ロード・オブ・ザ・ホワイトハッカー

ホワイトハッカーはじめました

KaliにOpenVAS ⇒ GVMをセットアップ

GVMについて

GVM(Greenbone-Vulnerability-Manager)は、かつてはOpenVASと呼ばれていた。Openと名が付くらいなので、オープンソース脆弱性スキャナー。

 

ライセンスは、GNU Affero General Public License v3.0 or later.と、良く分かりませんが、IPAが解説してくれています。

www.ipa.go.jp

 

GVMのセットアップ

0.Kaliのアップデート

apt update

いきなりGVMをインストールしようとしたら、apt updateをせよ、と怒られた。

f:id:chikuwamaruX:20210722205741p:plain

 

1.インストールの実行

apt install -y gvm

gvm-setup

ダウンロードに時間がかかる。年代別のCVE情報を取得している?

f:id:chikuwamaruX:20210722221656p:plain

この後、adminユーザーが作成され、パスワードが表示されるので、メモするらしい。

 

2.サービス確認

gvm-start

ブラウザが自動起動して、https://127.0.0.1:9392/ へアクセス 

本来なら、これでセットアップ完了するようです。しかし、エラーが出てブラウザ起動しない。

 

サービスが起動しなかった対処

gvm-startコマンドを実行しても、以下のメッセージが表示され、ブラウザが自動起動しない。

Job for gvmd.service failed because a timeout was exceeded.
See "systemctl status gvmd.service" and "journalctl -xe" for details.

これぞ、オープンソースの醍醐味。

 

 sudo gvm-check-setup

を叩くと、セットアップの状況を教えてくれる。

gvm-check-setup 21.4.1
Test completeness and readiness of GVM-21.4.1
Step 1: Checking OpenVAS (Scanner)...
OK: OpenVAS Scanner is present in version 21.4.1.
OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
OK: _gvm owns all files in /var/lib/openvas/gnupg
OK: redis-server is present.
OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: _gvm owns all files in /var/lib/openvas/plugins
OK: NVT collection in /var/lib/openvas/plugins contains 75056 NVTs.
Checking that the obsolete redis database has been removed
OK: No old Redis DB
OK: ospd-OpenVAS is present in version 21.4.1.
Step 2: Checking GVMD Manager ...
OK: GVM Manager (gvmd) is present in version 21.4.2.
Step 3: Checking Certificates ...
OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
ERROR: The Postgresql DB does not exist.
FIX: Run 'sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database'

ERROR: Your GVM-21.4.1 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

  Postresqlのエラーらしく、コマンドを叩けと、とのことなので、コピペして実行。

sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database
CREATE ROLE
GRANT ROLE
CREATE EXTENSION
CREATE EXTENSION

 

再度、gvm-check-setupを叩くと、今度はユーザーを作成しろと。

gvm-check-setup 21.4.1
Test completeness and readiness of GVM-21.4.1
Step 1: Checking OpenVAS (Scanner)...
OK: OpenVAS Scanner is present in version 21.4.1.
OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
OK: _gvm owns all files in /var/lib/openvas/gnupg
OK: redis-server is present.
OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: _gvm owns all files in /var/lib/openvas/plugins
OK: NVT collection in /var/lib/openvas/plugins contains 75056 NVTs.
Checking that the obsolete redis database has been removed
OK: No old Redis DB
OK: ospd-OpenVAS is present in version 21.4.1.
Step 2: Checking GVMD Manager ...
OK: GVM Manager (gvmd) is present in version 21.4.2.
Step 3: Checking Certificates ...
OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
gvmd | _gvm | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
ERROR: No users found. You need to create at least one user to log in.
FIX: create a user by running 'sudo runuser -u _gvm -- gvmd --create-user=<name> --password=<password>'

ERROR: Your GVM-21.4.1 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

 

コピペして実行して、またまた gvm-check-setupを叩くと、意味不明なエラーが。

gvm-check-setup 21.4.1
Test completeness and readiness of GVM-21.4.1
Step 1: Checking OpenVAS (Scanner)...
OK: OpenVAS Scanner is present in version 21.4.1.
OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
OK: _gvm owns all files in /var/lib/openvas/gnupg
OK: redis-server is present.
OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: _gvm owns all files in /var/lib/openvas/plugins
OK: NVT collection in /var/lib/openvas/plugins contains 75056 NVTs.
Checking that the obsolete redis database has been removed
OK: No old Redis DB
OK: ospd-OpenVAS is present in version 21.4.1.
Step 2: Checking GVMD Manager ...
OK: GVM Manager (gvmd) is present in version 21.4.2.
Step 3: Checking Certificates ...
OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ...
OK: SCAP data found in /var/lib/gvm/scap-data.
OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ...
OK: Postgresql version and default port are OK.
gvmd | _gvm | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
OK: At least one user exists.
Step 6: Checking Greenbone Security Assistant (GSA) ...
Oops, secure memory pool already initialized
ERROR: Greenbone Security Assistant too old or too new: 21.4.1~dev1
FIX: Please install Greenbone Security Assistant >= 21.04.

ERROR: Your GVM-21.4.1 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

なんだか、gvm-check-setupのバグらしく、エラーを無視して、gvm-startを叩けば、無事にサービスが起動して、ブラウザが起動。

f:id:chikuwamaruX:20210723102706p:plain

 

更新

gvm-feed-update

 このコマンドにより、脆弱性情報が更新される。