admirito / gvm-containers

Greenbone Vulnerability Management Containers

gvm-tools question #35

Open franko108 opened 3 years ago

franko108 commented 3 years ago

Hello,

this is not an issue but a question.
How to connect gvm-tools (ideally from another Docker instance) to your docker instance(s)?
It can be on the very same VM (that is host for docker containers).

Otherwise, I like how openvas works on your Docker instances; this is one thing that I need: not having to import and update the IP lists manually.

Thanks, best.

franko108 commented 3 years ago

Well, instead of adding another docker container, I added a line in your gvmd/Dockerfile as there is already python 3:
python3 -m pip install gvm-tools; \

Gvm-tools are then installed within the container and respond to commands, but I can't connect gvm-cli to gvm. Either I don't see well or something else is the problem.
The doc states gvm-cli can be connected to the gvm socket, which should probably be in /run/gvm/gvmd.sock or /var/run/gvm/gvmd.sock within the same container, but I couldn't find it at all.
Can you help in that regard? Apparently you are the maintainer of the PPA as well, so you are really familiar with this software.

However, my suggestion is that gvm-tools be part of your docker stack; anyone who will use gvm-containers seriously will try to integrate it with their own orchestration tool like ansible, terraform, aws cli or anything else (or all from the list), providing their own lists of IPs and updating them on a regular basis.
With servers changing dynamically, opening and closing the IP list and doing a manual import is just not good enough.

Another really good part of your Docker setup is that it can update the new vulnerabilities, which makes it possible to run checks on a regular basis including the new security issues.
With the cli, this will be really great and useful software. Everything else that I've tried works properly.

admirito commented 3 years ago

It is a good idea to add gvm-tools as another container, but for now if you have gvm-tools installed anywhere (e.g. by pip or by apt from PPA), you can use the tls connection type to connect to the gvmd.

First find the IP address of gvmd. E.g. you can use docker inspect:

$ docker inspect gvm-containers_gvmd_1 | grep IPAddress
                    "IPAddress": "172.24.0.4",

So, in this example the IP address is 172.24.0.4. Then, you can run gvm-cli:

$ gvm-cli tls --hostname 172.24.0.4 --xml "<GET_VERSION/>"
<get_version_response status="200" status_text="OK"><version>20.08</version></get_version_response>
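
Added example (my own code, not from the gvm-containers project or from anyone in this thread): a small Python wrapper around the workflow above that looks up the gvmd container IP with docker inspect, sends GMP commands through `gvm-cli tls`, checks the response status before trusting the result, and builds a `<create_target>` command from an IP list (the orchestration use case raised earlier) with XML escaping so untrusted names cannot inject extra elements. It assumes docker and gvm-tools are on PATH and uses the container name from the thread.

```python
"""Wrap the gvm-cli tls workflow from the thread: docker inspect for the gvmd IP,
one GMP command per call, status checked on every response.
Assumptions: docker and gvm-tools on PATH; compose container name as in the thread."""
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape

CONTAINER = "gvm-containers_gvmd_1"  # container name used in the thread


def gvmd_ip(container: str = CONTAINER) -> str:
    """Return the container's IP on its network (same value the grep above shows)."""
    fmt = "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}"
    out = subprocess.run(["docker", "inspect", "-f", fmt, container],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


def create_target_xml(name: str, hosts: List[str]) -> str:
    """Build a GMP <create_target> command from an IP list. Name and hosts are
    escaped so a crafted value cannot add elements to the command."""
    return (f"<create_target><name>{escape(name)}</name>"
            f"<hosts>{escape(','.join(hosts))}</hosts></create_target>")


def parse_response(xml_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, payload): payload is <version> text for GET_VERSION,
    otherwise the id attribute a create_* response carries."""
    root = ET.fromstring(xml_text)
    version = root.findtext("version")
    return root.get("status", ""), version if version is not None else root.get("id")


def gmp(ip: str, command: str) -> str:
    """Send one command exactly as in the thread: gvm-cli tls --hostname IP --xml ..."""
    return subprocess.run(["gvm-cli", "tls", "--hostname", ip, "--xml", command],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    ip = gvmd_ip()
    status, version = parse_response(gmp(ip, "<GET_VERSION/>"))
    if status != "200":
        raise SystemExit(f"gvmd at {ip} answered with status {status}")
    print(f"gvmd {version} reachable at {ip}")
    # Constructed IP list standing in for one fed from an orchestration tool.
    cmd = create_target_xml("web tier", ["10.0.0.5", "10.0.0.6"])
    print(parse_response(gmp(ip, cmd)))
```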

franko108 commented 3 years ago

Thanks, this works!
Even running like:

$ docker exec -it gvm-containers_gvmd_1 gvm-cli tls --hostname 127.0.0.1 --xml ""
20.08

I added one shared volume between host and container that will use the IP list (and probably some other related things such as scan tasks), and this could work properly. Well, adding another container might be more in the spirit of decoupling, but this one-line addition within the same container might be even easier to use. Gvm-cli is not a daemon and does not take up too much space.

BTuma commented 2 years ago

I had trouble finding where the certs were to connect via TLS. For anyone else looking this might help you. My container version of GVM did not have SSH and the socket option didn't work in the startup script so TLS was my connection choice.

If you log in to the gvm container (`docker exec -it <containername/id> bash`) and then su to the gvm user, you can run this command to find the certificates you need to connect:

gvm-manage-certs -V

Simply copy the needed certs to a location on your client machine, set up your gvm-tools.config file, and that should work :)