My experience installing and running greenbone comunity edition

Hello everyone,

I wanted to share my experience as a fist time user of greenbone openvas/gsm. I downloaded the iso image and created a VM in virtualbox as the instructions clearly stated. So far so good.

  1. Once the installation and the two reboots completed successfully, I used the admin credentials to login, to what apparently is a bunch of options running the dialog shell command. Interesting, I used dialog when I was a kid, many decades ago, so it was funny to see it again after so many years.

  2. The instructions claimed to let it run for a while, so that background processes may download the required files. This clearly did not work. I let it sit for 30 minutes and the VM console filled with errors… weird.

  3. Since nothing was being downloaded, the “Greenbone OS” (apparently based on Debian) didn’t have internet access but had received an IP address via DHCP. Every OS that I know, receives all the required details via DHCP but this “Greenbone OS” could not. I had to use the dialog interface to manually set the DNS and gateway… weird.

  4. Now that the VM had full internet access was still not downloading anything. It appeared to try to open various TCP connections. Time to get root privileges and look inside. Wow… someone truly wanted to stop root access, since its hidden away under layers of garbage options and rather silly messages “Use this only if our support told you to do so…” wtf. I had to navigate to Advanced → Support → Superuser (really? superuser? this is Linux, its called root), then enable the “superuser” (!!) and eventually nothing happens. Then I had to enable sshd under Network → Services… still no go, ssh does not allow root login, so I have to ssh as my admin account, then navigate again to Advanced → Support → Shell → click “Continue” on the box and drop to a shell, which requires su to get to root.

  5. After 15 min, I am root and looked at the logs, the daemons and found out some errors like:
    gsm gsad main[478]: MHD: Error: received handshake message out of context

  6. Clearly the download process failed. Looking around I found the cron process:
    /etc/cron.daily/70-gsm-feed-sync
    which executes the service:
    system start gsm-feed.update

  7. At this point I discovered that the whole download procedure is based on rsync. A rather outdated method, I would expect something equivalent to dnf/rpm “delta” feature, that would avoid rsync’s excessive file-by-file tests and the data would be properly gpg signed and protected.

  8. I let the feed procedure run and monitored its progress via /var/log/full.log, once it was finished I logged in via the web interface to start using this thing.

  9. So how was the scan you ask? It clearly does not scan. I used the wizard, typed a local IP address and the scan ends immediately with an empty report with zero results.

Summary of my experience so far

  1. Quite a lot of work to get a pre-configured appliance to work, when most of the above steps should be automated.

  2. Overall it was horrible to end up without any results, a waste of my time.

I would appreciate your thoughts and suggestions :slight_smile:

1 Like

Thanks for testing the GCE and writing down your experiences. Personally I am feeling a bit offended by the tone of some of your comments. Would have been really nice if your report had been less aggressive. It’s difficult being motivated to help if someone puts down your work.

I am sorry you ran into several issues and you didn’t got the system you’d expected. Maybe you should have used the Greenbone Source Edition and build you GVM by yourself on a distribution of your personal choice. The GCE is mostly intended for normal users without much administration knowledge on Linux.

I am not going to comment on each point you have listed. Please keep in mind that our technical decisions have some background and might seem odd in you view but we have to support several different use cases that can be much different then yours.

Please still feel free to ask for help to fix you specific issues with the GCE or to get some background information about the used technologies. I am glad to help!

Regards
Björn

7 Likes

First of all, apologies for my tone of voice, it was not intended to offend, but to be honest. Maybe a mix of disappointment and plain tiredness took the best of me.

I’ll give it a go one more time, now that I have some experience about the custom features.

Please ignore my rudeness and instead keep an open mind about my suggestions, like the delta feature of package management.

FWIW, as a sys admin with quite a bit of experience, I also found it difficult to quickly access troubleshooting tools I normally use when the VM did not work properly. But I understand the effort to make Kali more end-user friendly.

I also found a problem with installing and then getting empty results. I found that issuing an openvasmd --rebuild command fixed the problem once the sync was done. Hope this helps.

Just want to make clear Greenbone isn’t involved in packaging for any distribution beside GOS. The Kali packagers are using our Source Edition. Thus setup, configuration and administration may be very different with Kali.

This should only be necessary if the feed sync didn’t work, hasn’t finished or is aborted. The first feed sync really will take some time.

@bricks, thank you very much. Both of your comments are very helpful.

  • Would it be appropriate to post in the Kali community? I think their intentions are good, but they miss the mark a little bit.
  • Is there a way in the console to monitor the progress of the feed sync?
    Thanks

What do you mean exactly? Of course you can create post in their forum. Also you can always link to topics here. But I am not aware of any Greenbone dev who is involved in the Kali community. So I don’t think that anybody from Greenbone will post at their forums.

I would never ever claim something different.

The status of the feed sync can be monitored via journalctl -f in the shell.

1 Like

Perhaps I misunderstood you. Did you say that the GCE package is maintained by the Kali people? If we have feedback regarding how locked down the GCE is currently, where is the best place to give some feedback?

Also, you are very knowledgeable, so maybe you can help with another question - is the Kali Greenbone package created from GSE?

No, no. I’ve said Greenbone only develops and provides the Greenbone OS (GOS) packages which are used in the Greenbone Community Edition (GCE). Greenbone isn’t involved in any packages besides for GOS. Other distributions like Kali take our Source Edition (the source releases of the GVM components) and build packages on their own.

The GCE is looked down with intention. It is a virtual machine for testing and trying out our software. For professional usage, support and more features you should buy a Greenbone product. Be it virtual of physical.

This forum is the best place for feedback and questions.

1 Like

Understood. All is clear; thank you.

Hi,

Firstly, thanks for the efforts in building & maintaining this tool.

I’d like to emphasise that I also found the lack of scanning results quite confusing and it was only after reading through lots of posts that I realised that scans won’t work until the SecInfo Dashboard shows data. I knew that the community feed would be required, but that clearly showed as up to date.

I think you should add something to the Scans Dashboard that explains that scans won’t work until the SecInfo download is complete. Even better would be something that prevents you from starting a scan until the download is complete.

The real issue with the way it works now, is that for people who are not familiar with the product, their first experience is that it “doesn’t work”. This is frustrating and could cost Greenbone customers down the track (assuming most people try the open source version prior to considering an upgrade).

Regards,

Antony

Hi,

I see that someone else documented their experiences of GCE previously

but i thought I’d also share some feedback

firstly i’m not a unix / linux guy but having been in the industry on the other windows side and having been doing this for 25 years or so, have some sort of tech background enough to put an iso in virutal box to be able to spin up a vm particularly one designed as an out of the box setup solution…

so here goes with my observations

VM install went OK according to the steps i carried out / followed. I was helped by the previous poster who noted that you had to log in and set DNS. This i agree for a next next next install seems strange ?

Getting started… I am using this in a virtual box setup as a pen testing tool on VM’s I’ve downloaded from the web and hosted on the same box with host only routing so that they are isolated. However to get GCE to work you need to have internet access which means that you need to have a network card for host only ( for the target vm) and one for feeds etc (NAT or bridged ) The GCE setup does not play well with this and it needs some investigation etc.

Feeds. I’ve posted a couple of questions on feeds as there is nothing in the web application that gives you visual feedback or update options to test connection to feeds etc. This is one of the most critical things and it’s very hard for a plug and play user to diagnose statuses. ?

Target pinging ? It would be most helpful to be able to ping the target before scanning to confirm that there is routing. The two nics in the VM issue makes this difficult to diagnose

Scanner services - I’m running a VM with 4 GB RAM ( the accepted min ) and I had many failed scans with the could not connect to scanner service type errors, There are multiple instances of this error on the forum. I have found that this might be a timing issue. It has taken 10 - 15 minutes with this configuration before the VM has got settled with services running. I can use the open vas scanner testing option in the web app and it will report service unavailable but if left for 10 minutes or so will then become available. ???

info - it might be helpful to have more info in the web app or vm screen that you do not need to have to log in to get ?

Incorrect setup - On login you get the incorrect / incomplete setup. This seems to relate to not having a paid subscription ? If this is he case please make the message read that. It is confusing that this might relate to feed setups as these do take a long time to run.

anyway… my 2 cents worth as a noob .

I seem to now have scans running ( according to the web app ) so fingers crossed !!!

In case you’re wondering I got here as i had used this on Kali linux in the 2019 versions before it changed and was removed / broken etc and decided to use the VM instead.

Hope this helps some other strugglers !!

B…

Old post but where I landed today.

this is much easier

And you can use podman instead of docker if you’re on RHEL/Rocky/AlmaLinux.

( it appears I can’t respond to DeeAnn as the thread is closed so editing here to say that while I’m sure a lot has changed in 4 yrs the initial “try-it-out” end user experience doesn’t appear to have: the effort reqd to get this CE edition up and running is beyond anything I can think of off-hand - it is unreasonable. Had I not found the immauss alternative I would have stuck with using an off-the-shelf VM with pre installation or possibly Parrot OS which appears to have a repo with a workable install. Compare the Nessus setup process - a few steps and a few minutes to working compared to OpenVAS CE’s War & Peace and no result. )

1 Like

Hi @bgb and welcome to the forum :slight_smile:

Yep, this is a really old thread (from 2019) and quite a few things have changed since then so please feel free to take a look around (and I’m going to close the thread because it was originally in the wrong category and really outdated).

2 Likes