Hi everyone,
Right now I'm trying to set up an openvas infrastructure with a Manager Node (which would be openvas-manager with gsad; however, in this case for testing purposes I installed the whole openvas package via the atomic repo) and several scanner nodes in different subnets.
My understanding was that I could use the web interface of gsad to add scanners. As the openvas-scanner no longer listens on a tcp socket I couldn't really figure out which port to use now. It used to be 9391 I guess, but now the only port anything openvas related listens to is the port 9392.
If I add a scanner using port 9392 the connection can be established (therefore the certificates also seem to be set up correctly). I can even start a scan, but it wouldn't leave the "Requested" state. At the beginning of the scan I can see some packets going to and from the scanner node to the manager node, but then nothing happens. No communication from/to the manager and no scanning activity. If I start a scan manually on the scanner node everything seems to be fine. So my guess is that connecting to port 9392 for the remote connection from the scanner node might be the wrong approach. Until now I couldn't find any documentation which would help me with the current version of openvas.
Does anyone have a running setup like this and is willing to share a fix for this?
Thanks for your help!
OpenVAS with multiple Scanners
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: OpenVAS with multiple Scanners
You didn't mention the manager config here; is that what you have running on 9391?
Re: OpenVAS with multiple Scanners
I am using the standard config. As far as I could see the only listening tcp socket is on 9392, scanner and manager are using a UNIX socket in /var/run but no tcp socket at all.
Re: OpenVAS with multiple Scanners
Ah, that's probably it then: the scanner(s) connect to the manager (openvasmd). You'd need to modify /etc/sysconfig/openvas-manager (if you hadn't already) to listen on a port with --listen= to start with, and then create the scanner(s) in openvas manager:
--create-scanner=<scanner> Create global scanner <scanner> and exit.
--modify-scanner=<scanner-uuid> Modify scanner <scanner-uuid> and exit.
--scanner-name=<name> Name for --modify-scanner.
--scanner-host=<scanner-host> Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
--otp-scanner=<unixsocket> Path to scanner unix socket file. Used by --rebuild and --update
--scanner-port=<scanner-port> Scanner port for --create-scanner and --modify-scanner. Default is 9391.
--scanner-type=<scanner-type> Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.
--scanner-ca-pub=<scanner-ca-pub> Scanner CA Certificate path for --[create|modify]-scanner.
--scanner-key-pub=<scanner-key-public> Scanner Certificate path for --[create|modify]-scanner.
--scanner-key-priv=<scanner-key-private> Scanner private key path for --[create|modify]-scanner.
--verify-scanner=<scanner-uuid> Verify scanner <scanner-uuid> and exit.
--delete-scanner=<scanner-uuid> Delete scanner <scanner-uuid> and exit.
--get-scanners List scanners and exit.
Re: OpenVAS with multiple Scanners
Ah, Great! I was missing that information until now. I will try this and let you know. The only thing I changed for the scanner yet was the location of the unix socket to connect to redis. I looked for another parameter in the openvassd config but I did not think about the manager daemon. Thanks a lot!
Re: OpenVAS with multiple Scanners
Let us know how it works out, as I haven't had the opportunity to try this kind of setup either. With the right info we can probably add this condition to openvas-setup to add remote scanners and/or OSPD daemons.
Re: OpenVAS with multiple Scanners
With '--listen' parameter openvasmd starts listening on port 9390. I can connect to the scanner from the manager node through the web interface.
Unfortunately scans still fail with "Stopped at 1%".
/var/log/openvas/openvasmd.log shows the following error:
md omp: INFO:2017-06-19 18h36.41 utc:2345: Failed to parse client XML: Error on line 1 char 2: ' ' is not a valid character following a '<' character; it may not begin an element name
Seems like the manager on the remote scanning node is not receiving what it expects to start a scan. I'll have another look into it tomorrow, but any suggestions are welcome!
Re: OpenVAS with multiple Scanners
I managed to create a working setup using scanner type "OMP Slave" and authentication by user/password. I was hoping for a certificate based authentication between scanner and manager nodes but I still end up with the error mentioned above. I might have a look into that in the future.
Re: OpenVAS with multiple Scanners
I seem to recall getting something like this to work with some CA trickery. I think I had to add the self-generated CA to the global system CA using: https://fedoraproject.org/wiki/Features ... rtificates
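The steps the staff replies describe (make openvasmd listen on TCP, register the remote scanner with openvasmd's --create-scanner options, verify it, and trust the self-generated CA in the system store) collected into one script. This is an added example written for this thread, not code from the forum, Atomicorp or the OpenVAS project. It assumes the sysconfig file reads an OPENVASMD_OPTIONS variable, the certificate paths are placeholders to be replaced with the node's own files, and the Fedora/RHEL CA store layout (/etc/pki/ca-trust/source/anchors plus update-ca-trust). Setting DRY_RUN=1 prints the openvasmd command lines instead of running them, which is useful for checking the arguments before touching a live manager.

```shell
#!/bin/sh
# Added example for the thread above (not OpenVAS or Atomicorp code):
# register a remote OpenVAS scanner on the manager node with openvasmd.
# DRY_RUN=1 prints each privileged command instead of executing it.
set -eu

OPENVASMD="${OPENVASMD:-openvasmd}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$@"
    else
        "$@"
    fi
}

# Step 1: make openvasmd listen on TCP (the thread saw it bind port 9390
# once --listen was given). Assumption: the sysconfig file uses
# OPENVASMD_OPTIONS; adjust if your package names it differently.
enable_manager_listen() {
    sysconfig="${1:-/etc/sysconfig/openvas-manager}"
    addr="${2:-0.0.0.0}"
    if grep -q -- '--listen=' "$sysconfig" 2>/dev/null; then
        echo "listen option already present in $sysconfig"
    else
        printf 'OPENVASMD_OPTIONS="--listen=%s"\n' "$addr" >> "$sysconfig"
    fi
}

# Step 2: create the scanner object with the options quoted in the thread.
# Port 9391 is openvasmd's documented default for --scanner-port.
# Certificate paths are placeholders (assumed layout), not values from the thread.
create_remote_scanner() {
    name="$1"; host="$2"; port="${3:-9391}"
    ca="${4:-/var/lib/openvas/CA/cacert.pem}"
    cert="${5:-/var/lib/openvas/CA/clientcert.pem}"
    key="${6:-/var/lib/openvas/private/CA/clientkey.pem}"
    run "$OPENVASMD" "--create-scanner=$name" "--scanner-host=$host" \
        "--scanner-port=$port" --scanner-type=OpenVAS \
        "--scanner-ca-pub=$ca" "--scanner-key-pub=$cert" "--scanner-key-priv=$key"
}

# Step 3: check the TLS connection to the scanner and list what the manager knows.
# The UUID comes from --get-scanners after creation.
verify_scanner() { run "$OPENVASMD" "--verify-scanner=$1"; }
list_scanners()  { run "$OPENVASMD" --get-scanners; }

# Step 4 (last staff reply): trust the self-generated scanner CA system-wide
# on Fedora/RHEL so the manager's TLS client accepts the scanner certificate.
trust_scanner_ca() {
    run install -m 0644 "$1" /etc/pki/ca-trust/source/anchors/openvas-scanner-ca.pem
    run update-ca-trust extract
}

# Usage: ./remote-scanner.sh setup <name> <scanner-ip> [<ca.pem>]
case "${1:-}" in
    setup)
        enable_manager_listen
        [ $# -ge 4 ] && trust_scanner_ca "$4"
        create_remote_scanner "$2" "$3"
        list_scanners
        ;;
esac
```

After `setup`, restart openvas-manager so the new --listen option takes effect, then run `verify_scanner <uuid>` with the UUID shown by --get-scanners; a failed verify points at certificate trust or the port, which is where the thread's "Stopped at 1%" symptom started.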