Installing OpenVAS (GVM) on CentOS 7

Installing OpenVAS (GVM) on CentOS 7

This is a walkthough for installing and configuring OpenVAS (GVM) on CentOS 7. OpenVAS (Open Vulnerability Assessment System) is an opensource vulnerability scanner.

Greenbone has deprecated OpenVAS version 9 and version 10 is now known as Greenbone Vulnerability Manager (GVM). Likewise, the new rpms are called ‘greenbone-vulnerability-manager’ and ‘gvm-libs’ which replace the ‘openvas’ and ‘openvas-libraries’ rpms. If you are upgrading from 9 to the latest version, you may lose your previous tasks and reports so beware! Also, if you are still on version 9 and you simply need a temporary workaround for “Report outdated Scan Engine / Environment (local)” error, scroll to the bottom. 

Brief History

OpenVAS forked from Nessus when Tenable took the previously opensource product to closed source back in 2005. That’s worth mentioning primarily because on a side note, I’ve used Nessus for many years and I remember when it was forked. Since then, Nessus became one of the leaders in the vulnerability scanning space and a fairly polished. Nessus generates nice reports and it is/was a great product for a decent price. However, in the last few years the price has really started to creep IMO. Tenable then announced they were pulling API access to Nessus Professional, which happens to be something I use quite extensively. As a result, I was left searching for alternatives. Admittedly, I tried OpenVAS years ago, but it was a bit of a mess to setup and I wasn’t exactly enamored with the interface. I’d heard good things recently so I figured I would give it another shot.

Changelog
10June2018 – Originally posted
11June2018 – Added ‘Configuring PDF Reports’ section
22Oct2018 – Added ‘Automatic Feed Updates With Cron’ section
30Nov2018 – Added net-tools to yum install command
11Mar2019 – Added alternate URLs for Atomicorp (reader feedback)
21Mar2019 – Added temp fix for “Report outdated Scan Engine / Environment (local)”
20Apr2019 – Rewrite for new GVM 10 version
13Dec2019 – Updated write-up

Installing CentOS 7

So first things first, I prefer to start with a minimal install of CentOS. The install takes less time, the filesystem takes up less space, and I despise updating packages I never use! Download the latest version of CentOS 7 and go through the standard install. If you are installing OpenVAS (GVM) virtually, I would recommend at least 2 CPUs, 3GB of memory, and 30GB of hard drive (this depends on number of scans and how much data you will retain).

Configuring CentOS

OpenVAS (GVM) will complain if you leave SELinux enabled so disable it using the following command.

sed -i 's/=enforcing/=disabled/' /etc/selinux/config

Open the necessary port for OpenVAS web interface right away as well.

firewall-cmd --zone=public --add-port=9392/tcp --permanent
firewall-cmd --reload

As a best practice, once you have install CentOS (or any OS for that matter), you need to do updates. You can update CentOS by using ‘yum -y update’ and then reboot. We need to reboot for the SELinux changes to take effect anyway.

yum -y update && reboot

Once the system comes back up, install the wget package and then install/configure the repository from Atomic Corp. You can use the default answers when adding keys for the Atomic Corp repository. We’ll also install ‘net-tools’ specifically for the ‘netstat’ command. Adding the package here clears up some later errors when testing the setup.

yum -y install wget net-tools
wget -q -O - https://updates.atomicorp.com/installers/atomic | sh

You will receive a couple of prompts during the install. One is to agree to the terms and the other is to enable the Atomic repo. You can simply hit ‘enter’ on both as the default is yes.

Atomic Repo default install options

Note: If you have issues with ‘updates’ in the wget URL above, other readers have stated using either ‘www’ or ‘www6’ works instead. For example, 
wget -q -O – https://www.atomicorp.com/installers/atomic | sh
wget -q -O – https://www6.atomicorp.com/installers/atomic | sh

Installing/Configuring OpenVAS (GVM)

Next, install OpenVAS (GVM) and related dependencies. This will install over 300MB of dependencies so be patient.

yum -y install greenbone-vulnerability-manager

If you try to install ‘openvas’ instead of ‘greenbone-vulnerability-manager’ in the command above you will simply receive a message that ‘Package openvas is obsoleted by greenbone-vulnerability-manager, trying to install greenbone-vulnerability-manager-10.0.0-6947.el7.art.noarch’ instead.

When yum completes, use the ‘sed’ command below to uncomment the following 2 unixsocket-related lines in the /etc/redis.conf file. I would recommend copying/pasting that little bit of command line kung fu to make sure you don’t miss any spaces or quotation marks.
# unixsocket /tmp/redis.sock
# unixsocketperm 700

sed -i '/^#.*unixsocket/s/^# //' /etc/redis.conf

Now, we need to enable the redis service so it starts after future reboots. We’ll also start/restart the service.

systemctl enable redis && systemctl restart redis

Run ‘openvas-setup’ and accept rsync as your default. This command may seem out of place (as it still references openvas), but for some reason the developers decided not to rename it. At any rate, this can take a while so be patient. It is downloading GBs worth of data. In addition, after the feeds are downloaded, there are times where you think the installer is hung… It’s not! Just be patient and grab a soda or coffee! While I didn’t have any issues with the downloads, others have reported their rsync process stops during setup. If this happens, just run openvas-setup again. Also, just a reminder that rsync uses TCP port 873 so you may have to allow it outbound in your egress firewall rules and/or configure it to work with your proxy server.

openvas-setup
-- Output --
Openvas Setup, Version: 4.01
Step 1: Update NVT, CERT, and SCAP data
Please note this step could take some time.
Once completed, this will be updated automatically every 24 hours
Select download method
* wget (NVT download only)
* curl (NVT download only)
* rsync
Note: If rsync requires a proxy, you should define that before this step.
Downloader [Default: rsync]

Note: If you get the error below when running openvas-setup, go back to the very first ‘sed’ command in this tutorial to disable SELinux. Don’t forget to reboot when you’re done.

Openvas Setup, Version: 4.01
Error: Selinux is set to (Enforcing)
selinux must be disabled in order to use openvas
exiting....

Once openvas-setup completes and some keys are generated, you’ll receive the following prompt(s). When asked if you want to “Allow connections from any IP?”  you can accept the default of ‘yes’ by simply pressing enter assuming you want to access the web interface from any IP address. You can change your username (I stayed with ‘admin’) and type in the password (twice) that you want to use to access the web interface.

-- Output --
Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end
for managing scans. By default it is configured to only allow
connections from localhost.
Allow connections from any IP? [Default: yes]
Redirecting to /bin/systemctl restart gsad.service
Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT's manually, and manage roles.
Enter administrator username [Default: admin] : 
Enter Administrator Password:
Verify Administrator Password:

The system will build/rebuild the NVT cache. This step can also take a bit of time so be patient. Rebuilding NVT is followed with a message that you can now access the interface.

-- Output --
Rebuilding NVT cache... done.
Setup complete, you can now access GSAD at:
https://<IP>:9392

The only problem? OpenVAS (GVM) isn’t running on 9392 as the package states. Perhaps they will fix this at some point in the future, but for now, run the following commands. The first command switches gsad to listen on 9392 (instead of 443) and the second command restarts gsad.

echo 'OPTIONS="--listen=0.0.0.0 --port=9392"' > /etc/sysconfig/gsad
systemctl restart gsad

After running the 2 commands above, gsad should now be running on port 9392. If you want to verify, type in the following command. If you receive nothing back, you’ve got an issue!

# netstat -ano |grep 9392
tcp        0      0 0.0.0.0:9392            0.0.0.0:*               LISTEN      off (0.00/0/0)

GVM no longer has openvas-check-setup so the next paragraph is no longer helpful. <shrug> Skip ahead to “Accessing the OpenVAS (GVM) web interface.”

Before doing that, I recommend running the command below to make sure you get the message: It seems like your OpenVAS-9 installation is OK.
There are some errors regarding PDF generation and missing LaTex packages. If you would like to create PDF reports out of OpenVAS, follow the section below on Configuring PDF Reports. Otherwise, you can skip ahead to Accessing the web interface.

openvas-check-setup --v9
-- Output --
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
It seems like your OpenVAS-9 installation is OK.

Accessing the OpenVAS (GVM) web interface

As mentioned in the previous message, you can now access to the web interface from any browser by going to https://<your IP address>:9392. You will receive a security prompt regarding the certificate since it is self-signed, but after that you should be able to login. Even though you can login at this point, I would highly recommend following the other sections below! It will save you time down the road!

OpenVAS web interface login

Automatic Feed Updates With Cron

OpenVAS vulnerability scans are only as good as the information/plug-ins you’re checking against. Thus, if your feeds are out-of-date, your scans are not going to reflect the true nature of the environment because you are not testing for the most recently discovered vulnerabilities. From the web interface, you can check the status of your feeds anytime via Extras -> Feed Status.

OpenVAS feed status - outdated feeds

I’ve seen where the feeds update automatically by default and I’ve seen them not. I always add the cron jobs below just to be on the safe side. If you are not familiar with cron jobs, they are an easy way to tell the system to run a command at a given time. From the command line, type in ‘crontab -e’ to edit cron, which should be empty to start with. Hit the ‘i’ key to enter insert mode and then copy/paste the text in the gray box below. After your copy/paste, hit the ‘Esc’ key followed by typing in ‘:wq’ to exit. For those of you familiar with ‘vi’ that sequence of events should have been very familiar! The three commands coincide with the 3 feed types found in the Feed Status page — NVT, SCAP, and CERT. For the 3 cron jobs we just installed, the top command runs greenbone-nvt-sync at 1:35am, greenbone-scapdata-sync at 12:05am, and greenbone-certdata-sync at 1:05am.

35 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null
5 0 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null
5 1 * * * /usr/sbin/greenbone-certdata-sync > /dev/null

Assuming you just installed the system (the feeds update during the install process) or your cron jobs are keeping your feeds up-to-date properly, your feed status page should appear similar to the one below. Note: It is common for the feeds to be up-to-date and still report back they are a few days old as shown in the picture. I would suggest checking this page every now and again to make sure everything is updating as expected.

OpenVAS Feed Status - Feeds Up-To-Date

Configuring PDF Reports

I found documentation for working PDF reports in OpenVAS to be lacking. I was able to pull together bits and pieces from different sites to get it working. This is what you will need to do if you create/download PDF reports in OpenVAS and the pdf files are 0 bytes.

Working PDF reports in OpenVAS

First, install additional texlive packages for CentOS 7.

yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec

The following steps were found on blogspot. It creates a directory, downloads the comment.sty file, changes permissions on the newly downloaded file, and then recreates the database with texhash. You can copy/paste the commands below into an SSH terminal window.

mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
cd /usr/share/texlive/texmf-local/tex/latex/comment
wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
chmod 644 comment.sty
texhash

If you re-run the openvas-check-setup command (don’t forget –v9), you should see those PDF-related errors are cleaned up as shown below.

openvas-check-setup --v9
-- Output --
...
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.

Final notes

Success! From the web interface you can start a scan via Scans -> Tasks -> Task Wizard. Get comfortable with the interface! Are there some things I miss or I’m going to miss about Nessus? Of course! Nessus is like a pair of old shoes you’ve traveled a lot of miles with so it’s hard to get your feet used to something new. I have to say that so far though, I’m pretty happy with OpenVAS (GVM). Sure it’s not quite as polished and maybe it will produce some false positives others don’t, but that’s ok. Even if you already have another vulnerability scanner in your environment and you just need a second opinion, I would strongly suggest giving OpenVAS (GVM) a shot if you haven’t done so recently.

Update – Override

If you performed a new install, you won’t see this issue below so you can skip this section. I only leave this here for folks who land here because of cached search terms and they can’t update for some reason or another.

Report outdated Scan Engine / Environment (local) – 10.0
Summary
This script checks and reports an outdated scan engine for the following environments:
- Greenbone Source Edition (GSE)
- Greenbone Community Edition (GCE)
used for this scan.
NOTE: While this is not, in and of itself, a security vulnerability, a severity is reported to make you aware of a possible decreased scan coverage due to e.g.:
- missing functionalities
- missing bugfixes
- incompatibilities within the feed.
Vulnerability Detection Result
Installed GVM version:        9.0.1
Latest available GVM version: 9.0.3
Reference URL:                https://community.greenbone.net/t/gvm-9-stable-initial-release-2017-03-07/211

Not the clearest explanation of what exactly is going on. Greenbone appears to be deprecating OpenVAS in favor of GVM-10, Greenbone Community Edition, or Greenbone Security Manager One. In the meantime, you can get rid of the false positives until you have time to update. To bypass these errors for the time being, simply go to a report with the error/vulnerability and click on ‘Add Override.’

In the new window that pops up, change the options to ‘Any’ as shown below followed by ‘Create.’ All of your previously related vulnerabilities that were 10.0 are now gone. Once again, this is a temporary solution and I would recommend looking at alternatives or updating to GVM-10. 

add override

88 thoughts on “Installing OpenVAS (GVM) on CentOS 7

    1. It’s worth mentioning that setenforce is a temporary setting that will not survive a reboot. This is contrast to the sed command above which modifies SELinux via the /etc/selinux/config file. I leave SELinux disabled because a) it will intermittently cause issues with scans and b) the openvas-setup throws up errors if you have it enabled.

  1. Hi,

    Thank you for your instructions. Really more clean than others. I have a question: any idea on how to survive to “Possible dependency cycle detected” in openvas scanner log?
    These events drive redis to fill CPU load, and consequently scanner goes down (even if doesn’t crash, tcpdump shows that network traffic stops).
    Up to now, standard software or plugin updates don’t solve the problems.

    Thanks again,
    l

  2. Thank you for this guide – it gives me hope that I am very close to having a working openvas install again on my centos 7 host. Now for the “close” part:

    The install runs until we get to starting openvassd, and hangs there until I kill the systemctl start openas-scanner command. Nothing I can do will get openvassd to actually respond to requests, write to logs, etc.

    Only error from openvas-check-setup –v9
    ERROR: The number of NVTs in the OpenVAS Manager database is too low.
    FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run ‘openvasmd –rebuild’.
    WARNING: OpenVAS Scanner is NOT running!

    Thanks for any advice you may hve..

    1. Hey Walter! It sounds like your NVT feed isn’t updating. Have you tried running /usr/sbin/greenbone-nvt-sync from the command line to see if it spits back any errors that might be more helpful? I’ve seen a handful of times when the feed update was blocked by the firewall. Let me know what it is when you figure it out and I’d be happy to make changes to the guide if appropriate. Thanks!

      1. I see I failed to follow up here. Sorry! I never got that install working, and made do with a docker container. I came back to it recently on a fresh vm. I did not encounter a repeat of the error I saw last year.

        Your guide is the one Greenbone should be publishing – it saved me endless frustration! Many, many thank yous.

  3. Dallas. My compliments, this was a really great guide. I have OpenVAS up and running. I have started to setup some scans and have pulled reports. However, I have a bit of an advanced configuration question regarding targets.
    See I need to setup targets for each of my subnets and I have a lot. I was doing some reading about importing XML through OMP, the OpenVAS CLI. I just can’t seem to land on the right guide to configure this properly. I figured I would run it by you, maybe you have a guide or some direction. Thanks!

    1. Thanks for the feedback Corey! I haven’t tried the XML through OMP method so I can’t offer an suggestions there. The most I’ve done is via a comma-delimited file uploaded via the web interface. You can’t specify a CIDR larger than a /24, however, you can use subnets/IPs like the example below so the possibilities are pretty endless IMO. If you already have the subnets in a spreadsheet, an export to CSV followed by some command line kung fu should get your formatting correct too. Hopefully that helps!
      10.1.0.0/24, 192.168.1.10-20, 172.16.1.0/24

  4. Thanks for the guide, it helped a lot. The only issues I had was with the scapdata sync and a login issue. After the install completed it wouldn’t let me log in with the username/password I used. I tried to re-run the command as-s but I got an error saying that username already existed. I re-ran the command and gave it a different username and it solved the login issue. The other command was “greenborne-scapdata-sync”. I am curious though. Should the scap data update itself? Or add this to a script and run it on a schedule?
    Thanks for your help

    1. Randy, thanks for stopping by. I’ve installed OpenVAS several times and I don’t believe I’ve ever ran into an issue with the login so I’m not sure on that one. Regarding feed updates… I knew I needed to add something regarding the update process to the guide and you prodded me to do that. The guide now has a section on automatic feed updates with cron. Please check it out and let me know if you run into any issues. Thanks for the nudge! 😉

  5. Thanks for the great guide, everything are explained well and works fine, but I miss a section that explains how to enable OpenVAS on CentOS to send emails. Where do I configure the OpenVAS /CentOS email settings?

    1. As you create your scan task (or if you are editing it afterward), simply click the star next to ‘alerts’ and it should be self-explanatory. Basically, name the alert, fill in your to and from address, click ‘attach report’ and select PDF from the dropdown menu. If you don’t receive the email, try sending a sample report to a non-corporate email address first. This will verify if OpenVAS is functioning properly and if your email defenses such as anti-spam or SPF/DKIM/DMARC are getting in the way. Hope this helps!

  6. Great tutorial had to go to the blog to get this line of code
    # yum -y install texlive-changepage texlive-titlesec
    for Centos 7. The rest worked like a charm and the whole thing worked after i looked at the blog page you linked.

    1. Thanks for the feedback Allen! I’m guessing the full command for installing the PDF-related packages didn’t show because of its length, i.e. it gets cutoff unless you scroll over. Either way, so happy to hear you have it working!

      yum -y install texlive-collection-fontsrecommended texlive-collection-latexrecommended texlive-changepage texlive-titlesec

  7. Hi.
    Thanks for the clear explanation.
    I have a propblem connect to webui from another machine in the same network.

    I try to resolve the issue by this answers:
    hxxps://superuser[dot]com/questions/977331/how-to-make-openvas-listen-on-an-external-interface

    but it’s not work yet.
    what can i do?

    1. My guess is that you are experiencing firewall-related issues and that depends on what OS you are running. The link you sent is for Kali, which is going to be a little different than other Linux distros. Are you running CentOS 7 as the post implies? If so, the first few commands firewall commands should get you taken care of. Some other steps you can take irregardless of the OS. First, run netstat and see if OpenVAS is listening. If it is, in the same netstat command you can also check whether OpenVAS is listening on 0.0.0.0 or 127.0.0.1. Make changes as appropriate. Best of luck!

  8. Hi Dallas,

    First of all thanks for this awesome tutorial, all the installation works like a charm.

    Problem is, when running the scan, I get no results from any host, checking on my firewall, the OpenVAS is not sending any packets to any hosts… The scanner is superfast too, it takes like just 2 minutes.

    I have done openvas-check-setup –v9 and everything is OK, just a warning for have the version 6.47 of the nmap instead of 5.51

    Any ideas?

    Thanks so much!

    1. Thanks for the feedback! The nmap version warning is normal. Are you sure you have selinux disabled? Anything in the logs? Are you positive a prior scan didn’t ban/block the scanner IP address? You mention a firewall and I’m assuming you are referring to a host-based firewall, but if you are going through an actual firewall, is an IPS potentially blocking the scans? I can’t think of any time I’ve seen what you’re experiencing right off the top of my head otherwise, although I would also try a scan with a very limited ruleset to see if maybe a feed or scan config is erring out on you. I’d love to hear back what you find just for my own curiosity.

      1. Fixed, it was a signatures problem.

        We had enabled the nasl signature check, and even after disabling it , when we check the logs its keeped saying “Will not execute. Bad or missing signature” on each nasl script. We had reinstall without change anything on signature check and it’s work perfect.

        Thanks again for this tutorial and your attention!

    1. The www does not work at least in the US anymore.

      Not Found
      The requested URL /installers/atomic was not found on this server.

      1. Jason, thanks for the feedback! I just tried the www from two different US-based internet connections and they both worked. Regardless, I did add information in the guide to use updates and www6 as alternates though. I’ll flip flop the guide so updates is the primary.

  9. Thank you very much

    I had these two warnings:

    1) WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
    2) WARNING: Your version of nmap is not fully supported: 6.47

    How can I resolve them?

    1. Thanks for stopping by! Neither of those warnings should prevent OpenVAS from running. In fact, I don’t know if I’ve have performed an install where the nmap warning wasn’t present. Holler back if you need anything else and happy scanning!

    1. I didn’t have much of a chance to look at it, but it seems OpenVAS 9 is still considered the “stable” branch while GVM-10 is beta. That said, the versions in the Atomic repo are extremely outdated and that is the problem. Even switching to the Atomic test feed only made a marginal improvement. I’m going to leave the override in solution in place for the time being, but I might end up on Debian or Ubuntu if I can’t find an updated repo for CentOS fairly soon.

      1. Hi,

        I read about the problems with the scan engine. I’m facing the same issue. Do you know, what’s the right community to address this problem or to get a status? Is it that much better to switch to Ubuntu/Debian as you are also dependent n the repository data?

        Regards

        1. I think Atomic Corp would be the best place to ask since they own the repository. FWIW, I was unable to find OpenVAS on any other repos. I’ll likely change to Ubuntu/Debian at some point since those repos seem to be maintained. If you hear anything back, please give me a holler!

  10. hi
    can u plz tell me that how long it takes to rsync to start the OpenVas setup.today i start the sync by hitting enter ‘openvas-setup’ this in 19:56 for the sync but still
    21:12(IST) there is no single further progress happen.

    even its not showing any error. I don’t have any proxy setting in my Vmware virtual environment as it is a lab setup. As per your advise i also added the 873 tcp port in the external zone in my firewall configuration.

    so can u please help me for the solution.

    1. I’ve seen where the OpenVas setup seems to “hang” for 30 minutes but everything still goes through ok. The timeframe can vary based on on CPU, memory, and internet pipe, but yes, the process can be awfully slow. It just appears to be the initial setup too. I’ve never seen those same types of hangs after that.

  11. Report outdated Scan Engine

    I now also struggled with this news.
    What to do ?
    Found this page
    https://www.greenbone.net/en/install_use_gce/

    Telling me that schedules and alarms are “…only availble with the bigger GSM models…and can be obtained from Greenbone as an evaluation unit..”.

    Well, that sucks as I am satisfied with my running OpenVAS9.

    Any idea, further infos ?

    1. You can use an Ubuntu install without issue at this time as those repos are more up-to-date than the CentOS ones. The end might be near though and the information regarding any changes is somewhat lacking.

  12. Hi, some updates to the atomicorp repo discussion, they published the upgrade to 9.0.3 on last friday. Today I updated (yum update) one of my distributed scanning node running into some troubles (openvas-manager failed to start, openvas-cli missing libs), openvas-setup runs without issues and openvas-check-setup claims only about openvas-cli; so keep care on yum update. Found also an issue request on github regarding this problem. hxxps://github.com/Atomicorp/openvas/issues/7

    1. Thanks for the udpate! I just tried this on my test box and it broke the install for me as well. Yikes! Unfortunately, I think it’s about time to move on from the Atomic Corp repos.

      1. Atomicorp has updated their repos, since yesterday new openvas packages are available. Tried today a yum update on my testbox and it seems working, they also closed the issue von github. With the upgrade they moved to gvm-10 I think, but not sure. Manager and GSAD is v8.0.0 and openvassd v6.0.0. openvas-manager (openvasmd) is now gvmd and the config/log dirs changed /var/lib/gvm/, /var/log/gvm/. I had only to correct my config files on /etc/sysconfig/gsad: OPTIONS=”–listen=0.0.0.0 –port=9392″ and removed the old settings GSAD_ADDRESS… otherwise it will run on 80/443 or, something strange, on IPv6 don’t know why. Didn’t tried a scan now to check if everthing is working correctly, will do this tomorrow.

        BR,
        Cache

  13. Getting the following services failed during the install. Any workaround you guys can suggest?

    ++++++++++++++++++++++++++++++++++++++++++

    # journalctl -xe
    — Defined-By: systemd
    — Support: hxxp://lists.freedesktop.org/mailman/listinfo/systemd-devel

    — Unit openvas-manager.service has finished shutting down.
    Apr 09 11:51:44 openvas9.uhd.edu systemd[1]: Starting OpenVAS Manager…
    — Subject: Unit openvas-manager.service has begun start-up
    — Defined-By: systemd

    1. There are some fairly significant errors when updating to OpenVAS 9.03 from the Atomic Corp repos right now. My only suggestion at this time is to revert back to your previous packages.

  14. Have you gotten ldap to work with the GVM 10 install?
    I have version 7.0.2 ldap fully working. Using the same settings on GVM 10 is not working.
    From source code install it looks like they are using libldap2.

    1. I have not. I wouldn’t be surprised if there is an problem with the library from the repo though. Investigate it a bit more and if that’s the issue, head over to the github and submit an issue. Atomic Corp has been pretty responsive to issues the past few weeks with the change to GVM 10 from OpenVAS 9.

  15. Good info! Everything worked well until
    openvas-check-setup –v9
    Looks like this was dropped.
    is there another way to do the same thing?

    Thanks in Advance!

    1. Thanks for the feedback! I still thought it was helpful as well. As noted in the guide, openvas-check-setup is no longer maintained or recommended by the developers. Maybe they’ll include similar functionality in the future.

  16. I like the way the document is created quite professional. The preface and especially the ChangeLog. I intend to use your documentation to install openvas. Will let you how it goes.

  17. Hello Dallas,

    Thanks for the guide, its very usefull. I think its work in fresh installation.
    Now I need to update from production system, could you say me the necessary steps to update without lost the configuration and report.

    Regards.

    1. Glad you found it useful Jaime! I did not look into it any further. I didn’t need the data long-term so I made a “clean break” to the new version. That said, the reports and tasks for OpenVAS were stored in tasks.db file under /var/lib/openvas/mgr/. The new reports and tasks for GVM are stored in gvmd.db under /var/lib/gvm/gvmd/. I don’t know if you could simply copy the old data and rename it, however, the 2 files are eerily close in setup and they are both SQLite databases. Please let me know what you figure out and best of luck!
      Update: I did some additional research. What I described above very well might work. If it doesn’t, you might also be able to use the ‘gvmd –migrate’ command to upgrade the database.

  18. Hi Dallas,
    thank you for the great install guide! I have installed the new GVM10, but it seems the new GUI cannot export the reports in the very useful HTML format. Do you have any idea regarding this?

    1. Hey Peter! I didn’t notice that HTML wasn’t an exportable format. That said, I tend to avoid HTML reports since so many email servers now block it and I prefer other formats anyway. Though I haven’t tried any of them, I would suggest exporting to another format such as LaTex or XML and then converting that to HTML output. You might also be able to export via the command line using gvm-tools (link below). Best of luck!
      https://github.com/greenbone/gvm-tools/issues/18

  19. PDF report file became 0 byte in OpenVAS (GSA 8.0) on CentOS 7
    I was in trouble because I couldn’t find any information on the Japanese website.
    It was very helpful. Thank you.

  20. Hi!
    I got a problem. All services are running, but I cannot get connection with web interface… What can be wrong? Followed all your steps. BTW great job!

    1. Hey Murto! I went back through the guide to ensure all of the steps worked. I did make a few changes, however, it was largely still correct. The best way to troubleshoot would be to use netstat from the command line. For example, netstat -ano | grep gsad would tell you what port the security assistant web interface is running on. If you see it is running on 9392, then I would check your firewall and ensure you opened the ports as described at the beginning of the guide. Feel free to holler back if you have other questions!

  21. Just had to come and comment love to find a guide that gets me from nothing to installed in under an hour. Well written and easy to understand why .

    1. I haven’t tried it on 8 just yet, but I wouldn’t be surprised to find out the same steps work. If you get a chance to try it out and find out one way or another, please let me know. Thanks for the feedback!

      1. Hello. First of all 10/10 guide, thank you very very much.
        Regarding CentOS 8, Atomic repo on CentOS 8 has almost no packages, so it can’t be installed via yum. Maybe it can be done via manually building the package from source, but not sure if it can work. Cheers!

  22. Hey, thanks for the guide. Worked great as a guide to an Ansible play I’m building. At least in the interim until we get a GVM10 guide for Centos7. Government is slow on approved host OS’s…

  23. Thanks for the great tutorial, first time in my IT career I come across a tutorial which someone wrote to help others and it works without any issue’s…….Thanks Dallas I will definitely check you site out for help in future…

  24. Hi Dallas,

    Is there a way to install this offline ? I have classified systems I need this on that have no internet access.

    I am assuming I can install on one machine then scan others from the machine it was installed on ?

    1. Hey Carlo! I don’t have any experience with that, but I would assume you could copy NASL files and others to meet your needs. Greenbone also has an ‘AirGap’ paid solution that appears to be exactly what you are asking for. Best of luck!

Leave a Reply

Your email address will not be published. Required fields are marked *