openvas


A Greenbone Vulnerability Management docker image

Brought to you by

Immauss Cybersecurity

This lives as a docker container at: docker hub

The Greenbone Source code can be found at: Greenbone Source Code

The advantages of the Immauss container image vs the Greenbone images:

The latest image is based on GVM 22.4.x. In single-container mode, it runs all the components needed to create a scanner in a single container, including:

In multi-container mode it creates individual containers for each of the components. Since most of the Greenbone components use Unix sockets for communication, the containers share a volume (the default name is ovasrun) solely for sharing the sockets.

Deployment

Install docker

If you have Kali or Ubuntu you can use the docker.io package.

apt install docker.io

For other distros, please check the Docker documentation for the latest installation options: https://docs.docker.com/engine/install/

Run the container

These commands will pull, create, and start the container:

Without persistent volume:

docker run --detach --publish 8080:9392 -e PASSWORD="Your admin password here" --name openvas immauss/openvas

To create a volume to store persistent data:

docker volume create openvas

Start the container with a persistent volume:

docker run --detach --publish 8080:9392 -e PASSWORD="Your admin password here" --volume openvas:/data --name openvas immauss/openvas

You can use whatever --name you'd like, but for the sake of this guide we're using openvas.

The --publish 8080:9392 option forwards port 8080 on the host to port 9392 (the web interface port) inside the container. Port 8080 was chosen only to avoid conflicts with any existing OpenVAS/GVM installation; you can change 8080 to any available port that you'd like.

Depending on your hardware, it can take anywhere from a few seconds to 30 minutes while the NVTs are scanned and the database is rebuilt.

The NVTs will update every time the container starts. Even if you leave your container running 24/7, the easiest way to update your NVTs is to restart the container.

docker restart openvas

There is also a script in the container that will initiate the sync.

/scripts/sync.sh

You can run the sync at any time on a running container with:

docker exec -it <container-name> /scripts/sync.sh
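The README starts the container and then says the first start can take up to 30 minutes before the web interface is usable. The script below is an added example (not part of the immauss/openvas project) that wraps the same docker commands: it creates the volume if missing, passes the admin password through an env file rather than on the command line (so it stays out of shell history and `ps`; it is still visible in `docker inspect`), and polls the published port until the UI answers or a timeout expires. The container and volume name `openvas`, port 8080 and the `PASSWORD` variable come from the README; `PASSWORD_FILE`, the timeout values and the assumption that the UI answers plain HTTP on the published port are this script's own.

```shell
#!/bin/sh
# Added example, not from the immauss/openvas project. Assumptions: the image
# reads the admin password from the PASSWORD env var (as in the README) and the
# web UI answers plain HTTP on the published host port.
set -eu

NAME="${NAME:-openvas}"
VOLUME="${VOLUME:-openvas}"
HOST_PORT="${HOST_PORT:-8080}"
PASSWORD_FILE="${PASSWORD_FILE:-./openvas.env}"   # one line: PASSWORD=...

# Poll a probe command (prints an HTTP status code) until it reports the UI
# is reachable or the timeout (seconds) expires. Returns 0 ready, 1 timeout.
wait_for_ready() {
  probe="$1"; timeout="$2"; interval="$3"
  deadline=$(( $(date +%s) + $timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    code=$("$probe" 2>/dev/null || true)
    case "$code" in
      200|301|302|303) return 0 ;;
    esac
    sleep "$interval"
  done
  return 1
}

# Probe the published port; curl prints only the status code (000 if refused).
probe_ui() {
  curl -s --max-time 5 -o /dev/null -w '%{http_code}' "http://127.0.0.1:$HOST_PORT/"
}

deploy() {
  # 1. Password file, owner-readable only. Generated here if absent (assumed
  #    format PASSWORD=<value>, matching the README's -e PASSWORD=...).
  if [ ! -f "$PASSWORD_FILE" ]; then
    umask 077
    printf 'PASSWORD=%s\n' "$(head -c 24 /dev/urandom | base64 | tr -d '/+=')" > "$PASSWORD_FILE"
    echo "generated admin password in $PASSWORD_FILE"
  fi
  # 2. Persistent volume (idempotent: skip if it already exists).
  docker volume inspect "$VOLUME" >/dev/null 2>&1 || docker volume create "$VOLUME"
  # 3. The README's run command, with --env-file in place of -e PASSWORD=...
  docker run --detach --publish "$HOST_PORT:9392" --env-file "$PASSWORD_FILE" \
    --volume "$VOLUME:/data" --name "$NAME" immauss/openvas
  # 4. First start rebuilds the NVT database; allow up to 30 minutes.
  if wait_for_ready probe_ui 1800 15; then
    echo "web UI is up on port $HOST_PORT"
  else
    echo "timed out waiting for the UI; check: docker logs $NAME" >&2
    return 1
  fi
}

# Only run the deployment when explicitly requested (RUN_DEPLOY=1 ./deploy.sh).
if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy; fi
```

Run it as `RUN_DEPLOY=1 ./deploy.sh`; the first run writes the generated password to `./openvas.env`, which is the only place it is recorded, so keep that file with the same care as the backups described later in this README.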

Docker compose

The git repo has two docker-compose.yml files.

- /compose/docker-compose.yml
- /multi-container/docker-compose.yml

The yml in /compose is a single-container implementation. The yml in /multi-container is for multiple containers. Both use a ".env" file, and you can set the docker tag in that ".env" file.

To use the docker-compose.yml files, change to the desired directory and run:

docker-compose up -d

For upgrades, edit the ".env" file and change the version, then execute:

docker-compose up -d

For upgrades across major versions, ensure you are using the most recent docker-compose.yml from the git repo. For instance, from 21.4 -> 22.4 the notus scanner was added. If you do not use the new multi-container docker-compose.yml, there will be no container for the 'notuscanner'.

Database backup

If you are running the container on a continuing basis, it is a good idea to make a backup of the database at regular intervals. The container is set up to shut down the database properly to prevent corruption, but if the process is killed unexpectedly, or the host machine loses power, the database can still become corrupt. To make a backup of the current database in the container (note that docker's -t flag is omitted: a pseudo-TTY would rewrite the line endings of the redirected dump):

docker exec -i <container name> su -c "/usr/lib/postgresql/12/bin/pg_dumpall" postgres > db-backup-file.sql

Database restoral

Restoral is a bit more difficult. This assumes you are using a volume named "openvas". No other container should be accessing this volume at the time of restoral. The volume may be a fresh one or one previously used by a container. The command below will:

  1. Start a temporary container
  2. Perform initial setup for gvm
  3. Setup and start postgresql
  4. Restore from the backup file
  5. Shutdown postgresql
  6. Stop and remove the temporary container.

docker run -it -e RESTORE=true -v <path to backupfile>:/usr/lib/db-backup.sql --rm -v openvas:/data immauss/openvas

Full backup

There are a number of crucial items not stored in the database, such as the encryption keys for credentials, SSL certificates, etc. All of these are, however, stored on the persistent volume mounted at /data in the container filesystem. The easiest way to back up the entirety of the volume is to shut down the openvas container and use a new container to create the backup. This is the safest way to create the backup, as it ensures no files are changed during the backup process. The commands below assume a container name of openvas-prod and a volume name of openvas.

Stop the running container

docker stop openvas-prod

Start a temporary container to create the backup (archiving "." rather than "*" so that dotfiles are included, and compressing with gzip to match the .tar.gz name):

docker run -it --rm -v openvas:/opt -v "$(pwd)":/mnt alpine /bin/sh -c "cd /opt && tar -czvf /mnt/openvas.full.tar.gz ."

Restart the production container

docker start openvas-prod
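The database backup and full backup sections above are manual steps; the script below is an added example (not part of the immauss/openvas project) that strings them together for a scheduled job. It takes the logical pg_dumpall dump while postgres is still running, stops the production container, archives the volume read-only from a throwaway alpine container, checks that the archive is a valid gzip tarball containing the expected entry, records checksums, and uses a trap so the production container is restarted even if a step fails. The container name `openvas-prod`, volume `openvas`, the `/data` mount and the pg_dumpall path are the README's; `BACKUP_DIR` and the file-naming scheme are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the immauss/openvas project. Container/volume names
# follow the README; BACKUP_DIR and the archive naming are assumptions.
set -eu

CONTAINER="${CONTAINER:-openvas-prod}"
VOLUME="${VOLUME:-openvas}"
BACKUP_DIR="${BACKUP_DIR:-$(pwd)}"

# Deterministic archive name: <volume>.<UTC stamp>.tar.gz
backup_name() {
  printf '%s.%s.tar.gz\n' "$1" "$2"
}

# Integrity check: the gzip CRC must pass and the expected entry must be
# listed in the archive. Returns 0 on success, 1 otherwise.
verify_archive() {
  archive="$1"; want="$2"
  gzip -t "$archive" 2>/dev/null || return 1
  tar -tzf "$archive" | grep -qx -- "$want"
}

# Logical dump while postgres is up. No -t: a pseudo-TTY would turn the
# dump's line endings into CRLF.
dump_database() {
  docker exec -i "$CONTAINER" \
    su -c "/usr/lib/postgresql/12/bin/pg_dumpall" postgres > "$1"
}

# Archive the (read-only mounted) volume. "." rather than "*" so dotfiles are
# included; -z matches the .tar.gz name.
archive_volume() {
  docker run --rm -v "$VOLUME:/opt:ro" -v "$BACKUP_DIR:/mnt" alpine \
    /bin/sh -c "cd /opt && tar -czf /mnt/$1 ."
}

full_backup() {
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive=$(backup_name "$VOLUME" "$stamp")
  sqlfile="$VOLUME.$stamp.sql"

  dump_database "$BACKUP_DIR/$sqlfile"
  docker stop "$CONTAINER"
  # From here on, whatever happens, bring production back up on exit.
  trap 'docker start "$CONTAINER"' EXIT
  archive_volume "$archive"
  # An archive that is not readable or lacks the top-level entry is useless;
  # failing here still restarts the container via the trap.
  verify_archive "$BACKUP_DIR/$archive" "./"
  ( cd "$BACKUP_DIR" && sha256sum "$archive" "$sqlfile" > "$VOLUME.$stamp.sha256" )
  echo "backup written: $BACKUP_DIR/$archive (+ $sqlfile, checksums in $VOLUME.$stamp.sha256)"
}

# Only run the backup when explicitly requested (RUN_BACKUP=1 ./backup.sh).
if [ "${RUN_BACKUP:-0}" = 1 ]; then full_backup; fi
```

Run it as `RUN_BACKUP=1 BACKUP_DIR=/srv/backups ./backup.sh` from cron. Before relying on it, restore one of the archives into a new volume with the procedure in the next section and start a container against it; the checksum file only proves the files were not altered after the backup, not that the backup was complete.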

Full restoral

The restoral is similar to the backup process in that we use the alpine container to perform this function. The restoral should be to an empty volume, so start by creating that new volume.

docker volume create new-openvas-volume

Then extract the backup into the new volume with alpine (the mount must name the new volume, not the production one):

docker run --rm -it -v <path to backup file>:/backup.tar.gz -v new-openvas-volume:/mnt alpine /bin/sh -c "cd /mnt && tar -xzvf /backup.tar.gz"

Options

The following options can be set as environment variables when starting the container. To set an environment variable, use "-e":