Hi guys,
thanks you very much :) Your input was very helpful so far!
I looked at this blog
https://blog.haardiek.org/setup-openvas-as-master-and-slave.html which
mentions OMP Slaves as scanners.
Trying to update the certificates with openvasmd --modify-scanner
--scanner-ca-pub etc. failed with:
"Failed to find scanner <correct ID from openvasmd --get-scanners>." Do
you have any idea what could be the problem?
The man-page for `openvasmd` only mentions "OpenVAS Scanner" and "OSP
Ovaldi" as scanner-types. Is there a way to use openvasmd CLI (or
gvm-tools) to add/modify OMP Slave-type scanners?
Thanks again :)
--
Mit freundlichen Grüßen / Best regards
Frieder Schlesier
Student/Trainee IT-Service
______________________
GK Software SE
On 24.04.2018 15:55, Thijs Stuurman wrote:
I use the same model but cannot quickly answer the asked questions:
1) Is it possible to run the Postgres on a different machine than
GVM+GSA? If yes: how? I was not able to find a definite place for
configuration :( So far I found a couple mentions of psql and sqlite
calls in source code and some wrapper scripts. Depending on the
current stance about this topic in the community, we are willing to
share our solution with you all. If you are interested ;-)
Should be but I don't see where the option is or should go; search for conf options.
I run the postgresql on the Master itself, gvm+gsa doesn't do much so basically
it's your DB server. Why bother splitting them up?
(if you want to for zoning purposes, put an Apache reverse proxy in front of it
in your DMZ)
2) As far as I understand, openvas-scanner needs a redis-service and access to
(a local) NVT database. Does it also require connection to SCAP and CERT data
or (probably in our case) the central Postgres?
I don't think it generally uses the scap and cert data, I often have had sync
issues with those.
Basically your slave scanner is the same as your master but will run just fine
with sqlite instead of postgresql.
Other than that they are the same with their owen NVT database.. just not
running GSA as you don't need a web interface on there.
When the master gives them a task they will run it completely themselves and
constantly feed back the results. The master will end up with all the scan
results and history; the slave will probably be empty afterwards. You can trash
the slave or give the task to another slave without worries.
You want postgresql on your master for the amount of data it will have, speed..
and I believe its now preferred over sqlite?
Also it can process more requests, one SELECT per CPU core.. which helps a lot.
(still I find it very slow, the SELECTs take a long time for me)
3) I found a couple tutorials online, how to set up openvas9 with postgres. Sadly those
all mention the "migrate-to-postgres" script, which (afaik) require a running
setup with SQLite. Is it also possible to setup openvas9 using postgres without having to
build the sqlite version beforehand? Any vage hints?
I had to migrate but I suppose if you setup a new clean installation with
postgresql, it will setup the initial database in there just like it would do
in sqlite?
Just give it a try.
Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuur...@internedservices.nl | thijs.stuur...@kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman
-----Oorspronkelijk bericht-----
Van: Openvas-discuss <openvas-discuss-boun...@wald.intevation.org> Namens Louis
Bohm
Verzonden: dinsdag 24 april 2018 15:27
Aan: Frieder Schlesier <fschles...@gk-software.com>
CC: openvas-discuss@wald.intevation.org
Onderwerp: Re: [Openvas-discuss] Questions on distributed Setup
I can tell you that I do use the Master/Slave setup and there is at least one
other person on this list who uses the same model. Its pretty simple. The
slaves just perform the actual scanning of the host and their disk usage is
constant. I have one the slaves in AWS and one in the new IBM cloud (my
company has instances in both clouds right now). Both slaves are using 20GB of
disk. The number of CPUs and RAM is totally dependent on how many hosts you
want to scan at a time.
The master I have is running on VMWare. This is where it uses the DB. Right
now I am using the sqlite DB but I am thinking of going to Postgresql for
better performance. Generally I can run about 5-10 scans (using a subset of
the full and deep profile).
I will say that even if you are using a slave the master is being hit. The
slave is the host reaching out to the end point doing the scanning. However,
the slave scanner is CONSTANTLY updating the master with results. And from
what I can get from the logs the Master is updating the slave with new marching
orders.
If you are going to go over to postgresql do not bother doing the slaves. Only
worry about the master. The same is true with Reds. Only worry about the
Master. The slaves can be swapped in and out very quickly with little effort.
I even started writing a build script that I was thinking of pumping in to AWS
cloud formation so it could build a new slave on demand. However, it just
takes too long to download the NVTs. So I have a script to stop and start the
AWS slave as needed.
As far as building OpenVAS with Postgresql from scratch I am sure there are
directions some where. But to be honest its so simple to install fully
functional base system its not even funny. Then chaining over to postgresql is
simple. Why make it harder then it needs to be.
Louis
:::::
Louis Bohm - Sr. Systems Engineer
Dell TechDirect Certified
On Apr 23, 2018, at 8:21 AM, Frieder Schlesier <fschles...@gk-software.com>
wrote:
Hi folks,
we are trying to set up an infrastructure with multiple scanner-slaves in
different locations and one central GVM+GSA. Also we want to use Postgres as DB
Backend.
So far, a few questions came up:
1) Is it possible to run the Postgres on a different machine than
GVM+GSA? If yes: how? I was not able to find a definite place for
configuration :( So far I found a couple mentions of psql and sqlite
calls in source code and some wrapper scripts. Depending on the
current stance about this topic in the community, we are willing to
share our solution with you all. If you are interested ;-)
2) As far as I understand, openvas-scanner needs a redis-service and access to
(a local) NVT database. Does it also require connection to SCAP and CERT data
or (probably in our case) the central Postgres?
3) I found a couple tutorials online, how to set up openvas9 with postgres. Sadly those
all mention the "migrate-to-postgres" script, which (afaik) require a running
setup with SQLite. Is it also possible to setup openvas9 using postgres without having to
build the sqlite version beforehand? Any vage hints?
Thanks in advance :)
--
Mit freundlichen Grüßen / Best regards Frieder Schlesier IT-Service
______________________ GK Software SE Waldstraße 7 | 08261 Schöneck |
Germany www.gk-software.com Sitz der Gesellschaft / Registered Office
of the Company: Waldstr. 7 | 08261 Schöneck | Germany
Aufsichtsratsvorsitzender / Chairman of the Supervisory Board: Uwe
Ludwig Vorstand/Management Board: Rainer Gläß (CEO), Andre Hergert
Amtsgericht Chemnitz HRB 31501 / Commercial Register Chemnitz HRB
31501
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-dis
cuss
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
