Configuring Redis for OpenVAS Scanner

gsad: (‘gsad --version’): not installed yet
gvmd: (‘gvmd --version’): 21.4.4
openvas-scanner: (‘openvas --version’, in older GVM versions < 11: ‘openvassd --version’)
gvm-libs:

Environment

Operating system: Debian Linux
Kernel: Linux debian-gvm 5.10.0-7-amd64 #1 SMP Debian 5.10.40-1 (2021-05-28) x86_64 GNU/Linux
Installation method / source: Installation docs: Building GVM 21.04 — Greenbone Documentation documentation

I’m currently at the System Setup stage of building from source according to the documentation. Thanks for previous advice to get me to this stage.
My question is about the following segment of code from the documentation:

sudo chown -R gvm:gvm /var/lib/gvm
sudo chown -R gvm:gvm /var/lib/openvas
sudo chown -R gvm:gvm /var/log/gvm
sudo chown -R gvm:gvm /run/gvm
sudo chmod -R g+srw /var/lib/gvm
sudo chmod -R g+srw /var/lib/openvas
sudo chmod -R g+srw /var/log/gvm

sudo chown gvm:gvm /usr/local/sbin/gvmd
sudo chmod 6750 /usr/local/sbin/gvmd

sudo chown gvm:gvm /usr/local/bin/greenbone-nvt-sync
sudo chmod 740 /usr/local/sbin/greenbone-feed-sync
sudo chown gvm:gvm /usr/local/sbin/greenbone-*-sync
sudo chmod 740 /usr/local/sbin/greenbone-*-sync

The files are all not found. Why does this happen? Is there problem with the installation? Everthing seemed to complete OK.

The files I can find are:

/usr/local/bin/ospd-openvas
/usr/local/bin/ospd-openvas/winexe
/usr/local/bin/ospd-openvas/wmic

and several files in /usr/local/lib

Thanks for help understanding the build process!

OK, I found out the problem.

When make and install each package these lines from the install manual cause problem:

make -j$(nproc)
make DESTDIR=$INSTALL_DIR install
sudo cp -rv $INSTALL_DIR/* /
rm -rf $INSTALL_DIR/*

this works:

make -j$(nproc)
make install
rm -rf $INSTALL_DIR/*

I was able to change all the permissions successfully and create a user with password.

You need to follow the guide closely. In your case it seems you either didn’t set INSTALL_DIRECTORY, or the INSTALL_DIRECTORY is not accessible by your current user. Could you please paste the actual error here?

1 Like

I’m building with ‘root’ user first until I get a good build, then will attempt with non-root user.
Yes, INSTALL_DIR is set.

# echo $INSTALL_DIR
/root/install

I know this because every time I run make -j(nproc) I will find files in the /root/install directory. But when I run

make DESTDIR=$INSTALL_DIR install
sudo cp -rv $INSTALL_DIR/* /

the files don’t install. Then, I end up delete them again with the next command rm -rf $INSTALL_DIR/*

However, when I just run make install instead of make DESTDIR=$INSTALL_DIR install then everything seems to end up in the right place.

All the permission setting commands worked without error after that. Before they would give error

"chmod: cannot access '<filename>': No such file or directory"

Everything else worked fine. Now I’m syncing the feeds, but last time I had problem that the services would not start… The manual says:

Please be aware, even if the systemctl start commands are returning immediately, the first startup of the services may take several minutes or even hours!

At the first start the scanner needs to load all VTs into Redis and gvmd must process the CERT and SCAP data.

So, I’m not sure what will happen? I tried last time but when starting the services I get timeout error.

I don’t understand why you are trying to build with root and afterwards with a non privileged user. Just use an unprivileged user from the beginning. The guide advises this also. You need to be aware that running make can do EVERYTHING on your machine. It’s like running a random script from somewhere in the internet. Restricting the permissions while running make is a good thing!

Nevertheless if you are already root you don’t need to become root via sudo to copy the files into the destination directory of course.

1 Like

The reason I’m building with root is because I have not had a successful build after 3-4 attempts. So, I want to save some time and try to get it working. So, with root, I can put some parts of the process into a script and save time.

Now I got to the section in the manual to start the service sudo systemctl start ospd-openvas:

SO, I have tried to start the first service. But it will show like below:

# systemctl status ospd-openvas
● ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
     Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) since Thu 2021-12-16 08:37:25 UTC; 2s ago
       Docs: man:ospd-openvas(8)
             man:openvas(8)
    Process: 4019 ExecStart=/usr/local/bin/ospd-openvas --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file>
   Main PID: 4021 (code=exited, status=0/SUCCESS)
        CPU: 572ms

So, I don’t know is it supposed to be like this? It says
Active: activating (auto-restart) (Result: protocol) since Thu 2021-12-16 08:38:26 UTC; 50s ago

and keeps resetting the time.

The good news is that I have two services running:

$ sudo systemctl status gvmd
● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd)
     Loaded: loaded (/etc/systemd/system/gvmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-12-16 08:44:34 UTC; 3min 11s ago
       Docs: man:gvmd(8)
    Process: 4096 ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm (code=exited, status=0/SUCCESS)
   Main PID: 4097 (gvmd)
      Tasks: 3 (limit: 2340)
     Memory: 768.7M
        CPU: 2min 33.239s
     CGroup: /system.slice/gvmd.service
             ├─4097 gvmd: Waiting for incoming connections
             ├─4116 gpg-agent --homedir /var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
             └─4126 gvmd: Syncing SCAP: Updating CPEs

Dec 16 08:44:31 debian-gvm systemd[1]: Starting Greenbone Vulnerability Manager daemon (gvmd)...
Dec 16 08:44:31 debian-gvm systemd[1]: gvmd.service: Can't open PID file /run/gvm/gvmd.pid (yet?) after start: Operation not permitted
Dec 16 08:44:34 debian-gvm systemd[1]: Started Greenbone Vulnerability Manager daemon (gvmd).

$ sudo systemctl status gsad
● gsad.service - Greenbone Security Assistant daemon (gsad)
     Loaded: loaded (/etc/systemd/system/gsad.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-12-16 08:45:29 UTC; 2min 37s ago
       Docs: man:gsad(8)
             https://www.greenbone.net
    Process: 4160 ExecStart=/usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only (code=exited, status=0/SUCCESS)
   Main PID: 4161 (gsad)
      Tasks: 2 (limit: 2340)
     Memory: 2.1M
        CPU: 26ms
     CGroup: /system.slice/gsad.service
             └─4161 /usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only

Dec 16 08:45:29 debian-gvm systemd[1]: Starting Greenbone Security Assistant daemon (gsad)...
Dec 16 08:45:29 debian-gvm gsad[4160]: Oops, secure memory pool already initialized
Dec 16 08:45:29 debian-gvm systemd[1]: gsad.service: Can't open PID file /run/gvm/gsad.pid (yet?) after start: Operation not permitted
Dec 16 08:45:29 debian-gvm systemd[1]: Started Greenbone Security Assistant daemon (gsad).

but one service will not start:

Dec 16 08:53:46 debian-gvm systemd[1]: Failed to start OSPd Wrapper for the OpenVAS Scanner (ospd-openvas).
$ tail ospd-openvas.log
OSPD[4389] 2021-12-16 08:54:47,626: INFO: (ospd.main) Shutting-down server ...
OSPD[4417] 2021-12-16 08:55:49,076: WARNING: (ospd_openvas.openvas) Could not gather openvas settings. Reason Command '['openvas', '-s']' returned non-zero exit status 127.
OSPD[4417] 2021-12-16 08:55:49,143: ERROR: (ospd_openvas.daemon) openvas executable not available. Please install openvas into your PATH.

So, I think I can install OpenVas again?

openvas -s
openvas: error while loading shared libraries: libopenvas_nasl.so.21: cannot open shared object file: No such file or directory