Greenbone Vulnerability Manager, formerly OpenVAS, is a full-featured free open-source vulnerability scanner with enterprise-grade features [Link].

It is capable of unauthenticated and authenticated testing for internet and industrial protocols under various levels of intrusion.

Requirements

  • 4 vCPU (2 is the minimum, but it does not work properly)
  • 8GB of RAM (less might crash the server)
  • 50GB of Storage (will be 25% utilized after deployment)

INSTALLING

Ubuntu 24.04

sudo apt update && sudo apt upgrade -y
sudo apt install ca-certificates curl gnupg -y
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg -y; done
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
sudo usermod -aG docker $USER && su $USER
export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR
curl -f -O -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml --output-dir "$DOWNLOAD_DIR"
docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d
docker compose -f $DOWNLOAD_DIR/docker-compose.yml exec -u gvmd gvmd gvmd --user=admin --new-password='strong_password'

Debian 12

sudo apt update && sudo apt upgrade -y
sudo apt install ca-certificates curl gnupg -y
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg -y; done
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
sudo usermod -aG docker $USER && su $USER
export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR
curl -f -O -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml --output-dir "$DOWNLOAD_DIR"
docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d
docker compose -f $DOWNLOAD_DIR/docker-compose.yml exec -u gvmd gvmd gvmd --user=admin --new-password='strong_password'

In the browser, navigate to http://10.10.10.1:9392.


DATABASES UPDATE

The first time the container is started it takes several minutes to download the latest vulnerability updates.

Navigate to Administration > Feed Status. Wait until the status of all of the feeds is up to date (“current”).

After a very long time…


REFLECTIONS

Since the Docker Compose file was created, deploying and managing OpenVAS became extremely easy (it was very painful before). See official documentation for additional information [Link].

If necessary, watch output logs in real-time for issues:

export DOWNLOAD_DIR=$HOME/greenbone-community-container
docker compose -f $DOWNLOAD_DIR/docker-compose.yml logs -f

There was an issue that haunted me for years and took me a long time to connect the dots. The feed update does not reliably succeed and mostly fails.

The problem is that the feeds are pulled with rsync from these sources:

  • Community NVT Feed
    • rsync://feed.community.greenbone.net:/nvt-feed
  • SCAP Feed
    • rsync://feed.community.greenbone.net:/scap-data
  • CERT Feed
    • rsync://feed.community.greenbone.net:/cert-data
  • GVMD Data Feed
    • rsync://feed.community.greenbone.net:/gvmd-data

If you are not paying for the license that gives you access to the enterprise repository (which is not public), the limited resources of these servers cause the sync to fail halfway through.

The solutions for this problem are:

  • Self-host a mirror of the repository.
    • Deploy a service that will synchronize once every so often with the remote and serve the repository locally to all your consumers.
  • Pull the latest container images before starting the sync. This reduces the delta between the local and remote data to the minimum, so the sync might be able to complete.
    • export DOWNLOAD_DIR=$HOME/greenbone-community-container
      docker compose -f $DOWNLOAD_DIR/docker-compose.yml down
      docker compose -f $DOWNLOAD_DIR/docker-compose.yml pull
      docker compose -f $DOWNLOAD_DIR/docker-compose.yml up -d
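
The synchronizing half of the first solution, as an added example (not code from Greenbone or from this page's author): a POSIX shell script that pulls each feed listed above into a local mirror, one at a time, and retries interrupted transfers. `MIRROR_ROOT`, `RSYNC`, `MAX_TRIES`, `RETRY_WAIT` and the `--run` argument are assumptions of this sketch; the rsync URLs are the ones listed above, and serving the mirror to consumers is not shown.

```shell
#!/bin/sh
# Added example: mirror the community feeds locally, retrying failed pulls.
# MIRROR_ROOT, RSYNC, MAX_TRIES, RETRY_WAIT and --run are assumptions.
FEED_HOST="rsync://feed.community.greenbone.net:"  # host as listed on this page
FEEDS="nvt-feed scap-data cert-data gvmd-data"     # modules as listed on this page
MIRROR_ROOT="${MIRROR_ROOT:-/srv/greenbone-mirror}"
RSYNC="${RSYNC:-rsync}"
MAX_TRIES="${MAX_TRIES:-5}"
RETRY_WAIT="${RETRY_WAIT:-60}"   # seconds to wait between attempts

# sync_feed MODULE: pull one module into $MIRROR_ROOT/MODULE.
# Returns 0 on success, 1 once MAX_TRIES attempts have failed.
sync_feed() {
    module=$1
    try=1
    mkdir -p "$MIRROR_ROOT/$module" || return 1
    while [ "$try" -le "$MAX_TRIES" ]; do
        # --partial keeps half-transferred files so a retry resumes them;
        # --timeout aborts a stalled connection instead of hanging forever.
        if "$RSYNC" -a --delete --partial --timeout=120 \
            "$FEED_HOST/$module/" "$MIRROR_ROOT/$module/"; then
            return 0
        fi
        echo "sync of $module failed (attempt $try/$MAX_TRIES)" >&2
        try=$((try + 1))
        [ "$try" -le "$MAX_TRIES" ] && sleep "$RETRY_WAIT"
    done
    return 1
}

# sync_all: sync the feeds sequentially; the return value is the number of
# feeds that still failed after all retries (0 means the mirror is complete).
sync_all() {
    failed=0
    for m in $FEEDS; do
        sync_feed "$m" || failed=$((failed + 1))
    done
    return "$failed"
}

# Only run when asked to, so the functions can also be sourced and reused.
if [ "${1:-}" = "--run" ]; then
    sync_all
    exit $?
fi
```

Run it with `--run` from a scheduled job; a non-zero exit status is the number of feeds whose local copy is still incomplete, so point consumers at the mirror only after a run that exits 0.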