Hi, I recently compiled and installed gvmd (V8) and openvas. According to the readme, the first (privileged user) should be created via:
“You can create an administrator user with the --create-user option of gvmd:
gvmd --create-user=myuser”
I noticed that after the first creation, and even after starting gvmd, the --create-user method still succeeds in creating admin users upon invocation (which is not secure at all on a very privileged machine).
Am I missing something?
How can I prevent other user creation after the first admin?
You can't, this is part of the permission model. An admin can always create other users and assign permissions and roles to them. You should never expose the admin interface externally or to a 3rd party.
As well, you can always create new admins in case you lose one admin credential. I suggest you first learn about the role-based permission model to understand how the internal user and permission handling works.