OpenVAS: using the alert method scp to generate a .csv to import into i-doit.

I wanted to use the alert method scp, but found very few details in the documentation.

The goal is to create a .csv file which I can then import into i-doit automatically, to document each scan in my CMDB.
https://www.i-doit.org/

Configuration in i-doit

I created a custom category for OpenVAS scans with the required fields.

[Screenshot: i-doit-openvas-1]

Here is an overview of what it should look like later:

[Screenshot: i-doit-openvas-2]

Configuration in the greenbone security assistant

[Screenshot: scp1]

My first tests were depressing. No report arrived at the planned storage location.

Attention: as it turned out later, among other problems the entry in “Known Hosts” was also wrong!

So I went looking for the functionality. Searching the source code, I found a promising script named alert in the directory “openvas-manager-6.0.9/src/alert_methods/SCP/”.

The bash script uses two programs: sshpass and scp. Because sshpass was not installed on my Debian system, I installed it with apt-get install sshpass.

The second test after that was as unsuccessful as the first. To analyze the problem more precisely, I wanted to add a few debug commands to the bash script. But first I had to find it in the installation.

I found the script in the installation, in a subdirectory of /usr/local/share/openvas/openvasmd/global_alert_methods:

root@sv-openvas ~ # ls -l /usr/local/share/openvas/openvasmd/global_alert_methods
insgesamt 20
drwxr-xr-x 2 root root 4096 Jan 5 17:00 2db07698-ec49-11e5-bcff-28d24461215b
drwxr-xr-x 2 root root 4096 Jan 5 17:00 4a398d42-87c0-11e5-a1c0-28d24461215b
drwxr-xr-x 2 root root 4096 Jan 5 17:00 9d435134-15d3-11e6-bf5c-28d24461215b
drwxr-xr-x 2 root root 4096 Jan 5 17:00 cd1f5a34-6bdc-11e0-9827-002264764cea
drwxr-xr-x 2 root root 4096 Jan 5 17:00 f9d97653-f89b-41af-9ba1-0f6ee00e9c1a

Here are the contents of the file:

#!/bin/sh
#
# OpenVAS
# $Id$
# Description: Escalator method script: SCP.
#
# Authors:
# Matthew Mundell <matthew.mundell@greenbone.net>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

PASSWORD=$1
USERNAME=$2
HOST=$3
DEST=$4
KNOWN_HOSTS=$5
REPORT_FILE=$6

KNOWN_HOSTS_FILE=`mktemp` || exit 1
echo $KNOWN_HOSTS > $KNOWN_HOSTS_FILE

PASSWORD_FILE=`mktemp` || exit 1
echo $PASSWORD > $PASSWORD_FILE

# Escape destination twice because it is also expanded on the remote end.
sshpass -f ${PASSWORD_FILE} scp -o HashKnownHosts=no -o UserKnownHostsFile="${KNOWN_HOSTS_FILE} ~/.ssh/known_hosts ~/.ssh/known_hosts2" "${REPORT_FILE}" "${USERNAME}@${HOST}:'${DEST}'"

#echo $? > /tmp/EXIT_CODE

rm $KNOWN_HOSTS_FILE
rm $PASSWORD_FILE

The working solution

After many tries, and with the support of Eero Volotinen, it finally worked. Here is the solution:

I ran scp as root and connected to the target:

root@sv-openvas ~ # scp -o StrictHostKeyChecking=no test.csv root@192.168.1.119:/root/csv-reports
Warning: Permanently added '192.168.1.119' (ECDSA) to the list of known hosts.
root@192.168.1.119's password:

Then I copied the content of /root/.ssh/known_hosts into the field “Known Hosts:” in the GUI.

root@sv-openvas /tmp # cat /root/.ssh/known_hosts
|1|4O1k4wlSOacMxEIpabbreZRASYM=|RPlTCrLdtfReZrDCJbKoYWxUJBQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAVIOC6bL2LuSMkl5JZIf0VyahpFAinllgpQaNjw7S2dy/vkRMs9vP6jPzGrFkq2hFRtzvdB+5HQA/HSGcf4CmE=
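The host-key step above, with a check added. The following script is an added example and is not code from this post or from Greenbone. Instead of scp -o StrictHostKeyChecking=no, which records whatever key the target presents on first contact, it fetches the entry with ssh-keyscan so that its fingerprint can be compared with the key shown on the target's own console, and it validates the shape of a known_hosts line before it is pasted into the “Known Hosts:” field (a wrong entry in that field was one of the problems described above). The SCP_TARGET variable, the out-of-band fingerprint comparison and the BROKEN_ENTRY sample are assumptions made for the example; POST_ENTRY is the line from /root/.ssh/known_hosts shown above.

```shell
#!/bin/sh
# Added example, not part of the original post and not Greenbone code.
# It checks a known_hosts line before it is pasted into the "Known Hosts:"
# field of the SCP alert, and fetches such a line with ssh-keyscan instead of
# letting "scp -o StrictHostKeyChecking=no" record whatever key the first
# contact offers.
# Assumptions: OpenSSH's ssh-keyscan and ssh-keygen are installed on the
# scanner; SCP_TARGET (if set) is a placeholder for the real CMDB host.

# check_known_hosts_entry LINE
# Returns 0 when LINE has the OpenSSH known_hosts shape
#   <host> <keytype> <base64-key> [comment]
# where <host> is a plain name, IP or [host]:port, or the hashed form
# |1|<salt>|<hash> written by HashKnownHosts=yes (the form shown in the post).
check_known_hosts_entry() {
    set -- $1                        # split the line into its fields
    [ $# -ge 3 ] || return 1         # host, key type and key are mandatory
    case $1 in
        '|1|'*'|'*) ;;               # hashed host: |1|salt|hash
        *'|'*|'#'*) return 1 ;;      # any other '|' or a comment line
        *) ;;                        # plain host, IP or [host]:port
    esac
    case $2 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $3 in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # the key blob must be base64 only
    esac
    return 0
}

# fetch_known_hosts_entry HOST
# Prints a hashed known_hosts line for HOST's ECDSA key (the key type in the
# post's example). Its fingerprint must be compared with the one printed on
# the target itself (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub) before
# the line is trusted.
fetch_known_hosts_entry() {
    ssh-keyscan -t ecdsa -H "$1" 2>/dev/null | grep -v '^#'
}

# The entry copied in the post from /root/.ssh/known_hosts:
POST_ENTRY='|1|4O1k4wlSOacMxEIpabbreZRASYM=|RPlTCrLdtfReZrDCJbKoYWxUJBQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAVIOC6bL2LuSMkl5JZIf0VyahpFAinllgpQaNjw7S2dy/vkRMs9vP6jPzGrFkq2hFRtzvdB+5HQA/HSGcf4CmE='
# A constructed mistake: only the key blob was pasted into the GUI field.
BROKEN_ENTRY='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY='

if check_known_hosts_entry "$POST_ENTRY"; then echo "post entry: ok"; fi
if check_known_hosts_entry "$BROKEN_ENTRY"; then :; else echo "broken entry: rejected"; fi

# Only contact a real host when asked to (placeholder variable).
if [ -n "${SCP_TARGET:-}" ]; then
    entry=$(fetch_known_hosts_entry "$SCP_TARGET")
    if check_known_hosts_entry "$entry"; then
        printf '%s\n' "$entry"           # this is what goes into "Known Hosts:"
        tmp=$(mktemp) || exit 1
        printf '%s\n' "$entry" > "$tmp"
        ssh-keygen -lf "$tmp"            # fingerprint to compare out of band
        rm -f "$tmp"
    fi
fi
```

A hashed entry of the form |1|salt|hash is matched by scp just like a plain hostname; the HashKnownHosts=no option in the alert script only affects how new entries would be written, not how existing ones are looked up.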

The correct configuration looks like this:

[Screenshot: scp2]

The alarm can be tested with the play button:

[Screenshot: scp3]

Regardless of the selected report format, an XML file is always transferred.
Is this a bug or a feature? 🙂

Fortunately, the file CSV_Hosts.xsl can be used to create a clean CSV file.

Generate the .csv

The file is located in /usr/local/share/openvas/openvasmd/global_report_formats/9087b18c-626c-11e3-8892-406186ea4fc5/

root@debian /tmp # xsltproc CSV_Hosts.xsl report
IP,Hostname,OS,Scan Start,Scan End,CVSS,Severity,High,Medium,Low,Log,False Positive,Total
192.168.1.107,,,2017-01-21T22:23:21+01:00,2017-01-21T22:24:44+01:00,0.0,None,0,0,0,14,0,14
192.168.1.108,,,2017-01-21T22:23:21+01:00,2017-01-21T22:25:51+01:00,0.0,None,0,0,0,8,0,8
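The conversion above with a check in front of the import. This is an added example, not code from the post or from i-doit or OpenVAS. It runs the same xsltproc command on the transferred XML report and then verifies the resulting CSV (header, field count, IP and Scan Start columns, and that High+Medium+Low+Log+False Positive equals Total on every row) before the file is handed to the i-doit import, so that a truncated transfer or a report that does not match the custom category is rejected rather than imported. The report path argument and the two sample files are constructed for the example; the sample rows are the two lines of output shown above.

```shell
#!/bin/sh
# Added example, not part of the original post and not i-doit or OpenVAS code.
# It checks the CSV that "xsltproc CSV_Hosts.xsl report" produces before the
# file goes into the i-doit import.
# Assumption: the report XML given to report_to_csv is a placeholder path.

EXPECTED_HEADER='IP,Hostname,OS,Scan Start,Scan End,CVSS,Severity,High,Medium,Low,Log,False Positive,Total'

# validate_hosts_csv FILE
# Prints one line per problem and returns 1 if any were found.
# Note: fields are split on a plain comma; CSV_Hosts.xsl emits no commas
# inside the fields shown in the post, so no quote handling is attempted.
validate_hosts_csv() {
    awk -v expected="$EXPECTED_HEADER" '
        NR == 1 {
            if ($0 != expected) { print "line 1: unexpected header: " $0; bad++ }
            next
        }
        /^[ \t]*$/ { next }                       # ignore blank lines
        {
            n = split($0, f, ",")
            if (n != 13) { print "line " NR ": expected 13 fields, got " n; bad++; next }
            if (f[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print "line " NR ": bad IP " f[1]; bad++ }
            if (f[4] !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/) { print "line " NR ": bad Scan Start " f[4]; bad++ }
            sum = f[8] + f[9] + f[10] + f[11] + f[12]     # High+Medium+Low+Log+False Positive
            if (sum != f[13] + 0) { print "line " NR ": counts sum to " sum " but Total is " f[13]; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# host_rows FILE  -> number of host rows (header and blank lines excluded)
host_rows() {
    awk 'NR > 1 && !/^[ \t]*$/ { n++ } END { print n + 0 }' "$1"
}

# report_to_csv REPORT_XML OUT_CSV
# The conversion from the post, followed by the check; the CSV is removed
# again if the check fails so that nothing half-broken waits for the import.
report_to_csv() {
    xsltproc /usr/local/share/openvas/openvasmd/global_report_formats/9087b18c-626c-11e3-8892-406186ea4fc5/CSV_Hosts.xsl "$1" > "$2" || return 1
    if validate_hosts_csv "$2"; then
        echo "$(host_rows "$2") host rows ready for import in $2"
    else
        rm -f "$2"; return 1
    fi
}

# Constructed sample files: the two rows from the post, and a copy in which
# the High column was changed so the counts no longer add up to Total.
SAMPLE_CSV=$(mktemp) || exit 1
BROKEN_CSV=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_CSV" "$BROKEN_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
IP,Hostname,OS,Scan Start,Scan End,CVSS,Severity,High,Medium,Low,Log,False Positive,Total
192.168.1.107,,,2017-01-21T22:23:21+01:00,2017-01-21T22:24:44+01:00,0.0,None,0,0,0,14,0,14
192.168.1.108,,,2017-01-21T22:23:21+01:00,2017-01-21T22:25:51+01:00,0.0,None,0,0,0,8,0,8
EOF
cat > "$BROKEN_CSV" <<'EOF'
IP,Hostname,OS,Scan Start,Scan End,CVSS,Severity,High,Medium,Low,Log,False Positive,Total
192.168.1.107,,,2017-01-21T22:23:21+01:00,2017-01-21T22:24:44+01:00,0.0,None,1,0,0,14,0,14
EOF

validate_hosts_csv "$SAMPLE_CSV" && echo "sample: ok ($(host_rows "$SAMPLE_CSV") hosts)"
validate_hosts_csv "$BROKEN_CSV" || echo "broken sample: rejected"
```

Usage on the scanner would be report_to_csv /path/to/transferred/report scan.csv, with the report path being whatever the SCP alert delivered; the function only writes the CSV when the check passes.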

i-doit import configuration

[Screenshot: i-doit-openvas-3]


One thought on “OpenVAS: using the alert method scp to generate a .csv to import into i-doit.”

  1. Thanks for that great and very useful HowTo. I ran into almost the same problems.
    I’m still struggling with two topics:
    – name the transferred file to something like .csv to identify different scp’ed files by source
    – make scp connect with username & public key

    It would be really interesting to have these things running.

