While building OpenVAS 22 from source as per the documentation, the setup is without passwords for Redis and MQTT. Is this not a security issue? (I am hoping it is not since Redis is likely using Unix Socket to communicate)
Would there be any issue if I add a password for these tools? Where would I need to make the changes to add a password to make communications authenticated?
This guide is intended for developers who want to try out the newest features and/or want to get familiar with the source code. It is not intended for production setups.
Therefore, as always with free software, you are free to do whatever you want at your own risk without any warranty.
First, I’ll point out that you are correct that @bricks is the Guru of the land!
To answer your question, yes, there would certainly be repercussions to requiring these services to authenticate. It’s not impossible to accomplish, but perhaps much easier to harden the endpoint running Greenbone. For example, SELinux can be used to restrict access to Redis or Mosquitto, allowing only certain users or processes to use it or groups may also be used to restrict certain commands.
However if you wanted to add password auth to Redis for example, I believe you would have to modify the Redis config file of the openvas-scanner, redis-openvas.conf to comment out the requirepass setting and add a password there.
Then you would have to identify all the places where Redis connections are made and add the authentication there as well. For example:
# Shell: pass the password to redis-cli with the -a flag
redis-cli -a <password>

# Python (redis-py): Redis URL with the password embedded
import redis
redis_url = "redis://:<password>@localhost:6379/0"
# Connect to Redis using that URL
r = redis.Redis.from_url(redis_url)
But then you have to secure the password in plaintext on the server, or decrypt it when needed, use an environment variable? Just secure the Redis and Mosquitto MQTT processes with SELinux.
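An added example (not from the post above or the Greenbone project) that ties the two points of the reply together: checking whether requirepass is actually active in a redis-openvas.conf (a commented-out line is not) and building the redis-py URL with the password read from an environment variable instead of a literal. The conf fragment, socket path and the OPENVAS_REDIS_PASSWORD variable name are constructed assumptions.

```python
from urllib.parse import quote

# Constructed sample of a redis-openvas.conf fragment; not the project's real file.
# Note that requirepass is still commented out, so no password is enforced yet.
SAMPLE_CONF = """\
# redis-openvas.conf (constructed sample)
unixsocket /run/redis-openvas/redis.sock
unixsocketperm 770
port 0
# requirepass CHANGE_ME
"""


def parse_redis_conf(text):
    """Return the active (non-commented) directives as {name: value}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented directive: not in effect
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip()
    return conf


def audit_redis_conf(text):
    """Report the two settings the thread cares about: is a password enforced,
    and is Redis reachable only via the Unix socket (TCP disabled with port 0)?"""
    conf = parse_redis_conf(text)
    return {
        "requirepass": "requirepass" in conf,
        "unix_socket_only": conf.get("port") == "0" and "unixsocket" in conf,
    }


def redis_url_from_env(environ, socket_path=None, host="localhost", port=6379,
                       db=0, env_var="OPENVAS_REDIS_PASSWORD"):
    """Build a URL for redis.Redis.from_url(), taking the password from the
    process environment (passed in as a mapping) rather than hard-coding it.
    Special characters are percent-encoded so the URL stays parseable."""
    password = environ.get(env_var, "")
    auth = f":{quote(password, safe='')}@" if password else ""
    if socket_path:  # redis-py form: unix://[:password]@/path/to/socket?db=N
        return f"unix://{auth}{socket_path}?db={db}"
    return f"redis://{auth}{host}:{port}/{db}"
```

Run audit_redis_conf() on the file before and after editing it to confirm the directive really took effect; redis-py's from_url() consumes the URL that redis_url_from_env() returns.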