Hello Dr. Wagner,

Thanks for your answers. I apologize but I need more clarifications about your questions and comments. Below are my answers and doubts, according to your sequence:

1- Yes, I enabled dependencies at runtime.

2- About your second question, I meant the scanner was running as a normal user. But your question made me doubtful: I never worried about users on the target machine, both for scanning without LSC enabled, when I do not need a user (I believed), and using LSC, for which on purpose I created user sshovas without password. Is it all correct?

3- I do not have a user named openvas on the system (I remind you that I am doing tests using the client/server host as target too!), but errors about authentication for the openvas user started only after a specific date. It looks like I made some kind of activity which changed something in the OpenVAS configuration. The strangest aspect is that, for me, OpenVAS seems to work well on both the client and the server side!

4- I did not understand at all your last comment:

> This observation is OK. The actual LSCs only do checks on the KB
> without connecting a target system. It's the other scripts that do
> active connection to the target system and retrieve package database etc.

Especially when you say that LSCs do not connect to the target system but check the KB. For which reason did I build the publickey authentication? And do I need to enable the KB feature to activate LSCs?

Thank you again.

My kindest regards
Francesco
--------------------------------------------------------
From: [email protected] [mailto:[email protected]] On behalf of [email protected]
Sent: Friday, 9 April 2010 17.57
To: [email protected]
Subject: Openvas-discuss Digest, Vol 39, Issue 10

Today's Topics:

1. About LSC (Vincenti Francesco)
2. Re: About LSC (Jan-Oliver Wagner)

----------------------------------------------------------------------

Message: 1
Date: Fri, 9 Apr 2010 16:16:37 +0200
From: "Vincenti Francesco" <[email protected]>
Subject: [Openvas-discuss] About LSC
To: <[email protected]>

Hello everybody

I started to test my OpenVAS tool (2.x.x), installed on a Fedora C7 OS, and I tried to activate the Local Security Checks to analyze the features it offers. To do this I activated a public/private key connection, according to the suggestions of the documentation. I followed all the steps in the same way.

I built a scope with Fedora Local Security Checks plugins and others activated, to analyze localhost (the host where server and client are installed).

I put the data suggested by documentation under "Credentials" section and I started the scope not as root but as a normal user.

The output was a report which contains the following information:

Security Issue and Fixes - Host localhost

Localhost - ssh (22/tcp)

Informational
An ssh server is running on this port
OID: something

Informational
It was possible to login using the SSH credentials supplied. Hence local security checks are enabled
OID: something

Informational
Remote SSH version: version
Remote SSH supported authentication: publickey, gssapi-with-mic, password

After these, few information about the Operating system OpenVAS found.

So, I thought the SSH publickey connection worked well!

But, when I analyzed /var/log/secure, I found the following message:

Apr 9 11:00:06 hostname sshd[8518]: Did not receive identification string from 127.0.0.1
Apr 9 11:00:09 hostname sshd[8529]: Accepted publickey for sshovas from 127.0.0.1 port 11262 ssh2
Apr 9 11:00:09 hostname sshd[8529]: pam_unix(sshd:session): session opened for user sshovas by (uid=0)
Apr 9 11:00:12 hostname sshd[8570]: Invalid user openvas from 127.0.0.1
Apr 9 11:00:12 hostname sshd[8573]: input_userauth_request: invalid user openvas
Apr 9 11:00:12 hostname sshd[8570]: pam_unix(sshd:auth): check pass; user unknown
Apr 9 11:00:13 hostname sshd[8570]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain
Apr 9 11:00:13 hostname sshd[8570]: pam_succeed_if(sshd:auth): error retrieving information about user openvas
Apr 9 11:00:15 hostname sshd[8570]: Failed password for invalid user openvas from 127.0.0.1 port 11264 ssh2
Apr 9 11:00:15 hostname sshd[8573]: Connection closed by 127.0.0.1
Apr 9 11:13:51 hostname sshd[8529]: pam_unix(sshd:session): session closed for user sshovas

And lastlog does not show sshovas connected.

Is there anyone who can explain what happened and the meaning of these incongruous results? I do not think to miss something but all is possible.

Thank you very much.

Best regards
Francesco Vincenti

P.S. After other tests, I verified that the error sequence regarding user openvas in /var/log/secure appears also without executing Local Security Checks plugins.
------------------------------

Message: 2
Date: Fri, 9 Apr 2010 17:56:19 +0200
From: "Jan-Oliver Wagner" <[email protected]>
Subject: Re: [Openvas-discuss] About LSC
To: [email protected]

Hello Francesco,

On Friday 09 April 2010 16:16:37 Vincenti Francesco wrote:
> I started to test my OpenVAS tool (2.x.x), installed on a Fedora C7 OS,
> and I tried to activate the Local Security Checks to analyze the
> features it offers.

I recommend to switch to OpenVAS 3.0 in general. However, the LSCs should work for both 2.0 and 3.0.

> I built a scope with Fedora Local Security Checks plugins and others
> activated, to analyze localhost (the host where server and client are
> installed).

Have you enabled dependencies at runtime?

> I put the data suggested by documentation under "Credentials" section
> and I started the scope not as root but as a normal user.

You mean the scanner is running as normal user? Or do you mean the remote user on the target system? However, LSCs should work nicely even via less privileged users.

> So, I thought the SSH publickey connection worked well!

yes, looks OK.

> But, when I analyzed /var/log/secure, I found the following message:
>
> Apr 9 11:00:06 hostname sshd[8518]: Did not receive identification string from 127.0.0.1
> Apr 9 11:00:09 hostname sshd[8529]: Accepted publickey for sshovas from 127.0.0.1 port 11262 ssh2
> Apr 9 11:00:09 hostname sshd[8529]: pam_unix(sshd:session): session opened for user sshovas by (uid=0)
> Apr 9 11:00:12 hostname sshd[8570]: Invalid user openvas from 127.0.0.1
> Apr 9 11:00:12 hostname sshd[8573]: input_userauth_request: invalid user openvas

Can you check you did not mix users "sshovas" and "openvas" in some way?

> After other tests, i verified that the error sequence regarding user
> openvas in /var/log/secure appears also without executing Local Security
> Checks plugins.

This observation is OK. The actual LSCs only do checks on the KB without connecting a target system. It's the other scripts that do active connection to the target system and retrieve package database etc.

All the best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück
AG Osnabrück, HR B 202460 | Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
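Added example, not part of the original thread and not OpenVAS code: one way to read the /var/log/secure excerpt from the first message is to group sshd events per account, which shows the accepted sshovas publickey session and the rejected openvas password attempt on different sshd PIDs and client ports. The function names are hypothetical, and the sample is a subset of the thread's own log lines with mail wrapping undone.

```python
import re
from collections import defaultdict

# Sample input: a subset of the sshd lines quoted in the thread (wrapping undone).
SAMPLE = """\
Apr 9 11:00:06 hostname sshd[8518]: Did not receive identification string from 127.0.0.1
Apr 9 11:00:09 hostname sshd[8529]: Accepted publickey for sshovas from 127.0.0.1 port 11262 ssh2
Apr 9 11:00:09 hostname sshd[8529]: pam_unix(sshd:session): session opened for user sshovas by (uid=0)
Apr 9 11:00:12 hostname sshd[8570]: Invalid user openvas from 127.0.0.1
Apr 9 11:00:15 hostname sshd[8570]: Failed password for invalid user openvas from 127.0.0.1 port 11264 ssh2
Apr 9 11:13:51 hostname sshd[8529]: pam_unix(sshd:session): session closed for user sshovas
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EVENTS = [  # (event name, pattern); first match wins
    ("accepted", re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from \S+ port (?P<port>\d+)")),
    ("failed", re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from \S+ port (?P<port>\d+)")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from \S+")),
    ("session_opened", re.compile(r"session opened for user (?P<user>\S+)")),
    ("session_closed", re.compile(r"session closed for user (?P<user>\S+)")),
]

def summarize(log_text):
    """Group sshd auth events by account: event names, sshd PIDs, client ports, auth methods."""
    users = defaultdict(lambda: {"events": [], "pids": set(), "ports": set(), "methods": set()})
    for line in log_text.splitlines():
        if not (m := LINE.match(line)):
            continue  # not a complete sshd line
        for name, rx in EVENTS:
            if not (hit := rx.search(m["msg"])):
                continue
            g = hit.groupdict()
            entry = users[g["user"]]
            entry["events"].append(name)
            entry["pids"].add(int(m["pid"]))
            if g.get("port"):
                entry["ports"].add(int(g["port"]))
            if g.get("method"):
                entry["methods"].add(g["method"])
            break
    return dict(users)

def never_accepted(summary):
    """Accounts with invalid-user or failed-auth events and no accepted login."""
    return sorted(u for u, e in summary.items()
                  if "accepted" not in e["events"] and {"invalid_user", "failed"} & set(e["events"]))

if __name__ == "__main__":
    for user, e in summarize(SAMPLE).items():
        print(user, e["events"], sorted(e["pids"]), sorted(e["ports"]), sorted(e["methods"]))
```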
