Operating System is in use?

GVM versions

gsad: (‘gsad --version’) 20.08.0~git
gvmd: (‘gvmd --version’) 20.08.0
openvas-scanner: (‘openvas --version’, in older GVM versions < 11: ‘openvassd --version’) 20.8.0
gvm-libs: 20.8.0

Environment

Operating system: Docker on Ubuntu 20.10
Kernel: (‘uname -a’) Linux 1a815e4fa397 5.8.0-33-generic #36-Ubuntu SMP Wed Dec 9 09:14:40 UTC 2020 x86_64 GNU/Linux
Installation method / source: Compiled from 20.8.0 source release

On the Operating Systems page I have some entries which have a zero in the hosts-column, but the delete-button is disabeld. Hovering over it shows a tooltip “Operating System is in use”.

The detail page shows the same:


Am I missing something or is this a bug?

We have a similar issue on our internal bug tracker and are looking for a solution.

Most likely the host counter is wrong here, and the operating system is actually still in use. If you still want to delete the operating system, you would need to check the details of each host. Note that you should click “Show all Identifiers” on the host detail page, else not all identifiers will be shown.

1 Like

Thanks for the hint :slight_smile:

There is a lot of stuff from reports that have alredy been (automatically) deleted :open_mouth:
Is there a way to also clean that up automatically?

Due to the bug in the host counter, I believe one needs to research manually which host still uses this OS asset as following:

To find the host assets that are using the OS assets despite the wrong count, open the host asset view
Web GUI > Assets > Hosts
and enter the powerfilter
oss~“cpe:/…”
replacing cpe:/… with the correct cpe of the os. It will look like the following example
oss~“cpe:/o:canonical:ubuntu_linux:8.04:-:lts”
this will list all host assets that feature said cpe as primary or secondary OS-Identifier.
You can delete the OS identifiers from the hosts, or the hosts altogether. When no host is using the OS-asset anymore, the os-asset it self can be deleted as well.

2 Likes

I was able to clean up a lot - thanks!

Apparently one software I have running on Ubuntu makes the host look like its Debian “cpe:/o:debian:debian_linux” :smiley:
And Debian is identified as “cpe:/o:debian:debian_linux:10” but also as “cpe:/o:linux:kernel”.

So I have “cpe:/o:debian:debian_linux” and “cpe:/o:linux:kernel” showing 0 hosts and they are not deletable…

Could you please create a new topic in Vulnerability Tests - Greenbone Community Forum and provide the output of the following two VTs (the second might not be included in your report if there are no unknown OS identifiers found) so that the feed team could have a look if the detection can be improved?

Name: OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

Name: Unknown OS and Service Banner Reporting
OID: 1.3.6.1.4.1.25623.1.0.108441

AFAIK this is expected / by design. GVM is using all found OS identifiers during a scan on purpose to give the user the choice to search for e.g. “All Debian systems” but also for “All Linux systems” (which includes all Debian systems).