Launch a script before a scan

Hi folks,

Besides scripting everything using a CLI, is it possible to run a bash script before launching a task? I need to change some network configuration before some tasks. Of course I could “hack my way” with crontab, but I don’t really know how much time a scan lasts, thus the next one should reset the network config (tag VLAN).

Many thanks!

This is possible technically, but not an easy task to pull off.

The only way I could do this is by creating a custom .nasl VT that executes the bash script on the target using an SSH execute command. Then creating a custom scan configuration for a new task as a credentialed scan. Then “daisy chaining” it to occur before the scan task you want it to precede using an alert. You can find instructions on the forum here on how to create a custom .nasl script and load it into Greenbone.

OK, so I don’t think I made myself understandable/clear.
I have multiple tasks, each for a different VLAN.
Each VLAN requires changing the TAG id of one of the network cards of the OpenVAS server. I was thinking of adding to the task something to run a script on the local server that will change the tag id, then launch the scan. Some kind of “Pre-Task Script”.

Currently the only possibility seems to be to use a HTTP GET alert:

https://docs.greenbone.net/GSM-Manual/gos-22.04/en/scanning.html#using-alerts

and make that script which changes the TAG id available on a local HTTP endpoint.

So I would run an alert that will send the task name/id to another webserver so this webserver interprets it as a command to launch a script. I can see so many flaws and security issues here.

Actually no, there can also be a “Task run status changed to” condition of e.g. “New” or “Requested”, which means that the Alert is run before the task is actually getting started. The picture below only shows the default of “Done”, which can be changed accordingly:

Yes, sorry, I modified my answer while you were replying. I get the concept, but it seems to me a huge security issue, and as a non-developer (willingly!) I can see how this will fail in many ways. While launching a local script reduces many problems.

Fully understandable, but other “out of the box” possibilities seem not to be available AFAICT.
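
The endpoint side of the HTTP GET alert approach discussed above, as an added example that is not part of the thread or Greenbone's own code: a loopback-only listener that maps an allowlisted task name to a fixed VLAN id and never passes request text to a shell. The `/pre-task` path, the `task` and `token` query parameters, the task names, port 8099 and the script path `/usr/local/sbin/set-vlan-tag.sh` are assumptions made for the example.

```python
import hmac
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders: task names, VLAN ids, token and script path.
TASK_VLANS = {"scan-vlan-10": 10, "scan-vlan-20": 20}
SHARED_TOKEN = "change-me-long-random-value"
VLAN_SCRIPT = "/usr/local/sbin/set-vlan-tag.sh"  # hypothetical local script


def resolve_vlan(request_path, tasks=TASK_VLANS, token=SHARED_TOKEN):
    """Return the VLAN id for an allowed request, or None to reject it."""
    parts = urlsplit(request_path)
    query = parse_qs(parts.query)
    if parts.path != "/pre-task" or set(query) != {"task", "token"}:
        return None
    if len(query["task"]) != 1 or len(query["token"]) != 1:
        return None
    if not hmac.compare_digest(query["token"][0].encode(), token.encode()):
        return None
    # Lookup only: the request selects an entry, it never supplies the value.
    return tasks.get(query["task"][0])


class PreTaskHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        pass  # default logging would write the token-bearing URL to stderr

    def do_GET(self):
        vlan = resolve_vlan(self.path)
        if vlan is None:
            self.send_error(403)
            return
        try:
            # Argument list, no shell: request text never reaches a command line.
            ok = subprocess.run([VLAN_SCRIPT, str(vlan)], timeout=30).returncode == 0
        except (OSError, subprocess.TimeoutExpired):
            ok = False
        self.send_response(204 if ok else 500)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only, so the endpoint is unreachable from the scanned networks.
    HTTPServer(("127.0.0.1", 8099), PreTaskHandler).serve_forever()
```

The alert would then point at the loopback URL, with its condition set to a status such as “Requested” as described in the thread.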

One solution would be to launch those scans from crontab in a script taking care of the network configuration first, but no way to make

openvas --scan-start=UUID

to work. I got no error, but it never launches the job :-(.

For reference, the above now has a follow-up on the question of how to launch a scan from the command line here: