Master - Slave Configuration Troubleshooting

Hi everyone,

I have attempted to deploy a distributed setup, where the OpenVAS manager is creating requests to remote OpenVAS scanners to scan.

Right now, my topology is simple (internal network in Vbox) = Master (10.0.2.8) is directly connected to Slave (10.0.2.9). They are pingable to one another.

What I have done is:
Slave

  1. nano /etc/init.d/openvas-manager > change the manager IP to 10.0.2.8, manager port to 9390
  2. Create new user > openvasmd --create-user=scanner --role=Admin
  3. openvas-manage-certs > obtain the cacert.pem file for Manager

Master

  1. Create credentials > User + Password
  2. Create scanner > Host > 10.0.2.9, OMP Slave, use cacert.pem, use above credentials
  3. Create Target
  4. Create Task

From the:
tail /var/log/openvas/openvasmd.logs
I can see that connections are being tried but failing to reach the slave. From the GSA GUI, the task is stuck on “Requested”

Hence, can someone help with identifying:
What and How to check in the case of non-connectivity between Master and Slave (eg, are they reachable, are they listening on the port, to actual configuration of OpenVAS)

Thanks in advance!

Some notes on this, on how to use e.g. netstat to see if the slave is actually listening on the expected port, are provided in the blogpost:

https://blog.haardiek.org/setup-openvas-as-master-and-slave.html

I had linked in Setting up Remote Scanners with Centralized Manager - #4 by cfi - Greenbone Community Edition - Greenbone Community Forum

Tools like nmap and similar could help you as well to see if the master is able to reach the expected port on the slave.

Hi cfi,

Thank you for your response and guidance! I think I got it now. For those who want to know how this is done, just take note of the link.

My steps indicated are correct except for the part where I have edited the /etc/init.d/openvas-manager

Instead, I have done this > https://superuser.com/questions/977331/how-to-make-openvas-listen-on-an-external-interface

Hope that helps anyone with the same problem!

Cheers


Hi, I don’t have problems reaching the slave, but I have problems with certificates. Can you please describe in more detail how you export/import it? Regards

Hi Lucianofain,

If you are talking about the certs so that master and slaves can communicate, all you have to do is to find something called the servercert.pem.

Try to do this on the slaves:
find / -name servercert.pem

See where it is located, and when you find it, transfer it to the master, anywhere you want. When you create a slave scanner on the master, there will be a need to upload a cert. This is where you select the certs.

Hope that is what you are looking for!

Cheers!


The error that gives me is the following:

  1. I copy the servercert.pem from the slave to the master, renaming it as sensor.pem
  2. I define the sensor in the GSA of the master as Type OMP Slave
  3. I try to upload the sensor.pem
  4. The GSA issues the message (Status code 400) Operation Save Scanner Failed. Erroneous CA certificate. I also did (chmod 777 sensor.pem)

Any help will be welcome.

Sorry team, it was my mistake. It was a difference of dates between master and slave. Thanks for your support.
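
Added example (not part of the thread and not Greenbone code): the last post traces the "Erroneous CA certificate" error to a date difference between master and slave. This Python sketch checks the validity window printed by `openssl x509 -noout -dates -in servercert.pem` against a host's clock; the sample dates, the clock values and the assumption that the master's clock was behind the certificate's notBefore are constructed for illustration.

```python
import ssl
from calendar import timegm

# Constructed sample of what `openssl x509 -noout -dates -in servercert.pem`
# prints for a certificate freshly generated on the slave (not from the thread).
SAMPLE_DATES = """notBefore=Mar 12 10:15:00 2019 GMT
notAfter=Mar 11 10:15:00 2021 GMT
"""

def parse_dates(text):
    """Return (not_before, not_after) as epoch seconds from `-dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    missing = {"notBefore", "notAfter"} - fields.keys()
    if missing:
        raise ValueError("missing field(s): " + ", ".join(sorted(missing)))
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))

def check_clock(text, now):
    """Classify the certificate as seen by a host whose clock reads `now` (UTC epoch).

    Returns (status, seconds): how far `now` lies outside the validity window.
    """
    not_before, not_after = parse_dates(text)
    if now < not_before:
        return "not-yet-valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", 0

def utc(year, month, day, hour, minute):
    """Epoch seconds for a UTC wall-clock time (stand-in for each host's clock)."""
    return timegm((year, month, day, hour, minute, 0))

if __name__ == "__main__":
    # Assumed clocks: slave is correct, master runs 30 minutes behind it.
    for host, now in (("slave", utc(2019, 3, 12, 10, 20)),
                      ("master", utc(2019, 3, 12, 9, 50))):
        status, off = check_clock(SAMPLE_DATES, now)
        print(f"{host}: {status} (outside window by {off} s)")
```

On real hosts, pass `time.time()` as `now` on each machine, or compare the output of `date -u` on master and slave before uploading the certificate.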