| Description | Permissions for the /etc/openvas/gnupg folder are not correct. Because _gvm doesn't have access to this folder, it prevents the verification key database and temp files from being saved there. This causes gnupg signature verification to fail, which results in ospd-openvas to respawn over and over again (attempting a sync but failing).
OSPD[17844] 2023-02-20 00:37:22,128: INFO: (ospd_openvas.daemon) Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...
OSPD[17844] 2023-02-20 00:37:22,382: DEBUG: (gnupg) verify_file: <_io.BufferedReader name='/var/lib/notus/advisories/sha256sums.asc'>, '/var/lib/notus/advisories/sha256sums'
OSPD[17844] 2023-02-20 00:37:22,382: DEBUG: (gnupg) Handling detached verification
OSPD[17844] 2023-02-20 00:37:22,384: DEBUG: (gnupg) Wrote to temp file: b'-----BEGIN PGP SIGNATURE-----\n\niQIzBAABCgAdFiEEiuS+QptgpZsxHC5zmCP6pg7R5YAFAmPu/FsACgkQmCP6pg7R\n5YCdbw//SOhRR9mGLseG1aOfjc819xBF05IVXZkSYGuy3DWsK76+nOTtx4SzKhuS\nApr+Q5domPDF+EyZQhoWmWq4/BWQ4iJMc+j5w6Ia7Ifl/LhhQx9sLdR8B3OdaObb\nxplXaOg4TOUE9elbqlukKh5KvwbQE2EI/rP5qPHLK0ofDwM6O4UNzDW0oZUn5hMO\ngXjn9TlMq727H5sPz/5ZyitlF2pxRuIGQwD1IVbnrrsUPGuo8TR1GL4FBSoW8blV\n7eIk/NCCH89WAGCf32et0uL7eGpqLd6NNKW2JWlS88icvfgIpUcNZMuZuddEybSw\nGDH4EdnXo+xUONgCv6ao+bn3ZtGmhQ4dp2lySRTBgk0eEqZuiH+qyTrwtU6fC7NO\nmL7zTDRR/mt6DucKwfDhs9GXwSrKi6260n1hrw3tlJOHTcZKZemZ67dOZ6OM05Fy\nxoZ45Wr5iOI8ORTE0ooHFS1wx/PJKF+7XtpGlo5Vret9kDYiwg3ABjnkdJGI9ji0\nY+BfSBh5FdnV2eQvx5sIn+Lfte4XwMXuw2gjkE1zkn0opIIxxoBLpoiVVJERnhyg\nv/tOMS/b5e6p+g5yBypwVhNdhbksDBR1vKpHR+5i4pyiE0vHg5CcQa0O8WeCzizk\n592mJow2kZAUPjOgr54R49abC6soT045AuFS8yp3Dz5RddepPNY=\n=q8u+\n-----END PGP SIGNATURE-----\n'
OSPD[17844] 2023-02-20 00:37:22,386: DEBUG: (gnupg) 20553: gpg --status-fd 2 --no-tty --no-verbose --fixed-list-mode --batch --with-colons --homedir /etc/openvas/gnupg --verify /tmp/pygpgb856_vuq /var/lib/notus/advisories/sha256sums
OSPD[17844] 2023-02-20 00:37:22,386: DEBUG: (gnupg) stderr reader: <Thread(Thread-396 (_read_response), initial daemon)>
OSPD[17844] 2023-02-20 00:37:22,387: DEBUG: (gnupg) stdout reader: <Thread(Thread-397 (_read_data), initial daemon)>
OSPD[17844] 2023-02-20 00:37:22,401: DEBUG: (gnupg) gpg: WARNING: unsafe ownership on homedir '/etc/openvas/gnupg'
OSPD[17844] 2023-02-20 00:37:22,401: DEBUG: (gnupg) gpg: failed to create temporary file '/etc/openvas/gnupg/.#lk0x023ad5f0.kali-raspberry-pi.20553': Permission denied
OSPD[17844] 2023-02-20 00:37:22,401: DEBUG: (gnupg) gpg: keyblock resource '/etc/openvas/gnupg/pubring.kbx': Permission denied
OSPD[17844] 2023-02-20 00:37:22,402: DEBUG: (gnupg) [GNUPG:] ERROR add_keyblock_resource 33587201
OSPD[17844] 2023-02-20 00:37:22,402: WARNING: (gnupg) potential problem: ERROR: add_keyblock_resource 33587201
OSPD[17844] 2023-02-20 00:37:22,402: DEBUG: (gnupg) [GNUPG:] NEWSIG
OSPD[17844] 2023-02-20 00:37:22,402: DEBUG: (gnupg) message ignored: NEWSIG,
OSPD[17844] 2023-02-20 00:37:22,402: DEBUG: (gnupg) gpg: Signature made Fri 17 Feb 2023 04:02:35 AM UTC
OSPD[17844] 2023-02-20 00:37:22,403: DEBUG: (gnupg) gpg: using RSA key 8AE4BE429B60A59B311C2E739823FAA60ED1E580
OSPD[17844] 2023-02-20 00:37:22,403: DEBUG: (gnupg) [GNUPG:] ERROR keydb_search 33554445
OSPD[17844] 2023-02-20 00:37:22,403: WARNING: (gnupg) potential problem: ERROR: keydb_search 33554445
OSPD[17844] 2023-02-20 00:37:22,403: DEBUG: (gnupg) [GNUPG:] ERROR keydb_search 33554445
OSPD[17844] 2023-02-20 00:37:22,403: WARNING: (gnupg) potential problem: ERROR: keydb_search 33554445
OSPD[17844] 2023-02-20 00:37:22,404: DEBUG: (gnupg) [GNUPG:] ERRSIG 9823FAA60ED1E580 1 10 00 1676606555 9 8AE4BE429B60A59B311C2E739823FAA60ED1E580
OSPD[17844] 2023-02-20 00:37:22,404: DEBUG: (gnupg) [GNUPG:] NO_PUBKEY 9823FAA60ED1E580
OSPD[17844] 2023-02-20 00:37:22,404: DEBUG: (gnupg) gpg: Can't check signature: No public key
OSPD[17844] 2023-02-20 00:37:22,405: WARNING: (gnupg) gpg returned a non-zero error code: 2
This can be solved with the following steps:
cd /tmp
wget https://www.greenbone.net/GBCommunitySigningKey.asc
echo "8AE4BE429B60A59B311C2E739823FAA60ED1E580:6:" > /tmp/ownertrust.txt
export GNUPGHOME=/tmp/openvas-gnupg
mkdir -p $GNUPGHOME
gpg --import /tmp/GBCommunitySigningKey.asc
gpg --import-ownertrust < /tmp/ownertrust.txt
export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg
sudo mkdir -p $OPENVAS_GNUPG_HOME
sudo cp -r /tmp/openvas-gnupg/* $OPENVAS_GNUPG_HOME/
sudo chown -R _gvm:_gvm $OPENVAS_GNUPG_HOME
After resolving the gnupg permissions error, ospd-openvas still will not start, due to a configuration error.
Feb 20 14:53:14 kali-raspberry-pi systemd[1]: Started ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas).
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: Traceback (most recent call last):
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 1950, in _execute_transaction
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: response = self.parseresponse(connection, "")
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 2018, in parse_response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: result = Redis.parse_response(self, connection, command_name, options)
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 1254, in parse_response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: response = connection.read_response()
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/connection.py", line 839, in read_response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: raise response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: redis.exceptions.ExecAbortError: Transaction discarded because of previous errors.
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: During handling of the above exception, another exception occurred:
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: Traceback (most recent call last):
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/bin/ospd-openvas", line 8, in <module>
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: sys.exit(main())
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd_openvas/daemon.py", line 1268, in main
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: daemon_main('OSPD - openvas', OSPDopenvas, NotusParser())
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd/main.py", line 164, in main
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: daemon.init(server)
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd_openvas/daemon.py", line 549, in init
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: self.update_vts()
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd_openvas/daemon.py", line 674, in update_vts
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: self.notus.reload_cache()
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd_openvas/notus.py", line 156, in reload_cache
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: self.cache.store_advisory(advisory["oid"], res)
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd_openvas/notus.py", line 86, in store_advisory
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: return OpenvasDB.set_single_item(
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd_openvas/db.py", line 345, in set_single_item
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: pipe.execute()
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 2078, in execute
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: return conn.retry.call_with_retry(
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/retry.py", line 46, in call_with_retry
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: return do()
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 2079, in <lambda>
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: lambda: execute(conn, stack, raise_on_error),
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 1953, in _execute_transaction
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: raise errors[0][1]
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 1943, in _execute_transaction
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: self.parseresponse(connection, "")
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 2018, in parse_response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: result = Redis.parse_response(self, connection, command_name, options)
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/client.py", line 1254, in parse_response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: response = connection.read_response()
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/redis/connection.py", line 839, in read_response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: raise response
Feb 20 14:53:25 kali-raspberry-pi ospd-openvas[1494]: redis.exceptions.ResponseError: Command # 1 (DEL internal/notus/advisories/1.3.6.1.4.1.25623.1.1.4.2012.0033.1>
Feb 20 14:53:26 kali-raspberry-pi ospd-openvas[1494]: Exception ignored in atexit callback: <function exit_cleanup at 0xb37a9528>
Feb 20 14:53:26 kali-raspberry-pi ospd-openvas[1494]: Traceback (most recent call last):
Feb 20 14:53:26 kali-raspberry-pi ospd-openvas[1494]: File "/usr/lib/python3/dist-packages/ospd/main.py", line 86, in exit_cleanup
Feb 20 14:53:26 kali-raspberry-pi ospd-openvas[1494]: sys.exit()
Feb 20 14:53:26 kali-raspberry-pi ospd-openvas[1494]: SystemExit:
Feb 20 14:53:26 kali-raspberry-pi systemd[1]: ospd-openvas.service: Main process exited, code=exited, status=1/FAILURE
Feb 20 14:53:26 kali-raspberry-pi systemd[1]: ospd-openvas.service: Failed with result 'exit-code'.
The key error is:
redis.exceptions.ResponseError: Command # 1 (DEL internal/notus/advisories/1.3.6.1.4.1.25623.1.1.4.2012.0033.1) of pipeline caused error: MISCONF Redis is configured to save RDB snapshots, but it's currently unable to persist to disk. Commands that may modify the data set are disabled, because this instance is configured to report errors during writes if RDB snapshotting fails (stop-writes-on-bgsave-error option). Please check the Redis logs for details about the RDB error.
This error is related to explicitly disabling save in the /etc/redis/redis-openvas.conf file, which was addressed in this commit:
https://github.com/greenbone/openvas-scanner/pull/1199/commits/130a07177804262b0f0e80c72f89eccd473be132
If you add save "" to the /etc/redis/redis-openvas.conf file (around line 221), ie:
#save 900 1
#save 300 10
#save 60 10000
save ""
Then the issue is solved:
OSPD[820] 2023-02-20 23:36:40,913: DEBUG: (ospd_openvas.openvas) Finished loading VTs into Redis DB
OSPD[820] 2023-02-20 23:36:41,049: INFO: (ospd_openvas.daemon) Finished loading VTs. The VT cache has been updated from version 0 to 202302201018.
OSPD[820] 2023-02-20 23:36:41,051: DEBUG: (ospd_openvas.daemon) Calculating vts integrity check hash...
OSPD[820] 2023-02-20 23:37:21,239: DEBUG: (paho.mqtt.client) Sending PINGREQ
OSPD[820] 2023-02-20 23:37:21,240: DEBUG: (paho.mqtt.client) Received PINGRESP
OSPD[820] 2023-02-20 23:38:11,642: DEBUG: (ospd_openvas.lock) Removed lock from file /run/ospd/feed-update.lock.
OSPD[820] 2023-02-20 23:38:21,308: DEBUG: (paho.mqtt.client) Sending PINGREQ
OSPD[820] 2023-02-20 23:38:21,308: DEBUG: (paho.mqtt.client) Received PINGRESP
OSPD[820] 2023-02-20 23:38:21,645: DEBUG: (ospd_openvas.daemon) Current feed version: 202302201018
OSPD[820] 2023-02-20 23:38:21,645: DEBUG: (ospd_openvas.daemon) Plugin feed version: 202302201018
OSPD[820] 2023-02-20 23:38:31,646: DEBUG: (ospd_openvas.daemon) Current feed version: 202302201018
OSPD[820] 2023-02-20 23:38:31,647: DEBUG: (ospd_openvas.daemon) Plugin feed version: 202302201018
OSPD[820] 2023-02-20 23:38:41,650: DEBUG: (ospd_openvas.daemon) Current feed version: 202302201018
OSPD[820] 2023-02-20 23:38:41,651: DEBUG: (ospd_openvas.daemon) Plugin feed version: 202302201018 |
|---|
