OpenNetAdmin


nmap_scan_cron fails

kaptk2

09-03-2011 14:53:53

When trying to test nmap_scan_cron I type /opt/ona/bin/nmap_scan_cron -l and I get back a message saying Permission denied! What is this all about and how can I fix it?

Thanks

Matt

10-03-2011 09:01:15

This is an issue with the default behavior of DCM and how it authenticates. There were some recent changes that locked down some security that I need to address.

The solution is this:
1. Create a user named "dcm.pl"; the password can be set to whatever you wish.
2. If you are going to use the update option in nmap_scan then you will want to grant the dcm.pl user "interface_modify" permission.
3. You will want to grant the ona_sql permission as well.
4. Optionally, you can configure a .htaccess that limits the IP addresses that can use dcm.pl. This is probably a good idea to improve security of the tool. There is an example file located in /opt/ona/www/.htaccess.example

I will probably create this user automatically in future releases.

caleb99

03-06-2011 08:28:07

Do we create this user in mysql? Could you be more specific here? I'm kind of a Linux newbie.

Matt

03-06-2011 17:27:56

The dcm.pl user I am speaking of is an ONA user. You will need to create it through the GUI.

You can click on admin -> manage users and then add the new user there. The name would be 'dcm.pl'. Then grant the ona_sql and interface_modify permissions that will allow the nmap scan process to function correctly.

rlev

07-03-2012 12:18:32

Thread, I resurrect thee!

We recently ran into this same issue and I finally came across this thread. Perhaps it would be a good idea to post this info on the wiki page for this plugin.

That said, I think I am having a second issue related to this. It appears that the plugin is now running the scan on the devices already in the DB. However, if I try running the plugin script with the -n x.x.x.x/XX options, it acts like it completes fine but never creates the report in the subnets directory.

Any ideas on that one?

Edit: Actually, now that I have gone back and reverified...this did not resolve the issue. The script now runs without complaining about permission denied, however nothing is being updated. Nothing in the DB, none of the reports for existing subnets in the /opt/ona/www/local/nmap_scans/subnets directory, nothing at all. I also haven't been able to find any logs regarding this script other than the complaining about user info for dcm.pl in the ona.log before applying the above mentioned fix. Does the activity of the actual script get logged anywhere? It doesn't look like the script is pointing to any log files.

In fact, running a tcpdump on the ONA server while attempting to run the plugin script results in absolutely no traffic whatsoever to any of the subnets that it is supposedly scanning.

tpeters

19-04-2012 08:45:12

Hi,

Did this ever get resolved as I have the same issue, nmap runs but no files are created in subnet directory :(

Trev

Matt

19-04-2012 10:31:59

Well, this could be a few things. Let's start with some basics and see what we find.

First off when running nmap_scan_cron you should test using the '-l' flag to list the subnets that it is going to scan. If the list is blank then that explains much.

One thing to note. The default behavior is to only scan subnets that have the 'nmap_scan' custom attribute set to 'Y'. However, I'm sure many people will run it like I do in my environment. This is to pass in the '-a' flag which inverts the logic and will scan ALL subnets in the database EXCEPT those that have 'nmap_scan' set to 'N'. I do it this way because I'd rather blacklist than whitelist.

If you do an 'nmap_scan_cron -l -a' I would expect that you should get a list of subnets back? If not then there is an issue. If it does work then simply run 'nmap_scan_cron -a' manually or via a cron job and it hopefully will work.

Thanks