OpenVAS Change Request #8: Introduce NVT family "Credentials"
Status: Voted +2. Implemented. Server-side changes released with openvas-plugins 1.0.2, client-side released with OpenVAS-Client 1.0.4.Purpose
To consistently mark those NVTs that transfer user input on credentials into the knowledge base by setting the family to "Credentials".
References
Initial discussion on openvas-plugins mailing list where this request emerged from.
Rationale
OpenVAS-Client offers a configuration page on "Credentials". It summarizes those "plugin preferences" that are managing parameters for logging in somewhere. OpenVAS-Client identifies them currently by hard-coded names (which is a behavior inherited from Nessus).
Apparently names can change or new ones can appear. It is considered a broken concept to have it necessary to change this in the client application each time such a change occurs. Instead, the client should flexible react on changes happened in OpenVAS server.
Effects
- During a transition phase some credential settings may not appear (any more) in the Credentials page, but only in the Plugin Preferences page in OpenVAS-Client.
- The current concept of NASL/NTP allows for arbitrary languages of the family name. Thus, if "Credentials" as family name is hard coded into OpenVAS-Client, then the translation of this name is not identified as a credentials script and will only be shown in the preferences page. This is mostly a theoretical problem, because the number of the relevant script is quite low and mostly static. Also, the failures would happen already (e.g. logins.nasl) because the names are translatable as well.
Design and Implementation
- Change family to "Credentials" for ssh_authorization.nasl in openvas-plugins/scripts/.
- openvas-plugins/scripts/logins.nasl: separate SMB into a nasl file of its own, e.g. as "smb_authorization.nasl" and set the family of both to "Credentials". Note that actually, logins.nasl should eventually be further resolved into separate scripts.
- In openvas-client/nessus/prefs_dialog/prefs_dialog_plugins_prefs.c change is_credentials to return true for family members of "Credentials". Or replace call of this function entirely by direct check for this family.
- While we are at it: Change the "Credentials" page of OpenVAS-Client to work in the same way as the Preferences page, i.e. have a overview and allow the user to click on the respective credentials name to change the values. This is basically intended to have a more consistent user interface.
History
- 2008-06-12 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Status update: now implemented. - 2008-06-01 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Added voting result. - 2008-04-30 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Initial text.