GVM versions
gsa: (‘9.0.0’)
gvm: (‘9.0.0’)
openvas-scanner: (7.0.0’)
**gvm-libs:11.0.0
Environment
**Operating system:Debian 10
Kernel: (‘uname -a’)
Installation method / source:
I successfully installed GSE on a non-root directory /opt/gvm. Installation completes fine, and I set the option cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm … during build.
I am able to start PSQL, Redis socket, create an admin user with --create-user=admin and even update the NVT, cert and scap data.
The certificate chain was created with /opt/gvm/bin/gvm-manage-certs -a and the verification is successful, with the correct paths under /opt/gvm:
===> Checking certificates
OK: Directory for keys (/opt/gvm/var/lib/gvm/private/CA) exists.
OK: Directory for certificates (/opt/gvm/var/lib/gvm/CA) exists.
OK: CA key found in /opt/gvm/var/lib/gvm/private/CA/cakey.pem
OK: CA certificate found in /opt/gvm/var/lib/gvm/CA/cacert.pem
OK: CA certificate verified.
OK: Certificate /opt/gvm/var/lib/gvm/CA/servercert.pem verified.
OK: Certificate /opt/gvm/var/lib/gvm/CA/clientcert.pem verified.
However, when trying to start gymd with the following command:
su - gvm sh -c "/opt/gvm/sbin/gvmd -v --listen=192.168.1.100 --port=9391 --osp-vt-update=/opt/gvm/var/run/ospd.sock"
I obtain the following error(s):
md main:MESSAGE:2020-04-03 10h50.02 utc:131: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
md manage:WARNING:2020-04-03 10h50.02 utc:133: database must be initialised from scanner
md manage:MESSAGE:2020-04-03 10h50.02 utc:133: No SCAP database found
md manage:MESSAGE:2020-04-03 10h50.02 utc:133: No CERT database found
util gpgme:MESSAGE:2020-04-03 10h50.03 utc:133: Setting GnuPG dir to ‘/opt/gvm/var/lib/gvm/gvmd/gnupg’
util gpgme:MESSAGE:2020-04-03 10h50.03 utc:133: Created GnuPG dir ‘/opt/gvm/var/lib/gvm/gvmd/gnupg’
util gpgme:MESSAGE:2020-04-03 10h50.03 utc:133: Using OpenPGP engine version ‘2.2.12’
util gpgme: INFO:2020-04-03 10h50.03 utc:133: starting key generation …
util gpgme: INFO:2020-04-03 10h50.03 utc:133: OpenPGP key ‘GVM Credential Encryption’ has been generated
lib serv:WARNING:2020-04-03 10h50.03 utc:133: server_new_internal: failed to set credentials key file: Error while reading file.
lib serv:WARNING:2020-04-03 10h50.03 utc:133: server_new_internal: cert file: /opt/gvm/var/lib/gvm/CA/servercert.pem
lib serv:WARNING:2020-04-03 10h50.03 utc:133: server_new_internal: key file : /opt/gvm/var/lib/gvm/private/CA/serverkey.pem
md main:CRITICAL:2020-04-03 10h50.03 utc:133: gvmd: client server initialisation failed
Any help/pointers are welcome! As far as I know my configuration is correct, but I am not able to start GVMD.
Thanks,
Inés
Looks like your installation is broken. You need to setup & run GVM in the following order:
Build in order from source:
Build openvas-smb
Build gvm-libs
Build gvmd
Build openvas, ospd-openvas, ospd
Build gsa
Then; setup GVM certs infrastructure:
gvm-manage-certs -a
Setup PostGreSQL database:
sudo -u postgres bash
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension “uuid-ossp”;
exit
exit
\q
Start gvmd, ospd-openvas
systemctl start gvmd
systemctl start ospd-openvas
Update Feeds
greenbone-scapdata-sync
greenbone-certdata-sync
greenbone-nvt-sync
1 Like
And pay attention to the permission. Your whole installation of GVM should be done in specific directory owned by the user gvm will run as. On your post upon, it looks like your certificates were generated by another user and are not available to the user running gvmd.
2 Likes
You may also want to check this guide; very useful on debian: https://sadsloth.net/post/install-gvm11-src_part1/
1 Like
Hi tatooin,
Thanks for your quick answer. I’ve solved the permission user and I am able to start GSA with an HTTP connection. However, I am not able to configure it to work on HTTPS.
I installed the certificates with gvm-manage-certs -a as “gvm” user, and verification completes OK.
This is how I am launching ospd-openvas, gvmd and gsa:
ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /tmp/ospd.sock --log-level INFO
---- wait for /tmp/ospd.sock to be listening, and set 666 permissions
su -c “gvmd -v --listen=192.168.1.100 --port=9390 --osp-vt-update=/tmp/ospd.sock” gvm
su -c “gsad --verbose --mlisten=192.168.1.100 --mport=9390” gvm
I get the following errors on the logs:
gvm-master | ==> /usr/local/var/log/gvm/gsad.log <==
gvm-master | gsad main:MESSAGE:2020-04-06 08h55.10 utc:464: Starting GSAD version 9.0
gvm-master | gsad main:WARNING:2020-04-06 08h55.10 utc:465: Binding to port 443 failed, trying default port 9392 next.
gvm-master | ==> /usr/local/var/log/gvm/gvmd.log <==
gvm-master | md main:WARNING:2020-04-06 08h55.07 utc:422: gvmd: Another process is busy starting up
gvm-master | md manage:WARNING:2020-04-06 08h55.07 utc:418: database must be initialised from scanner
gvm-master | md manage: INFO:2020-04-06 08h55.08 utc:442: sync_scap: Updating data from feed
gvm-master | md manage: INFO:2020-04-06 08h55.08 utc:442: Updating CPEs
gvm-master | md main:MESSAGE:2020-04-06 08h55.08 utc:451: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
gvm-master | md manage: INFO:2020-04-06 08h55.08 utc:451: Getting users.
gvm-master | md manage:WARNING:2020-04-06 08h55.08 utc:451: database must be initialised from scanner
gvm-master | md main:MESSAGE:2020-04-06 08h55.09 utc:458: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
gvm-master | md manage: INFO:2020-04-06 08h55.09 utc:458: Getting users.
gvm-master | md manage:WARNING:2020-04-06 08h55.09 utc:458: database must be initialised from scanner
==> /usr/local/var/log/gvm/gsad.log <==
gvm-master | gsad main:WARNING:2020-04-06 08h55.10 utc:467: main: start_http_daemon redirect failed !
Port 443 (https) is a privileged port; it can only be binded with root privileges. That’s the reason why you should run gsad via systemd. The process is then started as root to open the privileged port, and then drop it’s privileges to the normal user. Assuming the user gsad should run as is gvmd, you must have a gsad.service system file in your /etc/systemd/system directory.
The gsad.service should contain this:
[Unit]
Description=Job that runs the gsa daemon
Documentation=man:gsa
After=postgresql.service
[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm -p 443 -k /opt/gvm/var/lib/gvm/private/CA/serverkey.pem -c /opt/gvm/var/lib/gvm/CA/servercert.pem --timeout=3600 --munix-socket=/opt/gvm/var/run/gvmd.sock
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Then enable this service file with:
sudo systemctl enable gsad
Then start gsad with:
sudo systemctl start gsad
Also you should not use /tmp folder to store your ospd socket. Use /opt/gvm/var/run instead, as explained in the documentation. Using /tmp is likely to create you troubles. So you should start gvmd like this:
gvmd -v --listen=192.168.1.100 --port=9390 --osp-vt-update=/opt/gvm/var/run/ospd.sock
Again create a systemd file for this purpose too (see the slashdot tutorial again).
It seems also you did not use the " -DCMAKE_INSTALL_PREFIX=/opt/gvm" flag before building your sources. GSAD should not use /usr/local/var/log/gvm to create it’s logfile, it’s likely to create you permissions problems. Same for gvmd.log file. Again; build everything under the gvm user in /opt/gvm source tree. Failing to do this will take you to permission problems.
1 Like