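About GVM
GVM (Greenbone Vulnerability Manager) was formerly called OpenVAS. As the "Open" in the name suggests, it is an open-source vulnerability scanner.
The license is GNU Affero General Public License v3.0 or later. I don't really understand it, but IPA provides an explanation of it.
Setting up GVM
0. Update Kali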
apt update
When I tried to install GVM straight away, it complained that I should run apt update first.
1. Run the installation
apt install -y gvm
gvm-setup
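The download takes a while. Is it fetching CVE data year by year?
After this, an admin user is created and its password is displayed, so apparently you are supposed to write it down.
2. Check the service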
gvm-start
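The browser launches automatically and opens https://127.0.0.1:9392/
Normally, setup would be complete at this point. However, I got an error and the browser did not launch.
Dealing with the service failing to start
Even after running the gvm-start command, the following message is displayed and the browser does not launch automatically.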
Job for gvmd.service failed because a timeout was exceeded.
See "systemctl status gvmd.service" and "journalctl -xe" for details.
This is the real charm of open source.
sudo gvm-check-setup
Running the command above reports the state of the setup.
gvm-check-setup 21.4.1
Test completeness and readiness of GVM-21.4.1
Step 1: Checking OpenVAS (Scanner)...
OK: OpenVAS Scanner is present in version 21.4.1.
OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
OK: _gvm owns all files in /var/lib/openvas/gnupg
OK: redis-server is present.
OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: _gvm owns all files in /var/lib/openvas/plugins
OK: NVT collection in /var/lib/openvas/plugins contains 75056 NVTs.
Checking that the obsolete redis database has been removed
OK: No old Redis DB
OK: ospd-OpenVAS is present in version 21.4.1.
Step 2: Checking GVMD Manager ...
OK: GVM Manager (gvmd) is present in version 21.4.2.
Step 3: Checking Certificates ...
OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
ERROR: The Postgresql DB does not exist.
FIX: Run 'sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database'
ERROR: Your GVM-21.4.1 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
It appears to be a PostgreSQL error, and the output says to run a command, so I copied, pasted, and ran it.
sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database
CREATE ROLE
GRANT ROLE
CREATE EXTENSION
CREATE EXTENSION
When I ran gvm-check-setup again, this time it told me to create a user.
gvm-check-setup 21.4.1
Test completeness and readiness of GVM-21.4.1
Step 1: Checking OpenVAS (Scanner)...
OK: OpenVAS Scanner is present in version 21.4.1.
OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
OK: _gvm owns all files in /var/lib/openvas/gnupg
OK: redis-server is present.
OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: _gvm owns all files in /var/lib/openvas/plugins
OK: NVT collection in /var/lib/openvas/plugins contains 75056 NVTs.
Checking that the obsolete redis database has been removed
OK: No old Redis DB
OK: ospd-OpenVAS is present in version 21.4.1.
Step 2: Checking GVMD Manager ...
OK: GVM Manager (gvmd) is present in version 21.4.2.
Step 3: Checking Certificates ...
OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
gvmd | _gvm | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
ERROR: No users found. You need to create at least one user to log in.
FIX: create a user by running 'sudo runuser -u _gvm -- gvmd --create-user=<name> --password=<password>'
ERROR: Your GVM-21.4.1 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
I copied, pasted, and ran it, then ran gvm-check-setup yet again, and got an incomprehensible error.
gvm-check-setup 21.4.1
Test completeness and readiness of GVM-21.4.1
Step 1: Checking OpenVAS (Scanner)...
OK: OpenVAS Scanner is present in version 21.4.1.
OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
OK: _gvm owns all files in /var/lib/openvas/gnupg
OK: redis-server is present.
OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: _gvm owns all files in /var/lib/openvas/plugins
OK: NVT collection in /var/lib/openvas/plugins contains 75056 NVTs.
Checking that the obsolete redis database has been removed
OK: No old Redis DB
OK: ospd-OpenVAS is present in version 21.4.1.
Step 2: Checking GVMD Manager ...
OK: GVM Manager (gvmd) is present in version 21.4.2.
Step 3: Checking Certificates ...
OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
gvmd | _gvm | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
OK: At least one user exists.
Step 6: Checking Greenbone Security Assistant (GSA) ...
Oops, secure memory pool already initialized
ERROR: Greenbone Security Assistant too old or too new: 21.4.1~dev1
FIX: Please install Greenbone Security Assistant >= 21.04.
ERROR: Your GVM-21.4.1 installation is not yet complete!
Please follow the instructions marked with FIX above and run this
script again.
This seems to be a bug in gvm-check-setup; when I ignored the error and ran gvm-start, the services started without trouble and the browser launched.
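The troubleshooting loop above (run gvm-check-setup, read the ERROR and its FIX, apply, repeat) can be shortened by reducing the long output to just the failing step and the suggested fix. The following is an added example, not part of the original post or of GVM itself; the function names summarise_check and sample_output are hypothetical, and the sample transcript is constructed from output lines quoted on this page.

```shell
#!/bin/sh
# Added example: reduce gvm-check-setup output to "step | error | fix" lines.

# Constructed sample, built from the output lines quoted on this page.
sample_output() {
cat <<'EOF'
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
ERROR: The Postgresql DB does not exist.
FIX: Run 'sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database'
ERROR: Your GVM-21.4.1 installation is not yet complete!
EOF
}

# Read check output on stdin and print one line per ERROR that is
# followed by a FIX. The closing "installation is not yet complete"
# ERROR has no FIX after it, so it is dropped from the summary.
summarise_check() {
    awk '
        { sub(/^[ \t]+/, "") }                # tolerate indented output
        /^Step [0-9]+:/ {                     # remember the current step
            step = $0
            sub(/ *\.\.\.$/, "", step)
            next
        }
        /^ERROR:/ { err = substr($0, 8); next }
        /^FIX:/ && err != "" {
            printf "%s | %s | %s\n", step, err, substr($0, 6)
            err = ""
        }
    '
}

# Demo on the constructed sample. On a real system (assumption):
#   sudo gvm-check-setup 2>&1 | summarise_check
sample_output | summarise_check
```

Review the printed FIX command before running it; as the GSA version check above shows, not every reported ERROR reflects a real problem.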
Updating
gvm-feed-update
This command updates the vulnerability information.