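Notes on Choosing an OS for Installing GVM 11

The GVM discussed here is not the "Go Version Management" that developers know well, but a platform security vulnerability scanning and management tool from the German company Greenbone, aimed mainly at platform operations staff.

GVM stands for Greenbone Vulnerability Management. It is a security scanning system whose open-source community edition is also called Open-VAS; the current stable release is Greenbone Vulnerability Management version 11 (GVM-11).

Today I tried to upgrade to GVM-11 on an Ubuntu 14.04 environment, but unfortunately the installation failed, because GVM-11 does not support that operating system.

From the GVM-11 project documentation I learned that GVM-11 supports only CentOS 8, Ubuntu 18 and Ubuntu 20.

On Ubuntu 14 I can only consider installing GVM-8. Next, when I find the time, I will set up a Docker environment on Ubuntu 14.04 and deploy GVM-11 with Docker.

Although this upgrade failed, the pitfalls I ran into along the way are still worth recording.

The steps I went through:

Installing Open-VAS (Greenbone Vulnerability Management) on Ubuntu 14.04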

googlebigtable@googlebigtable-virtual-machine:~$ sudo su

[sudo] password for googlebigtable:

root@googlebigtable-virtual-machine:/home/googlebigtable# apt install -y aptitude

.........................................................................................................

正在设置 aptitude (0.6.8.2-1ubuntu4) ...

update-alternatives: using /usr/bin/aptitude-curses to provide /usr/bin/aptitude (aptitude) in 自动模式

正在处理用于 libc-bin (2.19-0ubuntu6) 的触发器 ...

root@googlebigtable-virtual-machine:/home/googlebigtable#

root@googlebigtable-virtual-machine:/home/googlebigtable# timedatectl set-timezone Asia/Shanghai

root@googlebigtable-virtual-machine:/home/googlebigtable# systemctl restart syslog

systemctl:未找到命令

root@googlebigtable-virtual-machine:/home/googlebigtable# service syslog restart

syslog: unrecognized service

root@googlebigtable-virtual-machine:/home/googlebigtable# service rsyslog restart

rsyslog stop/waiting

rsyslog start/running, process 5670

root@googlebigtable-virtual-machine:/home/googlebigtable#

root@googlebigtable-virtual-machine:/home/googlebigtable# echo "deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main" >> /etc/apt/sources.list.d/pgdg.list

root@googlebigtable-virtual-machine:/home/googlebigtable# cat /etc/apt/sources.list.d/pgdg.list

deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main

root@googlebigtable-virtual-machine:/home/googlebigtable# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

OK

root@googlebigtable-virtual-machine:/home/googlebigtable# apt-get update

忽略 http://cn.archive.ubuntu.com trusty InRelease

命中 http://security.ubuntu.com trusty-security InRelease

....................................................................................................

正在读取软件包列表... 完成

root@googlebigtable-virtual-machine:/home/googlebigtable# aptitude install -y postgresql-10

下列“新”软件包将被安装。

libpq5{a} pgdg-keyring{a} postgresql-10 postgresql-client-10{a} postgresql-client-common{a} postgresql-common{a} sysstat{a}

0 个软件包被升级,新安装 7 个, 0 个将被删除, 同时 766 个将不升级。

需要获取 7,028 kB 的存档。 解包后将要使用 31.4 MB。

........................................................................................................

正在设置 postgresql-client-common (201.pgdg14.04+1) ...

正在设置 postgresql-client-10 (10.8-1.pgdg14.04+1) ...

update-alternatives: using /usr/share/postgresql/10/man/man1/psql.1.gz to provide /usr/share/man/man1/psql.1.gz (psql.1.gz) in 自动模式

正在设置 postgresql-common (201.pgdg14.04+1) ...

正在将用户“postgres”加入到“ssl-cert”组中

Creating config file /etc/postgresql-common/createcluster.conf with new version

Building PostgreSQL dictionaries from installed myspell/hunspell packages...

en_au

en_gb

en_us

en_za

Removing obsolete dictionary files:

  • No PostgreSQL clusters exist; see "man pg_createcluster"

正在设置 sysstat (10.2.0-1) ...

Creating config file /etc/default/sysstat with new version

update-alternatives: using /usr/bin/sar.sysstat to provide /usr/bin/sar (sar) in 自动模式

正在处理用于 ureadahead (0.100.0-16) 的触发器 ...

正在设置 postgresql-10 (10.8-1.pgdg14.04+1) ...

Creating new PostgreSQL cluster 10/main ...

/usr/lib/postgresql/10/bin/initdb -D /var/lib/postgresql/10/main --auth-local peer --auth-host md5

属于此数据库系统的文件宿主为用户 "postgres".

此用户也必须为服务器进程的宿主.

数据库簇将使用本地化语言 "zh_CN.UTF-8"进行初始化.

默认的数据库编码已经相应的设置为 "UTF8".

initdb: 无法为本地化语言环境"zh_CN.UTF-8"找到合适的文本搜索配置

缺省的文本搜索配置将会被设置到"simple"

禁止为数据页生成校验和.

修复已存在目录 /var/lib/postgresql/10/main 的权限 ... 成功

正在创建子目录 ... 成功

选择默认最大联接数 (max_connections) ... 100

选择默认共享缓冲区大小 (shared_buffers) ... 128MB

选择动态共享内存实现 ......posix

创建配置文件 ... 成功

正在运行自举脚本 ...成功

正在执行自举后初始化 ...成功

同步数据到磁盘...成功

Success. You can now start the database server using:

/usr/lib/postgresql/10/bin/pg_ctl -D /var/lib/postgresql/10/main -l logfile start

Ver Cluster Port Status Owner Data directory Log file

10 main 5432 down postgres /var/lib/postgresql/10/main /var/log/postgresql/postgresql-10-main.log

update-alternatives: using /usr/share/postgresql/10/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in 自动模式

  • Starting PostgreSQL 10 database server [ OK ]

正在处理用于 libc-bin (2.19-0ubuntu6) 的触发器 ...

root@googlebigtable-virtual-machine:/home/googlebigtable#

root@googlebigtable-virtual-machine:/home/googlebigtable# find / -name pg_hba.conf

/etc/postgresql/10/main/pg_hba.conf

root@googlebigtable-virtual-machine:/home/googlebigtable# cat -n /etc/postgresql/10/main/pg_hba.conf

 1 # PostgreSQL Client Authentication Configuration File

 2 # ===================================================

 3 #

 4 # Refer to the "Client Authentication" section in the PostgreSQL

 5 # documentation for a complete description of this file.  A short

 6 # synopsis follows.

 7 #

 8 # This file controls: which hosts are allowed to connect, how clients

 9 # are authenticated, which PostgreSQL user names they can use, which

10 # databases they can access.  Records take one of these forms:

11 #

12 # local      DATABASE  USER  METHOD  [OPTIONS]

13 # host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

14 # hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

15 # hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

16 #

17 # (The uppercase items must be replaced by actual values.)

18 #

19 # The first field is the connection type: "local" is a Unix-domain

20 # socket, "host" is either a plain or SSL-encrypted TCP/IP socket,

21 # "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a

22 # plain TCP/IP socket.

23 #

24 # DATABASE can be "all", "sameuser", "samerole", "replication", a

25 # database name, or a comma-separated list thereof. The "all"

26 # keyword does not match "replication". Access to replication

27 # must be enabled in a separate record (see example below).

28 #

29 # USER can be "all", a user name, a group name prefixed with "+", or a

30 # comma-separated list thereof.  In both the DATABASE and USER fields

31 # you can also write a file name prefixed with "@" to include names

32 # from a separate file.

33 #

34 # ADDRESS specifies the set of hosts the record matches.  It can be a

35 # host name, or it is made up of an IP address and a CIDR mask that is

36 # an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that

37 # specifies the number of significant bits in the mask.  A host name

38 # that starts with a dot (.) matches a suffix of the actual host name.

39 # Alternatively, you can write an IP address and netmask in separate

40 # columns to specify the set of hosts.  Instead of a CIDR-address, you

41 # can write "samehost" to match any of the server's own IP addresses,

42 # or "samenet" to match any address in any subnet that the server is

43 # directly connected to.

44 #

45 # METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",

46 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".

47 # Note that "password" sends passwords in clear text; "md5" or

48 # "scram-sha-256" are preferred since they send encrypted passwords.

49 #

50 # OPTIONS are a set of options for the authentication in the format

51 # NAME=VALUE.  The available options depend on the different

52 # authentication methods -- refer to the "Client Authentication"

53 # section in the documentation for a list of which options are

54 # available for which authentication methods.

55 #

56 # Database and user names containing spaces, commas, quotes and other

57 # special characters must be quoted.  Quoting one of the keywords

58 # "all", "sameuser", "samerole" or "replication" makes the name lose

59 # its special character, and just match a database or username with

60 # that name.

61 #

62 # This file is read on server startup and when the server receives a

63 # SIGHUP signal.  If you edit the file on a running system, you have to

64 # SIGHUP the server for the changes to take effect, run "pg_ctl reload",

65 # or execute "SELECT pg_reload_conf()".

66 #

67 # Put your actual configuration here

68 # ----------------------------------

69 #

70 # If you want to allow non-local connections, you need to add more

71 # "host" records.  In that case you will also need to make PostgreSQL

72 # listen on a non-local interface via the listen_addresses

73 # configuration parameter, or via the -i or -h command line switches.

74

75

76

77

78 # DO NOT DISABLE!

79 # If you change this first entry you will need to make sure that the

80 # database superuser can access the database using some other method.

81 # Noninteractive access to all databases is required during automatic

82 # maintenance (custom daily cronjobs, replication, and similar tasks).

83 #

84 # Database administrative login by Unix domain socket

85 local   all             postgres                                peer

86

87 # TYPE  DATABASE        USER            ADDRESS                 METHOD

88

89 # "local" is for Unix domain socket connections only

90 local   all             all                                     peer

91 # IPv4 local connections:

92 host    all             all             127.0.0.1/32            md5

93 # IPv6 local connections:

94 host    all             all             ::1/128                 md5

95 # Allow replication connections from localhost, by a user with the

96 # replication privilege.

97 local   replication     all                                     peer

98 host    replication     all             127.0.0.1/32            md5

99 host    replication     all             ::1/128                 md5

root@googlebigtable-virtual-machine:/home/googlebigtable#

root@googlebigtable-virtual-machine:/home/googlebigtable# cp /etc/postgresql/10/main/pg_hba.conf{,.original}

root@googlebigtable-virtual-machine:/home/googlebigtable# gedit /etc/postgresql/10/main/pg_hba.conf

Change the following records to allow local connections:

84 # Database administrative login by Unix domain socket

85 local   all             postgres                                trust

86

87 # TYPE  DATABASE        USER            ADDRESS                 METHOD

88

89 # "local" is for Unix domain socket connections only

90 local   all             all                                     trust

91 # IPv4 local connections:

92 host    all             all             127.0.0.1/32            trust

93 # IPv6 local connections:

94 host    all             all             ::1/128                 trust

root@googlebigtable-virtual-machine:/home/googlebigtable# service postgresql restart

  • Restarting PostgreSQL 10 database server [ OK ]

root@googlebigtable-virtual-machine:/home/googlebigtable#
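
The edit above switches every local record, including the one for the postgres superuser, to trust, so any local account can connect as any database role without a password. As an added example (not from the original post), this shell function lists the trust records in a pg_hba.conf so they can be reviewed and set back to peer or md5 once setup is finished; the function names and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: list pg_hba.conf records whose
# METHOD is "trust" (the connection is accepted without any credential check).

# audit_pg_hba_trust FILE
# Prints one finding per line: LINENO TYPE DATABASE USER ADDRESS ("-" = local).
audit_pg_hba_trust() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
        $1 == "local" { addr = "-"; m = 4 }        # local records: no ADDRESS
        $1 ~ /^host(ssl|nossl)?$/ {
            addr = $4; m = 5
            # "IP NETMASK" written in two columns shifts METHOD one field right
            if ($5 ~ /[.:]/) { addr = $4 "/" $5; m = 6 }
        }
        $1 != "local" && $1 !~ /^host(ssl|nossl)?$/ { next }   # unknown type
        $m == "trust" { print NR, $1, $2, $3, addr }
    ' "$1"
}

# Constructed sample: the records as edited in the log above (without the
# cat -n numbers), two unchanged replication records, and one constructed
# record that uses the two-column "IP NETMASK" address form.
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
# Database administrative login by Unix domain socket
local   all             postgres                                trust
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    all             all             192.0.2.10 255.255.255.255 trust
EOF
}

sample=$(mktemp)
write_sample_pg_hba "$sample"
audit_pg_hba_trust "$sample"
rm -f "$sample"
```

Pointed at /etc/postgresql/10/main/pg_hba.conf, the function prints nothing once the records are restored from the pg_hba.conf.original copy that the log created before the edit.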

root@googlebigtable-virtual-machine:/home/googlebigtable# add-apt-repository ppa:mrazavi/gvm

Greenbone Vulnerability Management version 11 (GVM-11) is the current stable major release of tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. GVM is developed for and as part of the commercial product line Greenbone Security Manager. It is developed by Greenbone and licenced as Open Source.

More info at: https://community.greenbone.net/

NEW

A set of docker images based on this PPA are avialble at docker hub. It could be used to setup GVM on any distribution of GNU/Linux.

More info: https://github.com/admirito/gvm-containers

.............................................................................................................

gpg: 钥匙环‘/tmp/tmpnen9kor6/secring.gpg’已建立

gpg: 钥匙环‘/tmp/tmpnen9kor6/pubring.gpg’已建立

gpg: 下载密钥‘4AA450E0’,从 hkp 服务器 keyserver.ubuntu.com

gpg: /tmp/tmpnen9kor6/trustdb.gpg:建立了信任度数据库

gpg: 密钥 4AA450E0:公钥“Launchpad PPA for Mohammad Razavi”已导入

gpg: 合计被处理的数量:1

gpg: 已导入:1 (RSA: 1)

OK

root@googlebigtable-virtual-machine:/home/googlebigtable#

root@googlebigtable-virtual-machine:/home/googlebigtable# apt install -y gvm

正在读取软件包列表... 完成

正在分析软件包的依赖关系树

正在读取状态信息... 完成

E: 未发现软件包 gvm

root@googlebigtable-virtual-machine:/home/googlebigtable# aptitude install -y gvm

无法找到任何名称或者描述中匹配“gvm”的软件包

无法找到任何名称或者描述中匹配“gvm”的软件包

将不会安装,升级或者删除任何软件包。

0 个软件包被升级,新安装 0 个, 0 个将被删除, 同时 766 个将不升级。

需要获取 0 B 的存档。 解包后将要使用 0 B。

root@googlebigtable-virtual-machine:/home/googlebigtable#

Consulting

https://github.com/greenbone/gvmd

https://launchpad.net/~mrazavi/+archive/ubuntu/gvm

shows that GVM can only be installed on Ubuntu 18 and Ubuntu 20.

The officially recommended components and installation procedure:

To install the Greenbone Vulnerability Management 11 packages on Ubuntu 20.04 Focal Fossa first you need to install PostgreSQL database server (if you don't already have one--it could also be installed on a remote machine):

sudo apt install postgresql

Then use the following commands to install GVM:

sudo add-apt-repository ppa:mrazavi/gvm
sudo apt install gvm

Finally, you have to update the greenbone nvt/cert/scap data with these commands:

greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync

You can access the Greenbone Security Assistant web interface at:

https://localhost:9392

(The port number has changed according to the upstream in the new version and the old 4000 port number is no longer the default)

The default username/password is as follows:

Username: admin
Password: admin

You can check the status of greenbone daemons with systemctl:

systemctl status ospd-openvas # scanner
systemctl status gvmd # manager
systemctl status gsad # web ui

After GVM has been installed successfully, the login screen of the web management interface looks like this:


Reposted from blog.51cto.com/6286393/2536994