Add missing scanner params #293

Merged
merged 7 commits into from
Jul 24, 2020
Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
managing the version information in ospd-openvas [#238](https://github.com/greenbone/ospd-openvas/pull/238)
- Pass store directory to OSPDaemon init [#266](https://github.com/greenbone/ospd-openvas/pull/266)
- Add URI field to results for file path or webservice URL [#271](https://github.com/greenbone/ospd-openvas/pull/271)
- Add element to OSPD_PARAMS entries to indicate visibility for client. [#293](https://github.com/greenbone/ospd-openvas/pull/293)

### Changed
- Less strict checks for the nvti cache version
148 changes: 141 additions & 7 deletions ospd_openvas/daemon.py
Expand Up @@ -77,37 +77,34 @@
'name': 'auto_enable_dependencies',
'default': 1,
'mandatory': 1,
'visible_for_client': True,
'description': 'Automatically enable the plugins that are depended on',
},
'cgi_path': {
'type': 'string',
'name': 'cgi_path',
'default': '/cgi-bin:/scripts',
'mandatory': 1,
'visible_for_client': True,
'description': 'Look for default CGIs in /cgi-bin and /scripts',
},
'checks_read_timeout': {
'type': 'integer',
'name': 'checks_read_timeout',
'default': 5,
'mandatory': 1,
'visible_for_client': True,
'description': (
'Number of seconds that the security checks will '
+ 'wait for when doing a recv()'
),
},
'drop_privileges': {
'type': 'boolean',
'name': 'drop_privileges',
'default': 0,
'mandatory': 1,
'description': '',
},
'non_simult_ports': {
'type': 'string',
'name': 'non_simult_ports',
'default': '139, 445, 3389, Services/irc',
'mandatory': 1,
'visible_for_client': True,
'description': (
'Prevent to make two connections on the same given '
+ 'ports at the same time.'
Expand All @@ -118,6 +115,7 @@
'name': 'open_sock_max_attempts',
'default': 5,
'mandatory': 0,
'visible_for_client': True,
'description': (
'Number of unsuccessful retries to open the socket '
+ 'before to set the port as closed.'
Expand All @@ -128,6 +126,7 @@
'name': 'timeout_retry',
'default': 5,
'mandatory': 0,
'visible_for_client': True,
'description': (
'Number of retries when a socket connection attempt ' + 'timesout.'
),
Expand All @@ -137,6 +136,7 @@
'name': 'optimize_test',
'default': 5,
'mandatory': 0,
'visible_for_client': True,
'description': (
'By default, openvas does not trust the remote ' + 'host banners.'
),
Expand All @@ -146,20 +146,23 @@
'name': 'plugins_timeout',
'default': 5,
'mandatory': 0,
'visible_for_client': True,
'description': 'This is the maximum lifetime, in seconds of a plugin.',
},
'report_host_details': {
'type': 'boolean',
'name': 'report_host_details',
'default': 1,
'mandatory': 1,
'visible_for_client': True,
'description': '',
},
'safe_checks': {
'type': 'boolean',
'name': 'safe_checks',
'default': 1,
'mandatory': 1,
'visible_for_client': True,
'description': (
'Disable the plugins with potential to crash '
+ 'the remote services'
Expand All @@ -170,13 +173,15 @@
'name': 'scanner_plugins_timeout',
'default': 36000,
'mandatory': 1,
'visible_for_client': True,
'description': 'Like plugins_timeout, but for ACT_SCANNER plugins.',
},
'time_between_request': {
'type': 'integer',
'name': 'time_between_request',
'default': 0,
'mandatory': 0,
'visible_for_client': True,
'description': (
'Allow to set a wait time between two actions '
+ '(open, send, close).'
Expand All @@ -187,20 +192,23 @@
'name': 'unscanned_closed',
'default': 1,
'mandatory': 1,
'visible_for_client': True,
'description': '',
},
'unscanned_closed_udp': {
'type': 'boolean',
'name': 'unscanned_closed_udp',
'default': 1,
'mandatory': 1,
'visible_for_client': True,
'description': '',
},
'expand_vhosts': {
'type': 'boolean',
'name': 'expand_vhosts',
'default': 1,
'mandatory': 0,
'visible_for_client': True,
'description': 'Whether to expand the target hosts '
+ 'list of vhosts with values gathered from sources '
+ 'such as reverse-lookup queries and VT checks '
Expand All @@ -211,10 +219,136 @@
'name': 'test_empty_vhost',
'default': 0,
'mandatory': 0,
'visible_for_client': True,
'description': 'If set to yes, the scanner will '
+ 'also test the target by using empty vhost value '
+ 'in addition to the targets associated vhost values.',
},
'max_hosts': {
'type': 'integer',
'name': 'max_hosts',
'default': 30,
'mandatory': 0,
'visible_for_client': False,
'description': (
'The maximum number of hosts to test at the same time which '
+ 'should be given to the client (which can override it). '
+ 'This value must be computed given your bandwidth, '
+ 'the number of hosts you want to test, your amount of '
+ 'memory and the performance of your processor(s).'
),
},
'max_checks': {
'type': 'integer',
'name': 'max_checks',
'default': 10,
'mandatory': 0,
'visible_for_client': False,
'description': (
'The number of plugins that will run against each host being '
+ 'tested. Note that the total number of process will be max '
+ 'checks x max_hosts so you need to find a balance between '
+ 'these two options. Note that launching too many plugins at '
+ 'the same time may disable the remote host, either temporarily '
+ '(ie: inetd closes its ports) or definitely (the remote host '
+ 'crash because it is asked to do too many things at the '
+ 'same time), so be careful.'
),
},
'port_range': {
'type': 'string',
'name': 'port_range',
'default': '',
'mandatory': 0,
'visible_for_client': False,
'description': (
'This is the default range of ports that the scanner plugins will '
+ 'probe. The syntax of this option is flexible, it can be a '
+ 'single range ("1-1500"), several ports ("21,23,80"), several '
+ 'ranges of ports ("1-1500,32000-33000"). Note that you can '
+ 'specify UDP and TCP ports by prefixing each range by T or U. '
+ 'For instance, the following range will make openvas scan UDP '
+ 'ports 1 to 1024 and TCP ports 1 to 65535 : '
+ '"T:1-65535,U:1-1024".'
),
},
'test_alive_hosts_only': {
'type': 'boolean',
'name': 'test_alive_hosts_only',
'default': 0,
'mandatory': 0,
'visible_for_client': False,
'description': (
'If this option is set, openvas will scan the target list for '
+ 'alive hosts in a separate process while only testing those '
+ 'hosts which are identified as alive. This boosts the scan '
+ 'speed of target ranges with a high amount of dead hosts '
+ 'significantly.'
),
},
'source_iface': {
'type': 'string',
'name': 'source_iface',
'default': '',
'mandatory': 0,
'visible_for_client': False,
'description': (
'Name of the network interface that will be used as the source '
+ 'of connections established by openvas. The scan won\'t be '
+ 'launched if the value isn\'t authorized according to '
+ '(sys_)ifaces_allow / (sys_)ifaces_deny if present.'
),
},
'ifaces_allow': {
'type': 'string',
'name': 'ifaces_allow',
'default': '',
'mandatory': 0,
'visible_for_client': False,
'description': (
'Comma-separated list of interfaces names that are authorized '
+ 'as source_iface values.'
),
},
'ifaces_deny': {
'type': 'string',
'name': 'ifaces_deny',
'default': '',
'mandatory': 0,
'visible_for_client': False,
'description': (
'Comma-separated list of interfaces names that are not '
+ 'authorized as source_iface values.'
),
},
'hosts_allow': {
'type': 'string',
'name': 'hosts_allow',
'default': '',
'mandatory': 0,
'visible_for_client': False,
'description': (
'Comma-separated list of the only targets that are authorized '
+ 'to be scanned. Supports the same syntax as the list targets. '
+ 'Both target hostnames and the address to which they resolve '
+ 'are checked. Hostnames in hosts_allow list are not resolved '
+ 'however.'
),
},
'hosts_deny': {
'type': 'string',
'name': 'hosts_deny',
'default': '',
'mandatory': 0,
'visible_for_client': False,
'description': (
'Comma-separated list of targets that are not authorized to '
+ 'be scanned. Supports the same syntax as the list targets. '
+ 'Both target hostnames and the address to which they resolve '
+ 'are checked. Hostnames in hosts_deny list are not '
+ 'resolved however.'
),
},
}


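Review bot: `'visible_for_client': False` on the new `hosts_allow`, `hosts_deny`, `ifaces_allow`, `ifaces_deny` and `source_iface` entries reads like a protection, but nothing in this section shows it being more than a listing hint, and the `max_hosts` description says outright that the client can override the value. If hidden parameters are still accepted from the scan request, the target and interface restrictions are only as trustworthy as whoever can talk to the daemon, and that deserves a comment next to the first hidden entry, e.g. `# visible_for_client=False only hides a param from the client-facing list; values sent by a client are still applied`. If these entries are meant to be operator-only instead, the rejection has to happen where the scan request is parsed, which is outside this diff. The dict itself (OSPD_PARAMS, going by the changelog entry) starts before the first hunk, so its header and any existing documentation of the entry fields are not visible here.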
4 changes: 4 additions & 0 deletions ospd_openvas/preferencehandler.py
Expand Up @@ -500,6 +500,10 @@ def prepare_scan_params_for_openvas(self, ospd_params: Dict[str, Dict]):
val = _from_bool_to_str(value)
else:
val = str(value)
# Do not add options which only have the empty string as value.
# We may run into problems on openvas side otherwise.
if val == '':
continue
prefs_val.append(key + "|||" + val)

self.kbdb.add_scan_preferences(self._openvas_scan_id, prefs_val)
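Review bot: The new `if val == '': continue` drops the preference without a trace and matches only the exact empty string, so a whitespace-only value still reaches openvas and an operator cannot tell from the logs that a setting such as `port_range` or `hosts_deny` was discarded. Consider `if not val.strip():` with a debug message naming `key` before the `continue`, using the module's logger if it has one. The same loop joins `key` and `val` with `|||`, and no check is visible that `val` is free of that delimiter or of line breaks; whether that is validated earlier cannot be seen, because the hunk starts inside the loop body of `prepare_scan_params_for_openvas`.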