Installing Greenbone for Vulnerability Assessment Scanning

February 1, 2021
Fitbit Map

Scanning servers for vulnerabilities is important to assess security. Scans should be done regularly, especially for servers that contain sensitive customer data.

At Gorges, we chose the Greenbone Vulnerability Manager (GVM) for our solution. There are commercial and open-source Greenbone versions, and we chose the latter, specifically the Greenbone Source Edition version 20. However the open-source version has to be compiled, linked, and installed manually which can be a challenge.

First of all, kudos to Kevin Lucas for publishing an installation script. Although we could not get it to work as published, it accomplished 90% of the heavy lifting.

Hours were spent trying to get the installation script working on Ubuntu 18 and Ubuntu 20, but these attempts failed because one of the sub-packages (Greenbone Security Assistant or GSA) was failing during compilation. Switching to the Debian linux distribution solved this issue and GSA compiled.

After adding server swap space and updating all Debian packages, the GVM installation script was downloaded and executed, and the computer rebooted:

$ wget https://raw.githubusercontent.com/yu210148/gvm_install/master/install_gvm.sh
$ chmod +x install_gvm.sh
$ sudo ./install_gvm.sh
$ reboot

 

However the GSA process kept failing and would not execute. An investigation revealed that it was expecting a certain socket file to be present to communicate with another package, specifically the OpenVAS vulnerability assessment process. Creating a symbolic link to the actual socket file worked:

$ su - gvm
$ cd var/run
$ ln -s ospd.sock gvm.sock
$ exit
$ sudo reboot

 

For us the default password from the installation script did not work, but modifying it to a new password was straightforward:

$ su - gvm
$ sbin/gvmd --create-user=admin
$ sbin/gvmd --user=admin --new-password=NEW_PASSWORD
$ exit

 

Sendmail was installed to email the completed reports to the users. Unfortunately the emails were being labelled as spam by our email filters, so Sendmail was configured to forward the email to Sendgrid SMTP service. The instructions for modifying Sendmail are located on the Sendgrid website.

$ sudo apt-get install sendmail libsasl2-modules
$ cd /etc/mail
$ sudo vi access
  (appended the following line)
  AuthInfo:smtp.sendgrid.net "U:apikey" "P:SENDGRID_KEY" "M:PLAIN"
$ sudo vi sendmail.mc
  (add these lines within)
  define(`SMART_HOST', `smtp.sendgrid.net')dnl
  FEATURE(`access_db')dnl
  define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
  define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
$ sudo m4 sendmail.mc > sendmail.cf
$ sudo makemap hash access < access
$ sudo service sendmail restart

 

The scanner was now up and running, but using a self-signed certificate for encryption. For many this is acceptable, but a proper SSL certificate is better and safer. The easiest path was to use Apache2 and LetsEncrypt with a reverse proxy.

First change the existing port from 443 to an unused port such as 9390:

$ cd /etc/systemd/system/
$ sudo vi gsa.service
  (revise to the following line)
  ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad --port=9390
$ sudo systemctl daemon-reload
$ sudo systemctl restart gsa.service

 

Install and configure Apache:

$ sudo apt-get install apache2
$ cd /etc/apache2/mods-enabled/
$ sudo ln -s ../mods-available/proxy.conf .
$ sudo ln -s ../mods-available/proxy.load .
$ sudo ln -s ../mods-available/proxy_http.load .
$ sudo ln -s ../mods-available/rewrite.load .
$ sudo ln -s ../mods-available/socache_shmcb.load .
$ sudo ln -s ../mods-available/ssl.conf .
$ sudo ln -s ../mods-available/ssl.load .
$ cd /etc/apache2/sites-available/
$ sudo vi 000-default.conf
  (add)
  ServerName gvm.YOURDOMAIN.COM
  ServerAdmin YOUR@EMAIL.ADDRESS
  DocumentRoot /var/www/html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerExpire off
  ProxyPass / https://127.0.0.1:9390/
  ProxyPassReverse / https://127.0.0.1:9390/
  <Proxy http://127.0.0.1:9390/>
    Require all granted
    Options None
  </Proxy>
$ sudo service apache2 restart

 

Map time Open the firewall for the web services:

$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw reload

 

Add a LetsEncrypt certificate:

$ sudo apt-get install certbot python3-certbot-apache
$ sudo certbot
  (answer certbot questions)
$ cd /etc/cron.daily/
$ sudo printf "#\!/bin/sh\ncertbot renew" > certbot

 

If you read the original script then there are some extra tidbits of information, such as the initial downloading of the scanning rules will take several hours.

We now have dozens of servers scheduled for automated weekly scans.

Written By
Matt Clark

Matt Clark

CEO / Application Developer