Hi!
Thank you for the quick response.
openvasmd on the slave is already listening on any IP address and is reachable
from the master.
The setup works correctly in single user mode, when slave, target and task
are added by the same user.
But we want to use the setup with multiple users ("admins") in our team and we
are not sure how to set the right permissions.
Kind regards
Christian Ebert
From: Thijs Stuurman [mailto:[email protected]]
Sent: Friday, 4 November 2016 11:52
To: [email protected]
Cc: Ebert, Christian
Subject: RE: Scans in slave-mode - permission problem?
So basically, your slave does not start any job and the master hangs on the
Request status.
I don't think it's a credential issue but rather firewalling?
I use slaves as such:
- Openvasmd listens on 0.0.0.0:9390 with iptables allowing access to
  that port using TCP from the master
- Master has Slave configured
  - IP address
  - Port 9390
  - Username and password configured (I created a 'slave' user with: "openvasmd
    --create-user=slave --role=Admin && openvasmd --user=slave --new-password=XXX")
Works like a charm here.
Only downside I found is that if the master process stops (openvas restart or
something alike) while a job still runs on a slave, it doesn't resume its
status.
Does this help you?
Thijs Stuurman
Security Operations Center
PGP Key-ID: 0x16ADC048
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
Internedservices - a KPN Company
Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
T: +31(0)299476185 | M: +31(0)624366778
W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman
From: Openvas-discuss [mailto:[email protected]]
On behalf of Ebert, Christian
Sent: Friday, November 4, 2016 10:57 AM
To: [email protected]
Subject: [Openvas-discuss] Scans in slave-mode - permission problem?
Hi everybody!
We have got some trouble with scans in slave-mode.
We have two Debian 8.6 systems with OpenVAS 8.0 installed and want to scan some
targets in slave mode. In preparation we added the slave system with user
"master".
Following situation:
User A (role Admin) creates a target "T1" (no credentials for authenticated
checks) in system-1.
User B (role Admin) creates a task "T2" with target "T1" (-> owner user A) in
system-1 using slave system-2.
User B starts task "T2" but the task hangs in status "requested". No job starts
in system-2.
System-1 (Master):
openvasmd.log
event target:MESSAGE:2016-11-02 16h22.00 CET:1457: Target T1 has been created
by A
event task:MESSAGE:2016-11-02 15h23.24 UTC:1463: Status of task T2 has changed
to New
event task:MESSAGE:2016-11-02 15h23.24 UTC:1463: Task T2 has been created by B
event task:MESSAGE:2016-11-02 15h24.13 UTC:1465: Status of task T2 has changed
to Requested
event task:MESSAGE:2016-11-02 15h24.13 UTC:1465: Task T2 has been requested to
start by B
System-2 (Slave):
openvasmd.log
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential
(null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential
(null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential
(null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential
(null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential
(null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential
(null) could not be deleted by master
We did some research:
Everything works fine when there is no usage of a slave-system (scanner =
system-1).
Everything works fine when user A creates the target T1 and task T2 and also
starts this task by using the slave system-2.
Has anyone got an idea?
Could you verify this problem? Is the error related to user permissions?
Thank you & kind regards.
Christian Ebert
Chief Security Analyst, CISM, T.I.S.P.
Head of Penetration Testing
QSC AG
Mathias-Brüggen-Straße 55
50829 Köln
T +49 221 669-8950
F +49 221 669-85950
M +49 163 6698950
[email protected]
http://www.qsc.de
Also visit our blog at http://blog.qsc.de
Please find the mandatory disclosures required under commercial law here:
http://www.qsc.de/pflichtangaben
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
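
Added example, not part of the thread and not OpenVAS code: a small Python triage script for the two openvasmd.log excerpts quoted in the original message. It normalizes the mixed CET/UTC timestamps and lists slave-side failure events logged shortly after a task's last status became Requested; the line format is inferred only from the quoted lines, and the function names and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Log line shape as quoted in the thread:
#   event <type>:MESSAGE:<date> <HH>h<MM>.<SS> <TZ>:<pid>: <text>
LINE = re.compile(r"^event (\w+):MESSAGE:(\d{4}-\d\d-\d\d) (\d\d)h(\d\d)\.(\d\d) (\w+):(\d+): (.*)$")
STATUS = re.compile(r"^Status of task (\S+) has changed to (\w+)$")
# Assumption: only the two zone labels seen in the thread are handled.
OFFSETS = {"UTC": 0, "CET": 1}

def parse(line):
    """Return (utc_time, event_type, text), or None for lines in another shape."""
    m = LINE.match(line.strip())
    if not m or m.group(6) not in OFFSETS:
        return None
    kind, date, hh, mm, ss, tz, _pid, text = m.groups()
    local = datetime.strptime(f"{date} {hh}:{mm}:{ss}", "%Y-%m-%d %H:%M:%S")
    utc = local.replace(tzinfo=timezone.utc) - timedelta(hours=OFFSETS[tz])
    return utc, kind, text

def stuck_tasks(master_lines, slave_lines, window=timedelta(seconds=60)):
    """Map each task whose last logged status is Requested to the slave-side
    'could not be' events logged within `window` after the request."""
    last = {}
    for rec in filter(None, map(parse, master_lines)):
        m = STATUS.match(rec[2])
        if rec[1] == "task" and m:
            last[m.group(1)] = (m.group(2), rec[0])
    slave = [r for r in filter(None, map(parse, slave_lines)) if "could not be" in r[2]]
    return {task: [text for t, _, text in slave if when <= t <= when + window]
            for task, (status, when) in last.items() if status == "Requested"}

# Sample input: lines quoted in the thread, with the mail line wraps removed.
MASTER = """\
event target:MESSAGE:2016-11-02 16h22.00 CET:1457: Target T1 has been created by A
event task:MESSAGE:2016-11-02 15h23.24 UTC:1463: Status of task T2 has changed to New
event task:MESSAGE:2016-11-02 15h24.13 UTC:1465: Status of task T2 has changed to Requested
""".splitlines()
SLAVE = """\
event lsc_credential:MESSAGE:2016-11-02 15h24.13 UTC:15193: LSC Credential (null) could not be deleted by master
event lsc_credential:MESSAGE:2016-11-02 15h24.38 UTC:15194: LSC Credential (null) could not be deleted by master
""".splitlines()

if __name__ == "__main__":
    for task, events in stuck_tasks(MASTER, SLAVE).items():
        print(f"task {task}: still Requested, {len(events)} slave-side failure(s) in window")
```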