Installing Greenbone for Vulnerability Assessment Scanning

Scanning servers for vulnerabilities is important to assess security. Scans should be done regularly, especially for servers that contain sensitive customer data.

At Gorges, we chose the Greenbone Vulnerability Manager (GVM) for our solution. There are commercial and open-source Greenbone versions, and we chose the latter, specifically the Greenbone Source Edition version 20. However the open-source version has to be compiled, linked, and installed manually which can be a challenge.

First of all, kudos to Kevin Lucas for publishing an installation script. Although we could not get it to work as published, it accomplished 90% of the heavy lifting.

Hours were spent trying to get the installation script working on Ubuntu 18 and Ubuntu 20, but these attempts failed because one of the sub-packages (Greenbone Security Assistant or GSA) was failing during compilation. Switching to the Debian linux distribution solved this issue and GSA compiled.

After adding server swap space and updating all Debian packages, the GVM installation script was downloaded and executed, and the computer rebooted:

$ wget https://raw.githubusercontent.com/yu210148/gvm_install/master/install_gvm.sh
$ chmod +x install_gvm.sh
$ sudo ./install_gvm.sh
$ reboot


However the GSA process kept failing and would not execute. An investigation revealed that it was expecting a certain socket file to be present to communicate with another package, specifically the OpenVAS vulnerability assessment process. Creating a symbolic link to the actual socket file worked:

$ su - gvm
$ cd var/run
$ ln -s ospd.sock gvm.sock
$ exit
$ sudo reboot


For us the default password from the installation script did not work, but modifying it to a new password was straightforward:

$ su - gvm
$ sbin/gvmd --create-user=admin
$ sbin/gvmd --user=admin --new-password=NEW_PASSWORD
$ exit


Sendmail was installed to email the completed reports to the users. Unfortunately the emails were being labelled as spam by our email filters, so Sendmail was configured to forward the email to Sendgrid SMTP service. The instructions for modifying Sendmail are located on the Sendgrid website.

$ sudo apt-get install sendmail libsasl2-modules
$ cd /etc/mail
$ sudo vi access
  (appended the following line)
  AuthInfo:smtp.sendgrid.net "U:apikey" "P:SENDGRID_KEY" "M:PLAIN"
$ sudo vi sendmail.mc
  (add these lines within)
  define(`SMART_HOST', `smtp.sendgrid.net')dnl
  define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
  define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
$ sudo m4 sendmail.mc > sendmail.cf
$ sudo makemap hash access < access
$ sudo service sendmail restart


The scanner was now up and running, but using a self-signed certificate for encryption. For many this is acceptable, but a proper SSL certificate is better and safer. The easiest path was to use Apache2 and LetsEncrypt with a reverse proxy.

First change the existing port from 443 to an unused port such as 9390:

$ cd /etc/systemd/system/
$ sudo vi gsa.service
  (revise to the following line)
  ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad --port=9390
$ sudo systemctl daemon-reload
$ sudo systemctl restart gsa.service


Install and configure Apache:

$ sudo apt-get install apache2
$ cd /etc/apache2/mods-enabled/
$ sudo ln -s ../mods-available/proxy.conf .
$ sudo ln -s ../mods-available/proxy.load .
$ sudo ln -s ../mods-available/proxy_http.load .
$ sudo ln -s ../mods-available/rewrite.load .
$ sudo ln -s ../mods-available/socache_shmcb.load .
$ sudo ln -s ../mods-available/ssl.conf .
$ sudo ln -s ../mods-available/ssl.load .
$ cd /etc/apache2/sites-available/
$ sudo vi 000-default.conf
  ServerName gvm.YOURDOMAIN.COM
  DocumentRoot /var/www/html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerExpire off
  ProxyPass /
  ProxyPassReverse /
    Require all granted
    Options None

Open the firewall for the web services:

$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw reload


Add a LetsEncrypt certificate:

$ sudo apt-get install certbot python3-certbot-apache
$ sudo certbot
  (answer certbot questions)
$ cd /etc/cron.daily/
$ sudo printf "#\!/bin/sh\ncertbot renew" > certbot

If you read the original script then there are some extra tidbits of information, such as the initial downloading of the scanning rules will take several hours.

We now have dozens of servers scheduled for automated weekly scans.

Written by Matt Clark


GORGES Web Development The owner of this website has made a commitment to accessibility and inclusion, please report any problems that you encounter using the contact form on this website. This site uses the WP ADA Compliance Check plugin to enhance accessibility.