OpenVAS with multiple Scanners

Posted: Wed Jun 14, 2017 8:45 am
by peer69
Hi everyone,

Right now I'm trying to set up an openvas infrastructure with a Manager Node (which would be openvas-manager with gsad, however in this case for testing purposes I installed the whole openvas package via atomic repo) and several scanner nodes in different subnets.
My understanding was that I could use the web interface of gsad to add scanners. As the openvas-scanner no longer listens on a tcp socket I couldn't really figure out which port to use now. It used to be 9391 I guess, but now the only port anything openvas related listens to is the port 9392.
If I add a scanner using port 9392 the connection can be established (therefore the certificates also seem to be set up correctly). I can even start a scan but it wouldn't leave the "Requested" state. At the beginning of the scan I can see some packets going to and from the scanner node to the manager node but then nothing happens. No communication from/to the manager and no scanning activity. If I start a scan manually on the scanner node everything seems to be fine. So my guess is that connecting to port 9392 for remote connections from the scanner node might be the wrong approach. Until now I couldn't find any documentation which would help me with the current version of openvas.
Does anyone have a running setup like this and is willing to share a fix for this?

Thanks for your help!

Re: OpenVAS with multiple Scanners

Posted: Sun Jun 18, 2017 1:23 pm
by scott
You didn't mention the manager config here, is that what you have running on 9391?

Re: OpenVAS with multiple Scanners

Posted: Sun Jun 18, 2017 2:07 pm
by peer69
I am using the standard config. As far as I could see the only listening tcp socket is on 9392, scanner and manager are using a UNIX socket in /var/run but no tcp socket at all.

Re: OpenVAS with multiple Scanners

Posted: Mon Jun 19, 2017 10:17 am
by scott
Ah, that's probably it then, the scanner(s) connect to the manager (openvasmd). You'd need to modify /etc/sysconfig/openvas-manager (if you hadn't already) to listen on a port with --listen= to start with, and then create the scanner(s) in openvas manager:

  --create-scanner=<scanner>                   Create global scanner <scanner> and exit.
  --modify-scanner=<scanner-uuid>              Modify scanner <scanner-uuid> and exit.
  --scanner-name=<name>                        Name for --modify-scanner.
  --scanner-host=<scanner-host>                Scanner host for --create-scanner and --modify-scanner. Default is /var/run/openvassd.sock.
  --otp-scanner=<unixsocket>                   Path to scanner unix socket file. Used by --rebuild and --update
  --scanner-port=<scanner-port>                Scanner port for --create-scanner and --modify-scanner. Default is 9391.
  --scanner-type=<scanner-type>                Scanner type for --create-scanner and --mdoify-scanner. Either 'OpenVAS' or 'OSP'.
  --scanner-ca-pub=<scanner-ca-pub>            Scanner CA Certificate path for --[create|modify]-scanner.
  --scanner-key-pub=<scanner-key-public>       Scanner Certificate path for --[create|modify]-scanner.
  --scanner-key-priv=<scanner-key-private>     Scanner private key path for --[create|modify]-scanner.
  --verify-scanner=<scanner-uuid>              Verify scanner <scanner-uuid> and exit.
  --delete-scanner=<scanner-uuid>              Delete scanner <scanner-uuid> and exit.
  --get-scanners                               List scanners and exit.
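The two steps scott describes (a --listen= line in the manager's sysconfig file, then a scanner entry created with the options above), as an added shell example that is not code from the thread or from the OpenVAS project. The variable name OPENVASMD_OPTIONS, the certificate file names under the cert directory and the host values are assumptions; bind the manager to the address the scanner nodes actually reach rather than to every interface.

```sh
#!/bin/sh
# Added example: put openvasmd on a TCP listener and register a remote
# scanner with the openvasmd options quoted in the thread.
# Assumptions: the sysconfig variable is OPENVASMD_OPTIONS, and the
# certificate files are cacert.pem, clientcert.pem, clientkey.pem.

# Set OPENVASMD_OPTIONS="--listen=ADDR" in a sysconfig file, replacing an
# existing line instead of appending a duplicate (the manager's default
# port stays 9390, as peer69 observed).  $1 = file, $2 = listen address
set_manager_listen() {
    tmp="$1.tmp"
    [ -f "$1" ] || : > "$1"
    grep -v '^OPENVASMD_OPTIONS=' "$1" > "$tmp" || true
    printf 'OPENVASMD_OPTIONS="--listen=%s"\n' "$2" >> "$tmp"
    mv "$tmp" "$1"
    grep '^OPENVASMD_OPTIONS=' "$1"
}

# Register a scanner entry on the manager node.
# $1 = name, $2 = scanner host, $3 = port, $4 = OpenVAS|OSP, $5 = cert dir
# When openvasmd is not installed (e.g. on a workstation), the command is
# only printed so the argument list can be reviewed.
register_scanner() {
    set -- --create-scanner="$1" --scanner-host="$2" --scanner-port="$3" \
        --scanner-type="$4" --scanner-ca-pub="$5/cacert.pem" \
        --scanner-key-pub="$5/clientcert.pem" \
        --scanner-key-priv="$5/clientkey.pem"
    if command -v openvasmd >/dev/null 2>&1; then
        openvasmd "$@" && openvasmd --get-scanners
    else
        printf 'openvasmd not found; would run: openvasmd'
        printf ' %s' "$@"
        echo
    fi
}

# Example use (192.0.2.0/24 is a documentation range, values are placeholders):
#   set_manager_listen /etc/sysconfig/openvas-manager 192.0.2.1
#   register_scanner scanner-a 192.0.2.10 9391 OpenVAS /var/lib/openvas/CA
```

After registering, take the UUID from openvasmd --get-scanners and run openvasmd --verify-scanner=<uuid> to confirm the TLS connection with those certificates before starting a scan.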

Re: OpenVAS with multiple Scanners

Posted: Mon Jun 19, 2017 10:22 am
by peer69
Ah, great! I was missing that information until now. I will try this and let you know. The only thing I changed for the scanner yet was the location of the unix socket to connect to redis. I looked for another parameter in the openvassd config but I did not think about the manager daemon. Thanks a lot!

Re: OpenVAS with multiple Scanners

Posted: Mon Jun 19, 2017 10:54 am
by scott
Let us know how it works out, as I haven't had the opportunity to try this kind of setup either. With the right info we can probably add this condition to openvas-setup to add remote scanners and/or OSPD daemons.

Re: OpenVAS with multiple Scanners

Posted: Mon Jun 19, 2017 2:41 pm
by peer69
With the '--listen' parameter openvasmd starts listening on port 9390. I can connect to the scanner from the manager node through the web interface.
Unfortunately scans still fail with 'Stopped at 1%'.
/var/log/openvas/openvasmd.log shows the following error:

md    omp:   INFO:2017-06-19 18h36.41 utc:2345:    Failed to parse client XML: Error on line 1 char 2: ' ' is not a valid character following a '<' character; it may not begin an element name
Seems like the manager on the remote scanning node is not receiving what it expects to start a scan. I'll have another look into it tomorrow, but any suggestions are welcome!

Re: OpenVAS with multiple Scanners

Posted: Fri Jul 07, 2017 10:33 am
by peer69
I managed to create a working setup using scanner type "OMP Slave" and authentication by user/password. I was hoping for a certificate based authentication between scanner and manager nodes but I still end up with the error mentioned above. I might have a look into that in the future.

Re: OpenVAS with multiple Scanners

Posted: Mon Jul 10, 2017 10:38 am
by scott
I seem to recall getting something like this to work with some CA trickery. I think I had to add the self-generated CA to the global system CA using: https://fedoraproject.org/wiki/Features ... rtificates