OpenVAS – Broken Debian Installer Packages

Recently, I read an article in a computer magazine on the vulnerability scanner OpenVAS. It sounded interesting, which was why I wanted to try it out. OpenVAS provides a live virtual appliance container file for demo purposes. Trying to install it into VMware Player, I was not able to get it running. As it appeared to be related to an incompatible library on the image, I decided to install a new Debian 7.5 Wheezy image as a VM. All the steps necessary for installation and setup can be found on the OpenVAS website.
One of the crucial steps in between is to run

openvas-certdata-sync

which updates the cert database. Without it, you won’t be able to start the openvas-scanner service. It would fail with the error message

sql_x: sqlite3_prepare failed: no such table: main.meta

in the log file /var/log/openvas/openvasmd.log. However, when running openvas-certdata-sync, you will get another block of error messages, reading

/usr/sbin/openvas-certdata-sync: 185: /usr/sbin/openvas-certdata-sync: cannot open /usr/share/openvas/cert/cert_db_init.sql: No such file
Error: no such table: dfn_cert_advs
Error: no such table: meta
Error: Inconsistent data. Resetting CERT database.

This problem has already been addressed by the Novell Bugzilla since August 2013, but has not been fixed yet. Furthermore, there are many other reports of this issue in several forums and mailing lists.

The root cause of this matter is that the Debian software package openvas-manager is missing the files in /usr/share/openvas/cert/. These files, however, are available in the VM container file. Unfortunately, extracting and copying them over to your installation may be a bit tricky; that is why I have bundled them for you in a file attached to this blog. You may download the file and extract it via

cd /usr/share/openvas
mkdir -p cert
cd cert
wget -O openvas-cert.tar.gz 'http://blog.schmoigl-online.de/?dl_id=5'
tar xzvf openvas-cert.tar.gz
rm openvas-cert.tar.gz

onto your local machine.

  OpenVAS metadata files for cert directory (2.0 KiB, 2,027 hits)

Afterwards, you need to run

openvas-certdata-sync

again.
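
The archive in the steps above is fetched over plain HTTP and unpacked as root, so it is worth inspecting before it lands in /usr/share/openvas/cert. The script below is an added example, not part of the original post or of OpenVAS: it rejects members with absolute or parent-directory paths and anything that is not a plain file or directory, unpacks into a temporary directory, and copies the files over only if cert_db_init.sql is present. The function names, and the assumption that cert_db_init.sql sits at the top level of the archive, belong to this example.

```shell
#!/bin/sh
# Added example (not from the original post): vet the tarball before
# unpacking it as root under /usr/share/openvas/cert.

# Reads member names on stdin; fails on absolute paths or ".." components.
names_are_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*)
                echo "unsafe member name: $name" >&2; return 1 ;;
        esac
    done
    return 0
}

# Reads a verbose listing (tar tzvf) on stdin. The first character of each
# line is the member type; only regular files (-) and directories (d) pass.
types_are_safe() {
    while IFS= read -r line; do
        case "$line" in
            -*|d*) ;;
            *) echo "unexpected member type: $line" >&2; return 1 ;;
        esac
    done
    return 0
}

# stage_cert_files ARCHIVE DESTDIR
# Assumption: cert_db_init.sql sits at the top level of the archive.
stage_cert_files() {
    archive=$1
    dest=$2
    tar tzf "$archive" | names_are_safe || return 1
    tar tzvf "$archive" | types_are_safe || return 1
    stage=$(mktemp -d) || return 1
    # o = do not restore the owner recorded in the archive
    if tar xzof "$archive" -C "$stage" && [ -f "$stage/cert_db_init.sql" ] \
        && mkdir -p "$dest" && cp -R "$stage"/. "$dest"/; then
        rc=0
    else
        echo "archive rejected or incomplete: $archive" >&2
        rc=1
    fi
    rm -rf "$stage"
    return $rc
}
```

Call it as stage_cert_files openvas-cert.tar.gz /usr/share/openvas/cert in place of the tar step; a non-zero exit status means nothing was copied.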

It’s a shame that a bug report has been open for more than 10 months now, with the result that no Debian distribution will run out of the box anymore, and has not even been addressed yet.
If that is representative of the reliability of a security product, should you really run it in your network?
