GVM Master-Slave Setup not working

Archive Greenbone Community Edition
1

GVM versions

gsa: Greenbone Security Assistant 9.0
gvm: Greenbone Vulnerability Manager 9.0.0
ospd-openvas: OSP Server for openvas: 1.0.0
openvas: OpenVAS 7.0.0

Environment

Operating system: Ubuntu 18.04.3 LTS
Kernel: Linux node2 4.15.0-70-generic

Hi guys,

I have trouble setting up a maser-slave setting.
I allready googled a lot and read the topics here:



https://blog.haardiek.org/setup-openvas-as-master-and-slave.html

But did not come up with a working solution…

What i did:
slave:

  • added user
    gvmd --create-user=slave --password=12345 --role=Admin

  • gvmd listening on 0.0.0.0?
    tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN 0 29372 1214/gvmd: Waiting

  • copied /var/lib/gvm/CA/cacert.pem to master

master:

  • created credentials with user ‘slave’ and password ‘12345’ and ‘allow insecure use’

  • create GMP scanner with my credentials.

  • add cacert of slave to scanner
    gvmd --modify-scanner=‘70ec1f74-5521-44bf-bad3-601313f3433b’ --scanner-ca-pub=/root/cacert.pem

I tried a lot more, but basically i think it should work with this…

Tested the verify scanner option:
GVMD-LOG ON MASTER:
md main: DEBUG:2019-11-21 15h45.36 CET:4133: <= client “<verify_scanner scanner_id=“70ec1f74-5521-44bf-bad3-601313f3433b”/>”
lib serv: DEBUG:2019-11-21 15h45.36 CET:4133: Connected to server ‘192.168.28.157’ port 9391.
lib serv: DEBUG:2019-11-21 15h45.36 CET:4133: Shook hands with server ‘192.168.28.157’ port 9391.
lib serv:WARNING:2019-11-21 15h45.36 CET:4133: gvm_server_verify: the certificate is not trusted
lib serv:WARNING:2019-11-21 15h45.36 CET:4133: gvm_server_verify: the certificate hasn’t got a known issuer
md main: DEBUG:2019-11-21 15h45.36 CET:4133: -> client: <verify_scanner_response status=“503” status_text=“Service unavailable”/>

So it looks like a certificate problem, but not sure how to fix this?
If i look in the postgresql db i can see the cacert.pem of the scanner, but if i try to download it in gsa, i get a file with ‘undefined’ written in it… is this a bug?

GVMD-LOG ON SLAVE:

lib serv: DEBUG:2019-11-21 14h49.45 utc:2924: Shook hands with peer.
md main: DEBUG:2019-11-21 14h49.45 utc:2924: Serving GMP
md main:WARNING:2019-11-21 14h49.45 utc:2924: read_from_client_tls: failed to read from client: The TLS connection was non-properly terminated.
md main: DEBUG:2019-11-21 14h49.45 utc:2924: Cleaning up
md main: DEBUG:2019-11-21 14h49.45 utc:2924: Exiting

SCAN TEST:
i also tried to scan with the slave.
The master is able to send the task to the slave and it is actually doing some scanning, but no results are received by the master. It stucks at 1%, no logfiles nothing.

I would realy appreciate some help, since i wasted hours without progress on this…

1 Like
2

Does not anybody has an idea how to solve this problem?

3

To me, your problem report looks contradictory.

At 14.49 the slave log reports in <1 second that the connection didn’t work.
An hour later 15.45 the master log reports in <1 second that the slave didn’t provide a trusted certificate, issued by some trusted CA (certificate authority). So you should look into your certificate / certificate infrastructure, there are certainly relevant chapters in the documentation.

You said the scan started, but this doesn’t look possible with said error reports.
So either the “1%” is not really correct, or something changed in between.

Why don’t you ask a question on the ubuntu help forums? They are friendly and helpful over there, and if you run it on ubuntu, that seems a logical thing to do. If I understand the gb policies correctly, they supply the GCE in order to have a clearly defined and correctly configured system base so they support that and know every relevant detail, but they don’t want to learn the integration and configuration details of every linux OS under the sun, which sounds reasonable to me, so the ubuntu forum looks like a good place to ask (unless you installed from source yourself, then you might want to learn how to do a working integration yourself).

4

Hi!
did you find a solution yet?

5

Hi,
I managed to get rid of the cert warning (compiled it from source), but still no working master slave setup… i end up using v9, where all is working.

1 Like
6

Uping this topic. Is there any documentation explaining the master / slave architecture in GVM-11 ? Currently between the GMP, the OSP and OpenVAS scanners type, the authentication method between certificates and user/login and the fact options are not the same between gsad and gvmd in command line, all of this is highly confusing and unclear.

Under GVM-9 it was unclear too, but thanks to external blogs we were able to make it work somehow. Could anyone from greenbone point out to ressource documentations clarifying this ?

Thanks

2 Likes
7

With GVM 11 the whole scanner architecture changed. Therefore the master/slave setup is completely different too. It is based now based on OSP. Currently there is no documentation about the master/slave setup. You have to use a Greenbone Appliance with a Sensor for such setups.

3 Likes
8

Does that mean that the master / slave setup is no longer an option with GSE ?

9

Greenbone provides all parts of our core as free software (called GSE/GVM) and there are no plans to change that ever. Of course we are using some small patches in our products to adjust some configs e.g. for branding.

Therefore it is still possible to create a master/slave setup with GVM 11 but you have to dig through the source code. Currently no public configuration documentation for master/slave exists. So you either should buy a Greenbone product, use GVM 10, use GVM 11 with a GMP sensor or dig through the source codes for using an OSP sensor.

3 Likes
10

How did you get rid of the cert warning?

13

Use sockets.

1 Like
14

could you explain a bit more?