[Openvas-devel] [openvas-Bugs][6335] openvas-adduser rules are not recognized by OpenVAS Administrator

noreply at wald.intevation.org
Thu May 17 14:47:17 CEST 2012


Bugs item #6335, was opened at 2012-05-17 14:47 by Joerg Gerschuetz
You can respond by visiting: 
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6335&group_id=29

Status: Open
Priority: 3
Submitted By: Joerg Gerschuetz (sniffermaster)
Assigned to: Nobody (None)
Summary: openvas-adduser rules are not recognized by OpenVAS Administrator 
Architecture: 64 Bit
Product: OpenVAS
Operating System: Linux
Component: openvas-scanner
Version: None
Severity: major
Resolution: Awaiting Response
Hardware: PC
URL: 


Initial Comment:
If you add a user via openvas-adduser, e.g.

----
sudo openvas-adduser
Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------


Login : OpenVASAdmin
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that OpenVASAdmin has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
default accept


Login             : OpenVASAdmin
Password          : ***********

Rules             :
default accept


Is that ok? (y/n) [y] y
user added.
---

the generated rules file in
/usr/local/var/lib/openvas/users/OpenVASAdmin/auth
is not recognized, although the syntax seems to be ok.
When using GSA the user's host access is displayed as "Custom" and most probably defaults to "deny".

When I schedule a scan I find errors in openvassd.messages:
[Thu May 17 11:21:23 2012][3083] user om : attempted to add rules on top of server rules
[Thu May 17 11:21:33 2012][3083] user om starts a new scan. Target(s) : 192.168.10.199, with max_hosts = 20 and max_checks = 4
[Thu May 17 11:21:33 2012][3083] user om : rejected attempt to scan 192.168.10.199
[Thu May 17 11:21:33 2012][3083] user om : test complete


I tried to play around a little bit, and it seems as if you HAVE to use the two comment lines EXACTLY as they are generated when adding a user through GSA, i.e.


---
openvas-adduser
Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------


Login : i
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that i has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
# This file is managed by the OpenVAS Administrator.
# Any modifications must keep to the format that the Administrator expects.


Login             : i
Password          : ***********

Rules             :
# This file is managed by the OpenVAS Administrator.
# Any modifications must keep to the format that the Administrator expects.


Is that ok? (y/n) [y] y
user added.
---

This user is displayed correctly in GSA as:
i User Allow All

If I only skip the "." when the rules are set:

---
openvas-adduser
Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------


Login : j
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that j has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
# This file is managed by the OpenVAS Administrator
# Any modifications must keep to the format that the Administrator expects


Login             : j
Password          : ***********

Rules             :
# This file is managed by the OpenVAS Administrator <--------- "." deleted
# Any modifications must keep to the format that the Administrator expects <--------- "." deleted


Is that ok? (y/n) [y] y
user added.
---

This user j ends up with custom settings:
j User Custom



Steps to reproduce:

(1) Create a user with openvas-adduser - when asked for rules use:

# This file is managed by the OpenVAS Administrator.
# Any modifications must keep to the format that the Administrator expects.

in the first two lines (and eventually more rules)
Result: The user has a correct rule set

(2) Create another user - when asked for rules use e.g.

default accept
or
accept 1.1.1.1
default deny
or whatever example found in "man openvas-adduser"
Result: The user seems to have an invalid/undefined rule set. When checking via GSA the user has "Custom" as Host Access.

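The following checker is an added example, not part of the bug report or of OpenVAS. It reads a per-user rules file of the kind openvas-adduser writes (the report names /usr/local/var/lib/openvas/users/<login>/auth), verifies that the first two lines are exactly the two Administrator header comments the reporter found to be required (trailing periods included), and parses the remaining "default accept/deny" and "accept/deny <host>" rules so an administrator can spot a file that GSA would show as "Custom". The exact-header requirement is taken from the report's observation, not from OpenVAS documentation.

```python
# Added example (not from the bug report or OpenVAS): check a user's rules file
# for the two header comment lines the report says the Administrator expects
# verbatim, then parse the rule lines shown in the report.
import re
from dataclasses import dataclass, field

EXPECTED_HEADER = (
    "# This file is managed by the OpenVAS Administrator.",
    "# Any modifications must keep to the format that the Administrator expects.",
)
# Rule forms seen on the page: "default accept|deny", "accept <host>", "deny <host>".
RULE_RE = re.compile(r"^(accept|deny)\s+(\S+)$|^default\s+(accept|deny)$")


@dataclass
class RulesCheck:
    header_ok: bool                       # both header lines match exactly
    header_problems: list = field(default_factory=list)
    rules: list = field(default_factory=list)      # (action, host) or ("default", action)
    bad_lines: list = field(default_factory=list)  # (lineno, text) that parse as nothing


def check_rules_file(text: str) -> RulesCheck:
    lines = text.splitlines()
    problems = []
    for i, expected in enumerate(EXPECTED_HEADER):
        actual = lines[i] if i < len(lines) else ""
        if actual != expected:   # exact comparison: a missing "." is a mismatch
            problems.append(f"line {i + 1}: expected {expected!r}, got {actual!r}")
    result = RulesCheck(header_ok=not problems, header_problems=problems)
    for lineno, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue             # blank lines and comments carry no rule
        m = RULE_RE.match(stripped)
        if m is None:
            result.bad_lines.append((lineno, line))
        elif m.group(3):
            result.rules.append(("default", m.group(3)))
        else:
            result.rules.append((m.group(1), m.group(2)))
    return result


# Constructed sample inputs mirroring the three cases in the report.
GOOD = "\n".join(EXPECTED_HEADER) + "\ndefault accept\n"
NO_DOT = GOOD.replace("Administrator.", "Administrator").replace("expects.", "expects")
MANUAL = "accept 1.1.1.1\ndefault deny\n"
```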

----------------------------------------------------------------------