GSM: Configuring a Scan Sensor
You have already configured a central Master, but it cannot reach all segments of your network.
The next step is to deploy Scan Sensors so that those unreachable segments can be scanned for vulnerabilities as well.
All communication between the Master and a Scan Sensor is initiated by the Master. The OpenVAS Management Protocol (OMP) uses TCP port 9390 for this communication.
The feed update for a Scan Sensor is either pulled directly from the Greenbone Update Servers or pushed from the Master. The Master pushes the feed to the Scan Sensor using SSH on TCP port 22. If you do not wish to use this feature and there is a firewall between the Master and the Scan Sensor, this firewall should not block SSH silently (policy setting “Drop” or “Deny”). Instead it should either permit the traffic (“Accept” or “Permit”) or block the connection with feedback (“Reject”), because the Master will always try to push settings and would otherwise have to wait for a timeout on every attempt.
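Before adding a sensor it is worth checking from the Master's network position whether TCP 9390 and TCP 22 on the sensor are open, rejected or silently dropped, since only the last case produces the timeout waits described above. The following Python is an added example, not part of the GSM documentation or of GOS; the port list and the state names are this example's own.

```python
"""Pre-flight port check from the Master towards a Scan Sensor.

Added example, not part of the GSM documentation or of GOS itself.  Run it
from the Master's network position against each Scan Sensor before adding
it.  It distinguishes a port that is open from one a firewall rejects
(immediate RST or ICMP unreachable) and one a firewall silently drops (no
answer until the timeout), the case the text above warns about for SSH.
"""
import errno
import socket
import sys

# Ports the Master opens towards a Scan Sensor (both initiated by the Master).
SENSOR_PORTS = {
    9390: "OMP: Master controls the Scan Sensor",
    22: "SSH: Master pushes feed and settings",
}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify host:port as 'open', 'rejected', 'dropped', 'unreachable'
    or 'unresolvable' (assumed state names, chosen for this example)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # TCP RST or ICMP port-unreachable came back: a "Reject" policy,
        # or nothing is listening.  The Master learns this immediately.
        return "rejected"
    except socket.timeout:
        # Nothing came back before the timeout: a silent "Drop"/"Deny"
        # policy or a host that is down.  This is what makes the Master wait.
        return "dropped"
    except socket.gaierror:
        return "unresolvable"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise


def check_sensor(host: str, timeout: float = 3.0) -> dict:
    """Probe every Master -> Sensor port; a 'dropped' result needs a firewall fix."""
    return {port: probe(host, port, timeout) for port in SENSOR_PORTS}


def self_check() -> dict:
    """Sanity-check the classifier against a loopback listener before use.

    Binds a listener on an ephemeral port (expected 'open'), then closes it
    and probes the same port again (expected 'rejected').  A silent drop
    cannot be produced on loopback, so that case is not covered here.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {"listening": probe("127.0.0.1", port, 1.0)}
    listener.close()
    result["closed"] = probe("127.0.0.1", port, 1.0)
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <sensor-host>")
    for port, state in check_sensor(sys.argv[1]).items():
        print(f"{port:>5}  {state:<12} {SENSOR_PORTS[port]}")
```

A result of "dropped" on port 22 means the firewall between Master and sensor uses a silent policy for SSH and should be changed to "Accept" or "Reject"; "dropped" on port 9390 means the Master will not be able to control the sensor at all.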
Basic configuration of the Scan Sensor
As with any other GSM, a Scan Sensor is initially configured using the serial console. Beyond the basic network settings and the administrative access, a Scan Sensor needs two mandatory settings:
- The Scan Account the Master should use to control the Scan Sensor
- Enabling the Remote OMP Feature with
set public_omp enabled
Configuration of the Master
A Scan Sensor is added to the Master at “Configuration -> Slaves”:
Login and Password use the Scan Account that was configured on the Scan Sensor in the first step.
After the Scan Sensor has been added this way it can be used when configuring tasks:
Using the Master as a feed source
In many cases where security policies forbid scanning a network segment directly from the Master, Internet access from that segment is prohibited as well, so the Scan Sensor cannot pull the feed itself. To keep the Scan Sensor up to date in this scenario, it can synchronize from the Master instead. This happens automatically each time the Master synchronizes with the Greenbone Update Servers.
To use this feature a few steps are needed. First, retrieve the “Master Key” from the Master (on the serial console or via SSH):
gsm> show masterkey
ssh-dss AAAAB3NzaC1kc3MAAACBANd6Hj7Vxta57Qf5np4+vhsxa8aiiLd8asAHCL0vD …
Then transfer the “Master Key” to the Scan Sensor and display it again there:
gsm> masterkeydownload
Please paste the master key into the CLI, END with CTRL-D
ssh-dss AAAAB3NzaC1kc3MAAACBANd6Hj7Vxta57Qf5np4+vhsxa8aiiLd8asAHCL0vD …
gsm> show masterkey
ssh-dss AAAAB3NzaC1kc3MAAACBANd6Hj7Vxta57Qf5np4+vhsxa8aiiLd8asAHCL0vD …
Verifying the “Master Key” after the download is recommended, because many USB-to-serial converters on the market are implemented incorrectly and may drop or alter characters of the pasted key. The key is the Master's SSH public key; a truncated or corrupted copy means the Master cannot log in to push the feed, so compare the complete string shown on the Scan Sensor with the one shown on the Master, not just its beginning.
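Comparing a long base64 string by eye is unreliable. The following Python is an added example, not part of the GSM documentation or of GOS: it takes the `show masterkey` output copied from both sides and compares OpenSSH-style SHA256 fingerprints, and it walks the key blob's length-prefixed fields so that a key the serial link truncated or corrupted is reported as invalid rather than accepted. The sample key embedded in it is constructed and meaningless, not a real Master Key, and the function names are this example's own.

```python
"""Compare the Master Key shown on the Master and on the Scan Sensor.

Added example, not part of the GSM documentation or of GOS.  Paste the output
of `show masterkey` from both devices into the two strings and compare the
fingerprints instead of the raw base64.  The parser rejects a key blob whose
internal length fields do not add up, which is what a dropped or altered
character on a faulty USB-to-serial link typically produces.
"""
import base64
import hashlib
import struct
from typing import Tuple


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes]:
    """Return (key_type, raw_blob) for one '<type> <base64> [comment]' line.

    Raises ValueError when the base64 is damaged or the blob is not a
    well-formed sequence of SSH uint32-length-prefixed strings.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"base64 is damaged: {exc}") from exc
    # Walk every length-prefixed field and demand that the blob is consumed
    # exactly; truncation or an extra character breaks this accounting.
    off, strings = 0, []
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of key blob")
        strings.append(blob[off:off + n])
        off += n
    # The first field repeats the key type given at the start of the line.
    if not strings or strings[0] != key_type.encode():
        raise ValueError("blob does not start with the declared key type")
    return key_type, blob


def fingerprint(line: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of the key blob."""
    _, blob = parse_openssh_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def describe(line: str) -> str:
    """Fingerprint, or 'INVALID: <reason>' if the pasted key is damaged."""
    try:
        return fingerprint(line)
    except ValueError as exc:
        return f"INVALID: {exc}"


def keys_match(master_side: str, sensor_side: str) -> bool:
    """True only if both copies are intact and identical keys."""
    return fingerprint(master_side) == fingerprint(sensor_side)


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed, non-functional ssh-dss blob (type, p, q, g, y) used only to
# exercise the checks; the real Master Key comes from `show masterkey`.
SAMPLE_KEY = "ssh-dss " + base64.b64encode(
    _ssh_string(b"ssh-dss")
    + _ssh_string(b"\x00" + b"p" * 32)
    + _ssh_string(b"\x00" + b"q" * 20)
    + _ssh_string(b"\x00" + b"g" * 32)
    + _ssh_string(b"\x00" + b"y" * 32)
).decode() + " gsm-master"


if __name__ == "__main__":
    # Replace both strings with the real `show masterkey` output.
    on_master = SAMPLE_KEY
    on_sensor = SAMPLE_KEY
    print("Master :", describe(on_master))
    print("Sensor :", describe(on_sensor))
    print("match  :", keys_match(on_master, on_sensor))
```

The trailing comment of the key line is ignored on purpose, so the comparison is not disturbed if only one side shows it.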
On the Scan Sensor, use gos-admin-menu to enable the Scan Sensor to receive updates from its Master:
- Activate remote SSH access on the Scan Sensor in the “Remote” menu:
- Disable feed synchronization from the Internet in the “Feed” menu:
- Enable updates from the Master in the “Feed” menu:
On the Master, use gos-admin-menu to add the Scan Sensor to the list of sensors and to enable the Master to send updates to the sensors:
- Activate automatic Scan Sensor synchronization in the “Sensors” menu:
- Add the Scan Sensor to the list in the “Sensors” menu:
- You can check the connection to the Scan Sensor using the “Check sensors” entry:
Since the Master pushes the feed to the Scan Sensor only after its own feed update from the Greenbone Update Servers, a newly connected Scan Sensor receives the current feed only after the Master's next feed update.