├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── config.yml │ └── issue-report.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── auto-merge.yml │ ├── ci.yaml │ ├── cleanup-ci.yml │ ├── dependency-review.yml │ ├── deployment.yml │ ├── github-pages.yml │ └── sbom-upload.yml ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── poetry.lock ├── pyproject.toml ├── src ├── 22.4 │ ├── container │ │ ├── admin-user.md │ │ ├── docker-compose.yml │ │ ├── gvmd-not-responding.png │ │ ├── hardware.md │ │ ├── index.md │ │ ├── introduction.md │ │ ├── manual-feed-sync.md │ │ ├── preamble.md │ │ ├── prerequisites.md │ │ ├── starting.md │ │ ├── troubleshooting.md │ │ └── workflows.md │ ├── kali │ │ ├── feed-sync.md │ │ ├── file-system.md │ │ ├── index.md │ │ ├── installation.md │ │ ├── introduction.md │ │ ├── optional-configs.md │ │ └── troubleshooting.md │ └── source-build │ │ ├── admin-user.md │ │ ├── directory-permissions.md │ │ ├── feed-import-owner.md │ │ ├── feed-loading.md │ │ ├── feed-sync.md │ │ ├── finish.md │ │ ├── gpg.md │ │ ├── greenbone-feed-sync │ │ ├── dependencies.md │ │ ├── description.md │ │ └── install.md │ │ ├── gsa │ │ ├── build.md │ │ ├── description.md │ │ └── download.md │ │ ├── gsad │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── download.md │ │ ├── gvm-libs │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── download.md │ │ ├── gvm-tools │ │ ├── dependencies.md │ │ ├── description.md │ │ └── install.md │ │ ├── gvmd │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── download.md │ │ ├── hardware.md │ │ ├── index.md │ │ ├── introduction.md │ │ ├── openvas-scanner │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── download.md │ │ ├── openvas-smb.md │ │ ├── openvasd │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── download.md │ │ ├── ospd-openvas │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── 
download.md │ │ ├── pg-gvm │ │ ├── build.md │ │ ├── dependencies.md │ │ ├── description.md │ │ └── download.md │ │ ├── postgres.md │ │ ├── prerequisites.md │ │ ├── redis.md │ │ ├── start-services.md │ │ ├── sudo-scanning.md │ │ ├── systemd.md │ │ ├── troubleshooting.md │ │ ├── verify.md │ │ └── workflows.md ├── _static │ ├── custom.css │ ├── docker-compose-22.4.yml │ ├── docker-compose.yml │ ├── greenbone-banner.png │ ├── greenbone.png │ ├── logo.svg │ └── setup-and-start-greenbone-community-edition.sh ├── api.md ├── architecture.md ├── background.md ├── changelog.md ├── conf.py ├── faq.md ├── favicon.png ├── glossary.md ├── history.md ├── images │ ├── GSA-22.4.png │ └── greenbone-community-22.4-architecture.png ├── index.md └── troubleshooting.md ├── test-build-and-install.sh ├── test-env.sh └── test-setup.sh /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # default reviewers 2 | * @greenbone/docs-maintainers 3 | 4 | # devops 5 | .github/ @greenbone/devops @greenbone/docs-maintainers 6 | pyproject.toml @greenbone/devops @greenbone/docs-maintainers 7 | poetry.lock @greenbone/devops @greenbone/docs-maintainers 8 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: Greenbone Community Forum 4 | url: https://community.greenbone.net/c/gse 5 | about: Please ask and answer questions here. 
6 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/issue-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug Report 3 | about: Report an issue with documentation 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | 26 | 27 | ### Expected behavior 28 | 29 | 33 | 34 | ### Actual behavior 35 | 36 | 44 | 45 | ### Steps to reproduce 46 | 47 | 50 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## What 2 | 3 | 7 | 8 | ## Why 9 | 10 | 11 | 12 | ## References 13 | 14 | 15 | 16 | ## Checklist 17 | 18 | 19 | 20 | - [ ] [Changelog](src/changelog.md) entry 21 | 22 | 23 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | 4 | - package-ecosystem: pip 5 | directory: "/" 6 | schedule: 7 | interval: "weekly" 8 | time: "04:00" 9 | groups: 10 | python-packages: 11 | patterns: 12 | - "*" 13 | open-pull-requests-limit: 10 14 | allow: 15 | - dependency-type: direct 16 | - dependency-type: indirect 17 | 18 | - package-ecosystem: "github-actions" 19 | directory: "/" 20 | schedule: 21 | interval: "weekly" 22 | groups: 23 | github-actions: 24 | patterns: 25 | - "*" 26 | -------------------------------------------------------------------------------- /.github/workflows/auto-merge.yml: -------------------------------------------------------------------------------- 1 | name: Auto-merge squash 2 | on: pull_request_target # NOTE(review): pull_request_target runs with the base repository's token and secrets; the called workflow should not check out or execute code from the PR head - confirm 3 | 4 | permissions: 5 | contents: write 6 | pull-requests: write 7 | 8 | jobs: 9 | auto-merge: 10 | uses: greenbone/workflows/.github/workflows/auto-merge.yml@main # NOTE(review): @main is a mutable ref; pinning to a full commit SHA would fix what runs with the write permissions above 11 | secrets: inherit # passes all of this workflow's secrets to the called workflow 12 | 
-------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: Build the Greenbone Documentation 2 | 3 | on: 4 | pull_request: 5 | branches: [main] 6 | 7 | jobs: 8 | build-docs: 9 | name: Build Documentation 10 | runs-on: "ubuntu-latest" 11 | steps: 12 | - uses: actions/checkout@v4 13 | - name: Set up Python 14 | uses: actions/setup-python@v5 15 | with: 16 | python-version: "3.11" 17 | - name: Install poetry and dependencies 18 | uses: greenbone/actions/poetry@v3 19 | - name: Build docs 20 | run: poetry run sphinx-build -W --keep-going -b html src _build 21 | - name: Upload Documentation Artifact 22 | uses: actions/upload-artifact@v4 23 | with: 24 | name: greenbone-community-docs-from-pr 25 | path: _build/ 26 | 27 | deploy-docs: 28 | needs: build-docs 29 | name: Build Documentation 30 | uses: ./.github/workflows/deployment.yml 31 | permissions: 32 | contents: write 33 | id-token: write 34 | pages: write 35 | with: 36 | doc_root: pr/${{ github.head_ref }} # NOTE(review): github.head_ref is the contributor-chosen branch name; treat doc_root as untrusted wherever it is consumed 37 | artifact_name: greenbone-community-docs-from-pr 38 | -------------------------------------------------------------------------------- /.github/workflows/cleanup-ci.yml: -------------------------------------------------------------------------------- 1 | name: Build the Greenbone Documentation 2 | 3 | on: 4 | pull_request: 5 | branches: [ main ] 6 | types: [ closed ] 7 | 8 | jobs: 9 | build-docs: 10 | name: Cleanup CI build 11 | runs-on: 'ubuntu-latest' 12 | env: 13 | DOC_ROOT: pr/${{ github.head_ref }} # handed over as an environment variable; the shell steps below read it as "$DOC_ROOT" instead of having the branch name expanded into the script text 14 | permissions: 15 | contents: write 16 | id-token: write 17 | pages: write 18 | steps: 19 | - uses: actions/checkout@v4 20 | with: 21 | ref: "gh-pages" 22 | - name: Test Document Root Exists 23 | id: doc-root 24 | run: | 25 | echo "Checking if $DOC_ROOT exists" 26 | if [ -d "$DOC_ROOT" ]; then 27 | echo "has-doc-root=true" >> $GITHUB_OUTPUT 28 | else 29 | echo 
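"has-doc-root=false" >> $GITHUB_OUTPUT
30 |           fi
31 |       - name: Cleanup Document Root and Update GitHub Pages
32 |         if: steps.doc-root.outputs.has-doc-root == 'true'
33 |         run: |
34 |           git config --global user.name "${GITHUB_ACTOR}"
35 |           git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
36 |           git rm -r "$DOC_ROOT"
37 |           git commit --amend -m "Updating Docs for commit ${GITHUB_SHA} (PR Cleanup)"
38 |           git push --force-with-lease
39 |       - name: Upload pages artifact
40 |         if: steps.doc-root.outputs.has-doc-root == 'true'
41 |         uses: actions/upload-pages-artifact@v3
42 |         with:
43 |           path: .
44 |       - name: Deploy to GitHub Pages
45 |         if: steps.doc-root.outputs.has-doc-root == 'true'
46 |         uses: actions/deploy-pages@v4
47 | 
--------------------------------------------------------------------------------
/.github/workflows/dependency-review.yml:
--------------------------------------------------------------------------------
1 | name: 'Dependency Review'
2 | on: [pull_request]
3 | 
4 | permissions:
5 |   contents: read
6 | 
7 | jobs:
8 |   dependency-review:
9 |     runs-on: ubuntu-latest
10 |     permissions:
11 |       pull-requests: write
12 |     steps:
13 |       - name: 'Dependency Review'
14 |         uses: greenbone/actions/dependency-review@v3
15 | 
--------------------------------------------------------------------------------
/.github/workflows/deployment.yml:
--------------------------------------------------------------------------------
1 | # Reusable workflow: copies a previously uploaded documentation artifact into
2 | # the directory `doc_root` on the gh-pages branch and publishes the branch via
3 | # GitHub Pages.
4 | name: Deploy the Greenbone Documentation
5 | 
6 | on:
7 |   workflow_call:
8 |     inputs:
9 |       doc_root:
10 |         required: true
11 |         default: "latest"
12 |         type: string
13 |       artifact_name:
14 |         default: "greenbone-community-docs"
15 |         required: true
16 |         type: string
17 | 
18 | permissions:
19 |   contents: write
20 |   id-token: write
21 |   pages: write
22 | 
23 | jobs:
24 |   deploy-docs:
25 |     name: Deploy Documentation to GitHub Pages
26 |     runs-on: 'ubuntu-latest'
27 |     concurrency:
28 |       group: github-pages
29 |     environment:
30 |       name: github-pages
31 |       url: ${{ steps.deployment.outputs.page_url }}
32 |     env:
33 |       # ci.yaml passes pr/<head_ref> as doc_root, i.e. a branch name chosen by
34 |       # the PR author. A ${{ }} expression inside `run:` is substituted into
35 |       # the script text before the shell starts, so the value is handed over
36 |       # as an environment variable and only ever used quoted as "$DOC_ROOT"
37 |       # (the same pattern cleanup-ci.yml uses).
38 |       DOC_ROOT: ${{ inputs.doc_root }}
39 |     steps:
40 |       - uses: greenbone/actions/checkout@v3
41 |         id: checkout
42 |         with:
43 |           ref: "gh-pages"
44 |       - name: Cleanup Document Root
45 |         run: |
46 |           # `--` keeps a value starting with `-` from being parsed as an option
47 |           rm -rf -- "$DOC_ROOT"
48 |           mkdir -p -- "$DOC_ROOT"
49 |       - name: Download Documentation Artifact
50 |         uses: actions/download-artifact@v4
51 |         with:
52 |           name: ${{inputs.artifact_name }}
53 |           # action input, not shell text: expression expansion is fine here
54 |           path: ${{ inputs.doc_root }}
55 |       - name: Create GitHub Pages
56 |         env:
57 |           CHECKOUT_SHA: ${{ steps.checkout.outputs.sha }}
58 |         run: |
59 |           git config --global user.name "${GITHUB_ACTOR}"
60 |           git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
61 |           git add -- "$DOC_ROOT"
62 |           # gh-pages keeps a single amended commit that is force-pushed
63 |           git commit --amend -m "Updating Docs for commit ${CHECKOUT_SHA}"
64 |           git push --force-with-lease
65 |       - name: Upload pages artifact
66 |         uses: actions/upload-pages-artifact@v3
67 |         with:
68 |           path: .
69 |       - name: Deploy to GitHub Pages
70 |         id: deployment
71 |         uses: actions/deploy-pages@v4
72 |       - name: Job Summary
73 |         run: |
74 |           # fixed format string; the untrusted value is only a printf argument
75 |           printf '### Deployment successful! :rocket: https://greenbone.github.io/docs/%s\n' "$DOC_ROOT" >> "$GITHUB_STEP_SUMMARY"
76 | 
--------------------------------------------------------------------------------
/.github/workflows/github-pages.yml:
--------------------------------------------------------------------------------
1 | name: "Build and deploy the Greenbone Documentation"
2 | 
3 | on:
4 |   workflow_dispatch:
5 |   push:
6 |     branches: [main]
7 | 
8 | jobs:
9 |   build-docs:
10 |     name: Build Documentation
11 |     runs-on: "ubuntu-latest"
12 |     steps:
13 |       - uses: actions/checkout@v4
14 |       - name: Set up Python
15 |         uses: actions/setup-python@v5
16 |         with:
17 |           python-version: "3.11"
18 |       - name: Install poetry and dependencies
19 |         uses: greenbone/actions/poetry@v3
20 |       - name: Build docs
21 |         run: poetry run sphinx-build -b html src _build
22 |       - name: Upload Documentation Artifact
23 |         uses: actions/upload-artifact@v4
24 |         with:
25 |           name: greenbone-community-docs
26 |           path: _build/
27 | 
28 |   deploy-docs:
29 |     needs: build-docs
30 |     name: Build Documentation
31 |     permissions:
32 |       contents: write
33 |       id-token: write
34 |       pages: write
35 |     uses: ./.github/workflows/deployment.yml
36 |     with:
37 |       doc_root: latest
38 |       artifact_name: greenbone-community-docs
39 | 
--------------------------------------------------------------------------------
/.github/workflows/sbom-upload.yml:
--------------------------------------------------------------------------------
1 | name: SBOM upload
2 | on:
3 |   workflow_dispatch:
4 |   push:
5 |     branches: ["main"]
6 | jobs:
7 |   SBOM-upload:
8 |     runs-on: ubuntu-latest
9 |     permissions:
10 |       id-token: write
11 |       contents: write
12 |     steps:
13 |       - name: 'SBOM upload'
14 |         uses: greenbone/actions/sbom-upload@v3
15 | 
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 | 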
6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | .DS_Store 30 | 31 | # PyInstaller 32 | # Usually these files are written by a python script from a template 33 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 34 | *.manifest 35 | *.spec 36 | 37 | # Installer logs 38 | pip-log.txt 39 | pip-delete-this-directory.txt 40 | 41 | # Unit test / coverage reports 42 | htmlcov/ 43 | .tox/ 44 | .nox/ 45 | .coverage 46 | .coverage.* 47 | .cache 48 | nosetests.xml 49 | coverage.xml 50 | *.cover 51 | *.py,cover 52 | .hypothesis/ 53 | .pytest_cache/ 54 | 55 | # Translations 56 | *.mo 57 | *.pot 58 | 59 | # Django stuff: 60 | *.log 61 | local_settings.py 62 | db.sqlite3 63 | db.sqlite3-journal 64 | 65 | # Flask stuff: 66 | instance/ 67 | .webassets-cache 68 | 69 | # Scrapy stuff: 70 | .scrapy 71 | 72 | # Sphinx documentation 73 | docs/_build/ 74 | 75 | # PyBuilder 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | .python-version 87 | 88 | # pipenv 89 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 90 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 91 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 92 | # install all needed dependencies. 93 | #Pipfile.lock 94 | 95 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 96 | __pypackages__/ 97 | 98 | # Celery stuff 99 | celerybeat-schedule 100 | celerybeat.pid 101 | 102 | # SageMath parsed files 103 | *.sage.py 104 | 105 | # Environments 106 | .env 107 | .venv 108 | env/ 109 | venv/ 110 | ENV/ 111 | env.bak/ 112 | venv.bak/ 113 | 114 | # Spyder project settings 115 | .spyderproject 116 | .spyproject 117 | 118 | # Rope project settings 119 | .ropeproject 120 | 121 | # mkdocs documentation 122 | /site 123 | 124 | # mypy 125 | .mypy_cache/ 126 | .dmypy.json 127 | dmypy.json 128 | 129 | # Pyre type checker 130 | .pyre/ 131 | 132 | # Sphinx build directory 133 | _build 134 | 135 | # VSCode 136 | .vscode 137 | 138 | # docker compose override 139 | *.override.yml 140 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line, and also 5 | # from the environment for the first two. 6 | SPHINXOPTS ?= 7 | SPHINXBUILD ?= sphinx-build 8 | SOURCEDIR = src 9 | BUILDDIR = _build 10 | 11 | # Put it first so that "make" without argument is like "make help". 12 | help: 13 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 14 | 15 | livehtml: 16 | sphinx-autobuild "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 17 | 18 | .PHONY: help Makefile livehtml 19 | 20 | # Catch-all target: route all unknown targets to Sphinx using the new 21 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 
22 | %: Makefile 23 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Greenbone Logo](https://www.greenbone.net/wp-content/uploads/gb_new-logo_horizontal_rgb_small.png) 2 | 3 | # Documentation for the Greenbone Community Edition 4 | 5 | The documentation is built automatically via GitHub Actions and is available at 6 | https://greenbone.github.io/docs/ 7 | 8 | ## Requirements 9 | 10 | For a manual local build, Python >= 3.9 and [poetry] are required. 11 | 12 | ## Install Poetry 13 | 14 | The project requires poetry >= 1.8.0. 15 | 16 | To install poetry it is recommended to use [pipx]. pipx can be installed with 17 | the following command on Debian-based systems: 18 | 19 | ```sh 20 | sudo apt install pipx 21 | ``` 22 | 23 | Install poetry using pipx: 24 | 25 | ```sh 26 | python3 -m pipx install poetry 27 | ``` 28 | 29 | ## Install and Upgrade Dependencies 30 | 31 | When building the docs you should ensure that all the dependencies are installed 32 | and up to date. To install for the first time or to update the project 33 | dependencies via [poetry] run: 34 | 35 | ```sh 36 | poetry install 37 | ``` 38 | 39 | You should run this command once a week to install the latest dependencies. 
40 | 41 | ## Manual Build 42 | 43 | After installing [poetry] and the project's dependencies, the docs can be built with: 44 | 45 | ```sh 46 | poetry run make html 47 | ``` 48 | 49 | To open the generated HTML docs with Firefox you can run: 50 | 51 | ```sh 52 | firefox _build/html/index.html 53 | ``` 54 | 55 | ## Auto Rebuild 56 | 57 | Alternatively it is possible to start a local HTTP server that automatically 58 | rebuilds the docs on every file change: 59 | 60 | ```sh 61 | poetry run make livehtml 62 | ``` 63 | 64 | To open the served docs with Firefox you can run: 65 | 66 | ```sh 67 | firefox http://127.0.0.1:8000 68 | ``` 69 | 70 | ## Starting From Scratch 71 | 72 | If something is wrong with your dependencies or you just want to re-start from 73 | a clean environment you need to remove the [virtual environment](https://docs.python.org/3/library/venv.html). 74 | First of all ensure that poetry's virtual environment is placed within the 75 | project: 76 | 77 | ```sh 78 | poetry config virtualenvs.in-project true 79 | ``` 80 | 81 | Afterwards the virtual environment including all installed dependencies can be 82 | deleted: 83 | 84 | ```sh 85 | rm -rf .venv 86 | ``` 87 | 88 | [poetry]: https://python-poetry.org/ 89 | [pipx]: https://pipx.pypa.io/stable/ 90 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [tool.poetry] 2 | name = "greenbone-docs" 3 | version = "1.0.0" 4 | description = "Documentation for the Greenbone Community Edition" 5 | authors = ["Greenbone Networks "] 6 | package-mode = false 7 | 8 | [tool.poetry.dependencies] 9 | python = "^3.9" 10 | Sphinx = ">=7.0.1" 11 | myst-parser = ">=2.0.0" 12 | sphinx-copybutton = ">=0.5.2" 13 | sphinx-tabs = ">=3.4.1" 14 | sphinxext-opengraph = ">=0.8.2" 15 | furo = ">=2023.5.20" 16 | 17 | [tool.poetry.group.dev.dependencies] 18 | sphinx-autobuild = ">=2021.3.14" 19 | 20 | 
[build-system] 21 | requires = ["poetry-core>=1.0.0"] 22 | build-backend = "poetry.core.masonry.api" 23 | -------------------------------------------------------------------------------- /src/22.4/container/admin-user.md: -------------------------------------------------------------------------------- 1 | ## Setting up an Admin User 2 | 3 | ```{warning} 4 | By default, a user *admin* with the password *admin* is created. This is insecure, 5 | and it is highly recommended to set a new password. 6 | ``` 7 | 8 | To update the administrator user with a password of your choice instead of the 9 | default password, the following command can be used: 10 | 11 | ```{code-block} shell 12 | --- 13 | caption: Updating password of administrator user 14 | --- 15 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 16 | exec -u gvmd gvmd gvmd --user=admin --new-password='<password>' 17 | ``` 18 | 19 | ```{note} 20 | Please be aware that if your password includes special characters like `$`, it needs 21 | to be enclosed in single quotes. Because the password is passed as a command-line argument, it may also be recorded in the shell history. 
22 | ``` 23 | -------------------------------------------------------------------------------- /src/22.4/container/docker-compose.yml: -------------------------------------------------------------------------------- 1 | ../../_static/docker-compose.yml -------------------------------------------------------------------------------- /src/22.4/container/gvmd-not-responding.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/greenbone/docs/193f957e79b4f6c3b37a0e9c6ee0300a40ef1acb/src/22.4/container/gvmd-not-responding.png -------------------------------------------------------------------------------- /src/22.4/container/hardware.md: -------------------------------------------------------------------------------- 1 | ## Hardware Requirements 2 | 3 | Minimal: 4 | 5 | * CPU Cores: 2 6 | * Random-Access Memory: 4GB 7 | * Hard Disk: 20GB free 8 | 9 | Recommended: 10 | 11 | * CPU Cores: 4 12 | * Random-Access Memory: 8GB 13 | * Hard Disk: 60GB free 14 | -------------------------------------------------------------------------------- /src/22.4/container/index.md: -------------------------------------------------------------------------------- 1 | # Greenbone Community Containers 2 | 3 | ```{include} /22.4/container/preamble.md 4 | ``` 5 | 6 | ```{include} /22.4/container/introduction.md 7 | ``` 8 | 9 | ```{include} /22.4/container/hardware.md 10 | ``` 11 | 12 | ```{include} /22.4/container/prerequisites.md 13 | ``` 14 | 15 | ## Docker Compose File 16 | 17 | ```{important} 18 | Please always make sure to use the latest version of the `docker-compose.yml` file 19 | when following this guide. The file might have received updates and important changes 20 | since your last download. 
21 | ``` 22 | 23 | To run the Greenbone Community Edition with containers, the following compose 24 | file should be used: 25 | 26 | ```{literalinclude} docker-compose.yml 27 | --- 28 | language: yaml 29 | caption: "Docker Compose File" 30 | --- 31 | ``` 32 | 33 | ### Download 34 | 35 | It is possible to just copy and paste the docker compose file. Alternatively, 36 | it can be downloaded with the following command directly: 37 | 38 | ```{code-block} shell 39 | --- 40 | caption: Downloading docker-compose file 41 | --- 42 | curl -f -O -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml --output-dir "$DOWNLOAD_DIR" 43 | ``` 44 | 45 | ### Description 46 | 47 | The following table describes the provided containers of the docker compose file 48 | and their services in detail. 49 | 50 | | Container | Service | Description | 51 | |-----------|---------|-------------| 52 | | redis-server | [Redis Server](https://redis.io/) | A redis server with an adjusted config. Used to store VT data and scan results by the scanner. | 53 | | pg-gvm | [postgresql](https://www.postgresql.org/) | A PostgreSQL database cluster setup for use with {term}`gvmd`. The actual data is stored in the `psql_data_vol` volume. | 54 | | gvmd | gvmd | A container for {term}`gvmd` that uses unix sockets in volumes to communicate with the PostgreSQL database and ospd-openvas scanner. The downloaded feed data is stored in the `gvmd_data_vol` volume. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used. | 55 | | gsa | gsad | A container running the {term}`gsad` web server for providing the web application {term}`GSA`. The web interface is available at localhost on port 9392. For communication with gvmd, a unix socket in a volume is used. | 56 | | ospd-openvas | ospd-openvas | A container providing the vulnerability scanner. The VT data from the feed is stored in the `vt_data_vol` volume. To verify the feed data, the GPG keyring from the `gpg_data_vol` is used. 
The connection to the redis server is established via a unix socket in a volume. | 57 | | gvm-tools | | A container providing the [gvm-tools](https://github.com/greenbone/gvm-tools/) CLI to query and control gvmd and ospd-openvas. | 58 | | gpg-data | | A container that copies a GPG keyring with Greenbone's public signing keys into the `gpg_data_vol` volume on startup. It exits afterwards. | 59 | | vulnerability-tests | | A container that copies vulnerability tests (VTs) into the `vt_data_vol` volume on startup. Shows the license and exits afterwards. | 60 | | notus-data | | A container that copies vulnerability information for notus-scanner into the `notus_data_vol` volume on startup. Shows the license and exits afterwards. | 61 | | scap-data | | A container that copies CVE and CPE data into the `scap_data_vol` volume on startup. Shows the license and exits afterwards. | 62 | | cert-bund-data | | A container that copies CERT-Bund data into the `cert_data_vol` volume on startup. Shows the license and exits afterwards. | 63 | | dfn-cert-data | | A container that copies DFN-CERT data into the `cert_data_vol` volume on startup. Shows the license and exits afterwards. | 64 | | data-objects | | A container that copies scan configs, compliance policies and port lists into the `data_objects_vol` volume on startup. Shows the license and exits afterwards. | 65 | | report-formats | | A container that copies report formats into the `data_objects_vol` volume on startup. Shows the license and exits afterwards. | 66 | | configure-openvas | | A container for setting up the configuration for OpenVAS Scanner | 67 | | openvas | | A container that shows the logs of OpenVAS Scanner | 68 | | openvasd | openvasd | A container for [openvasd](https://github.com/greenbone/openvas-scanner/tree/main/rust/openvasd). It is providing notus, a static vulnerability engine, functionality. 
| 69 | 70 | ```{include} /22.4/container/starting.md 71 | ``` 72 | 73 | ```{include} /22.4/container/admin-user.md 74 | ``` 75 | 76 | ## Starting the Vulnerability Management 77 | 78 | After the services have started and [all feed data has been loaded](./workflows.md#loading-the-feed-changes), 79 | the {term}`Greenbone Security Assistant web interface – GSA –` can be opened in the browser. 80 | 81 | ```{code-block} shell 82 | --- 83 | caption: Opening Greenbone Security Assistant in the browser 84 | --- 85 | xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null & 86 | ``` 87 | 88 | The browser will show the login page of GSA and after using the credentials 89 | created before, it is possible to start with vulnerability scanning. 90 | 91 | ```{figure} /images/GSA-22.4.png 92 | --- 93 | alt: Launching Greenbone Security Assistant for the first time 94 | --- 95 | Greenbone Security Assistant after logging in for the first time 96 | ``` 97 | 98 | ## Setup and Start Script 99 | 100 | ```{note} 101 | Please remember to follow the instructions described in the [Prerequisites](#prerequisites) 102 | first. 103 | ``` 104 | 105 | As a quick solution we provide all the commands above in a single script. 
This 106 | script can be downloaded with the following command directly: 107 | 108 | ```{code-block} shell 109 | --- 110 | caption: Downloading setup and start script to the current working dir 111 | --- 112 | curl -f -O https://greenbone.github.io/docs/latest/_static/setup-and-start-greenbone-community-edition.sh && chmod u+x setup-and-start-greenbone-community-edition.sh 113 | ``` 114 | 115 | Since the script is downloaded and then executed locally, it is advisable to read it first. To execute the script, the following command needs to be run: 116 | 117 | ```{code-block} shell 118 | --- 119 | caption: Run setup and start script 120 | --- 121 | ./setup-and-start-greenbone-community-edition.sh 122 | ``` 123 | 124 | ```{toctree} 125 | :hidden: 126 | 127 | workflows 128 | troubleshooting 129 | ``` 130 | 131 | [docker]: https://docs.docker.com/ 132 | [docker-compose]: https://docs.docker.com/compose/ 133 | -------------------------------------------------------------------------------- /src/22.4/container/introduction.md: -------------------------------------------------------------------------------- 1 | ## Introduction 2 | 3 | This document provides a guide for running the {term}`Greenbone Community Edition` 4 | from pre-built container images using [Docker]. It consists of a distributed 5 | service {doc}`architecture `, where each service is run in a 6 | dedicated container. The orchestration of these services is done via a [docker-compose] 7 | file. 8 | 9 | With the Greenbone Community Containers, it is possible to scan your local network 10 | independently of the underlying operating system, installed software and 11 | tool chains. 12 | 13 | -------------------------------------------------------------------------------- /src/22.4/container/manual-feed-sync.md: -------------------------------------------------------------------------------- 1 | ## Performing a Manual Feed Sync 2 | 3 | It is possible to do a manual feed sync using {command}`rsync` instead of 4 | pulling the current feed content via the newest container images. 
5 | 6 | ```{warning} 7 | Please be aware that the manually synced data will be overridden if the data 8 | containers are (re-)started. 9 | ``` 10 | 11 | For the manual feed sync, the [`greenbone-feed-sync`](https://github.com/greenbone/greenbone-feed-sync/) 12 | script will be used. The `greenbone-feed-sync` script is also provided via a 13 | container image. Using the container image requires extending the docker compose 14 | file as follows: 15 | 16 | ```{code-block} yaml 17 | --- 18 | caption: Extending the docker compose file for performing a manual feed sync using 19 | the greenbone-feed-sync script 20 | --- 21 | ... 22 | greenbone-feed-sync: 23 | image: registry.community.greenbone.net/community/greenbone-feed-sync 24 | volumes: 25 | - vt_data_vol:/var/lib/openvas/plugins 26 | - notus_data_vol:/var/lib/notus 27 | - gvmd_data_vol:/var/lib/gvm 28 | - scap_data_vol:/var/lib/gvm/scap-data 29 | - cert_data_vol:/var/lib/gvm/cert-data 30 | - data_objects_vol:/var/lib/gvm/data-objects/gvmd 31 | ... 32 | ``` 33 | 34 | ### Syncing Vulnerability Tests 35 | 36 | VT data contains {file}`.nasl` and {file}`.notus` files for creating results 37 | during a vulnerability scan. 38 | 39 | ```{code-block} shell 40 | --- 41 | caption: Downloading {term}`NASL` {term}`VTs` processed by the 42 | ospd-openvas scanner, this will take a while. 43 | --- 44 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 45 | run --rm greenbone-feed-sync greenbone-feed-sync --type nasl 46 | ``` 47 | 48 | ```{code-block} shell 49 | --- 50 | caption: Downloading `notus` {term}`VTs` processed for local security checks, 51 | this will take a while. 52 | --- 53 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 54 | run --rm greenbone-feed-sync greenbone-feed-sync --type notus 55 | ``` 56 | 57 | ### Syncing SCAP, CERT and GVMD Data 58 | 59 | {term}`SCAP` data contains {term}`CPE` and {term}`CVE` information. 
60 | 61 | ```{code-block} shell 62 | --- 63 | caption: Downloading SCAP data processed by gvmd, this will take a while 64 | --- 65 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 66 | run --rm greenbone-feed-sync greenbone-feed-sync --type scap 67 | ``` 68 | 69 | CERT data contains vulnerability information from the German [DFN-CERT](https://www.dfn-cert.de/) 70 | and [CERT-Bund](https://cert-bund.de/) agencies. 71 | 72 | ```{code-block} shell 73 | --- 74 | caption: Downloading CERT data processed by gvmd 75 | --- 76 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 77 | run --rm greenbone-feed-sync greenbone-feed-sync --type cert 78 | ``` 79 | 80 | gvmd data (or also called data-objects) are scan configurations, compliance 81 | policies, port lists and report formats. 82 | 83 | ```{code-block} shell 84 | --- 85 | caption: Downloading data objects processed by gvmd 86 | --- 87 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 88 | run --rm greenbone-feed-sync greenbone-feed-sync --type gvmd-data 89 | ``` 90 | -------------------------------------------------------------------------------- /src/22.4/container/preamble.md: -------------------------------------------------------------------------------- 1 | Running the Greenbone Community Edition from containers requires knowledge about: 2 | 3 | * Using a terminal 4 | * Using [docker] 5 | * Running services via [docker compose][docker-compose] 6 | 7 | Additionally, a basic knowledge about the {doc}`architecture ` 8 | of the Greenbone Community Edition is required to understand the setup. 9 | 10 | ```{note} 11 | This guide is intended for users who want to test the newest features 12 | and/or want to get familiar with the Greenbone Community Edition. It is not 13 | intended for production setups. 
14 | 15 | Currently the docs support the following distributions 16 | 17 | * **Debian stable** [(bookworm)](https://www.debian.org/releases/stable) 18 | * **Ubuntu 24.04 LTS** 19 | * **Fedora 35 and 36** 20 | * **CentOS 9 Stream** 21 | 22 | Most likely, other Debian derivatives like Mint and Kali will also work with 23 | only minor adjustments required. 24 | ``` 25 | -------------------------------------------------------------------------------- /src/22.4/container/prerequisites.md: -------------------------------------------------------------------------------- 1 | ## Prerequisites 2 | 3 | ```{note} 4 | Please follow the guide step by step. Later steps might require settings or 5 | output of a previous command. 6 | ``` 7 | 8 | The command {command}`sudo` is used for executing commands that require privileged 9 | access on the system. 10 | 11 | ### Install dependencies 12 | 13 | There are a few dependencies required for the following steps like [curl](https://curl.se/), which is required for downloading files from this guide. 14 | 15 | 16 | `````{tabs} 17 | ````{tab} Debian/Ubuntu 18 | ```{code-block} shell 19 | --- 20 | caption: Install ca-certificates, curl and gnupg Debian/Ubuntu packages 21 | --- 22 | sudo apt install ca-certificates curl gnupg 23 | ``` 24 | ```` 25 | ````{tab} Fedora/CentOS 26 | ```{code-block} shell 27 | --- 28 | caption: Install ca-certificates, curl and gnupg Fedora/CentOS packages 29 | --- 30 | sudo dnf install ca-certificates curl gnupg 31 | ``` 32 | ```` 33 | ````` 34 | 35 | ### Installing Docker 36 | 37 | [docker] is required for running the services within containers. 
Docker can be 38 | installed by running the following commands (taken from the Docker Engine [install guide](https://docs.docker.com/engine/install/)): 39 | 40 | `````{tabs} 41 | ````{tab} Debian 42 | ```{code-block} shell 43 | --- 44 | caption: Uninstall conflicting Debian packages 45 | --- 46 | for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done 47 | ``` 48 | ```{code-block} shell 49 | --- 50 | caption: Set up the Docker repository 51 | --- 52 | sudo install -m 0755 -d /etc/apt/keyrings 53 | curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg 54 | sudo chmod a+r /etc/apt/keyrings/docker.gpg 55 | echo \ 56 | "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ 57 | "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ 58 | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 59 | sudo apt update 60 | ``` 61 | ```{code-block} shell 62 | --- 63 | caption: Install Docker Debian packages 64 | --- 65 | sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin 66 | ``` 67 | ```` 68 | ````{tab} Ubuntu 69 | ```{code-block} shell 70 | --- 71 | caption: Uninstall conflicting Ubuntu packages 72 | --- 73 | for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done 74 | ``` 75 | ```{code-block} shell 76 | --- 77 | caption: Set up the Docker repository 78 | --- 79 | sudo install -m 0755 -d /etc/apt/keyrings 80 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg 81 | sudo chmod a+r /etc/apt/keyrings/docker.gpg 82 | echo \ 83 | "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ 84 | "$(. 
/etc/os-release && echo "$VERSION_CODENAME")" stable" | \ 85 | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 86 | sudo apt update 87 | ``` 88 | ```{code-block} shell 89 | --- 90 | caption: Install Docker Ubuntu packages 91 | --- 92 | sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin 93 | ``` 94 | ```` 95 | ````{tab} Fedora 96 | ```{code-block} shell 97 | --- 98 | caption: Uninstall conflicting Fedora packages 99 | --- 100 | sudo dnf remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine 101 | ``` 102 | ```{code-block} shell 103 | --- 104 | caption: Install docker Fedora package 105 | --- 106 | sudo dnf -y install dnf-plugins-core 107 | sudo dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo 108 | sudo dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin 109 | ``` 110 | ```{code-block} shell 111 | --- 112 | caption: Start Docker 113 | --- 114 | sudo systemctl start docker 115 | ``` 116 | ```` 117 | ````{tab} CentOS 118 | ```{code-block} shell 119 | --- 120 | caption: Uninstall conflicting CentOS packages 121 | --- 122 | sudo dnf remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine 123 | ``` 124 | ```{code-block} shell 125 | --- 126 | caption: Install Docker CentOS package 127 | --- 128 | sudo dnf -y install dnf-plugins-core 129 | sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo 130 | sudo dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin 131 | ``` 132 | ```{code-block} shell 133 | --- 134 | caption: Start Docker 135 | --- 136 | sudo systemctl start docker 137 | ``` 138 | ```` 139 | ````` 140 | 141 | ### Setup 142 | 143 | To allow the current user to run 
{command}`docker` and therefore start the 144 | containers, they must be added to the *docker* user group. To make the group change 145 | effective, either log out and log in again or use {command}`su`. Members of the *docker* group can control the Docker daemon, which is equivalent to root access on the host, so only accounts that are already trusted with administrative access should be added. 146 | 147 | ```{code-block} shell 148 | --- 149 | caption: Add current user to docker group and apply group changes for the current shell environment 150 | --- 151 | sudo usermod -aG docker $USER && su $USER 152 | ``` 153 | 154 | For downloading the Greenbone Community Edition docker compose file, a 155 | destination directory should be created. 156 | 157 | ```{code-block} shell 158 | --- 159 | caption: Create download directory 160 | --- 161 | export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR 162 | ``` 163 | -------------------------------------------------------------------------------- /src/22.4/container/starting.md: -------------------------------------------------------------------------------- 1 | ## Starting the Greenbone Community Containers 2 | 3 | Using the docker compose file, the container images can be downloaded (*pulled*) 4 | and the containers can be started in the background. 5 | 6 | ```{code-block} shell 7 | --- 8 | caption: Downloading the Greenbone Community Containers 9 | --- 10 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml pull 11 | ``` 12 | 13 | ```{code-block} shell 14 | --- 15 | caption: Starting the Greenbone Community Containers 16 | --- 17 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d 18 | ``` 19 | 20 | To get a continuous stream of the log output of all services, run the following 21 | command: 22 | 23 | ```{code-block} shell 24 | --- 25 | caption: Show log messages of all services from the running containers 26 | --- 27 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs -f 28 | ``` 29 | 30 | The log stream can be stopped by pressing {kbd}`Ctrl-C`. 
31 | -------------------------------------------------------------------------------- /src/22.4/container/troubleshooting.md: -------------------------------------------------------------------------------- 1 | ## Troubleshooting 2 | 3 | This page contains hints for troubleshooting Greenbone Community Container specific issues. 4 | 5 | ### Facing an issue with the Greenbone Community Containers 6 | 7 | If you have an issue with the Greenbone Community Containers because something 8 | doesn't work as expected and/or you are getting an error in the web UI, it is 9 | necessary to check the log output to get some technical hints about the issue. 10 | 11 | To inspect the logs you can use the [`docker compose logs`](https://docs.docker.com/engine/reference/commandline/compose_logs/) 12 | command. For displaying the complete log output you can run 13 | 14 | ```{code-block} shell 15 | --- 16 | caption: Display all logs 17 | --- 18 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs 19 | ``` 20 | 21 | To follow the current log output and display log messages as they occur, use the 22 | following command 23 | 24 | ```{code-block} shell 25 | --- 26 | caption: Follow current log output 27 | --- 28 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs -f 29 | ``` 30 | 31 | It's also possible to just display the logs of a specific container by using 32 | `docker compose logs <service>` where `<service>` is the [name of the container 33 | within the docker compose file](./index.md#description). 34 | 35 | ```{code-block} shell 36 | --- 37 | caption: Follow the log messages of the gvmd container only 38 | --- 39 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs -f gvmd 40 | ``` 41 | 42 | Additionally it is possible to bypass the `docker compose logs` command and 43 | access the log files directly. 
For example, run the following command to display 44 | the content of the OpenVAS scanner log file via {command}`cat` 45 | 46 | ```{code-block} shell 47 | --- 48 | caption: Print messages from /var/log/gvm/openvas.log 49 | --- 50 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 51 | exec ospd-openvas cat /var/log/gvm/openvas.log 52 | ``` 53 | 54 | Afterwards, using the collected error messages in the [search of our Community Forum](https://forum.greenbone.net/search) 55 | may already bring up possible results to resolve the issue. 56 | 57 | If no fitting results can be found, feel free to create a new topic in the 58 | [Community Containers category in our Community Forum](https://forum.greenbone.net/c/community-containers/40). Before posting log excerpts publicly, remove internal host names, IP addresses and credentials from them. 59 | 60 | ### VTs are up-to-date but not visible on the web interface 61 | 62 | It may be possible, especially for the initial synchronization, that the scanner 63 | does not notice new VT files have arrived. Therefore, it is best to restart the 64 | scanner. 65 | 66 | ```{code-block} shell 67 | --- 68 | caption: Restart the scanner to ensure that new {term}`VTs` are loaded 69 | --- 70 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml restart ospd-openvas 71 | ``` 72 | 73 | ### Port list, scan configurations, report formats are up-to-date but not visible on the web interface 74 | 75 | If port lists, scan configurations, or report formats are missing on the web interface, you may run: 76 | 77 | ```{code-block} shell 78 | --- 79 | caption: Forcing reload of report formats, scan configs and port lists 80 | --- 81 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 82 | exec -u gvmd gvmd gvmd --rebuild-gvmd-data=all 83 | ``` 84 | 85 | to force `gvmd` to reload the data from the file system. 86 | 87 | ### Errors while starting `pg-gvm` container 88 | 89 | While starting up the `pg-gvm` container, some errors are displayed. 
For example 90 | `createuser: error: creation of new role failed: ERROR: role "gvmd" already exists` 91 | or `ERROR: extension "uuid-ossp" already exists`. 92 | 93 | The code behind these errors tries to set up the database. If the database is 94 | already initialized, all tables, users, permissions and extensions already exist and these 95 | errors are raised. At the moment, it is not possible to silence these errors but 96 | they can be ignored safely. 97 | 98 | ### `osp_scanner_feed_version: failed to connect to /run/ospd/ospd-openvas.sock` 99 | 100 | If the `gvmd` log contains this error, `gvmd` is not able to connect to the 101 | `ospd-openvas` scanner. Most likely `ospd-openvas` is not running. Try to 102 | restart the corresponding container with: 103 | 104 | ```{code-block} shell 105 | --- 106 | caption: Restarting the ospd-openvas scanner 107 | --- 108 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml restart ospd-openvas 109 | ``` 110 | 111 | If you still get errors, you need to take a look at the `ospd-openvas` logs. 112 | 113 | ```{code-block} shell 114 | --- 115 | caption: Showing log message of the ospd-openvas scanner 116 | --- 117 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs -f ospd-openvas 118 | ``` 119 | 120 | ### Cannot log in to the web interface: *Greenbone Vulnerability Manager service is not responding* 121 | 122 | If it is not possible to log in to the web interface and the following error 123 | message is shown 124 | 125 | ```{image} gvmd-not-responding.png 126 | --- 127 | alt: gvmd not responding 128 | width: 200px 129 | align: center 130 | --- 131 | ``` 132 | 133 | and/or the logs contain a `Failed to connect to server at /run/gvmd/gvmd.sock: Connection refused` 134 | message, the {term}`gvmd` container must be restarted. It is very likely it 135 | had some issues accessing the PostgreSQL database. 
136 | 137 | ```{code-block} shell 138 | --- 139 | caption: Restarting {term}`gvmd` 140 | --- 141 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml restart gvmd 142 | ``` 143 | 144 | ### Redis server keeps restarting `rm: cannot remove ‘/run/redis/redis.sock’: Permission denied` 145 | 146 | Under some circumstances the [Unix Domain Socket](https://en.wikipedia.org/wiki/Unix_domain_socket) 147 | of the Redis server has got wrong permissions. To fix this issue it is required 148 | to shutdown the `redis-server` and `ospd-openvas` containers and remove the 149 | `redis_socket_vol` [docker volume](https://docs.docker.com/storage/volumes/). 150 | The volume can be removed safely because it gets recreated on the next startup. 151 | 152 | ```{code-block} shell 153 | --- 154 | caption: Recreating the Redis server socket volume 155 | --- 156 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml \ 157 | rm -s -f redis-server ospd-openvas 158 | docker volume rm greenbone-community-edition_redis_socket_vol 159 | docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d 160 | ``` 161 | -------------------------------------------------------------------------------- /src/22.4/kali/feed-sync.md: -------------------------------------------------------------------------------- 1 | ## Community Feed Synchronization 2 | 3 | The standard `greenbone-feed-sync` commands must be used to maintain current security information. A detailed guide on using the `greenbone-feed-sync` command is [available here](../source-build/feed-sync.md). 4 | -------------------------------------------------------------------------------- /src/22.4/kali/file-system.md: -------------------------------------------------------------------------------- 1 | ## Log And Configuration File Locations 2 | 3 | Here are the locations of the various Greenbone Community Edition log and configuration files. 
4 | 5 | ```{code-block} 6 | :caption: View all Greenbone Community Edition log files 7 | ls /var/log/gvm 8 | ``` 9 | 10 | ```{code-block} 11 | :caption: View the OpenVAS Scanner configuration files 12 | ls /etc/openvas 13 | ``` 14 | 15 | ```{code-block} 16 | :caption: View the other Greenbone Community Edition configuration files 17 | ls /etc/gvm 18 | ``` 19 | -------------------------------------------------------------------------------- /src/22.4/kali/index.md: -------------------------------------------------------------------------------- 1 | # Kali Linux Install Guide 2 | 3 | ```{include} /22.4/kali/introduction.md 4 | ``` 5 | 6 | ```{include} /22.4/kali/installation.md 7 | ``` 8 | 9 | ```{include} /22.4/kali/feed-sync.md 10 | ``` 11 | 12 | ```{include} /22.4/kali/optional-configs.md 13 | ``` 14 | 15 | ```{include} /22.4/kali/file-system.md 16 | ``` 17 | 18 | ```{toctree} 19 | :hidden: true 20 | 21 | troubleshooting 22 | ``` 23 | -------------------------------------------------------------------------------- /src/22.4/kali/installation.md: -------------------------------------------------------------------------------- 1 | ## Installing Greenbone Community Edition on Kali Linux 2 | 3 | ### Quick Start Install 4 | 5 | For those who want a quick start guide, here is an overview of the standard installation process: 6 | 7 | > 1. Update Kali Linux with `sudo apt update`. 8 | > 2. Install Greenbone Community Edition with `sudo apt install gvm`. 9 | > 3. Configure Greenbone Community Edition with `sudo gvm-setup` and note the provided *admin* password from the output 10 | > 4. Check the install status with `gvm-check-setup`. 11 | > 5. Visit [https://127.0.0.1:9392](https://127.0.0.1:9392) and log in using the credentials output in step 3. 12 | > 6. Verify the feed status before starting your first scan. 13 | 14 | ### Detailed Installation Instructions 15 | 16 | In this section includes a more detailed look at each step of the installation process. 17 | 18 | ### 1. 
Update Kali Linux 19 | 20 | The first step is to update the system's local package lists for repositories and PPAs (Personal Package Archives). Kali Linux is a "rolling" distribution which means that it continuously updates all of its software (the kernel, libraries, applications, and other system software) to the latest versions without requiring a complete OS reinstallation. Rolling releases typically offer the latest versions of software soon after they are released. 21 | 22 | Therefore, It's highly advised to also do a full package `upgrade` before installing `gvm` since Greenbone Community Edition requires the newest version of PostgreSQL. If you are having trouble upgrading and configuring PostgreSQL during the installation process, see the [troubleshooting section](troubleshooting.md). 23 | 24 | ```{warning} System upgrades may result in changes to the existing kernel, libraries, and software that could interfere with existing functionality. Before doing an upgrade you should make a complete backup of all critical files on your system including the contents of your PostgreSQL database. 25 | ``` 26 | ```{code-block} 27 | :caption: Full package list update and system upgrade 28 | sudo apt update && sudo apt upgrade 29 | ``` 30 | 31 | ### 2. Install Greenbone Community Edition 32 | 33 | Greenbone Community Edition and required dependencies can be installed with a single command: 34 | 35 | ```bash 36 | sudo apt install gvm -y 37 | ``` 38 | Note that this is the same as executing the command: 39 | ```bash 40 | sudo apt install openvas -y 41 | ``` 42 | 43 | ### 3. Run The Automatic Configuration Script 44 | 45 | After installing the required packages, a configuration script must be run to complete the installation. To run the automatic configuration execute the command: 46 | 47 | ```{note} 48 | During `gvm-setup` you must record the default password created for the admin user. 49 | ``` 50 | 51 | ```bash 52 | sudo gvm-setup 53 | ``` 54 | 55 | ### 4. 
Verify The Installation 56 | 57 | The Kali Linux native installation includes a script to verify the installed services. This script can be run using the command: 58 | 59 | ```bash 60 | sudo gvm-check-setup 61 | ``` 62 | 63 | If your installation has been successfully configured, you will see the following message at the end of the verification output: 64 | 65 | ``` 66 | It seems like your GVM-22.5.0 installation is OK. 67 | ``` 68 | 69 | #### Starting And Stopping Greenbone Community Edition 70 | 71 | The following commands can be used to start and stop Greenbone Community Edition and all its required services: 72 | 73 | ```{code-block} 74 | :caption: Start all services 75 | sudo gvm-start 76 | ``` 77 | 78 | ```{code-block} 79 | :caption: Stop all services 80 | sudo gvm-stop 81 | ``` 82 | 83 | ### 5. Log Into The Greenbone Web Interface 84 | 85 | Once the installation is complete you can log into the {term}`GSA` web interface by visiting [https://127.0.0.1:9392](https://127.0.0.1:9392) in your browser and providing the default admin credentials from step 3. 86 | 87 | ### 6. Verify The Feed Status 88 | 89 | Before starting the first scan, Greenbone needs to parse the vulnerability feeds and store them into the `gvmd` PostgreSQL database, otherwise, it will not be able to initialize or complete scans without errors. This process is initialized during the setup stage, but typically takes anywhere from a few minutes to several hours to complete, depending on your system resources. 90 | 91 | The feed status can be checked by going to the `Feed Status` page from the `Administration` section in the top menu bar. 92 | -------------------------------------------------------------------------------- /src/22.4/kali/introduction.md: -------------------------------------------------------------------------------- 1 | This documentation provides instructions on how to install {term}`Greenbone Community Edition` from the Kali Linux native repository. 
The install packages are maintained by [Offensive Security](https://www.kali.org/tools/gvm/). Any bugs discovered during installation or use should be reported to [Kali Linux Bug Tracker](https://bugs.kali.org/main_page.php). Guidelines for submitting bugs to Kali Linux can be [found here](https://www.kali.org/docs/community/submitting-issues-kali-bug-tracker/). 2 | 3 | ```{important} 4 | Greenbone does not hold responsibility for use of the Greenbone Community Edition 5 | installed via the native Kali Linux packages, and is not involved in the packaging 6 | process of the Greenbone Community Edition for Kali Linux. 7 | ``` 8 | -------------------------------------------------------------------------------- /src/22.4/kali/optional-configs.md: -------------------------------------------------------------------------------- 1 | ## Optional Configurations 2 | 3 | The Greenbone Community Edition on Kali Linux installation relies on the same sub-system components as the [source code installation](/22.4/source-build/index.md) and all configuration options are available. Let's cover some common custom configurations. 4 | 5 | ### Configure Remote Access To The Web Interface 6 | 7 | By default Greenbone Community Edition is installed with only `localhost` access to the {term}`GSA` web interface. This means Greenbone Community Edition can only be accessed via the IP address `127.0.0.1`. To enable remote access to the web interface, the {term}`gsad` systemd service file must be modified and the gsad service must be restarted. 
8 | 9 | 10 | Edit the contents of the `gsad.service` systemd service file: 11 | 12 | ```{code-block} 13 | :caption: Use nano to edit the gsad.service file 14 | nano /usr/lib/systemd/system/gsad.service 15 | ``` 16 | 17 | Change the value of the `--listen` argument to `0.0.0.0` and optionally change the value of `--port` to the standard SSL/TLS port 443, as shown below. Listening on `0.0.0.0` makes the login page reachable on every network interface of the host, so access to the port should be limited to trusted networks with a firewall. 18 | 19 | ```diff 20 | -ExecStart=/usr/local/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 21 | +ExecStart=/usr/local/sbin/gsad --foreground --listen=0.0.0.0 --port=443 22 | ``` 23 | Restart the `gsad` service: 24 | ```{code-block} 25 | sudo systemctl daemon-reload 26 | sudo systemctl restart gsad 27 | ``` 28 | 29 | ### Setting A Password Policy 30 | 31 | The password policy configuration file defines the rules for user passwords such as minimum length, complexity, and expiration period, ensuring that all user passwords adhere to the desired security standards. 32 | 33 | ```{code-block} 34 | :caption: Edit the Greenbone Community Edition password policy configuration 35 | nano /etc/gvm/pwpolicy.conf 36 | ``` 37 | -------------------------------------------------------------------------------- /src/22.4/source-build/admin-user.md: -------------------------------------------------------------------------------- 1 | ### Setting up an Admin User 2 | 3 | For accessing and configuring the vulnerability data, an administrator user needs 4 | to be created. This user can log in via the Greenbone Security Assistant (GSA) 5 | web interface. They will have access to all data and will later be configured to 6 | act as the *Feed Import Owner*. 
7 | 8 | ```{code-block} 9 | :caption: Creating an administrator user with generated password 10 | 11 | /usr/local/sbin/gvmd --create-user=admin 12 | ``` 13 | 14 | The new administrator user's password is printed on success. An administrator user can 15 | later create further users or administrators via the GSA web interface. 
16 | 17 | To create the administrator user with a password of your choice instead of the generated 18 | password, the following command can be used: 19 | 20 | ```{code-block} 21 | :caption: Creating an administrator user with provided password 22 | 23 | /usr/local/sbin/gvmd --create-user=admin --password='<password>' 24 | ``` 25 | 26 | ```{note} 27 | Please be aware that if your password includes special characters like `$`, it needs 28 | to be quoted in single quotes. A password passed on the command line can also be recorded in the shell history. 29 | ``` 30 | 31 | If the output doesn't show 32 | 33 | ```{code-block} none 34 | :class: no-copybutton 35 | User created. 36 | ``` 37 | 38 | you need to look at the {file}`/var/log/gvm/gvmd.log` for errors. 39 | -------------------------------------------------------------------------------- /src/22.4/source-build/directory-permissions.md: -------------------------------------------------------------------------------- 1 | ### Adjusting Permissions 2 | 3 | For a system-wide multi-user installation, it must be ensured that the 4 | directory permissions are set correctly and are matching the group setup. 5 | All users of the group *gvm* should be able to read and write logs, lock files 6 | and data like VTs. 7 | 8 | ```{code-block} 9 | :caption: Adjusting directory permissions 10 | 11 | sudo mkdir -p /var/lib/notus 12 | sudo mkdir -p /run/gvmd 13 | 14 | sudo chown -R gvm:gvm /var/lib/gvm 15 | sudo chown -R gvm:gvm /var/lib/openvas 16 | sudo chown -R gvm:gvm /var/lib/notus 17 | sudo chown -R gvm:gvm /var/log/gvm 18 | sudo chown -R gvm:gvm /run/gvmd 19 | 20 | sudo chmod -R g+srw /var/lib/gvm 21 | sudo chmod -R g+srw /var/lib/openvas 22 | sudo chmod -R g+srw /var/log/gvm 23 | ``` 24 | 25 | To allow all users of the group *gvm* access to the postgres database via the 26 | various *gvmd* commands, the permissions of the *gvmd* executable will be adjusted 27 | to always run as the *gvm* user and under the *gvm* group. 
The mode `6750` used below sets the setuid and setgid bits and removes all access for other users, so every member of the *gvm* group can run *gvmd* with the rights of the *gvm* user; membership in that group should be limited to accounts that are allowed to manage the scanner data.
28 | 29 | ```{code-block} 30 | :caption: Adjusting gvmd permissions 31 | 32 | sudo chown gvm:gvm /usr/local/sbin/gvmd 33 | sudo chmod 6750 /usr/local/sbin/gvmd 34 | ``` 35 | -------------------------------------------------------------------------------- /src/22.4/source-build/feed-import-owner.md: -------------------------------------------------------------------------------- 1 | ### Setting the Feed Import Owner 2 | 3 | Certain resources that were previously part of the gvmd source code are now 4 | shipped via the feed. An example is the scan configuration "Full and Fast". 5 | 6 | Currently every resource needs an owner to apply the permissions and manage 7 | the access to the resources. 8 | 9 | Therefore, *gvmd* will only create these resources if a *Feed Import Owner* is 10 | configured. Here the previously created admin user will be used as the 11 | *Feed Import Owner*. 12 | 13 | ```{code-block} 14 | :caption: Setting the Feed Import Owner 15 | 16 | /usr/local/sbin/gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value `/usr/local/sbin/gvmd --get-users --verbose | grep admin | awk '{print $2}'` 17 | ``` 18 | -------------------------------------------------------------------------------- /src/22.4/source-build/feed-loading.md: -------------------------------------------------------------------------------- 1 | ### Vulnerability Tests Data 2 | 3 | If the log file of ospd-openvas ({file}`/var/log/gvm/ospd-openvas.log`) 4 | contains the following output, the OpenVAS Scanner starts to load the new VT 5 | data: 6 | 7 | ```{code-block} none 8 | :caption: ospd-openvas VT loading log message 9 | 10 | Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may 11 | take a few minutes, please wait ... 12 | ``` 13 | 14 | The loading of the VT data is finished if the following log message can be found: 15 | 16 | ```{code-block} none 17 | :caption: ospd-openvas VTs loading finished log message 18 | 19 | Finished loading VTs. 
The VT cache has been updated from version X to Y. 20 | ``` 21 | 22 | After the scanner is aware of the VT data, the data will be requested by gvmd. This 23 | will result in the following log message in {file}`/var/log/gvm/gvmd.log`: 24 | 25 | ```{code-block} none 26 | :caption: gvmd VTs loading log message 27 | 28 | OSP service has different VT status (version X) from database (version (Y), Z VTs). Starting update ... 29 | ``` 30 | 31 | When gvmd has finished loading all VTs, the following message appears: 32 | 33 | ```{code-block} none 34 | :caption: gvmd VTs loading finished log message 35 | 36 | Updating VTs in database ... done (X VTs). 37 | ``` 38 | 39 | ### SCAP Data 40 | 41 | gvmd starts loading the {term}`SCAP` data containing {term}`CPE` and {term}`CVE` 42 | information when the following message can be found in the logs 43 | ({file}`/var/log/gvm/gvmd.log`): 44 | 45 | ```{code-block} none 46 | :caption: gvmd SCAP data loading log message 47 | 48 | update_scap: Updating data from feed 49 | ``` 50 | 51 | The SCAP data is loaded and the synchronization is finished when the (gvmd) log 52 | contains the following message: 53 | 54 | ```{code-block} none 55 | :caption: gvmd SCAP data loading finished log message 56 | 57 | update_scap_end: Updating SCAP info succeeded 58 | ``` 59 | 60 | ### CERT Data 61 | 62 | gvmd starts loading the CERT data containing DFN-CERT and CERT-Bund advisories 63 | when the following message can be found in the logs ({file}`/var/log/gvm/gvmd.log`): 64 | 65 | ```{code-block} none 66 | :caption: gvmd CERT data loading log message 67 | 68 | sync_cert: Updating data from feed 69 | ``` 70 | 71 | The CERT data is loaded and the synchronization is finished when the (gvmd) log 72 | contains the following message: 73 | 74 | ```{code-block} none 75 | :caption: gvmd CERT data finished loading log message 76 | 77 | sync_cert: Updating CERT info succeeded. 
78 | ``` 79 | 80 | ### GVMD Data 81 | 82 | The log ({file}`/var/log/gvm/gvmd.log`) contains several messages when the gvmd 83 | data is loaded. For port lists, these messages are similar to: 84 | 85 | ```{code-block} none 86 | :caption: gvmd port list loaded log message 87 | 88 | Port list All IANA assigned TCP (33d0cd82-57c6-11e1-8ed1-406186ea4fc5) has been created by admin 89 | ``` 90 | 91 | For report formats: 92 | 93 | ```{code-block} none 94 | :caption: gvmd report format loaded log message 95 | 96 | Report format XML (a994b278-1f62-11e1-96ac-406186ea4fc5) has been created by admin 97 | ``` 98 | 99 | :::{hint} 100 | Scan Configs can only be loaded if the VT data is available in gvmd and a *Feed 101 | Import Owner* is set. 102 | ::: 103 | 104 | For scan configs: 105 | 106 | ```{code-block} none 107 | :caption: gvmd scan config loaded log message 108 | 109 | Scan config Full and fast (daba56c8-73ec-11df-a475-002264764cea) has been created by admin 110 | ``` 111 | -------------------------------------------------------------------------------- /src/22.4/source-build/feed-sync.md: -------------------------------------------------------------------------------- 1 | ## Performing a Feed Synchronization 2 | 3 | For the actual vulnerability scanning, {term}`Vulnerability Test scripts`, 4 | security information like {term}`CVEs `, port lists and scan configurations 5 | are required. All this data is provided by the {term}`Greenbone Community Feed` 6 | and should be downloaded initially before starting the services. 7 | 8 | A synchronization always consists of two parts: 9 | 10 | 1. Downloading the changes via [rsync](https://en.wikipedia.org/wiki/Rsync) 11 | 2. Loading the changes into memory and a database by a daemon 12 | 13 | Both steps may take a while, from several minutes up to hours, especially for the 14 | initial synchronization. Only if both steps are finished, the synchronized data 15 | is up-to-date and can be used. 
16 | 17 | The first step is done via the {command}`greenbone-feed-sync` script. The second 18 | step is done automatically when the daemons are started. 19 | 20 | ### Downloading the Data 21 | 22 | ```{note} 23 | Downloading the data during the synchronization may take a while 24 | depending on the network connection and server resources. 25 | ``` 26 | 27 | The downloaded data consist of four different kind of data: 28 | 29 | - VT data 30 | - SCAP data 31 | - CERT data 32 | - GVMD data 33 | 34 | VT data contain {file}`.nasl` and {file}`.notus` files for creating results 35 | during a vulnerability scan. The {file}`.nasl` files are processed by the OpenVAS 36 | Scanner and the {file}`.notus` files by the {term}`Notus Scanner `. 37 | 38 | {term}`SCAP` data contains {term}`CPE` and {term}`CVE` information. 39 | 40 | CERT data contain vulnerability information from the German [DFN-CERT](https://www.dfn-cert.de/) 41 | and [CERT-Bund](https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/cert-bund_node.html) agencies. 42 | 43 | GVMD data (or also called "data objects") are scan configurations, compliance 44 | policies, port lists and report formats. 45 | 46 | ```{code-block} 47 | :caption: Downloading the data from the Greenbone Community Feed 48 | 49 | sudo /usr/local/bin/greenbone-feed-sync 50 | ``` 51 | -------------------------------------------------------------------------------- /src/22.4/source-build/finish.md: -------------------------------------------------------------------------------- 1 | ## Starting the Vulnerability Management 2 | 3 | After the services have started and all data has been loaded, the {term}`Greenbone 4 | Security Assistant web interface – GSA – ` can be opened in the browser. 
5 | 6 | ```{code-block} 7 | :caption: Opening Greenbone Security Assistant in the browser 8 | 9 | xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null & 10 | ``` 11 | 12 | The browser will show the login page of *GSA* and after using the credentials 13 | created in the *Setting Up an Admin User* chapter, 14 | it is possible to start with the vulnerability scanning. 15 | 16 | ```{figure} /images/GSA-22.4.png 17 | :alt: Launching Greenbone Security Assistant for the first time 18 | 19 | Greenbone Security Assistant after logging in for the first time 20 | ``` 21 | -------------------------------------------------------------------------------- /src/22.4/source-build/gpg.md: -------------------------------------------------------------------------------- 1 | ### Feed Validation 2 | 3 | For validating the feed content, a GnuPG keyring with the *Greenbone Community 4 | Feed integrity key* needs to be created. The fingerprint passed to `gpg --import-ownertrust` below is the one the imported key is expected to have; it can be compared with the output of `gpg --fingerprint` before the keyring is copied. Because {file}`/tmp/openvas-gnupg` is a fixed path in a world-writable directory, on a shared host it should be checked that the directory did not already exist under another user's ownership. 5 | 6 | ```{code-block} 7 | :caption: Creating a GPG keyring for feed content validation 8 | 9 | curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc -o /tmp/GBCommunitySigningKey.asc 10 | 11 | export GNUPGHOME=/tmp/openvas-gnupg 12 | mkdir -p $GNUPGHOME 13 | 14 | gpg --import /tmp/GBCommunitySigningKey.asc 15 | echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" | gpg --import-ownertrust 16 | 17 | export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg 18 | sudo mkdir -p $OPENVAS_GNUPG_HOME 19 | sudo cp -r /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/ 20 | sudo chown -R gvm:gvm $OPENVAS_GNUPG_HOME 21 | ``` 22 | -------------------------------------------------------------------------------- /src/22.4/source-build/greenbone-feed-sync/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for greenbone-feed-sync 6 | 7 | sudo apt install -y \ 8 | python3 \ 9 | python3-pip 10 | 11 | .. tab:: Fedora/CentOS 12 | .. 
code-block:: 13 | :caption: Required dependencies for greenbone-feed-sync 14 | 15 | sudo dnf install -y \ 16 | python3 \ 17 | python3-pip 18 | ``` 19 | -------------------------------------------------------------------------------- /src/22.4/source-build/greenbone-feed-sync/description.md: -------------------------------------------------------------------------------- 1 | The `greenbone-feed-sync` tool is a Python-based script to download all 2 | {term}`feed data` from the {term}`Greenbone Community Feed` to your local 3 | machine. It is an improved version of two former shell scripts. 4 | 5 | ```{note} 6 | *greenbone-feed-sync* is released independently of the Greenbone Community 7 | Edition. Therefore, the newest version is used. 8 | ``` 9 | -------------------------------------------------------------------------------- /src/22.4/source-build/greenbone-feed-sync/install.md: -------------------------------------------------------------------------------- 1 | The latest version of *greenbone-feed-sync* can be installed by using the standard 2 | Python installation tool *pip*. 3 | 4 | To install it system-wide for all users without running *pip* as the root user, the 5 | following commands can be used: 6 | 7 | ```{eval-rst} 8 | .. tabs:: 9 | .. tab:: Debian/Ubuntu 10 | .. code-block:: 11 | :caption: Installing greenbone-feed-sync system-wide for all users 12 | 13 | mkdir -p $INSTALL_DIR/greenbone-feed-sync 14 | 15 | python3 -m pip install --root=$INSTALL_DIR/greenbone-feed-sync --no-warn-script-location greenbone-feed-sync 16 | 17 | sudo cp -rv $INSTALL_DIR/greenbone-feed-sync/* / 18 | 19 | .. tab:: Fedora/CentOS 20 | .. 
code-block:: 21 | :caption: Installing greenbone-feed-sync system-wide for all users 22 | 23 | mkdir -p $INSTALL_DIR/greenbone-feed-sync 24 | 25 | python3 -m pip install --prefix $INSTALL_PREFIX --root=$INSTALL_DIR/greenbone-feed-sync --no-warn-script-location greenbone-feed-sync 26 | 27 | sudo cp -rv $INSTALL_DIR/greenbone-feed-sync/* / 28 | ``` 29 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsa/build.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Installing gsa 3 | 4 | sudo mkdir -p $INSTALL_PREFIX/share/gvm/gsad/web/ 5 | sudo cp -rv $SOURCE_DIR/gsa-$GSA_VERSION/* $INSTALL_PREFIX/share/gvm/gsad/web/ 6 | ``` 7 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsa/description.md: -------------------------------------------------------------------------------- 1 | The web application is written in JavaScript and relies on the 2 | [react framework](https://reactjs.org/). It uses [nodejs](https://nodejs.org/) 3 | for building the application and maintaining the JavaScript dependencies. 4 | Because the installation of a specific nodejs version requires a setup of 5 | external package repositories and the build process takes a lot of time, 6 | pre-built distributable files are available. These pre-built distributable files 7 | are used in this docs. 
8 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsa/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the gsa sources 3 | 4 | curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/gsa/releases/download/v$GSA_VERSION/gsa-dist-$GSA_VERSION.tar.gz.asc -o $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source files 10 | 11 | gpg --verify $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz.asc $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid, the tarball can be extracted; if `gpg --verify` does not report a good signature, the download should not be used. 20 | 21 | ``` 22 | mkdir -p $SOURCE_DIR/gsa-$GSA_VERSION 23 | tar -C $SOURCE_DIR/gsa-$GSA_VERSION -xvzf $SOURCE_DIR/gsa-$GSA_VERSION.tar.gz 24 | ``` 25 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsad/build.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Building gsad 3 | 4 | mkdir -p $BUILD_DIR/gsad 5 | 6 | cmake \ 7 | -S $SOURCE_DIR/gsad-$GSAD_VERSION \ 8 | -B $BUILD_DIR/gsad \ 9 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 10 | -DCMAKE_BUILD_TYPE=Release \ 11 | -DSYSCONFDIR=/etc \ 12 | -DLOCALSTATEDIR=/var \ 13 | -DGVMD_RUN_DIR=/run/gvmd \ 14 | -DGSAD_RUN_DIR=/run/gsad \ 15 | -DGVM_LOG_DIR=/var/log/gvm \ 16 | -DLOGROTATE_DIR=/etc/logrotate.d 17 | 18 | cmake --build $BUILD_DIR/gsad -j$(nproc) 19 | ``` 20 | 21 | ```{code-block} 22 | :caption: Installing gsad 23 | 24 | mkdir -p $INSTALL_DIR/gsad && cd $BUILD_DIR/gsad 25 | 26 | make DESTDIR=$INSTALL_DIR/gsad install 27 | 28 | sudo cp -rv 
$INSTALL_DIR/gsad/* / 29 | ``` 30 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsad/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for gsad 6 | 7 | sudo apt install -y \ 8 | libbrotli-dev \ 9 | libglib2.0-dev \ 10 | libgnutls28-dev \ 11 | libmicrohttpd-dev \ 12 | libxml2-dev 13 | 14 | .. tab:: Fedora/CentOS 15 | .. code-block:: 16 | :caption: Required dependencies for gsad 17 | 18 | sudo firewall-cmd --add-port=9392/tcp 19 | sudo firewall-cmd --runtime-to-permanent 20 | 21 | sudo dnf install -y \ 22 | glib2-devel \ 23 | gnutls-devel \ 24 | libmicrohttpd-devel \ 25 | libxml2-devel 26 | ``` 27 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsad/description.md: -------------------------------------------------------------------------------- 1 | The web server *gsad* is written in the C programming language. It serves 2 | static content like images and provides an API for the web application. 3 | Internally it communicates with *gvmd* using {term}`GMP`. 
4 | -------------------------------------------------------------------------------- /src/22.4/source-build/gsad/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the gsad sources 3 | 4 | curl -f -L https://github.com/greenbone/gsad/archive/refs/tags/v$GSAD_VERSION.tar.gz -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/gsad/releases/download/v$GSAD_VERSION/gsad-$GSAD_VERSION.tar.gz.asc -o $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source files 10 | 11 | gpg --verify $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz.asc $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid, the tarball can be extracted; if `gpg --verify` does not report a good signature, the download should not be used. 20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gsad-$GSAD_VERSION.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-libs/build.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Building gvm-libs 6 | 7 | mkdir -p $BUILD_DIR/gvm-libs 8 | 9 | cmake \ 10 | -S $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \ 11 | -B $BUILD_DIR/gvm-libs \ 12 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 13 | -DCMAKE_BUILD_TYPE=Release \ 14 | -DSYSCONFDIR=/etc \ 15 | -DLOCALSTATEDIR=/var 16 | 17 | cmake --build $BUILD_DIR/gvm-libs -j$(nproc) 18 | .. tab:: Fedora/CentOS 19 | .. 
code-block:: 20 | :caption: Building gvm-libs 21 | 22 | mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs 23 | 24 | cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \ 25 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 26 | -DCMAKE_BUILD_TYPE=Release \ 27 | -DSYSCONFDIR=/etc \ 28 | -DLOCALSTATEDIR=/var \ 29 | -DCMAKE_C_FLAGS="-O2" \ 30 | -DCMAKE_C_FLAGS_RELEASE="-O2" 31 | 32 | make -j$(nproc) 33 | ``` 34 | 35 | ```{code-block} 36 | :caption: Installing gvm-libs 37 | 38 | mkdir -p $INSTALL_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs 39 | 40 | make DESTDIR=$INSTALL_DIR/gvm-libs install 41 | 42 | sudo cp -rv $INSTALL_DIR/gvm-libs/* / 43 | ``` 44 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-libs/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for gvm-libs 6 | 7 | sudo apt install -y \ 8 | libcjson-dev \ 9 | libcurl4-gnutls-dev \ 10 | libgcrypt-dev \ 11 | libglib2.0-dev \ 12 | libgnutls28-dev \ 13 | libgpgme-dev \ 14 | libhiredis-dev \ 15 | libnet1-dev \ 16 | libpaho-mqtt-dev \ 17 | libpcap-dev \ 18 | libssh-dev \ 19 | libxml2-dev \ 20 | uuid-dev 21 | 22 | .. code-block:: 23 | :caption: Optional dependencies for gvm-libs 24 | 25 | sudo apt install -y \ 26 | libldap2-dev \ 27 | libradcli-dev 28 | 29 | .. tab:: Fedora 30 | .. code-block:: 31 | :caption: Required dependencies for gvm-libs 32 | 33 | sudo dnf install -y \ 34 | cjson-devel \ 35 | glib2-devel \ 36 | gnutls-devel \ 37 | gpgme-devel \ 38 | hiredis-devel \ 39 | libcurl-devel \ 40 | libgcrypt-devel \ 41 | libnet-devel \ 42 | libpcap-devel \ 43 | libssh-devel \ 44 | libuuid-devel \ 45 | libxml2-devel \ 46 | paho-c-devel 47 | 48 | .. code-block:: 49 | :caption: Optional dependencies for gvm-libs 50 | 51 | sudo dnf install -y \ 52 | openldap-devel \ 53 | radcli-devel 54 | 55 | .. tab:: CentOS 56 | .. 
code-block:: 57 | :caption: Required dependencies for gvm-libs 58 | 59 | sudo dnf install -y \ 60 | cjson-devel \ 61 | glib2-devel \ 62 | gnutls-devel \ 63 | gpgme-devel \ 64 | hiredis-devel \ 65 | libcurl-devel \ 66 | libgcrypt-devel \ 67 | libnet-devel \ 68 | libpcap-devel \ 69 | libssh-devel \ 70 | libuuid-devel \ 71 | libxml2-devel \ 72 | uuid-devel 73 | 74 | .. code-block:: 75 | :caption: Optional dependencies for gvm-libs 76 | 77 | sudo dnf install -y \ 78 | openldap-devel \ 79 | radcli-devel 80 | ``` 81 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-libs/description.md: -------------------------------------------------------------------------------- 1 | *gvm-libs* is a C library providing basic functionality like XML parsing and 2 | network communication. It is used in *openvas-scanner*, *gvmd*, *gsad* and *pg-gvm*. 3 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-libs/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the gvm-libs sources 3 | 4 | curl -f -L https://github.com/greenbone/gvm-libs/archive/refs/tags/v$GVM_LIBS_VERSION.tar.gz -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/gvm-libs/releases/download/v$GVM_LIBS_VERSION/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc -o $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source file 10 | 11 | gpg --verify $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz.asc $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid, the tarball can be extracted. 
20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-tools/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for gvm-tools 6 | 7 | sudo apt install -y \ 8 | python3 \ 9 | python3-lxml \ 10 | python3-packaging \ 11 | python3-paramiko \ 12 | python3-pip \ 13 | python3-setuptools \ 14 | python3-venv 15 | 16 | .. tab:: Fedora/CentOS 17 | .. code-block:: 18 | :caption: Required dependencies for gvm-tools 19 | 20 | sudo dnf install -y \ 21 | python3 \ 22 | python3-lxml \ 23 | python3-packaging \ 24 | python3-paramiko \ 25 | python3-pip \ 26 | python3-setuptools 27 | ``` 28 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-tools/description.md: -------------------------------------------------------------------------------- 1 | The Greenbone Vulnerability Management Tools, or *gvm-tools* in short, are a 2 | collection of tools that help with controlling Greenbone Community Edition 3 | installations or Greenbone Enterprise Appliances remotely. 4 | 5 | Essentially, the tools aid accessing the communication protocols 6 | {term}`Greenbone Management Protocol (GMP)` and 7 | {term}`Open Scanner Protocol (OSP)`. 8 | 9 | *gvm-tools* are optional and not required for a functional GVM stack. 10 | 11 | ```{note} 12 | *gvm-tools* is released independently of the Greenbone Community Edition. 13 | Therefore, the newest version is used. 
14 | ``` 15 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvm-tools/install.md: -------------------------------------------------------------------------------- 1 | The latest version of *gvm-tools* can be installed for each user via the 2 | standard Python installation tool *pip*. 3 | 4 | Alternatively to install it system-wide without running *pip* as root user, the 5 | following commands can be used: 6 | 7 | ```{eval-rst} 8 | .. tabs:: 9 | .. tab:: Debian/Ubuntu 10 | .. code-block:: 11 | :caption: Installing gvm-tools system-wide 12 | 13 | mkdir -p $INSTALL_DIR/gvm-tools 14 | 15 | python3 -m pip install --root=$INSTALL_DIR/gvm-tools --no-warn-script-location gvm-tools 16 | 17 | sudo cp -rv $INSTALL_DIR/gvm-tools/* / 18 | 19 | .. tab:: Fedora/CentOS 20 | .. code-block:: 21 | :caption: Installing gvm-tools system-wide 22 | 23 | mkdir -p $INSTALL_DIR/gvm-tools 24 | 25 | python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR/gvm-tools --no-warn-script-location gvm-tools 26 | 27 | sudo cp -rv $INSTALL_DIR/gvm-tools/* / 28 | ``` 29 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvmd/build.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Building gvmd 6 | 7 | mkdir -p $BUILD_DIR/gvmd 8 | 9 | cmake \ 10 | -S $SOURCE_DIR/gvmd-$GVMD_VERSION \ 11 | -B $BUILD_DIR/gvmd \ 12 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 13 | -DCMAKE_BUILD_TYPE=Release \ 14 | -DLOCALSTATEDIR=/var \ 15 | -DSYSCONFDIR=/etc \ 16 | -DGVM_DATA_DIR=/var \ 17 | -DGVM_LOG_DIR=/var/log/gvm \ 18 | -DGVMD_RUN_DIR=/run/gvmd \ 19 | -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \ 20 | -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \ 21 | -DLOGROTATE_DIR=/etc/logrotate.d 22 | 23 | cmake --build $BUILD_DIR/gvmd -j$(nproc) 24 | 25 | .. 
tab:: Fedora/CentOS 26 | .. code-block:: 27 | :caption: Building gvmd 28 | 29 | mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd 30 | 31 | cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \ 32 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 33 | -DCMAKE_BUILD_TYPE=Release \ 34 | -DLOCALSTATEDIR=/var \ 35 | -DSYSCONFDIR=/etc \ 36 | -DGVM_DATA_DIR=/var \ 37 | -DGVM_LOG_DIR=/var/log/gvm \ 38 | -DGVMD_RUN_DIR=/run/gvmd \ 39 | -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \ 40 | -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \ 41 | -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \ 42 | -DLOGROTATE_DIR=/etc/logrotate.d 43 | 44 | sudo mkdir /usr/include/postgresql 45 | sudo cp /usr/include/libpq-fe.h /usr/include/postgresql/libpq-fe.h 46 | 47 | make -j$(nproc) 48 | ``` 49 | 50 | ```{eval-rst} 51 | .. tabs:: 52 | .. tab:: Debian/Ubuntu 53 | .. code-block:: 54 | :caption: Installing gvmd 55 | 56 | mkdir -p $INSTALL_DIR/gvmd && cd $BUILD_DIR/gvmd 57 | 58 | make DESTDIR=$INSTALL_DIR/gvmd install 59 | 60 | sudo cp -rv $INSTALL_DIR/gvmd/* / 61 | 62 | 63 | .. tab:: Fedora/CentOS 64 | .. code-block:: 65 | :caption: Installing gvmd 66 | 67 | mkdir -p $INSTALL_DIR/gvmd 68 | 69 | make DESTDIR=$INSTALL_DIR/gvmd install 70 | 71 | sudo cp -rv $INSTALL_DIR/gvmd/* / 72 | 73 | 74 | sudo rm /usr/include/postgresql/libpq-fe.h && sudo rmdir /usr/include/postgresql 75 | ``` 76 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvmd/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for gvmd 6 | 7 | sudo apt install -y \ 8 | libbsd-dev \ 9 | libcjson-dev \ 10 | libglib2.0-dev \ 11 | libgnutls28-dev \ 12 | libgpgme-dev \ 13 | libical-dev \ 14 | libpq-dev \ 15 | postgresql-server-dev-all \ 16 | rsync \ 17 | xsltproc 18 | 19 | .. 
code-block:: 20 | :caption: Optional dependencies for gvmd 21 | 22 | sudo apt install -y --no-install-recommends \ 23 | dpkg \ 24 | fakeroot \ 25 | gnupg \ 26 | gnutls-bin \ 27 | gpgsm \ 28 | nsis \ 29 | openssh-client \ 30 | python3 \ 31 | python3-lxml \ 32 | rpm \ 33 | smbclient \ 34 | snmp \ 35 | socat \ 36 | sshpass \ 37 | texlive-fonts-recommended \ 38 | texlive-latex-extra \ 39 | wget \ 40 | xmlstarlet \ 41 | zip 42 | 43 | .. tab:: Fedora 44 | .. code-block:: 45 | :caption: Required dependencies for gvmd 46 | 47 | sudo dnf install -y \ 48 | glib2-devel \ 49 | gnutls-devel \ 50 | postgresql-server-devel \ 51 | libical-devel \ 52 | xsltproc \ 53 | rsync \ 54 | libbsd-devel \ 55 | gpgme-devel 56 | 57 | .. code-block:: 58 | :caption: Optional dependencies for gvmd 59 | 60 | sudo dnf install -y --setopt=install_weak_deps=False \ 61 | texlive-scheme-medium \ 62 | texlive-fontawesome \ 63 | texlive-fontmfizz \ 64 | texlive-fonts-churchslavonic \ 65 | texlive-fontsetup \ 66 | texlive-fontsize \ 67 | texlive-fonttable \ 68 | fontawesome-fonts \ 69 | gnupg2-smime \ 70 | openssh-clients \ 71 | xmlstarlet \ 72 | zip \ 73 | rpm \ 74 | fakeroot \ 75 | dpkg \ 76 | mingw64-nsis \ 77 | gnupg \ 78 | wget \ 79 | sshpass \ 80 | socat \ 81 | samba-client \ 82 | python3-lxml \ 83 | gnutls-utils 84 | 85 | .. tab:: CentOS 86 | .. code-block:: 87 | :caption: Required dependencies for gvmd 88 | 89 | sudo dnf install -y \ 90 | glib2-devel \ 91 | gnutls-devel \ 92 | postgresql-server-devel \ 93 | libical-devel \ 94 | libxslt \ 95 | rsync \ 96 | libbsd-devel \ 97 | gpgme-devel 98 | 99 | .. 
code-block:: 100 | :caption: Optional dependencies for gvmd 101 | 102 | sudo dnf install -y --setopt=install_weak_deps=False \ 103 | texlive* \ 104 | gnupg2-smime \ 105 | openssh-clients \ 106 | xmlstarlet \ 107 | zip \ 108 | rpm \ 109 | fakeroot \ 110 | dpkg \ 111 | gnupg \ 112 | wget \ 113 | sshpass \ 114 | socat \ 115 | samba-client \ 116 | python3-lxml \ 117 | gnutls-utils 118 | ``` 119 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvmd/description.md: -------------------------------------------------------------------------------- 1 | The Greenbone Vulnerability Management Daemon (gvmd) is the main service of the 2 | Greenbone Community Edition. It handles authentication, scan management, vulnerability 3 | information, reporting, alerting, scheduling and much more. As a storage backend, 4 | it uses a PostgreSQL database. 5 | -------------------------------------------------------------------------------- /src/22.4/source-build/gvmd/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the gvmd sources 3 | 4 | curl -f -L https://github.com/greenbone/gvmd/archive/refs/tags/v$GVMD_VERSION.tar.gz -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/gvmd/releases/download/v$GVMD_VERSION/gvmd-$GVMD_VERSION.tar.gz.asc -o $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source file 10 | 11 | gpg --verify $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz.asc $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid the tarball can be extracted. 
20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/gvmd-$GVMD_VERSION.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/hardware.md: -------------------------------------------------------------------------------- 1 | ## Hardware Requirements 2 | 3 | Minimal: 4 | 5 | - CPU Cores: 2 6 | - Random-Access Memory: 4GB 7 | - Hard Disk: 20GB free 8 | 9 | Recommended: 10 | 11 | - CPU Cores: 4 12 | - Random-Access Memory: 8GB 13 | - Hard Disk: 60GB free 14 | -------------------------------------------------------------------------------- /src/22.4/source-build/index.md: -------------------------------------------------------------------------------- 1 | # Building from Source 2 | 3 | ```{include} /22.4/source-build/introduction.md 4 | ``` 5 | 6 | ```{highlight} shell-session 7 | ``` 8 | 9 | ```{include} /22.4/source-build/hardware.md 10 | ``` 11 | 12 | ```{include} /22.4/source-build/prerequisites.md 13 | ``` 14 | 15 | ## Building and Installing the Components 16 | 17 | ```{note} 18 | The components should be build and installed in the listed order. 19 | ``` 20 | 21 | ### gvm-libs 22 | 23 | ```{include} /22.4/source-build/gvm-libs/description.md 24 | ``` 25 | 26 | ```{code-block} 27 | :caption: Setting the gvm-libs version to use 28 | 29 | export GVM_LIBS_VERSION=22.22.0 30 | ``` 31 | 32 | ```{include} /22.4/source-build/gvm-libs/dependencies.md 33 | ``` 34 | 35 | ```{include} /22.4/source-build/gvm-libs/download.md 36 | ``` 37 | 38 | Afterwards, gvm-libs can be build and installed. 
39 | 40 | ```{include} /22.4/source-build/gvm-libs/build.md 41 | ``` 42 | 43 | ### gvmd 44 | 45 | ```{include} /22.4/source-build/gvmd/description.md 46 | ``` 47 | 48 | ```{code-block} 49 | :caption: Setting the gvmd version to use 50 | 51 | export GVMD_VERSION=26.0.0 52 | ``` 53 | 54 | ```{include} /22.4/source-build/gvmd/dependencies.md 55 | ``` 56 | 57 | Details about the optional dependencies can be found at 58 | . 59 | 60 | ```{include} /22.4/source-build/gvmd/download.md 61 | ``` 62 | 63 | ```{include} /22.4/source-build/gvmd/build.md 64 | ``` 65 | 66 | ### pg-gvm 67 | 68 | ```{include} /22.4/source-build/pg-gvm/description.md 69 | ``` 70 | 71 | ```{code-block} 72 | :caption: Setting the pg-gvm version to use 73 | 74 | export PG_GVM_VERSION=22.6.9 75 | ``` 76 | 77 | ```{include} /22.4/source-build/pg-gvm/dependencies.md 78 | ``` 79 | 80 | ```{include} /22.4/source-build/pg-gvm/download.md 81 | ``` 82 | 83 | Afterwards, pg-gvm can be build and installed. 84 | 85 | ```{include} /22.4/source-build/pg-gvm/build.md 86 | ``` 87 | 88 | ### Greenbone Security Assistant 89 | 90 | The Greenbone Security Assistant (GSA) sources consist of two parts: 91 | 92 | - Web server *gsad* 93 | - Web application *GSA* 94 | 95 | #### GSA 96 | 97 | ```{include} /22.4/source-build/gsa/description.md 98 | ``` 99 | 100 | ```{code-block} 101 | :caption: Setting the GSA version to use 102 | 103 | export GSA_VERSION=25.0.0 104 | ``` 105 | 106 | ```{include} /22.4/source-build/gsa/download.md 107 | ``` 108 | 109 | ```{include} /22.4/source-build/gsa/build.md 110 | ``` 111 | 112 | #### gsad 113 | 114 | ```{include} /22.4/source-build/gsad/description.md 115 | ``` 116 | 117 | ```{code-block} 118 | :caption: Setting the GSAd version to use 119 | 120 | export GSAD_VERSION=24.3.0 121 | ``` 122 | 123 | ```{include} /22.4/source-build/gsad/dependencies.md 124 | ``` 125 | 126 | ```{include} /22.4/source-build/gsad/download.md 127 | ``` 128 | 129 | ```{include} /22.4/source-build/gsad/build.md 130 
| ``` 131 | 132 | ### openvas-smb 133 | 134 | ```{include} /22.4/source-build/openvas-smb.md 135 | ``` 136 | 137 | ### openvas-scanner 138 | 139 | ```{include} /22.4/source-build/openvas-scanner/description.md 140 | ``` 141 | 142 | ```{code-block} 143 | :caption: Setting the openvas-scanner version to use 144 | 145 | export OPENVAS_SCANNER_VERSION=23.20.1 146 | ``` 147 | 148 | ```{include} /22.4/source-build/openvas-scanner/dependencies.md 149 | ``` 150 | 151 | ```{include} /22.4/source-build/openvas-scanner/download.md 152 | ``` 153 | 154 | ```{include} /22.4/source-build/openvas-scanner/build.md 155 | ``` 156 | 157 | ### ospd-openvas 158 | 159 | ```{include} /22.4/source-build/ospd-openvas/description.md 160 | ``` 161 | 162 | ```{code-block} 163 | :caption: Setting the ospd and ospd-openvas versions to use 164 | 165 | export OSPD_OPENVAS_VERSION=22.9.0 166 | ``` 167 | 168 | ```{include} /22.4/source-build/ospd-openvas/dependencies.md 169 | ``` 170 | 171 | ```{include} /22.4/source-build/ospd-openvas/download.md 172 | ``` 173 | 174 | ```{include} /22.4/source-build/ospd-openvas/build.md 175 | ``` 176 | 177 | ### openvasd 178 | 179 | ```{include} /22.4/source-build/openvasd/description.md 180 | ``` 181 | 182 | ```{code-block} 183 | :caption: Setting the openvas versions to use 184 | 185 | export OPENVAS_DAEMON=23.20.0 186 | ``` 187 | 188 | ```{include} /22.4/source-build/openvasd/dependencies.md 189 | ``` 190 | 191 | ```{include} /22.4/source-build/openvasd/download.md 192 | ``` 193 | 194 | ```{include} /22.4/source-build/openvasd/build.md 195 | ``` 196 | 197 | ### greenbone-feed-sync 198 | 199 | ```{include} /22.4/source-build/greenbone-feed-sync/description.md 200 | ``` 201 | 202 | ```{include} /22.4/source-build/greenbone-feed-sync/dependencies.md 203 | ``` 204 | 205 | ```{include} /22.4/source-build/greenbone-feed-sync/install.md 206 | ``` 207 | 208 | ### gvm-tools 209 | 210 | ```{include} /22.4/source-build/gvm-tools/description.md 211 | ``` 212 | 213 | 
```{include} /22.4/source-build/gvm-tools/dependencies.md 214 | ``` 215 | 216 | ```{include} /22.4/source-build/gvm-tools/install.md 217 | ``` 218 | 219 | ## Performing a System Setup 220 | 221 | ```{include} /22.4/source-build/redis.md 222 | ``` 223 | 224 | ```{include} /22.4/source-build/directory-permissions.md 225 | ``` 226 | 227 | ```{include} /22.4/source-build/gpg.md 228 | ``` 229 | 230 | ```{include} /22.4/source-build/sudo-scanning.md 231 | ``` 232 | 233 | ```{include} /22.4/source-build/postgres.md 234 | ``` 235 | 236 | ```{include} /22.4/source-build/admin-user.md 237 | ``` 238 | 239 | ```{include} /22.4/source-build/feed-import-owner.md 240 | ``` 241 | 242 | ```{include} /22.4/source-build/systemd.md 243 | ``` 244 | 245 | ```{include} /22.4/source-build/feed-sync.md 246 | ``` 247 | 248 | ```{include} /22.4/source-build/start-services.md 249 | ``` 250 | 251 | ```{include} /22.4/source-build/feed-loading.md 252 | ``` 253 | 254 | ```{include} /22.4/source-build/finish.md 255 | ``` 256 | 257 | ```{toctree} 258 | :hidden: true 259 | 260 | workflows 261 | troubleshooting 262 | ``` 263 | -------------------------------------------------------------------------------- /src/22.4/source-build/introduction.md: -------------------------------------------------------------------------------- 1 | Building the Greenbone Community Edition from source requires knowledge about: 2 | 3 | - Using a terminal 4 | - Shell programming basics 5 | - Installing software via *apt* or *dnf* 6 | - Using a C compiler 7 | - Using *CMake* and *make* 8 | - The [Linux File System Hierarchy](https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard) 9 | - Running services via *systemd* 10 | 11 | Additionally, a basic knowledge about the {doc}`architecture ` 12 | of the Greenbone Community Edition is required to follow this guide. 13 | 14 | :::{note} 15 | This guide is intended for developers who want to try out the newest features 16 | and/or want to get familiar with the source code. 
It is not intended for 17 | production setups. 18 | 19 | Currently the docs support the following distributions 20 | 21 | - **Debian stable** [(bookworm)](https://www.debian.org/releases/stable) 22 | - **Ubuntu 24.04 LTS** 23 | - **Fedora 38** 24 | - **CentOS 9 Stream** 25 | 26 | Most likely, other Debian derivatives like Mint and Kali will also work with 27 | only minor adjustments required. 28 | ::: 29 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvas-scanner/build.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Building openvas-scanner 3 | 4 | mkdir -p $BUILD_DIR/openvas-scanner 5 | 6 | cmake \ 7 | -S $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \ 8 | -B $BUILD_DIR/openvas-scanner \ 9 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 10 | -DCMAKE_BUILD_TYPE=Release \ 11 | -DSYSCONFDIR=/etc \ 12 | -DLOCALSTATEDIR=/var \ 13 | -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \ 14 | -DOPENVAS_RUN_DIR=/run/ospd 15 | 16 | cmake --build $BUILD_DIR/openvas-scanner -j$(nproc) 17 | ``` 18 | 19 | ```{code-block} 20 | :caption: Installing openvas-scanner 21 | 22 | mkdir -p $INSTALL_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner 23 | 24 | make DESTDIR=$INSTALL_DIR/openvas-scanner install 25 | 26 | sudo cp -rv $INSTALL_DIR/openvas-scanner/* / 27 | ``` 28 | 29 | As of version 23.0 the `openvasd_server` configuration needs to be set to a running `OpenVASD` instance. 30 | 31 | ```{code-block} 32 | printf "table_driven_lsc = yes\n" | sudo tee /etc/openvas/openvas.conf 33 | printf "openvasd_server = http://127.0.0.1:3000\n" | sudo tee -a /etc/openvas/openvas.conf 34 | ``` 35 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvas-scanner/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. 
tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for openvas-scanner 6 | 7 | sudo apt install -y \ 8 | bison \ 9 | libglib2.0-dev \ 10 | libgnutls28-dev \ 11 | libgcrypt20-dev \ 12 | libpcap-dev \ 13 | libgpgme-dev \ 14 | libksba-dev \ 15 | rsync \ 16 | nmap \ 17 | libjson-glib-dev \ 18 | libcurl4-gnutls-dev \ 19 | libbsd-dev \ 20 | krb5-multidev 21 | 22 | .. code-block:: 23 | :caption: Debian optional dependencies for openvas-scanner 24 | 25 | sudo apt install -y \ 26 | python3-impacket \ 27 | libsnmp-dev 28 | 29 | .. tab:: Fedora 30 | .. code-block:: 31 | :caption: Required dependencies for openvas-scanner 32 | 33 | sudo dnf install -y \ 34 | bison \ 35 | glib2-devel \ 36 | gnutls-devel \ 37 | libgcrypt-devel \ 38 | libpcap-devel \ 39 | gpgme-devel \ 40 | libksba-devel \ 41 | rsync \ 42 | nmap \ 43 | json-glib-devel \ 44 | libcurl-devel \ 45 | libbsd-devel \ 46 | krb5-devel 47 | 48 | .. code-block:: 49 | :caption: Fedora optional dependencies for openvas-scanner 50 | 51 | sudo dnf install -y \ 52 | python3-impacket 53 | 54 | .. tab:: CentOS 55 | .. code-block:: 56 | :caption: Required dependencies for openvas-scanner 57 | 58 | sudo dnf install -y \ 59 | bison \ 60 | glib2-devel \ 61 | gnutls-devel \ 62 | libgcrypt-devel \ 63 | libpcap-devel \ 64 | gpgme-devel \ 65 | libksba-devel \ 66 | rsync \ 67 | nmap \ 68 | json-glib-devel \ 69 | libcurl-devel \ 70 | libbsd-devel \ 71 | krb5-devel 72 | ``` 73 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvas-scanner/description.md: -------------------------------------------------------------------------------- 1 | *openvas-scanner* is a full-featured scan engine that executes a continuously 2 | updated and extended feed of {term}`Vulnerability Tests (VTs)`. The feed consist of 3 | thousands of NASL (Network Attack Scripting Language) scripts which implement 4 | all kind of vulnerability checks. 
5 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvas-scanner/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the openvas-scanner sources 3 | 4 | curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_SCANNER_VERSION.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_SCANNER_VERSION/openvas-scanner-v$OPENVAS_SCANNER_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source file 10 | 11 | gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid, the tarball can be extracted. If `gpg --verify` instead reports a bad signature or a missing public key, do not extract or build the tarball. 20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvas-smb.md: -------------------------------------------------------------------------------- 1 | *openvas-smb* is a helper module for *openvas-scanner*. It includes libraries 2 | (openvas-wmiclient/openvas-wincmd) to interface with Microsoft Windows Systems 3 | through the Windows Management Instrumentation API and a winexe binary to 4 | execute processes remotely on that system. 5 | 6 | It is an optional dependency of *openvas-scanner* but is required for scanning 7 | Windows-based systems. 8 | 9 | ```{warning} 10 | *openvas-smb* doesn't work on CentOS at the moment! 11 | It is not a hard requirement.
12 | ``` 13 | 14 | ```{code-block} 15 | :caption: Setting the openvas-smb version to use 16 | 17 | export OPENVAS_SMB_VERSION=22.5.3 18 | ``` 19 | 20 | ```{eval-rst} 21 | .. tabs:: 22 | .. tab:: Debian/Ubuntu 23 | .. code-block:: 24 | :caption: Required dependencies for openvas-smb 25 | 26 | sudo apt install -y \ 27 | gcc-mingw-w64 \ 28 | libgnutls28-dev \ 29 | libglib2.0-dev \ 30 | libpopt-dev \ 31 | libunistring-dev \ 32 | heimdal-multidev \ 33 | perl-base 34 | 35 | ``` 36 | 37 | ```{code-block} 38 | :caption: Downloading the openvas-smb sources 39 | 40 | curl -f -L https://github.com/greenbone/openvas-smb/archive/refs/tags/v$OPENVAS_SMB_VERSION.tar.gz -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz 41 | curl -f -L https://github.com/greenbone/openvas-smb/releases/download/v$OPENVAS_SMB_VERSION/openvas-smb-v$OPENVAS_SMB_VERSION.tar.gz.asc -o $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc 42 | ``` 43 | 44 | ```{code-block} 45 | :caption: Verifying the source file 46 | 47 | gpg --verify $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz.asc $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz 48 | ``` 49 | 50 | The output of the last command should be similar to: 51 | 52 | ```{include} /22.4/source-build/verify.md 53 | ``` 54 | 55 | If the signature is valid, the tarball can be extracted. 
56 | 57 | ``` 58 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION.tar.gz 59 | ``` 60 | 61 | ```{code-block} 62 | :caption: Building openvas-smb 63 | 64 | mkdir -p $BUILD_DIR/openvas-smb 65 | 66 | cmake \ 67 | -S $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \ 68 | -B $BUILD_DIR/openvas-smb \ 69 | -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \ 70 | -DCMAKE_BUILD_TYPE=Release 71 | 72 | cmake --build $BUILD_DIR/openvas-smb -j$(nproc) 73 | ``` 74 | 75 | ```{code-block} 76 | :caption: Installing openvas-smb 77 | 78 | mkdir -p $INSTALL_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb 79 | 80 | make DESTDIR=$INSTALL_DIR/openvas-smb install 81 | 82 | sudo cp -rv $INSTALL_DIR/openvas-smb/* / 83 | ``` 84 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvasd/build.md: -------------------------------------------------------------------------------- 1 | ``` 2 | mkdir -p $INSTALL_DIR/openvasd/usr/local/bin 3 | cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/src/openvasd 4 | cargo build --release 5 | 6 | cd $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON/rust/src/scannerctl 7 | cargo build --release 8 | 9 | sudo cp -v ../../target/release/openvasd $INSTALL_DIR/openvasd/usr/local/bin/ 10 | sudo cp -v ../../target/release/scannerctl $INSTALL_DIR/openvasd/usr/local/bin/ 11 | sudo cp -rv $INSTALL_DIR/openvasd/* / 12 | ``` 13 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvasd/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian 4 | 5 | .. attention:: 6 | For Debian systems you have to follow the `rustup `_ instructions because the default Rust version is too dated for `OpenVASD` 7 | 8 | .. 
code-block:: 9 | :caption: Required dependencies for openvasd 10 | 11 | # Follow instructions of https://rustup.rs to install cargo and afterwards run 12 | 13 | sudo apt install -y \ 14 | pkg-config \ 15 | libssl-dev 16 | 17 | .. tab:: Ubuntu 18 | .. code-block:: 19 | :caption: Required dependencies for openvasd 20 | 21 | sudo apt install -y \ 22 | cargo \ 23 | pkg-config \ 24 | libssl-dev 25 | 26 | .. tab:: Fedora 27 | .. code-block:: 28 | :caption: Required dependencies for openvasd 29 | 30 | sudo dnf install -y \ 31 | cargo \ 32 | pkg-config \ 33 | openssl-devel 34 | 35 | .. tab:: CentOS 36 | 37 | .. attention:: 38 | For CentOS systems you have to follow the `rustup `_ instructions because the default Rust version is too dated for `OpenVASD` 39 | 40 | .. code-block:: 41 | :caption: Required dependencies for openvasd 42 | 43 | # Follow instructions of https://rustup.rs to install cargo and afterwards run 44 | 45 | sudo dnf install -y \ 46 | pkg-config \ 47 | openssl-devel 48 | ``` 49 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvasd/description.md: -------------------------------------------------------------------------------- 1 | *OpenVASD* is used for detecting vulnerable products. 2 | 3 | Currently only the [notus](https://greenbone.github.io/scanner-api/#/notus/notus_run) service is integrated into gvmd. 4 | That means that `openvas` is using `openvasd` for static version checks if a scan with ssh credentials is started and packages got found. 
5 | 6 | If you want to enable the full functionality you either need to adapt the `openvasd.service` file and remove the `--mode service_notus` flag and create a [configuration file](https://github.com/greenbone/openvas-scanner/blob/main/rust/examples/openvasd/config.example.toml) within `/etc/openvasd/openvasd.toml` or adapt the [arguments](https://github.com/greenbone/openvas-scanner/tree/main/rust/src/openvasd#options) within `openvasd.service` if you don't want to create a configuration file. 7 | 8 | For more information see: 9 | 10 | - 11 | - 12 | - 13 | -------------------------------------------------------------------------------- /src/22.4/source-build/openvasd/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the openvas-scanner sources 3 | 4 | curl -f -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v$OPENVAS_DAEMON.tar.gz -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz 5 | curl -f -L https://github.com/greenbone/openvas-scanner/releases/download/v$OPENVAS_DAEMON/openvas-scanner-v$OPENVAS_DAEMON.tar.gz.asc -o $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source file 10 | 11 | gpg --verify $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz.asc $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid, the tarball can be extracted. 20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/openvas-scanner-$OPENVAS_DAEMON.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/ospd-openvas/build.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. 
code-block:: 5 | :caption: Installing ospd-openvas 6 | 7 | cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION 8 | 9 | mkdir -p $INSTALL_DIR/ospd-openvas 10 | 11 | python3 -m pip install --root=$INSTALL_DIR/ospd-openvas --no-warn-script-location . 12 | 13 | sudo cp -rv $INSTALL_DIR/ospd-openvas/* / 14 | 15 | .. tab:: Fedora/CentOS 16 | .. code-block:: 17 | :caption: Installing ospd-openvas 18 | 19 | cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION 20 | 21 | mkdir -p $INSTALL_DIR/ospd-openvas 22 | 23 | python3 -m pip install --prefix=$INSTALL_PREFIX --root=$INSTALL_DIR/ospd-openvas --no-warn-script-location . 24 | 25 | sudo cp -rv $INSTALL_DIR/ospd-openvas/* / 26 | ``` 27 | -------------------------------------------------------------------------------- /src/22.4/source-build/ospd-openvas/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for ospd-openvas 6 | 7 | sudo apt install -y \ 8 | python3 \ 9 | python3-pip \ 10 | python3-setuptools \ 11 | python3-packaging \ 12 | python3-wrapt \ 13 | python3-cffi \ 14 | python3-psutil \ 15 | python3-lxml \ 16 | python3-defusedxml \ 17 | python3-paramiko \ 18 | python3-redis \ 19 | python3-gnupg \ 20 | python3-paho-mqtt 21 | 22 | .. tab:: Fedora 23 | .. code-block:: 24 | :caption: Required dependencies for ospd-openvas 25 | 26 | sudo dnf install -y \ 27 | python3 \ 28 | python3-pip \ 29 | python3-setuptools \ 30 | python3-packaging \ 31 | python3-wrapt \ 32 | python3-cffi \ 33 | python3-psutil \ 34 | python3-lxml \ 35 | python3-defusedxml \ 36 | python3-paramiko \ 37 | python3-redis \ 38 | python3-gnupg \ 39 | python3-paho-mqtt 40 | 41 | .. tab:: CentOS 42 | .. 
code-block:: 43 | :caption: Required dependencies for ospd-openvas 44 | 45 | sudo dnf install -y \ 46 | python3 \ 47 | python3-pip \ 48 | python3-setuptools \ 49 | python3-packaging \ 50 | python3-wrapt \ 51 | python3-cffi \ 52 | python3-psutil \ 53 | python3-lxml \ 54 | python3-defusedxml \ 55 | python3-paramiko \ 56 | python3-redis \ 57 | python3-gnupg \ 58 | python3-wheel 59 | ``` 60 | -------------------------------------------------------------------------------- /src/22.4/source-build/ospd-openvas/description.md: -------------------------------------------------------------------------------- 1 | *ospd-openvas* is an {term}`OSP server` implementation to allow 2 | {term}`gvmd` to remotely control an openvas-scanner. It is running as a daemon 3 | and waits for incoming OSP requests from *gvmd*. 4 | -------------------------------------------------------------------------------- /src/22.4/source-build/ospd-openvas/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the ospd-openvas sources 3 | 4 | curl -f -L https://github.com/greenbone/ospd-openvas/archive/refs/tags/v$OSPD_OPENVAS_VERSION.tar.gz -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/ospd-openvas/releases/download/v$OSPD_OPENVAS_VERSION/ospd-openvas-v$OSPD_OPENVAS_VERSION.tar.gz.asc -o $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source files 10 | 11 | gpg --verify $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz.asc $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signatures are valid, the tarballs can be extracted. 
20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/pg-gvm/build.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Building pg-gvm 6 | 7 | mkdir -p $BUILD_DIR/pg-gvm 8 | 9 | cmake \ 10 | -S $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \ 11 | -B $BUILD_DIR/pg-gvm \ 12 | -DCMAKE_BUILD_TYPE=Release 13 | 14 | cmake --build $BUILD_DIR/pg-gvm -j$(nproc) 15 | 16 | .. tab:: Fedora/CentOS 17 | .. code-block:: 18 | :caption: Building pg-gvm 19 | 20 | mkdir -p $BUILD_DIR/pg-gvm && cd $BUILD_DIR/pg-gvm 21 | 22 | cmake $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION \ 23 | -DCMAKE_BUILD_TYPE=Release 24 | 25 | make -j$(nproc) 26 | ``` 27 | 28 | ```{code-block} 29 | :caption: Installing pg-gvm 30 | 31 | mkdir -p $INSTALL_DIR/pg-gvm && cd $BUILD_DIR/pg-gvm 32 | 33 | make DESTDIR=$INSTALL_DIR/pg-gvm install 34 | 35 | sudo cp -rv $INSTALL_DIR/pg-gvm/* / 36 | ``` 37 | -------------------------------------------------------------------------------- /src/22.4/source-build/pg-gvm/dependencies.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. tabs:: 3 | .. tab:: Debian/Ubuntu 4 | .. code-block:: 5 | :caption: Required dependencies for pg-gvm 6 | 7 | sudo apt install -y \ 8 | libglib2.0-dev \ 9 | libical-dev \ 10 | postgresql-server-dev-all 11 | 12 | .. tab:: Fedora/CentOS 13 | .. 
code-block:: 14 | :caption: Required dependencies for pg-gvm 15 | 16 | sudo dnf install -y \ 17 | glib2-devel \ 18 | gnutls-devel \ 19 | libical-devel \ 20 | postgresql-server-devel 21 | ``` 22 | -------------------------------------------------------------------------------- /src/22.4/source-build/pg-gvm/description.md: -------------------------------------------------------------------------------- 1 | *pg-gvm* is a PostgreSQL server extension that adds several functions used by *gvmd*, e.g., iCalendar and host range evaluation. 2 | In previous versions, these functions were managed directly by *gvmd* while *pg-gvm* uses the extension management built into PostgreSQL. 3 | -------------------------------------------------------------------------------- /src/22.4/source-build/pg-gvm/download.md: -------------------------------------------------------------------------------- 1 | ```{code-block} 2 | :caption: Downloading the pg-gvm sources 3 | 4 | curl -f -L https://github.com/greenbone/pg-gvm/archive/refs/tags/v$PG_GVM_VERSION.tar.gz -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz 5 | curl -f -L https://github.com/greenbone/pg-gvm/releases/download/v$PG_GVM_VERSION/pg-gvm-$PG_GVM_VERSION.tar.gz.asc -o $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc 6 | ``` 7 | 8 | ```{code-block} 9 | :caption: Verifying the source file 10 | 11 | gpg --verify $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz.asc $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz 12 | ``` 13 | 14 | The output of the last command should be similar to: 15 | 16 | ```{include} /22.4/source-build/verify.md 17 | ``` 18 | 19 | If the signature is valid the tarball can be extracted. 
20 | 21 | ``` 22 | tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/pg-gvm-$PG_GVM_VERSION.tar.gz 23 | ``` 24 | -------------------------------------------------------------------------------- /src/22.4/source-build/postgres.md: -------------------------------------------------------------------------------- 1 | ### Setting up PostgreSQL 2 | 3 | The [PostgreSQL](https://www.postgresql.org/) database management system is 4 | used as a central storage for user and scan information. *gvmd* connects to 5 | a PostgreSQL database and queries the data. This database must be created 6 | and configured. 7 | 8 | ```{eval-rst} 9 | .. tabs:: 10 | .. tab:: Debian/Ubuntu 11 | .. code-block:: 12 | :caption: Installing the PostgreSQL server 13 | 14 | sudo apt install -y postgresql 15 | 16 | .. tab:: Fedora/CentOS 17 | .. code-block:: 18 | :caption: Installing the PostgreSQL server 19 | 20 | sudo dnf install -y postgresql-server postgresql-contrib 21 | ``` 22 | 23 | If necessary the PostgreSQL database server needs to be started manually 24 | 25 | ```{eval-rst} 26 | .. tabs:: 27 | .. tab:: Debian 28 | .. code-block:: 29 | :caption: Starting the PostgreSQL database server 30 | 31 | sudo systemctl start postgresql@15-main 32 | 33 | .. tab:: Ubuntu 34 | .. code-block:: 35 | :caption: Starting the PostgreSQL database server 36 | 37 | sudo systemctl start postgresql@14-main 38 | 39 | .. tab:: Fedora/CentOS 40 | .. code-block:: 41 | :caption: Starting the PostgreSQL database server 42 | 43 | sudo postgresql-setup --initdb --unit postgresql 44 | sudo systemctl start postgresql 45 | ``` 46 | 47 | For setting up the PostgreSQL database it is required to become the postgres 48 | user. 
49 | 50 | ```{code-block} 51 | :caption: Changing to the postgres user 52 | 53 | sudo -u postgres bash 54 | ``` 55 | 56 | ```{code-block} 57 | :caption: Setting up PostgreSQL user and database for the Greenbone Community Edition 58 | 59 | cd 60 | createuser -DRS gvm 61 | createdb -O gvm gvmd 62 | ``` 63 | 64 | ```{code-block} 65 | :caption: Setting up database permissions and extensions 66 | 67 | psql gvmd -c "create role dba with superuser noinherit; grant dba to gvm;" 68 | 69 | exit 70 | ``` 71 | -------------------------------------------------------------------------------- /src/22.4/source-build/prerequisites.md: -------------------------------------------------------------------------------- 1 | ## Prerequisites 2 | 3 | ```{note} 4 | Please follow the guide step by step. Later steps might require settings or 5 | output of a previous command. 6 | ``` 7 | 8 | The command `sudo` is used for executing commands that require privileged 9 | access on the system. 10 | 11 | ### Creating a User and a Group 12 | 13 | The services provided by the Greenbone Community Edition should run as a dedicated user and 14 | group. Therefore a `gvm` user and a group with the same name will be created. Note that the commands below also add the `gvm` user to the `sudo` (Debian/Ubuntu) or `wheel` (Fedora/CentOS) group, whose members can typically run any command via *sudo*. 15 | 16 | ```{eval-rst} 17 | .. tabs:: 18 | .. tab:: Debian/Ubuntu 19 | .. code-block:: 20 | :caption: Creating a gvm system user and group 21 | 22 | sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm 23 | 24 | .. tab:: Fedora/CentOS 25 | .. code-block:: 26 | :caption: Creating a gvm system user and group 27 | 28 | sudo useradd -r -M -U -G wheel -s /usr/sbin/nologin gvm 29 | ``` 30 | 31 | ### Adjusting the Current User 32 | 33 | To allow the current user to run *gvmd*, they must be added to the *gvm* group. 34 | To make the group change effective, either log out and log in again or use 35 | {command}`su`.
36 | 37 | ```{code-block} 38 | :caption: Add current user to gvm group 39 | 40 | sudo usermod -aG gvm $USER 41 | 42 | su $USER 43 | ``` 44 | 45 | ### Setting Environment Variables 46 | 47 | For easier installation and not having to repeat the same directory paths over 48 | and over again the build from source guide uses [environment variables](https://en.wikipedia.org/wiki/Environment_variable). 49 | These environment variables are used later in the guide. 50 | 51 | ```{attention} 52 | If you close your linux shell/terminal or start a new one, for example due to a 53 | system reboot while following this guide, you need to set the environment 54 | variables again. Environment variables are only valid in your current 55 | shell/terminal. 56 | ``` 57 | 58 | #### Choosing an Install Prefix 59 | 60 | Before building the software stack, a (root) directory must be chosen where 61 | the built software will finally be installed. For example, when building packages, 62 | the distribution developers set this path to {file}`/usr`. 63 | 64 | By default, it is {file}`/usr/local` which is also used in this guide. This 65 | directory will be stored in an environment variable {envvar}`INSTALL_PREFIX` 66 | to be able to reference it later. 67 | 68 | ```{code-block} 69 | :caption: Setting an install prefix environment variable 70 | 71 | export INSTALL_PREFIX=/usr/local 72 | ``` 73 | 74 | #### Setting the PATH 75 | 76 | On Debian systems the locations {file}`/sbin`, {file}`/usr/sbin` and 77 | {file}`/usr/local/sbin` are not in the {envvar}`PATH` of normal users. To run 78 | *gvmd* which is located in {file}`/usr/local/sbin` the {envvar}`PATH` 79 | environment variable should be adjusted. 
80 | 81 | ```{code-block} 82 | :caption: Adjusting PATH for running gvmd 83 | 84 | export PATH=$PATH:$INSTALL_PREFIX/sbin 85 | ``` 86 | 87 | #### Setting a Source, Build and Install Directory 88 | 89 | To separate the sources and the build artifacts, a source and a build directory 90 | must be created. 91 | 92 | This source directory will be used later in this guide via 93 | an environment variable {envvar}`SOURCE_DIR`. Accordingly, a variable 94 | {envvar}`BUILD_DIR` will be set for the build directory. Both can be set to any 95 | directory to which the current user has write permissions. Therefore 96 | directories in the current user's home directory are chosen in this guide. 97 | 98 | ```{code-block} 99 | :caption: Choosing a source directory 100 | 101 | export SOURCE_DIR=$HOME/source 102 | mkdir -p $SOURCE_DIR 103 | ``` 104 | 105 | ```{code-block} 106 | :caption: Choosing a build directory 107 | 108 | export BUILD_DIR=$HOME/build 109 | mkdir -p $BUILD_DIR 110 | ``` 111 | 112 | Additionally, an install directory will be set as an environment variable 113 | {envvar}`INSTALL_DIR`. It is used as a temporary installation directory 114 | before moving all built artifacts to the final destination. 115 | 116 | ```{code-block} 117 | :caption: Choosing a temporary install directory 118 | 119 | export INSTALL_DIR=$HOME/install 120 | mkdir -p $INSTALL_DIR 121 | ``` 122 | 123 | ### Choosing the Installation Source 124 | 125 | For building the GVM software stack, three different sources can be chosen 126 | depending on the desired stability: 127 | 128 | - Building from release [tarballs] 129 | - Building from git tags 130 | - Building from release branches 131 | 132 | Linux distributions use the release [tarballs] because it is the most common 133 | and well known method to share source code. 134 | 135 | Newer build systems may stick with the git tags. 
136 | 137 | If you are a developer and very familiar with building from source already, you 138 | may also try out using the git release branches. These have the 139 | advantage that they contain the newest fixes which may not yet be included in the 140 | release tarballs or git tags. As a downside, the release branches may 141 | contain only partially fixed issues and need to be updated more often. 142 | 143 | This guide will use the tarballs to build the software. 144 | 145 | ### Installing Common Build Dependencies 146 | 147 | For downloading, configuring, building and installing the Greenbone Community 148 | Edition components, several tools and applications are required. To install these 149 | requirements, the following commands can be used: 150 | 151 | ```{eval-rst} 152 | .. tabs:: 153 | .. tab:: Debian/Ubuntu 154 | .. code-block:: 155 | :caption: Installing common build dependencies 156 | 157 | sudo apt update 158 | sudo apt install --no-install-recommends --assume-yes \ 159 | build-essential \ 160 | curl \ 161 | cmake \ 162 | pkg-config \ 163 | python3 \ 164 | python3-pip \ 165 | gnupg 166 | 167 | .. tab:: Fedora 168 | ..
code-block:: 169 | :caption: Installing common build dependencies 170 | 171 | sudo dnf upgrade -y 172 | sudo dnf groupinstall 'Development Tools' -y 173 | sudo dnf install -y \ 174 | cmake \ 175 | python3-pip \ 176 | tar \ 177 | gcc-c++ 178 | 179 | sudo tee /etc/ld.so.conf.d/local.conf < /etc/tmpfiles.d/redis-openvas.conf 24 | d /var/lib/redis/openvas 0750 redis redis - - 25 | z /var/lib/redis/openvas 0750 redis redis - - 26 | d /run/redis-openvas 0750 redis redis - - 27 | z /run/redis-openvas 0750 redis redis - - 28 | EOF' 29 | 30 | sudo systemd-tmpfiles --create 31 | 32 | sudo sh -c 'cat << EOF > /etc/systemd/system/redis-server@.service 33 | [Unit] 34 | Description=Redis persistent key-value database 35 | After=network.target 36 | After=network-online.target 37 | Wants=network-online.target 38 | 39 | [Service] 40 | WorkingDirectory=/var/lib/redis/%i 41 | ExecStart=/usr/bin/redis-server /etc/redis/redis-%i.conf --daemonize no --supervised systemd 42 | ExecStop=/usr/libexec/redis-shutdown 43 | Type=notify 44 | User=redis 45 | Group=redis 46 | RuntimeDirectory=%i 47 | RuntimeDirectoryMode=0755 48 | 49 | [Install] 50 | WantedBy=multi-user.target 51 | EOF' 52 | ``` 53 | 54 | After installing the Redis server package, a specific configuration for the 55 | *openvas-scanner* must be added. 
56 | 57 | ```{code-block} 58 | :caption: Adding configuration for running the Redis server for the scanner 59 | 60 | sudo cp $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION/config/redis-openvas.conf /etc/redis/ 61 | sudo chown redis:redis /etc/redis/redis-openvas.conf 62 | echo "db_address = /run/redis-openvas/redis.sock" | sudo tee -a /etc/openvas/openvas.conf 63 | ``` 64 | 65 | ```{code-block} 66 | :caption: Start redis with openvas config 67 | 68 | sudo systemctl start redis-server@openvas.service 69 | ``` 70 | 71 | ```{code-block} 72 | :caption: Ensure redis with openvas config is started on every system startup 73 | 74 | sudo systemctl enable redis-server@openvas.service 75 | ``` 76 | 77 | Additionally the *gvm* user must be able to access the redis unix socket at 78 | {file}`/run/redis-openvas/redis.sock`. 79 | 80 | ```{code-block} 81 | :caption: Adding the *gvm* user to the redis group 82 | 83 | sudo usermod -aG redis gvm 84 | ``` 85 | -------------------------------------------------------------------------------- /src/22.4/source-build/start-services.md: -------------------------------------------------------------------------------- 1 | ### Starting the Greenbone Community Edition Services 2 | 3 | ```{important} 4 | When the feed content has been downloaded, the new data must be loaded by 5 | the corresponding daemons. This may take several minutes up to hours, especially 6 | for the initial loading of the data. Without loaded data, scans will contain 7 | incomplete and erroneous results. 8 | ``` 9 | 10 | After starting the Greenbone Community Edition services via systemd, the running 11 | daemons will pick up the feed content and load the data automatically. 12 | 13 | ```{warning} 14 | Please be aware, even if the {command}`systemctl start` commands are returning 15 | immediately, the **first startup** of the services may take several minutes 16 | or even hours! 
17 | ``` 18 | 19 | ```{code-block} 20 | :caption: Finally starting the services 21 | 22 | sudo systemctl start ospd-openvas 23 | sudo systemctl start gvmd 24 | sudo systemctl start gsad 25 | sudo systemctl start openvasd 26 | ``` 27 | 28 | ```{code-block} 29 | :caption: Ensuring services are run at every system startup 30 | 31 | sudo systemctl enable ospd-openvas 32 | sudo systemctl enable gvmd 33 | sudo systemctl enable gsad 34 | sudo systemctl enable openvasd 35 | ``` 36 | 37 | ```{code-block} 38 | :caption: Checking the status of the services 39 | 40 | sudo systemctl status ospd-openvas 41 | sudo systemctl status gvmd 42 | sudo systemctl status gsad 43 | sudo systemctl status openvasd 44 | ``` 45 | -------------------------------------------------------------------------------- /src/22.4/source-build/sudo-scanning.md: -------------------------------------------------------------------------------- 1 | ### Setting up *sudo* for Scanning 2 | 3 | For vulnerability scanning, it is required to have several capabilities for which 4 | only root users are authorized, e.g., creating raw sockets. Therefore, a 5 | configuration will be added to allow the users of the *gvm* group to run the 6 | *openvas-scanner* application as root user via *sudo*. 7 | 8 | ```{warning} 9 | Make sure that only necessary users are members of the *gvm* group. Each user 10 | of the *gvm* group can manipulate the Vulnerability Test (VT) scripts 11 | (.nasl files). These scripts are run with root privileges and can therefore 12 | be used to escalate privileges to root. See 13 | [https://csal.medium.com/pentesters-tricks-local-privilege-escalation-in-openvas-fe933d7f161f](https://csal.medium.com/pentesters-tricks-local-privilege-escalation-in-openvas-fe933d7f161f). 14 | ``` 15 | 16 | ```{eval-rst} 17 | .. tabs:: 18 | .. tab:: Debian/Ubuntu/Fedora 19 | ..
code-block:: none 20 | 21 | echo "%gvm ALL = NOPASSWD: /usr/local/sbin/openvas" | sudo tee /etc/sudoers.d/gvm \ 22 | && sudo chmod 0440 /etc/sudoers.d/gvm 23 | 24 | .. tab:: CentOS 25 | .. code-block:: none 26 | 27 | sudo visudo 28 | 29 | ... 30 | 31 | # Allow /usr/local path 32 | Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin 33 | 34 | # allow users of the gvm group run openvas 35 | %gvm ALL = NOPASSWD: /usr/local/sbin/openvas 36 | ``` 37 | -------------------------------------------------------------------------------- /src/22.4/source-build/systemd.md: -------------------------------------------------------------------------------- 1 | ### Setting up Services for *Systemd* 2 | 3 | [Systemd](https://systemd.io/) is used to start the daemons *ospd-openvas*, 4 | *openvasd*, *gvmd* and *gsad*. Therefore, service files are required. 5 | 6 | ```{code-block} 7 | :caption: Systemd service file for ospd-openvas 8 | 9 | cat << EOF > $BUILD_DIR/ospd-openvas.service 10 | [Unit] 11 | Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas) 12 | Documentation=man:ospd-openvas(8) man:openvas(8) 13 | After=network.target networking.service redis-server@openvas.service openvasd.service 14 | Wants=redis-server@openvas.service openvasd.service 15 | ConditionKernelCommandLine=!recovery 16 | 17 | [Service] 18 | Type=exec 19 | User=gvm 20 | Group=gvm 21 | RuntimeDirectory=ospd 22 | RuntimeDirectoryMode=2775 23 | PIDFile=/run/ospd/ospd-openvas.pid 24 | ExecStart=/usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770 --notus-feed-dir /var/lib/notus/advisories 25 | SuccessExitStatus=SIGKILL 26 | Restart=always 27 | RestartSec=60 28 | 29 | [Install] 30 | WantedBy=multi-user.target 31 | EOF 32 | ``` 33 | 34 | ```{code-block} 35 | :caption: Install systemd service file for ospd-openvas 36 
| 37 | sudo cp -v $BUILD_DIR/ospd-openvas.service /etc/systemd/system/ 38 | ``` 39 | 40 | ```{code-block} 41 | :caption: Systemd service file for gvmd 42 | 43 | cat << EOF > $BUILD_DIR/gvmd.service 44 | [Unit] 45 | Description=Greenbone Vulnerability Manager daemon (gvmd) 46 | After=network.target networking.service postgresql.service ospd-openvas.service 47 | Wants=postgresql.service ospd-openvas.service 48 | Documentation=man:gvmd(8) 49 | ConditionKernelCommandLine=!recovery 50 | 51 | [Service] 52 | Type=exec 53 | User=gvm 54 | Group=gvm 55 | PIDFile=/run/gvmd/gvmd.pid 56 | RuntimeDirectory=gvmd 57 | RuntimeDirectoryMode=2775 58 | ExecStart=/usr/local/sbin/gvmd --foreground --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm 59 | Restart=always 60 | TimeoutStopSec=10 61 | 62 | [Install] 63 | WantedBy=multi-user.target 64 | EOF 65 | ``` 66 | 67 | ```{code-block} 68 | :caption: Install systemd service file for gvmd 69 | 70 | sudo cp -v $BUILD_DIR/gvmd.service /etc/systemd/system/ 71 | ``` 72 | 73 | ```{code-block} none 74 | :caption: Systemd service file for gsad 75 | 76 | cat << EOF > $BUILD_DIR/gsad.service 77 | [Unit] 78 | Description=Greenbone Security Assistant daemon (gsad) 79 | Documentation=man:gsad(8) https://www.greenbone.net 80 | After=network.target gvmd.service 81 | Wants=gvmd.service 82 | 83 | [Service] 84 | Type=exec 85 | User=gvm 86 | Group=gvm 87 | RuntimeDirectory=gsad 88 | RuntimeDirectoryMode=2775 89 | PIDFile=/run/gsad/gsad.pid 90 | ExecStart=/usr/local/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --http-only 91 | Restart=always 92 | TimeoutStopSec=10 93 | 94 | [Install] 95 | WantedBy=multi-user.target 96 | Alias=greenbone-security-assistant.service 97 | EOF 98 | ``` 99 | 100 | ```{code-block} 101 | :caption: Install systemd service file for gsad 102 | 103 | sudo cp -v $BUILD_DIR/gsad.service /etc/systemd/system/ 104 | ``` 105 | 106 | ```{code-block} 107 | :caption: Systemd service file for openvasd 108 | cat << EOF > 
$BUILD_DIR/openvasd.service 109 | [Unit] 110 | Description=OpenVASD 111 | Documentation=https://github.com/greenbone/openvas-scanner/tree/main/rust/openvasd 112 | ConditionKernelCommandLine=!recovery 113 | [Service] 114 | Type=exec 115 | User=gvm 116 | RuntimeDirectory=openvasd 117 | RuntimeDirectoryMode=2775 118 | ExecStart=/usr/local/bin/openvasd --mode service_notus --products /var/lib/notus/products --advisories /var/lib/notus/advisories --listening 127.0.0.1:3000 119 | SuccessExitStatus=SIGKILL 120 | Restart=always 121 | RestartSec=60 122 | [Install] 123 | WantedBy=multi-user.target 124 | EOF 125 | ``` 126 | 127 | ```{code-block} 128 | :caption: Install systemd service file for openvasd 129 | sudo cp -v $BUILD_DIR/openvasd.service /etc/systemd/system/ 130 | ``` 131 | 132 | Afterwards, the services need to be activated and started. 133 | 134 | ```{code-block} 135 | :caption: Making systemd aware of the new service files 136 | 137 | sudo systemctl daemon-reload 138 | ``` 139 | -------------------------------------------------------------------------------- /src/22.4/source-build/troubleshooting.md: -------------------------------------------------------------------------------- 1 | ## Troubleshooting 2 | 3 | This page contains hints for troubleshooting source build specific issues. 4 | 5 | ```{warning} 6 | The commands in the following troubleshooting guidelines are only valid if you 7 | followed the source build documentation. If you installed the Greenbone 8 | Community Edition via a Linux Distribution (for example Kali Linux), the 9 | commands may be slightly different and need to be adjusted. 10 | ``` 11 | 12 | ### Failed to find port_list ‘33d0cd82-57c6-11e1-8ed1-406186ea4fc5‘ 13 | 14 | This error can occur when trying to use the Task Wizard to create a quick scan 15 | after the initial setup. It is caused by {command}`gvmd` not being able to load 16 | the port lists from the {term}`feed` into its database.
To fix this issue, you 17 | need to check if {file}`/var/lib/gvm/data-objects/` contains the port list XML 18 | file: 19 | 20 | ```{code-block} shell 21 | --- 22 | caption: Checking if port list is already synced 23 | --- 24 | find /var/lib/gvm/data-objects/ -name "*33d0cd82-57c6-11e1-8ed1-406186ea4fc5*.xml" 25 | ``` 26 | 27 | If the {command}`find` command does not return an XML file, the data objects 28 | have not been synced from the {term}`feed` (yet). 29 | 30 | ```{code-block} shell 31 | --- 32 | caption: Syncing data objects processed by gvmd 33 | --- 34 | sudo -u gvm greenbone-feed-sync --type GVMD_DATA 35 | ``` 36 | 37 | Second, {command}`gvmd` should be forced to (re-)load the data objects including 38 | the port lists from the disk. 39 | 40 | ```{code-block} shell 41 | --- 42 | caption: Forcing gvmd to reload the data objects from disk 43 | --- 44 | sudo -u gvm gvmd --rebuild-gvmd-data=all 45 | ``` 46 | 47 | When {command}`gvmd` has loaded the port list successfully, the {file}`/var/log/gvm/gvmd.log` 48 | file shows the following output: 49 | 50 | ```{code-block} none 51 | :caption: gvmd port list loaded log message 52 | 53 | Port list All IANA assigned TCP (33d0cd82-57c6-11e1-8ed1-406186ea4fc5) has been created by admin 54 | ``` 55 | 56 | ### Failed to find scan configuration 57 | 58 | This issue is similar to [Failed to find port_list](#failed-to-find-port_list-33d0cd82-57c6-11e1-8ed1-406186ea4fc5). 59 | It will be raised if {command}`gvmd` is not able to load the scan configs from 60 | the file system into its database. First of all, you should check if the scan 61 | configs have been downloaded from the {term}`feed`.
62 | 63 | ```{code-block} shell 64 | --- 65 | caption: Checking if scan configs are already available 66 | --- 67 | find /var/lib/gvm/data-objects/ -name "*daba56c8-73ec-11df-a475-002264764cea*.xml" 68 | ``` 69 | 70 | If the {command}`find` command does not return at least one XML file for your 71 | release, the data objects have not been downloaded from the {term}`feed` (yet). 72 | 73 | ```{code-block} shell 74 | --- 75 | caption: Syncing data objects processed by gvmd 76 | --- 77 | sudo -u gvm greenbone-feed-sync --type gvmd-data 78 | ``` 79 | 80 | Because scan configs reference {term}`VTs`, loading scan configs also 81 | requires synced VTs from the {term}`feed`. You can check if the VTs are already 82 | loaded by looking at the {menuselection}`Secinfo > NVTs` page on the web interface. 83 | 84 | If there are no VTs visible on the web interface, they must be downloaded from the 85 | feed. 86 | 87 | ```{code-block} shell 88 | --- 89 | caption: Syncing VTs processed by the openvas scanner 90 | --- 91 | sudo -u gvm greenbone-feed-sync --type nvt 92 | ``` 93 | 94 | Loading the VTs from the file system may take a while, from several minutes up 95 | to hours depending on your system performance and number of {term}`VTs`. You 96 | can follow the process of loading VTs by looking at the {file}`/var/log/gvm/ospd-openvas.log` 97 | and {file}`/var/log/gvm/gvmd.log` files. 98 | 99 | If there are still no scan configs under {menuselection}`Configuration > Scan Configs` 100 | on the web interface after some hours and the logs of gvmd and ospd-openvas do not show 101 | errors, the `Feed Import Owner` may not have been set. 
102 | 103 | ```{code-block} shell 104 | --- 105 | caption: Setting the `Feed Import Owner` 106 | --- 107 | gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value `gvmd --get-users --verbose | grep admin | awk '{print $2}'` 108 | ``` 109 | 110 | If all these steps do not resolve the issue, it is very likely a bigger problem, 111 | for example with the PostgreSQL database. Therefore, the 112 | {file}`/var/log/gvm/ospd-openvas.log` and {file}`/var/log/gvm/gvmd.log` files 113 | must be inspected for possible error and warning messages. 114 | 115 | ### curl: (22) The requested URL returned error: 404 116 | 117 | While downloading some source file of the software components the URL can't be 118 | found and {command}`curl` returns a HTTP status code 404. 119 | 120 | Please ensure the version variable of the to be downloaded component and all 121 | [required environment variables](./index.md#setting-environment-variables) are 122 | set. If that doesn't work try to replace the variables in the curl command with 123 | the actual content. 124 | -------------------------------------------------------------------------------- /src/22.4/source-build/verify.md: -------------------------------------------------------------------------------- 1 | ```{code-block} none 2 | :class: no-copybutton 3 | 4 | gpg: Signature made Fri Apr 16 08:31:02 2021 UTC 5 | gpg: using RSA key 9823FAA60ED1E580 6 | gpg: Good signature from "Greenbone Community Feed integrity key" [ultimate] 7 | ``` 8 | -------------------------------------------------------------------------------- /src/22.4/source-build/workflows.md: -------------------------------------------------------------------------------- 1 | # Workflows 2 | 3 | ## Updating to Newer Releases 4 | 5 | The [build-from-source guide](./index.md) is updated regularly to use the 6 | newest releases of the [components of the Greenbone Community Edition](../../background.md#architecture). 
7 | If you have a source build containing older versions of the components, this 8 | section describes how to update them. 9 | 10 | First, the services should be stopped to be able to replace them later on. 11 | 12 | ```{code-block} shell 13 | --- 14 | caption: Stopping all services 15 | --- 16 | sudo systemctl stop gsad gvmd ospd-openvas openvasd 17 | ``` 18 | 19 | Afterwards, you must verify that all [prerequisites](./index.md#prerequisites) are met. 20 | In particular, make sure that the [required environment variables](./index.md#setting-environment-variables) 21 | are set. 22 | 23 | For being able to update `ospd-openvas`, `greenbone-feed-sync` and `gvm-tools` 24 | they must be uninstalled first. 25 | 26 | ```{code-block} shell 27 | --- 28 | caption: Uninstall ospd-openvas, greenbone-feed-sync and gvm-tools 29 | --- 30 | sudo python3 -m pip uninstall --break-system-packages ospd-openvas greenbone-feed-sync gvm-tools 31 | ``` 32 | 33 | The `--break-system-packages` argument is required because of [PEP 668](https://peps.python.org/pep-0668/). 34 | 35 | Next, you need to follow the [build and install documentation](./index.md#building-and-installing-the-components) 36 | as you would the first time. This will download and install the 37 | latest component releases. The already installed versions will be overwritten by 38 | the new ones. 39 | 40 | When updating to newer releases, a database update may be required. The database 41 | is managed by {command}`gvmd`. The following command must be used to update 42 | the database: 43 | 44 | ```{code-block} shell 45 | --- 46 | caption: Updating the database schema 47 | --- 48 | /usr/local/sbin/gvmd --migrate 49 | ``` 50 | 51 | After all components have been installed and the database has 52 | been updated, the last step is to restart the services. 
53 | 54 | ```{code-block} shell 55 | --- 56 | caption: Restarting all services 57 | --- 58 | sudo systemctl start gsad gvmd ospd-openvas openvasd 59 | ``` 60 | 61 | ## Accessing the Web Interface Remotely 62 | 63 | When following the build-from-source guide, the web server is configured to listen only 64 | on the local address of the host (127.0.0.1). To allow remote access on all 65 | interfaces of the host, the {command}`gsad` systemd service file must be modified to 66 | configure the web server {command}`gsad` to listen on all network interfaces. Because the service file below keeps {command}`gsad`'s `--http-only` option, logins and session data then travel over the network unencrypted; limit who can reach port 9392 (for example with a firewall) or put TLS in front of the web interface before exposing it. 67 | 68 | ```{code-block} none 69 | :caption: Systemd service file for gsad to listen on all interfaces 70 | 71 | cat << EOF > $BUILD_DIR/gsad.service 72 | [Unit] 73 | Description=Greenbone Security Assistant daemon (gsad) 74 | Documentation=man:gsad(8) https://www.greenbone.net 75 | After=network.target gvmd.service 76 | Wants=gvmd.service 77 | 78 | [Service] 79 | Type=exec 80 | User=gvm 81 | RuntimeDirectory=gsad 82 | RuntimeDirectoryMode=2775 83 | PIDFile=/run/gsad/gsad.pid 84 | ExecStart=/usr/local/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --http-only 85 | Restart=always 86 | TimeoutStopSec=10 87 | 88 | [Install] 89 | WantedBy=multi-user.target 90 | Alias=greenbone-security-assistant.service 91 | EOF 92 | ``` 93 | 94 | ```{code-block} 95 | :caption: Installing the systemd service file for gsad 96 | 97 | sudo cp -v $BUILD_DIR/gsad.service /etc/systemd/system/ 98 | ``` 99 | 100 | Afterwards, the changed service file must be reloaded so that the changes 101 | are taken into account by systemd, and the {command}`gsad` service must be 102 | restarted.
103 | 104 | 105 | ```{code-block} 106 | :caption: Reloading changed gsad.service file 107 | 108 | sudo systemctl daemon-reload 109 | ``` 110 | 111 | ```{code-block} 112 | :caption: Restarting gsad 113 | 114 | sudo systemctl restart gsad 115 | ``` 116 | -------------------------------------------------------------------------------- /src/_static/custom.css: -------------------------------------------------------------------------------- 1 | div.document { 2 | width: 1200px; 3 | } 4 | 5 | body { 6 | font-family: Helvetica, Verdana; 7 | } 8 | 9 | div.body { 10 | max-width: 1200px; 11 | } 12 | 13 | h1, h2, h3, h4, h5, h6 { 14 | font-weight:500; 15 | } 16 | 17 | div.body h1, 18 | div.body h2, 19 | div.body h3, 20 | div.body h4, 21 | div.body h5, 22 | div.body h6 { 23 | font-family: Helvetica, Verdana; 24 | } 25 | 26 | .sphinx-tabs-tab { 27 | color:var(--color-content-foreground); 28 | font-family: Helvetica, Verdana; 29 | cursor: pointer; 30 | } 31 | 32 | .sphinx-tabs-tab[aria-selected="false"] { 33 | background-color: rgba(0, 0, 0, 0.05); 34 | } 35 | 36 | a { 37 | color: var(--color-content-foreground); 38 | text-decoration: none; 39 | border-bottom: 1px dotted var(--color-content-foreground); 40 | } 41 | 42 | a:hover { 43 | color: #11AB51 !important; 44 | border-bottom: 1px solid var(--color-content-foreground); 45 | } 46 | 47 | a:visited { 48 | color: var(--color-content-foreground); 49 | border-bottom: 1px solid var(--color-content-foreground); 50 | } 51 | 52 | a:active { 53 | color: #11AB51; 54 | border-bottom: 1px solid var(--color-content-foreground); 55 | } 56 | 57 | .related-pages a .page-info .title, .bottom-of-page a { 58 | color: var(--color-foreground-secondary); 59 | text-decoration: none; 60 | border-bottom: 1px dotted var(--color-foreground-secondary); 61 | } 62 | 63 | .related-pages a:hover .page-info .title, .bottom-of-page a:hover { 64 | text-decoration: none; 65 | color: #11AB51; 66 | border-bottom: 1px solid var(--color-foreground-secondary); 67 | } 
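/* Muted links (e.g. edit/view-this-page) never show the link underline. */
a.muted-link {
    border-bottom: 0;
}

a.muted-link:hover {
    border-bottom: 0;
    color: #11AB51;
}

/* Navigation links: no underline at rest.
   The last selector was written as `toc-tree` (an element selector that
   matches nothing); it is now the class selector `.toc-tree`, in line with
   the :hover rule below. */
a.sidebar-brand,
.toctree-l1 > a.reference,
.toctree-l2 > a.reference,
.toc-tree a.reference {
    border-bottom: 0;
}

.toctree-l1 > a.reference:hover,
.toctree-l2 > a.reference:hover,
.toc-tree a.reference:hover {
    border-bottom: 0;
    color: #11AB51;
}

/* Previous/next page links at the bottom of a page. */
.related-pages a {
    border-bottom: 0;
}

.related-pages a:hover {
    border-bottom: 0;
}

/* Section captions in the toctree and in the sidebar. */
.toctree-wrapper .caption-text,
.sidebar-tree .caption-text {
    font-size: 2em;
    font-weight: 500;
    color: var(--color-content-foreground);
}

.sidebar-brand-text {
    text-align: left;
}

.sidebar-search {
    color: var(--color-content-foreground);
}


.sidebar-tree .toctree-l1 > .reference {
    color: var(--color-content-foreground);
}

/* On-page table of contents. */
.toc-tree li.scroll-current > .reference {
    color: var(--color-content-foreground);
}

.toc-tree .reference {
    color: var(--color-content-foreground);
    font-size: 1.1em;
}

.toc-title {
    color: var(--color-content-foreground);
    font-size: 1.2em;
}

/* Admonition boxes share the secondary background with their titles. */
div.admonition {
    background-color: var(--color-background-secondary);
    padding: 20px 20px;
    border-radius: 4px;
}

.admonition.note > .admonition-title,
.admonition.warning > .admonition-title,
.admonition.tip > .admonition-title,
.admonition.important > .admonition-title,
.admonition.hint > .admonition-title {
    background-color: var(--color-background-secondary);
    font-family: Helvetica, Verdana;
    font-weight: bold;
    font-size: 1em;
}

div.body p.caption {
    font-size: 240%;
    margin-bottom: 0px;
}

div.sphinxsidebar h3 {
    font-family: Helvetica, Verdana;
}
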
div.sphinxsidebar a { 151 | border: 0px; 152 | } 153 | 154 | div.sphinxsidebarwrapper p.description { 155 | font-size: 15px; 156 | } 157 | 158 | div.sphinxsidebarwrapper h1.logo { 159 | font-size: 25px; 160 | } 161 | 162 | div.sphinxsidebarwrapper h1.logo-name { 163 | margin-top:50px; 164 | } 165 | 166 | div.sphinxsidebarwrapper p.description { 167 | margin-bottom: 50px; 168 | } 169 | 170 | 171 | div.sphinxsidebarwrapper img { 172 | max-width: 70%; 173 | } 174 | 175 | .highlight-shell-session .go::before { 176 | content: ">"; 177 | padding-right: 1em; 178 | } 179 | 180 | .highlight pre { 181 | border-radius: 6px; 182 | font-family: Consolas,Monaco,Andale Mono,Ubuntu Mono,monospace; 183 | font-size: 0.9em; 184 | line-height: 1.2; 185 | padding: 1.25rem 1.5rem; 186 | } 187 | 188 | .code-block-caption { 189 | font-size:0.7em; 190 | background-color: var(--color-background-secondary); 191 | color: var(--color-foreground-primary); 192 | } 193 | 194 | 195 | .code-block-caption a { 196 | color:var(--color-foreground-primary); 197 | } 198 | 199 | .code-block-caption a:hover { 200 | color:#11AB51; 201 | } 202 | 203 | 204 | div.edit-this-page > a.muted-link, div.view-this-page > a.muted-link, svg.icon-tabler-shadow, svg.theme-icon-when-dark, svg.theme-icon-when-light, .toctree-checkbox ~ label .icon svg { 205 | color:var(--color-content-foreground); 206 | } 207 | 208 | 209 | div.edit-this-page > a.muted-link:hover, div.view-this-page > a.muted-link:hover, svg.icon.icon-tabler.icon-tabler-copy:hover, svg.icon-tabler-shadow:hover, svg.theme-icon-when-dark:hover, svg.theme-icon-when-light:hover, .toctree-checkbox ~ label .icon svg:hover { 210 | color:#11AB51; 211 | } 212 | 213 | .highlight { 214 | background-color: var(--color-code-background); 215 | color:var(--color-code-foreground); 216 | } 217 | 218 | .highlight button.copybtn { 219 | background-color:transparent; 220 | } 221 | 222 | .highlight button.copybtn:hover { 223 | background-color:transparent; 224 | } 225 | 226 | 
svg.icon.icon-tabler.icon-tabler-copy { 227 | color: var(--color-code-foreground); 228 | 229 | } 230 | 231 | .highlight .go { 232 | color: var(--color-code-foreground); 233 | font-weight: normal; 234 | } 235 | 236 | .highlight .l { 237 | color: var(--color-code-foreground); 238 | } 239 | 240 | #contents.toc { 241 | background-color: #ffffff; 242 | border: none; 243 | } 244 | 245 | .back-to-top { 246 | background-color:var(--color-background-secondary); 247 | } 248 | 249 | div.topic { 250 | border-radius: 4px; 251 | } 252 | 253 | div.topic a.reference.internal { 254 | border: 0px; 255 | } 256 | 257 | div.toctree-wrapper.compound a.reference.internal { 258 | border: 0px; 259 | } 260 | 261 | #indices-and-tables a.reference.internal { 262 | border: 0px; 263 | } 264 | 265 | .sidebar-logo { 266 | max-width: 70%; 267 | } 268 | -------------------------------------------------------------------------------- /src/_static/docker-compose-22.4.yml: -------------------------------------------------------------------------------- 1 | name: greenbone-community-edition 2 | 3 | services: 4 | vulnerability-tests: 5 | image: registry.community.greenbone.net/community/vulnerability-tests 6 | environment: 7 | FEED_RELEASE: "24.10" 8 | volumes: 9 | - vt_data_vol:/mnt 10 | 11 | notus-data: 12 | image: registry.community.greenbone.net/community/notus-data 13 | volumes: 14 | - notus_data_vol:/mnt 15 | 16 | scap-data: 17 | image: registry.community.greenbone.net/community/scap-data 18 | volumes: 19 | - scap_data_vol:/mnt 20 | 21 | cert-bund-data: 22 | image: registry.community.greenbone.net/community/cert-bund-data 23 | volumes: 24 | - cert_data_vol:/mnt 25 | 26 | dfn-cert-data: 27 | image: registry.community.greenbone.net/community/dfn-cert-data 28 | volumes: 29 | - cert_data_vol:/mnt 30 | depends_on: 31 | - cert-bund-data 32 | 33 | data-objects: 34 | image: registry.community.greenbone.net/community/data-objects 35 | environment: 36 | FEED_RELEASE: "24.10" 37 | volumes: 38 | - 
data_objects_vol:/mnt 39 | 40 | report-formats: 41 | image: registry.community.greenbone.net/community/report-formats 42 | environment: 43 | FEED_RELEASE: "24.10" 44 | volumes: 45 | - data_objects_vol:/mnt 46 | depends_on: 47 | - data-objects 48 | 49 | gpg-data: 50 | image: registry.community.greenbone.net/community/gpg-data 51 | volumes: 52 | - gpg_data_vol:/mnt 53 | 54 | redis-server: 55 | image: registry.community.greenbone.net/community/redis-server 56 | restart: on-failure 57 | volumes: 58 | - redis_socket_vol:/run/redis/ 59 | 60 | pg-gvm: 61 | image: registry.community.greenbone.net/community/pg-gvm:stable 62 | restart: on-failure 63 | volumes: 64 | - psql_data_vol:/var/lib/postgresql 65 | - psql_socket_vol:/var/run/postgresql 66 | 67 | gvmd: 68 | image: registry.community.greenbone.net/community/gvmd:stable 69 | restart: on-failure 70 | volumes: 71 | - gvmd_data_vol:/var/lib/gvm 72 | - scap_data_vol:/var/lib/gvm/scap-data/ 73 | - cert_data_vol:/var/lib/gvm/cert-data 74 | - data_objects_vol:/var/lib/gvm/data-objects/gvmd 75 | - vt_data_vol:/var/lib/openvas/plugins 76 | - psql_data_vol:/var/lib/postgresql 77 | - gvmd_socket_vol:/run/gvmd 78 | - ospd_openvas_socket_vol:/run/ospd 79 | - psql_socket_vol:/var/run/postgresql 80 | depends_on: 81 | pg-gvm: 82 | condition: service_started 83 | scap-data: 84 | condition: service_completed_successfully 85 | cert-bund-data: 86 | condition: service_completed_successfully 87 | dfn-cert-data: 88 | condition: service_completed_successfully 89 | data-objects: 90 | condition: service_completed_successfully 91 | report-formats: 92 | condition: service_completed_successfully 93 | 94 | gsa: 95 | image: registry.community.greenbone.net/community/gsa:stable 96 | restart: on-failure 97 | ports: 98 | - 127.0.0.1:9392:80 99 | volumes: 100 | - gvmd_socket_vol:/run/gvmd 101 | depends_on: 102 | - gvmd 103 | # Sets log level of openvas to the set LOG_LEVEL within the env 104 | # and changes log output to /var/log/openvas instead 
/var/log/gvm 105 | # to reduce likelyhood of unwanted log interferences 106 | configure-openvas: 107 | image: registry.community.greenbone.net/community/openvas-scanner:stable 108 | volumes: 109 | - openvas_data_vol:/mnt 110 | - openvas_log_data_vol:/var/log/openvas 111 | command: 112 | - /bin/sh 113 | - -c 114 | - | 115 | printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf 116 | sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf 117 | chmod 644 /mnt/openvas.conf 118 | chmod 644 /mnt/openvas_log.conf 119 | touch /var/log/openvas/openvas.log 120 | chmod 666 /var/log/openvas/openvas.log 121 | 122 | # shows logs of openvas 123 | openvas: 124 | image: registry.community.greenbone.net/community/openvas-scanner:stable 125 | restart: on-failure 126 | volumes: 127 | - openvas_data_vol:/etc/openvas 128 | - openvas_log_data_vol:/var/log/openvas 129 | command: 130 | - /bin/sh 131 | - -c 132 | - | 133 | cat /etc/openvas/openvas.conf 134 | tail -f /var/log/openvas/openvas.log 135 | depends_on: 136 | configure-openvas: 137 | condition: service_completed_successfully 138 | 139 | openvasd: 140 | image: registry.community.greenbone.net/community/openvas-scanner:stable 141 | restart: on-failure 142 | environment: 143 | # `service_notus` is set to disable everything but notus, 144 | # if you want to utilize openvasd directly, remove `OPENVASD_MODE` 145 | OPENVASD_MODE: service_notus 146 | GNUPGHOME: /etc/openvas/gnupg 147 | LISTENING: 0.0.0.0:80 148 | volumes: 149 | - openvas_data_vol:/etc/openvas 150 | - openvas_log_data_vol:/var/log/openvas 151 | - gpg_data_vol:/etc/openvas/gnupg 152 | - notus_data_vol:/var/lib/notus 153 | # enable port forwarding when you want to use the http api from your host machine 154 | # ports: 155 | # - 127.0.0.1:3000:80 156 | depends_on: 157 | vulnerability-tests: 158 | condition: service_completed_successfully 159 | configure-openvas: 160 | condition: 
service_completed_successfully 161 | gpg-data: 162 | condition: service_completed_successfully 163 | networks: 164 | default: 165 | aliases: 166 | - openvasd 167 | 168 | ospd-openvas: 169 | image: registry.community.greenbone.net/community/ospd-openvas:stable 170 | restart: on-failure 171 | hostname: ospd-openvas.local 172 | cap_add: 173 | - NET_ADMIN # for capturing packages in promiscuous mode 174 | - NET_RAW # for raw sockets e.g. used for the boreas alive detection 175 | security_opt: 176 | - seccomp=unconfined 177 | - apparmor=unconfined 178 | command: 179 | [ 180 | "ospd-openvas", 181 | "-f", 182 | "--config", 183 | "/etc/gvm/ospd-openvas.conf", 184 | "--notus-feed-dir", 185 | "/var/lib/notus/advisories", 186 | "-m", 187 | "666", 188 | ] 189 | volumes: 190 | - gpg_data_vol:/etc/openvas/gnupg 191 | - vt_data_vol:/var/lib/openvas/plugins 192 | - notus_data_vol:/var/lib/notus 193 | - ospd_openvas_socket_vol:/run/ospd 194 | - redis_socket_vol:/run/redis/ 195 | - openvas_data_vol:/etc/openvas/ 196 | - openvas_log_data_vol:/var/log/openvas 197 | depends_on: 198 | redis-server: 199 | condition: service_started 200 | gpg-data: 201 | condition: service_completed_successfully 202 | vulnerability-tests: 203 | condition: service_completed_successfully 204 | configure-openvas: 205 | condition: service_completed_successfully 206 | 207 | gvm-tools: 208 | image: registry.community.greenbone.net/community/gvm-tools 209 | volumes: 210 | - gvmd_socket_vol:/run/gvmd 211 | - ospd_openvas_socket_vol:/run/ospd 212 | depends_on: 213 | - gvmd 214 | - ospd-openvas 215 | 216 | volumes: 217 | gpg_data_vol: 218 | scap_data_vol: 219 | cert_data_vol: 220 | data_objects_vol: 221 | gvmd_data_vol: 222 | psql_data_vol: 223 | vt_data_vol: 224 | notus_data_vol: 225 | psql_socket_vol: 226 | gvmd_socket_vol: 227 | ospd_openvas_socket_vol: 228 | redis_socket_vol: 229 | openvas_data_vol: 230 | openvas_log_data_vol: 231 | 
-------------------------------------------------------------------------------- /src/_static/docker-compose.yml: -------------------------------------------------------------------------------- 1 | docker-compose-22.4.yml -------------------------------------------------------------------------------- /src/_static/greenbone-banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/greenbone/docs/193f957e79b4f6c3b37a0e9c6ee0300a40ef1acb/src/_static/greenbone-banner.png -------------------------------------------------------------------------------- /src/_static/greenbone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/greenbone/docs/193f957e79b4f6c3b37a0e9c6ee0300a40ef1acb/src/_static/greenbone.png -------------------------------------------------------------------------------- /src/_static/setup-and-start-greenbone-community-edition.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright (C) 2022 - 2025 Greenbone AG 3 | # 4 | # SPDX-License-Identifier: GPL-3.0-or-later 5 | # 6 | # This program is free software: you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation, either version 3 of the License, or 9 | # (at your option) any later version. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program. If not, see . 
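# Abort as soon as a command fails.
set -e

DOWNLOAD_DIR=$HOME/greenbone-community-container
RELEASE="22.4"


# Check that a prerequisite is usable; print a hint and exit 1 if it is not.
#   $1    command to look for
#   $2..  optional arguments: when given, "$@" is executed and must succeed
installed() {
    local failed=0
    if [ -z "$2" ]; then
        # Bare command: it only has to resolve to something executable.
        if ! [ -x "$(command -v "$1")" ]; then
            failed=1
        fi
    else
        # Command with arguments (e.g. "docker compose"): run it, discard the output.
        local ret=0
        "$@" &> /dev/null || ret=$?
        if [ "$ret" -ne 0 ]; then
            failed=1
        fi
    fi

    if [ $failed -ne 0 ]; then
        # Diagnostics belong on stderr so they survive a redirected stdout.
        echo "$* is not available. See https://greenbone.github.io/docs/latest/$RELEASE/container/#prerequisites." >&2
        exit 1
    fi

}

installed curl
installed docker
installed docker compose

# Two separate commands: with `mkdir ... && cd ...`, `set -e` ignores a failing
# mkdir (it is not the last command of the && list) and the script would carry
# on in the caller's working directory.
mkdir -p "$DOWNLOAD_DIR"
cd "$DOWNLOAD_DIR"

echo "Downloading docker-compose file..."
# NOTE(review): the compose file is fetched over HTTPS and used as downloaded;
# no checksum or signature is verified before the containers are started.
curl -f -O https://greenbone.github.io/docs/latest/_static/docker-compose.yml

echo "Pulling Greenbone Community Containers"
docker compose -f "$DOWNLOAD_DIR"/docker-compose.yml pull
echo

echo "Starting Greenbone Community Containers"
docker compose -f "$DOWNLOAD_DIR"/docker-compose.yml up -d
echo

# Ask again until a non-empty password is entered, so that an accidental
# Enter is not passed on to gvmd as the admin password.
password=""
while [ -z "$password" ]; do
    read -r -s -p "Password for admin user: " password
    # `read -s` does not echo the newline the user typed.
    echo
done

# NOTE(review): the password is handed to gvmd as a command-line argument, so
# it can show up in process listings while this command runs.
docker compose -f "$DOWNLOAD_DIR"/docker-compose.yml \
    exec -u gvmd gvmd gvmd --user=admin --new-password="$password"
# Do not keep the secret in the shell environment longer than needed.
unset password

echo
echo "The feed data will be loaded now. This process may take several minutes up to hours."
echo "Before the data is not loaded completely, scans will show insufficient or erroneous results."
echo "See https://greenbone.github.io/docs/latest/$RELEASE/container/workflows.html#loading-the-feed-changes for more details."
echo
echo "Press Enter to open the Greenbone Security Assistant web interface in the web browser."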
74 | read 75 | xdg-open "http://127.0.0.1:9392" 2>/dev/null >/dev/null & 76 | -------------------------------------------------------------------------------- /src/api.md: -------------------------------------------------------------------------------- 1 | # API 2 | 3 | ## python-gvm 4 | 5 | Greenbone Vulnerability Management Python Library 6 | 7 | [https://greenbone.github.io/python-gvm/](https://greenbone.github.io/python-gvm/) 8 | 9 | ## gvm-tools 10 | 11 | Remote control your Greenbone Community Edition or Greenbone Enterprise Appliance 12 | 13 | [https://greenbone.github.io/gvm-tools/](https://greenbone.github.io/gvm-tools/) 14 | 15 | ## pontos 16 | 17 | Common utilities and tools maintained by Greenbone 18 | 19 | [https://greenbone.github.io/pontos/](https://greenbone.github.io/pontos/) 20 | 21 | ## autohooks 22 | 23 | Library for managing git hooks 24 | 25 | [https://greenbone.github.io/autohooks/](https://greenbone.github.io/autohooks/) 26 | -------------------------------------------------------------------------------- /src/architecture.md: -------------------------------------------------------------------------------- 1 | ## Architecture 2 | 3 | The Greenbone Community Edition consists of a framework with several services. 4 | It is developed as part of the commercial [Greenbone Enterprise] product line. 5 | 6 | The Greenbone Community Edition was originally built as a community project 7 | named [OpenVAS] and is primarily developed and forwarded by [Greenbone]. 8 | 9 | The architecture for the Greenbone Community Edition is grouped into three major parts: 10 | 11 | - Executable scanner applications that run vulnerability tests (VT) against 12 | target systems 13 | - Greenbone Vulnerability Management Daemon (gvmd) 14 | - Greenbone Security Assistant (GSA) with the Greenbone Security Assistant 15 | Daemon (gsad) 16 | 17 | The following figure shows an overview of the architecture for the 22.4 release. 
18 | 19 | > :::{figure} images/greenbone-community-22.4-architecture.png 20 | > :alt: Greenbone Community Edition Architecture 21 | > 22 | > Architecture in release 22.4 23 | > ::: 24 | 25 | The Greenbone Community Edition is released under open-source licenses. By using 26 | it, Linux distributions can create and provide the software components in the 27 | form of installation packages. 28 | 29 | ### Greenbone Vulnerability Management Daemon (gvmd) 30 | 31 | The [Greenbone Vulnerability Management Daemon (gvmd)] – also called Greenbone Vulnerability 32 | Manager is the central service that consolidates plain vulnerability scanning into 33 | a full vulnerability management solution. gvmd controls the OpenVAS Scanner via Open 34 | Scanner Protocol (OSP). 35 | 36 | The service itself offers the XML-based, {term}`Greenbone Management Protocol (GMP)`. 37 | gvmd also controls an SQL database (PostgreSQL) where all configuration and scan result data is 38 | centrally stored. Furthermore, gvmd also handles user management including permissions 39 | control with groups and roles. And finally, the service has an internal runtime 40 | system for scheduled tasks and other events. 41 | 42 | ### Greenbone Security Assistant (GSA) 43 | 44 | The [Greenbone Security Assistant (GSA)] is the web interface that a 45 | user controls scans and accesses vulnerability information with. It is the main 46 | contact point for a user. It connects to gvmd via the web server [Greenbone 47 | Security Assistant Daemon (gsad)][greenbone security assistant daemon (gsad)] to provide a full-featured web application for 48 | vulnerability management. The communication occurs using the 49 | {term}`Greenbone Management Protocol (GMP)` with which the user can also 50 | communicate directly by using different tools. 51 | 52 | ### OpenVAS Scanner 53 | 54 | The main scanner [OpenVAS Scanner] is a full-featured scan engine that executes 55 | {term}`Vulnerability Tests (VTs) ` against target systems. 
For this, it uses 56 | the daily updated and comprehensive feeds: the full-featured, extensive, commercial 57 | {term}`Greenbone Enterprise Feed ` or the freely 58 | available {term}`Greenbone Community Feed `. 59 | 60 | The scanner consists of the components [ospd-openvas] and [openvas-scanner]. 61 | The OpenVAS Scanner is controlled via {term}`OSP`. The OSP Daemon for the 62 | OpenVAS Scanner (ospd-openvas) communicates with gvmd via OSP: VT data is 63 | collected, scans are started and stopped, and scan results are transferred to 64 | gvmd via ospd. 65 | 66 | ### Notus Scanner 67 | 68 | The [Notus Scanner] scans during every regular scan, so no user interaction is 69 | necessary. It offers better performance due to less system resource 70 | consumption and thus, faster scanning. 71 | 72 | The Notus Scanner replaces the logic of potentially all NASL-based local 73 | security checks (LSCs). A comparison of installed software on a host against a 74 | list of known vulnerable software is done instead of running a VT script for 75 | each LSC. 76 | 77 | The regular OpenVAS Scanner loads each NASL LSC individually and executes it 78 | one by one for every host. A single known vulnerability is then compared with 79 | the installed software. This is repeated for all LSCs. 80 | 81 | With the Notus Scanner, the list of installed software is loaded in the same 82 | way, but is directly compared with all known vulnerable software for the 83 | operating system of the scanned host. This eliminates the need to run the 84 | LSCs because the information about the known vulnerable software is collected 85 | in one single list and not distributed in individual NASL scripts. 86 | 87 | ### Additional Software 88 | 89 | The [Greenbone Vulnerability Management Tools (gvm-tools)] are a collection of 90 | tools that help with remote controlling Greenbone Community Edition installations 91 | or Greenbone Enterprise Appliances.
The tools aid in accessing the communication 92 | protocols {term}`GMP (Greenbone Management Protocol)` and 93 | {term}`OSP (Open Scanner Protocol)`. 94 | 95 | This module is comprised of interactive and non-interactive clients. 96 | The programming language Python is supported directly for interactive scripting. 97 | But it is also possible to issue remote GMP/OSP commands without programming in 98 | Python. 99 | 100 | [greenbone]: https://www.greenbone.net/en/ 101 | [greenbone enterprise]: https://www.greenbone.net/en/products/ 102 | [greenbone security assistant (gsa)]: https://github.com/greenbone/gsa 103 | [greenbone security assistant daemon (gsad)]: https://github.com/greenbone/gsad 104 | [greenbone vulnerability management tools (gvm-tools)]: https://github.com/greenbone/gvm-tools 105 | [greenbone vulnerability manager (gvmd)]: https://github.com/greenbone/gvmd 106 | [notus scanner]: https://github.com/greenbone/notus-scanner 107 | [openvas]: https://www.openvas.org/ 108 | [openvas scanner]: https://github.com/greenbone/openvas-scanner 109 | [openvas-scanner]: https://github.com/greenbone/openvas-scanner 110 | [ospd-openvas]: https://github.com/greenbone/ospd-openvas 111 | -------------------------------------------------------------------------------- /src/background.md: -------------------------------------------------------------------------------- 1 | # Background 2 | 3 | ```{include} ./architecture.md 4 | ``` 5 | 6 | ```{include} ./history.md 7 | ``` 8 | -------------------------------------------------------------------------------- /src/conf.py: -------------------------------------------------------------------------------- 1 | # Configuration file for the Sphinx documentation builder. 2 | # 3 | # This file only contains a selection of the most common options. 
For a full 4 | # list see the documentation: 5 | # https://www.sphinx-doc.org/en/master/usage/configuration.html 6 | 7 | # -- Path setup -------------------------------------------------------------- 8 | 9 | # If extensions (or modules to document with autodoc) are in another directory, 10 | # add these directories to sys.path here. If the directory is relative to the 11 | # documentation root, use os.path.abspath to make it absolute, like shown here. 12 | # 13 | # import os 14 | # import sys 15 | # sys.path.insert(0, os.path.abspath('.')) 16 | 17 | 18 | # -- Project information ----------------------------------------------------- 19 | 20 | project = "Greenbone Community Documentation" 21 | copyright = "2021–2024, Greenbone AG" 22 | author = "Greenbone AG" 23 | 24 | 25 | # -- General configuration --------------------------------------------------- 26 | 27 | # Add any Sphinx extension module names here, as strings. They can be 28 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom 29 | # ones. 30 | extensions = [ 31 | "sphinx.ext.githubpages", 32 | "sphinx.ext.napoleon", 33 | "myst_parser", 34 | "sphinx_copybutton", 35 | "sphinx_tabs.tabs", 36 | "sphinxext.opengraph", 37 | ] 38 | 39 | # Add any paths that contain templates here, relative to this directory. 40 | templates_path = ["_templates"] 41 | 42 | # List of patterns, relative to source directory, that match files and 43 | # directories to ignore when looking for source files. 44 | # This pattern also affects html_static_path and html_extra_path. 45 | exclude_patterns = [ 46 | "_build", 47 | "Thumbs.db", 48 | ".DS_Store", 49 | ".venv", 50 | ".vscode", 51 | "dist", 52 | ] 53 | 54 | source_suffix = { 55 | ".rst": "restructuredtext", 56 | ".md": "markdown", 57 | } 58 | 59 | # -- Options for HTML output ------------------------------------------------- 60 | 61 | # The theme to use for HTML and HTML Help pages. See the documentation for 62 | # a list of builtin themes. 
63 | # 64 | html_theme = "furo" 65 | html_title = project 66 | 67 | html_favicon = "favicon.png" 68 | 69 | # Add any paths that contain custom static files (such as style sheets) here, 70 | # relative to this directory. They are copied after the builtin static files, 71 | # so a file named "default.css" will overwrite the builtin "default.css". 72 | html_static_path = ["_static"] 73 | html_css_files = ["custom.css"] 74 | html_logo = "_static/logo.svg" 75 | 76 | repo_url = "https://github.com/greenbone/docs/" 77 | html_theme_options = { 78 | "source_repository": repo_url, 79 | "source_branch": "main", 80 | "source_directory": "src/", 81 | "light_css_variables": { 82 | "color-content-foreground": "#4D4D4D", 83 | "color-foreground-primary": "4D4D4D", 84 | "color-foreground-secondary": "#808080", 85 | "color-code-background": "#333333", 86 | "color-code-foreground": "#E6E6E6", 87 | "color-admonition-title--note": "#11AB51", 88 | "admonition-font-size": "0.9rem", 89 | "color-background-primary": "#FFFFFF", 90 | "color-background-secondary": "#F5F5F5", 91 | "color-sidebar-background": "#F5F5F5", 92 | }, 93 | "dark_css_variables": { 94 | "color-content-foreground": "#F5F5F5", 95 | "color-foreground-primary": "F5F5F5", 96 | "color-foreground-secondary": "#E6E6E6", 97 | "color-code-background": "#333333", 98 | "color-code-foreground": "#E6E6E6", 99 | "color-admonition-title--note": "#11AB51", 100 | "admonition-font-size": "0.9rem", 101 | "color-background-primary": "#171717", 102 | "color-background-secondary": "#4D4D4D", 103 | "color-sidebar-background": "#333333", 104 | }, 105 | "footer_icons": [ 106 | { 107 | "name": "GitHub", 108 | "url": repo_url, 109 | "html": """ 110 | 111 | 112 | 113 | """, 114 | "class": "", 115 | }, 116 | ], 117 | } 118 | 119 | myst_html_meta = { 120 | "description lang=en": "Greenbone Community Edition – Documentation", 121 | "description lang=de": "Greenbone Community Edition – Dokumentation", 122 | "keywords": "OpenVAS, Greenbone, Community, 
Greenbone Community Edition, GVM, Container, Docker, Documentation", 123 | "property=og:locale": "en_US", 124 | } 125 | 126 | # https://myst-parser--467.org.readthedocs.build/en/467/syntax/optional.html#auto-generated-header-anchors 127 | myst_heading_anchors = 3 128 | 129 | myst_enable_extensions = ["colon_fence", "deflist"] 130 | 131 | pygments_style = "zenburn" 132 | 133 | suppress_warnings = ["myst.header"] 134 | 135 | # settings for sphinxext-opengraph 136 | # it automagically adds Open Graph meta tags to your site’s generated HTML. 137 | # The Open Graph protocol is used by social media websites to determine how to 138 | # present a page when a link is posted, and by search engines as a criterion 139 | # toward ranking. https://github.com/wpilibsuite/sphinxext-opengraph 140 | ogp_site_url = "http://greenbone.github.io/docs/latest/" 141 | ogp_image = "https://greenbone.github.io/docs/latest/_images/greenbone-banner.png" 142 | 143 | 144 | copybutton_selector = "div:not(.no-copybutton) > div.highlight > pre" 145 | -------------------------------------------------------------------------------- /src/faq.md: -------------------------------------------------------------------------------- 1 | # Frequently Asked Questions (FAQ) 2 | 3 | ## Greenbone, GVM and OpenVAS – How are they connected? 4 | 5 | For a comprehensive background see {doc}`History of OpenVAS `. 6 | 7 | ## Where can I ask questions and get support? 8 | 9 | Support is only provided for the Greenbone Enterprise product line. 10 | Besides that, the Greenbone Community can be reached at the [community forum] 11 | to ask question. In this forum, several Greenbone developers try to help on a 12 | voluntary basis. 13 | 14 | ## Can you help with my issue on Kali, Cent OS, XYZ distribution? 15 | 16 | Greenbone does not provide any packages for any Linux distribution besides the 17 | commercial Greenbone OS. 
If you have installed the Greenbone Community Edition 18 | from your distribution like Kali Linux, an external package repository 19 | or even some random docker image, Greenbone was not involved in providing this 20 | installation method to you. 21 | 22 | The development of the Greenbone Community Edition and packaging for a 23 | distribution or container image is completely independent. Therefore, our 24 | software provided from these sources may be heavily adjusted, outdated or even 25 | completely broken. If you have issues with the software, please contact the 26 | provider of the packages first and create a ticket at their issue tracker. How 27 | to contact the provider varies. 28 | 29 | ## Please help me with the installation of OpenVAS and also advise me on the recommended OS platform. 30 | 31 | This is very similar to [Can you help with my issue on Kali, Cent OS, XYZ distribution](#can-you-help-with-my-issue-on-kali-cent-os-xyz-distribution). 32 | Greenbone cannot provide installation docs for the many available Linux 33 | distributions. Setups, configurations, build systems, packaging tools, 34 | available software, best practices, ... diverge too much to offer *official* 35 | packages, scripts or anything else from Greenbone. We offer this Greenbone Community Edition 36 | documentation and the [community forum] for discussing setup problems. Therefore, 37 | Greenbone also does not recommend any distribution nor do we prefer one 38 | distribution over the other. Most of the time, we are not even aware which 39 | distribution ships which version of our software. 40 | 41 | ## Can you help me updating my OpenVAS installation? 42 | 43 | This is also very similar to [Can you help with my issue on Kali, Cent OS, XYZ distribution](#can-you-help-with-my-issue-on-kali-cent-os-xyz-distribution).
44 | 45 | For updating your **source build** from a previous version of this guide, see [](./22.4/source-build/workflows.md#updating-to-newer-releases). 46 | 47 | For updating your installation of the **Greenbone Community Containers**, see 48 | [](./22.4/container/workflows.md#updating-the-greenbone-community-containers). 49 | 50 | We are **not** able to offer any help on updating installations done via any 51 | **external** source like Kali packages, Cent OS packages, some other guide or 52 | some random docker images because we are not aware of their specific needs and 53 | changes! Please contact the author(s) of your installation method. 54 | 55 | ## Which release contains which component? 56 | 57 | It was often confusing to find out which software component of the 58 | {term}`Greenbone Community Edition` belongs to which release. Additionally, the 59 | {term}`Greenbone OS ` used in the [Greenbone Free](https://www.greenbone.net/en/testnow/) 60 | had a different versioning scheme than the Community Edition. The following 61 | table contains an overview which component in which version belongs to a 62 | release. 
63 | 64 | | Release | GOS | gvmd | GMP | GSA | gvm-libs | OpenVAS Scanner | Notus Scanner | Status | Release Date | 65 | |:--------|----:|------|-----|-----:|----------|-----------------|:-------------:|:------:|--------------| 66 | | [Greenbone Community Edition 22.4](https://forum.greenbone.net/t/greenbone-community-edition-22-4-stable-initial-release-2022-07-25/12638) | 22.04.y | 22.x.y | 22.4 | 22.x.y | 22.x.y | 22.x.y | 22.x.y | stable | 2022-07-25 | 67 | | [GVM 21.4](https://forum.greenbone.net/t/gvm-21-04-stable-initial-release-2021-04-16/8942) | 21.04.y | 21.4.y | 21.4 | 21.4.y | 21.4.y | 21.4.y | - | end-of-life ([Community Edition: since 2023-01-17](https://forum.greenbone.net/t/greenbone-community-edition-21-04-end-of-life/13837), [GOS: since 2023-04-03](https://forum.greenbone.net/t/greenbone-os-21-04-retired-final-patch-level-gos-21-04-26/14365)) | 2021-04-16 | 68 | | [GVM 20.08](https://forum.greenbone.net/t/gvm-20-08-stable-initial-release-2020-08-12/6312) | [20.08](https://forum.greenbone.net/t/greenbone-os-20-08-0-released/6535) | 20.8.y | 20.8 | 20.8.y | 20.8.y | 20.8.y | - | end-of-life (since 2021-12-02) | 2020-08-12 | 69 | | [GVM 11](https://forum.greenbone.net/t/gvm-11-stable-initial-release-2019-10-14/3674) | 6.0.y | 9.0.y | 9.0 | 9.0.y | 11.0.y | 7.0.y | - |end-of-life (since 2020-12-31) | 2019-10-14 | 70 | | [GVM 10](https://forum.greenbone.net/t/gvm-10-old-stable-initial-release-2019-04-05/208) | 5.0.y | 8.0.y | 8.0 | 8.0.y | 10.0.y | 6.0.y | - | end-of-life (since 2020-12-31) | 2019-04-05 | 71 | | [OpenVAS 9](https://forum.greenbone.net/t/gvm-9-end-of-life-initial-release-2017-03-07/211) | 4.x.y | openvas-manager 7.0.y | OMP 7 | 7.0.y | openvas-libraries 9.0.y | 5.1.y | - | end-of-life | 2017-03-07 | 72 | 73 | ## My self-compiled version is not working as expected. Can you help me? 74 | 75 | All questions should be handled at the [community forum] 76 | but please be aware that your questions are answered on a voluntary basis. 
Therefore, 77 | please do not expect immediate responses. The community forum is for individuals 78 | to exchange experiences and problems about a [Free Software](https://en.wikipedia.org/wiki/Free_software) 79 | project and not to get instant advice from the developers or professional 80 | support to fix your current issue. 81 | 82 | If you are using a self-compiled version of the Greenbone software stack not built from this 83 | guide or packages from an external third party like a distribution please always 84 | check if you can reproduce the same behavior with the [Greenbone Free](https://www.greenbone.net/en/testnow/). 85 | If we are able to reproduce your issue it will be much easier to fix. 86 | 87 | ## Can I mix components from different releases? 88 | 89 | Short answer: **no**. You must **never** mix versions of our components from 90 | different releases. Often people try to use, e.g., the scanner from the 91 | main branch in combination with a release version of the other components like 92 | gvmd to check if their failing scan works with a newer version. While it may 93 | work for some components in most circumstances it is very likely to break for 94 | gvmd, ospd, ospd-openvas and openvas-scanner. These components interact with 95 | each other a lot and rely on public and private interfaces that change with 96 | **every** release. Internal incompatible changes even might happen in bugfix 97 | releases. Therefore never mix components from different releases. Always use the 98 | latest releases or the same release branches. In the release announcements of 99 | the [community forum], we always update the linked released versions which should 100 | be used and are known to work flawlessly. 101 | 102 | ## I am looking for an overview about OpenVAS. 103 | 104 | See {doc}`Greenbone, GVM, OpenVAS and How They Are Connected ` for some 105 | background about Greenbone OpenVAS. 106 | 107 | Our software consists of several software components.
All components 108 | are free software and can be found at [GitHub](https://github.com/greenbone/). 109 | 110 | For an overview of the components and their connections, please take a look at 111 | the {doc}`Architecture `. 112 | 113 | [community forum]: https://forum.greenbone.net 114 | 115 | ## I still fail to see/understand the concept of `greenbone-feed-sync --type` vs. `greenbone-nvt-sync`/`greenbone-certdata-sync`/`greenbone-scapdata-sync` vs. `gvm-feed-update` 116 | 117 | **gvm-feed-update** is **NOT** maintained by Greenbone and is therefore not used 118 | anywhere in our docs or in code provided by Greenbone. It is maintained by the 119 | Kali/Debian packagers and just calls the standard `greenbone-*-sync` scripts. 120 | 121 | **greenbone-certdata-sync** is just the same as [`greenbone-feed-sync --type CERT`](https://github.com/greenbone/gvmd/blob/v22.5.0/tools/greenbone-certdata-sync.in). 122 | It is/was only provided for backwards compatibility and does not get installed 123 | (by default) anymore since [`gvmd` 22.5.0](https://github.com/greenbone/gvmd/releases/tag/v22.5.0). 124 | 125 | **greenbone-scapdata-sync** is just the same as [`greenbone-feed-sync --type SCAP`](https://github.com/greenbone/gvmd/blob/v22.5.0/tools/greenbone-scapdata-sync.in). 126 | It is/was only provided for backwards compatibility and does not get installed 127 | (by default) anymore since [`gvmd` 22.5.0](https://github.com/greenbone/gvmd/releases/tag/v22.5.0). 128 | 129 | **greenbone-nvt-sync** is the *old* sync script written in bash to download the 130 | vulnerability tests data ({file}`.nasl` and {file}`.notus` files). It is deprecated since 131 | [`openvas-scanner` 22.6.0](https://github.com/greenbone/openvas-scanner/releases/tag/v22.6.0). 132 | 133 | **/usr/sbin/greenbone-feed-sync** is the *old* sync script written in bash to 134 | download the CERT, SCAP and GVMD data. 
It does not get installed 135 | (by default) anymore since [`gvmd` 22.5.0](https://github.com/greenbone/gvmd/releases/tag/v22.5.0). 136 | 137 | There is a new **greenbone-feed-sync** script written in Python to replace all 138 | of the above scripts, see the announcement at [https://forum.greenbone.net/t/new-greenbone-feed-sync-script/13925](https://forum.greenbone.net/t/new-greenbone-feed-sync-script/13925). 139 | This script is used in the build-from-source guide already but has not been 140 | picked up by the distributions yet. Hopefully, it will arrive at the 141 | distributions in the next months. It even supports the `gvm-feed-update` use 142 | case because by default, if no arguments are passed, `--type all` is run which 143 | downloads all feed data types. 144 | -------------------------------------------------------------------------------- /src/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/greenbone/docs/193f957e79b4f6c3b37a0e9c6ee0300a40ef1acb/src/favicon.png -------------------------------------------------------------------------------- /src/glossary.md: -------------------------------------------------------------------------------- 1 | # Glossary 2 | 3 | ```{glossary} 4 | gvmd 5 | 6 | Management daemon shipped with GVM 10 and later. Abbreviation for 7 | **G**reenbone **V**ulnerability **M**anagement **D**aemon. 8 | 9 | openvassd 10 | 11 | Scanner daemon used by GVM 10 and before. It listens for incoming 12 | connections and starts scan processes to run the actual vulnerability tests. 13 | It collects the results and reports them to the management daemon. With the 14 | GVM 11 release, it has been converted to the {term}`openvas` application by 15 | removing the daemon and replacing the communication protocol. 16 | Abbreviation for **OpenVAS** **S**canner **D**aemon. 
17 | 18 | openvas 19 | 20 | Scanner application executable to run vulnerability tests against targets 21 | and to store scan results into a Redis database. Used in 22 | GVM 11 and later. It originated from the {term}`openvassd`. 23 | 24 | openvasd 25 | 26 | A new service introduced with the OpenVAS Scanner release 23.0 to execute NASL scripts and provide static version comparisons. 27 | It has an HTTP-based [API](https://greenbone.github.io/scanner-api/) to control scans and get results. 28 | The adaptation will be done in various backward-compatible ways. As of 23.0.1 `openvas` is using the `/notus` endpoint for version checks; additionally, `OpenVASD` sets up Redis and controls `openvas` for scanning. 29 | In the next phases it will gradually take over `openvas` functionality with the end goal of replacing `ospd-openvas` and `openvas` completely. 30 | 31 | OSPd 32 | 33 | A [framework](https://github.com/greenbone/ospd) for several scanner 34 | daemons speaking the {term}`Open Scanner Protocol (OSP) `. 35 | 36 | ospd-openvas 37 | 38 | An {term}`OSP ` scanner daemon managing the {term}`openvas ` 39 | executable for reporting scan results to the management daemon {term}`gvmd`. 40 | Used in GVM 11 and later. 41 | 42 | gsad 43 | 44 | A web server providing the {term}`Greenbone Security Assistant ` web 45 | application. 46 | 47 | GSA 48 | 49 | The Greenbone Security Assistant (GSA) web application to control scans and 50 | access vulnerability information via a web interface in a browser. 51 | 52 | GOS 53 | 54 | Greenbone Operating System, the operating system of the 55 | {term}`Greenbone Enterprise` Appliance. It provides the commercial version 56 | of the {term}`Greenbone Community Edition` with enterprise support and 57 | features. 58 | 59 | GSM 60 | 61 | Greenbone Security Manager (GSM) is the former name of our commercial 62 | product line {term}`Greenbone Enterprise` as hardware or virtual appliances.
63 | 64 | GMP 65 | 66 | The Greenbone Management Protocol (GMP) is an XML-based communication 67 | protocol provided by {term}`gvmd`. It provides an API to create, read, update 68 | and delete scans and vulnerability information. 69 | 70 | OSP 71 | 72 | The Open Scanner Protocol is an XML-based communication protocol provided by 73 | {term}`ospd-openvas`. It provides an API to start scans, get {term}`VT` 74 | information and to receive scan results. 75 | 76 | GVM 77 | 78 | The {term}`Greenbone Community Edition` consists of several services. This 79 | software framework has been named Greenbone Vulnerability Management (GVM) 80 | in the past. 81 | 82 | Greenbone Community Edition 83 | 84 | The Greenbone Community Edition covers the actual releases of the Greenbone 85 | application framework for vulnerability scanning and vulnerability 86 | management provided as open-source software to the community. The Greenbone 87 | Community Edition is adopted by external third parties, e.g., if the 88 | software framework is provided by a Linux distribution, it is build from the 89 | Greenbone Community Edition. It is developed as part of the commercial 90 | {term}`Greenbone Enterprise` product line. Sometimes referred to as the 91 | OpenVAS framework. 92 | 93 | Greenbone Community Containers 94 | 95 | Container images that are pre-built on [GitHub](https://github.com/greenbone) 96 | and available via [dockerhub](https://hub.docker.com/u/greenbone). These 97 | images can be used to run the newest versions of the {term}`Greenbone Community Edition` 98 | without having to care about the operating system, compiler and build 99 | tool chains. 100 | 101 | Greenbone Enterprise 102 | 103 | Greenbone Enterprise is the [Greenbone product line for on-premises solutions](https://www.greenbone.net/en/product-comparison/). 
104 | Included are virtual or hardware Greenbone Enterprise Appliances with the 105 | {term}`Greenbone Operating System (GOS)`, 106 | the {term}`Greenbone Vulnerability Management (GVM) framework `, and 107 | the {term}`Greenbone Enterprise Feed`. 108 | 109 | Greenbone Community Feed 110 | 111 | The [Greenbone Community Feed](https://www.greenbone.net/en/feed-comparison/) 112 | is the freely available feed for vulnerability information licensed as open-source. 113 | It contains basic scan configurations, report formats, port lists and the 114 | most important vulnerability tests. The provided data is updated on a daily 115 | basis with no warranty or promises for fixes or completeness. 116 | 117 | Greenbone Enterprise Feed 118 | 119 | The [Greenbone Enterprise Feed](https://www.greenbone.net/en/feed-comparison/) 120 | is the commercial feed provided by Greenbone containing additional 121 | enterprise features like vulnerability tests for enterprise products, policy 122 | and compliance checks, extensive reports formats and special scan configurations. 123 | The feed comes with a service-level agreement ensuring support, quality 124 | assurance and availability. 125 | 126 | VT 127 | 128 | Vulnerability Tests (VTs), also known as Network Vulnerability Tests 129 | (NVTs), are scripts written in the {term}`NASL` programming language to detect 130 | vulnerabilities at remote hosts. 131 | 132 | SCAP 133 | 134 | Abbreviation for [Security Content Automation Protocol](https://csrc.nist.gov/projects/security-content-automation-protocol/). 135 | It is used for providing {term}`CPE` and {term}`CVE` data via the Greenbone 136 | Enterprise and Community Feeds. 137 | 138 | CPE 139 | 140 | Abbreviation for [Common Platform Enumeration](https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/cpe). 
141 | Common Platform Enumeration (CPE) is a standardized method of describing and 142 | identifying classes of applications, operating systems, and hardware devices 143 | present among an enterprise's computing assets. 144 | 145 | CVE 146 | 147 | Abbreviation for [Common Vulnerabilities and Exposures](https://www.cve.org/). 148 | It provides unique, common identifiers for publicly known information-security 149 | vulnerabilities in publicly released software packages. 150 | 151 | notus-scanner 152 | 153 | A scanner to improve the so-called local security checks. Local security 154 | checks are comparisons of vulnerable and installed versions of a software. 155 | Before notus-scanner, all checks have been implemented in {term}`NASL` scripts 156 | and each {term}`NASL` script ran in an own openvas-scanner process. 157 | With notus-scanner, checks are run in one go per host. With the 158 | OpenVAS Scanner release 23.0 it got replaced by {term}`openvasd`. 159 | 160 | Feed 161 | 162 | The feed is a set of different files continuously delivered via 163 | {command}`rsync` and updated on a daily basis. It contains {term}`CPE`, 164 | {term}`CVE`, {term}`VT`, CERT, Port List, Report Format and Scan Config 165 | information. The feed is available in a {term}`Commercial` 166 | and {term}`Community` edition. 167 | 168 | NASL 169 | 170 | The NASL Attack Scripting Language (NASL) is a language which is part of the 171 | OpenVAS Project and interpreted by the NASL interpreter. It is a simple 172 | language with focus on detecting vulnerabilities on network devices. Therefore 173 | it provides many built-in functions to attack hosts to discover 174 | vulnerabilities. A NASL script can be either run directly with the NASL 175 | interpreter `openvas-nasl` or within a scan with {term}`openvas`. 
176 | ``` 177 | -------------------------------------------------------------------------------- /src/history.md: -------------------------------------------------------------------------------- 1 | ## Greenbone, GVM, OpenVAS and How They Are Connected 2 | 3 | When the OpenVAS project was launched, it only consisted of an engine for scanning 4 | vulnerabilities. 5 | 6 | Shortly after that, the company [Greenbone] was founded to achieve 7 | professional support for vulnerability scanning. Greenbone started to lead the 8 | development of OpenVAS, added several software components and turned OpenVAS 9 | into a vulnerability management solution while keeping the values of free 10 | software. This vulnerability management solution was later named 11 | {term}`Greenbone Vulnerability Management (GVM)` to reflect the origins and 12 | brand changes. Therefore, after the release of the OpenVAS 9 13 | framework, the following releases got named GVM. 14 | 15 | With this in mind, OpenVAS could mean 16 | 17 | - a vulnerability scanner (OpenVAS Scanner), 18 | - a name for a software framework of several components (GVM), 19 | - a software project led by the company [Greenbone] (Greenbone Source Edition), 20 | - a source code release of a vulnerability management solution (OpenVAS 9, GVM 20.08, ...), or 21 | - a community of users and developers (Greenbone Community) 22 | 23 | depending on the context. 24 | 25 | To have a unique name we decided to use the term 26 | {term}`Greenbone Community Edition` as an umbrella for all Open Source/Free 27 | Software efforts of the company Greenbone in 2022. 28 | 29 | ## History of the OpenVAS project 30 | 31 | In 2005, the developers of the vulnerability scanner Nessus decided to 32 | discontinue the work under open-source licenses and switch to a proprietary 33 | business model. 
34 | 35 | At this point, developers from Intevation and DN-Systems – the two companies 36 | which would later found the Greenbone AG – were already contributing 37 | developments to Nessus, focusing on client tools. The works were primarily 38 | supported by the German Federal Office for Information Security (BSI). 39 | 40 | In 2006, several forks of Nessus were created in response to the 41 | discontinuation of the open-source solution. Of these forks, only one has continued 42 | to show activity: OpenVAS, the Open Vulnerability Assessment System. OpenVAS was 43 | registered as a project at Software in the Public Interest, Inc. to hold and 44 | protect the domain "openvas.org". 45 | 46 | The years 2006 and 2007 brought little activity other than cleanups of the status quo. 47 | But in late 2008, the Greenbone AG, based in Osnabrück, 48 | Germany was founded to drive OpenVAS forward. Essentially, Greenbone's business 49 | plan was about 3 cornerstones: 50 | 51 | > 1. Go beyond plain vulnerability scanning towards a comprehensive 52 | > vulnerability management solution. 53 | > 2. Create a turn-key appliance product for enterprise customers. 54 | > 3. Continue the open-source concept of creating a transparent security 55 | > technology. 56 | 57 | Also in 2008, two further companies became active: Secpod from India and 58 | Security Space from Canada. Both of them had a focus on contributing 59 | vulnerability tests, and teamed up with Greenbone to start producing 60 | a reliable and up-to-date feed of vulnerability tests. This started with removing 61 | any source code and vulnerability tests where the license was not clear or not 62 | compatible. Several thousands of vulnerability tests were eliminated to get a clean 63 | starting point. Shortly after, the feed content grew quickly and steadily. 64 | 65 | In 2009, Greenbone added the first additional modules to build a vulnerability 66 | management solution. 
The web interface and the central management service were 67 | developed from scratch, with generic protocols defined as their API. At the same 68 | time, the OpenVAS scanner was carefully improved and quickly lost compatibility 69 | with its ancestor. All open-source work was branded "OpenVAS". The first 70 | "Greenbone Security Manager" appliance products entered the market in spring 2010. 71 | 72 | In the years 2010 to 2016, the commercial product was systematically improved 73 | and extended, and so were the open-source modules. The vulnerability 74 | management was extended to include daily updated security advisories, which were 75 | made available to the public with a GPL-compatible license by the German CERTs 76 | DFN-CERT and CERT-Bund, a division of the BSI. 77 | 78 | In March 2017, the OpenVAS framework reached version 9. Many new 79 | modules and numerous features were added during the release cycles. Several hundred 80 | thousand lines of code were produced and there was almost no day without a 81 | couple of released code improvements by a growing development team. 82 | 83 | The year 2017 marked the beginning of a new era: first of all, Greenbone became 84 | visible as the driving force behind OpenVAS, by introducing several naming changes. This 85 | included several activities, the most essential one being the use of the term 86 | {term}`Greenbone Vulnerability Management (GVM)` instead of "OpenVAS framework" 87 | for the releases. Since then, the OpenVAS Scanner has been only one of many modules. This 88 | led to "GVM-10" as the successor of "OpenVAS-9". There were no license changes; 89 | all modules remained free and open-source software. 90 | 91 | The second major change in 2017 involved the feed service. Apart from the 92 | branding confusion, several companies integrated the technology and feed, passing 93 | it off as their work or claiming to be an alternative to Greenbone's product at 94 | a better price.
Only a minority of them contributed to the project and properly 95 | complied with the GPL licenses. None of them cooperates with Greenbone commercially. To achieve better visibility, less misunderstanding, 96 | and better differentiation from other OpenVAS-based products, the public feed 97 | was renamed to {term}`Greenbone Community Feed` and the feed development was internalized. 98 | Furthermore, the release scheme has been changed from a 14-day delay to a daily 99 | publication without delay, now excluding vulnerability tests for enterprise products. 100 | 101 | The third major change of the new era was the transition to a modern 102 | infrastructure, namely GitHub and a community forum. The whole transition was 103 | completed in 2018 and boosted both productivity and community activity. 104 | 105 | The OpenVAS Scanner released with GVM-10 received numerous performance optimizations 106 | to meet the challenge of a growing number of vulnerability tests scanning 107 | target networks of increasing size and heterogeneity. 108 | 109 | GVM-11 introduced substantial architectural changes: the former service 110 | {term}`openvassd` was turned into a command-line tool {term}`openvas`. It is 111 | controlled by the service layer {term}`ospd-openvas`. 112 | This concept essentially replaces the old stateful, permanent and proprietary 113 | OTP (OpenVAS Transfer Protocol) with the new stateless, request-response, 114 | XML-based and generic {term}`OSP (Open Scanner Protocol)`. 115 | 116 | With [GVM 20.08](https://forum.greenbone.net/t/gvm-20-08-end-of-life-initial-release-2020-08-12/6312), 117 | the release versioning changed to [Calendar Versioning](https://calver.org/). 118 | The most important change in this release was shipping and syncing the gvmd object data 119 | consisting of the report formats, port lists, policies and scan configs with the 120 | feed.
121 | 122 | Besides removing legacy features like GMP scanners, the [21.4 release](https://forum.greenbone.net/t/gvm-21-04-end-of-life-initial-release-2021-04-16/8942) 123 | got support for CVSSv3.0/CVSSv3.1. 124 | 125 | The [Greenbone Community Edition 22.4](https://forum.greenbone.net/t/greenbone-community-edition-22-4-stable-initial-release-2022-07-25/12638) 126 | release added the Notus Scanner and removed some legacy features like support 127 | for generic OSP scanners. 128 | 129 | During 2023 the decision was taken to allow more flexible development of the 130 | components and to release them independently of each other. To allow to express 131 | software compatibility most components switched to [semantic versioning](https://semver.org/). 132 | -------------------------------------------------------------------------------- /src/images/GSA-22.4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/greenbone/docs/193f957e79b4f6c3b37a0e9c6ee0300a40ef1acb/src/images/GSA-22.4.png -------------------------------------------------------------------------------- /src/images/greenbone-community-22.4-architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/greenbone/docs/193f957e79b4f6c3b37a0e9c6ee0300a40ef1acb/src/images/greenbone-community-22.4-architecture.png -------------------------------------------------------------------------------- /src/index.md: -------------------------------------------------------------------------------- 1 | ```{eval-rst} 2 | .. 
meta:: 3 | :description lang=en: Greenbone Community Edition - Documentation 4 | :description lang=de: Greenbone Community Edition - Dokumentation 5 | :keywords: OpenVAS, Greenbone, Community, Greenbone Community Edition, GVM, Container, Docker, Documentation 6 | :property=og:locale: en_US 7 | ``` 8 | 9 | # Greenbone Community Edition – Documentation 10 | 11 | The Greenbone Community Edition covers the actual source code of the Greenbone 12 | Vulnerability Management software stack, which is also known as [OpenVAS](./history.md). 13 | 14 | It is available as regularly updated source code snapshots/release archives 15 | confirmed to work and as source code checkouts directly from the git source code 16 | repositories at [GitHub](https://github.com/greenbone/). The latter is not 17 | recommended for production scenarios as the code is edited on a daily basis and 18 | issues and incomplete functionality may appear. 19 | 20 | The sources of the Greenbone Community Edition are adopted by third parties, for 21 | example Linux distributions like Kali, Alpine, etc. 22 | 23 | This documentation covers the stable version of the Greenbone Community Edition. 24 | 25 | ```{image} _static/greenbone-banner.png 26 | ``` 27 | 28 | ```{toctree} 29 | :hidden: true 30 | 31 | background 32 | 22.4/source-build/index 33 | 22.4/container/index 34 | 22.4/kali/index 35 | faq 36 | troubleshooting 37 | glossary 38 | changelog 39 | api 40 | ``` 41 | -------------------------------------------------------------------------------- /src/troubleshooting.md: -------------------------------------------------------------------------------- 1 | # Troubleshooting 2 | 3 | This page contains hints for troubleshooting general issues with the 4 | Greenbone Community Edition. 5 | 6 | - For source build specific troubleshooting, see 7 | [Troubleshooting the source build](./22.4/source-build/troubleshooting.md). 
8 | - For community container specific troubleshooting, see [Troubleshooting the community containers](./22.4/container/troubleshooting.md). 9 | - For Kali Linux specific troubleshooting, see [Troubleshooting a Kali Linux installation](./22.4/kali/troubleshooting.md). 10 | 11 | ### Facing an issue with the Greenbone Community Edition 12 | 13 | If you have an issue with the Greenbone Community Edition because something 14 | doesn't work as expected and/or you are getting an error in the web UI, it is 15 | necessary to check the log files to get some technical hints about the issue. 16 | 17 | If something doesn't work during the scan, the {file}`/var/log/gvm/ospd-openvas.log` 18 | and {file}`/var/log/gvm/openvas.log` files should be checked for errors. 19 | 20 | Otherwise, the {file}`/var/log/gvm/gvmd.log` file needs to be inspected. 21 | 22 | Afterwards, searching for the collected error messages in the [search of our Community Forum](https://forum.greenbone.net/search) 23 | may already bring up results that resolve the issue. 24 | 25 | If no fitting results can be found, feel free to create a new topic at our 26 | [Community Forum](https://forum.greenbone.net/). A post in the forum should 27 | always contain the installation method and the version of the Greenbone 28 | Community Edition (build from source via this guide, official community 29 | containers, Kali packages, ...) and the found error message. 30 | 31 | 32 | ## My scan does not show any results 33 | 34 | After a finished scan, your report does not contain any results or errors. 35 | 36 | Some common causes when a scan does not return any results are: 37 | 38 | 1. The targets are not answering an **ICMP Echo Request** → Check the 39 | **Alive Test** setting of your target definition and try some of the other 40 | available methods.
Further reading: 41 | 42 | - [Greenbone Enterprise Appliance documentation - Hosts not found](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/scanning.html#hosts-not-found) 43 | - [Greenbone Enterprise Appliance documentation - Creating a target](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/scanning.html#creating-a-target) 44 | - [Greenbone Enterprise Appliance documentation - Alive Test](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/scanning.html#alive-test) 45 | 46 | 2. You are using a custom scan configuration which does not include the following 47 | two VTs from the **Port scanners** family. 48 | 49 | - [Nmap (NASL wrapper) - OID: 1.3.6.1.4.1.25623.1.0.14259](https://secinfo.greenbone.net/nvt/1.3.6.1.4.1.25623.1.0.14259) 50 | - [Ping Host - OID: 1.3.6.1.4.1.25623.1.0.100315](https://secinfo.greenbone.net/nvt/1.3.6.1.4.1.25623.1.0.100315) 51 | 52 | Further reading [here](https://community.greenbone.net/t/hint-self-created-scan-configs-copy-of-empty-scan-config-showing-no-results/331) 53 | 54 | 3. You are using a [port list](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/performance.html#selecting-a-port-list-for-a-task) 55 | which is not optimal for your environment: 56 | 57 | e.g., a ``All TCP and All UDP`` port list might be responsible for your 58 | port scan timing out, causing your scan to not return any results at all. 59 | It is suggested to start with a smaller port list, e.g., ``All IANA TCP``. 60 | 61 | 4. **SELinux** is enabled and blocking the scanner from doing its job. 62 | 63 | 5. You do not have **nmap** installed or not available within your **PATH**. 64 | 65 | For further debugging/logging, the mentioned **Nmap (NASL wrapper)** and 66 | **Ping Host** VTs allow to configure various settings: 67 | 68 | * Ping Host 69 | 1. **Report about unreachable Hosts** configured to **yes**: include notes 70 | if a remote host is considered as dead/not reachable, and the reason why. 71 | 2. 
**Log failed nmap calls** and **Log nmap output** configured to **yes**: 72 | Logs additional output if nmap was used. 73 | 74 | * Nmap (NASL wrapper) 75 | 1. **Log nmap output** configured to **yes**: Log additional output if nmap 76 | was used. 77 | 78 | ## OOM is killing Redis on large scans 79 | 80 | During a larger scan, the machine is running out of memory. Therefore, the Linux 81 | Out-of-Memory (OOM) killer is terminating the Redis database server and the scan 82 | gets interrupted. 83 | 84 | The problem described is not easy to solve as it can have several root causes, 85 | from known issues to usage behavior. In particular, there can be problems with 86 | vHosts and CGI caching. 87 | 88 | In general, we recommend the following: 89 | 90 | * Prevent overloading the system by adjusting the usage: 91 | * Do not start scan tasks all at once. Use schedules to start them at intervals. 92 | * Reconfigure scan targets to include less hosts. Split the hosts into more targets and tasks instead. 93 | * Do not run or schedule feed updates for times where scan tasks are running or scheduled to run. 94 | * Do not view or download large reports while scan tasks are running. 95 | 96 | * Disable vHost expansion for scans that cause problems: 97 | * Clone and edit the used scan configuration. 98 | * Set the scanner preference `expand_vhosts` to `0` and save the change. 99 | 100 | * Disable CGI caching for scans that cause problems: 101 | * Clone and edit the used scan configuration. 102 | * Navigate to the VT family *Settings*. 103 | * Edit the VT `Global Variable Settings` (OID: *1.3.6.1.4.1.25623.1.0.12288*). 104 | * Set the preference `Disable caching of web pages during CGI scanning` to `Yes` and save the change. 105 | 106 | If you think that you can narrow the problem down to a specific issue in the 107 | scanner please open an issue for the scanner at 108 | [https://github.com/greenbone/openvas-scanner/issues](https://github.com/greenbone/openvas-scanner/issues). 
109 | 110 | For support on scan configuration changes like mentioned above to reduce the 111 | memory usage during a scan please open a topic at 112 | [Scanning / scan configuration - Greenbone Community Forum](https://forum.greenbone.net/c/scanning-scan-configuration/26). 113 | 114 | ## Vulnerabilities are not found 115 | 116 | A scan report does not contain any results or some known vulnerabilities do not 117 | show up in the report. 118 | 119 | This may have several reasons. Most likely, the {term}`feed` synchronization is not 120 | finished yet. The feed data has been downloaded to the file system of the local 121 | machine but {command}`gvmd` and {command}`ospd-openvas` did not have enough resources 122 | to load them into their databases and memory yet. This can be checked on the web interface 123 | by opening the {menuselection}`SecInfo > NVTs` page to see whether {term}`VTs` 124 | are listed there and the {menuselection}`Administration > Feed Status` 125 | page to see whether a synchronization process is currently running. 
126 | 127 | If both pages are fine, you may take a look at the following sections in our 128 | product manual: 129 | - [20.2 Why Is a Service/Product Not Detected?](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/faq.html#why-is-a-service-product-not-detected) 130 | - [20.3 Why Is a Vulnerability Not Detected?](https://docs.greenbone.net/GSM-Manual/gos-22.04/en/faq.html#why-is-a-vulnerability-not-detected) 131 |
--------------------------------------------------------------------------------
/test-build-and-install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Downloads, builds and installs each Greenbone component from its GitHub
# release tag. Versions, directories and the $SUDO / $APT_* command prefixes
# are taken from test-env.sh. Every component is staged into $INSTALL_DIR
# with DESTDIR and then copied onto the root file system.
#
# NOTE(review): release archives are fetched over HTTPS, but no checksum or
# signature is verified before an archive is unpacked and built; gnupg is
# installed below yet never invoked by this script.

set -e

source ./test-env.sh

# Download the source archive of release tag v<version> of greenbone/<repo>
# into $SOURCE_DIR and unpack it there.
fetch_release() {
    local repo=$1
    local version=$2
    curl -f -L https://github.com/greenbone/$repo/archive/refs/tags/v$version.tar.gz -o $SOURCE_DIR/$repo-$version.tar.gz
    tar -C $SOURCE_DIR -xvzf $SOURCE_DIR/$repo-$version.tar.gz
}

# Compile in the current build directory, stage the result into $INSTALL_DIR
# and copy everything staged so far onto the root file system.
build_and_stage() {
    make -j$(nproc)
    make DESTDIR=$INSTALL_DIR install
    $SUDO cp -rv $INSTALL_DIR/* /
}

mkdir -p $SOURCE_DIR
mkdir -p $BUILD_DIR
mkdir -p $INSTALL_DIR

# common build tooling
$APT_UPDATE
$APT_INSTALL build-essential curl cmake pkg-config python3 python3-pip gnupg

# gvm-libs

$APT_INSTALL libglib2.0-dev libgpgme-dev libgnutls28-dev uuid-dev \
    libssh-gcrypt-dev libhiredis-dev libxml2-dev libpcap-dev libnet1-dev \
    libldap2-dev libradcli-dev

fetch_release gvm-libs $GVM_LIBS_VERSION

mkdir -p $BUILD_DIR/gvm-libs && cd $BUILD_DIR/gvm-libs

cmake $SOURCE_DIR/gvm-libs-$GVM_LIBS_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DSYSCONFDIR=/etc \
    -DLOCALSTATEDIR=/var

build_and_stage


# gvmd

$APT_INSTALL libglib2.0-dev libgnutls28-dev libpq-dev postgresql-server-dev-13 \
    libical-dev xsltproc rsync texlive-latex-extra texlive-fonts-recommended \
    xmlstarlet zip rpm fakeroot dpkg nsis gnupg gpgsm wget sshpass \
    openssh-client socat snmp python3 smbclient python3-lxml gnutls-bin

fetch_release gvmd $GVMD_VERSION

mkdir -p $BUILD_DIR/gvmd && cd $BUILD_DIR/gvmd

cmake $SOURCE_DIR/gvmd-$GVMD_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DLOCALSTATEDIR=/var \
    -DSYSCONFDIR=/etc \
    -DGVM_DATA_DIR=/var \
    -DGVMD_RUN_DIR=/run/gvmd \
    -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \
    -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \
    -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \
    -DDEFAULT_CONFIG_DIR=/etc/default \
    -DLOGROTATE_DIR=/etc/logrotate.d

build_and_stage


# gsa (built with yarn inside the source tree, no cmake step)

$APT_INSTALL nodejs yarnpkg

fetch_release gsa $GSA_VERSION

cd $SOURCE_DIR/gsa-$GSA_VERSION

rm -rf build

yarnpkg
yarnpkg build

# the built web application is copied straight into the gsad web root
$SUDO mkdir -p $INSTALL_PREFIX/share/gvm/gsad/web/
$SUDO cp -r build/* $INSTALL_PREFIX/share/gvm/gsad/web/

# gsad

$APT_INSTALL libmicrohttpd-dev libxml2-dev libglib2.0-dev libgnutls28-dev

fetch_release gsad $GSAD_VERSION

mkdir -p $BUILD_DIR/gsad && cd $BUILD_DIR/gsad

cmake $SOURCE_DIR/gsad-$GSAD_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DSYSCONFDIR=/etc \
    -DLOCALSTATEDIR=/var \
    -DGVMD_RUN_DIR=/run/gvmd \
    -DGSAD_RUN_DIR=/run/gsad \
    -DLOGROTATE_DIR=/etc/logrotate.d

build_and_stage


# openvas-smb

$APT_INSTALL gcc-mingw-w64 libgnutls28-dev libglib2.0-dev libpopt-dev \
    libunistring-dev heimdal-dev perl-base

fetch_release openvas-smb $OPENVAS_SMB_VERSION

mkdir -p $BUILD_DIR/openvas-smb && cd $BUILD_DIR/openvas-smb

cmake $SOURCE_DIR/openvas-smb-$OPENVAS_SMB_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release

build_and_stage


# openvas-scanner

$APT_INSTALL bison libglib2.0-dev libgnutls28-dev libgcrypt20-dev libpcap-dev \
    libgpgme-dev libksba-dev rsync nmap python3-impacket libsnmp-dev

fetch_release openvas-scanner $OPENVAS_SCANNER_VERSION

mkdir -p $BUILD_DIR/openvas-scanner && cd $BUILD_DIR/openvas-scanner

cmake $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION \
    -DCMAKE_INSTALL_PREFIX=$INSTALL_PREFIX \
    -DCMAKE_BUILD_TYPE=Release \
    -DSYSCONFDIR=/etc \
    -DLOCALSTATEDIR=/var \
    -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
    -DOPENVAS_RUN_DIR=/run/ospd

build_and_stage


# ospd-openvas (Python package, installed with pip into the staging root)

$APT_INSTALL python3 python3-pip python3-setuptools python3-packaging \
    python3-wrapt python3-cffi python3-psutil python3-lxml python3-defusedxml \
    python3-paramiko python3-redis

fetch_release ospd-openvas $OSPD_OPENVAS_VERSION

cd $SOURCE_DIR/ospd-openvas-$OSPD_OPENVAS_VERSION

python3 -m pip install . \
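--prefix=$INSTALL_PREFIX --root=$INSTALL_DIR --no-warn-script-location

$SUDO cp -rv $INSTALL_DIR/* /

--------------------------------------------------------------------------------
/test-env.sh:
--------------------------------------------------------------------------------
# Shared environment for the test scripts; meant to be sourced, not executed.
# Defines the privilege prefix ($SUDO), the apt command lines, the systemd
# flag, the directory layout and the component versions.

# When already root, commands run directly; otherwise they go through sudo.
if [ "$(id -u)" -eq 0 ]; then
    SUDO=""
    APT_UPDATE="apt update"
    APT_INSTALL="apt install -y --no-install-recommends --no-install-suggests"
else
    SUDO=sudo
    APT_UPDATE="sudo apt update"
    APT_INSTALL="sudo apt install -y --no-install-recommends --no-install-suggests"
fi

# HAS_SYSTEMD gates every systemctl call in test-setup.sh, so it has to say
# whether systemd is actually running as the service manager, not merely
# whether a systemd binary is installed. /run/systemd/system exists only on
# a system booted with systemd (the check sd_booted(3) documents).
HAS_SYSTEMD=1
[ -d /run/systemd/system ] || HAS_SYSTEMD=0

export INSTALL_PREFIX=/usr/local
export PATH=$PATH:$INSTALL_PREFIX/sbin

export SOURCE_DIR=$HOME/source
export BUILD_DIR=$HOME/build
export INSTALL_DIR=$HOME/install

export GVM_VERSION=21.4.4
export GVM_LIBS_VERSION=$GVM_VERSION
export GVMD_VERSION=21.4.5
export GSA_VERSION=$GVM_VERSION
export GSAD_VERSION=$GVM_VERSION
export OPENVAS_SMB_VERSION=21.4.0
export OPENVAS_SCANNER_VERSION=$GVM_VERSION
export OSPD_OPENVAS_VERSION=$GVM_VERSION

--------------------------------------------------------------------------------
/test-setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Post-install setup for the test build: creates the gvm service account,
# configures Redis and PostgreSQL, fixes ownership and modes of the runtime
# directories, creates the first web user and, when systemd is running,
# installs and starts the service units.
#
# Optional environment:
#   GVM_ADMIN_PASSWORD  password for the "admin" web user (default: admin)

set -e

source ./test-env.sh

$APT_INSTALL sudo

# NOTE(review): -G sudo puts the gvm service account into the sudo group.
# The account has no login shell, but whether it needs sudo at all should be
# confirmed against the narrower sudoers rule the scanner actually requires.
$SUDO useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm

$SUDO usermod -aG gvm $USER

# NOTE(review): su starts a new shell for $USER; the remaining commands run
# only after that shell exits, and they run in this script's process, which
# presumably does not pick up the new group membership - verify.
su $USER

# setup redis

$APT_INSTALL redis-server

# The scanner sources are unpacked as openvas-scanner-$OPENVAS_SCANNER_VERSION
# by test-build-and-install.sh, so the same variable is used here.
$SUDO cp $SOURCE_DIR/openvas-scanner-$OPENVAS_SCANNER_VERSION/config/redis-openvas.conf /etc/redis/
$SUDO chown redis:redis /etc/redis/redis-openvas.conf
echo "db_address = /run/redis-openvas/redis.sock" | $SUDO tee -a /etc/openvas/openvas.conf

# gvm needs redis group membership to reach the Redis unix socket
$SUDO usermod -aG redis gvm

# adjust permissions
for dir in /var/lib/gvm /var/lib/openvas /var/log/gvm /run/gvmd /run/gsad /run/ospd; do
    $SUDO chown -R gvm:gvm "$dir"
done

# group read/write plus setgid, so new files keep the gvm group
for dir in /var/lib/gvm /var/lib/openvas /var/log/gvm; do
    $SUDO chmod -R g+srw "$dir"
done

# Mode 6750 sets setuid and setgid: gvmd runs with the identity of gvm:gvm
# for any caller in the gvm group, and is not executable by others.
$SUDO chown gvm:gvm /usr/local/sbin/gvmd
$SUDO chmod 6750 /usr/local/sbin/gvmd

# feed sync scripts: owned by gvm, not executable by others
$SUDO chown gvm:gvm /usr/local/bin/greenbone-nvt-sync
$SUDO chmod 740 /usr/local/sbin/greenbone-feed-sync
$SUDO chown gvm:gvm /usr/local/sbin/greenbone-*-sync
$SUDO chmod 740 /usr/local/sbin/greenbone-*-sync

# postgres
$APT_INSTALL postgresql

if [ $HAS_SYSTEMD -eq 1 ]; then
    $SUDO systemctl start postgresql@13-main
else
    # same privilege prefix as every other administrative command here
    $SUDO pg_ctlcluster 13-main start
fi

# The gvm role owns the gvmd database and is granted the superuser role dba
# (created with noinherit).
sudo -u postgres createuser -DRS gvm
sudo -u postgres createdb -O gvm gvmd
sudo -u postgres psql gvmd -c 'create role dba with superuser noinherit;'
sudo -u postgres psql gvmd -c 'grant dba to gvm;'
sudo -u postgres psql gvmd -c 'create extension "uuid-ossp";'
sudo -u postgres psql gvmd -c 'create extension "pgcrypto";'

# setup gvmd
# The password defaults to "admin" for throwaway test systems and can be
# overridden with GVM_ADMIN_PASSWORD. It is passed on the command line, so it
# is visible in the process list while gvmd runs.
gvmd --create-user=admin --password="${GVM_ADMIN_PASSWORD:-admin}"

# Point the Feed Import Owner setting at the admin user's UUID. The user name
# is matched exactly, so another user whose name merely contains "admin"
# cannot end up in the value.
admin_uuid=$(gvmd --get-users --verbose | awk '$1 == "admin" {print $2}')
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value "$admin_uuid"

# start services
if [ $HAS_SYSTEMD -eq 1 ]; then
    $SUDO systemctl start redis-server@openvas.service
    $SUDO systemctl enable redis-server@openvas.service

    cat << EOF > $BUILD_DIR/ospd-openvas.service
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service
Wants=redis-server@openvas.service
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF

    $SUDO cp $BUILD_DIR/ospd-openvas.service /etc/systemd/system/

    cat << EOF > $BUILD_DIR/gvmd.service
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/run/gvmd/gvmd.pid
RuntimeDirectory=gvmd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
EOF

    $SUDO cp $BUILD_DIR/gvmd.service /etc/systemd/system/

    # gsad listens on 127.0.0.1:9392 and, with --http-only, serves plain HTTP.
    cat << EOF > $BUILD_DIR/gsad.service
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=forking
User=gvm
Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
EOF

    $SUDO cp $BUILD_DIR/gsad.service /etc/systemd/system/

    $SUDO systemctl daemon-reload

    $SUDO systemctl enable ospd-openvas
    $SUDO systemctl enable gvmd
    $SUDO systemctl enable gsad

    $SUDO systemctl start ospd-openvas
    $SUDO systemctl start gvmd
    $SUDO systemctl start gsad
else
    # likely in docker container: no service manager, nothing is started.
    # The no-op is required; bash rejects an else branch that holds only a
    # comment, which would make this whole if statement a syntax error.
    :
fi
--------------------------------------------------------------------------------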