GVM 20.8 container can't scan hosts beside localhost

GVM versions

gsad: 20.8
gvmd: 20.8
openvas-scanner: 20.8
gvm-libs: 20.8

Environment

Operating system: Debian 10 (container)
Kernel: (‘uname -a’) 5.9.8-200.fc33.x86_64 (Fedora is container host)
Installation method / source: Source

Installation method

I installed GVM/OpenVAS from source, as described in this GitHub repo, which also includes a Docker Hub image in case you want to try out my image. If there are any comments about the installation method, please let me know as well. It should all be in line with the documentation.

Problem

When I then start a quick scan for localhost, I get scan results. But when I scan other hosts (either other local containers, VMs or hosts in the network) it stops in a few seconds. On those hosts I scan, no firewall logs appear. I use the “Port List: All IANA assigned TCP”, all syncs are up to date.

Even when I set the target as “assume alive”, it still finishes in a few seconds and considers it “done”, while nothing is reported.

The logs also don’t show anything interesting:

==> /usr/local/var/log/gvm/ospd-openvas.log <==
OSPD[129] 2020-11-27 14:42:31,037: INFO: (ospd.command.command) Scan d1a6155e-e342-4907-ba34-c0a90614ca95 added to the queue in position 1.
OSPD[129] 2020-11-27 14:42:37,660: INFO: (ospd.ospd) Currently 1 queued scans.
OSPD[129] 2020-11-27 14:42:37,771: INFO: (ospd.ospd) Starting scan d1a6155e-e342-4907-ba34-c0a90614ca95.

==> /usr/local/var/log/gvm/gvmd.log <==
event task:MESSAGE:2020-11-27 14h42.41 UTC:19736: Status of task New Quick Task Clone 1 (4358b3ed-cd0a-4bdd-9c81-c3fa366100f1) has changed to Running

==> /usr/local/var/log/gvm/ospd-openvas.log <==
OSPD[129] 2020-11-27 14:42:58,567: INFO: (ospd.ospd) d1a6155e-e342-4907-ba34-c0a90614ca95: Host scan finished.
OSPD[129] 2020-11-27 14:42:58,569: INFO: (ospd.ospd) d1a6155e-e342-4907-ba34-c0a90614ca95: Scan finished.

==> /usr/local/var/log/gvm/gvmd.log <==
event task:MESSAGE:2020-11-27 14h43.02 UTC:19736: Status of task New Quick Task Clone 1 (4358b3ed-cd0a-4bdd-9c81-c3fa366100f1) has changed to Done

Any suggestions to troubleshoot this further? I tried setting the OSPD service in DEBUG log-level mode, but that only displayed communication interaction logs between the scanner and OSPD.

It all depends on your network setup. You need to directly attach the other hosts without the container web-forwarding and load-balancing technology. So you need to put your raw network connectivity into the container via SDN, otherwise you see only partial targets or localhost.

As well, the scanner needs to run with root and raw capabilities even inside a container.

2 Likes

Yes! You reminded me of a recent Fedora Magazine article about this. At least running nmap works now without issues. I added the NET_RAW and NET_ADMIN capabilities. Let’s see how it goes now with GVM itself. But I think this was it.

1 Like
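A quick way to confirm from inside the container whether the two capabilities named above are actually in effect, before starting a scan. This is an added example, not part of the original thread; the function names are hypothetical and the hex masks in the comments are constructed samples.

```shell
#!/bin/sh
# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap MASK_HEX BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_scan_caps MASK_HEX: prints the names of the capabilities from
# this thread (NET_RAW, NET_ADMIN) that are absent from the mask.
# Constructed samples: 00000000a80405fb lacks both,
# 00000000a80425fb lacks only NET_ADMIN, 00000000a80435fb has both.
missing_scan_caps() {
    missing=""
    has_cap "$1" "$CAP_NET_RAW"   || missing="$missing NET_RAW"
    has_cap "$1" "$CAP_NET_ADMIN" || missing="$missing NET_ADMIN"
    echo "${missing# }"
}

# effective_mask [STATUS_FILE]: prints the CapEff value from a process
# status file; defaults to the status of the current shell.
effective_mask() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/$$/status}"
}

# Report for the current shell. Run this as the same user that runs the
# scanner inside the container, since capabilities differ per user.
mask=$(effective_mask 2>/dev/null) || mask=""
if [ -n "$mask" ]; then
    missing=$(missing_scan_caps "$mask")
    if [ -n "$missing" ]; then
        echo "CapEff=$mask is missing: $missing"
    else
        echo "CapEff=$mask has NET_RAW and NET_ADMIN"
    fi
else
    echo "could not read CapEff (no /proc?)"
fi
```

To check an already running scanner process instead of the shell, pass its status file, for example `effective_mask /proc/<pid>/status`.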

No. Containers are built for incoming web/SMTP/etc. services, and not for doing mass sessions from inside a container to outside … if you scan hosts on FULL TCP & UDP you have per target up to 131070 sessions in a very short time frame. Many container hosts are not built for that. Even the session table might overflow pretty easily and then you get false negatives.

The only solution I saw was terminating the traffic via SDN and encapsulation inside the container context. So you bypass all web-services voodoo.

2 Likes

Hi, I seem to have the same problem. I also posted a question in the community before I noticed your article.

I’m sorry that my technique is not very good; I don’t understand the article you provided very well. I don’t use Docker, and Podman is also not installed, so are we in the same situation?
Looking forward to your reply.

@AquaL1te

The problem is the Linux network stack with a stateful firewall in whatever context, plus kernel security. Docker is one of many cases where a firewall or security system like SELinux, capabilities, etc. ruins your results.

1 Like

Hi PietroVAS,

as this is your first post here, welcome to the community forum!

If you are considering buying a Qualys or Tenable/Nessus product, you might be interested in this post pointing out the differences between community and commercial versions (and support).

2 Likes

It is important to understand how your system is working if you home brew your system. The same goes for any other network and security product. If you can only scan localhost, you have an issue with your setup and your network. For that reason we have a free community version that is exactly based on our appliance, including the appliance OS. If you bridge that appliance directly to a network you have a safe and solid setup. Just ping to the external scan interface and it should work.

2 Likes