Scanning gvm with gvm

Hi!

Scanning gvm with gvm gives one 5.5 scored vulnerability: some https-ciphers are not taken as secure and you are advised to disable them. Any configuration value to set to make gvmd not use these ciphers any more?


Thomas

During the setup of your installation you either created a certificate with the respective GVM helper script
or you created the certificates on your own.

There are many things and ways that influence the quality of the certificates.

If you share the scan result, the GVM version, your underlying operating system (with a hint at the gnutls version) and of course how you generated the certificate, this would help for a more detailed answer.

Doing the TLS certificates right and offering various options to manage this did cost us quite a lot of work for the administration interface of the Greenbone Security Manager appliance. And it needs attention on a continuous basis.


Hi,

Adding to the certificates mentioned previously, the used cipher suites and allowed TLS versions of the gsad component play a role as well.

By default the gsad will use the global/system-wide configured cipher suites and TLS version of GnuTLS. To overwrite this default of GnuTLS have a look at the --gnutls-priorities command line option of gsad:

https://github.com/greenbone/gsa/blob/gsa-7.0/doc/gsad.8#L46-L47

Examples of more secure priority strings were posted at various places in the past, e.g.

--gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0
http://lists.wald.intevation.org/pipermail/openvas-discuss/2017-June/011099.html


Where is this process started upon boot, or when it is killed, what restarts it? I need to restrict this to only TLS 1.2 using the string above, but I'm not sure where to edit the command. Thanks in advance.

This seems to depend on your system, if it’s a SysV, upstart or systemd system, and I don’t see from your message any info about what kind of system you are running your processes on.

If it’s a modern Linux system, it’s probably systemd, so you might look in the systemd manpages about how to start and stop services and how to configure systemd to automatically run and restart them as you want them to do.

On OpenBSD there’d be a SysV style thing adapted to their style of doing things.


It’s OEL, which I’m pretty sure is systemd. However, I need a little more specific answer, like where is the gsad command invoked? So I can edit the line and add the needed parameters. I vaguely understand systemd, so please be verbose. Thanks very much in advance.

I guess there should be a /etc/default/gsad file where you can adjust the gsad startup parameters.


Please note that a more specific answer might be only given by the OEL integrator of the GSE sources because this highly depends on how the integration was done. You can try to research who is in charge of this OEL integration (Hint: Greenbone isn’t) and ask for some documentation on how to change the startup parameters of the GVM components.

Note that at least Kali Linux has the following warning in the /etc/default/ files they are shipping for GVM:

NOTE: This file is not used if you are using systemd.


Ok, I found out where the startup parameters are located:
/etc/sysconfig/gsad

Problem is, where do I find the syntax and possible parameters to use?


I don’t know if this is part of your uncoordinated integration of GVM; I would ask your packet provider for help here.
If you compile GVM yourself, you can find all necessary documentation at our GitHub site.

I’m sorry for being ignorant here, and very inexperienced with GVM, but I don’t know what you meant by “uncoordinated integration of GVM” nor “packet provider.”

We installed OpenVAS from .rpms; can’t remember where we found those, but the installation is working fine, it scans perfectly. However, when the OpenVAS server is scanned by itself or by Qualys or Nessus, we get TLS vulnerabilities, and need to turn off TLS 1.0 and 1.1 and only allow 1.2. This is why I need to pass the parameters to the startup gsad command.

Did you try “man gsad” on your system to get the man page for the gsad installed on your system, explaining the available options? If you need to find the source code of gsad, you find it all on GitHub, which is also linked above. Be sure to check your gsad version to get to the right branch in the source code.

I guess that if you use .rpms from anywhere and not from the provider of your Linux distribution, as your post seems to suggest, then you indeed run an integration (of OpenVAS into the system you use) not coordinated by anyone but yourself.

Otherwise, you can search for such terminology with the magnifying glass up right on the forum pages. One relevant link would be:

which explains some of the background and risks and alternatives as well.

The link Check security of GSE integrations posted above summarizes the situation very well. We (the company Greenbone) don’t support or provide any packages for any distribution besides our own Greenbone OS used in our products. We don’t even give advice on which distribution you should pick. Therefore we actually don’t know how to fix your issue, because the start scripts are distribution and even package specific.


An answer which should answer this question as well was given previously in this topic:


Thanks for the reply. I get the concept if I were invoking the command line, and I have tried this manually, and it seems to work. However, I can’t find where the command line is invoked on startup or on a service restart, therefore I cannot edit the command line; I hope I am making sense. I did however find a file that holds startup parameters for gsad, but I’m not sure of the correct syntax for this file; the ones above don’t seem to work.

Ubuntu using systemd:

  1. Edit /etc/systemd/system/gsa.service and change the ExecStart line to ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
  2. systemctl daemon-reload
  3. systemctl restart gsa
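The two pieces the thread arrives at (the --gnutls-priorities string from the earlier reply and the systemd ExecStart change from the last one) can be put together in a small POSIX shell script. This is an added example, not code from the thread or from Greenbone; it assumes the unit is called gsa.service and the binary lives at /opt/gvm/sbin/gsad as in the last post, and the GSAD_ROOT variable is a hypothetical prefix that only exists so the script can be exercised against a temporary directory. It installs the setting as a systemd drop-in instead of editing the packaged unit file, so the change survives a package upgrade, and it adds two checks: what GnuTLS makes of the priority string, and whether the running gsad actually refuses TLS 1.0 and 1.1 afterwards.

```shell
#!/bin/sh
# Added example (not from the thread or Greenbone). Assumes unit name gsa.service
# and binary /opt/gvm/sbin/gsad from the last post; GSAD_ROOT is a hypothetical
# prefix used only to run the script against a temp dir instead of /etc.

# Priority string from the thread: SECURE128 as the base, then remove the CBC
# ciphers and SSL 3.0 / TLS 1.0 / TLS 1.1, so only TLS 1.2 (and TLS 1.3 on
# GnuTLS builds that have it) remains.
gsad_priority_string() {
    prio="SECURE128"
    for item in AES-128-CBC CAMELLIA-128-CBC VERS-SSL3.0 VERS-TLS1.0 VERS-TLS1.1; do
        prio="$prio:-$item"
    done
    printf '%s\n' "$prio"
}

# Write a drop-in under gsa.service.d rather than editing gsa.service itself:
# the package-owned unit may be overwritten on upgrade, the drop-in is not.
# systemd requires an empty ExecStart= before a replacement ExecStart= line.
# Prints the path of the file it wrote.
gsad_write_dropin() {
    dir="${GSAD_ROOT:-}/etc/systemd/system/gsa.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-tls.conf" <<EOF
[Service]
ExecStart=
ExecStart=/opt/gvm/sbin/gsad --gnutls-priorities=$(gsad_priority_string)
EOF
    printf '%s\n' "$dir/10-tls.conf"
}

# Ask the local GnuTLS which ciphersuites the string enables (catches typos in
# the string before restarting the service). Skipped if gnutls-cli is absent.
gsad_list_suites() {
    if command -v gnutls-cli >/dev/null 2>&1; then
        gnutls-cli --priority "$(gsad_priority_string)" -l
    else
        echo "gnutls-cli not installed; skipping suite listing" >&2
    fi
}

# Check the running gsad from the outside: TLS 1.0 and 1.1 handshakes must
# fail and a TLS 1.2 handshake must succeed. Run against your own instance
# (default: the local gsad on 9392). Caveat: an OpenSSL built without TLS 1.0/1.1
# support fails those handshakes regardless, so confirm with a second client.
gsad_check_versions() {
    host="${1:-127.0.0.1}"; port="${2:-9392}"
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:$port" -"$v" </dev/null >/dev/null 2>&1; then
            echo "FAIL: $v still accepted by $host:$port" >&2
            return 1
        fi
    done
    if ! openssl s_client -connect "$host:$port" -tls1_2 </dev/null >/dev/null 2>&1; then
        echo "FAIL: TLS 1.2 handshake to $host:$port refused" >&2
        return 1
    fi
    echo "OK: $host:$port accepts TLS 1.2 and refuses TLS 1.0/1.1"
}
```

Usage on the real host: run gsad_write_dropin as root (GSAD_ROOT unset), then systemctl daemon-reload && systemctl restart gsa as in the post above, and finally gsad_check_versions to confirm the scanner finding should no longer trigger. The same priority string can also be placed in /etc/sysconfig/gsad or /etc/default/gsad on packages that read those files, but as noted earlier in the thread, those files are ignored by some systemd-based packages, which is why the drop-in is the more reliable place.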