Connecting the dots to GVM

Focus:

If your question is “How do you connect gvm-tools remotely?” then this article is for you. To vent a little bit, I spent hours trying to figure this out. The documentation on how to do this is somewhat spotty and may not be straightforward, especially if you are using a containerized deployment of GVM where GVM is not running on a full Linux deployment. For the project I am running, I based my deployment on a Docker container image from Secure Compliance/GVM. Unless you can follow the source build instructions and are a fairly veteran Linux user, it can be pretty difficult to figure out how to set this up. So for those of you out there scouring the internet to find the solution (especially if you are using a GVM container), hopefully this helps you out.

Background:

Lately I have been working on an open source project to do security vulnerability scanning with an open source Nessus-based scanning engine called Greenbone. It's not a bad system, but it is not something for a novice user, as there are several things unique to it. One of the most frustrating things about the project is the lack of thorough documentation. There is plenty of documentation, but complete examples are kind of hard to find and you have to dig a little. I suppose a lot of it is because of the different ways you can deploy it, or maybe it’s because everyone who uses it already knows how to connect to control things remotely. Either way, it really sucks for anyone completely new to the GVM project trying to figure out what you have to do to connect to it remotely to control, execute, and script scans.

GVM has a suite of options that you can choose from to control it. It is called “gvm-tools”. The official documentation is here. The capabilities and various ways to control GVM look to be very powerful and reduce the need to write custom Python scripts to do what you have to do. Inside gvm-tools there are 3 components: gvm-cli, gvm-scripts, and gvm-pyshell (which includes the gvm-python library). Each of these components can connect in 3 ways: via SOCKET, TLS, or SSH. Depending on your setup (such as a container image) you may be restricted in how you connect. In my setup I am running a container based on this Docker image, so neither SSH nor sockets was an option that worked for me. Regardless, I will walk through each method to help explain this.

For my example I am using an Ubuntu server running as a Docker host, and I run the remote tools from the host OS to connect into my container running GVM.

Do not run the gvm remote tools as “root”

STEPS TO REMOTELY CONNECT 

  1. On your Linux machine or Docker Linux host which will be running your scripts – install Python3, pip and gvm-tools. Follow this article for the overview and install. The GitHub repo for it is here.
    • Install python and pip. (I am using Ubuntu, use what works for you)
      • # apt-get install python3 pip
    • Install gvm-tools
      • # python3 -m pip install gvm-tools
  2. The next step is opening up the port. GVM listens on port 9390 for its remote GMP engine, which is what the gvm-tools suite talks to.
    • If you are running on a GVM docker container you will need to do one of the following
      • Map port 9390 from the container to the host port 9390 (make sure the port is only reachable from the Docker host, or is segmented or protected with a firewall)
      • You can also do port forwarding via an SSH tunnel via this FAQ – Question 4
    • If you are running on a Linux server it is easy: you simply need to have port 9390 listening.
  3. Now for the BIGGEST thing that they don't explain well in the documentation: HOW YOU SET UP THE CONNECTIONS. It is not enough to simply talk over port 9390; you need to authenticate every time you need to talk to the GMP engine. You can do it with SSH, SOCKET, or TLS.
    For my example I chose authenticating via certificates because of the way I am using a docker container.

      • For SSH (the easiest, but doesn't work with most GVM containers) – Simply have an SSH-enabled user on the appliance with SSH and password authentication enabled. Unfortunately this is NOT possible in many of the container deployments because the functions to add users with SSH are not available. If you are running a full Linux host with GVM source edition then this is the way to do it.
      • For SOCKET (the legacy way; can work with containers by adjusting the startup script) – This is doable, and what is needed is creating a socket via the gvmd daemon. It's not that straightforward, but once you create the socket you can reference it for your connection. You can reference this FAQ Question 2 to help with staging this in a container startup script. Since this is kind of the legacy method, I veered away from it because I worry that it may change or go away later. http://manpages.ubuntu.com/manpages/impish/man8/gvmd.8.html
      • For TLS (the middle ground – verified that it works with containers!!) – I feel this is probably the easiest method, but they do not tell you how to do this at all. For those of you using containers this is the golden bit of information you have probably been searching for! I managed to find this by digging in the source code to see how they create the certificates.
        • Inside of the GVM container or server that is installed you can run a simple command as the gvm user to find out the locations of your certificates.
          Simply run the following as the gvm user:  % gvm-manage-certs -V

          This will tell you where the certs you need live. You will need to copy or download the following cert files (servercert.pem, serverkey.pem, cacert.pem). Copy these cert files to a directory that is accessible by the user on the client machine that will be doing the remote execution. This is how they will map to the keys in the config file in the next section.
          certfile= servercert.pem
          keyfile= serverkey.pem
          cafile= cacert.pem
  4. Next, as the user that will run the remote commands, you are going to configure your connection settings. You can find the general instructions here: https://gvm-tools.readthedocs.io/en/latest/config.html
    You want to create the .config directory in the home directory of the user executing the remote commands and create a file called gvm-tools.conf. Note that you really only need to add what you need to connect (SSH, TLS, SOCKET). SSH is preferred, but TLS and SOCKETS are fine too.
    So, for example, if you are going to connect to GVM via TLS you would have something like the following:

    • TLS Connection:
      Example: gvm-tools.conf to connect via TLS. tls_path is the directory on the client machine where you copied the cert files.

      [main]
      # increased timeout to 5 minutes
      timeout = 300
      tls_path=/home/your_user/certs
      default_user=gvm
      
      [gmp]
      username=admin
      password=somepass
      
      [tls]
      port=9390
      certfile=%(tls_path)s/servercert.pem
      keyfile=%(tls_path)s/serverkey.pem
      cafile=%(tls_path)s/cacert.pem
    • Socket Connection:
      Everything as above except you have a block for a socket connection

      [socket]
      socketpath=/var/run/gvmd.sock
      
    • SSH Connection:
      Everything as above except you have a block for an SSH connection

      [ssh]
      username=sshuser-on-gvm
      password=sshpassword
      port=2222
      

 

5. CONNECT  Now for the fun part. Once you can access port 9390 and once you have your connection and authentication configured, you can now CONNECT!!! Reference the documentation and GitHub on how to use each one of the tools.
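
A pre-flight check for the TLS setup described above, as an added example that is not part of the original post or of gvm-tools: it resolves the %(tls_path)s paths, confirms the three PEM files exist, and flags a config or key file that other users can read, since the config holds the GMP password and serverkey.pem is a private key. The function names, the constructed temp-directory files and treating [main] as the parser's default section are assumptions of this example.

```python
import configparser, os, stat, tempfile

def loose(path):
    """True if group or other have any access to the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def check_gvm_tools_conf(conf_path, euid=None):
    """Return a list of problems with a gvm-tools.conf TLS setup."""
    problems = []
    if (os.geteuid() if euid is None else euid) == 0:
        problems.append("running as root")  # the post says not to do this
    # Assumption: [main] is the parser's default section, which is what lets
    # %(tls_path)s inside [tls] resolve to the value set under [main].
    cfg = configparser.ConfigParser(default_section="main")
    cfg.read(conf_path)
    if loose(conf_path):  # the file holds the GMP password in clear text
        problems.append("config readable by group/other")
    if not cfg.has_section("tls"):
        return problems + ["no [tls] section"]
    for key in ("certfile", "keyfile", "cafile"):
        path = cfg.get("tls", key, fallback=None)
        if not path or not os.path.isfile(path):
            problems.append(f"{key} missing: {path}")
        elif key == "keyfile" and loose(path):
            problems.append("keyfile readable by group/other")
    return problems

def demo():
    """Check a constructed config and placeholder PEM files, loose then tight."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "serverkey.pem")
    for name in ("servercert.pem", "serverkey.pem", "cacert.pem"):
        with open(os.path.join(d, name), "w") as f:
            f.write("constructed placeholder, not a real PEM\n")
    conf = os.path.join(d, "gvm-tools.conf")
    with open(conf, "w") as f:
        f.write(f"[main]\ntls_path={d}\n[gmp]\nusername=admin\n"
                "password=somepass\n[tls]\nport=9390\n"
                "certfile=%(tls_path)s/servercert.pem\n"
                "keyfile=%(tls_path)s/serverkey.pem\n"
                "cafile=%(tls_path)s/cacert.pem\n")
    results = []
    for mode in (0o644, 0o600):  # world-readable first, then owner-only
        os.chmod(conf, mode)
        os.chmod(key, mode)
        results.append(check_gvm_tools_conf(conf, euid=1000))
    return results

if __name__ == "__main__":
    print(demo())
```

Point check_gvm_tools_conf at ~/.config/gvm-tools.conf on the client before the first connection attempt; an empty list means the files are in place and owner-only.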