OpenVAS with multiple Scanners

Support/Development for OpenVAS
Post by peer69 (Forum User, Berlin) »

Hi everyone,

Right now I'm trying to set up an openvas infrastructure with a Manager Node (which would be openvas-manager with gsad, however in this case for testing purposes I installed the whole openvas package via atomic repo) and several scanner nodes in different subnets.
My understanding was that I could use the web interface of gsad to add scanners. As the openvas-scanner no longer listens on a tcp socket I couldn't really figure out which port to use now. It used to be 9391 I guess, but now the only port anything openvas related listens on is port 9392.
If I add a scanner using port 9392 the connection can be established (therefore also the certificates seem to be set up correctly). I can even start a scan but it wouldn't leave the "Requested" state. At the beginning of the scan I can see some packets going to and from the scanner node to the manager node but then nothing happens. No communication from/to the manager and no scanning activity. If I start a scan manually on the scanner node everything seems to be fine. So my guess is that connecting to port 9392 for remote connect from the scanner node might be the wrong approach. Until now I couldn't find any documentation which would help me with the current version of openvas.
Does anyone have a running setup like this and is willing to share a fix for this?

Thanks for your help!

Post by scott (Atomicorp Staff - Site Admin) »

You didn't mention the manager config here, is that what you have running on 9391?

Post by peer69 (Forum User, Berlin) »

I am using the standard config. As far as I could see the only listening tcp socket is on 9392, scanner and manager are using a UNIX socket in /var/run but no tcp socket at all.
Post by scott (Atomicorp Staff - Site Admin) »

Ah, that's probably it then, the scanner(s) connect to the manager (openvasmd). You'd need to modify /etc/sysconfig/openvas-manager (if you hadn't already) to listen on a port with --listen= to start with, and then create the scanner(s) in openvas manager:

  --create-scanner=<scanner>                   Create global scanner <scanner> and exit.
  --modify-scanner=<scanner-uuid>              Modify scanner <scanner-uuid> and exit.
  --scanner-name=<name>                        Name for --modify-scanner.
  --scanner-host=<scanner-host>                Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
  --otp-scanner=<unixsocket>                   Path to scanner unix socket file. Used by --rebuild and --update
  --scanner-port=<scanner-port>                Scanner port for --create-scanner and --modify-scanner. Default is 9391.
  --scanner-type=<scanner-type>                Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.
  --scanner-ca-pub=<scanner-ca-pub>            Scanner CA Certificate path for --[create|modify]-scanner.
  --scanner-key-pub=<scanner-key-public>       Scanner Certificate path for --[create|modify]-scanner.
  --scanner-key-priv=<scanner-key-private>     Scanner private key path for --[create|modify]-scanner.
  --verify-scanner=<scanner-uuid>              Verify scanner <scanner-uuid> and exit.
  --delete-scanner=<scanner-uuid>              Delete scanner <scanner-uuid> and exit.
  --get-scanners                               List scanners and exit.
Post by peer69 (Forum User, Berlin) »

Ah, Great! I was missing that information until now. I will try this and let you know. The only thing I changed for the scanner yet was the location of the unix socket to connect to redis. I looked for another parameter in the openvassd config but I did not think about the manager daemon. Thanks a lot!
Post by scott (Atomicorp Staff - Site Admin) »

Let us know how it works out, as I haven't had the opportunity to try this kind of setup either. With the right info we can probably add this condition to openvas-setup to add remote scanners and/or OSPD daemons.

Post by peer69 (Forum User, Berlin) »

With the '--listen' parameter openvasmd starts listening on port 9390. I can connect to the scanner from the manager node through the web interface.
Unfortunately scans still fail with 'Stopped at 1%'.
/var/log/openvas/openvasmd.log shows the following error:

md    omp:   INFO:2017-06-19 18h36.41 utc:2345:    Failed to parse client XML: Error on line 1 char 2: ' ' is not a valid character following a '<' character; it may not begin an element name
Seems like the manager on the remote scanning node is not receiving what it expects to start a scan. I'll have another look into it tomorrow, but any suggestions are welcome!
Post by peer69 (Forum User, Berlin) »

I managed to create a working setup using scanner type "OMP Slave" and authentication by user/password. I was hoping for a certificate based authentication between scanner and manager nodes but I still end up with the error mentioned above. I might have a look into that in the future.
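As an added illustration (not code from the thread or from the OpenVAS project) of the working "OMP Slave" setup above, this builds the OMP requests the web interface sends to openvasmd on the --listen port (9390) to register a slave scanner with user/password credentials, sends them over TLS, and parses the replies. Element names follow OMP 7.0; the numeric scanner-type code, the credential handling and the one-root-element-per-reply framing are assumptions.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

OMP_PORT = 9390              # openvasmd --listen default, as seen in the thread
SCANNER_TYPE_OMP_SLAVE = 4   # assumption: OMP 7 type code for an "OMP Slave"


def authenticate_request(user, password):
    """OMP <authenticate> request; ET escapes special characters for us."""
    auth = ET.Element("authenticate")
    cred = ET.SubElement(auth, "credentials")
    ET.SubElement(cred, "username").text = user
    ET.SubElement(cred, "password").text = password
    return ET.tostring(auth, encoding="unicode")


def create_scanner_request(name, host, port, credential_id, ca_pub,
                           scanner_type=SCANNER_TYPE_OMP_SLAVE):
    """OMP <create_scanner> for a remote slave; credential_id is the UUID of a
    username/password credential already created on the master manager."""
    req = ET.Element("create_scanner")
    ET.SubElement(req, "name").text = name
    ET.SubElement(req, "host").text = host
    ET.SubElement(req, "port").text = str(port)
    ET.SubElement(req, "type").text = str(scanner_type)
    ET.SubElement(req, "ca_pub").text = ca_pub        # CA that signed the slave's cert
    ET.SubElement(req, "credential", id=credential_id)
    return ET.tostring(req, encoding="unicode")


def is_well_formed(text):
    """True if text parses as XML (the manager logs 'Failed to parse client
    XML' when it receives bytes that do not)."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def parse_response(xml_text):
    """Return (status, id) from an OMP *_response element."""
    root = ET.fromstring(xml_text)
    return root.get("status"), root.get("id")


def omp_call(host, port, request, cafile):
    """Send one request to openvasmd over TLS and return the reply text."""
    ctx = ssl.create_default_context(cafile=cafile)   # trust only the OpenVAS CA
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(request.encode())
        buf = b""
        while True:                                    # read until reply is complete XML
            chunk = tls.recv(4096)
            if not chunk:
                break
            buf += chunk
            if is_well_formed(buf):
                break
    return buf.decode()
```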
Post by scott (Atomicorp Staff - Site Admin) »

I seem to recall getting something like this to work with some CA trickery. I think I had to add the self-generated CA to the global system CA using: https://fedoraproject.org/wiki/Features ... rtificates