Hi!

Thank you for the quick response.
openvasmd on the slave is already listening on any IP address and is reachable 
from the master.
The setup works correctly in single user mode, when slave, target and task 
are added by the same user.

But we want to use the setup with multiple users ("admins") in our team and we 
are not sure how to set the right permissions.

Kind regards

Christian Ebert

From: Thijs Stuurman [mailto:thijs.stuur...@internedservices.nl]
Sent: Friday, 4 November 2016 11:52
To: openvas-discuss@wald.intevation.org
Cc: Ebert, Christian
Subject: RE: Scans in slave-mode - permission problem?

So basically, your slave does not start any job and the master hangs on the 
Request status.

I don't think it's a credential issue but rather firewalling?
I use slaves as such:


- Openvasmd listens on 0.0.0.0:9390 with iptables allowing access to that port using TCP from the master
- Master has Slave configured
  - IP address
  - Port 9390
  - Username and password configured (I created a 'slave' user with: "openvasmd --create-user=slave --role=Admin && openvasmd --user=slave --new-password=XXX")

Works like a charm here.
Only downside I found is that if the master process stops (openvas restart or 
something alike) while a job still runs on a slave.. it doesn't resume its 
status.

Does this help you?


Thijs Stuurman
Security Operations Center
PGP Key-ID: 0x16ADC048
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

Internedservices - a KPN Company
Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
T: +31(0)299476185 | M: +31(0)624366778
W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman

From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] 
On Behalf Of Ebert, Christian
Sent: Friday, November 4, 2016 10:57 AM
To: openvas-discuss@wald.intevation.org
Subject: [Openvas-discuss] Scans in slave-mode - permission problem?

Hi everybody!

We have got some trouble with scans in slave-mode.

We have two Debian 8.6 systems with OpenVAS 8.0 installed and want to scan some 
targets in slave mode. In preparation we added the slave system with user 
"master".

Following situation:
User A (role Admin) creates a target "T1" (no credentials for authenticated 
checks) in system-1.
User B (role Admin) creates a task "T2" with target "T1" (-> owner user A) in 
system-1 using slave system-2.
User B starts task "T2" but the task hangs in status "requested". No job starts 
in system-2.

System-1 (Master):
openvasmd.log
event target:MESSAGE:2016-11-02 16h22.00 CET:1457: Target T1 has been created by A
event task:MESSAGE:2016-11-02 15h23.24 UTC:1463: Status of task  T2 has changed to New
event task:MESSAGE:2016-11-02 15h23.24 UTC:1463: Task T2 has been created by B
event task:MESSAGE:2016-11-02 15h24.13 UTC:1465: Status of task T2 has changed to Requested
event task:MESSAGE:2016-11-02 15h24.13 UTC:1465: Task T2 has been requested to start by B

System-2 (Slave):
openvasmd.log
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential (null) could not be deleted by master


We did some research:
Everything works fine when there is no usage of a slave-system (scanner = 
system-1).
Everything works fine when user A creates the target T1 and task T2 and also 
starts this task by using the slave system-2.


Has anyone got an idea?
Could you verify this problem? Is the error related to user permissions?

Thank you & kind regards.


Christian Ebert
Chief Security Analyst, CISM, T.I.S.P.
Head of Penetration Testing

QSC AG
Mathias-Brüggen-Straße 55
50829 Köln

T   +49 221 669-8950
F   +49 221 669-85950
M   +49 163 6698950
christian.eb...@qsc.de
http://www.qsc.de

Also visit our blog at http://blog.qsc.de
Please find the mandatory commercial-law disclosures here:
http://www.qsc.de/pflichtangaben

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
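
The comparison of the two openvasmd.log excerpts in the original post can be scripted. The following is an added example, not part of the thread or of OpenVAS: it lists tasks whose last status on the master is Requested and pairs them with failures logged on the slave for the slave login (here "master") within a time window. The function names, the 60-second window and the CET/UTC offset table are assumptions; the sample lines are taken from the thread, unwrapped and shortened.

```python
import re
from datetime import datetime, timedelta

# Line layout follows the openvasmd.log excerpts in the thread; the offset table is an assumption.
LINE = re.compile(r"event (\w+):MESSAGE:(\S+) (\d\d)h(\d\d)\.(\d\d) (\w+):\d+: (.*)")
TZ_OFFSET_HOURS = {"UTC": 0, "CET": 1}

# Constructed samples: lines from the thread, unwrapped, slave log shortened.
MASTER_LOG = """\
event target:MESSAGE:2016-11-02 16h22.00 CET:1457: Target T1 has been created by A
event task:MESSAGE:2016-11-02 15h23.24 UTC:1463: Status of task  T2 has changed to New
event task:MESSAGE:2016-11-02 15h24.13 UTC:1465: Status of task T2 has changed to Requested
"""
SLAVE_LOG = """\
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential (null) could not be deleted by master
"""

def parse(log):
    """Yield (utc_time, event_type, message) for every recognised log line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            kind, day, hh, mm, ss, tz, msg = m.groups()
            local = datetime.strptime(f"{day} {hh}:{mm}:{ss}", "%Y-%m-%d %H:%M:%S")
            # Unknown zone names are treated as UTC.
            yield local - timedelta(hours=TZ_OFFSET_HOURS.get(tz, 0)), kind, msg

def stuck_tasks(master_log):
    """Return {task: utc_time} for tasks whose last logged status is Requested."""
    last = {}
    for when, kind, msg in parse(master_log):
        m = re.match(r"Status of task\s+(.+) has changed to (\w+)", msg)
        if kind == "task" and m:
            last[m.group(1)] = (m.group(2), when)
    return {t: when for t, (status, when) in last.items() if status == "Requested"}

def correlate(master_log, slave_log, slave_user, window=60):
    """Map each stuck task to slave-side failures logged for slave_user within `window` seconds."""
    failed = [(when, msg) for when, _kind, msg in parse(slave_log)
              if re.search(rf"could not be \w+ by {re.escape(slave_user)}$", msg)]
    return {task: [msg for when, msg in failed if abs((when - t0).total_seconds()) <= window]
            for task, t0 in stuck_tasks(master_log).items()}

if __name__ == "__main__":
    for task, errors in correlate(MASTER_LOG, SLAVE_LOG, "master").items():
        print(task, "stuck in Requested;", len(errors), "slave-side failures nearby")
```

The script only lines up timestamps across the two logs; it does not say why the slave rejected the operation.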
