Which tool for OpenVAS remotely?

Hello,

Thank you for your help and your time.
Can anyone tell me what tools to install for what I want to do?

I have 4 Raspberry Pis with OpenVAS installed and working, and I would like to control them remotely from an Azure server. (Obviously the Raspberrys are on different networks.)
Send a scan order and retrieve the scan reports.

I am a bit confused between gvm-tools, gvm-cli, GSA and on which machine to install them!
(I’m not talking about the configuration here but rather the overall architecture)

I thank you again for your help.

Hi, an overview of our architecture can be found at About GVM 20.08 and 21.04 Architecture

2 Likes

Hi, here is my explanation for your question. These are my findings, but I hope it helps.

Looks like you are trying to access GVM remotely. There are a few ways you could do that.

  1. Via SSH, you could issue commands to the gvm-cli or gvm-tools
  2. GSA is a web-application. You can configure it for remote access (from this post: External access to GSA web interface / IP - #5 by silentsteve)

Maybe deploy the Pi’s as secondaries (slaves) to a single primary (Master), as alluded to by the two posts above. The secondaries “only” need to run ospd-openvas & Openvas-scanner. PoC installation here: https://github.com/martinboller/gse

Using it RN (albeit only 2 secondaries). Tested on Debian 10 and 11, thus working on RPi, including latest version which is based on Debian 11.

/M

Thank you all for your answers!
I would like to ask if you know if it is possible to control several Raspberrys (several OpenVAS) on several different networks with the same GSA (Web Interface)?

On the slave/Raspberry configuration, if I understand correctly I have to change the --listen=127.0.0.1 to --listen=0.0.0.0?

If the master is on the cloud should I put --listen=IPCLOUD?

Good week to all

ospd-openvas should listen “externally”, so yes, either use 0.0.0.0 or the specific IP for that specific RPi.
Then create certs for each secondary (slave) on the primary (master) and copy the cert to the secondary. You can also use the same certificates for all secondaries, but if you lose any of the boxes, revoking the cert will break all secondaries, so it is preferable to have a cert per secondary.
The bash script I referred to previously prepares all of that - post install steps are described at the bottom of the script, but the required certs are created on the primary and just need to be copied to the secondaries.
Hope this helps

1 Like
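Why one certificate per secondary matters, as an added example that is not part of the thread or of the gse scripts: it uses plain `openssl` (an assumption, not necessarily the tooling those scripts use) with a constructed demo CA and three constructed secondaries `rpi1`..`rpi3`, revokes only `rpi2`, and checks that the other two still verify against the CRL.

```shell
#!/bin/sh
# Added example: one client cert per secondary, revoked individually via a CRL.
# CA name, rpi1..rpi3 and all file names are constructed for this demo.
demo_revoke_one() (
  set -e
  cd "$(mktemp -d)"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:true
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  # CA key and certificate, held on the primary
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-primary-ca" -keyout ca.key -out ca.pem 2>/dev/null
  # One key and one certificate per secondary
  for s in rpi1 rpi2 rpi3; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=$s" -keyout "$s.key" -out "$s.csr" 2>/dev/null
    openssl ca -batch -config ca.cnf -in "$s.csr" -out "$s.pem" 2>/dev/null
  done
  # rpi2 is lost: revoke only its certificate and publish a CRL
  openssl ca -config ca.cnf -revoke rpi2.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  for s in rpi1 rpi2 rpi3; do
    if openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$s.pem" >/dev/null 2>&1
    then echo "$s=valid"; else echo "$s=rejected"; fi
  done
)
demo_revoke_one
```

With a single shared certificate, the same revocation would reject every secondary at once.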

Hi Martinboller,

Thank you for your help, I had looked at your “gse” project wrong and I didn’t understand it the first time.

So I got your project on my cloud server (debian).
Now, if I followed well, the steps are:

1- On the server (Debian), run install-vuln-scan-2021.sh for the installation on the gvm machine.

2- On the RPi (kali), get your “gse” project and run: install-vuln-scan-2021-sec and install-vul-secondary-certs.sh

3- Copy the certificate (Rpi to Debian? or the other way around?)

4- ? Change the Rpi configuration so that it communicates with Debian ? (Unless the script already does it ?)

Thank you for your time and help !

Hi Ben,
Correct, except you must copy the certificates to the secondary first. This was true for the “old” version 🙂
For the updated version (committed right now) all you need to do is run add-secondary-2-primary.sh on the primary - this copies the certs and installs them + adds the scanner to the primary. Run it once for each secondary and specify the server name as well as the password for the user “greenbone” created on the secondaries (it is unique to each secondary, but the script will tell you what it is).

You need connectivity from the primary to the secondaries on port 9390 (you can change the port in the script), so I prefer running the primary internally, and have secondaries both internally and externally (cloud) so kinda the opposite of you.
Have fun…
/Martin

1 Like

I forgot: Using SCP/SSH in the add-secondary-2-primary.sh script to connect to the secondary for moving certs / executing script, so port 22 access is needed too.

Have a great Sunday.

/Martin

1 Like


Hello Martin,

Thank you again for your help, I couldn’t devote much time to it because I’m working on other projects.

I would like to reconfirm some points with you to make sure I understand and know if I can do what I need.

I have made a schema to understand each other.
I have a cloud server, the master, and I need to run scans on an openvas slave at a client.

Obviously I can’t open a port on the local network to reach my slave(s).

If I understand your installation scripts correctly, you add different slaves to the master’s config (when you ask for the HOST and the pass in add-secondary-2-primary.sh) so afterwards it is the master that contacts the slave to give it orders (in ssh).

Is it possible to do the reverse and have the slave contact the master to get information and return results?
Do you have an idea and/or advice to implement my idea (the schema)?

Thank you again for your help, I was able to do some tests locally but the multi-network and cloud side is slowing me down a bit.

Have a nice week