OpenVAS is broken after distupgrade to Kali 2.0

[adamhj]

I have replaced some timestamp in log content with XXXX-XX-XX XXhXX.XX UTC:XXXX, because the forum has a silly firewall which will prevent me from submitting this post if I don't do this

I run a distupgrade to kali 2.0 days before and now found that openvas can not work correctly

I can log into the web console and create scan tasks, but no task will start. Clicking start on tasks reports:

Operation: Start Task
Status code: 503
Status message: Service temporarily down

checked the openvasmd log and found this:

lib serv:WARNING:2015-12-11 05h16.22 UTC:4668: Failed to shake hands with peer: The TLS connection was non-properly terminated.
lib serv:WARNING:XXXX-XX-XX XXhXX.XX UTC:XXXX: Failed to shutdown server socket
event task:MESSAGE:XXXX-XX-XX XXhXX.XX UTC:XXXX: Task db60c538-ad1e-4f6f-9cd1-3e80b9926d46 could not be started by admin

tried openvas initial setup and got no luck

tried delete openvas ca&server&client cert manually and generate them with openvas-mkcert/openvas-mkcert-client and the problem is still their

tried run openvas-setup line by line and found that openvasmd --rebuild --progress will fail:

Rebuilding NVT cache... failed.

the error in log file looks the same:

lib serv:WARNING:2015-12-11 05h21.23 utc:4701: Failed to shake hands with peer: The TLS connection was non-properly terminated.
lib serv:WARNING:XXXX-XX-XX XXhXX.XX UTC:XXXX: Failed to shutdown server socket

openvas-check-setup runs without error:

root@kali:~# openvas-check-setup --v8
openvas-check-setup 2.3.0
Test completeness and readiness of OpenVAS-8
(add '--v6' or '--v7' or '--9'
if you want to check for another OpenVAS version)

Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mai...penvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.0.1.
OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
OK: OpenVAS Scanner server certificate is valid and present as /var/lib/openvas/CA/servercert.pem.
OK: NVT collection in /var/lib/openvas/plugins contains 44735 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /var/cache/openvas contains 71963 files for 44735 NVTs.
OK: redis-server is present in version v=2.8.17.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/lib/redis/redis.sock
OK: redis-server is running and listening on socket: /var/lib/redis/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 6.0.1.
OK: OpenVAS Manager client certificate is valid and present as /var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: At least one user exists.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 146.
OK: OpenVAS Manager expects database at revision 146.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 39009 NVTs.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 6.0.1.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.0.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening only on the local interface.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
WARNING: OpenVAS Manager is running and listening only on the local interface.
This means that you will not be able to access the OpenVAS Manager from the
outside using GSD or OpenVAS CLI.
SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want
a local service only.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
WARNING: Greenbone Security Assistant is running and listening only on the local interface.
This means that you will not be able to access the Greenbone Security Assistant from the
outside using a web browser.
SUGGEST: Ensure that Greenbone Security Assistant listens on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation ...
WARNING: Your version of nmap is not fully supported: 7.00
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
WARNING: Could not find rpm binary, LSC credential package generation for RPM and DEB based targets will not work.
SUGGEST: Install rpm.
WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
SUGGEST: Install nsis.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mai...penvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

found some link on internet that may be related
http://comments.gmane.org/gmane.comp...vas.users/7764

This thread says that the problem is related to a bug in libgnutls 3.3.8 and openvas version below 8.0.4. Then I checked that in the current release of kali sana, libgnutls is of version 3.3.8, and openvas's version is 8.0.1, so I think I have meet the same problem, and if this is the case, it means openvas in current sana release won't work at all

[grid]

I just updated my Kali install, and OpenVAS is working fine for me. Have you tried removing & reinstalling OpenVAS?

[adamhj]

well, this works..

removed all contents in directories named openvas found in the system, except for those in metasploit
ran apt-get install --reinstall with dpkg option --force-confmiss for all openvas components
start an openvas-setup again
now it works

I'm wondering what is the root cause of this case..

One way or another, thank you for your hint

[adamhj]

well with my reinstall, the scanner can not connect to redis now..
it seems no package contains file /etc/openvas/openvassd.conf which set the redis socket path..
manually create this file and add a line fix this:

kb_location=/var/lib/redis/redis.sock

I'm wondering where did the original file come from..

[adamhj]

Ok, I found the root cause, someone on openvas mail-list give me this link:
https://svn.wald.intevation.org/svn/...anager/INSTALL -> "Updating Scanner Certificates"

the reason for my problem is that i generated new certs without updating the the scanner's cert, with the command in the link above

I think it is better to add this command into openvas-setup script, as the default lifetime in the cert generation script is only one year, everyone will come to this problem after one year's usage of openvas in kali

[grid]

Good points, adamhj. Glad you got it working & thanks for posting the fix