The URL says to add a listen=0.0.0.0 port=9393 for openvasmd on the slave.  The 
master will then use just the scanner on the slave not the entire OpenVAS stack 
of the slave (even though you need to install all of it).

The Allow Insecure option is on the username/password credential created and 
assigned to the scanner config on the master.  The slave is only set up with 
the admin account.  No other users and/or roles need to be set up there.

Louis
:::::
Louis Bohm - Sr. Systems Engineer
        Dell TechDirect Certified
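
The "certificate hasn't got a known issuer" warning quoted further down in this thread comes down to which CA file the master is given as its trust anchor for the slave. The script below is an added example, not part of the original messages or of OpenVAS: it builds two constructed CAs and one server certificate, then uses OpenSSL's verifier (not the manager's own TLS check) to show that the server certificate is accepted only against the CA that issued it. The helper names `make_ca`, `issue_server`, `dn` and `check_anchor` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: every certificate and name here is constructed. The files stand
# in for the slave's /var/lib/openvas/CA/cacert.pem and servercert.pem.

# make_ca DIR CN: create a self-signed CA (cakey.pem, cacert.pem) in DIR
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue_server DIR CN: create servercert.pem in DIR, signed by DIR's CA
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 2 -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/servercert.pem" 2>/dev/null
}

# dn FIELD CERT: print CERT's subject or issuer DN without the leading label
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_anchor ANCHOR CERT: "trusted" if CERT verifies against ANCHOR alone
check_anchor() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo "trusted"
    else
        echo "unknown-issuer"
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work/slave" "Constructed slave CA"
make_ca "$work/master" "Constructed master CA"
issue_server "$work/slave" "slave.example.test"
srv="$work/slave/servercert.pem"

echo "server cert issuer  : $(dn issuer "$srv")"
echo "slave CA subject    : $(dn subject "$work/slave/cacert.pem")"
echo "slave CA as anchor  : $(check_anchor "$work/slave/cacert.pem" "$srv")"
echo "master CA as anchor : $(check_anchor "$work/master/cacert.pem" "$srv")"
```

The same `dn` and `check_anchor` calls can be pointed at the cacert.pem and servercert.pem copied from a slave to confirm which file is the issuer before uploading it to the master.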

> On Feb 23, 2018, at 10:09 AM, Thijs Stuurman 
> <thijs.stuur...@internedservices.nl> wrote:
> 
> By the way, I do notice your initial mail contains logs with:
>  
> lib  serv:  DEBUG:2018-02-22 17h59.10 UTC:22888:    Connected to server 'op4us1opsscan01.domain.net' port 9393.
>  
> My master connects to the slaves using OMP (Type: OMP Slave) on port 9390 on 
> which gvmd is listening.
>  
> I do not see any option in the slave configuration to set secure or insecure…
>  
> Thijs Stuurman
> Security Operations Center | KPN Internedservices B.V.
> thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
> T: +31(0)299476185 | M: +31(0)624366778
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
>  
> W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
>  
> From: Louis Bohm [mailto:lo...@systemgeek.net]
> Sent: Friday, 23 February 2018 16:05
> To: Thijs Stuurman <thijs.stuur...@internedservices.nl>
> CC: openvas-discuss@wald.intevation.org
> Subject: Re: [Openvas-discuss] Scanner Master Slave setup
>  
> I got it working but not sure why.  So if I use a username/password and set 
> the credential to allow insecure=yes the client comes back with a 200 
> response but does nothing.  If I change the credential to allow insecure=no 
> the client comes back with:
> md   main:  DEBUG:2018-02-23 15h01.16 UTC:25782: -> client: 
> <create_credential_response status="400" status_text="Erroneous private key 
> or associated passphrase"/>
> but then the scan starts…
>  
> Very odd.
>  
> I will have to try the same thing but with the servercert.pem and see if that 
> works.
>  
> Louis
>  
> On Feb 23, 2018, at 9:59 AM, Louis Bohm <lo...@systemgeek.net> wrote:
>  
> That yielded me this on the client but still the scan has not progressed from 
> Requested.
>  
> Client:
> lib  serv:  DEBUG:2018-02-23 14h37.52 utc:25578:    Shook hands with peer.
> md   main:  DEBUG:2018-02-23 14h37.52 utc:25578:    Serving OMP.
> md   main:  DEBUG:2018-02-23 14h37.52 utc:25578: <= client  Input may contain 
> password, suppressed.
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML  start: authenticate 
> (0)
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 2
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML  start: credentials 
> (2)
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 3
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML  start: username (3)
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 5
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML   text: admin
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML    end: username
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 3
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML  start: password (3)
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 4
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML   text: ********
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML    end: password
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 3
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML    end: credentials
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    client state set: 2
> md    omp:  DEBUG:2018-02-23 14h37.52 utc:25578:    XML    end: authenticate
> md   main:  DEBUG:2018-02-23 14h37.52 UTC:25578: -> client: 
> <authenticate_response status="200" 
> status_text="OK"><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response>
> md    omp:  DEBUG:2018-02-23 14h37.52 UTC:25578:    client state set: 1
> md   main:  DEBUG:2018-02-23 14h37.52 UTC:25578: => client  144 bytes
> md   main:  DEBUG:2018-02-23 14h37.52 UTC:25578: => client  done
> I know the username and password are correct.  And the slave even sent a 200 
> response to the master so why is it not working????  So frustrating.
>  
> Louis
>  
> On Feb 23, 2018, at 7:42 AM, Thijs Stuurman 
> <thijs.stuur...@internedservices.nl> wrote:
>  
> Try the /var/lib/openvas/CA/cacert.pem from your slave.
>  
> Thijs Stuurman
>  
> From: Louis Bohm [mailto:lo...@systemgeek.net]
> Sent: Friday, 23 February 2018 13:18
> To: Thijs Stuurman <thijs.stuur...@internedservices.nl>
> CC: openvas-discuss@wald.intevation.org
> Subject: Re: [Openvas-discuss] Scanner Master Slave setup
>  
> According to the doc it says to use: 
> ${CMAKE_INSTALL_PREFIX}"/var/lib/openvas/CA/servercert.pem.
> On CentOS 7 that turns out to be: /var/lib/openvas/CA/servercert.pem 
> according to openvas-manage-certs -V
> [root@pci-sec02 ~]# openvas-manage-certs -V
> OK: Directory for keys (/var/lib/openvas/private/CA) exists.
> OK: Directory for certificates (/var/lib/openvas/CA) exists.
> OK: CA key found in /var/lib/openvas/private/CA/cakey.pem
> OK: CA certificate found in /var/lib/openvas/CA/cacert.pem
> OK: CA certificate verified.
> OK: Certificate /var/lib/openvas/CA/servercert.pem verified.
> OK: Certificate /var/lib/openvas/CA/clientcert.pem verified.
>  
> Is it not the servercert.pem from the slave openvas host that I am supposed 
> to use?
>  
> Louis
>  
> On Feb 23, 2018, at 5:09 AM, Thijs Stuurman 
> <thijs.stuur...@internedservices.nl> wrote:
>  
> My best guess is that you didn’t load in the right CA certificate from your 
> slave at step:
>  
> CA Certificate: The certificate you gathered from the slave
>  
> Thijs Stuurman
>  
> From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On behalf of Louis Bohm
> Sent: Thursday, 22 February 2018 19:11
> To: openvas-discuss@wald.intevation.org
> Subject: [Openvas-discuss] Scanner Master Slave setup
>  
> I followed the following doc 
> https://blog.haardiek.org/setup-openvas-as-master-and-slave.html to set up 
> the master slave environment with the exception that I am doing this on 
> CentOS 7 with OpenVAS9.
>  
> On the master I am getting this:
> lib  serv:  DEBUG:2018-02-22 17h59.10 UTC:22888:    Connected to server 'op4us1opsscan01.domain.net' port 9393.
> lib  serv:  DEBUG:2018-02-22 17h59.10 UTC:22888:    Shook hands with server 'op4us1opsscan01.domain.net' port 9393.
> lib  serv:WARNING:2018-02-22 17h59.10 UTC:22888: openvas_server_verify: the certificate is not trusted
> lib  serv:WARNING:2018-02-22 17h59.10 UTC:22888: openvas_server_verify: the certificate hasn't got a known issuer
>  
> On the client I am getting this:
> lib  serv:  DEBUG:2018-02-22 18h05.53 utc:20431:    Shook hands with peer.
> md   main:  DEBUG:2018-02-22 18h05.53 utc:20431:    Serving OMP.
>  
> But in the GUI all I see is Status: Requested and it never changes.
>  
> Any idea why this is not working?
>  
> Louis
