
How to Compile OpenVAS on OpenBSD

Open Vulnerability Assessment System

The Open Vulnerability Assessment System (OpenVAS) security tool is great! It's a free fork of the Nessus project. It is a network security scanner with a graphical front end, and it applies many thousands of vulnerability tests to machines across a network.

The only problem, as often happens with OpenBSD, is that its developers didn't include what's needed to get it to compile there without a little help. But it isn't hard, just a little tedious.

Step 1:

Get a copy of the OpenBSD port of OpenVAS. I found it through some Google searching. For OpenVAS 2.0, I found it at both neohapsis.com and nabble.com. You definitely need this; there's no need to go beyond this step until you have the OpenBSD port.

Step 2:

Add the GNU libgcrypt shared library. Download it from ftp.gnupg.org. Downloading and installing it would be something like this; change the version number as needed to reflect what's available:

$ cd /tmp
$ wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.3.tar.gz
$ gtar xvf libgcrypt-1.6.3.tar.gz
$ cd libgcrypt-1.6.3
$ ./configure
$ make
$ su root -c 'make install' 

Step 3:

Install the OpenBSD ports tree if you haven't already:

$ cd /tmp
$ wget ftp://ftp.openbsd.org/pub/OpenBSD/`uname -r`/ports.tar.gz
$ su
Password:
# cd /usr
# gtar xvf /tmp/ports.tar.gz 

Step 4:

Add the OpenVAS port at the correct place in the ports tree:

# cd /usr/ports/security
# gtar xvf /tmp/openvas2.0.tgz 

Step 5:

Add a symbolic link for a shared library that one of the makefiles won't otherwise find. Change the version number to correspond to what you have:

# cd /usr/lib
# ln -s /usr/local/lib/libgcrypt.so.19.2 

Step 6:

Build and install OpenVAS. Note that you may have to first fix the below issues with /usr/local/lib links and Makefile definitions:

# cd /usr/ports/security/openvas
# make package
# make install 

I found this archived e-mail very useful.

I encountered a lot of errors in three categories. First, an error that a library could not be found:

library gthread-2.0.3400.0 not found

The package was installed, the library was there, but it was in /usr/local/lib instead of /usr/lib. The fix would be something like the below. I don't think the second ln is needed; I think it will find the library with the appended version string:

# pushd /usr/lib
# ln -s /usr/local/lib/libgthread-2.0.so.3400.0
# ln -s /usr/local/lib/libgthread-2.0.so.3400.0 libgthread-2.0.so
# popd 

The second type of error was caused by "old style" Makefile dependency definitions. My workaround was crude, but I simply removed everything up to and including the "::" in each case. For example, change this:

LIB_DEPENDS =      openvas,openvas_hg::security/openvas/libraries \
                   gnutls::security/gnutls \
                   gpgme::security/gpgme 

into this:

LIB_DEPENDS =   security/openvas/libraries \
                security/gnutls \
                security/gpgme 
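
The same rewrite scripted with awk, as an added example that is not part of the original page. It assumes every old-style entry uses the "::" form shown above; the function name strip_old_depends and the sample Makefile lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): strip the old-style
# "libspec::" prefix from dependency entries, leaving "category/port".
# strip_old_depends is a hypothetical helper name.

strip_old_depends() {
    awk '
    # A dependency assignment starts here, e.g. LIB_DEPENDS = or RUN_DEPENDS +=
    /^[ \t]*[A-Z_]*DEPENDS[ \t]*[+?:!]?=/ { in_dep = 1 }
    {
        if (in_dep) {
            # Remove everything in each entry up to and including "::"
            gsub(/[^ \t=]+::/, "")
            # The assignment ends on the first line with no trailing backslash
            if ($0 !~ /\\[ \t]*$/) in_dep = 0
        }
        print
    }' "$@"
}

# Constructed sample: the LIB_DEPENDS block from the text plus two lines
# that contain "::" but are not dependency lists and must stay unchanged.
strip_old_depends <<'EOF'
COMMENT =       scanner plugins, needs perl Foo::Bar
LIB_DEPENDS =      openvas,openvas_hg::security/openvas/libraries \
                   gnutls::security/gnutls \
                   gpgme::security/gpgme
post-install::
EOF
```

Write the output to a new file and diff it against the port Makefile before replacing it.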

The third type of error was the most tedious to fix: I also needed to modify some files. During the build of openvas-libraries I had to:

# pushd /usr/ports/pobj
# vim openvas-libraries-2.0.1/openvas-libraries-2.0.1/libopenvas/pcap.c
	move final routine definition:
	    char *routethrough(struct in_addr *dest, struct in_addr *source) {
	from its location around line 493 to line 71, before its first use.

# vim openvas-libraries-2.0.1/openvas-libraries-2.0.1/libopenvas/network.c
	comment out the call to gnutls_transport_set_lowat()

# popd
# make package

The openvas-libraries package then builds cleanly. Then it fails on openvas-libnasl as it needs to be told to use the libgcrypt and libgnutls libraries:

# pushd /usr/ports/pobj
# vim openvas-libnasl-2.0.1/openvas-libnasl-2.0.1/nasl/Makefile
	Add this:
		-lgcrypt -lgnutls
	to the end of the NESSUS_LIBS definition.

# popd
# make package

It then goes back to building, hanging when it gets to the openvas-server package:

# pushd /usr/ports/pobj
# vim openvas-server-2.0.0/openvas-server-2.0.0/openvasd/Makefile
	Add this:
		-lgcrypt -lgnutls
	to the end of the LIBS definition.

# popd
# make package

Back to building, until it hangs within openvas-client due to a strange need to support SSLv2! We will just comment out that vulnerable nonsense:

# pushd /usr/ports/pobj
# vim openvas-client-2.0.1/openvas-client-2.0.1/nessus/nessus.c

	Change this block:

		if (ssl_mt == NULL)
		{
		  if (strcasecmp(ssl_ver, "SSLv2") == 0)
		    ssl_mt = SSLv2_client_method();
		  else if (strcasecmp(ssl_ver, "SSLv3") == 0)
		    ssl_mt = SSLv3_client_method();
		  else if (strcasecmp(ssl_ver, "SSLv23") == 0)
		    ssl_mt = SSLv23_client_method();
		  else if (strcasecmp(ssl_ver, "TLSv1") == 0)
		    ssl_mt = TLSv1_client_method();
		  else
		    {
		    [...]

	to this:

		if (ssl_mt == NULL)
		{
		  if (strcasecmp(ssl_ver, "SSLv2") == 0)
		    /* ssl_mt = SSLv2_client_method(); */
		    ;
		  else if (strcasecmp(ssl_ver, "SSLv3") == 0)
		    ssl_mt = SSLv3_client_method();
		  else if (strcasecmp(ssl_ver, "SSLv23") == 0)
		    ssl_mt = SSLv23_client_method();
		  else if (strcasecmp(ssl_ver, "TLSv1") == 0)
		    ssl_mt = TLSv1_client_method();
		  else
		    {
		    [...]

# popd
# make package
# make install
# openvas-nvt-sync

Finally it finishes building the pieces and it can be installed and the plugins updated.

