├── LICENSE
├── README.md
└── install.sh


/LICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# gvm-install-script

An *unofficial* script to install GVM (alias OpenVAS) on Debian 10 and Ubuntu 20.04.

This script installs GVM, alias OpenVAS. It is not made for Docker, but for VMs and bare-metal deployments. It does not configure any of the components, nor the system, to be secure or production ready.
Most Linux distributions come with their own GVM packages, which might be more stable and elegant to deploy. This script is for anyone who wants to install GVM from git.

## Usage

Set the following environment variables as needed.

- `GVM_INSTALL_PREFIX`: Path to the gvm user directory. (default = */var/opt/gvm*)
- `GVM_VERSION`: GVM version to install. (one of [stable,oldstable,main]; default = *stable*)
- `GVM_ADMIN_PWD`: Initial admin password. (default = *admin*)

```bash
$ ./install.sh
```

## Requirements

- base installation of one of
  - debian 10
  - ubuntu 20.04
- internet access
- shell (SSH) on the target system
- *sudo* installed
- user with *sudo* permissions
- at least 16GB disk storage
- at least 4GB of memory
- at least 2 CPU cores / vCPUs

## Credits

I have made this script based on a blog post from *sadsloth* ([link](https://sadsloth.net/post/install-gvm11-src-on-debian/)) - **big thanks** -, as well as the installation guidelines found in the various repositories from [greenbone](https://github.com/greenbone).

--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# This is free and unencumbered software released into the public domain.
#
# Anyone is free to copy, modify, publish, use, compile, sell, or
# distribute this software, either in source code form or as a compiled
# binary, for any purpose, commercial or non-commercial, and by any
# means.
#
# In jurisdictions that recognize copyright laws, the author or authors
# of this software dedicate any and all copyright interest in the
# software to the public domain. We make this dedication for the benefit
# of the public at large and to the detriment of our heirs and
# successors. We intend this dedication to be an overt act of
# relinquishment in perpetuity of all present and future rights to this
# software under copyright law.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# For more information, please refer to

set -eE
sudo bash -c "echo 'User $USER is sudo enabled.'"

export DEBIAN_FRONTEND=noninteractive
export AS_ROOT="sudo bash -c"
export AS_GVM="sudo -u gvm bash -c"
export PROMPT="$(basename $0)"

function log() {
    local TIME=$(date +"%T")
    case $1 in
        -i)
            echo -en "\033[0;32m[INFO ]\033[0m"
            shift
            ;;
        -w)
            echo -en "\033[0;33m[WARN ]\033[0m"
            shift
            ;;
        -e)
            echo -en "\033[0;31m[ERROR]\033[0m"
            shift
            ;;
    esac
    local ROUTINE=''
    if [ -n "${FUNCNAME[1]}" ]; then
        ROUTINE="->${FUNCNAME[1]}"
    fi
    echo " ${TIME} ${PROMPT}${ROUTINE}:: $*"
}

function require() {
    local error=0
    for v in $*; do
        if [ -z "${!v}" ]; then
            log -e Env. $v is not set!
            error=1
        fi
    done
    return $error
}

function exec_as() {
    local user="$1"
    local fn="$2"
    shift; shift
    local env=()
    for e in $@; do
        env+=( "$e=${!e}" )
    done
    sudo "${env[@]}" -u "$user" bash -c "$(declare -f $fn); $fn"
}

function print_help() {
    echo 'GVM install script'
    echo ''
    echo 'Configuration is done via environment variables as seen below.'
    echo ''
    echo 'Usage: ./install.sh [OPTIONS]'
    echo ''
    echo 'OPTIONS:'
    echo ' -h | --help : Display this message'
    echo ''
    echo 'ENVIRONMENT:'
    echo ''
    echo ' GVM_INSTALL_PREFIX : Path to the gvm user directory. (default = /var/opt/gvm)'
    echo ' GVM_VERSION : GVM version to install.'
    echo ' GVM_ADMIN_PWD : Initial admin password. (default = admin)'
    echo ' GVM_GSAD_OPTS : Options to pass into gsad service, refer to "gsad --help". (eg. SSL certificate)'
    echo ''
}

trap "log -e 'Installation failed!'" ERR

for arg in $@; do
    case $arg in
        -h | --help | *)
            print_help
            exit 1
            ;;
    esac
done

### ARGUMENTS ###

export GVM_INSTALL_PREFIX="${GVM_INSTALL_PREFIX:-/var/opt/gvm}"
export GVM_VERSION="${GVM_VERSION:-stable}"
export GVM_ADMIN_PWD="${GVM_ADMIN_PWD:-admin}"

require GVM_INSTALL_PREFIX
require GVM_VERSION
require GVM_ADMIN_PWD

### INSTALL ###

$AS_ROOT "systemctl stop gvmd.service gsad.service ospd-openvas.service || true"

function update_system() {
    set -e
    export DEBIAN_FRONTEND=noninteractive
    apt update
    apt upgrade -yq
    apt dist-upgrade -yq
    apt autoremove -yq
}

function install_deps() {
    set -e
    export DEBIAN_FRONTEND=noninteractive
    apt install -yq \
        bison cmake curl doxygen fakeroot gcc g++ \
        gcc-mingw-w64 gettext git gnupg gnutls-bin \
        graphviz heimdal-dev libgcrypt20-dev libglib2.0-dev \
        libgnutls28-dev libgpgme-dev libhiredis-dev \
        libical-dev libksba-dev libldap2-dev libmicrohttpd-dev \
        libpcap-dev libpopt-dev libradcli-dev libsnmp-dev \
        libsqlite3-dev libssh-gcrypt-dev libxml2-dev nmap nodejs npm \
        nsis perl-base pkg-config postgresql postgresql-contrib \
        postgresql-server-dev-all python3-defusedxml python3-lxml \
        python3-paramiko python3-pip python3-psutil python3-setuptools \
        python3-polib python3-dev redis redis-server rpm rsync smbclient \
        snmp socat software-properties-common sshpass \
        texlive-fonts-recommended texlive-latex-extra uuid-dev \
        vim virtualenv wget xmltoman xml-twig-tools xsltproc libnet1-dev libunistring-dev
    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
    echo 'deb https://dl.yarnpkg.com/debian/ stable main' \
        | tee /etc/apt/sources.list.d/yarn.list
    apt update
    apt install -yq yarn
}

log -i "Update system"
exec_as root update_system
log -i "Install dependencies"
exec_as root install_deps

function setup_user() {
    set -e
    if [[ "$(id gvm 2>&1 | grep -o 'no such user')" == "no such user" ]]; then
        useradd -c "GVM/OpenVAS user" -d "$GVM_INSTALL_PREFIX" -m -s /bin/bash -U -G redis gvm
    else
        usermod -c "GVM/OpenVAS user" -d "$GVM_INSTALL_PREFIX" -m -s /bin/bash -aG redis gvm
    fi
    echo "export PATH=\"\$PATH:$GVM_INSTALL_PREFIX/bin:$GVM_INSTALL_PREFIX/sbin:$GVM_INSTALL_PREFIX/.local/bin\"" \
        | tee /etc/profile.d/gvm.sh
    chmod 755 /etc/profile.d/gvm.sh
    . /etc/profile.d/gvm.sh
    cat << EOF > /etc/ld.so.conf.d/gvm.conf
$GVM_INSTALL_PREFIX/lib
EOF
}

log -i "Setup user"
exec_as root setup_user GVM_INSTALL_PREFIX

function system_tweaks() {
    set -e
    sysctl -w net.core.somaxconn=1024
    sysctl vm.overcommit_memory=1
    if [ -z "$(grep -o 'net.core.somaxconn' /etc/sysctl.conf)" ]; then
        echo 'net.core.somaxconn=1024' >> /etc/sysctl.conf
    fi
    if [ -z "$(grep -o 'vm.overcommit_memory' /etc/sysctl.conf)" ]; then
        echo 'vm.overcommit_memory=1' >> /etc/sysctl.conf
    fi
    cat << EOF > /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable --now disable-thp
}

log -i "System tweaks"
exec_as root system_tweaks

log -i "Clone GVM sources"
export PKG_CONFIG_PATH=$GVM_INSTALL_PREFIX/lib/pkgconfig:$PKG_CONFIG_PATH
$AS_GVM "mkdir -p ~/src"

function clone_sources() {
    set -e
    cd ~/src
    git clone -b "$GVM_VERSION" https://github.com/greenbone/gvm-libs.git \
        || (cd gvm-libs; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
    git clone -b "$GVM_VERSION" https://github.com/greenbone/openvas.git \
        || (cd openvas; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
    git clone -b "$GVM_VERSION" https://github.com/greenbone/gvmd.git \
        || (cd gvmd; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
    git clone -b main --single-branch https://github.com/greenbone/openvas-smb.git \
        || (cd openvas-smb; git pull; cd ..)
    git clone -b "$GVM_VERSION" https://github.com/greenbone/gsa.git \
        || (cd gsa; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
    git clone -b "$GVM_VERSION" https://github.com/greenbone/ospd-openvas.git \
        || (cd ospd-openvas; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
    git clone -b "$GVM_VERSION" https://github.com/greenbone/ospd.git \
        || (cd ospd; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
    git clone -b "$GVM_VERSION" https://github.com/greenbone/gsad.git \
        || (cd gsad; git pull --all; git checkout "$GVM_VERSION"; git pull; cd ..)
}

exec_as gvm clone_sources GVM_VERSION

function install_gvm_libs() {
    set -e
    export PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
    cd ~/src/gvm-libs
    mkdir -p build
    cd build
    rm -rf *
    cmake -DCMAKE_INSTALL_PREFIX="$GVM_INSTALL_PREFIX" \
        -DLOCALSTATEDIR="$GVM_INSTALL_PREFIX/var" -DSYSCONFDIR="$GVM_INSTALL_PREFIX/etc" ..
    make -j$(nproc)
    # requires /run/gvm directory
    make install
}

function install_openvas_smb() {
    set -e
    export PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
    cd ~/src/openvas-smb
    mkdir -p build
    cd build
    rm -rf *
    cmake -DCMAKE_INSTALL_PREFIX="$GVM_INSTALL_PREFIX" ..
    make -j$(nproc)
    make install
}

function install_openvas() {
    set -e
    export PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
    cd ~/src/openvas
    mkdir -p build
    cd build
    rm -rf *
    cmake -DCMAKE_INSTALL_PREFIX="$GVM_INSTALL_PREFIX" \
        -DLOCALSTATEDIR="$GVM_INSTALL_PREFIX/var" -DSYSCONFDIR="$GVM_INSTALL_PREFIX/etc" ..
    make -j$(nproc)
    make install
}

$AS_ROOT "mkdir -p -m 750 /run/gvm /run/gsad /run/ospd /run/gvmd"
$AS_ROOT "chown -R gvm. /run/gvm /run/gsad /run/ospd /run/gvmd"
log -i "Install gvm-libs"
exec_as gvm install_gvm_libs PKG_CONFIG_PATH GVM_INSTALL_PREFIX
log -i "Install openvas-smb"
exec_as gvm install_openvas_smb PKG_CONFIG_PATH GVM_INSTALL_PREFIX
log -i "Install openvas"
exec_as gvm install_openvas PKG_CONFIG_PATH GVM_INSTALL_PREFIX
$AS_ROOT ldconfig

function config_redis() {
    set -e
    cp -f /etc/redis/redis.conf /etc/redis/redis.conf.orig
    cp -f "$GVM_INSTALL_PREFIX/src/openvas/config/redis-openvas.conf" /etc/redis/
    chown redis:redis /etc/redis/redis-openvas.conf
    echo 'db_address = /run/redis-openvas/redis.sock' > "$GVM_INSTALL_PREFIX/etc/openvas/openvas.conf"
    chown gvm:gvm "$GVM_INSTALL_PREFIX/etc/openvas/openvas.conf"
    systemctl enable --now redis-server@openvas.service
}

log -i "Configure redis"
exec_as root config_redis GVM_INSTALL_PREFIX

function edit_sudoers() {
    set -e
    # Double quotes so the prefix expands, -F so it is matched literally;
    # otherwise secure_path is appended to again on every run.
    if [[ "$(grep -oF "$GVM_INSTALL_PREFIX/sbin" /etc/sudoers || true)" == "" ]]; then
        sed -e "s|\(Defaults\s*secure_path.*\)\"|\1:$GVM_INSTALL_PREFIX/sbin\"|" -i /etc/sudoers
    fi
    echo "gvm ALL = NOPASSWD: $GVM_INSTALL_PREFIX/sbin/openvas" > /etc/sudoers.d/gvm
    echo "gvm ALL = NOPASSWD: $GVM_INSTALL_PREFIX/sbin/gsad" >> /etc/sudoers.d/gvm
    chmod 440 /etc/sudoers.d/gvm
}

log -i "Edit sudoers"
exec_as root edit_sudoers GVM_INSTALL_PREFIX

function install_gvmd() {
    set -e
    export PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
    cd ~/src/gvmd
    mkdir -p build
    cd build
    rm -rf *
    cmake -DCMAKE_INSTALL_PREFIX="$GVM_INSTALL_PREFIX" -DSYSTEMD_SERVICE_DIR="$GVM_INSTALL_PREFIX" \
        -DLOCALSTATEDIR="$GVM_INSTALL_PREFIX/var" -DSYSCONFDIR="$GVM_INSTALL_PREFIX/etc" ..
    make -j$(nproc)
    make install
}

log -i "Install gvmd"
exec_as gvm install_gvmd PKG_CONFIG_PATH GVM_INSTALL_PREFIX

function setup_postgres() {
    set -e
    psql postgres -tAc "SELECT 1 FROM pg_roles WHERE rolname='gvm'" | grep -q 1 \
        || createuser -DRS gvm
    psql -lqt | cut -d '|' -f 1 | grep -qw gvmd \
        || createdb -O gvm gvmd
    psql gvmd -c 'create role dba with superuser noinherit;' \
        2>&1 | grep -e 'already exists' -e 'CREATE ROLE'
    psql gvmd -c 'grant dba to gvm;'
    psql gvmd -c 'create extension "uuid-ossp";' \
        2>&1 | grep -e 'already exists' -e 'CREATE EXTENSION'
    psql gvmd -c 'create extension "pgcrypto";' \
        2>&1 | grep -e 'already exists' -e 'CREATE EXTENSION'
}

log -i "Setup postgresql"
exec_as postgres setup_postgres

function setup_gvmd() {
    set -e
    . /etc/profile.d/gvm.sh
    gvmd --migrate
    gvm-manage-certs -af
    gvmd --get-users | grep admin || gvmd --create-user=admin --password="$GVM_ADMIN_PWD"
    # set feed owner
    local admin_id="$(gvmd --get-users --verbose | grep admin | cut -d ' ' -f2 | tr -d '\n')"
    gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value "$admin_id"
}

log -i "Setup gvmd"
exec_as gvm setup_gvmd GVM_ADMIN_PWD

function install_gsa() {
    set -e
    export PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
    cd ~/src/gsad
    mkdir -p build
    cd build
    rm -rf *
    cmake -DCMAKE_INSTALL_PREFIX="$GVM_INSTALL_PREFIX" -DSYSTEMD_SERVICE_DIR="$GVM_INSTALL_PREFIX" \
        -DLOCALSTATEDIR="$GVM_INSTALL_PREFIX/var" -DSYSCONFDIR="$GVM_INSTALL_PREFIX/etc" ..
    make -j$(nproc)
    make install
    cd ~/src/gsa
    rm -rf build
    yarn
    yarn build
    mkdir -p $GVM_INSTALL_PREFIX/share/gvm/gsad/web/
    cp -r build/* $GVM_INSTALL_PREFIX/share/gvm/gsad/web/
    touch "$GVM_INSTALL_PREFIX/var/log/gvm/gsad.log"
}

log -i "Install gsa"
exec_as gvm install_gsa PKG_CONFIG_PATH GVM_INSTALL_PREFIX

function install_ospd_openvas() {
    set -e
    export PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
    cd ~/src
    if [ ! -d "$GVM_INSTALL_PREFIX/bin/ospd-scanner/" ]; then
        virtualenv --python python3 "$GVM_INSTALL_PREFIX/bin/ospd-scanner/"
    fi
    . "$GVM_INSTALL_PREFIX/bin/ospd-scanner/bin/activate"
    python3 -m pip install --upgrade pip
    cd ospd
    pip3 install .
    cd ../ospd-openvas/
    pip3 install .
}

log -i "Install ospd-openvas"
exec_as gvm install_ospd_openvas PKG_CONFIG_PATH GVM_INSTALL_PREFIX

function create_gvmd_service() {
    set -e
    cat << EOF > /etc/systemd/system/gvmd.service
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvmd(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=postgresql.service ospd-openvas.service network.target networking.service
[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/run/gvmd/gvmd.pid
RuntimeDirectory=gvmd
RuntimeDirectoryMode=2775
EnvironmentFile=$GVM_INSTALL_PREFIX/etc/default/gvmd
ExecStart=$GVM_INSTALL_PREFIX/sbin/gvmd --osp-vt-update=/run/ospd/ospd-openvas.sock -c /run/gvmd/gvmd.sock --listen-group=gvm
Restart=always
TimeoutStopSec=10
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable --now gvmd.service
    systemctl --no-pager status gvmd.service
}

function create_gsad_service() {
    set -e
    cat << EOF > /etc/systemd/system/gsad.service
[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
[Service]
Type=forking
PIDFile=/run/gsad/gsad.pid
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
ExecStart=$GVM_INSTALL_PREFIX/sbin/gsad --drop-privileges=gvm --munix-socket=/run/gvmd/gvmd.sock $GVM_GSAD_OPTS
Restart=always
TimeoutStopSec=10
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable --now gsad.service
    systemctl --no-pager status gsad.service
}

function create_openvas_service() {
    set -e
    cat << EOF > $GVM_INSTALL_PREFIX/etc/ospd-openvas.conf
[OSPD - openvas]
log_level = INFO
socket_mode = 0o770
unix_socket = /run/ospd/ospd-openvas.sock
pid_file = /run/ospd/ospd-openvas.pid
log_file = $GVM_INSTALL_PREFIX/var/log/gvm/ospd-openvas.log
lock_file_dir = $GVM_INSTALL_PREFIX/var/lib/openvas
EOF
    cat << EOF > /etc/systemd/system/ospd-openvas.service
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target networking.service redis-server@openvas.service
Wants=redis-server@openvas.service
[Service]
Environment=PATH=$GVM_INSTALL_PREFIX/bin/ospd-scanner/bin:$GVM_INSTALL_PREFIX/bin:$GVM_INSTALL_PREFIX/sbin:$GVM_INSTALL_PREFIX/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=$GVM_INSTALL_PREFIX/bin/ospd-scanner/bin/ospd-openvas --config $GVM_INSTALL_PREFIX/etc/ospd-openvas.conf
Restart=always
RestartSec=60
SuccessExitStatus=SIGKILL
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable --now ospd-openvas.service
    systemctl --no-pager status ospd-openvas.service
}

log -i "Create GVM services"
exec_as root create_openvas_service GVM_INSTALL_PREFIX
exec_as root create_gvmd_service GVM_INSTALL_PREFIX
exec_as root create_gsad_service GVM_INSTALL_PREFIX GVM_GSAD_OPTS

function set_default_scanner() {
    set -e
    . /etc/profile.d/gvm.sh
    local id="$(gvmd --get-scanners | grep -i openvas | cut -d ' ' -f1 | tr -d '\n')"
    gvmd --modify-scanner="$id" --scanner-host="/run/ospd/ospd-openvas.sock"
}

log -i "Set OpenVAS default scanner"
exec_as gvm set_default_scanner GVM_INSTALL_PREFIX

function create_feed_update_service() {
    set -e
    cat << EOF > "$GVM_INSTALL_PREFIX/bin/gvm-update-feed.sh"
#!/bin/bash
. /etc/profile.d/gvm.sh
echo "SYNC NVTs ..."
greenbone-nvt-sync
sleep 120
echo "SYNC GVMD DATA ..."
greenbone-feed-sync --type GVMD_DATA
sleep 120
echo "SYNC SCAP DATA ..."
#greenbone-feed-sync --type SCAP
greenbone-scapdata-sync
sleep 120
echo "SYNC CERT DATA ..."
#greenbone-feed-sync --type CERT
greenbone-certdata-sync
EOF
    chown gvm:gvm "$GVM_INSTALL_PREFIX/bin/gvm-update-feed.sh"
    chmod 755 "$GVM_INSTALL_PREFIX/bin/gvm-update-feed.sh"

    cat << EOF > /etc/systemd/system/gvm-feed-update.service
[Unit]
Description=GVM feed update

[Service]
Type=simple
User=gvm
Group=gvm
ExecStart=$GVM_INSTALL_PREFIX/bin/gvm-update-feed.sh
Restart=on-failure
RestartSec=30sec
EOF

    cat << EOF > /etc/systemd/system/gvm-feed-update.timer
[Unit]
Description=GVM feed update timer

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target
EOF
    systemctl daemon-reload
    systemctl enable --now gvm-feed-update.timer
}

log -i "Create weekly feed update service"
exec_as root create_feed_update_service GVM_INSTALL_PREFIX

function kickoff_feed_sync() {
    systemctl start gvm-feed-update.service
}

log -i "Start initial feed sync"
exec_as root kickoff_feed_sync

log -i "GVM installation completed"
log -i "Plugin feeds are synced in background. This might take a while ..."
log -i "Please reboot the machine as soon as possible."

--------------------------------------------------------------------------------
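
Added example (not part of this repository): install.sh only checks that its three variables are non-empty, so the shell function below validates their values before the installer is run. The names gvm_preflight and MIN_PWD_LEN and the 12-character minimum are assumptions.

```shell
#!/bin/bash
# Added example, not part of the repository: validate install.sh's inputs
# before running it. gvm_preflight and MIN_PWD_LEN are assumed names/policy.

MIN_PWD_LEN=12   # assumption: site password policy, not a GVM requirement

# gvm_preflight PREFIX VERSION ADMIN_PWD
# Prints one finding per line; returns 0 only when nothing was found.
gvm_preflight() {
    local prefix="$1" version="$2" pwd_value="$3"
    local LC_ALL=C          # make the bracket ranges below byte-exact
    local findings=0 prefix_ok=1

    # install.sh (as root) substitutes the prefix into a sed expression that
    # edits /etc/sudoers (delimiter '|'), into /etc/sudoers.d/gvm and into
    # systemd unit files. Accept only a plain absolute path.
    case "$prefix" in /*) ;; *) prefix_ok=0 ;; esac
    case "$prefix" in *[!A-Za-z0-9._/-]*|*..*) prefix_ok=0 ;; esac
    if [ "$prefix_ok" -eq 0 ]; then
        echo "GVM_INSTALL_PREFIX: need an absolute path of [A-Za-z0-9._/-] without '..'"
        findings=$((findings + 1))
    fi

    # The value is passed to 'git clone -b' for most of the repositories.
    case "$version" in
        stable|oldstable|main) ;;
        *)
            echo "GVM_VERSION: expected stable, oldstable or main"
            findings=$((findings + 1))
            ;;
    esac

    # install.sh falls back to the password 'admin' when the variable is unset.
    if [ "$pwd_value" = "admin" ]; then
        echo "GVM_ADMIN_PWD: still the default 'admin'"
        findings=$((findings + 1))
    elif [ "${#pwd_value}" -lt "$MIN_PWD_LEN" ]; then
        echo "GVM_ADMIN_PWD: shorter than $MIN_PWD_LEN characters"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage with the same defaults install.sh applies:
#   gvm_preflight "${GVM_INSTALL_PREFIX:-/var/opt/gvm}" \
#       "${GVM_VERSION:-stable}" "${GVM_ADMIN_PWD:-admin}" && ./install.sh
```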