[Openvas-discuss] Questions on distributed Setup

Thijs Stuurman Thijs.Stuurman at internedservices.nl
Tue Apr 24 15:55:32 CEST 2018


I use the same model but cannot quickly answer the asked questions:

> 1) Is it possible to run the Postgres on a different machine than 
> GVM+GSA? If yes: how? I was not able to find a definite place for 
> configuration :( So far I found a couple mentions of psql and sqlite 
> calls in source code and some wrapper scripts. Depending on the 
> current stance about this topic in the community, we are willing to 
> share our solution with you all. If you are interested ;-)
 
Should be but I don't see where the option is or should go; search for conf options.
I run the postgresql on the Master itself, gvm+gsa doesn't do much so basically it's your DB server. Why bother splitting them up?
(if you want to for zoning purposes, put an Apache reverse proxy in front of it in your DMZ)


> 2) As far as I understand, openvas-scanner needs a redis-service and access to (a local) NVT database. Does it also require connection to SCAP and CERT data or (probably in our case) the central Postgres?

I don't think it generally uses the scap and cert data, I often have had sync issues with those.
Basically your slave scanner is the same as your master but will run just fine with sqlite instead of postgresql.
Other than that they are the same with their owen NVT database.. just not running GSA as you don't need a web interface on there.

When the master gives them a task they will run it completely themselves and constantly feed back the results. The master will end up with all the scan results and history; the slave will probably be empty afterwards. You can trash the slave or give the task to another slave without worries.

You want postgresql on your master for the amount of data it will have, speed.. and I believe its now preferred over sqlite?
Also it can process more requests, one SELECT per CPU core.. which helps a lot. (still I find it very slow, the SELECTs take a long time for me)
 
> 3) I found a couple tutorials online, how to set up openvas9 with postgres. Sadly those all mention the "migrate-to-postgres" script, which (afaik) require a running setup with SQLite. Is it also possible to setup openvas9 using postgres without having to build the sqlite version beforehand? Any vage hints?

I had to migrate but I suppose if you setup a new clean installation with postgresql, it will setup the initial database in there just like it would do in sqlite?
Just give it a try.


Thijs Stuurman
Security Operations Center | KPN Internedservices B.V.
thijs.stuurman at internedservices.nl | thijs.stuurman at kpn.com
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048

W: https://www.internedservices.nl | L: https://nl.linkedin.com/in/thijsstuurman

-----Oorspronkelijk bericht-----
Van: Openvas-discuss <openvas-discuss-bounces at wald.intevation.org> Namens Louis Bohm
Verzonden: dinsdag 24 april 2018 15:27
Aan: Frieder Schlesier <fschlesier at gk-software.com>
CC: openvas-discuss at wald.intevation.org
Onderwerp: Re: [Openvas-discuss] Questions on distributed Setup

I can tell you that I do use the Master/Slave setup and there is at least one other person on this list who uses the same model.  Its pretty simple.  The slaves just perform the actual scanning of the host and their disk usage is constant.  I have one the slaves in AWS and one in the new IBM cloud (my company has instances in both clouds right now).  Both slaves are using 20GB of disk.  The number of CPUs and RAM is totally dependent on how many hosts you want to scan at a time.

The master I have is running on VMWare.  This is where it uses the DB.  Right now I am using the sqlite DB but I am thinking of going to Postgresql for better performance.  Generally I can run about 5-10 scans (using a subset of the full and deep profile).

I will say that even if you are using a slave the master is being hit.  The slave is the host reaching out to the end point doing the scanning.  However, the slave scanner is CONSTANTLY updating the master with results.  And from what I can get from the logs the Master is updating the slave with new marching orders. 

If you are going to go over to postgresql do not bother doing the slaves.  Only worry about the master.  The same is true with Reds.  Only worry about the Master.  The slaves can be swapped in and out very quickly with little effort.  I even started writing a build script that I was thinking of pumping in to AWS cloud formation so it could build a new slave on demand.  However, it just takes too long to download the NVTs.  So I have a script to stop and start the AWS slave as needed.

As far as building OpenVAS with Postgresql from scratch I am sure there are directions some where.  But to be honest its so simple to install fully functional base system its not even funny.  Then chaining over to postgresql is simple.  Why make it harder then it needs to be.

Louis
:::::
Louis Bohm - Sr. Systems Engineer
	Dell TechDirect Certified

> On Apr 23, 2018, at 8:21 AM, Frieder Schlesier <fschlesier at gk-software.com> wrote:
> 
> Hi folks,
> 
> we are trying to set up an infrastructure with multiple scanner-slaves in different locations and one central GVM+GSA. Also we want to use Postgres as DB Backend.
> 
> So far, a few questions came up:
> 
> 1) Is it possible to run the Postgres on a different machine than 
> GVM+GSA? If yes: how? I was not able to find a definite place for 
> configuration :( So far I found a couple mentions of psql and sqlite 
> calls in source code and some wrapper scripts. Depending on the 
> current stance about this topic in the community, we are willing to 
> share our solution with you all. If you are interested ;-)
> 
> 2) As far as I understand, openvas-scanner needs a redis-service and access to (a local) NVT database. Does it also require connection to SCAP and CERT data or (probably in our case) the central Postgres?
> 
> 3) I found a couple tutorials online, how to set up openvas9 with postgres. Sadly those all mention the "migrate-to-postgres" script, which (afaik) require a running setup with SQLite. Is it also possible to setup openvas9 using postgres without having to build the sqlite version beforehand? Any vage hints?
> 
> Thanks in advance :)
> 
> --
> 
> Mit freundlichen Grüßen / Best regards Frieder Schlesier IT-Service 
> ______________________ GK Software SE Waldstraße 7 | 08261 Schöneck | 
> Germany www.gk-software.com Sitz der Gesellschaft / Registered Office 
> of the Company: Waldstr. 7 | 08261 Schöneck | Germany 
> Aufsichtsratsvorsitzender / Chairman of the Supervisory Board: Uwe 
> Ludwig Vorstand/Management Board: Rainer Gläß (CEO), Andre Hergert 
> Amtsgericht Chemnitz HRB 31501 / Commercial Register Chemnitz HRB 
> 31501
> 
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss at wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-dis
> cuss

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss at wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss


More information about the Openvas-discuss mailing list