Skip to content

Latest commit

 

History

History
214 lines (146 loc) · 4.59 KB

README.md

File metadata and controls

214 lines (146 loc) · 4.59 KB

scanner-lab

scanner-lab is an framework to test scanner responsibilities within a closed environment to reproduce some issues.

It is not using:

  • gvmd

or any other scanner management besides ospd.

This is done on purpose to reduce the amount of moving parts.

This is done by providing a runtime environment based on Kubernetes.

Which spins up:

  • a notus-scanner instance
  • a ospd (and therefore openvas-scanner) instance configured to use TLS
  • a slackware instance with a running ssh daemon
  • a victim image based on metasploitable

and then runs a test-binary called run-feature-tests.

Currently it does:

  • Discovery and Full and Fast scan-config

on the targets:

  • slackware
  • victim

To deploy and run run-feature-tests you can execute:

make

Installation

On a newly created environment you need to have

  • make
  • rsync
  • this repository

on your machine.

Requirements:

  • /var/lib/openvas/plugins/
  • /var/lib/notus/
  • /var/lib/gvm/data-objects/gvmd/22.04/scan-configs/

must exist and writeable by the user so that make update-local-feed can succeed.

You can verify it by running make check-feed-dirs. If there is no output and no error code this is correctly setup.

Install k3s

Although k3s is just a single binary it is useful to have a systemd integration for that they prepared a script which you can download via:

  curl -Lo install_k3s.sh https://get.k3s.io

review and execute it.

The script should install:

  • /usr/local/bin/k3s
  • /usr/local/bin/kubectl - kubernetes client (symlinked to k3s)
  • /usr/local/bin/crictl - CRI client (symlinked to k3s)
  • /usr/local/bin/k3s-killall.sh - to kill k3s
  • /usr/local/bin/k3s-uninstall.sh - to uninstall

Additionally it should create

  • /etc/systemd/system/k3s.service and enabling it per default.

To allow user execution set a KUBECONFIG variable:

export KUBECONFIG=~/.kube/config

if you already have running pods you can copy the configuration like:

mkdir -p ~/.kube
sudo k3s kubectl config view --raw > "$KUBECONFIG"

Further resources:

Apply deployments

make deploy

To update your local feed you can execute:

make update-local-feed

Remove deployments

make delete

Update

make update-local-feed
make update

Scale

kubectl scale deployments/victim --replicas=100
kubectl scale deployments/slsw --replicas=100

Useful commands

Use own paths instead of defaults

If you follow the standard setup

  • $YOUR_PATH/var/lib/openvas/plugins
  • $YOUR_PATH/var/lib/notus
  • $YOUR_PATH/var/lib/gvm/data-objects/gvmd/22.04/scan-configs

but just in a different path you can also set INSTALL_PREFIX either via environment or make variable instead of overriding each feed variable before executing create-local-volume-deployment.

If you want to use different source paths than set you can create a own openvas-persistent-volumes-deployment-local.yaml by executing:

make \
  nasl_target=$YOUR_NASL_PATH \
  notus_target=$YOUR_NOTUS_PATH \
  sc_target=$YOUR_SCAN_CONFIG_PATH \
  create-local-volume-deployment

Be aware that when you want to run make update-feed you need to apply the same values as you did when creating openvas-persistent-volumes-deployment-local.yaml If you change the INSTALL_PREFIX then you have to delete the persistent volume and openvas and deploy afterwards:

make delete-persistant-volumes
make deploy-openvas

start a scan

kubectl exec -ti deployment/openvas -c ospd -- bash
ospd-scans \
  -a localhost:4242 \
  --cert-path /var/lib/gvm/CA/cacert.pem \
  --certkey-path /var/lib/gvm/private/CA/serverkey.pem \
  --host 10.42.0.0/24 \
  --policies "Discovery,Full and fast" \
  --cmd start-finish

openvas logs

kubectl exec -ti deployment/openvas -c ospd -- tail -f /var/log/gvm/openvas.log 

Usage

To use the exposed TCP socket to OSPD you have to get the IP-Address of openvas:

kubectl get pods -l app=openvas -o wide

and the certificate and key file:

cd feature-tests
make fetch-certs

afterwards you can connect to it via:

echo "<get_version/>" | gnutls-cli \
  --port=4242 \
  --insecure \
  --x509certfile=/tmp/ca.pem \
  --x509keyfile=/tmp/key.pem \
  $(kubectl get pods -o wide | awk '/openvas/{print $6}')

run feature tests

cd ./feature-tests
make run

License

Copyright (C) 2022-2023 Greenbone Networks GmbH

Licensed under the GNU Affero General Public License v3.0 or later.