Here you go folks. I have been working on this for a few days now. We’re a CentOS shop, and I have not come across any full CentOS-related build documents for GVM source code. I hope to make this a trend.
Disclaimers:
- I am a systems administrator, not a programmer. There’s probably some better ways to fix things up.
- The following is based on a fresh install of CentOS 8.1.1911, “minimal” install.
- I am going to just use whatever formatting the forum does to my document. If it’s not pretty, my apologies. But it should be functional.
- Clearly, there’s Ubuntu/Debian assumptions in the source code I had to work around. But the few workarounds are NOT difficult.
- Much of this guide was based on previously-published guides out there for Ubuntu and Debian. My thanks to the authors, LOTS of good stuff that’s there is also HERE.
- I welcome feedback or corrections if needed. Thanks all!
On to the recipe:
Set up python 3
AS ROOT:
yum install python3
Use alternatives to make python3 the default:
alternatives --config python
There are 2 programs which provide 'python'.
Selection    Command
1    /usr/libexec/no-python
2    /usr/bin/python3   <====== ** make sure to choose this one and hit ENTER **
Enter to keep the current selection[+], or type selection number: 2
Enable EPEL Repository:
AS ROOT:
yum install epel-release
ENABLE Centos-Powertools repository
AS ROOT:
yum config-manager --set-enabled PowerTools
Install Centos Development tools (includes gcc and a whole bunch of stuff for compiling and building things)
AS ROOT:
yum groupinstall -y "development tools"
Install required centos packages (most come from Centos-Base, a few come from EPEL and Centos-PowerTools)
AS ROOT:
yum install -y cmake glib2-devel zlib-devel gnutls-devel libuuid-devel libssh-devel libxml2-devel libgcrypt-devel openldap-devel popt-devel redis libical-devel openssl-devel hiredis-devel radcli-devel gpgme-devel libksba-devel doxygen libpcap-devel nodejs python3-polib libmicrohttpd-devel gnutls-utils python3-devel libpq-devel texinfo xmltoman nmap sshpass socat mingw32-gcc ncurses-devel
(*) It’s probable you can try mingw64-gcc instead of mingw32-gcc, I did not try this.
Install postgres database server
AS ROOT:
yum install -y postgresql-server postgresql-contrib postgresql-server-devel
/usr/bin/postgresql-setup --initdb
systemctl enable postgresql
systemctl start postgresql
Configure postgres database
(not secure; configuring this with a password is on my to-do list…)
AS ROOT:
sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
create extension "pgcrypto";
\q
exit
systemctl restart postgresql
Add gvm libraries to systemwide setup:
AS ROOT:
echo "/opt/gvm/lib" > /etc/ld.so.conf.d/gvm.conf
ldconfig
Add the non-privileged GVM user and create the directory structure where everything will go
AS ROOT:
useradd -r -d /opt/gvm -c "GVM (OpenVAS) User" -s /bin/bash gvm
mkdir /opt/gvm
mkdir /opt/gvm/src
chown -R gvm:gvm /opt/gvm
Add the gvm bin and sbin directories to PATH in /etc/profile
AS ROOT:
vim /etc/profile
Add these lines (near the bottom, just before pathmunge is undefined):
pathmunge /opt/gvm/bin after
pathmunge /opt/gvm/sbin after
- This is my preferred way, you can also edit /etc/environment and include ALL paths there…
Fetch the gvm packages: (GVM-11 stable as of 5/20/2020)
AS GVM USER:
cd /opt/gvm/src
wget -O gvm-libs-11.0.1.tar.gz https://github.com/greenbone/gvm-libs/archive/v11.0.1.tar.gz
wget -O openvas-7.0.1.tar.gz https://github.com/greenbone/openvas/archive/v7.0.1.tar.gz
wget -O ospd-2.0.1.tar.gz https://github.com/greenbone/ospd/archive/v2.0.1.tar.gz
wget -O ospd-openvas-1.0.1.tar.gz https://github.com/greenbone/ospd-openvas/archive/v1.0.1.tar.gz
wget -O gvmd-9.0.1.tar.gz https://github.com/greenbone/gvmd/archive/v9.0.1.tar.gz
wget -O gsa-9.0.1.tar.gz https://github.com/greenbone/gsa/archive/v9.0.1.tar.gz
wget -O openvas-smb-1.0.5.tar.gz https://github.com/greenbone/openvas-smb/archive/v1.0.5.tar.gz
Decompress the source files
cd /opt/gvm/src
find . -name '*.gz' -exec tar xvfz {} \;
Now build each package:
gvm-libs
AS GVM
cd /opt/gvm/src
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig
cd gvm-libs-11.0.1
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make doc
make install
openvas-smb prerequisite: Heimdal:
The heimdal-devel package available for CentOS 7/8 from EPEL is NOT pkgconfig-aware (which is annoying), so it will not work with openvas-smb. Instead, we need to build and install Heimdal from source.
(NOTES: There is an issue with otp support, so it needs to be disabled. For some reason --disable-otp does not work but --enable-otp=no does.)
(The includedir special location is set up to match what the gvm code expects. I believe it’s a Debian-specific layout that differs from the usual default.)
AS ROOT
cd /usr/local/src
wget https://github.com/heimdal/heimdal/releases/download/heimdal-7.7.0/heimdal-7.7.0.tar.gz
tar xvfz heimdal-7.7.0.tar.gz
cd heimdal-7.7.0
./configure --enable-otp=no --prefix=/opt/heimdal
make
make install
The openvas-smb code expects the include files in (includedir)/heimdal/… I have not found a way to both build heimdal AND have openvas-smb successfully find the header files, so my solution is a soft link as follows:
AS ROOT
ln -s /opt/heimdal/include /opt/heimdal/include/heimdal
Add heimdal libraries to systemwide setup:
AS ROOT
echo "/opt/heimdal/lib" > /etc/ld.so.conf.d/heimdal.conf
ldconfig
openvas-smb
(Note: PKG_CONFIG_PATH now adds where the heimdal goodies are too)
AS GVM
cd /opt/gvm/src
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig:/opt/heimdal/lib/pkgconfig
cd openvas-smb-1.0.5
mkdir build
cd build/
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make install
scanner
AS GVM
Without the following edit, you will hit this error while compiling openvas: …error: ‘pcap_lookupdev’ is deprecated: use ‘pcap_findalldevs’…
Edit the CMakeLists.txt file, replace the line as shown below, then rerun the build:
vim /opt/gvm/src/openvas-7.0.1/CMakeLists.txt
Comment out this line and add the line following it instead:
#set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}")
set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations")
cd /opt/gvm/src
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig
cd openvas-7.0.1
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make doc
make install
Set up redis using the config file distributed with openvas
AS ROOT:
cp /etc/redis.conf /etc/redis.conf.orig
cp /opt/gvm/src/openvas-7.0.1/config/redis-openvas.conf /etc/redis.conf
chown redis /etc/redis.conf
Edit /etc/redis.conf and change the unixsocket location to /tmp/redis.sock.
The two unix socket lines should look like this:
unixsocket /tmp/redis.sock
unixsocketperm 770
Configure openvas to match how redis under centos works:
AS GVM
echo "db_address = /tmp/redis.sock" > /opt/gvm/etc/openvas/openvas.conf
AS ROOT
systemctl enable redis
systemctl start redis
Disable transparent huge pages:
AS ROOT:
cat << EOF > /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start disable-thp
systemctl enable disable-thp
Add gvm to the redis group (also restart redis)
AS ROOT:
usermod -aG redis gvm
systemctl restart redis
Add these lines to the /etc/sudoers via “visudo” AS ROOT
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/gvm/sbin"
#Allow the user running ospd-openvas, to launch openvas with root permissions
gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas
gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad
Add a few more system tuning bits:
AS ROOT:
echo "net.core.somaxconn = 1024" >> /etc/sysctl.conf
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
sysctl -p
ldconfig
Synchronize nvt data
AS USER GVM (always)
greenbone-nvt-sync
<< refill your cup of coffee >>
CHECK:
find /opt/gvm/var/lib/openvas/plugins | wc -l
You should see somewhere in the neighborhood of 60,000+ as the file count
Update the vt info
AS GVM
openvas --update-vt-info
Let’s continue building:
gvmd
The CentOS postgresql-server-devel package puts its include files in /usr/include rather than /usr/include/postgresql, which is where the code expects them. We can either hack the code or just add a soft link; I prefer the link as it’s easier:
AS ROOT:
ln -s /usr/include /usr/include/postgresql
(the code wants "postgresql/libpq-fe.h")
AS GVM:
For centos, “libpq” is required but is unfortunately not included in the cmake setup. We need to add it:
(alternate: I think you can do this with an environment variable too…)
add -lpq in /opt/gvm/src/gvmd-9.0.1/CMakeLists.txt
change this:
set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -D_BSD_SOURCE -D_ISOC99_SOURCE -D_SVID_SOURCE -D_DEFAULT_SOURCE -D_FILE_OFFSET_BITS=64")
to this:
set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -lpq -D_BSD_SOURCE -D_ISOC99_SOURCE -D_SVID_SOURCE -D_DEFAULT_SOURCE -D_FILE_OFFSET_BITS=64")
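Added example (not from the original post, and not Greenbone's code): the three hand edits in this recipe, the openvas CMakeLists.txt change for the pcap_lookupdev deprecation error, the gvmd CMakeLists.txt -lpq change above, and the redis unixsocket change, can be applied with awk and checked afterwards instead of being done in vim. Function names, the work-directory layout and the sample file contents below are constructed stand-ins of my own, so the script can be tried on a scratch directory first; on the real box point the three patch functions at /opt/gvm/src/openvas-7.0.1/CMakeLists.txt, /opt/gvm/src/gvmd-9.0.1/CMakeLists.txt and /etc/redis.conf as the user that owns each file.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the guide's three
# hand edits (openvas CMakeLists.txt, gvmd CMakeLists.txt, redis.conf)
# with awk and verify the result. The directory layout and sample file
# contents are constructed stand-ins, not the real source trees.

# Comment out the COVERAGE_FLAGS debug line and add the guide's replacement
# beneath it. If the replacement is already present, change nothing.
patch_openvas_cmake() {
    f="$1"
    if grep -q 'Wno-error=deprecated-declarations' "$f"; then return 0; fi
    awk '
        index($0, "set (CMAKE_C_FLAGS_DEBUG") == 1 && index($0, "${COVERAGE_FLAGS}") {
            print "#" $0
            print "set (CMAKE_C_FLAGS_DEBUG \"${CMAKE_C_FLAGS_DEBUG} -Werror -Wno-error=deprecated-declarations\")"
            next
        }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Add -lpq right after -Wall on the CMAKE_C_FLAGS line so libpq is linked.
patch_gvmd_cmake() {
    f="$1"
    if grep -q -- '-Wall -lpq' "$f"; then return 0; fi
    awk '
        index($0, "set (CMAKE_C_FLAGS \"") == 1 { sub(/-Wall /, "-Wall -lpq ") }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Point redis at /tmp/redis.sock with the guide's socket permissions,
# whatever values the distributed redis-openvas.conf carried.
set_redis_socket() {
    f="$1"
    awk '
        $1 == "unixsocket"     { print "unixsocket /tmp/redis.sock"; next }
        $1 == "unixsocketperm" { print "unixsocketperm 770"; next }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed samples: one line of context plus the line each edit targets.
write_samples() {
    d="$1"
    mkdir -p "$d/openvas" "$d/gvmd"
    cat > "$d/openvas/CMakeLists.txt" <<'EOF'
cmake_minimum_required (VERSION 3.0)
set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${COVERAGE_FLAGS}")
EOF
    cat > "$d/gvmd/CMakeLists.txt" <<'EOF'
cmake_minimum_required (VERSION 3.0)
set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -D_BSD_SOURCE -D_ISOC99_SOURCE -D_SVID_SOURCE -D_DEFAULT_SOURCE -D_FILE_OFFSET_BITS=64")
EOF
    cat > "$d/redis.conf" <<'EOF'
port 0
unixsocket /var/run/redis/redis.sock
unixsocketperm 700
EOF
}

# Apply all three edits under the sample layout.
apply_all() {
    patch_openvas_cmake "$1/openvas/CMakeLists.txt"
    patch_gvmd_cmake "$1/gvmd/CMakeLists.txt"
    set_redis_socket "$1/redis.conf"
}

# Return 0 only when every edit shows up exactly as the guide expects.
verify_all() {
    grep -q '^#set (CMAKE_C_FLAGS_DEBUG' "$1/openvas/CMakeLists.txt" &&
    grep -q 'Wno-error=deprecated-declarations' "$1/openvas/CMakeLists.txt" &&
    grep -q -- '-Wall -lpq -D_BSD_SOURCE' "$1/gvmd/CMakeLists.txt" &&
    grep -q '^unixsocket /tmp/redis.sock$' "$1/redis.conf" &&
    grep -q '^unixsocketperm 770$' "$1/redis.conf"
}
```

Each patch function refuses to apply its edit twice, so rerunning the recipe after a failed build does not stack a second -lpq or a second replacement line; verify_all is the check to run before kicking off cmake again.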
(Note the complicated cmake below: we have to be very specific to educate cmake where all the postgres goodies are)
cd /opt/gvm/src
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig
cd gvmd-9.0.1
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm/ -DPostgreSQL_TYPE_INCLUDE_DIR=/usr/include/pgsql/server -DPostgreSQL_INCLUDE_DIR=/usr/include/pgsql/server -DPostgreSQL_LIBRARY=/usr/lib64/pgsql
make
make doc
make install
Install yarn, a prerequisite for building gsa
AS ROOT
npm install -g yarn
gsa
AS GVM
cd /opt/gvm/src
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig
cd gsa-9.0.1
mkdir build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
make
make doc
make install
AS GVM
greenbone-scapdata-sync
greenbone-certdata-sync
gvm-manage-certs -a
ospd and ospd-openvas are actually python packages. We need to set up our python packages directory:
AS GVM
mkdir -p /opt/gvm/lib/python3.6/site-packages
Build and Install OSPd and OSPd-OpenVAS
AS GVM
cd /opt/gvm/src
export PYTHONPATH=/opt/gvm/lib/python3.6/site-packages
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig
cd ospd-2.0.1
python3 setup.py install --prefix=/opt/gvm
cd /opt/gvm/src
export PYTHONPATH=/opt/gvm/lib/python3.6/site-packages
export PKG_CONFIG_PATH=/opt/gvm/lib/pkgconfig
cd ospd-openvas-1.0.1
python3 setup.py install --prefix=/opt/gvm
Add the systemd service units:
AS ROOT
cat << EOF > /etc/systemd/system/ospd.service
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=postgresql.service
[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.6/site-packages
Type=simple
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket /opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-openvas.log --lock-file-dir /opt/gvm/var/run
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/gvmd.service
[Unit]
Description=Job that runs the gvm daemon
Documentation=man:gvm
After=ospd.service
[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
ExecStartPre=/bin/sleep 60
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/gsad.service
[Unit]
Description=Job that runs the gsa daemon
Documentation=man:gsa
After=postgresql.service
[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --listen=0.0.0.0
[Install]
WantedBy=multi-user.target
EOF
Get stuff installed so PDF reports actually work
AS ROOT
yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec
mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
cd /usr/share/texlive/texmf-local/tex/latex/comment
wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
chmod 644 comment.sty
texhash
ADD THESE CRON JOBS AS GVM (change the times to fit your preference)
0 21 * * * /opt/gvm/bin/greenbone-nvt-sync
0 22 * * * /opt/gvm/sbin/greenbone-certdata-sync
0 23 * * * /opt/gvm/sbin/greenbone-scapdata-sync
Enable services:
AS ROOT:
systemctl daemon-reload
systemctl enable ospd
systemctl enable gvmd
systemctl enable gsad
Start Services:
AS ROOT:
systemctl start ospd
systemctl start gvmd
systemctl start gsad
Check the logs in /opt/gvm/var/log/gvm, especially gvmd.log; wait until everything has finished updating the first time before proceeding. It will take a few minutes.
AS GVM: modify the default scanner with the new socket location (use the UUID that’s actually shown on your system; the one below is from my install)
THIS IS AN EXAMPLE:
gvmd --get-scanners
08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /tmp/ospd.sock 0 OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE
gvmd --modify-scanner=08b69003-5fc2-4037-a479-93b440211c73 --scanner-host=/opt/gvm/var/run/ospd.sock
Scanner modified.
gvmd --verify-scanner=08b69003-5fc2-4037-a479-93b440211c73
Scanner version: OpenVAS 7.0.1.
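Added example (not from the original post): the UUID above is specific to the author's install, so a small wrapper that reads the OpenVAS scanner's UUID out of gvmd --get-scanners, rather than pasting it by hand, avoids modifying the wrong row (or the CVE scanner) if your list differs. The function names, the GVMD override variable and the sample output are this example's own; the sample lines are constructed from the output shown above, and the fake gvmd used to exercise it only echoes the two replies the author saw.

```shell
#!/bin/sh
# Added example, not part of the original post. Parse "gvmd --get-scanners"
# for the single OpenVAS scanner and re-point it at the ospd socket the
# systemd unit uses. GVMD is overridable so the logic can be exercised
# without a real gvmd; in production leave it unset and run as the gvm user.
GVMD="${GVMD:-gvmd}"

# Constructed sample of what the guide's box printed for --get-scanners.
SAMPLE_SCANNERS='08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /tmp/ospd.sock  0  OpenVAS Default
6acd0832-df90-11e4-b9d5-28d24461215b  CVE  0  CVE'

# Read --get-scanners output on stdin and print the UUID of the scanner whose
# type column is OpenVAS. Fail (exit 1, print nothing) unless there is exactly
# one, so a second OpenVAS scanner never gets silently picked.
openvas_scanner_uuid() {
    awk '
        $2 == "OpenVAS" && $1 ~ /^[0-9a-f-]*$/ && length($1) == 36 { ids[n++] = $1 }
        END {
            if (n != 1) exit 1
            print ids[0]
        }
    '
}

# Modify the default OpenVAS scanner to use the given socket path, then verify
# it the way the guide does. Returns non-zero if any step fails.
relocate_openvas_scanner() {
    sock="$1"
    uuid=$("$GVMD" --get-scanners | openvas_scanner_uuid) || {
        echo "expected exactly one OpenVAS scanner in gvmd --get-scanners output" >&2
        return 1
    }
    "$GVMD" --modify-scanner="$uuid" --scanner-host="$sock" || return 1
    "$GVMD" --verify-scanner="$uuid"
}
```

Usage on the real box, as the gvm user: relocate_openvas_scanner /opt/gvm/var/run/ospd.sock. The verify step at the end is what confirms gvmd can actually reach ospd-openvas over the new socket; if it fails, check the ospd unit and the socket path before creating users.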
Create a user for the user interface:
AS GVM:
gvmd --create-user admin
gvmd --user=admin --new-password=
Ready to go: access the UI via: https://node.name.here
(you will likely need to open up the server’s firewall…)