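Installing GVM 20.08 on CentOS 8
Reference 1: https://sadsloth.net/post/install-gvm-20_08-src-on-debian/
Reference 2: https://community.greenbone.net/t/full-gvm-11-build-guide-for-centos-8/5425
After the older OpenVAS was installed successfully, it could not download the vulnerability feed; upstream recommends using the newer GVM.
I tried a source install on CentOS 7 but it did not succeed. I did not dig into the cause, so I am not sure whether CentOS 7 cannot run GVM 20.08 or a dependency was left unresolved.
With GVM 11 on CentOS 8, the ospd component had startup problems: it could be started from the console but not through systemd. I forgot to take a screenshot, so the problem cannot be confirmed.
This installation took a long time, so I am keeping a record of it.
Installation steps: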
- Install python3
yum install python3
Confirm where python3 is installed
`which python3`
Select the python3 location found in the previous step
alternatives --config python
- Enable the EPEL repository
yum install epel-release
- Enable the CentOS PowerTools repository
yum config-manager --set-enabled powertools
- Install the build tools
yum groupinstall -y "development tools"
- Install the dependencies
yum install -y cmake glib2-devel zlib-devel gnutls-devel libuuid-devel libssh-devel libxml2-devel libgcrypt-devel openldap-devel popt-devel redis libical-devel openssl-devel hiredis-devel radcli-devel gpgme-devel libksba-devel doxygen libpcap-devel nodejs python3-polib libmicrohttpd-devel gnutls-utils python3-devel libpq-devel texinfo xmltoman nmap sshpass socat mingw32-gcc ncurses-devel
- Install the PostgreSQL database
yum install -y postgresql-server postgresql-contrib postgresql-server-devel
postgresql-setup --initdb
systemctl enable postgresql
systemctl start postgresql
- Configure the PostgreSQL database
sudo -Hiu postgres
createuser gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension "uuid-ossp";
create extension "pgcrypto";
\q
exit
systemctl restart postgresql
- Add the gvm library path to the system environment
echo "/data/gvm/lib" > /etc/ld.so.conf.d/gvm.conf
ldconfig
- Add the gvm user and set up its home directory
useradd -r -d /data/gvm -c "GVM(OpenVAS) User" -s /bin/bash gvm
mkdir /data/gvm
mkdir /data/gvm/src
chown -R gvm:gvm /data/gvm
- Add the gvm executable paths to /etc/profile
vim /etc/profile
Add the following two lines:
export PATH=$PATH:/data/gvm/bin
export PATH=$PATH:/data/gvm/sbin
source /etc/profile
- Fetch the gvm sources
su - gvm
cd /data/gvm/src
git clone -b gvm-libs-20.08 --single-branch https://github.com/greenbone/gvm-libs.git
git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git
git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git
git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git
git clone -b gsa-20.08 --single-branch https://github.com/greenbone/gsa.git
git clone -b ospd-openvas-20.08 --single-branch https://github.com/greenbone/ospd-openvas.git
git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git
- Install gvm-libs
cd gvm-libs
export PKG_CONFIG_PATH=/data/gvm/lib/pkgconfig
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/data/gvm ..
make
make doc
make install
- Install heimdal (switch to the root user)
cd /usr/local/src
wget https://github.com/heimdal/heimdal/releases/download/heimdal-7.7.0/heimdal-7.7.0.tar.gz
tar xvfz heimdal-7.7.0.tar.gz
cd heimdal-7.7.0
./configure --enable-opt=no --prefix=/data/heimdal
make
make install
ln -s /data/heimdal/include/ /data/heimdal/include/heimdal
echo "/data/heimdal/lib" > /etc/ld.so.conf.d/heimdal.conf
ldconfig
- Install openvas-smb
cd /data/gvm/src/openvas-smb
export PKG_CONFIG_PATH=/data/gvm/lib/pkgconfig:/data/heimdal/lib/pkgconfig
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/data/gvm ..
make
make install
- Install openvas
cd /data/gvm/src/openvas
mkdir build
cd build/
# the prefix is /data/gvm like the other components; sudoers and openvas.conf below expect /data/gvm
cmake -DCMAKE_INSTALL_PREFIX=/data/gvm ..
make
make doc
make install
- Replace the redis configuration file (switch to the root user)
cp /etc/redis.conf /etc/redis.conf.orig
cp /data/gvm/src/openvas/config/redis-openvas.conf /etc/redis.conf
chown redis /etc/redis.conf
The following two lines in /etc/redis.conf should read as follows:

echo "db_address = /tmp/redis.sock" > /data/gvm/etc/openvas/openvas.conf
systemctl enable redis
systemctl start redis
- Configure the system environment (switch to the root user)
sysctl -w net.core.somaxconn=1024
sysctl -w vm.overcommit_memory=1
echo "net.core.somaxconn=1024" >> /etc/sysctl.conf
echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
cat << EOF > /etc/systemd/system/disable-thp.service
[Unit]
Description=Disable Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start disable-thp.service
systemctl enable disable-thp.service
- Add the gvm user to the redis group (switch to the root user)
usermod -aG redis gvm
systemctl restart redis
- Edit the /etc/sudoers file
Add the following lines
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/data/gvm/sbin"
gvm ALL = NOPASSWD:/data/gvm/sbin/openvas
gvm ALL = NOPASSWD:/data/gvm/sbin/gsad
- Sync the vulnerability feed
su - gvm
greenbone-nvt-sync (fails easily; retry until it succeeds)
sudo openvas -u
- Install gvmd
cd /data/gvm/src/gvmd
export PKG_CONFIG_PATH=/data/gvm/lib/pkgconfig:/data/heimdal/lib/pkgconfig
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/data/gvm ..
make
make doc
make install
- Configure gvmd
gvm-manage-certs -a
gvmd --create-user=admin --password=admin
Look up the UUID of the admin user just created
gvmd --get-users --verbose
admin 41f853e4-fecf-423f-85b7-18fa3396bac5 ««« remember this UUID
Modify the UUID
gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value 41f853e4-fecf-423f-85b7-18fa3396bac5
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT
- Install gsa
cd /data/gvm/src/gsa
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/data/gvm ..
make
make doc
make install
- Install ospd-openvas
cd /data/gvm/src
virtualenv --python python3.7 /data/gvm/bin/ospd-scanner/
source /data/gvm/bin/ospd-scanner/bin/activate
mkdir /data/gvm/var/run/ospd
cd ospd
pip3 install .
cd /data/gvm/src/ospd-openvas
pip3 install .
- Create the startup scripts
cat << EOF > /etc/systemd/system/gvmd.service
[Unit]
Description=Job that runs the gvm daemon
Documentation=man:gvm
After=ospd.service
[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/data/gvm/var/run/gvmd.pid
WorkingDirectory=/data/gvm
ExecStartPre=/bin/sleep 60
ExecStart=/data/gvm/sbin/gvmd --osp-vt-update=/data/gvm/var/run/ospd.sock
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/gsad.service
[Unit]
Description=Job that runs the gsa daemon
Documentation=man:gsa
After=postgresql.service
[Service]
Type=forking
PIDFile=/data/gvm/var/run/gsad.pid
WorkingDirectory=/data/gvm
ExecStart=/data/gvm/sbin/gsad --no-redirect --listen=127.0.0.1 -p 20001
[Install]
WantedBy=multi-user.target
EOF
cat << EOF > /etc/systemd/system/ospd-openvas.service
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service
[Service]
Environment=PATH=/data/gvm/bin/ospd-scanner/bin:/data/gvm/bin:/data/gvm/sbin:/data/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/data/gvm
PIDFile=/data/gvm/var/run/ospd-openvas.pid
ExecStart=/data/gvm/bin/ospd-scanner/bin/python /data/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /data/gvm/var/run/ospd-openvas.pid --unix-socket=/data/gvm/var/run/ospd.sock --log-file /data/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /data/gvm/var/run/
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable gvmd
systemctl enable gsad
systemctl enable ospd-openvas
systemctl start gvmd
systemctl start gsad
systemctl start ospd-openvas
- Configure nginx
Download the nginx source package nginx-1.19.6.tar.gz
tar -zxvf nginx-1.19.6.tar.gz
cd nginx-1.19.6/
useradd -r -d /usr/local/nginx -c "Nginx web server" -s /sbin/nologin nginx
vim src/http/ngx_http_header_filter_module.c (change the default banner value); the details are shown in the figure below:

yum install libxml2 libxml2-devel libxslt-devel gd-devel perl-devel perl-ExtUtils-Embed geoip-devel gperftools-devel
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_auth_request_module --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
--with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic \
--with-stream_ssl_module --with-google_perftools_module --with-debug
make
make install
chown -R nginx:nginx /usr/local/nginx/
Edit /usr/local/nginx/conf/nginx.conf
Run as user nginx

Redirect HTTP to HTTPS automatically

Configure HTTPS access

# 'EOF' is quoted so the shell does not expand $MAINPID while writing the file
cat << 'EOF' > /etc/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
user=nginx
group=nginx
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/bin/rm -f /usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start nginx
systemctl enable nginx
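The three nginx.conf changes listed in this step (run as user nginx, redirect HTTP to HTTPS, HTTPS access) could look like the following. This is an added example, not the author's configuration: the server name and certificate paths are placeholders, and proxying over https assumes gsad serves TLS itself because gsad.service above starts it without --http-only.

```nginx
# Added example for /usr/local/nginx/conf/nginx.conf (not the author's file).
# gvm.example.internal and the certificate paths are placeholders.
user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    server_tokens off;

    # Plain HTTP does nothing except redirect to HTTPS.
    server {
        listen 80;
        server_name gvm.example.internal;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name gvm.example.internal;

        ssl_certificate     /usr/local/nginx/conf/tls/gvm.crt;  # placeholder path
        ssl_certificate_key /usr/local/nginx/conf/tls/gvm.key;  # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            # gsad listens on 127.0.0.1:20001 (see gsad.service), so nginx is
            # the only network-facing entry point to the web interface.
            # Assumption: gsad runs with its own TLS (no --http-only), hence https.
            proxy_pass https://127.0.0.1:20001;

            # The Host header is left at nginx's default ($proxy_host), so gsad
            # sees the address it listens on.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

The ExecStartPre line in nginx.service runs /usr/local/nginx/sbin/nginx -t, so a syntax error in this file stops the service from starting instead of being applied.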
- Access GVM

Log in with the default account and password, admin public, and change the account password afterwards.