Libgvm can't access the redis sock

asrozar · June 15, 2022, 4:08pm

GVM versions

gsad: ('gsad 21.4.4)
gvmd: ('gvmd 21.4.5)
openvas-scanner: (OpenVAS 21.4.4)
gvm-libs: (21.4.4)

Environment

Operating system:
Kernel: (5.4.0-117-generic #132-Ubuntu SMP Thu Jun 2 00:39:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux)
Installation method / source: = https://greenbone.github.io/docs/latest/21.04/source-build/

Hello,
I’ve run into a very strange issue with Redis. When I kick off a scan I get the following redis error.

==> /var/log/gvm/openvas.log <==
sd   main:MESSAGE:2022-06-15 13h25.55 utc:189645: openvas 21.4.4 started
libgvm util:CRITICAL:2022-06-15 13h25.55 utc:189645: redis_find: redis connection error to /run/redis-openvas/redis.sock: Permission denied
libgvm util:CRITICAL:2022-06-15 13h25.55 utc:189645: get_redis_ctx: redis connection error to /run/redis-openvas/redis.sock: Permission denied
libgvm util:CRITICAL:2022-06-15 13h25.55 utc:189645: get_redis_ctx: redis connection error to /run/redis-openvas/redis.sock: Permission denied
sd   main:MESSAGE:2022-06-15 13h25.55 utc:189645: Failed to initialize nvti cache.
libgvm util:CRITICAL:2022-06-15 13h25.55 utc:189645: redis_find: redis connection error to /run/redis-openvas/redis.sock: Permission denied

But from a permissions standpoint, I’m pretty sure they are correct. The gvm user is in the redis group and the /run/redis-openvas/redis.sock file is set properly to my knowledge.

From /etc/group I see this, redis:x:120:gvm and the file permissions are srwxrwx--- 1 redis redis 0 Jun 15 13:01 /run/redis-openvas/redis.sock.

Any pointers as to where else to look would be greatly appreciated.

Thank you!

Eero · June 15, 2022, 4:22pm

@asrozar sounds like permission problem. is sudo setup as expected?

Eero

asrozar · June 15, 2022, 4:28pm

@Eero - I agree that is does sound like it, but what other permissions are there to check?

visudo shows %gvm ALL = NOPASSWD: /usr/local/sbin/openvas

Thank you for the quick response.

Eero · June 15, 2022, 4:30pm

@asrozar well. I need to check from my own scanner. If you can use Debian, then you can use my ansible to setup system correctly

Eero

asrozar · June 15, 2022, 4:33pm

@Eero - It’s ubuntu so it’s pretty close, I’d likely need to make modifications. Is it on Github?

Eero · June 15, 2022, 4:33pm

@asrozar is this command working on gvm user?

redis-cli -s /run/redis-openvas/redis.sock --stat

Eero

Eero · June 15, 2022, 4:36pm

@asrozar well. its on github, but it works on Debian – only tested on it.

packages are bit different on ubuntu. requires too much effort…

Eero

asrozar · June 15, 2022, 4:47pm

@Eero - It sure does.

avery_rozar@winston-salem-scanner:~$ sudo -u gvm redis-cli -s /run/redis-openvas/redis.sock --stat
------- data ------ --------------------- load -------------------- - child -
keys       mem      clients blocked requests            connections          
199075     193.41M  3       0       798485 (+0)         1034        
199075     193.41M  3       0       798486 (+1)         1034        
199075     193.41M  3       0       798487 (+1)         1034        
199075     193.41M  3       0       798488 (+1)         1034        
199075     193.41M  3       0       798489 (+1)         1034        
199075     193.41M  3       0       798490 (+1)         1034        
199075     193.41M  3       0       798491 (+1)         1034        
199075     193.41M  3       0       798493 (+2)         1034        
199075     193.41M  3       0       798494 (+1)         1034        
199075     193.41M  3       0       798495 (+1)         1034        
199075     193.41M  3       0       798496 (+1)         1034

and so on....

Eero · June 15, 2022, 6:33pm

@asrozar problem is probably than scanner cannot access to redis? is all initscripts ok?

Eero