Greenbone Community Containers 22.4 - Greenbone Community Documentation
Dec 10, 2023
Apr 13, 2024
Running the Greenbone Community Edition from containers requires knowledge about:
  • Using a terminal
Additionally, a basic knowledge about the architecture of the Greenbone Community Edition is required to understand the setup.
Note
This guide is intended for users who want to test the newest features and/or want to get familiar with the Greenbone Community Edition. It is not intended for production setups.
Currently the docs support the following distributions:
  • Ubuntu 22.04 LTS
  • Fedora 35 and 36
  • CentOS 9 Stream
Most likely, other Debian derivatives like Mint and Kali will also work with only minor adjustments required.

Introduction

This document provides a guide for running the Greenbone Community Edition from pre-built container images using Docker. It consists of a distributed service architecture, where each service is run in a dedicated container. The orchestration of these services is done via a docker-compose file.
With the Greenbone Community Containers, it is possible to scan your local network independent of the underlying operating system, installed software and tool chains.

Hardware Requirements

Minimal:
  • CPU Cores: 2
  • Random-Access Memory: 4 GB
  • Hard Disk: 20 GB free
Recommended:
  • CPU Cores: 4
  • Random-Access Memory: 8 GB
  • Hard Disk: 60 GB free

Prerequisites

Note
Please follow the guide step by step. Later steps might require settings or output of a previous command.
The command sudo is used for executing commands that require privileged access on the system.

Install dependencies

A few dependencies are required for the following steps, such as curl, which is used for downloading the files referenced in this guide.

Installing Docker

docker is required for running the services within containers. Docker can be installed by running the following commands (taken from the Docker Engine install guide):
Uninstall conflicting Debian packages
Install Docker Debian packages

Setup

To allow the current user to run docker and therefore start the containers, they must be added to the docker user group. To make the group change effective, either log out and log in again or use su.
Add current user to docker group and apply group changes for the current shell environment
For downloading the Greenbone Community Edition docker compose file, a destination directory should be created.
Create download directory

Docker Compose File

To run the Greenbone Community Edition with containers, the following compose file should be used:
Docker Compose File

Download

It is possible to just copy and paste the docker compose file. Alternatively, it can be downloaded with the following command directly:
Downloading docker-compose file

Description

The following table describes the provided containers of the docker compose file and their services in detail.

| Container | Service | Description |
|---|---|---|
| redis-server | | A redis server with an adjusted config. Used to store VT data and scan results by the scanner. |
| pg-gvm | | A PostgreSQL database cluster setup for use with gvmd. The actual data is stored in the psql_data_vol volume. |
| gvmd | gvmd | A container for gvmd that uses unix sockets in volumes to communicate with the PostgreSQL database and ospd-openvas scanner. The downloaded feed data is stored in the gvmd_data_vol volume. To verify the feed data, the GPG keyring from the gpg_data_vol is used. |
| gsa | gsad | A container running the gsad web server for providing the web application GSA. The web interface is available at localhost on port 9392. For communication with gvmd, a unix socket in a volume is used. |
| ospd-openvas | ospd-openvas | A container providing the vulnerability scanner. The VT data from the feed is stored in the vt_data_vol volume. To verify the feed data, the GPG keyring from the gpg_data_vol is used. The connection to the redis server is established via a unix socket in a volume. |
| mqtt-broker | | An MQTT Broker used for communication between notus-scanner, openvas-scanner and ospd-openvas. |
| notus-scanner | notus-scanner | A container running the notus-scanner used for local security checks. To verify the feed data, the GPG keyring from the gpg_data_vol is used. The feed data for notus-scanner itself is stored in the notus_data_vol. |
| gvm-tools | | A container providing the gvm-tools CLI to query and control gvmd and ospd-openvas. |
| gpg-data | | A container that copies a GPG keyring with Greenbone's public signing keys into the gpg_data_vol volume on startup. It exits afterwards. |
| vulnerability-tests | | A container that copies vulnerability tests (VTs) into the vt_data_vol volume on startup. Shows the license and exits afterwards. |
| notus-data | | A container that copies vulnerability information for notus-scanner into the notus_data_vol volume on startup. Shows the license and exits afterwards. |
| scap-data | | A container that copies CVE and CPE data into the scap_data_vol volume on startup. Shows the license and exits afterwards. |
| cert-bund-data | | A container that copies CERT-Bund data into the cert_data_vol volume on startup. Shows the license and exits afterwards. |
| dfn-cert-data | | A container that copies DFN-CERT data into the cert_data_vol volume on startup. Shows the license and exits afterwards. |
| data-objects | | A container that copies scan configs, compliance policies and port lists into the data_objects_vol volume on startup. Shows the license and exits afterwards. |
| report-formats | | A container that copies report formats into the data_objects_vol volume on startup. Shows the license and exits afterwards. |

Starting the Greenbone Community Containers

Using the docker compose file, the container images can be downloaded (pulled) and the containers can be started in the background.
Downloading the Greenbone Community Containers
Starting the Greenbone Community Containers
To get a continuous stream of the log output of all services, run the following command:
Show log messages of all services from the running containers
The log stream can be stopped by pressing Ctrl-C.

Setting up an Admin User

Warning
By default, a user admin with the password admin is created. This is insecure and it is highly recommended to set a new password.
To update the administrator user with a password of your choice instead of the generated password, the following command can be used:
Updating password of administrator user

Starting the Vulnerability Management

After the services have started and all feed data has been loaded, the Greenbone Security Assistant web interface – GSA – can be opened in the browser.
Opening Greenbone Security Assistant in the browser
The browser will show the login page of GSA and after using the credentials created before, it is possible to start with vulnerability scanning.
Greenbone Security Assistant after logging in for the first time

Setup and Start Script

Note
Please remember to follow the instructions described in the Prerequisites first.
As a quick solution we provide all the commands above in a single script. This script can be downloaded with the following command directly:
Downloading setup and start script to the current working dir
To execute the script, the following command needs to be run:

Updating the Greenbone Community Containers

To update the Greenbone Community Containers to the latest version, the images must be pulled and the containers that have new images must be restarted. This can be done with:
Downloading the Greenbone Community Containers
Starting the Greenbone Community Containers

Performing a Feed Synchronization

For the actual vulnerability scanning, Vulnerability Tests, security information like CVEs, port lists and scan configurations are required. All this data is provided by the Greenbone Community Feed via dedicated data container images.
A feed synchronization always consists of two parts:
  1. Downloading the changes by pulling new container images
  2. Loading the changes into memory and a database by a daemon
Both steps may take a while, from several minutes up to hours, especially for the initial synchronization. Only when both steps are finished is the synchronized data up-to-date and usable.
The first step is done via docker compose pull. The second step is done automatically when the daemons are running.

Downloading the Feed Changes

The data of the Greenbone Community Feed is provided via several container images. When these images are started, they copy the data into the used docker volumes automatically. Afterwards, the data is picked up from the volumes by the running daemons.
To download the latest feed data container images, run:
Downloading the Greenbone Community Edition feed data containers
To copy the data from the images to the volumes, run:
Starting the Greenbone Community feed data containers

Loading the Feed Changes

Important
When feed content has been downloaded, the new data must be loaded by the corresponding daemons. This may take several minutes up to hours, especially for the initial loading of the data. Without loaded data, scans will contain incomplete and erroneous results.
After the Greenbone Community Containers have been started, the running daemons will always pick up the feed content and load the data automatically.

Vulnerability Tests Data

When the ospd-openvas log contains the following output, the OpenVAS Scanner has started loading the new VT data:
ospd-openvas VT loading log message
The loading of the VT data is finished when the following log message can be found:
ospd-openvas VTs loading finished log message
After the scanner is aware of the VT data, the data will be requested by gvmd. This will result in the following log message:
gvmd VTs loading log message
When gvmd has finished loading all VTs, the following message appears:
gvmd VTs loading finished log message

SCAP Data

gvmd starts loading the SCAP data containing CPE and CVE information when the following message can be found in the logs:
gvmd SCAP data loading log message
The SCAP data is loaded and the synchronization is finished when the (gvmd) log contains the following message:
gvmd SCAP data loading finished log message

CERT Data

gvmd starts loading the CERT data containing DFN-CERT and CERT-Bund advisories when the following message can be found in the logs:
gvmd CERT data loading log message
The CERT data is loaded and the synchronization is finished when the (gvmd) log contains the following message:
gvmd CERT data finished loading log message

GVMD Data

The log contains several messages when the gvmd data is loaded. For port lists, these messages are similar to:
gvmd port list loaded log message
For report formats:
gvmd report format loaded log message
Hint
Scan Configs can only be loaded if the VT data is available in gvmd and a Feed Import Owner is set.
For scan configs:
gvmd scan config loaded log message

Accessing the Web Interface Remotely

When using the docker compose file, the web server is configured to listen only on the local address of the host (127.0.0.1). To allow remote access on all interfaces of the host, the compose file must be modified to configure the web server gsad to listen on all network interfaces.
The following change of the docker compose file must be applied:
Allowing access on all host interfaces

Starting from Scratch

To start from scratch, the containers must be stopped. Afterwards, the containers and volumes must be removed to delete all data. All this can be done by running:
Remove containers and volumes (all data)

Gaining a Terminal for a Container

If you want to debug something in a container, install additional software, take a look at the file content, or change some configuration, it is possible to gain shell access to a container.
To access a container with a bash shell as a root user, you can run:
Gain a Terminal for a Container
Afterwards, you can execute standard bash commands within the running container.

Using gvm-tools for CLI access

To query data or control gvmd and ospd-openvas via CLI, gvm-tools can be used. gvm-tools is provided in the gvm-tools container. This container can be started with:
Start container for gvm-tools CLI access
Afterwards, a bash shell is provided and gvm-cli, gvm-pyshell or gvm-script can be run. For example:
Query gvmd version via gvm-cli

Exposing gvmd Unix socket for GMP Access

To use the GMP protocol provided by gvmd from the docker host, the /run/gvmd directory must be bind-mounted. To make the gvmd Unix socket available, a directory must be created first and its permissions must be adjusted.
In the next step, the docker compose file must be changed as follows:
After restarting the containers with
the Unix socket should be available at /tmp/gvm/gvmd/gvmd.sock. For example, to use the socket with gvm-tools, the following command can be executed:
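As an added example (not code from the Greenbone documentation or project), the following script prepares the host directory for the socket, writes a docker compose override with the bind mount, and queries gvmd through the socket with gvm-cli. It assumes compose is run from the directory holding docker-compose.yml so that docker-compose.override.yml is merged automatically, that the services reaching gvmd through the socket are named gvmd, gsa and gvm-tools (verify against your compose file), and that you supply the uid:gid gvmd runs as inside its container.

```shell
#!/bin/sh
# Added example; not part of the Greenbone documentation or project.
# Prepares the host directory for the gvmd Unix socket, writes a compose
# override that bind mounts it on /run/gvmd, and queries gvmd through it.
# Assumptions: compose is run from the directory holding docker-compose.yml
# so that docker-compose.override.yml is merged automatically; the services
# that reach gvmd through the socket are named gvmd, gsa and gvm-tools
# (verify against your compose file); the uid:gid that gvmd runs as inside
# its container is supplied by you (see "docker compose exec gvmd id").

SOCKET_DIR=/tmp/gvm/gvmd            # host path used in the text above
SOCKET_PATH=$SOCKET_DIR/gvmd.sock

# Create the directory owned by the in-container gvmd user. It sits below
# the world-writable /tmp, so create it yourself and keep it group-private:
# whoever can open the socket can speak GMP to gvmd.
prepare_socket_dir() {
    dir=$1; owner=$2
    mkdir -p "$dir" && chown "$owner" "$dir" && chmod 770 "$dir"
}

# Write an override that bind mounts DIR on /run/gvmd for each named service,
# replacing the socket volume from the original compose file.
write_socket_override() {
    out=$1; dir=$2; shift 2
    printf 'services:\n' > "$out"
    for svc in "$@"; do
        printf '  %s:\n    volumes:\n      - %s:/run/gvmd\n' "$svc" "$dir" >> "$out"
    done
}

# Query the gvmd version over the exposed socket with gvm-cli from gvm-tools.
# ADMIN_PASSWORD is the password chosen in "Setting up an Admin User".
gvmd_version() {
    gvm-cli --gmp-username admin --gmp-password "$ADMIN_PASSWORD" \
        socket --socketpath "$SOCKET_PATH" --xml '<get_version/>'
}

# Run the whole procedure only when invoked as "sh script.sh run".
if [ "${1:-}" = run ]; then
    prepare_socket_dir "$SOCKET_DIR" "${GVMD_UID_GID:?uid:gid of gvmd inside the container}"
    write_socket_override docker-compose.override.yml "$SOCKET_DIR" gvmd gsa gvm-tools
    docker compose down && docker compose up -d
    gvmd_version
fi
```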

Setting up a mail transport agent inside Docker container

gvmd uses the msmtp client as MTA. It can be configured with environment variables in the compose file or on the command line. The available variables are listed below (for a detailed explanation refer to the msmtp documentation; note that not all msmtp options are implemented in the gvmd container):
  • MTA_HOST: The SMTP server to send the mail to (mandatory).
  • MTA_PORT: The port the SMTP server listens on (default: 25).
  • MTA_TLS: Enable or disable TLS ('on'|'off').
  • MTA_STARTTLS: TLS variant: start TLS from within the session ('on', default) or tunnel the session through TLS ('off').
  • MTA_AUTH: Enable or disable authentication and optionally choose a method to use ('on'|'off'|'method').
  • MTA_USER: Username for authentication.
  • MTA_PASSWORD: Password for authentication.
  • MTA_FROM: Set the envelope-from address.
  • MTA_LOGFILE: Enable logging to the specified file.
Examples:
Use a local network relay without authorization
Use the Google Mail services with SSL and authorization
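The following script, added here as an example and not taken from the Greenbone documentation, checks a set of the MTA_* variables above for consistency and writes them into a docker compose override for the gvmd service, covering both cases named above. It assumes compose merges docker-compose.override.yml from the working directory; the relay host name is a constructed sample, and smtp.gmail.com port 465 is Gmail's SMTP over SSL endpoint.

```shell
#!/bin/sh
# Added example; not part of the Greenbone documentation or project.
# Checks a set of the MTA_* variables listed above for consistency and writes
# them into a docker compose override for the gvmd service. Assumptions:
# compose merges docker-compose.override.yml from the working directory; the
# relay host name is a constructed sample; smtp.gmail.com:465 is Gmail's SMTP
# over SSL endpoint.

# mta_check HOST PORT TLS STARTTLS AUTH USER PASSWORD
# Returns 0 when the combination is usable, else prints why and returns 1.
mta_check() {
    host=$1; port=$2; tls=$3; starttls=$4; auth=$5; user=$6; password=$7
    [ -n "$host" ] || { echo "MTA_HOST is mandatory"; return 1; }
    case $port in ''|*[!0-9]*) echo "MTA_PORT must be a number"; return 1;; esac
    case $tls in on|off) ;; *) echo "MTA_TLS must be on or off"; return 1;; esac
    case $starttls in on|off) ;; *) echo "MTA_STARTTLS must be on or off"; return 1;; esac
    # MTA_AUTH=on or an explicit method both need credentials.
    if [ "$auth" != off ] && { [ -z "$user" ] || [ -z "$password" ]; }; then
        echo "MTA_AUTH=$auth requires MTA_USER and MTA_PASSWORD"; return 1
    fi
    # Do not configure credentials for a session without TLS.
    if [ "$auth" != off ] && [ "$tls" = off ]; then
        echo "MTA_AUTH=$auth requires MTA_TLS=on"; return 1
    fi
    return 0
}

# write_mta_override FILE HOST PORT TLS STARTTLS AUTH USER FROM
# The password is written as ${MTA_PASSWORD:-} so compose takes it from the
# environment or an .env file rather than storing it in the compose file.
write_mta_override() {
    out=$1; host=$2; port=$3; tls=$4; starttls=$5; auth=$6; user=$7; from=$8
    cat > "$out" <<EOF
services:
  gvmd:
    environment:
      MTA_HOST: "$host"
      MTA_PORT: "$port"
      MTA_TLS: "$tls"
      MTA_STARTTLS: "$starttls"
      MTA_AUTH: "$auth"
      MTA_USER: "$user"
      MTA_PASSWORD: "\${MTA_PASSWORD:-}"
      MTA_FROM: "$from"
EOF
}

# Local network relay without authorization (plain SMTP on port 25):
#   mta_check relay.lan.example 25 off on off "" "" &&
#     write_mta_override docker-compose.override.yml relay.lan.example 25 off on off "" gvmd@lan.example
# Gmail with SSL and authorization (implicit TLS on 465, so STARTTLS off);
# export MTA_PASSWORD or put it into .env first:
#   mta_check smtp.gmail.com 465 on off on me@gmail.com "$MTA_PASSWORD" &&
#     write_mta_override docker-compose.override.yml smtp.gmail.com 465 on off on me@gmail.com me@gmail.com
```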

Performing a Manual Feed Sync

It is possible to do a manual feed sync using rsync instead of pulling the current feed content via the newest container images.
Warning
Please be aware that the manually synced data will be overridden if the data containers are (re-)started.
For the manual feed sync, the greenbone-feed-sync script will be used. The greenbone-feed-sync script is also provided via a container image. Using the container image requires extending the docker compose file as follows:
Extending the docker compose file for performing a manual feed sync using the greenbone-feed-sync script

Syncing Vulnerability Tests

VT data contains .nasl and .notus files for creating results during a vulnerability scan. The .nasl files are processed by the OpenVAS Scanner and the .notus files by the Notus Scanner.
Hint
.notus files and the Notus Scanner are only available for 22.4.
Downloading NASL VTs processed by the ospd-openvas scanner, this will take a while.
Downloading notus VTs processed by the Notus Scanner, this will take a while.

Syncing SCAP, CERT and GVMD Data

SCAP data contains CPE and CVE information.
Downloading SCAP data processed by gvmd, this will take a while
CERT data contains vulnerability information from the German DFN-CERT and CERT-Bund agencies.
Downloading CERT data processed by gvmd
gvmd data (also called data objects) consists of scan configurations, compliance policies, port lists and report formats.
Downloading data objects processed by gvmd

Troubleshooting

This page contains hints for troubleshooting Greenbone Community Container specific issues.

VTs are up-to-date but not visible on the web interface

It may happen, especially during the initial synchronization, that the scanner does not notice that new VT files have arrived. In that case, it is best to restart the scanner.
Restart the scanner to ensure that new VTs are loaded

Port lists, scan configurations or report formats are up-to-date but not visible on the web interface

If port lists, scan configurations, or report formats are missing on the web interface, you may run:
Forcing reload of report formats, scan configs and port lists
to force gvmd to reload the data from the file system.

Errors while starting pg-gvm container

While starting up the pg-gvm container, some errors are displayed, for example createuser: error: creation of new role failed: ERROR:  role "gvmd" already exists or ERROR:  extension "uuid-ossp" already exists.
The code behind these errors tries to set up the database. If the database is already initialized, all tables, users, permissions and extensions already exist, and these errors are raised. At the moment it is not possible to silence them, but they can be ignored safely.

osp_scanner_feed_version: failed to connect to /run/ospd/ospd-openvas.sock

If the gvmd log contains this error, gvmd is not able to connect to the ospd-openvas scanner. Most likely ospd-openvas is not running. Try to restart the corresponding container with:
Restarting the ospd-openvas scanner
If you still get errors, you need to take a look at the ospd-openvas logs.
Showing log message of the ospd-openvas scanner

Cannot log in to the web interface: Greenbone Vulnerability Manager service is not responding

If it is not possible to log in to the web interface and the error message Greenbone Vulnerability Manager service is not responding is shown, and/or the logs contain a Failed to connect to server at /run/gvmd/gvmd.sock: Connection refused message, the gvmd container must be restarted. It very likely had issues accessing the PostgreSQL database.
Restarting gvmd

Redis server keeps restarting rm: cannot remove ‘/run/redis/redis.sock’: Permission denied

Under some circumstances the Unix domain socket of the Redis server ends up with wrong permissions. To fix this issue, shut down the redis-server and ospd-openvas containers and remove the redis_socket_vol docker volume. The volume can be removed safely because it is recreated on the next startup.
Recreating the Redis server socket volume