redis-openvas.conf
## `>` overwrites openvas.conf with this single setting (the Redis unix socket path).
# echo "db_address = /run/redis-openvas/redis.sock" > /opt/gvm/etc/openvas/openvas.conf
# chown gvm:gvm /opt/gvm/etc/openvas/openvas.conf
## Membership in the redis group is presumably what lets gvm open the Redis socket.
# usermod -aG redis gvm
## Kernel settings commonly recommended for Redis. `>>` appends, so re-running these lines
## leaves duplicate entries in /etc/sysctl.conf.
# echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf
# echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf
# sysctl -p
net.core.somaxconn = 1024
vm.overcommit_memory = 1
## Unit that writes 'never' to the two transparent-hugepage sysfs knobs at boot.
# vi /etc/systemd/system/disable_thp.service
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)
[Service]
Type=simple
## Run through /bin/sh -c because the command line uses shell redirection and &&.
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.target
# systemctl daemon-reload
# systemctl enable --now disable_thp
## Start the Redis instance named "openvas" (template unit redis-server@) now and at boot.
# systemctl enable --now redis-server@openvas
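## Let gvm start the scanner (openvas) and the web daemon (gsad) as root without a password.
## NOTE(review): /opt/gvm/sbin was populated by `make install` run as gvm, so gvm can replace
## the binaries named in these rules; the NOPASSWD entries make the gvm account root-equivalent.
## Treat gvm as a privileged account.
# echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas" > /etc/sudoers.d/gvm
## secure_path is the PATH sudo uses; /opt/gvm/sbin is appended last so that `sudo openvas`
## and `sudo gsad` resolve without shadowing any system command.
# visudo
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"
※「/opt/gvm/sbin」を追加
# echo "gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad" >> /etc/sudoers.d/gvm
## A drop-in written with echo bypasses visudo's checks: restrict its mode and validate the syntax.
# chmod 0440 /etc/sudoers.d/gvm
# visudo -cf /etc/sudoers.d/gvm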
## Back to the gvm account (prompt `gvm$`) for feed download and the remaining builds.
# su - gvm
## Download the vulnerability tests (NVT feed). Scan results are only as current as the last
## sync, so plan to re-run the sync commands on this page regularly after the install.
gvm$ greenbone-nvt-sync
※上記の処理には、10min程 要します
## Runs the scanner as root via the NOPASSWD sudoers rule to load the downloaded VT data.
gvm$ sudo openvas --update-vt-info
※上記の処理には、2-3min程 要します
gvm$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
## Build gvmd (manager daemon) and gsa (web UI) into the same /opt/gvm prefix.
gvm$ cd /opt/gvm/tmp/gvm-source/gvmd
gvm$ mkdir build
gvm$ cd build
gvm$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
gvm$ make
gvm$ make install
gvm$ cd ../../gsa
gvm$ mkdir build
gvm$ cd build
gvm$ cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
gvm$ make
gvm$ make install
## SCAP and CERT feed data.
gvm$ greenbone-scapdata-sync
gvm$ greenbone-certdata-sync
## -a generates the certificate set automatically with default values (a locally created CA,
## not a publicly trusted one).
gvm$ gvm-manage-certs -a
## Install the Python components (ospd, ospd-openvas) into the /opt/gvm prefix.
gvm$ export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:$PKG_CONFIG_PATH
## The target site-packages directory must exist and be on PYTHONPATH before
## `setup.py install --prefix=...` is run; python3.8 matches this host's Python.
gvm$ mkdir -p /opt/gvm/lib/python3.8/site-packages/
gvm$ export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
gvm$ cd /opt/gvm/tmp/gvm-source/ospd
gvm$ python3 setup.py install --prefix=/opt/gvm
gvm$ cd ../ospd-openvas
gvm$ python3 setup.py install --prefix=/opt/gvm
## Manual first start of the three daemons, to check the install before writing systemd units.
## ospd-openvas listens on the unix socket given with -u; pid, log and lock files stay under /opt/gvm/var.
gvm$ /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
## gvmd is pointed at the same ospd socket.
gvm$ gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
## gsad is started through sudo (NOPASSWD rule), so the web-facing daemon runs as root;
## the ps output below confirms it (owner "root").
gvm$ sudo gsad
Oops, secure memory pool already initialized
## List the running GVM processes and their owners.
gvm$ ps aux | grep -E "ospd-openvas|gsad|gvmd" | grep -v grep
gvm 43823 57.7 1.0 163852 43048 pts/0 Rl 09:28 0:25 \
/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run \
-u /opt/gvm/var/run/ospd.sock
gvm 43825 0.0 0.6 149764 27208 pts/0 Sl 09:28 0:00 \
/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run \
-u /opt/gvm/var/run/ospd.sock
gvm 43832 0.1 0.2 99608 10252 pts/0 S 09:28 0:00 \
gvmd: Waiting for incoming connections
gvm 43854 1.3 0.0 81196 1568 ? Ss 09:28 0:00 \
gpg-agent --homedir /opt/gvm/var/lib/gvm/gvmd/gnupg \
--use-standard-socket --daemon
postgres 43860 0.0 0.6 225564 26956 ? SLs 09:28 0:00 \
postgres: 12/main: gvm gvmd [local] idle
root 43869 0.0 0.1 132176 5636 pts/0 Sl 09:28 0:00 gsad
root 43870 0.0 0.0 132176 3496 pts/0 Sl 09:28 0:00 gsad
# vi /etc/systemd/system/openvas.service
## systemd unit that starts ospd-openvas as the unprivileged gvm user.
[Unit]
Description=Control the OpenVAS service
## NOTE(review): the Redis instance enabled earlier on this page is redis-server@openvas;
## confirm that ordering after redis.service covers the instance the scanner actually uses.
After=redis.service
After=postgresql.service
[Service]
## The leading "-" tells systemd to ignore a failure of this cleanup step; it removes stale
## pid/socket files left by a previous run.
ExecStartPre=-rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
## Keeps the unit "active" after the started process exits; the status output on this page
## shows exactly that state ("active (exited)") while the ospd-openvas children keep running.
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
## Load the new unit, start it, and inspect the result (status output follows).
# systemctl daemon-reload
# systemctl start openvas
# systemctl status openvas
● openvas.service - Control the OpenVAS service
Loaded: loaded (/etc/systemd/system/openvas.service; disabled; vendor preset: enabled)
Active: active (exited) since Sat 2020-11-07 09:33:18 UTC; 13s ago
Process: 44404 ExecStartPre=/usr/bin/rm -rf /opt/gvm/var/run/ospd-openvas.pid \
/opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock (code=exited, status=0/SUCCE>
Process: 44419 ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.lo>
Main PID: 44419 (code=exited, status=0/SUCCESS)
Tasks: 4 (limit: 4621)
Memory: 24.2M
CGroup: /system.slice/openvas.service
├─44425 /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
│ --pid-file /opt/gvm/var/run/ospd-openvas.pid \
│ --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock>
└─44427 /usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock>
Nov 07 09:33:18 ubuntu20 systemd[1]: Starting Control the OpenVAS service...
Nov 07 09:33:18 ubuntu20 systemd[1]: Started Control the OpenVAS service.
## The status output above still shows the unit as "disabled"; enable it so it starts at boot.
# systemctl enable openvas
# vi /etc/systemd/system/gsa.service
## systemd unit for gsad, the web interface daemon.
[Unit]
Description=Control the OpenVAS GSA service
After=openvas.service
[Service]
Type=simple
## The unit runs as gvm, but ExecStart goes through sudo, so gsad itself runs as root.
## This depends on the NOPASSWD sudoers rule for /opt/gvm/sbin/gsad.
## NOTE(review): gsad offers a --drop-privileges=<user> option; consider it so the
## network-facing process does not stay root — verify against your gsad version.
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
# vi /etc/systemd/system/gsa.path
## Path unit: activates gsa.service when systemd sees a change on the gvmd socket path.
[Unit]
Description=Start the OpenVAS GSA service when gvmd.sock is available
[Path]
PathChanged=/opt/gvm/var/run/gvmd.sock
Unit=gsa.service
[Install]
WantedBy=multi-user.target
# vi /etc/systemd/system/gvm.service
## systemd unit for gvmd, run as the unprivileged gvm user.
[Unit]
Description=Control the OpenVAS GVM service
After=openvas.service
[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
## Same invocation as the manual start: gvmd is pointed at the ospd-openvas unix socket.
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
## Presumably gvmd detaches after start; RemainAfterExit keeps the unit reported as active.
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
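# vi /etc/systemd/system/gvm.path
## Path unit: activates gvm.service when systemd sees a change on the ospd-openvas socket path.
[Unit]
Description=Start the OpenVAS GVM service when ospd.sock is available
[Path]
## Same socket path that openvas.service passes to ospd-openvas with -u.
PathChanged=/opt/gvm/var/run/ospd.sock
Unit=gvm.service
[Install]
WantedBy=multi-user.target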
## Enable and start the gvmd/gsad units together with their path units
## (gvm.{path,service} is shell brace expansion for both unit names).
# systemctl daemon-reload
# systemctl enable --now gvm.{path,service}
# systemctl enable --now gsa.{path,service}
## Register a scanner entry in gvmd that points at the ospd-openvas socket used on this page.
## gvmd is run as gvm (sudo -Hiu gvm), not as root.
# sudo -Hiu gvm gvmd --create-scanner="Kifarunix-demo OpenVAS Scanner" \
--scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sock
# sudo -Hiu gvm gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /tmp/ospd.sock 0 OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE
169efd9c-2248-415e-ba4e-5d7e78069494 OpenVAS /opt/gvm/var/run/ospd.sock 9390 Kifarunix-demo OpenVAS Scanner
## Verify the new scanner by the UUID printed by --get-scanners on your own host.
# sudo -Hiu gvm gvmd --verify-scanner=169efd9c-2248-415e-ba4e-5d7e78069494
## NOTE(review): the UUID on the next line does not appear in the listing above; presumably
## it comes from a different run. Use the UUID from your own --get-scanners output.
# sudo -Hiu gvm gvmd --verify-scanner=955420e0-9a75-46f8-b778-80860f946dea
Scanner version: OpenVAS 7.0.1.
## Create the web UI accounts. ないしょ ("secret") is the author's placeholder, not a real password.
## NOTE(review): a password passed as --password= / --new-password= is visible in the process
## list while gvmd runs and is saved in root's shell history. Change it in the web UI after the
## first login, or remove the history entry.
# sudo -Hiu gvm gvmd --create-user gvmadmin --password=ないしょ
User created.
# sudo -Hiu gvm gvmd --user=gvmadmin --new-password=ないしょ
## A second account named "admin" is created as well. Both presumably receive gvmd's default
## role for --create-user (confirm); keep only the accounts that are actually used.
# sudo -Hiu gvm gvmd --create-user admin --password=ないしょ
User created.
## Opens the GSA web UI (HTTPS, tcp/443) to every source address.
## NOTE(review): the UI holds scan results and credentials for targets; prefer limiting access
## to the admin network, e.g.
##   ufw allow from <ADMIN_CIDR> to any port 443 proto tcp    (<ADMIN_CIDR> is a placeholder)
# ufw allow 443/tcp
Rules updated
Rules updated (v6)
## NOTE(review): "Rules updated" is the message ufw prints while the firewall is inactive
## ("Rule added" when it is active) — check `ufw status` to see whether rules are enforced.
# reboot
後は、ブラウザで https://$IPアドレス へアクセスし、上で作成したユーザでログインしてお試し下さい。なお、gvm-manage-certs -a が生成した独自CAの証明書が使われるため、ブラウザには証明書の警告が表示されます。