My experience installing and running greenbone comunity edition

gce

#1

Hello everyone,

I wanted to share my experience as a fist time user of greenbone openvas/gsm. I downloaded the iso image and created a VM in virtualbox as the instructions clearly stated. So far so good.

  1. Once the installation and the two reboots completed successfully, I used the admin credentials to login, to what apparently is a bunch of options running the dialog shell command. Interesting, I used dialog when I was a kid, many decades ago, so it was funny to see it again after so many years.

  2. The instructions claimed to let it run for a while, so that background processes may download the required files. This clearly did not work. I let it sit for 30 minutes and the VM console filled with errors… weird.

  3. Since nothing was being downloaded, the “Greenbone OS” (apparently based on Debian) didn’t have internet access but had received an IP address via DHCP. Every OS that I know, receives all the required details via DHCP but this “Greenbone OS” could not. I had to use the dialog interface to manually set the DNS and gateway… weird.

  4. Now that the VM had full internet access was still not downloading anything. It appeared to try to open various TCP connections. Time to get root privileges and look inside. Wow… someone truly wanted to stop root access, since its hidden away under layers of garbage options and rather silly messages “Use this only if our support told you to do so…” wtf. I had to navigate to Advanced -> Support -> Superuser (really? superuser? this is Linux, its called root), then enable the “superuser” (!!) and eventually nothing happens. Then I had to enable sshd under Network -> Services… still no go, ssh does not allow root login, so I have to ssh as my admin account, then navigate again to Advanced -> Support -> Shell -> click “Continue” on the box and drop to a shell, which requires su to get to root.

  5. After 15 min, I am root and looked at the logs, the daemons and found out some errors like:
    gsm gsad main[478]: MHD: Error: received handshake message out of context

  6. Clearly the download process failed. Looking around I found the cron process:
    /etc/cron.daily/70-gsm-feed-sync
    which executes the service:
    system start gsm-feed.update

  7. At this point I discovered that the whole download procedure is based on rsync. A rather outdated method, I would expect something equivalent to dnf/rpm “delta” feature, that would avoid rsync’s excessive file-by-file tests and the data would be properly gpg signed and protected.

  8. I let the feed procedure run and monitored its progress via /var/log/full.log, once it was finished I logged in via the web interface to start using this thing.

  9. So how was the scan you ask? It clearly does not scan. I used the wizard, typed a local IP address and the scan ends immediately with an empty report with zero results.

Summary of my experience so far

  1. Quite a lot of work to get a pre-configured appliance to work, when most of the above steps should be automated.

  2. Overall it was horrible to end up without any results, a waste of my time.

I would appreciate your thoughts and suggestions :slight_smile:


#2

Thanks for testing the GCE and writing down your experiences. Personally I am feeling a bit offended by the tone of some of your comments. Would have been really nice if your report had been less aggressive. It’s difficult being motivated to help if someone puts down your work.

I am sorry you ran into several issues and you didn’t got the system you’d expected. Maybe you should have used the Greenbone Source Edition and build you GVM by yourself on a distribution of your personal choice. The GCE is mostly intended for normal users without much administration knowledge on Linux.

I am not going to comment on each point you have listed. Please keep in mind that our technical decisions have some background and might seem odd in you view but we have to support several different use cases that can be much different then yours.

Please still feel free to ask for help to fix you specific issues with the GCE or to get some background information about the used technologies. I am glad to help!

Regards
Björn


#3

First of all, apologies for my tone of voice, it was not intended to offend, but to be honest. Maybe a mix of disappointment and plain tiredness took the best of me.

I’ll give it a go one more time, now that I have some experience about the custom features.

Please ignore my rudeness and instead keep an open mind about my suggestions, like the delta feature of package management.


#4

FWIW, as a sys admin with quite a bit of experience, I also found it difficult to quickly access troubleshooting tools I normally use when the VM did not work properly. But I understand the effort to make Kali more end-user friendly.

I also found a problem with installing and then getting empty results. I found that issuing an openvasmd --rebuild command fixed the problem once the sync was done. Hope this helps.


#5

Just want to make clear Greenbone isn’t involved in packaging for any distribution beside GOS. The Kali packagers are using our Source Edition. Thus setup, configuration and administration may be very different with Kali.

This should only be necessary if the feed sync didn’t work, hasn’t finished or is aborted. The first feed sync really will take some time.


#6

@bricks, thank you very much. Both of your comments are very helpful.

  • Would it be appropriate to post in the Kali community? I think their intentions are good, but they miss the mark a little bit.
  • Is there a way in the console to monitor the progress of the feed sync?
    Thanks

#7

What do you mean exactly? Of course you can create post in their forum. Also you can always link to topics here. But I am not aware of any Greenbone dev who is involved in the Kali community. So I don’t think that anybody from Greenbone will post at their forums.

I would never ever claim something different.

The status of the feed sync can be monitored via journalctl -f in the shell.


#8

Perhaps I misunderstood you. Did you say that the GCE package is maintained by the Kali people? If we have feedback regarding how locked down the GCE is currently, where is the best place to give some feedback?

Also, you are very knowledgeable, so maybe you can help with another question - is the Kali Greenbone package created from GSE?


#9

No, no. I’ve said Greenbone only develops and provides the Greenbone OS (GOS) packages which are used in the Greenbone Community Edition (GCE). Greenbone isn’t involved in any packages besides for GOS. Other distributions like Kali take our Source Edition (the source releases of the GVM components) and build packages on their own.

The GCE is looked down with intention. It is a virtual machine for testing and trying out our software. For professional usage, support and more features you should buy a Greenbone product. Be it virtual of physical.

This forum is the best place for feedback and questions.


#10

Understood. All is clear; thank you.