Hi,
I am currently trying to build a slim/minimal Docker setup with the ospd-openvas
scanner only. Then I want to connect to the ospd-openvas socket of the scanner to submit a scan via a Python script using python-gvm.
The connection from my Python script to the socket works fine, and so do commands like check_feed.
However, a problem occurs when submitting a scan with start_scan:
<get_scans_response status="200" status_text="OK">
<scan id="5e914c35-5362-4336-a66f-073e6a75b718" target="localhost" progress="0" status="interrupted" start_time="1693561094" end_time="1693561145">
<results>
<result name="" type="Error Message" severity="" host="" hostname="" test_id="" port="" qod="" uri="">No VTS to run.</result>
<result name="" type="Error Message" severity="" host="localhost" hostname="" test_id="" port="" qod="" uri="">Host process failure ('NoneType' object has no attribute 'items').</result>
<result name="" type="Error Message" severity="" host="" hostname="" test_id="" port="" qod="" uri="">Scan process Failure</result>
</results>
</scan>
</get_scans_response>
It seems that no VTs are available at runtime, even though the log claims that the VT cache has been updated (in the ospd-openvas
Docker container).
Thank you in advance!
My Python script:
import time
from gvm.connections import UnixSocketConnection
from gvm.protocols.latest import Osp
from gvm.xml import XmlCommand
from gvm.transforms import EtreeTransform
from lxml import etree
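path = '/run/ospd/ospd-openvas.sock'
connection = UnixSocketConnection(path=path)
transform = EtreeTransform()
osp = Osp(connection=connection, transform=transform)

# Values of the <scan status="..."> attribute after which ospd reports no
# further progress for the scan; polling stops once one of them is seen
# ("interrupted" is the one visible in the failing response above).
TERMINAL_STATES = {'finished', 'stopped', 'interrupted'}

with osp:
    response = osp.get_version()
    print(etree.tostring(response, pretty_print=True).decode('utf-8'))

    # check_feed answers lockfile_in_use=1 while the VT feed is still being
    # loaded into the scanner; wait for it to clear before starting a scan.
    # A missing element no longer raises AttributeError on `.text`.
    cmd = XmlCommand('check_feed')
    response = osp.send_command(cmd.to_string())
    lockfile = response.find('.//lockfile_in_use')
    while lockfile is not None and lockfile.text == '1':
        time.sleep(10)
        response = osp.send_command(cmd.to_string())
        lockfile = response.find('.//lockfile_in_use')

    # start_scan
    targets = [{
        'hosts': 'localhost',
        'ports': '22',
    }]
    # NOTE(review): no vt_selection is passed, so the request names no VTs;
    # confirm against the ospd-openvas log whether that is what produces the
    # "No VTS to run." result rather than an empty VT cache.
    response = osp.start_scan(targets=targets)
    print('[start_scan] ' + etree.tostring(response, pretty_print=True).decode('utf-8'))
    scan_id_elem = response.find('.//id')
    if scan_id_elem is None or not scan_id_elem.text:
        # Fail with the server's answer instead of an AttributeError on None.
        raise RuntimeError(
            'start_scan returned no scan id: '
            + etree.tostring(response, pretty_print=True).decode('utf-8')
        )
    scan_id = scan_id_elem.text

    print('Post exec sleep...')
    time.sleep(60)

    # Poll the scan until ospd reports a terminal status; the original loop
    # never ended, so a finished or interrupted scan kept the script alive.
    response = osp.get_scans(scan_id=scan_id)
    while True:
        print('[get_scans] ' + etree.tostring(response, pretty_print=True).decode('utf-8'))
        scan = response.find('.//scan')
        if scan is not None and scan.get('status') in TERMINAL_STATES:
            break
        time.sleep(10)
        response = osp.get_scans(scan_id=scan_id)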
My docker-compose.yaml:
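version: "3.7"

services:
  # One-shot feed containers: each copies its data into a named volume and
  # exits, which is why the consumers below wait for
  # `service_completed_successfully` rather than `service_started`.
  vulnerability-tests:
    image: greenbone/vulnerability-tests
    environment:
      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: greenbone/notus-data
    volumes:
      - notus_data_vol:/mnt

  gpg-data:
    image: greenbone/gpg-data
    volumes:
      - gpg_data_vol:/mnt

  redis-server:
    image: greenbone/redis-server
    restart: on-failure
    volumes:
      - redis_socket_vol:/run/redis/

  ospd-openvas:
    image: greenbone/ospd-openvas:stable
    restart: on-failure
    init: true
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN  # for capturing packages in promiscuous mode
      - NET_RAW  # for raw sockets e.g. used for the boreas alive detection
    # Drops the container's seccomp and AppArmor confinement; combined with
    # the capabilities above this container runs with near-host privileges.
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    command:
      - ospd-openvas
      - -f
      - --config
      - /etc/gvm/ospd-openvas.conf
      - --mqtt-broker-address
      - mqtt-broker
      - --notus-feed-dir
      - /var/lib/notus/advisories
      # Socket mode 666: every user of every container (or host process) that
      # mounts ospd_openvas_socket_vol can submit scans; the socket itself is
      # unauthenticated, so that volume is the access boundary.
      - -m
      - "666"
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - notus_data_vol:/var/lib/notus
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully
      # notus_data_vol is mounted above and passed as --notus-feed-dir, but
      # notus-data was not waited for, so the advisories could still be
      # missing when the scanner starts.
      notus-data:
        condition: service_completed_successfully

  mqtt-broker:
    restart: on-failure
    image: greenbone/mqtt-broker
    # Publishes the broker on every host interface. Nothing in this file needs
    # it from the host (ospd-openvas and notus-scanner reach it through the
    # network alias), so consider binding it to 127.0.0.1 or dropping it.
    ports:
      - "1883:1883"
    networks:
      default:
        aliases:
          - mqtt-broker
          - broker

  notus-scanner:
    restart: on-failure
    image: greenbone/notus-scanner:stable
    volumes:
      - notus_data_vol:/var/lib/notus
      - gpg_data_vol:/etc/openvas/gnupg
    environment:
      NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
      NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
    # Long form so the feed containers are awaited the same way as for
    # ospd-openvas, and so notus-data (which fills /var/lib/notus) is included.
    depends_on:
      mqtt-broker:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully
      notus-data:
        condition: service_completed_successfully

  my-own-api:
    restart: on-failure
    build: ./api
    # Mounting the socket volume is what grants this service scan-submission
    # access to ospd-openvas (see the `-m 666` note above).
    volumes:
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      ospd-openvas:
        condition: service_started

volumes:
  gpg_data_vol:
  vt_data_vol:
  notus_data_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol: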