Greenbone Vulnerability Manager, formerly OpenVAS, is a full-featured free open-source vulnerability scanner with enterprise-grade features [Link].

It supports unauthenticated and authenticated testing for internet and industrial protocols at various levels of intrusion.

Requirements

  • 4 vCPU (2 is the minimum, but it does not work properly with less)
  • 8GB of RAM (less may crash the server)
  • 50GB of Storage (approximately 25% utilized after deployment)

INSTALLING

Ubuntu 24.04

sudo apt update && sudo apt upgrade -y
sudo apt install ca-certificates curl gnupg -y
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg -y; done
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
sudo usermod -aG docker $USER && su $USER
export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR
curl -f -O -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml --output-dir "$DOWNLOAD_DIR"
docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d
docker compose -f $DOWNLOAD_DIR/docker-compose.yml exec -u gvmd gvmd gvmd --user=admin --new-password='strong_password'

Debian 12

sudo apt update && sudo apt upgrade -y
sudo apt install ca-certificates curl gnupg -y
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg -y; done
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
sudo usermod -aG docker $USER && su $USER
export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR
curl -f -O -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml --output-dir "$DOWNLOAD_DIR"
docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d
docker compose -f $DOWNLOAD_DIR/docker-compose.yml exec -u gvmd gvmd gvmd --user=admin --new-password='strong_password'

In your browser, navigate to http://10.10.10.1:9392.


DATABASES UPDATE

The first time the container starts, it takes several minutes to download the latest vulnerability updates.

Navigate to Administration > Feed Status and wait until all feeds show a status of “current”.

After a very long time…


REFLECTIONS

Since the Docker Compose file was introduced, deploying and managing OpenVAS has become much easier (it was quite painful before). See the official documentation for additional information [Link].

To watch output logs in real-time:

export DOWNLOAD_DIR=$HOME/greenbone-community-container
docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs -f

There is an issue that took me a long time to figure out: feed updates do not reliably succeed and mostly fail.

The feeds are pulled via rsync from the following sources:

  • Community NVT Feed
    • rsync://feed.community.greenbone.net:/nvt-feed
  • SCAP Feed
    • rsync://feed.community.greenbone.net:/scap-data
  • CERT Feed
    • rsync://feed.community.greenbone.net:/cert-data
  • GVMD Data Feed
    • rsync://feed.community.greenbone.net:/gvmd-data

Without a paid license for the enterprise repository, the limited resources of the community servers often cause the sync to fail partway through.

There are two solutions:

  • Self-host a mirror of the repository.
    • Deploy a service that periodically syncs with the remote and serves the repository locally to all your consumers.
  • Pull the container images to the latest version before syncing. This minimizes the delta between local and remote, improving the chances of a successful sync.
    • export DOWNLOAD_DIR=$HOME/greenbone-community-container
      docker compose -f $DOWNLOAD_DIR/docker-compose.yml down
      docker compose -f $DOWNLOAD_DIR/docker-compose.yml pull
      docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d