No remote scanner after Update from 20.08.2 to 21.4.5

When posting you should provide information about your environment using the following template:

GVM versions

gsad: (‘21.4.5’)
gvmd:
Greenbone Vulnerability Manager 21.4.5~dev1~git-58b99303-stable
GIT revision 58b99303-stable
Manager DB revision 242
openvas-scanner:
OpenVAS 21.4.4~dev1~git-896481a9-stable
GIT revision ~git-896481a9-stable
gvm-libs 21.4.4~dev1

Environment

Operating system: Debian Buster
Kernel: Linux gvm-scanner-vlan201 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
Installation method / source: git and compile

Hi

I’ve updated my scan environment from 20.08.2 to 21.4.5.

Under 20.08.2 I had configured a remote scanner and everything worked fine.

After the update I could not connect to the remote scanner, but everything looks fine.

Slave Side:

gvmd --version
Greenbone Vulnerability Manager 21.4.5~dev1~git-58b99303-stable
GIT revision 58b99303-stable
Manager DB revision 242
Copyright (C) 2009-2021 Greenbone Networks GmbH
License: AGPL-3.0-or-later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

root@gvm-scanner-vlan201:/opt/gvm# systemctl status ospd-openvas.service
● ospd-openvas.service - Job that runs the ospd-openvas daemon
   Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-11-28 09:33:04 CET; 3h 54min ago
     Docs: man:gvm
 Main PID: 4669 (python)
    Tasks: 4 (limit: 4695)
   Memory: 625.7M
   CGroup: /system.slice/ospd-openvas.service
           ├─4669 /opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=
           └─4671 /opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=

Nov 28 09:33:02 gvm-scanner-vlan201 systemd[1]: Starting Job that runs the ospd-openvas daemon...
Nov 28 09:33:04 gvm-scanner-vlan201 systemd[1]: Started Job that runs the ospd-openvas daemon.

root@gvm-scanner-vlan201:/opt/gvm# systemctl status gvmd
● gvmd.service - Open Vulnerability Assessment System Manager Daemon
   Loaded: loaded (/etc/systemd/system/gvmd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2021-11-27 22:29:54 CET; 14h ago
     Docs: man:gvmd(8)
           https://www.greenbone.net
 Main PID: 21658 (gvmd)
    Tasks: 1 (limit: 4695)
   Memory: 90.6M
   CGroup: /system.slice/gvmd.service
           └─21658 gvmd: Waiting for incoming connections

Nov 27 22:29:38 gvm-scanner-vlan201 systemd[1]: Starting Open Vulnerability Assessment System Manager Daemon...
Nov 27 22:29:38 gvm-scanner-vlan201 systemd[1]: gvmd.service: Can't open PID file /opt/gvm/var/run/gvmd.pid (yet?) after start: No such file or directory
Nov 27 22:29:54 gvm-scanner-vlan201 systemd[1]: Started Open Vulnerability Assessment System Manager Daemon.
root@gvm-scanner-vlan201:/opt/gvm# cat /etc/systemd/system/gvmd.service
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvmd(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=postgresql.service ospd-openvas.service

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
#ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock --listen=0.0.0.0 --port=9391
ExecReload=/bin/kill -HUP
KillMode=mixed
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
root@gvm-scanner-vlan201:/opt/gvm# cat /etc/systemd/system/ospd-openvas.service
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service

[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm /var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
root@gvm-scanner-vlan201:/opt/gvm# ss -lta
State                Recv-Q            Send-Q                              Local Address:Port                                   Peer Address:Port
LISTEN               0                 1024                                    127.0.0.1:6788                                        0.0.0.0:*
LISTEN               0                 1024                                    127.0.0.1:6789                                        0.0.0.0:*
LISTEN               0                 511                                     127.0.0.1:6379                                        0.0.0.0:*
LISTEN               0                 512                                       0.0.0.0:9391                                        0.0.0.0:*
LISTEN               0                 128                                       0.0.0.0:sunrpc                                      0.0.0.0:*
LISTEN               0                 128                                       0.0.0.0:38259                                       0.0.0.0:*
LISTEN               0                 128                                       0.0.0.0:ssh                                         0.0.0.0:*
LISTEN               0                 224                                     127.0.0.1:postgresql                                  0.0.0.0:*
LISTEN               0                 20                                      127.0.0.1:smtp                                        0.0.0.0:*
LISTEN               0                 128                                       0.0.0.0:6010                                        0.0.0.0:*
ESTAB                0                 0                                       127.0.0.1:6789                                      127.0.0.1:47184
ESTAB                0                 0                                     10.20.1.221:34376                                     10.20.2.8:8220
ESTAB                0                 0                                       127.0.0.1:34298                                     127.0.0.1:6789
ESTAB                0                 0                                       127.0.0.1:34296                                     127.0.0.1:6789
ESTAB                0                 0                                     10.20.1.221:58302                                     10.20.2.2:9200
ESTAB                0                 0                                       127.0.0.1:34244                                     127.0.0.1:6789
ESTAB                0                 0                                       127.0.0.1:6789                                      127.0.0.1:34270
ESTAB                0                 0                                       127.0.0.1:47184                                     127.0.0.1:6789
TIME-WAIT            0                 0                                     10.20.1.221:53454                                     10.20.1.2:http
ESTAB                0                 0                                     10.20.1.221:41372                               192.168.178.252:ldap
ESTAB                0                 0                                     10.20.1.221:58306                                     10.20.2.2:9200
ESTAB                0                 0                                       127.0.0.1:6789                                      127.0.0.1:34244
TIME-WAIT            0                 0                                     10.20.1.221:41152                                 13.227.133.83:http
ESTAB                0                 0                                     10.20.1.221:1008                                192.168.178.252:nfs
ESTAB                0                 0                                     10.20.1.221:ssh                                  192.168.178.41:65334
TIME-WAIT            0                 0                                     10.20.1.221:56760                               199.232.190.132:http
ESTAB                0                 0                                     10.20.1.221:53630                               192.168.178.252:ldap
ESTAB                0                 0                                     10.20.1.221:41990                                     10.20.2.2:9200
TIME-WAIT            0                 0                                     10.20.1.221:53456                                     10.20.1.2:http
ESTAB                0                 0                                       127.0.0.1:6789                                      127.0.0.1:34298
ESTAB                0                 0                                       127.0.0.1:34270                                     127.0.0.1:6789
ESTAB                0                 0                                       127.0.0.1:6789                                      127.0.0.1:34214
ESTAB                0                 0                                       127.0.0.1:34214                                     127.0.0.1:6789
ESTAB                0                 0                                       127.0.0.1:6789                                      127.0.0.1:34296
LISTEN               0                 128                                          [::]:39939                                          [::]:*
LISTEN               0                 128                                          [::]:sunrpc                                         [::]:*
LISTEN               0                 128                                             *:6556                                              *:*
TIME-WAIT            0                 0                            [::ffff:10.20.1.221]:6556                             [::ffff:10.20.1.3]:37404

Master side:

root@gvm-portal:/opt/gvm#  gvmd --version
Greenbone Vulnerability Manager 21.4.5~dev1~git-58b99303-stable
GIT revision 58b99303-stable
Manager DB revision 242
Copyright (C) 2009-2021 Greenbone Networks GmbH
License: AGPL-3.0-or-later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

root@gvm-portal:/opt/gvm# systemctl status ospd-openvas.service
● ospd-openvas.service - Job that runs the ospd-openvas daemon
   Loaded: loaded (/etc/systemd/system/ospd-openvas.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-11-28 10:57:39 CET; 2h 34min ago
     Docs: man:gvm
 Main PID: 18425 (python)
    Tasks: 4 (limit: 4695)
   Memory: 424.4M
   CGroup: /system.slice/ospd-openvas.service
           ├─18425 /opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket
           └─18427 /opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket

Nov 28 10:57:36 gvm-portal systemd[1]: Starting Job that runs the ospd-openvas daemon...
Nov 28 10:57:39 gvm-portal systemd[1]: Started Job that runs the ospd-openvas daemon.

root@gvm-portal:/opt/gvm# systemctl status gvmd
● gvmd.service - Open Vulnerability Assessment System Manager Daemon
   Loaded: loaded (/etc/systemd/system/gvmd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-11-28 12:35:20 CET; 56min ago
     Docs: man:gvmd(8)
           https://www.greenbone.net
 Main PID: 13532 (gvmd)
    Tasks: 2 (limit: 4695)
   Memory: 118.0M
   CGroup: /system.slice/gvmd.service
           ├─10776 gpg-agent --homedir /opt/gvm/var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
           └─13532 gvmd: Waiting for incoming connections

Nov 28 12:35:15 gvm-portal systemd[1]: Starting Open Vulnerability Assessment System Manager Daemon...
Nov 28 12:35:16 gvm-portal systemd[1]: gvmd.service: Can't open PID file /opt/gvm/var/run/gvmd.pid (yet?) after start: No such file or directory
Nov 28 12:35:20 gvm-portal systemd[1]: Started Open Vulnerability Assessment System Manager Daemon.
root@gvm-portal:/opt/gvm#  cat /etc/systemd/system/gvmd.service
[Unit]
Description=Open Vulnerability Assessment System Manager Daemon
Documentation=man:gvmd(8) https://www.greenbone.net
Wants=postgresql.service ospd-openvas.service
After=network.target networking.service postgresql.service ospd-openvas.service
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/opt/gvm/var/run/gvmd.pid
WorkingDirectory=/opt/gvm
RuntimeDirectory=gvm
RuntimeDirectoryMode=2775
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock --listen-group=gvm
ExecReload=/bin/kill -HUP
KillMode=mixed
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target
root@gvm-portal:/opt/gvm# cat /etc/systemd/system/ospd-openvas.service
[Unit]
Description=Job that runs the ospd-openvas daemon
Documentation=man:gvm
After=network.target redis-server@openvas.service
Wants=redis-server@openvas.service

[Service]
Environment=PATH=/opt/gvm/bin/ospd-scanner/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Type=forking
User=gvm
Group=gvm
WorkingDirectory=/opt/gvm
PIDFile=/opt/gvm/var/run/ospd-openvas.pid
ExecStart=/opt/gvm/bin/ospd-scanner/bin/python /opt/gvm/bin/ospd-scanner/bin/ospd-openvas --pid-file /opt/gvm/var/run/ospd-openvas.pid --unix-socket=/opt/gvm/var/run/ospd.sock --log-file /opt/gvm/var/log/gvm/ospd-scanner.log --lock-file-dir /opt/gvm/var/run/ospd/
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target

When I check “verify scanner” in the GSA I receive: Error Service unavailable
In the log on the master side (GSA also installed) I see only

md manage:WARNING:2021-11-28 13h36.03 CET:5540: Could not connect to Scanner at 10.20.1.221:9391

When I perform a scan on the remote scanner I receive the following in the gvmd.log of the master:

event task:MESSAGE:2021-11-28 13h41.27 CET:10538: Status of task Discovery Systemmanagement (fad210f0-08b5-42b4-b37d-399c999994e4) has changed to Requested
event task:MESSAGE:2021-11-28 13h41.27 CET:10538: Task Discovery Systemmanagement (fad210f0-08b5-42b4-b37d-399c999994e4) has been requested to start by admin
md manage:WARNING:2021-11-28 13h41.34 CET:10552: Could not connect to Scanner at 10.20.1.221:9391
md manage:WARNING:2021-11-28 13h41.34 CET:10552: OSP start_scan 507032ec-7460-40ca-82af-94122577a13f: Could not connect to Scanner
event task:MESSAGE:2021-11-28 13h41.34 CET:10552: Status of task Discovery Systemmanagement (fad210f0-08b5-42b4-b37d-399c999994e4) has changed to Done
event task:MESSAGE:2021-11-28 13h41.34 CET:10552: Status of task Discovery Systemmanagement (fad210f0-08b5-42b4-b37d-399c999994e4) has changed to Interrupted

I’ve checked the firewall in between. I could not see any packets going from master to slave. I’ve also opened all ports in between: no packets :frowning:

So it seems that the gvmd on the master side does not send out any packets.

  • What debug configuration do I have to do to see more details in the log?
  • Did I do something wrong during compile? Do I need additional compile switches?

Scanning on the local scanner on the system where gvmd and GSA are installed works fine. (Compile/config is identical to the slave; the only difference is the gvmd.service.)

regards
Uli

Hi @uli-fischer, :slight_smile:

It looks like you’re using development sources but I’m not sure which ones. Can you please post a link to the repository these are coming from? Thanks!

1 Like

Also I am really not sure what you mean by remote scanner and how you did setup it.

1 Like

Hi
@ DeeAnn: I use the sources from Git: git clone -b stable --single-branch https://github.com/greenbone/gvm-libs.git and so on for all necessary modules.

@ bricks: I configured one PC (PC1) with GSA & gvmd & openvas and another PC (PC2) in a different subnet with only gvmd & openvas. The goal is to communicate from PC1 to PC2 for scans in the second subnet, so that I don’t have to scan across firewalls or routers. This worked perfectly with 20.08, but after the update to 21.4 the central PC (PC1) sends no requests out to PC2.

Maybe I missed a package to compile. I see that 21.04 splits gsad and gsa (both installed on PC1).

hi

I’ve done some investigation, and when I try to reset the CA for the scanner I receive this message:

gvm@gvm-portal:~$ gvmd -v --modify-scanner=aaeba959-ffb5-49e9-9fc3-722d56ea4aa9 --scanner-ca-pub=/mnt/software/ca/gvm-scanner-vlan201.pem
Credential should be 'cc'.

Is there a change so that I can only use a client certificate and no longer username/password (like in 20.08) for the connection?

Here is the output of show scanners. It shows “OSP-Sensor”; in the UI I see “Greenbone Sensor”.

gvm@gvm-portal:~$ gvmd -v --get-scanners
6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE
08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /opt/gvm/var/run/ospd.sock  0  OpenVAS Default
aaeba959-ffb5-49e9-9fc3-722d56ea4aa9  OSP-Sensor  10.20.1.221  9391  scanner-vlan201

I am trying to set up a new sensor and client certificate but can’t find any documentation for this :frowning:

One step forward.

It seems that it’s no longer possible to use username/password for the master - sensor connection. Using CC now, I see that both systems communicate with each other but get a TLS error :frowning:

I configured debug level on the client for md and get these log entries:

md   main:  DEBUG:2021-11-30 17h17.12 utc:7680: serve_and_schedule: last_schedule_time 2: 1638292632
md   main:  DEBUG:2021-11-30 17h17.12 utc:7680: fork_feed_sync: 7680 forked 7748
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746:    Serving GMP
md   main:  DEBUG:2021-11-30 17h17.12 UTC:7748:    Cleaning up
md   main:  DEBUG:2021-11-30 17h17.12 UTC:7748:    Exiting
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746: <= client  "<get_version/>"
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746: -> client: <get_version_response status="200" status_text="OK"><version>21.4</version></get_version_response>
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746: => client  98 bytes
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746: => client  done
md   main:WARNING:2021-11-30 17h17.12 utc:7746: read_from_client_tls: failed to read from client: The TLS connection was non-properly terminated.
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746:    Cleaning up
md   main:  DEBUG:2021-11-30 17h17.12 utc:7746:    Exiting

The OSP-Sensor in gvmd is actually the same as Greenbone Sensor and the right term should be Greenbone Sensor. Sorry for not having caught this mistake.

Nevertheless, using TLS for this setup is not supported from our side. I didn’t even know that it might work. Using TLS for gvmd <-> ospd-openvas connections is not tested at all. Sadly there isn’t any community documentation for the sensor setup, which is a bit complicated. But if I remember correctly there have been some threads here in the forum about possible setups.

2 Likes

Hi bricks,
Thanks for the feedback.
I’ve looked at the documented setups in the forum, but unfortunately they always used username & password to set up the session, and as far as I could figure out only client certificates are supported since 21.0, and I don’t know where I have to place the certificate for the credentials of the master sensor side :frowning:
I could not find a way to configure a credential using a certificate on the slave side by command line.
I have to check whether I can manage it when I also set up GSA on the slave.

By the way, I don’t want to set up a connection gvmd <-> ospd-openvas; I want to set up gvmd (master) <-> gvmd (sensor).

Oh, the gvmd <-> gvmd setup has been deprecated since 20.04 and will be removed in the next release. A Greenbone Sensor is always gvmd <-> remote ospd-openvas.

2 Likes
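
The thread reports two different symptoms: "Could not connect to Scanner at 10.20.1.221:9391" on the master, and later "The TLS connection was non-properly terminated" on the remote gvmd. The following Python probe is an added example, not code from the thread or from the Greenbone project, that separates a TCP-level failure from a TLS or certificate failure when run from the master. It assumes the peer answers the unauthenticated `<get_version/>` request seen in the debug log; the function names and the certificate file arguments are hypothetical.

```python
import socket
import ssl
import sys


def classify(phase, exc):
    """Name the failure by connection phase ("tcp" or "tls") and exception type."""
    if isinstance(exc, socket.timeout):
        kind = "timeout"        # no answer at all: routing or a dropping firewall
    elif isinstance(exc, ConnectionRefusedError):
        kind = "refused"        # host reached, nothing bound to that address:port
    elif isinstance(exc, ssl.SSLCertVerificationError):
        kind = "cert-rejected"  # peer certificate is not signed by the given CA
    else:
        kind = "error"          # any other handshake or I/O failure (see detail)
    return f"{phase}-{kind}"


def probe_scanner(host, port, ca_file=None, cert_file=None, key_file=None,
                  timeout=5.0):
    """Return (stage, detail) for a TLS scanner endpoint such as 10.20.1.221:9391."""
    # Build the TLS context first so a bad certificate path fails before connecting.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # the scanner is addressed by IP
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE  # reachability test only, no trust check
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)

    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return classify("tcp", exc), str(exc)

    try:
        with ctx.wrap_socket(sock) as tls:
            tls.sendall(b"<get_version/>")
            # With TLS 1.3 a rejected client certificate only shows up here.
            reply = tls.recv(4096)
    except OSError as exc:               # ssl.SSLError is a subclass of OSError
        return classify("tls", exc), str(exc)
    if not reply:
        return "tls-closed", "peer closed the session without answering"
    return "ok", reply.decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: probe.py HOST PORT [CA_FILE [CERT_FILE KEY_FILE]]")
    else:
        print(probe_scanner(sys.argv[1], int(sys.argv[2]), *sys.argv[3:6]))
```

A `tcp-timeout` or `tcp-refused` result points at the network path or the listener, while any `tls-*` result means packets do reach the scanner and the problem is in the certificates or the TLS configuration.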