Master and slave architecture

Okay, so here you go. Note that in this guide I assume you've set up your postgresql database properly. This is well documented in the gvmd README file.

Please also note that gvmd is only necessary on the master side. You don’t have to run it on the slave side.

First you need to tweak some sysctl configs:

sysctl -w net.core.somaxconn=1024
sysctl -w vm.overcommit_memory=1
echo "net.core.somaxconn=1024" >> /etc/sysctl.conf
echo "vm.overcommit_memory=1" >> /etc/sysctl.conf

Disable THP:

cat << EOF > /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start disable-thp
systemctl enable disable-thp

Then you need to make sure you have EXACTLY the same version installed on both master and slave. Take the latest stable release branch via git:

git clone -b gvm-libs-11.0 https://github.com/greenbone/gvm-libs
git clone -b gvmd-9.0 https://github.com/greenbone/gvmd
git clone https://github.com/greenbone/openvas-smb
git clone -b openvas-7.0 https://github.com/greenbone/openvas-scanner
git clone -b ospd-2.0 https://github.com/greenbone/ospd
git clone -b ospd-openvas-1.0 https://github.com/greenbone/ospd-openvas
git clone -b gsa-9.0 https://github.com/greenbone/gsa

Build & install everything under /opt/gvm as the user gvm on both master & slave; then, on both systems:

Set up the GVM certificates. Attention: you need to set the certificate hostnames properly, otherwise slave authentication may fail.

export GVM_CERTIFICATE_LIFETIME=3600
export GVM_CERTIFICATE_HOSTNAME=yourfqdn.name

Then run gvm-manage-certs -a

Again, do this on both systems.

Now you need to set up the ospd & openvas configuration files:

Create /opt/gvm/etc/openvas/ospd.conf

[OSPD - openvas]
kb_location = /var/run/redis/redis.sock

Create /opt/gvm/etc/openvas/openvas.conf

db_address = /var/run/redis/redis.sock

Open your redis.conf file and make sure the following parameters are present:

unixsocket /var/run/redis/redis.sock
unixsocketperm 775
databases 65535

Make sure the following are commented out:

#save 900 1
#save 300 10
#save 60 10000

Now restart redis and check that it's listening on /var/run/redis/redis.sock, with the right permissions.

Fix openvas permissions so it can run probes needing root privileges:
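The three files above must agree on the redis socket path, and the redis.conf settings are easy to get subtly wrong. The following pre-flight check is an added example, not part of the original post: it reads the ospd.conf, openvas.conf and redis.conf paths given as arguments (the post gives no redis.conf path, so that one is yours to supply) and reports every mismatch before you restart redis.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that
# ospd.conf, openvas.conf and redis.conf agree on the redis socket and that
# redis.conf carries the settings the guide requires. File paths are arguments.

# Print the first value of "key value" or "key = value" in a file.
# The key must be followed by whitespace or '=', so looking up "unixsocket"
# does not pick up the "unixsocketperm" line.
cfg_value() {  # $1 = file, $2 = key
    grep -E "^[[:space:]]*$2([[:space:]]|=)" "$1" 2>/dev/null | head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*$//"
}

# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_gvm_redis() {  # $1 = ospd.conf, $2 = openvas.conf, $3 = redis.conf
    rc=0
    kb=$(cfg_value "$1" kb_location)
    db=$(cfg_value "$2" db_address)
    sock=$(cfg_value "$3" unixsocket)
    perm=$(cfg_value "$3" unixsocketperm)
    dbs=$(cfg_value "$3" databases)
    [ -n "$sock" ] || { echo "redis.conf: no unixsocket directive"; rc=1; }
    [ "$kb" = "$sock" ] || { echo "ospd.conf kb_location '$kb' != redis unixsocket '$sock'"; rc=1; }
    [ "$db" = "$sock" ] || { echo "openvas.conf db_address '$db' != redis unixsocket '$sock'"; rc=1; }
    [ "$perm" = "775" ] || { echo "redis.conf: unixsocketperm should be 775, got '$perm'"; rc=1; }
    [ "${dbs:-0}" -ge 65535 ] 2>/dev/null || { echo "redis.conf: databases should be 65535, got '$dbs'"; rc=1; }
    # An uncommented "save" directive means RDB snapshotting is still enabled.
    if grep -E -q '^[[:space:]]*save[[:space:]]' "$3" 2>/dev/null; then
        echo "redis.conf: active 'save' directive(s) found; comment them out"; rc=1
    fi
    # Informational only: on the live host the socket appears once redis restarts.
    if [ -n "$sock" ] && [ ! -S "$sock" ]; then
        echo "note: $sock does not exist on this host yet"
    fi
    return $rc
}

# Usage: sh check_gvm_redis.sh /opt/gvm/etc/openvas/ospd.conf \
#            /opt/gvm/etc/openvas/openvas.conf /path/to/redis.conf
if [ "$#" -eq 3 ]; then
    check_gvm_redis "$1" "$2" "$3" && echo "all redis/ospd/openvas checks passed"
fi
```

Run it on both master and slave, since ospd-openvas and openvas read these files on each system.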

sudo groupadd pcap
sudo usermod -a -G pcap gvm
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /opt/gvm/bin/wmic
sudo setcap cap_net_raw,cap_net_admin=eip /opt/gvm/bin/winexe
sudo setcap cap_net_raw,cap_net_admin=eip /opt/gvm/bin/openvas-nasl
sudo setcap cap_net_raw,cap_net_admin=eip /opt/gvm/bin/openvas-nasl-lint
sudo setcap cap_net_raw,cap_net_admin=eip /opt/gvm/sbin/openvas
sudo setcap cap_net_raw,cap_net_admin=eip /opt/gvm/bin/ospd-scanner/bin/ospd-openvas

At this point you should be able to start gvmd and set up the scanner on the master. So the following section only applies to the master.

Start gvmd from a terminal:

/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock --inheritor=admin -f

Using the -f flag will help you check that everything is correct. You can remove that flag afterwards. Gvmd will complain that it is not initialized, which is normal. Read on.

Download feed updates:

greenbone-scapdata-sync
greenbone-certdata-sync
greenbone-nvt-sync

Start ospd-openvas wrapper:

/opt/gvm/bin/ospd-scanner/bin/python3.6 /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --log-level DEBUG --lock-file-dir /opt/gvm/var/run/ --config /opt/gvm/etc/openvas/ospd.conf -f

Again, the -f flag will make sure you get all logs in the terminal and will help debugging. Remove it once it's working as expected. Leave it some time to populate the redis database and load all feeds.

Create your local admin user:

gvmd --create-user=admin --password=your_pass --role="Super Admin"

Once ospd-openvas has finished loading, check your gvmd terminal to see if it has connected successfully to ospd.sock and is populating the database correctly. At this point, the database should be initialized properly by gvmd.

Now you can create the local scanner on the master side:

gvmd --create-scanner="Master OPENVAS Scanner" --scanner-type="OpenVas" --scanner-host=/opt/gvm/var/run/ospd.sock

Check with gvmd --verify-scanner=your_scanner_UUID that it's working fine.

At this point, you should have a local GSE up & running. You can run scans via gsad, but only with your local scanner.

Now, on the slave side, you can set up your slave scanner:

Download feed updates:

greenbone-scapdata-sync
greenbone-certdata-sync
greenbone-nvt-sync

/opt/gvm/bin/ospd-scanner/bin/python3.6 /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas-slave.pid -p 9390 -b 0.0.0.0 -k /opt/gvm/var/lib/gvm/private/CA/serverkey.pem -c /opt/gvm/var/lib/gvm/CA/servercert.pem --ca-file /opt/gvm/var/lib/gvm/CA/cacert.pem --log-level DEBUG --lock-file-dir /opt/gvm/var/run/ -l /opt/gvm/var/log/gvm/ospd-openvas-slave.log -f

Wait for it to populate the redis database and finish loading the NVTs. It may take some time. Make sure the slave finishes loading properly.

Now copy the following client certificates from the slave to the master; they will be used for authentication. Copy them to the gvm directory (/opt/gvm) on the master side.

/opt/gvm/var/lib/gvm/CA/cacert.pem
/opt/gvm/var/lib/gvm/private/CA/clientkey.pem
/opt/gvm/var/lib/gvm/CA/clientcert.pem

Now, get back to the master and set up the slave scanner:

gvmd --create-scanner=mySlaveScanner --scanner-type=OpenVas --scanner-port=9390 --scanner-host=your_slave_ip --scanner-ca-pub=/opt/gvm/cacert.pem --scanner-key-priv=/opt/gvm/clientkey.pem --scanner-key-pub=/opt/gvm/clientcert.pem

Make sure you choose the certificates you’ve just copied from the slave, as they will be used to authenticate gvmd against the scanner.

Now check your scanner again with gvmd --verify-scanner; if you did everything correctly you should get the following result: OpenVAS 7.0.1.

and a working slave scanner :slight_smile: