Strange scan results

Hello Community,
When performing a scan with credentials, I expect local security checks to include analysis of netstat, services and installed packages. But, unfortunately, I don't get the full result. Also, when scanning with the same profile, I get different scanning results. What may be the issue, and how can I get a predictable and complete scan result?

For example: I have an apache package installed on my server, but openvas can’t find it.

Scan Config: Full and Fast

I use: https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker
Docker image: securecompliance/gvm:debian-master-data-full

Well,

What OS are you scanning? Is it on the supported list? Is the login to the OS working? (check the logs)

Eero

@Eero
I scan Oracle Linux 7, logs show that authentication has been successful.

Well, local checks are a bit problematic. They need custom NVTs (check files) for each OS and its package files. That is a huge effort.

I think that the Oracle Linux checks are not updated and maintained anymore. I wrote Oracle Linux checks for some years. On my side they are not maintained any more.

Eero


Thank you, @Eero
I tried to scan CentOS and the results really got better!
I also tried to scan Oracle Linux 7 with an account that is part of the wheel group, and the scan showed the apache package. Do you know why this doesn't happen when I scan with an account that is not in the wheel group?

@etty1337 well, I think the requirement is that the user account can run the rpm -qa command to get package information. You can try to run the command with both accounts.

@etty1337 the user must be able to run the following rpm query:

    /bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'

or else the package list is missing.

In a normal configuration the user is able to run rpm queries.

Eero


@Eero, I tried to execute this command from user and got a list of installed packages. I don’t see what could be wrong with the scan.
Thanks for your help, @Eero
I need to take a break for more detailed research on the problem.

@etty1337 it runs the following commands:

    # Only hosts whose release string contains "oraclelinux-release-7" get the package list collected
    if( "oraclelinux-release-7" >< rls ) {
      set_kb_item( name:"ssh/login/oracle_linux", value:TRUE );
      # Package list in NAME~VERSION~RELEASE; format, one record per package
      buf = ssh_cmd( socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'" );
      register_rpms( buf:buf );
      if( match = eregmatch( pattern:"oraclelinux-release-7.([0-9]+)", string:rls ) ) {
        version = "7." + match[1];
      } else {
        version = "7";
      }
      log_message( port:port, data:"We are able to login and detect that you are running Oracle Linux " + version );
      register_and_report_os( os:"Oracle Linux " + version, cpe:"cpe:/o:oracle:linux:" + version, banner_type:"SSH login", desc:SCRIPT_DESC, runs_key:"unixoide" );
      set_kb_item( name:"ssh/login/release", value:"OracleLinux7" ); # nb: Special handling as the Oracle / ELSA LSCs are using just the major release
      exit( 0 );
    }

It doesn't get the rpms if the release file doesn't match "oraclelinux-release-7".

Eero
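The two conditions Eero describes (the scan account must be able to run the rpm query, and the release string must match "oraclelinux-release-7") can be checked on the target before a credentialed scan. The script below is an added example, not code from the thread or from the Greenbone NVT; it reimplements the NVT's parsing of the `NAME~VERSION~RELEASE;` blob and its release-string handling in POSIX shell, and the sample rpm output is constructed (package names and versions are made up). Run the live query as the actual scan account (for example via `su - scanuser -c`) to see whether that account gets the same list a wheel-group user gets.

```shell
#!/bin/sh
# Added example (not from the thread or the Greenbone NVT): preflight checks that
# mimic what the quoted NVT needs from an Oracle Linux 7 target.
#   1. the rpm query must succeed and yield a ';'-separated NAME~VERSION~RELEASE list
#   2. the release string must contain "oraclelinux-release-7", else no rpms are registered

# Same query format the NVT sends over SSH.
RPM_QF='%{NAME}~%{VERSION}~%{RELEASE};'

# Constructed sample of what the query prints: no newlines, one ';' per record.
SAMPLE_RPM_OUTPUT='httpd~2.4.6~1.el7;oraclelinux-release~7~9.el7;openssh-server~7.4p1~1.el7;'

# Turn the ';'-delimited blob on stdin into one "NAME VERSION RELEASE" line per package.
parse_rpm_list() {
    tr ';' '\n' | awk -F'~' 'NF == 3 { print $1, $2, $3 }'
}

# Number of well-formed package records in the blob on stdin.
count_packages() {
    parse_rpm_list | wc -l | tr -d ' '
}

# Exit 0 if package $1 is present in the blob on stdin, 1 otherwise.
has_package() {
    parse_rpm_list | awk -v name="$1" '$1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Mirror of the NVT's release handling: "oraclelinux-release-7.N" -> "7.N",
# plain "oraclelinux-release-7" -> "7", anything else -> exit 1 (such a host
# would get no package list registered at all).
oracle_release_version() {
    case "$1" in
        *oraclelinux-release-7*) ;;
        *) return 1 ;;
    esac
    minor=$(printf '%s' "$1" | sed -n 's/.*oraclelinux-release-7\.\([0-9][0-9]*\).*/\1/p')
    if [ -n "$minor" ]; then
        printf '7.%s\n' "$minor"
    else
        printf '7\n'
    fi
}

# The real query; only meaningful on an RPM-based target, run as the scan account.
live_rpm_query() {
    /bin/rpm -qa --qf "$RPM_QF"
}

# Demo on the constructed sample. On a real host use:
#   live_rpm_query | parse_rpm_list
#   live_rpm_query | has_package httpd && echo "httpd visible to this account"
echo "packages in sample: $(printf '%s' "$SAMPLE_RPM_OUTPUT" | count_packages)"
if printf '%s' "$SAMPLE_RPM_OUTPUT" | has_package httpd; then
    echo "httpd found in sample"
fi
echo "release string maps to version: $(oracle_release_version 'oraclelinux-release-7.9')"
```

If `live_rpm_query` returns an empty or unparseable list for the scan account but a full list for a wheel-group user, the difference is on the target's side (permissions on the rpm database or a restricted shell), not in the scan configuration; if `oracle_release_version` exits non-zero for the host's release string, the NVT skips package collection entirely, which matches the behaviour Eero points out.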