Openvas setup fails

English Applications
1

Hi, i am using opensuse 42.2 leap.
recently i installed openvas, while installing openvas there was one error regarding one dependency libgcrypt.so.11()(64) not found. I installed libgcrypt11-1.5.4-2.12.1.i586.rpm manually hoping this should fix the issue. then installation process completed successfully.
but while setup

openvas-setup

getting error after some times and downloading few xml files:

openvassd: no process found
openvassd: error while loading shared libraries: libgcrypt.so.11: cannot open shared object file: No such file or directory
openvasmd: error while loading shared libraries: libgcrypt.so.11: cannot open shared object file: No such file or directory
openvassd: no process found
Job for openvas-scanner.service failed because the control process exited with error code. See "systemctl status openvas-scanner.service" and "journalctl -xe" for details.
Job for openvas-manager.service failed because the control process exited with error code. See "systemctl status openvas-manager.service" and "journalctl -xe" for details.
Failed to start openvas-administrator.service: Unit openvas-administrator.service failed to load: No such file or directory.
/usr/sbin/openvas-setup: line 19: openvasad: command not found

I understand this may be because libgcrypt.so.11 . but don’t know how to fix this.
please help me fix the problem.

2

Few pointers;

  • Leap 42.2 is 64-bit distribution so binaries compiled for it natively would not use i586 (32-bit) libraries.
  • OpenVAS ships in the 42.2 repositories so the right way to install it would be;

sudo zypper in openvas-cli openvas-manager openvas-scanner
sudo openvas-setup

After some lengthy and large downloads, browse to https://localhost:9392/ with your favourite browser.

It doesn’t start on its own, use sudo systemctl start openvas-manager

3

I read until here. How did you install, from where?

4

I found the information in opensuse site itself

zypper addrepo http://download.opensuse.org/repositories/security:OpenVAS:UNSTABLE:v7/openSUSE_13.1/security:OpenVAS:UNSTABLE:v7.repo
zypper refresh
zypper install libopenvas

installation was successful beside on warning.

Few pointers;

  • Leap 42.2 is 64-bit distribution so binaries compiled for it natively would not use i586 (32-bit) libraries.

I installed 64 variant and setup proceeds. after downloading lots of packages(NVTs and others)
it gives error:

You will have to copy them by hand.

openvassd: no process found
All plugins loaded                                   
Job for openvas-scanner.service failed because a timeout was exceeded. See "systemctl status openvas-scanner.service" and "journalctl -xe" for details.
Job for openvas-manager.service failed because the control process exited with error code. See "systemctl status openvas-manager.service" and "journalctl -xe" for details.
Failed to start openvas-administrator.service: Unit openvas-administrator.service failed to load: No such file or directory.
/usr/sbin/openvas-setup: line 19: openvasad: command not found

I hope this help you to figure out problem and you will be able to help me further.

5

You installed a 13.1 version in 42.2?? Think that may be the problem. don you???

6

Yes I realized.
I completely removed all openvas and related packages in YaST. disabled 13.1 repo that i created. refreshed repo using zypper refresh.
then

sudo zypper in openvas-cli openvas-manager openvas-scanner
sudo openvas-setup

but error seems same

openvassd: no process found
All plugins loaded                                   
Job for openvas-scanner.service failed because a timeout was exceeded. See "systemctl status openvas-scanner.service" and "journalctl -xe" for details.
Job for openvas-manager.service failed because the control process exited with error code. See "systemctl status openvas-manager.service" and "journalctl -xe" for details.
Failed to start openvas-administrator.service: Unit openvas-administrator.service failed to load: No such file or directory.
Failed to start greenbone-security-assistant.service: Unit greenbone-security-assistant.service failed to load: No such file or directory.
/usr/sbin/openvas-setup: line 19: openvasad: command not found
reishi@linux-jcjy:~> sudo systemctl start openvas-manager
root's password:
Job for openvas-manager.service failed because the control process exited with error code. See "systemctl status openvas-manager.service" and "journalctl -xe" for details.

am I missing something?

7

Decided to spend a little time on this, but have to run before completing…
First, it should be noted that although OpenVAS is in the main repository for openSUSE 42.2, it’s old and unusable. Below will be instructions for installing a version of OpenVAS which should be new enough to work.

All of the following commands should be run in a root console…

PREPARATION:
Because the OpenVAS from the openSUSE repos are not complete, I highly recommend downloading the following script, make it executable and you can run it any time to check your install for completeness and validity all the way up to where you have a working OpenVAS

https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup

REMOVAL:
Although your existing openvas <might> update with a “zypper up” I’d recommend removing it first with the following

zypper rm openvas*

Then remove the repo you used to install your wrong version of openvas

zypper rr security_OpenVAS_UNSTABLE_v7

INSTALLATION:
Now, you can install openVAS.

Because the version of openVAS in the 42.2 OSS is old and won’t work, install OpenVAS from this 42.1 security repo until a 42.2 repo is made available

zypper ar --gpg-auto-import-keys http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v8/openSUSE_Leap_42.1/ Security:_42.1

If you’d like, you can list the available packages you can install

zypper se openvas

From that list of openVAS packages, you can install any or all packages which aren’t libraries, for example the following

zypper in --from Security:_42.1 openvas-cli openvas-manager openvas-scanner openvas-scanner-doc

It looks like your next step should be to run the setup, which among other things will download and install the latest xml definition files from openvas.org, mitr.org and more, installing and updating plugins…This will take awhile since it looks like only one network connection is used…This step can take over an hour to complete…
Small notes:

  • A setup configuration file likely exists somewhere which should be modified before running setup.
    If the setup parameters are not modified, the following default values are installed
  • A certificate/signature is created specifying the installed location is Berlin, Germany
  • Default username is “om”
openvas-setup

Now, if you run the openvas-check-setup, it will complain that redis server is not installed.
So, you can install redis

zypper in redis

And then configure it

cp /etc/redis/default.conf.example /etc/redis/default.conf

Find the following line in /etc/redis/default.conf and remove the hash (#) at the beginning of the line to enable listening on the default Unix socket

# unixsocket /tmp/redis.sock

Now, start redis in a console

redis-server /etc/redis/default.conf

Now, run your openvas check script again and everything should check out and tell you what port your browser should open to (on my system, it’s 6379)

But, it’s taking a <very> long time for a page to render, I don’t know if I should wait longer but I’ve got to go now…

Maybe someone can take this and run with the ball to complete a successfully running OpenVAS…

Good Luck,
TSU

8

Forgot to add at the very end,
the last check I described will tell you how to add a User which is likely necessary.

You may need to install sqlite3 as suggested (it may not be optional) before a user can be added.

TSU

9

Final, add comment…

The above statement about runniing 32-bit libraries in LEAP is not really correct.

LEAP <can> run 32-bit binaries and you can install 32-bit libraries, but they’re not provided for you.
If you can provide everything “32-bit” that’s needed, a 32-bit app should not be a problem, but it won’t likely be easy…

IMO,
TSU

10

Made a couple more tries… but although not complete a final noteworthy commend…

Just keep running the check script and fixing whatever it tells you to do.
I’ve fun it now about 6 additional times and a variety of things have been modified… installing sqlite3 before adding a User, rebuilding the database a couple times, synchronizing scap data… and there’s still more fixes needed but it looks like there’s a good probability that eventually everything will be working.

TSU

11

Please, please. When typed like this, this is a wild card for the shell. Only by incident it will be left as it is by the shell. When you want to prevent characters that are special to the shell to be interpreted by the shell and thus to be used in the arguments to the command itselft, you should quote them! E.g.

zypper rm 'openvas*'

Even the man page of zypper acknowledges the fact that people tend to ignore this.

(quote the string to prevent the shell from expanding the wildcard)

12

hcvv
You’re right! Absolutely, strings should be enclosed to prevent injection and accidental execution! But, that’s more of an issue when scripting (and distributing scripts) and very unlikely an issue when entering the zypper command manually…

But, a FYI to anyone who is following this thread…

I’ve been able to take this install with me,
And can report that eventually the script will complete without error…
But there a lot of “gotchas” which I’ll describe next along with a general description of some things that had to be done.

The Following is a continuation of my previous post that describes Preparation and Installation

Things the “openvas-check-setup” script will prompt you to do…

  • SQLite3 needs to be installed before you can add a User (Admin role and setting password)
zypper in sqlite3

You’ll be prompted to set up a User, but it’s useless (more on this later)

openvasmd --create-user=tsu --role=Admin && openvasmd --user=tsu --new-password=123
  • Rebuild the database several times
openvasmd --rebuild
  • Update the scapdata database
openvas-scapdata-sync
  • Create new or use the default certificate for downloading data from some sources, the following uses the default certificate
openvas-certdata-sync
  • Configure the Password Policy. The following command opens the default policy, you need to modify it in some way to disable the error. You can use your graphical text editor to do this if you wish (with root permissions)
vi /etc/openvas/pwpolicy.conf

An example if you want to use kwrite with root permissions… First open a root console (su- ) and then execute the following

kwrite /etc/openvas/pwpolicy.conf

Install greenbone

zypper in greenbone-security-assistant

Now, in addition to the above,** I recommend the following** which will automatically start up various parts of OpenVAS (except redis which will still be started manually. If people want to have redis start up automatically, I’ll post that separately since it’s not a simple procedure)

First start Redis manually in a console referencing the config file as I described earlier

redis-server /etc/redis/default.conf

To start openvas manager automatically
systemctl start openvas-manager.service
systemctl enable openvas-manager.service

To start the openvas scanner service automatically
systemctl enable openvas-scanner.service
systemctl start openvas-scanner.service

Run the check script which besides checking also starts up openvas to verify nothing else needs to be fixed.
It should state some warnings about pdflatex, nmap and nsis.

If you install** texlive**(zypper install textlive), you’ll get pdflatex, but there’s still an unknown problem and may not work.
You can install nmap, but the script will complain about nmap being too new. I haven’t yet checked if this is an issue (IMO an important issue if not working).
You can’t install nsis because it’s distributed only as a Windows binary so can run only in something like Wine.

Optional]
Now if you want to, you can reboot if you wish to test your setup when it newly boots.
When your system has booted, every required sub-system except redis should have started automatically.
Start redis in a console, then run the check script again to verify everything is working properly and continue.

Now to address the problem of a non-working account. To install a working User account, run the following and copy the generated password

openvasmd --create-user *Username*

Open a web browser to localhost if on the same machine as your OpenVAS to localhost

localhost

The Greenbone Securiity Assistant should open.
Enter the Username you configured above, and paste the password into its field.
When you’re authenticated, you can go in and change the password to something easier to remember.

One more observation…
The steps described result in a generally **unsafe **configuration, susceptible to hacking. Do not expose to the Internet, in fact I’d recommend you install this in a VM which can always be shut down except when you’re running it.

HTH for anyone,
TSU

13

Thanks for the help.
I followed this:

zypper rm openvas*
zypper rr security_OpenVAS_UNSTABLE_v7
zypper ar --gpg-auto-import-keys http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v8/openSUSE_Leap_42.1/ Security:_42.1




zypper in --from Security:_42.1 openvas-cli openvas-manager openvas-scanner openvas-scanner-doc

These completed successfully.
then i installed redis

zypper in redis
cp /etc/redis/default.conf.example /etc/redis/default.conf

then I uncommented
unixsocket /tmp/redis.sock
installed sqllite3.

zypper in sqllite3

all these were successful.
I started redis

redis-server /etc/redis/default.conf

this gives no message so cannot say its starting or not.

if I command

openvas-check-setup
If 'openvas-check-setup' is not a typo you can use command-not-found to lookup the package that contains it, like this:
    cnf openvas-check-setup

I tried to

openvas-setup
**********************
* No user data directory '/var/lib/openvas/scap-data/private' found.
* No CPEs or CVEs updated, skipping CVSS and CVE recount for CPEs.
* No OVAL definitions or CVEs updated, skipping CVSS recount for OVAL definitions.
* No CVEs updated, skipping placeholder CPE update.
openvassd: no process found
Job for openvas-scanner.service failed because the control process exited with error code. See "systemctl status openvas-scanner.service" and "journalctl -xe" for details.
Failed to start openvas-administrator.service: Unit openvas-administrator.service failed to load: No such file or directory.
/usr/sbin/openvas-setup: line 19: openvasad: command not found

I thought openvas-administrator and greenbone-security-assiatant may be missing.
I tried

 zypper in openvas-administrator greenbone-security-assistant

this installs greenbone-security-assistant but not openvas-administrator.
messages displayed:
‘openvas-administrator’ not found in package names. Trying capabilities.
No provider of ‘openvas-administrator’ found.

how to install openvas-administrator?
OR i am in wrong direction?****

14

I am NOT talking about injection and accidental execution from scripts. I am talking about the normal behaviour of the shell. Example:

boven:/tmp/test # ls
boven:/tmp/test # zypper se -i Network*
Loading repository data...
Reading installed packages...

S | Name                          | Summary                                    | Type   
--+-------------------------------+--------------------------------------------+--------
i | NetworkManager                | Network Link Manager and User Applications | package
i | NetworkManager-kde4-libs      | NetworkManager client for KDE 4            | package
i | NetworkManager-kde4-libs-lang | Languages for package NetworkManager-kde4  | package
i | NetworkManager-openvpn        | NetworkManager VPN support for OpenVPN     | package
i | NetworkManager-openvpn-kde4   | NetworkManager client for KDE 4            | package
i | NetworkManager-pptp           | NetworkManager VPN support for PPTP        | package
i | NetworkManager-pptp-kde4      | NetworkManager client for KDE 4            | package
i | NetworkManager-vpnc           | NetworkManager VPN Support for vpnc        | package
i | NetworkManager-vpnc-kde4      | NetworkManager client for KDE 4            | package
boven:/tmp/test # touch Networking
boven:/tmp/test # zypper se -i Network*
Loading repository data...
Reading installed packages...

S | Name                 | Summary                               | Type   
--+----------------------+---------------------------------------+--------
i | glib-networking      | Network-related GIO modules for glib  | package
i | glib-networking-lang | Languages for package glib-networking | package
boven:/tmp/test #

I have an empty directory. Thus the Pathname Expansion (read the pararaph of that name in the man page of bash) will leave Network* as it is and give it as argument to zypper. Probably what most people want to happen.

Then, for some reason, I have a file Networking in my working directory. And look what happens. The shell expands Network* into Networking and gives that as an argument to zypper. So either quote it

boven:/tmp/test # ls
Networking
boven:/tmp/test # zypper se -i 'Network*'
Loading repository data...
Reading installed packages...

S | Name                          | Summary                                    | Type   
--+-------------------------------+--------------------------------------------+--------
i | NetworkManager                | Network Link Manager and User Applications | package
i | NetworkManager-kde4-libs      | NetworkManager client for KDE 4            | package
i | NetworkManager-kde4-libs-lang | Languages for package NetworkManager-kde4  | package
i | NetworkManager-openvpn        | NetworkManager VPN support for OpenVPN     | package
i | NetworkManager-openvpn-kde4   | NetworkManager client for KDE 4            | package
i | NetworkManager-pptp           | NetworkManager VPN support for PPTP        | package
i | NetworkManager-pptp-kde4      | NetworkManager client for KDE 4            | package
i | NetworkManager-vpnc           | NetworkManager VPN Support for vpnc        | package
i | NetworkManager-vpnc-kde4      | NetworkManager client for KDE 4            | package
boven:/tmp/test #

or be surprised when you do this one day not wich zypper se, but with a zypper rm.

15

The script is in my post #7 under “Preparation”
https://svn.wald.intevation.org/svn/…as-check-setup

Copy the contents of that link to a file and call it something like “openvas-check-setup.sh” and make it executable.

Do not run it immediately, if you follow post #7, I describe the order of steps to run.

  1. Run openvas-setup
openvas-setup
  1. After it completes, then run openvas-check-setup.sh for the first time and as you fix whatever the output describes, again repeatedly until the script says that your installation “is OK.”

TSU****

16

OK, I see what you are saying…

Curiously, I can’t seem to identify exactly what the BASH shell is passing to the command.
Firstly, just using a wildcard (*) is a form of pathname expansion, but if the BASH shell is indeed doing the expansion independently and before passing to the command, then in theory it should be possible to inspect the expansion separately from the command.

In other words, in your example it should be possible to “echo” (instead of passing to zypper) the results of quoting or not quoting the regular expression, for example

boven:/tmp/test # echo Network*
boven:/tmp/test # echo 'Network*'

The first above results in “Networking” while the second results in words with the string “Network” included. OK. So, you can now test substituting those results with the wildcard expressions in the following

boven:/tmp/test # zypper in -i Networking
boven:/tmp/test # zypper in -i 'Network*'

As should be expected the quoted wildcard expression remains consistent in all tests.
But the unquoted wildcard expression returns a different result than its value as displayed by “echo.”

I guess this little exercise does show that quoting the regular expression ensures control of various expansions including the Pathname Expansion.

But, I’m disappointed that there is no easily understood logic or consistency to the unquoted regular expression so that it can be used in a known way. At least, unless anyone can explain the anomaly I just described.

Thx,
TSU

17

I hope you now understand the important fact that when one wants to keep characters, that are special to the shell, unchanged (not interpreted by bash) so they can be propagated to the arguments of the program that one calls in the shell, you have to quote them.

This has nothing to do with the fact that you now forgot to read

man zyppper

where it says (my example):

search (se) [options] [querystring|capability] …

and (your example)

install (in) [options] <name|capability|rpm_file_uri> …

In the first case the argument I gave is a querystring.
In your case it is a name.
So they are different in the two cases and the result of what those statements act on will be different.

Oh yes, and when you want to trace what bash is doing with the lines you type, use

set -x
18

Thx. Will explore.

For those who are following the main part of this thread, because it seems that the string and any possible path based on “openvas” appears to be unique, so <in this specifc case> it seems there is no difference whether quotes are used or not.

But, undoubtedly using quotes is <proper practice>

BTW - Based on this, I think that unless a valid reason exists, it’s a code defect for zypper to <not> automatically quote all names and capabilites regardless whether a Regular Expression is used or not.

TSU

19

That is utter nonsense.

You type in the shell. Only bash interpretes what you type. Zypper is unaware of that.
(The only thing it can do is warn the user again and again to quote shell special characters, what it does several times in the man page).

Bash does first Word slplitting and then:

Expansion is performed on the command line after it has been split into words. There are seven kinds of expansion performed: brace expansion, tilde expansion, parameter and variable expansion, command substitution, arithmetic expansion, word splitting, and pathname expansion.

The order of expansions is: brace expansion, tilde expansion, parameter, variable and arithmetic expansion and command substitution (done in a left-to-right fashion), word splitting, and pathname expansion.

That is all done before the shell looks at the first word of the expanded command to see if it is program or not. And bash has no specific knowledge of zypper, thus it behaves not different if the first word of a command is zypper, or ls, or …

And when the command starts with he word zypper, the shell searches for a file of that name, using the PATH variable. It will find /usr/bin/zypper. It then asks the shell to start a new proces from the file /usr/bin/zypper and to give it all the arguments that are now words in the expanded command. Zypper is started and it parses the arguments having no knowledge whatsoever about how the command looked like when you typed it.

This is all very basic and taught very, very early in Unix/Linux courses. When a shell user does not have at least some basic knowledge about what happens to what he types even before a program is started, he will learn earlier or later the hard way. Specially when he uses the shell as the Superuser :(.

20

It appears that inserting quotes before expansion is not possible as you say.
The likely authoritative source for describing the order in which BASH processes the command, the argument, any quotes and any expansions is described here

http://mywiki.wooledge.org/BashParser

BASH parses the command and argument only in step 4, after processing existing quotes, special characters like re-direction and doing expansions.

TSU