scanner-lab is a framework to test scanner responsibilities within a closed environment to reproduce some issues.
It does not use gvmd or any other scanner management besides ospd.
This is done on purpose to reduce the number of moving parts.
The closed environment is a runtime environment based on Kubernetes, which spins up:
- a notus-scanner instance
- an ospd (and therefore openvas-scanner) instance configured to use TLS
- a slackware instance with a running ssh daemon
- a victim image based on metasploitable
and then runs a test binary called run-feature-tests.
Currently it runs:
- the Discovery and the Full and Fast scan-config
on the targets:
- slackware
- victim
To deploy and run run-feature-tests you can execute:
make
On a newly created environment you need to have
- make
- rsync
- this repository
on your machine.
Requirements:
/var/lib/openvas/plugins/
/var/lib/notus/
/var/lib/gvm/data-objects/gvmd/22.04/scan-configs/
must exist and be writable by the user so that make update-local-feed can succeed.
You can verify this by running make check-feed-dirs. If there is no output and no error code, everything is set up correctly.
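The same pre-flight idea as a stand-alone shell function, given here as an added example and not the Makefile's own check-feed-dirs target. It is silent and returns 0 when all three directories exist and are writable; the optional prefix argument is an assumption that mirrors the INSTALL_PREFIX layout this README describes.

```shell
#!/bin/sh
# Added example (not part of scanner-lab): verify the feed directories
# before running `make update-local-feed`.
#
# Usage inside a script or shell session:
#   check_feed_dirs                    # standard paths
#   check_feed_dirs "$INSTALL_PREFIX"  # relocated layout (assumed semantics)

# The three directories named in the requirements above.
FEED_DIRS="/var/lib/openvas/plugins
/var/lib/notus
/var/lib/gvm/data-objects/gvmd/22.04/scan-configs"

# Prints one line per problem to stderr and returns non-zero if any
# directory is missing or cannot be written to by the current user.
check_feed_dirs() {
    prefix="${1:-}"
    rc=0
    for rel in $FEED_DIRS; do
        dir="${prefix}${rel}"
        if [ ! -d "$dir" ]; then
            echo "missing: $dir" >&2
            rc=1
        elif [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
            # Creating files needs both write and search permission.
            echo "not writable by $(id -un): $dir" >&2
            rc=1
        fi
    done
    return "$rc"
}
```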
Although k3s is just a single binary, it is useful to have systemd integration. For that, the k3s project prepared an install script, which you can download via:
curl -Lo install_k3s.sh https://get.k3s.io
Review it and then execute it.
The script should install:
- /usr/local/bin/k3s
- /usr/local/bin/kubectl - kubernetes client (symlinked to k3s)
- /usr/local/bin/crictl - CRI client (symlinked to k3s)
- /usr/local/bin/k3s-killall.sh - to kill k3s
- /usr/local/bin/k3s-uninstall.sh - to uninstall
Additionally, it should create /etc/systemd/system/k3s.service and enable it by default.
To allow execution as a regular user, set the KUBECONFIG variable:
export KUBECONFIG=~/.kube/config
If you already have running pods, you can copy the configuration like this:
mkdir -p ~/.kube
sudo k3s kubectl config view --raw > "$KUBECONFIG"
Further resources:
- https://rancher.com/docs/k3s/latest/en/installation/installation-requirements/
- https://rancher.com/docs/k3s/latest/en/quick-start/
make deploy
To update your local feed you can execute:
make update-local-feed
make delete
make update-local-feed
make update
kubectl scale deployments/victim --replicas=100
kubectl scale deployments/slsw --replicas=100
If you follow the standard layout
- $YOUR_PATH/var/lib/openvas/plugins
- $YOUR_PATH/var/lib/notus
- $YOUR_PATH/var/lib/gvm/data-objects/gvmd/22.04/scan-configs
but under a different path, you can set INSTALL_PREFIX, either via the environment or as a make variable, instead of overriding each feed variable before executing create-local-volume-deployment.
If you want to use different source paths than the defaults, you can create your own openvas-persistent-volumes-deployment-local.yaml by executing:
make \
nasl_target=$YOUR_NASL_PATH \
notus_target=$YOUR_NOTUS_PATH \
sc_target=$YOUR_SCAN_CONFIG_PATH \
create-local-volume-deployment
Be aware that when you want to run make update-feed you need to apply the same values as you did when creating openvas-persistent-volumes-deployment-local.yaml.
If you change INSTALL_PREFIX, you have to delete the persistent volume and openvas and deploy afterwards:
make delete-persistant-volumes
make deploy-openvas
kubectl exec -ti deployment/openvas -c ospd -- bash
ospd-scans \
-a localhost:4242 \
--cert-path /var/lib/gvm/CA/cacert.pem \
--certkey-path /var/lib/gvm/private/CA/serverkey.pem \
--host 10.42.0.0/24 \
--policies "Discovery,Full and fast" \
--cmd start-finish
kubectl exec -ti deployment/openvas -c ospd -- tail -f /var/log/gvm/openvas.log
To use the exposed TCP socket of OSPD, you have to get the IP address of openvas:
kubectl get pods -l app=openvas -o wide
and the certificate and key file:
cd feature-tests
make fetch-certs
Afterwards you can connect to it via:
echo "<get_version/>" | gnutls-cli \
--port=4242 \
--insecure \
--x509certfile=/tmp/ca.pem \
--x509keyfile=/tmp/key.pem \
$(kubectl get pods -o wide | awk '/openvas/{print $6}')
cd ./feature-tests
make run
Copyright (C) 2022-2023 Greenbone Networks GmbH
Licensed under the GNU Affero General Public License v3.0 or later.