I’m currently running OpenVAS using the docker images, but I want to use an external postgres database.
I can see that gvmd has parameters for DB host, user, and port, but I can’t see one for password. It seems as though the default has no password on the gvmd role. Is it possible to set a password? I don’t want a database with no password on it.
Also, is there a list of what permissions the DB user actually requires, rather than just granting
For the source code or Kali Linux installation, PostgreSQL’s peer authentication protects passwordless login. I’m not sure about Docker containers and obviously, peer auth won’t work for a remote connection.
By default, GVMD relies on PostgreSQL’s peer authentication method. The command line arguments for database settings such as host, user, and port are not required when starting gvmd. If these args are not provided, only the dbname is actually submitted to PG when connecting.
This forces PostgreSQL to use peer authentication, which uses the connecting process’s Linux username as the database login username. Using peer auth also protects the gvm PostgreSQL database from being accessed by anything except the gvmd process itself, since the gvm Linux user is created as a no-login user (at least for the source code installation it is).
sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm
So, only those with root/sudo can become the gvm Linux user.
To actually allow passwordless authentication in PG, you would have to set the PostgreSQL Host-Based Authentication configuration file (pg_hba.conf) to explicitly allow it using the trust method. Otherwise, passwordless authentication for PostgreSQL is not possible under any circumstances.
If you want to add password-based auth to GVM anyway, you would need to modify the source code. For example, in the GVMD package the database connection is created in the sql_pg.c file and it seems that the only place where database connection settings are collected is in the main gvmd.c file when command line arguments are parsed.
Of course, then you would need to change the PostgreSQL auth setting in pg_hba.conf to something like
Thanks, that’s what I suspected. We wanted to use AWS RDS for the database, which doesn’t (AFAIK) support passwordless authentication.
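
The answer above turns on which pg_hba.conf method a connection matches: peer for the local socket, trust for passwordless access, or a password-based method. As an added example (not part of the thread and not Greenbone's code), this Python script audits pg_hba.conf records and flags the ones that weaken authentication; the sample records, including the database, role and address values, are constructed.

```python
# Added example: flag weak or passwordless records in pg_hba.conf.
# SAMPLE_HBA is constructed; database, role and address values are assumptions.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS       METHOD
local    gvmd      gvm                 peer
host     gvmd      gvm   10.0.0.0/24   trust
host     gvmd      gvm   10.0.1.0/24   scram-sha-256
hostssl  all       all   0.0.0.0/0     md5
host     gvmd      gvm   10.0.2.0/24   peer
"""

METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def parse_hba(text):
    """Yield (lineno, conn_type, method) for each record.

    Handles comments, blank lines and the separate IP/netmask form.
    Not handled: include directives and quoted fields containing '#' or spaces.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].startswith("include"):
            continue
        # local: type db user method; host*: type db user address [mask] method
        start = 3 if fields[0] == "local" else 4
        method = next((f for f in fields[start:start + 2] if f in METHODS), None)
        yield lineno, fields[0], method

def audit(text):
    """Return [(lineno, reason)] for records that weaken authentication."""
    findings = []
    for lineno, conn, method in parse_hba(text):
        if method is None:
            findings.append((lineno, "no recognised auth method"))
        elif method == "trust":
            findings.append((lineno, "trust: matching clients log in without a password"))
        elif method == "peer" and conn != "local":
            findings.append((lineno, "peer only works on local (Unix socket) records"))
        elif method == "password":
            findings.append((lineno, "password: clear text unless TLS is used; use scram-sha-256"))
        elif method == "md5":
            findings.append((lineno, "md5: legacy hash; prefer scram-sha-256"))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE_HBA):
        print(f"line {lineno}: {reason}")
```

PostgreSQL uses the first record that matches a connection, so a flagged line matters most when it sits above a stricter one covering the same clients.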