OpenVAS on Ubuntu 18.04: what's the correct way?

Hi All,
I’m trying to get a working installation of OpenVAS on Ubuntu 18.04.
At this time, I can’t get it to work.

I have tried installing the OpenVAS from the official Ubuntu repository (apt-get install openvas), but it fails during the service activation.

Then I searched on the web, and I found many resources that suggest adding another repository “add-apt-repository ppa:mrazavi/openvas” and then installing it with “apt install openvas9”.

So the first question is: which one is the correct way to install OpenVAS in Ubuntu 18.04?

Thanks

Install it from the source! Most packages have security issues (run as root) or set insecure passwords or cryptography.

Hi,

In general we (Greenbone) don’t give advice about preferring any Linux distribution or package repository. Some are updated more often, some use different settings, some are more stable. Thus the rating depends on your personal choice and experiences.

Currently the ppa:mrazavi/openvas repo seems to be more up to date than the main repo for 18.04.

1 Like

Just to better understand, usually the advantage in using Linux distributions and their official repositories is related to the security offered by the vendor managing its repositories.
So, if I use Red Hat Enterprise Linux, it’s suggested to update system packages with its official repository.

In this case, you are suggesting that I compile OpenVAS from the source, avoiding the official Ubuntu repository because it’s insecure.

Can you explain to me why an OpenVAS installation should be insecure if installed from Ubuntu repositories?
Who is in charge of OpenVAS package maintenance on the Ubuntu repository?

Thanks

Sorry for the confusion. We are not giving this advice. In the past some TLS cert and other security issues have been imposed to Greenbone which we weren’t responsible for nor able to change.

Greenbone just advises to use the Greenbone Community Edition. If you are using any other 3rd party package there might be some pitfalls and misconfigurations for which we are not in charge.

2 Likes

Thanks for your clarification.

Hi Magnum,

My experience with OpenVAS for 2 years now on Ubuntu is that you should consider the ppa from mrazavi. This is the most up to date set of built packages for your distro. The only drawback of this ppa is that currently it’s locked to 7.0.3, while OpenVAS 9 is available in 7.0.4.

Compiling the sources will quickly become a nightmare given the number of dependencies and the lack of documentation regarding proper installation on Ubuntu. I have tried, and while I finally succeeded, it wasn’t an easy job. So unless you like to play with source packages, stick to the deb packages available.

That’s my advice as an experienced user of OpenVAS on Ubuntu.

Best,

Hi Magnum,

Please be aware that mrazavi is setting default passwords and running the GUI on Port 4000. Both are not seen as good and secure code of practice.

If you take security seriously, I would stay away from this ppa.

2 Likes

The problem is there is no official OpenVAS repository for Ubuntu. To get the deb, you need to use the non-official repository of mrazavi, which as explained below is not up to date and not very secure.

Having said that, on Ubuntu 18.04, if you want to compile the sources of OpenVAS, then you will need to install the following packages first:

sudo apt-get install libmicrohttpd-dev libxml2-dev libxslt1-dev cmake pkg-config libglib2.0-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev xmltoman doxygen clang-format graphviz libpthread-stubs0-dev libpthread-workqueue-dev libpthread-workqueue0 locales-all libjson-perl gettext libmicrohttpd-dev libxml2-dev python-polib python-impacket gcc pkg-config libssh-gcrypt-dev libgnutls28-dev libglib2.0-dev libpcap-dev bison libksba-dev libgcrypt20-dev python-netsnmp heimdal-dev heimdal-multidev libpopt-dev libpopt0 gcc-mingw* libsqlite3-dev libpq-dev sqlite3 sqlfairy xsltproc libgd-graph-perl redis-server icu-devtools libicu-dev libmicrohttpd-dev python3-dev gnutls-bin libical-dev git libldap2-dev libsnmp-dev

Then:
sudo apt-get install libical2 libical2-dev libmicrohttpd12 libgpgme-dev libevent-core-1.4-2 libevent-core-2.1-6 libevent-pthreads-2.1-6

On top of this, if you plan to use PostgreSQL as the main database, you need to install:
sudo apt-get install postgresql postgresql-doc postgresql-server-dev-all

For gvm-tools you will need to do:
apt-get install python3-pip
pip3 install setuptools wheel
pip3 install gvm-tools

Then you can compile the OpenVAS packages from sources. This applies to the latest stable release (7.0.4) only. Also make sure you have enough free space and a good internet connection, as the above commands will download and install dozens of other packages not in the list…!

3 Likes

Why isn’t running gsad on port 4000 a security best practice?

All ports above 1023 are available to ANY user in the system and any user can listen on them. Only privileged ports <= 1023 are seen as secure because they are only system-service accessible.

Well, in that case that means you need to run gsad as root. Which is against all basic security best practices (and btw not recommended as discussed in this post: Running openvas as a non privileged user?).

Sounds like an insecure configuration to me.

Check the available gsad --help parameters, which allow running such a setup in a secure way:

  --drop-privileges=<user>                       Drop privileges to <user>.
  --do-chroot

2 Likes
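
Added example (not part of the thread, and not code from Greenbone or the PPA): the point above about ports above 1023 being bindable by any local user can be checked on a host by listing the listeners on those ports together with the socket owner's uid. The sample table, uid 115 and the `expected_uids` allow-list are constructed assumptions, and only IPv4 (`/proc/net/tcp`) is parsed.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from a real host).
# uid 115 stands in for a hypothetical dedicated service account.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000   115        0 20002
   2: 0100007F:24AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0100007F:0FA0 0100007F:C350 01 00000000:00000000 00:00000000 00000000   115        0 20004
"""

TCP_LISTEN = "0A"       # socket state code for LISTEN
PRIVILEGED_MAX = 1023   # ports up to here need root or CAP_NET_BIND_SERVICE

def parse_listeners(text):
    """Return addr/port/uid for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue                            # short line or not listening
        addr_hex, port_hex = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order
        # (little-endian on x86); the port is plain hex.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.append({"addr": addr, "port": int(port_hex, 16),
                          "uid": int(fields[7])})
    return listeners

def audit(text, expected_uids=frozenset()):
    """List listeners on ports that any local user could have bound."""
    findings = []
    for sock in parse_listeners(text):
        if sock["port"] <= PRIVILEGED_MAX:
            continue
        exposed = not sock["addr"].startswith("127.")   # reachable off-host
        known = sock["uid"] in expected_uids            # owner on allow-list
        findings.append((sock["port"], sock["addr"], sock["uid"], exposed, known))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, uid, exposed, known in audit(SAMPLE, expected_uids={115}):
        print(f"{addr}:{port} uid={uid} "
              f"{'network-reachable' if exposed else 'loopback-only'} "
              f"{'expected owner' if known else 'owner not on allow-list'}")
```

On a live Linux host, pass the contents of `/proc/net/tcp` to `audit()` instead of `SAMPLE`.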

Thanks cfi, I never noticed these options. In that case I understand the secure setup. I’ll give it a try!
And regarding openvasmd, what’s the solution if you need to run it as a slave? By default it runs on port 9390. Are there similar options? I haven’t seen that.

1 Like

For sensors you will use Sockets :wink: You just need to tunnel the sockets between master & sensor !

I’m testing gsad in this setup but I have an issue with chrooting. Dropping privileges works as expected, but chrooting immediately fails:

** (process:5966): ERROR (recursed) **: Can not open ‘gsad.log’ logfile: Permission denied
Aborted (core dumped)

So obviously gsad cannot access its logfile; but: gsad user has a home directory set to /var/run/gsad, fully writeable, and I can’t find any logfiles there, while it should be able to create one.

Currently this directory is empty. If gsad is chrooted in it, I suppose it should have all its files inside this directory? But then how do you manage connection with openvasmd socket which is necessarily outside of it?

stracing the program shows that gsad is trying to chroot itself under /usr/local/share/openvas/gsa.

chroot("/usr/local/share/openvas/gsa") = 0

This obviously cannot work as the openvasmd socket is not available from that place. I can’t find any option to specify chroot directory to gsad. Specifying it in the /etc/passwd as anyone would expect this to be has no effect :frowning: