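---
# Deploys Greenbone Vulnerability Management (GVM / OpenVAS) on the
# `security_servers` group: packages from the mrazavi PPA, initial setup and
# feed sync, an admin account, firewall rules, a helper scan script and a
# weekly cron scan.
#
# Required input: `vault_openvas_password` (e.g. from Ansible Vault). The play
# deliberately has no built-in fallback password: a shared default would become
# the admin credential of every scanner deployed with this play.
- name: Deploy Vulnerability Scanner (OpenVAS/GVM)
  hosts: security_servers
  become: true
  vars:
    openvas_admin_user: "admin"
    openvas_admin_password: "{{ vault_openvas_password }}"

  tasks:
    - name: Require the admin password to be supplied (no built-in default)
      assert:
        that:
          - vault_openvas_password is defined
        fail_msg: "vault_openvas_password must be set (Ansible Vault or inventory); this play ships no default password."

    - name: Update apt cache
      apt:
        update_cache: true

    - name: Install required packages
      apt:
        name:
          - software-properties-common
          - apt-transport-https
          - curl
          - gnupg
        state: present

    - name: Add GVM PPA repository
      apt_repository:
        repo: ppa:mrazavi/gvm
        state: present

    - name: Install GVM/OpenVAS
      apt:
        name:
          - gvm
          - openvas-scanner
          - openvas-manager
          - greenbone-security-assistant
          - greenbone-feed-sync
        state: present
        update_cache: true

    # `set -e` so a failed gvm-setup stops the task instead of being masked by
    # the exit status of the feed update that follows it.
    - name: Setup GVM
      shell: |
        set -e
        gvm-setup
        gvm-feed-update
      args:
        creates: /var/lib/gvm/.setup_complete

    - name: Create setup completion marker
      file:
        path: /var/lib/gvm/.setup_complete
        state: touch
        owner: _gvm
        group: _gvm

    # The password travels on the gvmd command line; `quote` keeps shell
    # metacharacters in it from being interpreted, and `no_log` keeps the
    # rendered command (and therefore the password) out of the play output.
    - name: Create GVM admin user
      shell: >-
        gvmd --create-user={{ openvas_admin_user | quote }}
        --password={{ openvas_admin_password | quote }}
      args:
        creates: /var/lib/gvm/.admin_user_created
      no_log: true
      register: create_user_result

    - name: Create admin user marker
      file:
        path: /var/lib/gvm/.admin_user_created
        state: touch
        owner: _gvm
        group: _gvm
      when: create_user_result is succeeded

    - name: Start and enable GVM services
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - greenbone-security-assistant
        - openvas-scanner
        - openvas-manager

    # 9390 is the GVM daemon port; if only the local GSA talks to gvmd,
    # consider limiting that rule with the ufw module's `from_ip` instead of
    # exposing it to every source.
    - name: Configure firewall for GVM
      ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop:
        - "443"   # GSA web interface
        - "9390"  # GVM daemon

    - name: Wait for GSA to be ready
      wait_for:
        port: 443
        host: 127.0.0.1
        delay: 60

    # The rendered script embeds the admin password, so it must not be
    # world-readable: root-only mode instead of 0755. The password is still
    # visible in the process list while gvm-cli runs; gvm-tools can read
    # credentials from its own config file instead of argv — verify that for
    # the installed version before switching.
    - name: Create vulnerability scan script
      copy:
        content: |
          #!/bin/bash
          # Automated vulnerability scan script
          set -euo pipefail

          TARGET=${1:-127.0.0.1}
          SCAN_NAME="Security_Scan_$(date +%Y%m%d_%H%M%S)"

          echo "Starting vulnerability scan for: $TARGET"
          echo "Scan name: $SCAN_NAME"

          # Create scan task
          # TODO(review): the GMP XML payload of this request appears to have
          # been lost when the file was captured; restore it before use.
          TASK_ID=$(gvm-cli --gmp-username {{ openvas_admin_user | quote }} --gmp-password {{ openvas_admin_password | quote }} \
            socket --socketpath /var/run/gvmd.sock --xml \
            "$SCAN_NAME$TARGET" \
            | grep -oP 'id="\K[^"]+')

          echo "Created scan task with ID: $TASK_ID"

          # Start scan
          # TODO(review): the GMP XML payload of this request appears to have
          # been lost when the file was captured; restore it before use.
          gvm-cli --gmp-username {{ openvas_admin_user | quote }} --gmp-password {{ openvas_admin_password | quote }} \
            socket --socketpath /var/run/gvmd.sock --xml \
            ""

          echo "Scan started. Monitor progress in GSA web interface."
        dest: /usr/local/bin/vulnerability-scan.sh
        owner: root
        group: root
        mode: '0700'
      no_log: true

    - name: Create scheduled vulnerability scan
      cron:
        name: "Weekly vulnerability scan"
        minute: "0"
        hour: "2"
        weekday: "0"
        job: "/usr/local/bin/vulnerability-scan.sh {{ ansible_default_ipv4.address }}"

    # The admin password is intentionally not echoed here: play output is
    # commonly captured in CI logs and ticket systems.
    - name: Display OpenVAS/GVM information
      debug:
        msg: |
          OpenVAS/GVM has been successfully deployed:
          - Web Interface: https://{{ ansible_default_ipv4.address }}:443
          - Admin Username: {{ openvas_admin_user }}
          - Admin Password: taken from vault_openvas_password (not displayed)

          Run vulnerability scans with: /usr/local/bin/vulnerability-scan.sh
          Weekly automated scans are configured for Sunday 2 AM.

  # No task above currently notifies these handlers; they are kept for plays
  # or roles that include this file and add `notify`.
  handlers:
    - name: restart greenbone-security-assistant
      service:
        name: greenbone-security-assistant
        state: restarted

    - name: restart openvas-scanner
      service:
        name: openvas-scanner
        state: restarted

    - name: restart openvas-manager
      service:
        name: openvas-manager
        state: restarted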