Minimal docker setup with python-gvm OSP API

Hi,
I am currently trying to build a slim/minimal Docker setup with the ospd-openvas scanner only. Then I want to connect to the ospd-openvas socket of the scanner to submit a scan via a Python script using python-gvm.

The connection from my Python script to the socket works fine, and commands like check_feed do as well. However, a problem occurs when submitting a scan with start_scan:

<get_scans_response status="200" status_text="OK">
  <scan id="5e914c35-5362-4336-a66f-073e6a75b718" target="localhost" progress="0" status="interrupted" start_time="1693561094" end_time="1693561145">
    <results>
      <result name="" type="Error Message" severity="" host="" hostname="" test_id="" port="" qod="" uri="">No VTS to run.</result>
      <result name="" type="Error Message" severity="" host="localhost" hostname="" test_id="" port="" qod="" uri="">Host process failure ('NoneType' object has no attribute 'items').</result>
      <result name="" type="Error Message" severity="" host="" hostname="" test_id="" port="" qod="" uri="">Scan process Failure</result>
    </results>
  </scan>
</get_scans_response>

It seems like no VTs are available at runtime, even though the log claims that the VT cache has been updated (in the ospd-openvas Docker container).

Thank you in advance!

My Python script:

import time
from gvm.connections import UnixSocketConnection
from gvm.protocols.latest import Osp
from gvm.xml import XmlCommand
from gvm.transforms import EtreeTransform
from lxml import etree

# Unix socket created by ospd-openvas (shared via ospd_openvas_socket_vol)
path = '/run/ospd/ospd-openvas.sock'
connection = UnixSocketConnection(path=path)
transform = EtreeTransform()

osp = Osp(connection=connection, transform=transform)


def pretty(element):
    return etree.tostring(element, pretty_print=True).decode('utf-8')


with osp:
    response = osp.get_version()
    print(pretty(response))

    # python-gvm has no helper for check_feed, so send the raw OSP command
    # and wait until the feed lock has been released
    cmd = XmlCommand('check_feed')
    response = osp.send_command(cmd.to_string())
    while response.find('.//lockfile_in_use').text == '1':
        time.sleep(10)
        response = osp.send_command(cmd.to_string())

    # start_scan (no vt_selection is passed here)
    targets = [{
        'hosts': 'localhost',
        'ports': '22',
    }]
    response = osp.start_scan(targets=targets)
    print('[start_scan] ' + pretty(response))
    scan_id = response.find('.//id').text

    print('Post exec sleep...')
    time.sleep(60)

    # poll get_scans until the scan reaches a final status
    while True:
        response = osp.get_scans(scan_id=scan_id)
        print('[get_scans] ' + pretty(response))
        status = response.find('.//scan').get('status')
        if status in ('finished', 'stopped', 'interrupted'):
            break
        time.sleep(10)

My docker-compose.yaml:

version: "3.7"

services:

  vulnerability-tests:
    image: greenbone/vulnerability-tests
    environment:
      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: greenbone/notus-data
    volumes:
      - notus_data_vol:/mnt

  gpg-data:
    image: greenbone/gpg-data
    volumes:
      - gpg_data_vol:/mnt

  redis-server:
    image: greenbone/redis-server
    restart: on-failure
    volumes:
      - redis_socket_vol:/run/redis/

  ospd-openvas:
    image: greenbone/ospd-openvas:stable
    restart: on-failure
    init: true
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN # for capturing packets in promiscuous mode
      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    command:
      [
        "ospd-openvas",
        "-f",
        "--config",
        "/etc/gvm/ospd-openvas.conf",
        "--mqtt-broker-address",
        "mqtt-broker",
        "--notus-feed-dir",
        "/var/lib/notus/advisories",
        "-m",
        "666"
      ]
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - notus_data_vol:/var/lib/notus
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully

  mqtt-broker:
    restart: on-failure
    image: greenbone/mqtt-broker
    ports:
      - 1883:1883
    networks:
      default:
        aliases:
          - mqtt-broker
          - broker

  notus-scanner:
    restart: on-failure
    image: greenbone/notus-scanner:stable
    volumes:
      - notus_data_vol:/var/lib/notus
      - gpg_data_vol:/etc/openvas/gnupg
    environment:
      NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
      NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
    depends_on:
      - mqtt-broker
      - gpg-data
      - vulnerability-tests

  my-own-api:
    restart: on-failure
    build: ./api
    volumes:
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      ospd-openvas:
        condition: service_started

volumes:
  gpg_data_vol:
  vt_data_vol:
  notus_data_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol:

This won’t work because ospd-openvas requires gvmd, which in turn I believe requires the other containers such as redis and mosquitto. Perhaps you can leave out the gsa container, but I believe you will need all the others. Maybe someone else can confirm this or tell you differently.

Hi,
I am trying to do something similar. If you add the vt_selection parameter, the test is executed without failing.
However, these 2 VTs are detected when I run it through the web admin on my test host. I checked the VTs (with osp.get_vts()) on the ospd container and these 2 are present in the scanner.

    # single VTs by OID plus whole families via vt_groups
    vt_selection = {
        '1.3.6.1.4.1.25623.1.0.80091': {},
        '1.3.6.1.4.1.25623.1.0.105610': {},
        'vt_groups': ['family=debian', 'family=general'],
    }

    response = osp.start_scan(targets=targets, vt_selection=vt_selection)

This is the response of the script after adding the vt_selection:

[get_scans] <get_scans_response status="200" status_text="OK">
  <scan id="fbe9f60b-d4cd-4543-b8a3-84ad96885c30" target="192.168.86.93" progress="100" status="finished" start_time="1697804100" end_time="1697804139">
    <results>
      <result name="HOST_START" type="Log Message" severity="0.0" host="192.168.86.93" hostname="" test_id="" port="" qod="" uri="">Fri Oct 20 12:15:36 2023</result>
      <result name="HOST_END" type="Log Message" severity="0.0" host="192.168.86.93" hostname="" test_id="" port="" qod="" uri="">Fri Oct 20 12:15:36 2023</result>
    </results>
  </scan>
</get_scans_response>

Any idea why there are no reported issues on OSP?
Thank you!
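The following is an added example and is not code from this thread, from python-gvm or from ospd-openvas. It uses only the Python standard library to build the same <start_scan> XML that python-gvm serialises for targets and a vt_selection dict (the form the last reply adds), to send commands over the ospd-openvas Unix socket, and to parse get_scans responses so that "Error Message" results such as "No VTS to run." are surfaced instead of being mistaken for a clean, finished scan. Assumptions, labelled in the code: the XML layout mirrors python-gvm's Osp.start_scan(); OSP accepts one command per connection and a response is complete once its root element closes; and "finished", "stopped" and "interrupted" are ospd's final scan states. The sample responses are the two quoted in the thread plus one constructed "running" response.

```python
"""Added example, not code from the thread: build OSP commands with the
standard library only, send them over the ospd-openvas Unix socket, and
turn a get_scans response into a summary that flags error results."""
import socket
import time
import xml.etree.ElementTree as ET

SOCKET_PATH = "/run/ospd/ospd-openvas.sock"          # socket path used in the thread
TERMINAL = {"finished", "stopped", "interrupted"}     # assumption: ospd's final scan states


def build_start_scan(hosts, ports, vt_selection=None, parallel=1):
    """<start_scan> as python-gvm's Osp.start_scan() serialises
    targets=[{'hosts', 'ports'}] and a vt_selection dict
    ({oid: {param: value}, 'vt_groups': ['family=...']}) -- assumed to match."""
    cmd = ET.Element("start_scan", parallel=str(parallel))
    target = ET.SubElement(ET.SubElement(cmd, "targets"), "target")
    ET.SubElement(target, "hosts").text = hosts
    ET.SubElement(target, "ports").text = ports
    if vt_selection:
        sel = ET.SubElement(cmd, "vt_selection")
        for vt_id, values in vt_selection.items():
            if vt_id == "vt_groups":
                for group in values:
                    ET.SubElement(sel, "vt_group", filter=group)
            else:
                single = ET.SubElement(sel, "vt_single", id=vt_id)
                for key, value in (values or {}).items():
                    ET.SubElement(single, "vt_value", id=key).text = str(value)
    return ET.tostring(cmd, encoding="unicode")


def osp_request(command_xml, socket_path=SOCKET_PATH, timeout=60.0):
    """One command per connection; read until the response's root element
    closes (assumption about ospd's framing) and return it parsed."""
    parser = ET.XMLPullParser(events=("start", "end"))
    root, depth = None, 0
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendall(command_xml.encode())
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            parser.feed(chunk)
            for event, elem in parser.read_events():
                if event == "start":
                    root = root if root is not None else elem
                    depth += 1
                else:
                    depth -= 1
            if root is not None and depth == 0:
                break
    if root is None:
        raise RuntimeError("empty OSP response")
    return root


def summarize_scan(response):
    """Split a <get_scans_response> (string or Element) into errors, log
    messages and findings so 'No VTS to run.' is not mistaken for a clean scan."""
    if isinstance(response, (str, bytes)):
        response = ET.fromstring(response)
    if response.get("status") != "200":
        raise RuntimeError(f"OSP {response.get('status')}: {response.get('status_text')}")
    scan = response.find("scan")
    if scan is None:
        raise RuntimeError("no <scan> element in response")
    buckets = {"errors": [], "logs": [], "findings": []}
    for r in scan.iter("result"):
        kind = r.get("type", "")
        key = "errors" if kind == "Error Message" else "logs" if kind == "Log Message" else "findings"
        buckets[key].append({"name": r.get("name", ""), "host": r.get("host", ""),
                             "severity": r.get("severity", ""), "text": (r.text or "").strip()})
    return {"id": scan.get("id"), "status": scan.get("status"),
            "progress": int(scan.get("progress", "0")), **buckets}


def wait_for_scan(scan_id, request=osp_request, poll_seconds=10.0, max_polls=360):
    """Poll get_scans until the scan reaches a final status; `request` is
    injectable so the loop can be exercised without a running scanner."""
    get_scans = ET.tostring(ET.Element("get_scans", scan_id=scan_id, details="1", pop_results="0"),
                            encoding="unicode")
    status = "unknown"
    for _ in range(max_polls):
        scan = summarize_scan(request(get_scans))
        status = scan["status"]
        if status in TERMINAL:
            return scan
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still {status} after {max_polls} polls")


# Responses quoted from the thread (first two) plus one constructed 'running' response.
SAMPLE_INTERRUPTED = """<get_scans_response status="200" status_text="OK">
<scan id="5e914c35-5362-4336-a66f-073e6a75b718" target="localhost" progress="0" status="interrupted" start_time="1693561094" end_time="1693561145"><results>
<result name="" type="Error Message" severity="" host="" hostname="" test_id="" port="" qod="" uri="">No VTS to run.</result>
<result name="" type="Error Message" severity="" host="localhost" hostname="" test_id="" port="" qod="" uri="">Host process failure ('NoneType' object has no attribute 'items').</result>
<result name="" type="Error Message" severity="" host="" hostname="" test_id="" port="" qod="" uri="">Scan process Failure</result>
</results></scan></get_scans_response>"""
SAMPLE_FINISHED = """<get_scans_response status="200" status_text="OK">
<scan id="fbe9f60b-d4cd-4543-b8a3-84ad96885c30" target="192.168.86.93" progress="100" status="finished" start_time="1697804100" end_time="1697804139"><results>
<result name="HOST_START" type="Log Message" severity="0.0" host="192.168.86.93" hostname="" test_id="" port="" qod="" uri="">Fri Oct 20 12:15:36 2023</result>
<result name="HOST_END" type="Log Message" severity="0.0" host="192.168.86.93" hostname="" test_id="" port="" qod="" uri="">Fri Oct 20 12:15:36 2023</result>
</results></scan></get_scans_response>"""
SAMPLE_RUNNING = """<get_scans_response status="200" status_text="OK">
<scan id="fbe9f60b-d4cd-4543-b8a3-84ad96885c30" target="192.168.86.93" progress="40" status="running" start_time="1697804100" end_time="0"><results/></scan></get_scans_response>"""

if __name__ == "__main__":   # needs a reachable ospd-openvas socket
    started = osp_request(build_start_scan("localhost", "22", {"vt_groups": ["family=general"]}))
    print(wait_for_scan(started.findtext("id")))
```

Run against the thread's own interrupted response, summarize_scan() returns status "interrupted" with three entries under "errors" and nothing under "findings"; the finished response from the last reply yields only the two HOST_START/HOST_END log messages, which is what an empty vt_selection match or a host with nothing detectable looks like at the OSP level. Pass a vt_selection to build_start_scan() exactly as the later reply does; an omitted vt_selection produces a <start_scan> with no <vt_selection> element at all.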