[Research] Installing the Greenbone GVM / OpenVAS 22.4.0 vulnerability scanner (atomic) (Fedora 36)
2022-10-27
Greenbone Vulnerability Management (GVM),
formerly Open Vulnerability Assessment Scanner (OpenVAS)
Installation reference
https://github.com/Atomicorp/gvm
Installation summary (Fedora is not listed as supported, but in testing it works)
su root
Install the Atomic Yum Repository
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo sh
Install the GVM/openvas package
# Redhat/Rocky/Centos 8 Only
dnf config-manager --set-enabled powertools
dnf install epel-release
# Redhat/Rocky 9 Only
dnf config-manager --set-enabled crb
dnf install epel-release
#
dnf install gvm
Configure openvas
gvm-setup
Atomicorp does have Fedora 36 packages
https://www6.atomicorp.com/channels/atomic/fedora/36/x86_64/RPMS/
What actually happened
[liveuser@localhost-live ~]$ su root
[root@localhost-live ~]# wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo sh
Atomic Free Unsupported Archive installer, version 7.0.2
BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:
THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL ATOMICORP LIMITED, THE COPYRIGHT OWNER OR ANY
CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED BY OR PUBLISHED IN THIS
REPOSITORY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
For supported software packages please contact us at:
sales@atomicorp.com
Do you agree to these terms? (yes/no) [Default: yes] (just press Enter)
Configuring the [atomic] repo archive for this system
Installing the Atomic GPG keys: OK
Downloading atomic-release-1.0-23.fc36.art.noarch.rpm: Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:atomic-release-1.0-23.fc36.art ################################# [100%]
Enable repo by default? (yes/no) [Default: yes]: (just press Enter)
The Atomic repo has now been installed and configured for your system
The following channels are available:
atomic - [ACTIVATED] - contains the stable tree of ART packages
atomic-testing - [DISABLED] - contains the testing tree of ART packages
atomic-bleeding - [DISABLED] - contains the development tree of ART packages
[root@localhost-live ~]#
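The installer above is piped from the network into a root shell and registers a third-party repository from which dnf then installs the GVM packages. As an added example (not part of the original post or Atomicorp's code), the function below audits a .repo file for signature checking that is off, a missing gpgkey, or plain-http URLs; the sample repo content and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dnf/yum .repo file written by a third-party installer.
# Prints one finding per line for enabled sections; returns 1 if anything was flagged.
audit_repo() {
    awk '
        function on(v) { v = tolower(v); return v == "1" || v == "true" || v == "yes" }
        function report() {
            if (name == "" || !on(enabled)) return
            # An unset gpgcheck inherits from dnf.conf; it is flagged so it gets checked.
            if (!on(gpgcheck)) { print name ": gpgcheck is not set to 1 in this section"; bad = 1 }
            if (gpgkey == "")  { print name ": no gpgkey configured"; bad = 1 }
            if (plain)         { print name ": URL uses plain http"; bad = 1 }
        }
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # a new [section] starts
            report()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            enabled = "1"; gpgcheck = ""; gpgkey = ""; plain = 0
            next
        }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")  enabled = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey = val
            if ((key == "baseurl" || key == "mirrorlist" || key == "metalink") && val ~ /^http:/) plain = 1
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample, not the real contents of any Atomicorp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[example-thirdparty]
name=Example third-party channel
baseurl=http://repo.example.invalid/fedora/36/x86_64
enabled=1
gpgcheck=0
EOF
audit_repo "$demo" || echo "review the findings above before running dnf install"
rm -f "$demo"
```

On the installed system, point it at the file the installer wrote, assumed here to be /etc/yum.repos.d/atomic.repo.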
Ignore the parts that fail to install
Install EPEL; I ran the install twice to confirm there was nothing else to install
[root@localhost-live ~]# dnf config-manager --set-enabled crb
Error: No matching repo to modify: crb.
[root@localhost-live ~]# dnf config-manager --set-enabled powertools
Error: No matching repo to modify: powertools.
[root@localhost-live ~]# yum install -y epel-release
Fedora 36 - atomic                              8.9 kB/s | 102 kB     00:11
Fedora 36 - x86_64                              5.0 MB/s |  81 MB     00:16
Fedora 36 openh264 (From Cisco) - x86_64        873  B/s | 2.5 kB     00:02
Fedora Modular 36 - x86_64                      1.0 MB/s | 2.4 MB     00:02
Fedora 36 - x86_64 - Updates                    1.7 MB/s |  29 MB     00:17
Fedora Modular 36 - x86_64 - Updates            1.4 MB/s | 2.8 MB     00:02
No match for argument: epel-release
Error: Unable to find a match: epel-release
[root@localhost-live ~]# yum install -y epel-release
Last metadata expiration check: 0:00:29 ago on Thu 27 Oct 2022 12:31:48 AM EDT.
No match for argument: epel-release
Error: Unable to find a match: epel-release
[root@localhost-live ~]#
Install GVM; the root filesystem turned out to have too little space
[root@localhost-live ~]# dnf install gvm -y
(omitted... more than 2,100 packages to install)
Error Summary
-------------
Disk Requirements:
   At least 652MB more space needed on the / filesystem.
[root@localhost-live ~]#
[root@localhost-live ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
devtmpfs                 4096       0      4096   0% /dev
tmpfs                 1988840      12   1988828   1% /dev/shm
tmpfs                  795536   10088    785448   2% /run
/dev/sr0              1970848 1970848         0 100% /run/initramfs/live
/dev/mapper/live-rw   7712908 6712224    984300  88% /
tmpfs                 1988840    2752   1986088   1% /tmp
vartmp                1988840       0   1988840   0% /var/tmp
tmpfs                  397768     156    397612   1% /run/user/1000
/dev/nvme0n1p2      103808000 3001548  99024724   3% /mnt/sysroot
/dev/nvme0n1p1         996780  175844    752124  19% /mnt/sysroot/boot
tmpfs                 1988840       0   1988840   0% /mnt/sysroot/dev/shm
/dev/nvme0n1p2      103808000 3001548  99024724   3% /mnt/sysroot/home
tmpfs                 1988840       0   1988840   0% /mnt/sysroot/tmp
[root@localhost-live ~]#
The VM's HDD was originally 100GB; I built a new VM with a 1000GB disk, reinstalled Fedora, and installed everything again
[user1@fedora ~]$
[user1@fedora ~]$ df
Filesystem      1K-blocks    Used  Available Use% Mounted on
devtmpfs             4096       0       4096   0% /dev
tmpfs             1988836       0    1988836   0% /dev/shm
tmpfs              795536    2548     792988   1% /run
/dev/nvme0n1p2 1047526400 3797772 1041957604   1% /
tmpfs             1988836     144    1988692   1% /tmp
/dev/nvme0n1p2 1047526400 3797772 1041957604   1% /home
/dev/nvme0n1p1     996780  175844     752124  19% /boot
tmpfs              397764     152     397612   1% /run/user/1000
/dev/sr0          1970848 1970848          0 100% /run/media/lu/Fedora-WS-Live-36-1-5
[user1@fedora ~]$
Next:
[user1@fedora ~]$ sudo dnf install gvm -y
(omitted... more than 2,100 packages installed)
Complete!
[user1@fedora ~]$
Next, when running the setup, it requires SELinux to be turned off first
[root@localhost ~]# gvm-setup
#####################################
GVM Setup, Version: 6.1.0
Atomicorp, Inc.
#####################################
Error: Selinux is set to (Enforcing)
selinux must be disabled in order to use openvas
exiting....
[root@localhost ~]#
Next, edit the SELinux configuration file with root privileges (you can also run sudo vi /etc/selinux/config directly)
[user1@fedora ~]$ sudo vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled     <=== changed from enforcing to disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted     <=== do not change this one by mistake
Reboot the operating system so that the SELinux change takes effect
[user1@fedora ~]$ reboot
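The warning above about editing the wrong line can be enforced mechanically. As an added example (not from the original post), the function below changes only the SELINUX= line, rejects values that are not valid for it, and keeps a .bak copy so the previous mode can be restored; the function names and the temporary file are illustrative.

```shell
#!/bin/sh
# Added example: read and change only the SELINUX= line of an SELinux config file.

# Print the current SELINUX= value (never matches SELINUXTYPE= or comment lines).
selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1" | head -n 1
}

# $1 = config file, $2 = enforcing | permissive | disabled
set_selinux_mode() {
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "refusing: '$mode' is not a valid SELINUX= value" >&2; return 2 ;;
    esac
    grep -q '^SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; return 3; }
    cp -p "$file" "$file.bak" || return 1      # previous state, kept for rollback
    tmp=$(mktemp) || return 1
    # Write back through the existing file so its owner, mode and label are unchanged.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed copy of the file shown in the post; the real one is /etc/selinux/config.
cfg=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$cfg"
set_selinux_mode "$cfg" targeted               # rejected: that value belongs to SELINUXTYPE
set_selinux_mode "$cfg" disabled && grep '^SELINUX' "$cfg"
rm -f "$cfg" "$cfg.bak"
```

After the reboot, `getenforce` reports the mode that is actually running.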
Setup
[user1@fedora ~]$ sudo gvm-setup
#####################################
GVM Setup, Version: 6.1.0
Atomicorp, Inc.
#####################################
 * Initializing database in '/var/lib/pgsql/data'
 * Initialized, logs are in /var/lib/pgsql/initdb_postgresql.log
...
(very long and time-consuming, omitted; tens of thousands of records are imported for each year)
Enter Administrator Password:
Verify Administrator Password:
Created symlink /etc/systemd/system/multi-user.target.wants/ospd-openvas.service → /usr/lib/systemd/system/ospd-openvas.service.
Created symlink /etc/systemd/system/multi-user.target.wants/notus-scanner.service → /usr/lib/systemd/system/notus-scanner.service.
Created symlink /etc/systemd/system/openvas-manager.service → /usr/lib/systemd/system/gvmd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/gvmd.service → /usr/lib/systemd/system/gvmd.service.
Created symlink /etc/systemd/system/greenbone-security-assistant.service → /usr/lib/systemd/system/gsad.service.
Created symlink /etc/systemd/system/multi-user.target.wants/gsad.service → /usr/lib/systemd/system/gsad.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mosquitto.service → /usr/lib/systemd/system/mosquitto.service.
success
#####################################
Setup complete
Log in to GSAD at https://localhost
#####################################
[user1@fedora ~]$
Installation is complete; you can connect to https://localhost with a browser
Addendum:
/usr/sbin/greenbone-feed-sync --type SCAP success
Updating CERT data...
/usr/sbin/greenbone-feed-sync --type CERT
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/
If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.
********************************************************************************
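Addendum: at install time you can also use gvm* instead of gvm so that all related packages are installed, or install them now afterwards (optional).
[root@localhost ~]# yum install gvm* -y
This kind of installation does not install the setup-check tool
[root@localhost ~]# gvm-check-setup
bash: gvm-check-setup: command not found...
[root@localhost ~]#
(End)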