I wanted to use the SCP alert method, but found very few details in the documentation.
The goal is to create a CSV file, which I can then import automatically into i-doit to document each scan in my CMDB.
https://www.i-doit.org/
Configuration in i-doit
I created a custom category for OpenVAS scans with the required fields.

Here is an overview of what it should look like later:

Configuration in the greenbone security assistant

My first tests were depressing. No report arrived in the planned storage location.
Attention: As it turned out later, among other problems, the entry in “known hosts” was also wrong!
So I went looking for how the functionality works. Searching the source code, I found a promising script named alert in the directory “openvas-manager-6.0.9/src/alert_methods/SCP/”.
The bash script uses two programs: sshpass and scp. Because sshpass was not installed on my Debian, I installed it with apt-get install sshpass.
The second test after that was as unsuccessful as the first. To analyze the problem more precisely, I wanted to add a few debug commands to the bash script. But first I had to find it in the installation.
I found the script in the installation in a subdirectory of /usr/local/share/openvas/openvasmd/global_alert_methods
root@sv-openvas ~ # ls -l /usr/local/share/openvas/openvasmd/global_alert_methods
insgesamt 20
drwxr-xr-x 2 root root 4096 Jan 5 17:00 2db07698-ec49-11e5-bcff-28d24461215b
drwxr-xr-x 2 root root 4096 Jan 5 17:00 4a398d42-87c0-11e5-a1c0-28d24461215b
drwxr-xr-x 2 root root 4096 Jan 5 17:00 9d435134-15d3-11e6-bf5c-28d24461215b
drwxr-xr-x 2 root root 4096 Jan 5 17:00 cd1f5a34-6bdc-11e0-9827-002264764cea
drwxr-xr-x 2 root root 4096 Jan 5 17:00 f9d97653-f89b-41af-9ba1-0f6ee00e9c1a
Here are the contents of the file:
#!/bin/sh
#
# OpenVAS
# $Id$
# Description: Escalator method script: SCP.
#
# Authors:
# Matthew Mundell <matthew.mundell@greenbone.net>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
PASSWORD=$1
USERNAME=$2
HOST=$3
DEST=$4
KNOWN_HOSTS=$5
REPORT_FILE=$6
KNOWN_HOSTS_FILE=`mktemp` || exit 1
echo $KNOWN_HOSTS > $KNOWN_HOSTS_FILE
PASSWORD_FILE=`mktemp` || exit 1
echo $PASSWORD > $PASSWORD_FILE
# Escape destination twice because it is also expanded on the remote end.
sshpass -f ${PASSWORD_FILE} scp -o HashKnownHosts=no -o UserKnownHostsFile="${KNOWN_HOSTS_FILE} ~/.ssh/known_hosts ~/.ssh/known_hosts2" "${REPORT_FILE}" "${USERNAME}@${HOST}:'${DEST}'"
#echo $? > /tmp/EXIT_CODE
rm $KNOWN_HOSTS_FILE
rm $PASSWORD_FILE
The working solution
After many tries, and with the support of Eero Volotinen, it finally worked. Here is the solution:
I started scp as root and contacted the target.
root@sv-openvas ~ # scp -o StrictHostKeyChecking=no test.csv root@192.168.1.119:/root/csv-reports
Warning: Permanently added '192.168.1.119' (ECDSA) to the list of known hosts.
root@192.168.1.119's password:
Then I copied the content of /root/.ssh/known_hosts into the field “Known Hosts:” in the GUI.
root@sv-openvas /tmp # cat /root/.ssh/known_hosts
|1|4O1k4wlSOacMxEIpabbreZRASYM=|RPlTCrLdtfReZrDCJbKoYWxUJBQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAVIOC6bL2LuSMkl5JZIf0VyahpFAinllgpQaNjw7S2dy/vkRMs9vP6jPzGrFkq2hFRtzvdB+5HQA/HSGcf4CmE=
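The check below is an added example, not part of the original post or of OpenVAS: it tests whether a known_hosts entry (hashed with |1|salt|hash, or plain) belongs to the target host before it is pasted into the “Known Hosts:” field, and shows what the unquoted echo $KNOWN_HOSTS in the alert script does to a value with more than one line. The function names and sample keys are constructed for illustration; pass the host the way ssh names it ([host]:port for a non-default port).

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Token OpenSSH stores for `host` when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def match_entry(line, host):
    """Return the key type if this known_hosts line applies to host."""
    fields = line.split()
    if len(fields) < 3 or fields[0][0] in "#@":  # comment, marker, or cut off
        return None
    for pattern in fields[0].split(","):
        if pattern.startswith("|1|"):
            try:
                _, _, salt_b64, mac_b64 = pattern.split("|")
                salt = base64.b64decode(salt_b64, validate=True)
                want = base64.b64decode(mac_b64, validate=True)
            except ValueError:                   # truncated or mangled paste
                continue
            got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(got, want):
                return fields[1]
        elif pattern == host:                    # plain name; no wildcards
            return fields[1]
    return None

def check_known_hosts(text, host):
    """List (line number, key type) for every entry matching host."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        key_type = match_entry(line, host)
        if key_type:
            hits.append((number, key_type))
    return hits

def flatten_like_echo(text):
    """Word splitting done by the script's unquoted `echo $KNOWN_HOSTS`."""
    return " ".join(text.split())

# Constructed sample data, not real host keys.
SAMPLE = "\n".join([
    hash_host("192.168.1.119", bytes(range(20))) + " ecdsa-sha2-nistp256 KEY1",
    "192.168.1.120 ssh-ed25519 KEY2",
])

if __name__ == "__main__":
    print(check_known_hosts(SAMPLE, "192.168.1.119"))
    print(check_known_hosts(flatten_like_echo(SAMPLE), "192.168.1.120"))
```

If a multi-line value reaches the script, everything after the first entry ends up in that entry's comment field, so only the first host is still recognised.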
The correct configuration looks like this:

The alert can be tested with the play button:

Regardless of the selected report format, an XML file is always transferred.
Is this a bug or feature? 🙂
Fortunately, the file CSV_Hosts.xsl can be used to create a clear CSV file.
Generate the .csv
The file is located in /usr/local/share/openvas/openvasmd/global_report_formats/9087b18c-626c-11e3-8892-406186ea4fc5/
root@debian /tmp # xsltproc CSV_Hosts.xsl report
IP,Hostname,OS,Scan Start,Scan End,CVSS,Severity,High,Medium,Low,Log,False Positive,Total
192.168.1.107,,,2017-01-21T22:23:21+01:00,2017-01-21T22:24:44+01:00,0.0,None,0,0,0,14,0,14
192.168.1.108,,,2017-01-21T22:23:21+01:00,2017-01-21T22:25:51+01:00,0.0,None,0,0,0,8,0,8
I-doit import configuration

Thanks for that great and very useful HowTo. I ran into almost the same problems.
I’m still struggling with two topics:
– name the transferred file to something like .csv to identify different scp’ed files by source
– make scp connect with username & public key
It would be really interesting to have these things running.
Thanks for this tutorial! It works perfectly on my network!