Install OpenVAS 5 in Ubuntu 12.04

OpenVAS 5 installation can be a little confusing for those not familiar with the different OpenVAS components. Making it even more so is a little problem with libgnutls that is causing many people more than a little frustration.

This guide will step you through the installation of OpenVAS 5 on Ubuntu 12.04.

Previously this guide involved a a hack to get OpenVAS working. However the latest packages now work correctly with no dodgy hacks. This is a step by step guide that mostly follows the installation instructions from the OpenVAS project.

Here is an excellent diagram from the openvas project that covers the different OpenVAS components and where they fit in. The page also contains additional information and mentions the library libgnutls package that caused some problems with TLS that has been resolved with the latest package updates.

First step is to install Ubuntu 12.04 x64 server from iso to a Virtualbox machine. I have used default settings on Virtualbox for a Linux Ubuntu machine (I did upgrade the RAM to 1024mb, if you have lots bump it up).

During the installation of Ubuntu server all defaults were selected, I also selected install openssh server. 10 minutes later I have a nice clean Ubuntu server install ready to go.

Now for the installation of OpenVAS 5. Grab the packages from OpenVAS project site. Note I will use the .deb packages downloaded manually. There is an option to configure OBS repository for apt-get installation.

The server install of Ubuntu has no desktop, so from the terminal use wget to grab the packages.

wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/greenbone-security-assistant_3.0.3-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/libmicrohttpd10_0.9.21-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/libopenvas5_5.0.3-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-cli_1.1.5-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-administrator_1.2.1-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-manager_3.0.3-1_amd64.deb
wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/openvas-scanner_3.3.1-1_amd64.deb

No need for the GUI Greenbone Security Desktop (although we will likely want to download and run this from our client machines using Linux or Windows).

wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/amd64/gsd_1.2.2-1_amd64.deb

Next step is to install a couple of extra packages that are required for OpenVAS.

apt-get install libgpgme11 libpth20 sqlite3 xsltproc nmap

Then install the different OpenVAS components that we downloaded.

dpkg -i greenbone-security-assistant_3.0.3-1_amd64.deb openvas-administrator_1.2.1-1_amd64.deb libmicrohttpd10_0.9.21-1_amd64.deb openvas-cli_1.1.5-1_amd64.deb libopenvas5_5.0.3-1_amd64.deb openvas-manager_3.0.3-1_amd64.deb

Since we are building a server based system for vulnerability scanning, we will be accessing the server components over the network. To change the default listen address from 127.0.0.1 localhost to the IP address of the local network interface we will change settings in these files.

root@ubuntu:~# vi /etc/default/greenbone-security-assistant 
root@ubuntu:~# vi /etc/default/openvas-manager 
root@ubuntu:~# vi /etc/default/greenbone-security-assistant 
root@ubuntu:~# vi /etc/default/openvas-administrator 
root@ubuntu:~# vi /etc/default/openvas-scanner

The init.d start scripts use these files to get the parameters for starting of the services.

The following steps are the straight from the OpenVAS project website, it involves setting up the certificates and creating the users.

test -e /var/lib/openvas/CA/cacert.pem  || sudo openvas-mkcert -q
sudo openvas-nvt-sync
test -e /var/lib/openvas/users/om || sudo openvas-mkcert-client -n om -i
sudo /etc/init.d/openvas-manager stop
sudo /etc/init.d/openvas-scanner stop
sudo openvassd
sudo openvasmd --migrate
sudo openvasmd --rebuild
sudo killall openvassd
sleep 15
sudo /etc/init.d/openvas-scanner start
sudo /etc/init.d/openvas-manager start
sudo /etc/init.d/openvas-administrator restart
sudo /etc/init.d/greenbone-security-assistant restart
test -e /var/lib/openvas/users/admin || sudo openvasad -c add_user -n admin -r Admin

It is likely that starting greenbone-security-assistant resulted in an error. This I believe is due to a TLS issue in libmicrohttpd. Note that GSAD is only required if you wish to use the web client, it is not necessary to run the GSD (Greenbone Security Desktop Client) and the OMP (command line client).

root@ubuntu:~# /etc/init.d/greenbone-security-assistant start
Starting Greenbone Security Assistant: ERROR.

To make this work we will disable HTTPS under gsad. Take note that this means the openvas username and password are transmitted over HTTP (unencrypted) when logging into gsad.

Edit and add --http-only to the execute command like so:

Change the line in /etc/init.d/greenbone-security-assistant from:

start_daemon() {
        start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS 2>&1 >/dev/null

to:

start_daemon() {
        start-stop-daemon --start --exec $DAEMON -- $DAEMONOPTS --http-only 2>&1 >/dev/null

Restarting greenbone security administrator, may now still result in an error but if you execute netstat -anp you will see that gsad is now running on 9392.

If all went well we should be able to use the omp command line client to authenticate against the OpenVAS manager. To do this the following command queries the manager and lists all tasks.

omp -h 192.168.1.3 -p 9390 -u admin -w admin -T -v
---- snip lots of xml -----
b493b7a8-7489-11df-a3ec-002264764cea  Localhost
Command completed successfully.

This indicates that the OpenVAS manager is working, and we have gotten past the libgnutls problem.

Now when connecting to http://192.168.1.3:9392/ in the browser, we are able to access the GSAD login screen. OpenVAS is now working and we can access the scanner via either the gsad web client, the gsd local client or the omp command line client.

Here are some screenshots showing our success. Note that since the OpenVAS server has no desktop we have installed gsd on an Ubuntu workstation and connect to 192.168.1.3 over the network.

A note about the OpenVAS configuration File
The openvas scanner has a configuration file /etc/openvas/openvas.conf however in a default installation of the Ubuntu packages this is not present after installation.

The file can be created from the running openvassd.

openvassd -s

This shows the current running configuration, so simply redirect the output from that command to a new file /etc/openvas/openvas.conf and you then have a configuration that can be modified to suit your requirements. Restart openvassd to have the configuration file read in.

While you are here take a look at the online openvas scanner and Free Nmap scan options. Having access to some remote internet scanners might just be a handy additional to your security testing arsenal.

Share this Post
Share on FacebookTweet about this on TwitterShare on Google+Share on StumbleUpon

,

  • wytcld

    That’s “libgnutls26” to be removed.

    • Thanks for the correction, guide is now updated. No need for libgnutls26 hacks. 🙂

      • Juan Machado

        Do you have an update for V6 or V7 in Ubuntu 13.04? Thanks

  • IT-säkerhetsföreningen SNSC

    Thanks so much for a great instruction, but you missed dpkg -i openvas-scanner_3.3.1-1_amd64.deb Best regard T

  • paetechie

    i tried this many times but still getting an error on greenbone 🙁 is the libmicrohttpd still the culprit?

  • OJ LaBoeuf

    the reason greenbone still says error is because of a bug in the init script.

    If you change the line where it compares $cmd to $name to $daemon instead the test will succeed.

    #No gsad?
    [ “$cmd” != “$DAEMON” ] && return 1

    fixed it for me. Also i added –http-only to DAEMONOPTS in /etc/default/greenbone-security-assistant

    and changed

    [ “$GSA_ADDRESS” ] && DAEMONOPTS=”$DAEMONOPTS –listen=$GSA_ADDRESS”

    that way it doesn’t clobber the setting from default as appropriate.

  • Mig Uel

    Thank you, and thanks to the user in the comments OJ LaBoeuf, it worked. 🙂

  • Jamie Mack

    Unfortunately it seems that this issue still persists with Ubuntu server 12.04.01LTS AMD64 – Greenbone security gives the message “Authentication configuration could not be loaded.” in the log files. Everything i’ve seen online points to the fact that libgnutls26 should be < 2.12 ideally 2.10 from Oneric however I can't work out how to downgrade this package only. Can you please include your previous hack back into the page for reference?

  • Patrick LaRoche

    After following these instruction for Ubuntu 12.04, I can get the web site up, but upon logging in I get “Login failed. OMP service is down.”

    The “omp” command listed as the last step results in”:
    WARNING: Verbose mode may reveal passwords!

    Will try to connect to host 192.168.86.145, port 9390…
    lib xml-Message: asking for 1048576

    lib xml-Message: <=

  • adrian

    Same error as Patrick, have you got arounf this yet?

  • dragar

    same error with OMP service is down. Is there any solution? Is this guide dead?

    • Ammar Soleimani

      do this :

      After that you have to create a client certificate
      using the openvas-mkcert-client tool. If -n is specified the tool
      doesn’t ask any questions and creates a certificate for the user “om”.
      The -i parameter installs the certificate to be used with the OpenVAS
      manager.

      sudo openvas-mkcert-client -n om -i

      http://samiux.blogspot.com/2013/05/howto-openvas-on-ubuntu-desktop-1204-lts.html

  • angryrob

    I had the same OMP issue but have it fixed now. Here is what i did to fix.

    Remove the spaces after http:// and download.opensuse.

    sudo add-apt-repository “deb http:// download.opensuse .org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/ ./”
    wget -q http:// download.opensuse .org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/Release.key -O- | sudo apt-key add –
    apt-get update
    apt-get dist-upgrade

    This is how i have my /etc/rc.local set up. (I am just running Ubuntu Server with no GUI)

    echo “Starting OpenVAS Scanner Daemon…”
    /usr/sbin/openvassd && echo [ OK ]
    echo “Starting OpenVAS Manager Daemon…”
    /usr/sbin/openvasmd && echo [ OK ]
    echo “Starting OpenVAS Administrator Daemon…”
    /usr/sbin/openvasad && echo [ OK ]
    echo “Starting Greenbone Security Assistant Web Interface…”
    /usr/sbin/gsad –http-only && echo [ OK ]
    echo “Downloading NVT Updates…”
    /usr/sbin/openvas-nvt-sync && echo [ OK ]
    exit 0

    Then follow the steps for recreating the certificates and rebooted the machine. After that I was able to log into Greenbone.

  • Ronald Migahil Rodriguez

    Thank you very much, now is working fine with Debian 8.2