I’m playing around with latest gvm, and noticed an issue with ospd-openvas. Since it is run as a non-root user, it cannot do traffic capture. The scan works fine but the following error appears in the log for some plugins:
lib misc:MESSAGE:2020-02-06 14h24.26 utc:18857: enp0s3: You don’t have permission to capture on that device (socket: Operation not permitted)
lib nasl:MESSAGE:2020-02-06 14h24.26 utc:18857: 18857 pcap_next: Could not get a bpf
lib misc:MESSAGE:2020-02-06 14h24.51 utc:22022: enp0s3: You don’t have permission to capture on that device (socket: Operation not permitted)
lib nasl:MESSAGE:2020-02-06 14h24.51 utc:22022: 22022 pcap_next: Could not get a bpf
I don´t think there is a way around this because pcap needs low-level access to the network interface. Due to the security implications (capturing network traffic, generating arbitrary network packets etc), such access is limited to privileged users only.
Well, the question is actually how to give gvm user privilegied access to network interface. I’m pretty sure there is nice way to do this, I just can’t find how.
I would suggest not run a BPF-Firewall on the scanner, packet filter (non stateful) might be OK, but not BPF or anything with session tracking and state tracking.
To be clear, you have to REMOVE the firewall, even with a empty rule set it WILL_NOT_WORK due to internal SYN counter even in your firewall is on accept.
I redid the test with firewall disabled, but I still see the same problem. By disabled I mean I did the following:
sudo ufw reset
sudo ufw disable
Which is basically the most I can do; otherwise ufw must be removed from the kernel at boot time, but it looks a bit overkill to me, especially since with previous GVM implementation the firewall was simply off, and I never had this issue.
You need to remove the code and structures from the Kernel. Disabling does not help. Just re-compile your kernel and leave anything state and network related out
Was always the case but the bpf makes it worse. I would additional suggest to disable SE-Linux, App Armor and Grsecurity is not supported as well
Before with netfilter you could see that the state counter overflows or your scans are slow due to syn-cookies … etc. So it´s never a good idea to run a firewall on your scanner …
Hmm… actually it’s not that simple. Netfilter seems highly integrated in the kernel nowadays, and I can’t figure out how to completely remove it’s support without recompiling a kernel (which I something I want to avoid at all costs !)
Does anyone know how those security features can be disabled from the kernel ?
It can´t you need to recompile the kernel for a performant setup If the session tracking is in the kernel, it will be always active and limiting your scan capabilities. All our appliances have a optimized own Greenbone kernel for that reason You should activate additional security like mentioned above as well.
Well, that’s somehow hopeless… It seems to be a major issue; so I’m a bit surprise this isn’t documented anywhere nor raised elsewhere in this forum. After all ALL linux installations are configured this way. And I don’t believe there is anyone in this forum using gvm on Linux who is actually recompiling his own kernel…
It always depends from the size of your installation You can scan your home network with 4 devices without any problem, but for any serious and big installation you need to understand how TCP and your firewall works and what limitation you will face.
As well here are many firewall issues. It´s not a GVMd issue, it´s more a Scanner issue.
Unfortunately the appliance model is not an option in my case, due to the internal constraints imposed by my company in our datacenters. So I’m a bit stuck because I can’t go for the commercial model. Regarding the issues I’ll be facing if I don’t setup a specific kernel, is this documented somewhere ? If I don’t have the choice, then at least understanding the consequences may help me taking a final call.
