Installing Greenbone for Vulnerability Assessment Scanning
Scanning servers for vulnerabilities is important to assess security. Scans should be done regularly, especially for servers that contain sensitive customer data.
At Gorges, we chose the Greenbone Vulnerability Manager (GVM) for our solution. There are commercial and open-source Greenbone versions, and we chose the latter, specifically the Greenbone Source Edition version 20. However the open-source version has to be compiled, linked, and installed manually which can be a challenge.
First of all, kudos to Kevin Lucas for publishing an installation script. Although we could not get it to work as published, it accomplished 90% of the heavy lifting.
Hours were spent trying to get the installation script working on Ubuntu 18 and Ubuntu 20, but these attempts failed because one of the sub-packages (Greenbone Security Assistant or GSA) was failing during compilation. Switching to the Debian linux distribution solved this issue and GSA compiled.
After adding server swap space and updating all Debian packages, the GVM installation script was downloaded and executed, and the computer rebooted:
However the GSA process kept failing and would not execute. An investigation revealed that it was expecting a certain socket file to be present to communicate with another package, specifically the OpenVAS vulnerability assessment process. Creating a symbolic link to the actual socket file worked:
For us the default password from the installation script did not work, but modifying it to a new password was straightforward:
Sendmail was installed to email the completed reports to the users. Unfortunately the emails were being labelled as spam by our email filters, so Sendmail was configured to forward the email to Sendgrid SMTP service. The instructions for modifying Sendmail are located on the Sendgrid website.
The scanner was now up and running, but using a self-signed certificate for encryption. For many this is acceptable, but a proper SSL certificate is better and safer. The easiest path was to use Apache2 and LetsEncrypt with a reverse proxy.
First change the existing port from 443 to an unused port such as 9390:
Install and configure Apache:
Open the firewall for the web services:
Add a LetsEncrypt certificate:
If you read the original script then there are some extra tidbits of information, such as the initial downloading of the scanning rules will take several hours.
We now have dozens of servers scheduled for automated weekly scans.