**Operating system:** Debian 10
Kernel: (‘uname -a’)
Installation method / source:
I successfully installed GSE in a non-root directory, /opt/gvm. Installation completes fine, and I set the option cmake -DCMAKE_INSTALL_PREFIX=/opt/gvm … during build.
I am able to start PSQL, Redis socket, create an admin user with --create-user=admin and even update the NVT, cert and scap data.
The certificate chain was created with /opt/gvm/bin/gvm-manage-certs -a and the verification is successful, with the correct paths under /opt/gvm:
===> Checking certificates
OK: Directory for keys (/opt/gvm/var/lib/gvm/private/CA) exists.
OK: Directory for certificates (/opt/gvm/var/lib/gvm/CA) exists.
OK: CA key found in /opt/gvm/var/lib/gvm/private/CA/cakey.pem
OK: CA certificate found in /opt/gvm/var/lib/gvm/CA/cacert.pem
OK: CA certificate verified.
OK: Certificate /opt/gvm/var/lib/gvm/CA/servercert.pem verified.
OK: Certificate /opt/gvm/var/lib/gvm/CA/clientcert.pem verified.
However, when trying to start gvmd with the following command:
su - gvm sh -c "/opt/gvm/sbin/gvmd -v --listen=192.168.1.100 --port=9391 --osp-vt-update=/opt/gvm/var/run/ospd.sock"
I obtain the following error(s):
md main:MESSAGE:2020-04-03 10h50.02 utc:131: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
md manage:WARNING:2020-04-03 10h50.02 utc:133: database must be initialised from scanner
md manage:MESSAGE:2020-04-03 10h50.02 utc:133: No SCAP database found
md manage:MESSAGE:2020-04-03 10h50.02 utc:133: No CERT database found
util gpgme:MESSAGE:2020-04-03 10h50.03 utc:133: Setting GnuPG dir to ‘/opt/gvm/var/lib/gvm/gvmd/gnupg’
util gpgme:MESSAGE:2020-04-03 10h50.03 utc:133: Created GnuPG dir ‘/opt/gvm/var/lib/gvm/gvmd/gnupg’
util gpgme:MESSAGE:2020-04-03 10h50.03 utc:133: Using OpenPGP engine version ‘2.2.12’
util gpgme: INFO:2020-04-03 10h50.03 utc:133: starting key generation …
util gpgme: INFO:2020-04-03 10h50.03 utc:133: OpenPGP key ‘GVM Credential Encryption’ has been generated
lib serv:WARNING:2020-04-03 10h50.03 utc:133: server_new_internal: failed to set credentials key file: Error while reading file.
lib serv:WARNING:2020-04-03 10h50.03 utc:133: server_new_internal: cert file: /opt/gvm/var/lib/gvm/CA/servercert.pem
lib serv:WARNING:2020-04-03 10h50.03 utc:133: server_new_internal: key file : /opt/gvm/var/lib/gvm/private/CA/serverkey.pem
md main:CRITICAL:2020-04-03 10h50.03 utc:133: gvmd: client server initialisation failed
Any help/pointers are welcome! As far as I know my configuration is correct, but I am not able to start GVMD.
Looks like your installation is broken. You need to set up & run GVM in the following order:
Build in order from source:
Build openvas, ospd-openvas, ospd
Then, set up the GVM certs infrastructure:
Set up the PostgreSQL database:
sudo -u postgres bash
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
Start gvmd, ospd-openvas
systemctl start gvmd
systemctl start ospd-openvas
And pay attention to the permissions. Your whole installation of GVM should be done in a specific directory owned by the user gvm will run as. In your post above, it looks like your certificates were generated by another user and are not available to the user running gvmd.
You may also want to check this guide; very useful on Debian: https://sadsloth.net/post/install-gvm11-src_part1/
Thanks for your quick answer. I’ve solved the permission user and I am able to start GSA with an HTTP connection. However, I am not able to configure it to work on HTTPS.
I installed the certificates with gvm-manage-certs -a as “gvm” user, and verification completes OK.
This is how I am launching ospd-openvas, gvmd and gsa:
ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /tmp/ospd.sock --log-level INFO
---- wait for /tmp/ospd.sock to be listening, and set 666 permissions
su -c "gvmd -v --listen=192.168.1.100 --port=9390 --osp-vt-update=/tmp/ospd.sock" gvm
su -c "gsad --verbose --mlisten=192.168.1.100 --mport=9390" gvm
I get the following errors in the logs:
gvm-master | ==> /usr/local/var/log/gvm/gsad.log <==
gvm-master | gsad main:MESSAGE:2020-04-06 08h55.10 utc:464: Starting GSAD version 9.0
gvm-master | gsad main:WARNING:2020-04-06 08h55.10 utc:465: Binding to port 443 failed, trying default port 9392 next.
gvm-master | ==> /usr/local/var/log/gvm/gvmd.log <==
gvm-master | md main:WARNING:2020-04-06 08h55.07 utc:422: gvmd: Another process is busy starting up
gvm-master | md manage:WARNING:2020-04-06 08h55.07 utc:418: database must be initialised from scanner
gvm-master | md manage: INFO:2020-04-06 08h55.08 utc:442: sync_scap: Updating data from feed
gvm-master | md manage: INFO:2020-04-06 08h55.08 utc:442: Updating CPEs
gvm-master | md main:MESSAGE:2020-04-06 08h55.08 utc:451: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
gvm-master | md manage: INFO:2020-04-06 08h55.08 utc:451: Getting users.
gvm-master | md manage:WARNING:2020-04-06 08h55.08 utc:451: database must be initialised from scanner
gvm-master | md main:MESSAGE:2020-04-06 08h55.09 utc:458: Greenbone Vulnerability Manager version 9.0.0 (DB revision 221)
gvm-master | md manage: INFO:2020-04-06 08h55.09 utc:458: Getting users.
gvm-master | md manage:WARNING:2020-04-06 08h55.09 utc:458: database must be initialised from scanner
==> /usr/local/var/log/gvm/gsad.log <==
gvm-master | gsad main:WARNING:2020-04-06 08h55.10 utc:467: main: start_http_daemon redirect failed !
Port 443 (https) is a privileged port; it can only be bound with root privileges. That’s the reason why you should run gsad via systemd. The process is then started as root to open the privileged port, and then drops its privileges to the normal user. Assuming the user gsad should run as is gvmd, you must have a gsad.service system file in your /etc/systemd/system directory.
The gsad.service should contain this:
[Unit]
Description=Job that runs the gsa daemon
[Service]
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm -p 443 -k /opt/gvm/var/lib/gvm/private/CA/serverkey.pem -c /opt/gvm/var/lib/gvm/CA/servercert.pem --timeout=3600 --munix-socket=/opt/gvm/var/run/gvmd.sock
Then enable this service file with:
sudo systemctl enable gsad
Then start gsad with:
sudo systemctl start gsad
Also, you should not use the /tmp folder to store your ospd socket. Use /opt/gvm/var/run instead, as explained in the documentation. Using /tmp is likely to cause you trouble. So you should start gvmd like this:
gvmd -v --listen=192.168.1.100 --port=9390 --osp-vt-update=/opt/gvm/var/run/ospd.sock
Again, create a systemd file for this purpose too (see the slashdot tutorial again).
It also seems you did not use the "-DCMAKE_INSTALL_PREFIX=/opt/gvm" flag before building your sources. GSAD should not use /usr/local/var/log/gvm to create its logfile; it’s likely to cause you permission problems. Same for the gvmd.log file. Again, build everything under the gvm user in the /opt/gvm source tree. Failing to do this will lead to permission problems.
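The two permission points raised in the answers above (key material owned by the account gvmd runs as, and the OSP socket kept out of /tmp) can be checked with a short script. This is an added example, not part of the thread or of GVM: `audit_path` is a hypothetical helper, it assumes GNU `stat` as shipped on Debian, and treating any access for "other" as a finding is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit owner and mode of GVM key files
# and sockets. Usage: sh audit.sh gvm /opt/gvm/var/lib/gvm/private/CA/serverkey.pem \
#                                     /opt/gvm/var/run/ospd.sock

# audit_path PATH EXPECTED_OWNER
# Prints one line per finding; returns 0 if the path is clean, 1 otherwise.
audit_path() {
    path=$1; want=$2; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    # GNU stat: %U = owner name, %a = octal mode (e.g. 600, 1777)
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want" ]; then
        echo "OWNER $path is owned by $owner, expected $want"
        rc=1
    fi
    # The last octal digit holds the permissions for "other".
    other=${mode#"${mode%?}"}
    if [ "$other" != "0" ]; then
        echo "WORLD $path mode $mode grants access to other users"
        rc=1
    fi
    # A world-writable parent (such as /tmp) lets other users create the
    # expected file name before the daemon does.
    dir=$(dirname "$path")
    dmode=$(stat -c '%a' "$dir")
    dother=${dmode#"${dmode%?}"}
    case $dother in
        2|3|6|7) echo "DIR $dir mode $dmode is world-writable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $path ($owner, $mode)"
    return "$rc"
}

# Run as a script only when an owner and at least one path are given.
if [ "$#" -ge 2 ]; then
    expected=$1; shift; status=0
    for p in "$@"; do
        audit_path "$p" "$expected" || status=1
    done
    exit "$status"
fi
```

Run it as root, or as the gvm user, so that `stat` can reach the private CA directory.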