Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 22

Thread: Openvas setup fails

  1. #11
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: Openvas setup fails

    Quote Originally Posted by tsu2 View Post
    Code:
    zypper rm openvas*
    Please, please. When typed like this, this is a wild card for the shell. Only by incident it will be left as it is by the shell. When you want to prevent characters that are special to the shell to be interpreted by the shell and thus to be used in the arguments to the command itselft, you should quote them! E.g.
    Code:
    zypper rm 'openvas*'
    Even the man page of zypper acknowledges the fact that people tend to ignore this.
    (quote the string to prevent the shell from expanding the wildcard)
    Henk van Velden

  2. #12
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,944
    Blog Entries
    2

    Default Re: Openvas setup fails

    hcvv
    You're right! Absolutely, strings should be enclosed to prevent injection and accidental execution! But, that's more of an issue when scripting (and distributing scripts) and very unlikely an issue when entering the zypper command manually...


    But, a FYI to anyone who is following this thread...


    I've been able to take this install with me,
    And can report that eventually the script will complete without error...
    But there a lot of "gotchas" which I'll describe next along with a general description of some things that had to be done.

    The Following is a continuation of my previous post that describes Preparation and Installation

    Things the "openvas-check-setup" script will prompt you to do...

    - SQLite3 needs to be installed before you can add a User (Admin role and setting password)


    Code:
    zypper in sqlite3
    You'll be prompted to set up a User, but it's useless (more on this later)
    Code:
    openvasmd --create-user=tsu --role=Admin && openvasmd --user=tsu --new-password=123
    - Rebuild the database several times


    Code:
    openvasmd --rebuild
    - Update the scapdata database


    Code:
    openvas-scapdata-sync
    - Create new or use the default certificate for downloading data from some sources, the following uses the default certificate


    Code:
    openvas-certdata-sync
    - Configure the Password Policy. The following command opens the default policy, you need to modify it in some way to disable the error. You can use your graphical text editor to do this if you wish (with root permissions)


    Code:
    vi /etc/openvas/pwpolicy.conf
    An example if you want to use kwrite with root permissions... First open a root console (su- ) and then execute the following


    Code:
    kwrite /etc/openvas/pwpolicy.conf
    Install greenbone


    Code:
    zypper in greenbone-security-assistant
    Now, in addition to the above, I recommend the following which will automatically start up various parts of OpenVAS (except redis which will still be started manually. If people want to have redis start up automatically, I'll post that separately since it's not a simple procedure)

    First start Redis manually in a console referencing the config file as I described earlier
    Code:
    redis-server /etc/redis/default.conf
    To start openvas manager automatically
    systemctl start openvas-manager.service
    systemctl enable openvas-manager.service

    To start the openvas scanner service automatically
    systemctl enable openvas-scanner.service
    systemctl start openvas-scanner.service

    Run the check script which besides checking also starts up openvas to verify nothing else needs to be fixed.
    It should state some warnings about pdflatex, nmap and nsis.

    If you install texlive(zypper install textlive), you'll get pdflatex, but there's still an unknown problem and may not work.
    You can install nmap, but the script will complain about nmap being too new. I haven't yet checked if this is an issue (IMO an important issue if not working).
    You can't install nsis because it's distributed only as a Windows binary so can run only in something like Wine.

    [Optional]
    Now if you want to, you can reboot if you wish to test your setup when it newly boots.
    When your system has booted, every required sub-system except redis should have started automatically.
    Start redis in a console, then run the check script again to verify everything is working properly and continue.

    Now to address the problem of a non-working account. To install a working User account, run the following and copy the generated password
    Code:
    openvasmd --create-user Username
    Open a web browser to localhost if on the same machine as your OpenVAS to localhost
    Code:
    localhost
    The Greenbone Securiity Assistant should open.
    Enter the Username you configured above, and paste the password into its field.
    When you're authenticated, you can go in and change the password to something easier to remember.

    One more observation...
    The steps described result in a generally unsafe configuration, susceptible to hacking. Do not expose to the Internet, in fact I'd recommend you install this in a VM which can always be shut down except when you're running it.

    HTH for anyone,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #13

    Default Re: Openvas setup fails

    Thanks for the help.
    I followed this:
    Code:
    zypper rm openvas*
    zypper rr security_OpenVAS_UNSTABLE_v7
    zypper ar --gpg-auto-import-keys http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v8/openSUSE_Leap_42.1/ Security:_42.1
    
    
    
    
    zypper in --from Security:_42.1 openvas-cli openvas-manager openvas-scanner openvas-scanner-doc
    These completed successfully.
    then i installed redis
    Code:
    zypper in redis
    cp /etc/redis/default.conf.example /etc/redis/default.conf
    then I uncommented
    unixsocket /tmp/redis.sock
    installed sqllite3.
    Code:
    zypper in sqllite3
    all these were successful.
    I started redis
    Code:
    redis-server /etc/redis/default.conf
    this gives no message so cannot say its starting or not.

    if I command
    Code:
    openvas-check-setup
    If 'openvas-check-setup' is not a typo you can use command-not-found to lookup the package that contains it, like this:
        cnf openvas-check-setup
    I tried to
    Code:
    openvas-setup
    **********************
    [i] No user data directory '/var/lib/openvas/scap-data/private' found.
    [i] No CPEs or CVEs updated, skipping CVSS and CVE recount for CPEs.
    [i] No OVAL definitions or CVEs updated, skipping CVSS recount for OVAL definitions.
    [i] No CVEs updated, skipping placeholder CPE update.
    openvassd: no process found
    Job for openvas-scanner.service failed because the control process exited with error code. See "systemctl status openvas-scanner.service" and "journalctl -xe" for details.
    Failed to start openvas-administrator.service: Unit openvas-administrator.service failed to load: No such file or directory.
    /usr/sbin/openvas-setup: line 19: openvasad: command not found
    I thought openvas-administrator and greenbone-security-assiatant may be missing.
    I tried
    Code:
     zypper in openvas-administrator greenbone-security-assistant
    this installs greenbone-security-assistant but not openvas-administrator.
    messages displayed:
    'openvas-administrator' not found in package names. Trying capabilities.
    No provider of 'openvas-administrator' found.

    how to install openvas-administrator?
    OR i am in wrong direction?

  4. #14
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: Openvas setup fails

    Quote Originally Posted by tsu2 View Post
    hcvv
    You're right! Absolutely, strings should be enclosed to prevent injection and accidental execution! But, that's more of an issue when scripting (and distributing scripts) and very unlikely an issue when entering the zypper command manually...
    I am NOT talking about injection and accidental execution from scripts. I am talking about the normal behaviour of the shell. Example:
    Code:
    boven:/tmp/test # ls
    boven:/tmp/test # zypper se -i Network*
    Loading repository data...
    Reading installed packages...
    
    S | Name                          | Summary                                    | Type   
    --+-------------------------------+--------------------------------------------+--------
    i | NetworkManager                | Network Link Manager and User Applications | package
    i | NetworkManager-kde4-libs      | NetworkManager client for KDE 4            | package
    i | NetworkManager-kde4-libs-lang | Languages for package NetworkManager-kde4  | package
    i | NetworkManager-openvpn        | NetworkManager VPN support for OpenVPN     | package
    i | NetworkManager-openvpn-kde4   | NetworkManager client for KDE 4            | package
    i | NetworkManager-pptp           | NetworkManager VPN support for PPTP        | package
    i | NetworkManager-pptp-kde4      | NetworkManager client for KDE 4            | package
    i | NetworkManager-vpnc           | NetworkManager VPN Support for vpnc        | package
    i | NetworkManager-vpnc-kde4      | NetworkManager client for KDE 4            | package
    boven:/tmp/test # touch Networking
    boven:/tmp/test # zypper se -i Network*
    Loading repository data...
    Reading installed packages...
    
    S | Name                 | Summary                               | Type   
    --+----------------------+---------------------------------------+--------
    i | glib-networking      | Network-related GIO modules for glib  | package
    i | glib-networking-lang | Languages for package glib-networking | package
    boven:/tmp/test #
    I have an empty directory. Thus the Pathname Expansion (read the pararaph of that name in the man page of bash) will leave Network* as it is and give it as argument to zypper. Probably what most people want to happen.

    Then, for some reason, I have a file Networking in my working directory. And look what happens. The shell expands Network* into Networking and gives that as an argument to zypper. So either quote it
    Code:
    boven:/tmp/test # ls
    Networking
    boven:/tmp/test # zypper se -i 'Network*'
    Loading repository data...
    Reading installed packages...
    
    S | Name                          | Summary                                    | Type   
    --+-------------------------------+--------------------------------------------+--------
    i | NetworkManager                | Network Link Manager and User Applications | package
    i | NetworkManager-kde4-libs      | NetworkManager client for KDE 4            | package
    i | NetworkManager-kde4-libs-lang | Languages for package NetworkManager-kde4  | package
    i | NetworkManager-openvpn        | NetworkManager VPN support for OpenVPN     | package
    i | NetworkManager-openvpn-kde4   | NetworkManager client for KDE 4            | package
    i | NetworkManager-pptp           | NetworkManager VPN support for PPTP        | package
    i | NetworkManager-pptp-kde4      | NetworkManager client for KDE 4            | package
    i | NetworkManager-vpnc           | NetworkManager VPN Support for vpnc        | package
    i | NetworkManager-vpnc-kde4      | NetworkManager client for KDE 4            | package
    boven:/tmp/test #
    or be surprised when you do this one day not wich zypper se, but with a zypper rm.
    Last edited by hcvv; 27-Nov-2016 at 03:58.
    Henk van Velden

  5. #15
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,944
    Blog Entries
    2

    Default Re: Openvas setup fails

    Quote Originally Posted by grishi111 View Post

    if I command
    Code:
    openvas-check-setup
    If 'openvas-check-setup' is not a typo you can use command-not-found to lookup the package that contains it, like this:
        cnf openvas-check-setup
    I tried to
    Code:
    openvas-setup
    **********************
    [i] No user data directory '/var/lib/openvas/scap-data/private' found.
    [i] No CPEs or CVEs updated, skipping CVSS and CVE recount for CPEs.
    [i] No OVAL definitions or CVEs updated, skipping CVSS recount for OVAL definitions.
    [i] No CVEs updated, skipping placeholder CPE update.
    openvassd: no process found
    Job for openvas-scanner.service failed because the control process exited with error code. See "systemctl status openvas-scanner.service" and "journalctl -xe" for details.
    Failed to start openvas-administrator.service: Unit openvas-administrator.service failed to load: No such file or directory.
    /usr/sbin/openvas-setup: line 19: openvasad: command not found
    I thought openvas-administrator and greenbone-security-assiatant may be missing.
    I tried
    Code:
     zypper in openvas-administrator greenbone-security-assistant
    this installs greenbone-security-assistant but not openvas-administrator.
    messages displayed:
    'openvas-administrator' not found in package names. Trying capabilities.
    No provider of 'openvas-administrator' found.

    how to install openvas-administrator?
    OR i am in wrong direction?
    The script is in my post #7 under "Preparation"
    https://svn.wald.intevation.org/svn/...as-check-setup

    Copy the contents of that link to a file and call it something like "openvas-check-setup.sh" and make it executable.

    Do not run it immediately, if you follow post #7, I describe the order of steps to run.

    1. Run openvas-setup
    Code:
    openvas-setup
    2. After it completes, then run openvas-check-setup.sh for the first time and as you fix whatever the output describes, again repeatedly until the script says that your installation "is OK."

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #16
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,944
    Blog Entries
    2

    Default Re: Openvas setup fails

    Quote Originally Posted by hcvv View Post
    I am NOT talking about injection and accidental execution from scripts. I am talking about the normal behaviour of the shell. Example:
    Code:
    boven:/tmp/test # ls
    boven:/tmp/test # zypper se -i Network*
    Loading repository data...
    Reading installed packages...
    
    S | Name                          | Summary                                    | Type   
    --+-------------------------------+--------------------------------------------+--------
    i | NetworkManager                | Network Link Manager and User Applications | package
    i | NetworkManager-kde4-libs      | NetworkManager client for KDE 4            | package
    i | NetworkManager-kde4-libs-lang | Languages for package NetworkManager-kde4  | package
    i | NetworkManager-openvpn        | NetworkManager VPN support for OpenVPN     | package
    i | NetworkManager-openvpn-kde4   | NetworkManager client for KDE 4            | package
    i | NetworkManager-pptp           | NetworkManager VPN support for PPTP        | package
    i | NetworkManager-pptp-kde4      | NetworkManager client for KDE 4            | package
    i | NetworkManager-vpnc           | NetworkManager VPN Support for vpnc        | package
    i | NetworkManager-vpnc-kde4      | NetworkManager client for KDE 4            | package
    boven:/tmp/test # touch Networking
    boven:/tmp/test # zypper se -i Network*
    Loading repository data...
    Reading installed packages...
    
    S | Name                 | Summary                               | Type   
    --+----------------------+---------------------------------------+--------
    i | glib-networking      | Network-related GIO modules for glib  | package
    i | glib-networking-lang | Languages for package glib-networking | package
    boven:/tmp/test #
    I have an empty directory. Thus the Pathname Expansion (read the pararaph of that name in the man page of bash) will leave Network* as it is and give it as argument to zypper. Probably what most people want to happen.

    Then, for some reason, I have a file Networking in my working directory. And look what happens. The shell expands Network* into Networking and gives that as an argument to zypper. So either quote it
    Code:
    boven:/tmp/test # ls
    Networking
    boven:/tmp/test # zypper se -i 'Network*'
    Loading repository data...
    Reading installed packages...
    
    S | Name                          | Summary                                    | Type   
    --+-------------------------------+--------------------------------------------+--------
    i | NetworkManager                | Network Link Manager and User Applications | package
    i | NetworkManager-kde4-libs      | NetworkManager client for KDE 4            | package
    i | NetworkManager-kde4-libs-lang | Languages for package NetworkManager-kde4  | package
    i | NetworkManager-openvpn        | NetworkManager VPN support for OpenVPN     | package
    i | NetworkManager-openvpn-kde4   | NetworkManager client for KDE 4            | package
    i | NetworkManager-pptp           | NetworkManager VPN support for PPTP        | package
    i | NetworkManager-pptp-kde4      | NetworkManager client for KDE 4            | package
    i | NetworkManager-vpnc           | NetworkManager VPN Support for vpnc        | package
    i | NetworkManager-vpnc-kde4      | NetworkManager client for KDE 4            | package
    boven:/tmp/test #
    or be surprised when you do this one day not wich zypper se, but with a zypper rm.
    OK, I see what you are saying...

    Curiously, I can't seem to identify exactly what the BASH shell is passing to the command.
    Firstly, just using a wildcard (*) is a form of pathname expansion, but if the BASH shell is indeed doing the expansion independently and before passing to the command, then in theory it should be possible to inspect the expansion separately from the command.

    In other words, in your example it should be possible to "echo" (instead of passing to zypper) the results of quoting or not quoting the regular expression, for example

    Code:
    boven:/tmp/test # echo Network*
    boven:/tmp/test # echo 'Network*'
    The first above results in "Networking" while the second results in words with the string "Network" included. OK. So, you can now test substituting those results with the wildcard expressions in the following

    Code:
    boven:/tmp/test # zypper in -i Networking
    boven:/tmp/test # zypper in -i 'Network*'
    As should be expected the quoted wildcard expression remains consistent in all tests.
    But the unquoted wildcard expression returns a different result than its value as displayed by "echo."

    I guess this little exercise does show that quoting the regular expression ensures control of various expansions including the Pathname Expansion.

    But, I'm disappointed that there is no easily understood logic or consistency to the unquoted regular expression so that it can be used in a known way. At least, unless anyone can explain the anomaly I just described.

    Thx,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #17
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: Openvas setup fails

    I hope you now understand the important fact that when one wants to keep characters, that are special to the shell, unchanged (not interpreted by bash) so they can be propagated to the arguments of the program that one calls in the shell, you have to quote them.

    This has nothing to do with the fact that you now forgot to read
    Code:
    man zyppper
    where it says (my example):
    search (se) [options] [querystring|capability] ...
    and (your example)
    install (in) [options] <name|capability|rpm_file_uri> ...
    In the first case the argument I gave is a querystring.
    In your case it is a name.
    So they are different in the two cases and the result of what those statements act on will be different.

    Oh yes, and when you want to trace what bash is doing with the lines you type, use
    Code:
    set -x
    Last edited by hcvv; 28-Nov-2016 at 02:22.
    Henk van Velden

  8. #18
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,944
    Blog Entries
    2

    Default Re: Openvas setup fails

    Quote Originally Posted by hcvv View Post
    I hope you now understand the important fact that when one wants to keep characters, that are special to the shell, unchanged (not interpreted by bash) so they can be propagated to the arguments of the program that one calls in the shell, you have to quote them.

    <snip>
    Thx. Will explore.

    For those who are following the main part of this thread, because it seems that the string and any possible path based on "openvas" appears to be unique, so <in this specifc case> it seems there is no difference whether quotes are used or not.

    But, undoubtedly using quotes is <proper practice>

    BTW - Based on this, I think that unless a valid reason exists, it's a code defect for zypper to <not> automatically quote all names and capabilites regardless whether a Regular Expression is used or not.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  9. #19
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,884

    Default Re: Openvas setup fails

    Quote Originally Posted by tsu2 View Post
    BTW - Based on this, I think that unless a valid reason exists, it's a code defect for zypper to <not> automatically quote all names and capabilites regardless whether a Regular Expression is used or not.

    TSU
    That is utter nonsense.

    You type in the shell. Only bash interpretes what you type. Zypper is unaware of that.
    (The only thing it can do is warn the user again and again to quote shell special characters, what it does several times in the man page).

    Bash does first Word slplitting and then:
    Expansion is performed on the command line after it has been split into words. There are seven kinds of expansion performed: brace expansion, tilde expansion, parameter and variable expansion, command substitution, arithmetic expansion, word splitting, and pathname expansion.

    The order of expansions is: brace expansion, tilde expansion, parameter, variable and arithmetic expansion and command substitution (done in a left-to-right fashion), word splitting, and pathname expansion.
    That is all done before the shell looks at the first word of the expanded command to see if it is program or not. And bash has no specific knowledge of zypper, thus it behaves not different if the first word of a command is zypper, or ls, or ....

    And when the command starts with he word zypper, the shell searches for a file of that name, using the PATH variable. It will find /usr/bin/zypper. It then asks the shell to start a new proces from the file /usr/bin/zypper and to give it all the arguments that are now words in the expanded command. Zypper is started and it parses the arguments having no knowledge whatsoever about how the command looked like when you typed it.

    This is all very basic and taught very, very early in Unix/Linux courses. When a shell user does not have at least some basic knowledge about what happens to what he types even before a program is started, he will learn earlier or later the hard way. Specially when he uses the shell as the Superuser .
    Last edited by hcvv; 28-Nov-2016 at 11:21. Reason: English is more difficult then bash commands
    Henk van Velden

  10. #20
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,944
    Blog Entries
    2

    Default Re: Openvas setup fails

    Quote Originally Posted by hcvv View Post
    That is utter nonsense.

    You type in the shell. Only bash interpretes what you type. Zypper is unaware of that.
    (The only thing it can do is warn the user again and again to quote shell special characters, what it does several times in the man page).

    Bash does first Word slplitting and then:

    That is all done before the shell looks at the first word of the expanded command to see if it is program or not. And bash has no specific knowledge of zypper, thus it behaves not different if the first word of a command is zypper, or ls, or ....

    And when the command starts with he word zypper, the shell searches for a file of that name, using the PATH variable. It will find /usr/bin/zypper. It then asks the shell to start a new proces from the file /usr/bin/zypper and to give it all the arguments that are now words in the expanded command. Zypper is started and it parses the arguments having no knowledge whatsoever about how the command looked like when you typed it.

    This is all very basic and taught very, very early in Unix/Linux courses. When a shell user does not have at least some basic knowledge about what happens to what he types even before a program is started, he will learn earlier or later the hard way. Specially when he uses the shell as the Superuser .
    It appears that inserting quotes before expansion is not possible as you say.
    The likely authoritative source for describing the order in which BASH processes the command, the argument, any quotes and any expansions is described here

    http://mywiki.wooledge.org/BashParser

    BASH parses the command and argument only in step 4, after processing existing quotes, special characters like re-direction and doing expansions.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

Page 2 of 3 FirstFirst 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •