What is OpenVAS (Greenbone)?
OpenVAS is a vulnerability scanner that probes your information system for known CVEs.
Test lab
Set up on Debian 12 with 4 vCPUs and 8 GB of RAM minimum (compilation is resource-hungry).
Dedicated user
sudo useradd -r -M -U -s /usr/sbin/nologin gvm
sudo usermod -aG gvm $USER
newgrp gvm
Installing all the packages
We install everything at once rather than module by module:
sudo apt update && sudo apt install -y \
build-essential curl cmake pkg-config python3 python3-pip gnupg \
gcc-mingw-w64 libgnutls28-dev libglib2.0-dev libpq-dev libssh-gcrypt-dev \
libhiredis-dev libxml2-dev libpcap-dev libnet1-dev libgpgme-dev \
libksba-dev libldap2-dev libradcli-dev libmicrohttpd-dev libunistring-dev \
libpaho-mqtt-dev redis-server postgresql libcjson-dev libbsd-dev \
xsltproc xmltoman doxygen graphviz bison nmap rpm fakeroot dpkg \
rsync gpgsm wget git libgcrypt20-dev libssl-dev
Python dependencies (for ospd-openvas and notus-scanner):
sudo python3 -m pip install --break-system-packages \
psutil packaging lxml defusedxml paramiko paho-mqtt python-gnupg
Environment variables
Put these in your .bashrc or run them in each session:
export PATH=$PATH:/usr/local/sbin
export INSTALL_PREFIX=/usr/local
export SOURCE_DIR=$HOME/gvm-source
export BUILD_DIR=$HOME/gvm-build
export INSTALL_DIR=/usr/local
mkdir -p $SOURCE_DIR $BUILD_DIR
Fetching the latest versions
Before downloading, look up the current versions on GitHub:
for repo in gvm-libs gvmd pg-gvm openvas-scanner ospd-openvas notus-scanner gsa gsad; do
ver=$(curl -s "https://api.github.com/repos/greenbone/$repo/releases/latest" | grep -Po '"tag_name": "v\K[^"]+')
echo "$repo: $ver"
done
Downloading all the sources
We fetch everything now and compile afterwards:
cd $SOURCE_DIR
# Versions (adjust to the output above)
GVM_LIBS_VERSION=22.10.0
GVMD_VERSION=23.8.1
PG_GVM_VERSION=22.6.5
OPENVAS_SCANNER_VERSION=23.8.2
OSPD_OPENVAS_VERSION=22.7.1
NOTUS_VERSION=22.6.3
GSA_VERSION=23.2.1
GSAD_VERSION=22.11.0
curl -sSL -o gvm-libs.tar.gz https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz
curl -sSL -o gvmd.tar.gz https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz
curl -sSL -o pg-gvm.tar.gz https://github.com/greenbone/pg-gvm/archive/refs/tags/v$PG_GVM_VERSION.tar.gz
curl -sSL -o openvas-scanner.tar.gz https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz
curl -sSL -o ospd-openvas.tar.gz https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz
curl -sSL -o notus-scanner.tar.gz https://github.com/greenbone/notus-scanner/archive/refs/tags/v$NOTUS_VERSION.tar.gz
curl -sSL -o gsa.tar.gz https://github.com/greenbone/gsa/archive/refs/tags/v$GSA_VERSION.tar.gz
curl -sSL -o gsad.tar.gz https://github.com/greenbone/gsad/archive/refs/tags/v$GSAD_VERSION.tar.gz
# Extraction
for f in *.tar.gz; do tar xzf "$f"; done
Compilation
Same logic for all the C modules: cmake, make, install.
gvm-libs (common base)
cd $BUILD_DIR && mkdir -p gvm-libs && cd gvm-libs
cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX
make -j$(nproc)
sudo make install
sudo ldconfig
openvas-scanner
cd $BUILD_DIR && mkdir -p openvas-scanner && cd openvas-scanner
cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX
make -j$(nproc)
sudo make install
pg-gvm (PostgreSQL extension)
cd $BUILD_DIR && mkdir -p pg-gvm && cd pg-gvm
cmake $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX
make -j$(nproc)
sudo make install
gvmd (manager)
cd $BUILD_DIR && mkdir -p gvmd && cd gvmd
cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX
make -j$(nproc)
sudo make install
gsad (web daemon)
cd $BUILD_DIR && mkdir -p gsad && cd gsad
cmake $SOURCE_DIR/gsad-$GSAD_VERSION \
-DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX
make -j$(nproc)
sudo make install
Python modules (ospd-openvas, notus-scanner)
cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION
sudo python3 -m pip install --break-system-packages .
cd $SOURCE_DIR/notus-scanner-$NOTUS_VERSION
sudo python3 -m pip install --break-system-packages .
Web interface (GSA)
cd $SOURCE_DIR/gsa-$GSA_VERSION
sudo cp -r dist/* /usr/local/share/gvm/gsad/web/
Redis configuration
sudo cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sudo tee /etc/redis/redis-openvas.conf > /dev/null << 'EOF'
port 0
unixsocket /run/redis-openvas/redis.sock
unixsocketperm 770
timeout 0
databases 16
maxclients 4096
EOF
sudo mkdir -p /run/redis-openvas
sudo chown redis:gvm /run/redis-openvas
sudo chmod 750 /run/redis-openvas
systemd service for Redis:
sudo tee /etc/systemd/system/redis-openvas.service > /dev/null << 'EOF'
[Unit]
Description=Redis pour OpenVAS
After=network.target
[Service]
Type=simple
User=redis
Group=gvm
ExecStart=/usr/bin/redis-server /etc/redis/redis-openvas.conf
RuntimeDirectory=redis-openvas
RuntimeDirectoryMode=0750
[Install]
WantedBy=multi-user.target
EOF
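This Redis instance has no password, so the socket permissions and the absence of a TCP listener are its only access control. The check below is an added example, not part of the original tutorial or of Greenbone's tooling; the function name check_redis_openvas_conf and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Greenbone code): lint a Redis config used by OpenVAS.
# Prints one finding per line and returns the number of findings.
check_redis_openvas_conf() {
    local conf port sock perm n key val
    conf="$1"; port=""; sock=""; perm=""; n=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 99; }

    # Directives are "keyword value" lines; a later line overrides an earlier one.
    while read -r key val _ || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            port)           port=$val ;;
            unixsocket)     sock=$val ;;
            unixsocketperm) perm=$val ;;
        esac
    done < "$conf"

    # Unless the port is 0, Redis also listens on TCP (6379 by default).
    if [ "$port" != 0 ]; then
        echo "TCP listener on (port=${port:-unset}); set 'port 0'"
        n=$((n + 1))
    fi
    if [ -z "$sock" ]; then
        echo "no unixsocket directive; openvas.conf db_address needs one"
        n=$((n + 1))
    fi
    # The last octal digit is the access granted to users outside the group.
    case "$perm" in
        '')       echo "unixsocketperm unset; socket mode follows the umask"
                  n=$((n + 1)) ;;
        *[!0-7]*) echo "unixsocketperm '$perm' is not octal"
                  n=$((n + 1)) ;;
        *[1-7])   echo "unixsocketperm $perm grants access outside the group"
                  n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: no 'port 0', socket open to every local user.
sample=$(mktemp)
printf '%s\n' 'unixsocket /run/redis-openvas/redis.sock' \
              'unixsocketperm 777' > "$sample"
check_redis_openvas_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against /etc/redis/redis-openvas.conf before enabling the service; a return value of 0 means no findings.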
PostgreSQL configuration
sudo -u postgres createuser -DRS gvm
sudo -u postgres createdb -O gvm gvmd
sudo -u postgres psql gvmd -c "CREATE EXTENSION \"pg-gvm\";"
Creating the directories
sudo mkdir -p /var/lib/gvm/{scap-data,cert-data,data-objects,gvmd}
sudo mkdir -p /var/lib/notus
sudo mkdir -p /var/lib/openvas/plugins
sudo mkdir -p /var/log/gvm
sudo mkdir -p /run/gvmd /run/ospd
sudo chown -R gvm:gvm /var/lib/gvm /var/lib/notus /var/lib/openvas /var/log/gvm /run/gvmd /run/ospd
sudo chmod -R 775 /var/lib/gvm /var/lib/notus /var/lib/openvas
openvas configuration
sudo tee /etc/openvas/openvas.conf > /dev/null << 'EOF'
db_address = /run/redis-openvas/redis.sock
EOF
systemd services
We create all the services at once:
# ospd-openvas
sudo tee /etc/systemd/system/ospd-openvas.service > /dev/null << 'EOF'
[Unit]
Description=OSPd OpenVAS
After=redis-openvas.service
Requires=redis-openvas.service
[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=ospd
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --foreground --pid-file /run/ospd/ospd-openvas.pid --unix-socket /run/ospd/ospd-openvas.sock --log-file /var/log/gvm/ospd-openvas.log
[Install]
WantedBy=multi-user.target
EOF
# notus-scanner
sudo tee /etc/systemd/system/notus-scanner.service > /dev/null << 'EOF'
[Unit]
Description=Notus Scanner
After=ospd-openvas.service
[Service]
Type=exec
User=gvm
Group=gvm
ExecStart=/usr/local/bin/notus-scanner --foreground --products-directory /var/lib/notus/products --log-file /var/log/gvm/notus-scanner.log
[Install]
WantedBy=multi-user.target
EOF
# gvmd
sudo tee /etc/systemd/system/gvmd.service > /dev/null << 'EOF'
[Unit]
Description=Greenbone Vulnerability Manager
After=postgresql.service ospd-openvas.service
Requires=postgresql.service ospd-openvas.service
[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=gvmd
ExecStart=/usr/local/sbin/gvmd --foreground --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm
[Install]
WantedBy=multi-user.target
EOF
# gsad
sudo tee /etc/systemd/system/gsad.service > /dev/null << 'EOF'
[Unit]
Description=Greenbone Security Assistant
After=gvmd.service
Requires=gvmd.service
[Service]
Type=exec
User=gvm
Group=gvm
ExecStart=/usr/local/sbin/gsad --foreground --drop-privileges=gvm
[Install]
WantedBy=multi-user.target
EOF
Feed synchronization
First sync (it takes a while, ~15-30 min):
sudo -u gvm greenbone-feed-sync
Creating the admin
sudo -u gvm gvmd --create-user=admin --password=admin
Change this password right after the first login.
Startup
sudo systemctl daemon-reload
sudo systemctl enable --now redis-openvas ospd-openvas notus-scanner gvmd gsad
Test
Go to https://your-server:9392 and log in with admin/admin.
If it doesn't work, check the logs:
sudo tail -f /var/log/gvm/*.log
sudo journalctl -u gvmd -u gsad -u ospd-openvas -f
Updating the feeds
Schedule it as a daily cron job:
sudo crontab -u gvm -e
# Add:
0 3 * * * /usr/local/bin/greenbone-feed-sync