Signed NVTs / openvas-scanner "stop"

Anger · November 16, 2018, 5:16pm

I have problems with the scanner. It stops after enabling signatures, but when consulting the
State has remained active, I leave in detail the whole procedure.

Status%20openvasscanner

Enable the validation option for verification of signatures

vi /etc/openvas/openvassd.conf
Should consider all the NASL scripts as being signed ? (unsafe if set to ‘yes’)
nasl_no_signature_check = no

Versions of openvasmd and openvassd

openvasmd --versionOpenVAS Manager 7.0.2
Manager DB revision 184

openvassd --version
OpenVAS Scanner 5.1.1

Signature process

gpg --homedir=/etc/openvas/gnupg --list-keys

gpg: WARNING: unsafe permissions on homedir `/etc/openvas/gnupg'
/etc/openvas/gnupg/pubring.gpg
pub   1024D/48DB4530 2007-11-05
uid                  OpenVAS Transfer Integrity
sub   2048g/70610CFB 2007-11-05

gpg --homedir=/etc/openvas/gnupg --list-public-keys

gpg: WARNING: unsafe permissions on homedir `/etc/openvas/gnupg'
/etc/openvas/gnupg/pubring.gpg
pub   1024D/48DB4530 2007-11-05
uid                  OpenVAS Transfer Integrity
sub   2048g/70610CFB 2007-11-05

gpg --homedir=/etc/openvas/gnupg --list-sigs

gpg: WARNING: unsafe permissions on homedir `/etc/openvas/gnupg'
/etc/openvas/gnupg/pubring.gpg
pub   1024D/48DB4530 2007-11-05
uid                  OpenVAS Transfer Integrity
sig 3        48DB4530 2007-11-05  OpenVAS Transfer Integrity
sub   2048g/70610CFB 2007-11-05
sig          48DB4530 2007-11-05  OpenVAS Transfer Integrity
-----------------------------
**Downloads Keys**
wget https://www.greenbone.net/GBCommunitySigningKey.asc
gpg --homedir=/etc/openvas/gnupg --import GBCommunitySigningKey.asc
------------------------------------
**import signature of the keys.**
gpg --homedir=/etc/openvas/gnupg --import /etc/openvas/gnupg/48DB4530.key
--------------------------------------
**Sign**
gpg --homedir=/etc/openvas/gnupg --lsign-key 48DB4530

Update feeds

greenbone-nvt-sync
greenbone-certdata-sync
greenbone-scapdata-sync
openvasmd --rebuild

Version System Operator: centos 7

Log /var/openvas/openvassd.log

[Fri Nov 16 16:19:47 2018][8590] /var/lib/openvas/plugins/2018/coremail/gb_coremail_stored_xss_vuln.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:47 2018][8590] /var/lib/openvas/plugins/2018/coremail/gb_coremail_stored_xss_vuln.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/lynxtechnology/gb_twonky_server_mult_vuln.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/lynxtechnology/gb_twonky_server_mult_vuln.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/lynxtechnology/gb_twonky_server_mult_vuln_active.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/lynxtechnology/gb_twonky_server_mult_vuln_active.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/opensuse/gb_suse_2018_3754_1.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/opensuse/gb_suse_2018_3754_1.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/dolibarr/gb_dolibarr_7_0_0_mult_vuln.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/dolibarr/gb_dolibarr_7_0_0_mult_vuln.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/lutron/gb_lutron_quantum_integ_device_infor_disc_vuln.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/lutron/gb_lutron_quantum_integ_device_infor_disc_vuln.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/digium/gb_asterisk_AST-2018-010.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/digium/gb_asterisk_AST-2018-010.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/piwigo/gb_piwigo_mult_xss_vuln.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/piwigo/gb_piwigo_mult_xss_vuln.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/fedora/gb_fedora_2018_e8d19367cb_mingw-SDL2_image_fc28.nasl: Will not execute. Bad or missing signature
[Fri Nov 16 16:19:48 2018][8590] /var/lib/openvas/plugins/2018/fedora/gb_fedora_2018_e8d19367cb_mingw-SDL2_image_fc28.nasl: Could not be loaded
[Fri Nov 16 16:19:48 2018][8590] Stopped loading plugins: High number of errors.

Status de openvas-scanner>

systemctl status openvas-scanner
● openvas-scanner.service - OpenVAS Scanner
Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-16 14:05:23 -03; 468ms ago
Process: 9500 ExecStart=/usr/sbin/openvassd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 9501 (openvassd)
CGroup: /system.slice/openvas-scanner.service
├─9501 openvassd: Reloaded 100 of 47880 NVTs (0% / ETA: 00:00)
└─9502 openvassd (Loading Handler)

Nov 16 14:05:23 localhost.localdomain systemd[1]: Starting OpenVAS Scanner…
Nov 16 14:05:23 localhost.localdomain systemd[1]: Started OpenVAS Scanner.

Again

Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-16 14:08:19 -03; 2s ago
Process: 11574 ExecStart=/usr/sbin/openvassd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 11575 (openvassd)
CGroup: /system.slice/openvas-scanner.service
├─11575 openvassd: Reloaded 4600 of 47880 NVTs (9% / ETA: 00:18)
└─11576 openvassd (Loading Handler)

Nov 16 14:08:19 localhost.localdomain systemd[1]: Starting OpenVAS Scanner…
Nov 16 14:08:19 localhost.localdomain systemd[1]: Started OpenVAS Scanner.

Again

● openvas-scanner.service - OpenVAS Scanner
Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-16 14:10:46 -03; 1s ago
Process: 13322 ExecStart=/usr/sbin/openvassd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 13323 (openvassd)
CGroup: /system.slice/openvas-scanner.service
├─13323 openvassd: Reloaded 550 of 47880 NVTs (1% / ETA: 01:26)
└─13324 openvassd (Loading Handler)

Nov 16 14:10:46 localhost.localdomain systemd[1]: Starting OpenVAS Scanner…
Nov 16 14:10:46 localhost.localdomain systemd[1]: Started OpenVAS Scanner.

Again

● openvas-scanner.service - OpenVAS Scanner
Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
Active: activating (start) since Fri 2018-11-16 14:11:38 -03; 7ms ago
Main PID: 13872 (code=exited, status=1/FAILURE); : 13930 (openvassd)
CGroup: /system.slice/openvas-scanner.service
└─13930 /usr/sbin/openvassd

Again

● openvas-scanner.service - OpenVAS Scanner
Loaded: loaded (/usr/lib/systemd/system/openvas-scanner.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-16 14:12:23 -03; 1s ago
Process: 14475 ExecStart=/usr/sbin/openvassd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 14476 (openvassd)
CGroup: /system.slice/openvas-scanner.service
├─14476 openvassd: Reloaded 3550 of 47880 NVTs (7% / ETA: 00:24)
└─14477 openvassd (Loading Handler)

Nov 16 14:12:23 localhost.localdomain systemd[1]: Starting OpenVAS Scanner…
Nov 16 14:12:23 localhost.localdomain systemd[1]: Started OpenVAS Scanner.

Deactivating signature validation works without problems

cfi · November 16, 2018, 6:03pm

Hi, when choosing the category for a topic please try to have a look at the category description for each category first:

The current used category is/was Greenbone Professional Edition - Greenbone Community Forum (Description: About the Greenbone Professional Edition category - Greenbone Professional Edition - Greenbone Community Forum) which is about the downloadable ready-to use virtual machine.

Based on your signature issue you seems to have an own installation either build from source or installed via 3rdparty repositories. For such installation the https://community.greenbone.net/c/gse (Description: About the Greenbone Community Edition category - Greenbone Community Edition - Greenbone Community Forum) needs to be chosen.

I have moved the topic to the correct category for now. It could be possible that the info above is made more prominent / easier to find in the future.

To solve your issue you might want to give the following topic below a try. Researching the reason and possible issues of the “unsafe permissions on homedir” might worth another try.

cfi · November 16, 2018, 6:06pm

Adding to the points above the versions below are quite outdated, please update to the recent versions of the GVM-9 (end-of-life, initial release 2017-03-07) - Greenbone Community Edition - Greenbone Community Forum first to avoid that any current seen issues are originating from such outdated versions.

Anger · November 17, 2018, 2:54am

I followed the guide step by step, and the same way, the openvassd behaves unstable. stop-start-

very thanks

isweluiz · May 16, 2019, 7:44pm

Hello guys

I solved this problem and I sharing on my blog: