immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0

[HELP] SCP Alert not working as expected #286

Closed DRIgnazGortngschirl closed 1 day ago

DRIgnazGortngschirl commented 2 months ago

Certainly! Here is your corrected text as a code block:

To Reproduce

Steps to reproduce the behavior:

  1. docker-compose.yml docker-compose.txt
  2. Create a credential (Password + Username or SSH Key)
  3. Create an alert with the SCP method and add all necessary settings such as IP, port and known_hosts in the format IP ALGO KEY

Expected behavior

Uploads the report to a different host than the VM where OpenVAS inside a container is run.

Environment (please complete the following information):

logs (commands assume the container name is 'openvas') Please attach the output from one of the following commands:

docker-compose-logs.txt

Additional context

I have checked the connection on port and to the remote system where I need to send the report to, also tried inside the container with success. Sadly I am unable to test in GUI. Also worked with SSH key copy just fine in and outside of the container to the desired host. Tried adding manually known_hosts to host system as well as again inside the container to the root user.

Can you provide me with any guidance?

immauss commented 2 months ago

Hmm ... I'll have to do some testing with this as I've never used the SCP alert. Unfortunately, I'm low on bandwidth right now, so this might take some time before I can look into it. You might want to check on the community forums too. You did say you could get to your target from inside the container, so it doesn't really sound like a container issue, so maybe someone over there could point you in the right direction. If you do find a solution before I get a chance .. please let me know.

Thanks, -Scott

DRIgnazGortngschirl commented 2 months ago

Hi Scott!

Thanks for the quick reply. I checked some forum posts and found that the known_hosts file might sometimes need to be added manually into the container. Do you know which user OpenVAS uses to copy reports via SCP to another host? I added the known_hosts manually for the root user inside the container. I successfully tested it once, but now I can't reproduce the steps on a different instance. I repeated all the steps, such as checking the port and the reachability of the remote host, adding the known_hosts file manually, and trying both SSH key and username/password authentication. Sadly, this instance is no longer available. I'll definitely let you know if I figure out how to make it work again :)

BR Mario

DRIgnazGortngschirl commented 2 months ago

I attempted to copy the report from the container to the host where Docker is running, and it worked on the first try. This might be due to the port specification, as we don't use port 22 for uploading to Defect Dojo, where it is later imported automatically. Instead, we use port 1122, which could be causing the issue. I will verify if the upload works with the default port 22. Currently, my workaround is as follows:

  1. Create credentials with username and password authentication.
  2. Create an alert, set the port to 22, specify the IP of the VM/Host, and add known hosts (copy the content from the root user inside the container to the host system, including the known_hosts file, ensuring to replace the hashed hostname with the IP of the host system). Also, add a path where the user has read/write access on the host system.
  3. Add the alert to the scan.

I will test further
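
The workaround above rewrites a hashed known_hosts hostname to the IP by hand. As an added example (not part of the original thread and not the project's code), this Python script finds the entries for a given host and port in an OpenSSH known_hosts file, including hashed ones, checks that ALGO agrees with the key blob, and emits them unhashed as HOST ALGO KEY. The `[host]:port` form for non-default ports is OpenSSH's file convention; that the alert's known hosts field is matched the same way is an assumption, and the function names, the address 192.0.2.10 and the sample keys are constructed.

```python
import base64, hashlib, hmac, struct

def host_token(host, port=22):
    # OpenSSH writes a host on a non-default port as "[host]:port".
    return host if port == 22 else f"[{host}]:{port}"

def matches(hosts_field, token):
    if hosts_field.startswith("|1|"):
        # Hashed entry: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=token))
        try:
            _, _, salt_b64, mac_b64 = hosts_field.split("|")
            salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:
            return False
        return hmac.compare_digest(hmac.new(salt, token.encode(), hashlib.sha1).digest(), mac)
    return token in hosts_field.split(",")  # plain names; wildcards not handled

def key_blob_algo(blob_b64):
    # A public key blob begins with a 4-byte big-endian length + algorithm name.
    blob = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def entries_for_alert(known_hosts_text, host, port=22):
    """Return (lines, problems) for the entries that match host:port."""
    token, lines, problems = host_token(host, port), [], []
    for no, raw in enumerate(known_hosts_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith(("#", "@")):
            continue  # blank line, comment, or @cert-authority/@revoked marker
        if len(fields) < 3:
            problems.append(f"line {no}: expected HOST ALGO KEY")
        elif matches(fields[0], token):
            try:
                embedded = key_blob_algo(fields[2])
            except (ValueError, struct.error):
                embedded = None  # not valid base64 key data
            if embedded != fields[1]:
                problems.append(f"line {no}: ALGO {fields[1]} but key blob says {embedded}")
            else:
                lines.append(f"{token} {fields[1]} {fields[2]}")  # unhashed form
    return lines, problems

def constructed_sample(host="192.0.2.10", port=1122):
    # Constructed data: all-zero ed25519 blob and fixed salt, not real host keys.
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    blob, salt = base64.b64encode(raw).decode(), bytes(range(20))
    mac = hmac.new(salt, host_token(host, port).encode(), hashlib.sha1).digest()
    hashed = "|1|" + "|".join(base64.b64encode(b).decode() for b in (salt, mac))
    return f"# constructed\n{hashed} ssh-ed25519 {blob}\n{host} ssh-rsa {blob}\n"
```

Calling `entries_for_alert(constructed_sample(), "192.0.2.10", 1122)` matches only the hashed entry, because the plain `192.0.2.10` line is a port 22 entry under OpenSSH's convention.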

DRIgnazGortngschirl commented 2 months ago

An easier, though less secure, method is to use the "send to host" option. You can set up ncat to listen on a port on any destination system and wait for a report to be uploaded. The downside is that the data is not encrypted. I use this method to quickly extract the report from the container and upload it to its destination, Dojo, using a custom script, where it is then imported.

I would really wanna know what's causing the troubles with SCP but got no time to check.

immauss commented 1 day ago

Sounds like you have this worked out. If you need more help with it, please open a new issue.

Thanks, -Scott