4. System Administration

The administration of the Greenbone Operating System (GOS) version 4 is done entirely through a menu-based console interface. The administrator does not need any command line or shell access to carry out configuration or maintenance tasks; shell access is provided only for support and troubleshooting purposes. To access the system administration interface you need to log in as admin on the console. This chapter is organized according to the system administration menu structure: first the Setup, then the Maintenance and finally the Advanced submenu is covered.

4.1. Introduction

4.1.1. Log in as admin

Once turned on the appliance will boot. The boot process can be monitored via the serial console. The boot process of the virtual appliance can be monitored in the hypervisor (VirtualBox or VMware).

_images/boot-vbox.png

Boot screen of the appliance

After the boot process is completed you can log into the system locally using the console. The default login is user: admin with password: admin. After the login (if not already configured) the GSM may remind you that the setup has not been completed yet.

4.1.1.1. Authorization Concept

The GSM offers two different levels of access: a user level and a system level. The user level (Web Admin) access is available via the graphical web interface or the Greenbone Management Protocol (GMP). The system level (GSM Admin) is only available via the console or the secure shell protocol (SSH).

4.1.1.2. User Level Access

The user level access supports the management of users, groups and fine-grained permissions via either the web interface or GMP. Further details may be found in section User Management. While the user level may be accessed either via the web interface or the Greenbone Management Protocol (GMP), GMP access is turned off by default on all devices except sensors. Furthermore, in its delivery state no account for accessing the user level has been defined on any GSM device. Thus no unauthorized access is possible between the commissioning and the configuration of the device.

4.1.1.3. System Administration Level Access

The system administration interface is only available via the console or SSH. Only one account is supported: admin. This account is to be used for all system administration of the GSM. This unprivileged user may not directly modify any system files but can only instruct the system to modify certain configurations.

The privileged account root should only be used in emergencies and in consultation with the Greenbone support team. If any modifications are made without consultation you are no longer entitled to receive assistance from the Greenbone support team.

When delivered by Greenbone the user admin is assigned the password admin. This password should be changed during the first setup. Trivial passwords are declined; this includes the password admin. All network interfaces are disabled by default and no IP address is assigned. The SSH service is disabled as well. To use SSH for accessing the GSM the network interfaces and the SSH service need to be enabled first. The Greenbone Security Manager Community Edition (GSM CE) and the GSM ONE enable the network interfaces using DHCP immediately after the installation, but the SSH service is disabled there as well.

If the SSH service is enabled only admin may log in remotely. The root login via SSH is disabled. The privileged user root may only log in via the console. In delivery state the user root does not have any password and can log in directly. Using su to switch from the admin user to the root user is disabled by default. It may be enabled using superuser and superuserpassword (see section Superuser).

Enabling the password for root should only be done briefly in emergencies. To remind the admin user of this setting it is displayed during the login process, including the root password in clear text.

4.1.2. System Administration Access

The CLI can be accessed via the serial console or SSH. However, SSH access may be deactivated and has to be enabled using the serial console first (see section SSH).

Access via SSH from UNIX/Linux can be done directly via command line:

$ ssh admin@<gsm>

Replace <gsm> with the IP address or DNS name of the GSM appliance. To verify the host key before connecting, its fingerprint can be displayed via the serial console: change into the submenu Setup followed by Services and SSH and select Fingerprint.

Access to the command line via the serial port is described in the respective section of the setup guide. Login is performed with user admin (see section Log in as admin). The factory default password is admin. Alternatively SSH can be used to log in (see section SSH).

4.1.3. Committing Changes

Changes introduced through the system administration menus are not saved and activated immediately. Rather, the menu is modified and a new Save option is added as long as there are pending modifications.

_images/gsm-commit.png

Save pending modifications

If you exit the menu without saving any pending modification a warning is displayed. You may choose to go back (ESC), save (Yes) or discard (No) the modifications.

_images/gsm-discard.png

Discard pending modifications

4.2. Setup Menu

4.2.1. Users Management

The system administration interface allows the management of users and passwords. In particular, it offers the possibility to change the password of the system administrator and to manage web users. These web users may be administrators (also called scan administrators), guests or the Super Admin.

4.2.1.1. System Administrator password change

The password of the system administrator may be changed. This is especially important during the first base configuration. The factory setting admin/admin is not suitable for a production environment.

The respective function is available in the Setup menu. Here you will find the user management in the User submenu.

The following users can be configured (see section Authorization Concept):

  1. GSM-Admin: This is the administrator who can log in via the command line (i.e. via the serial port).
  2. Web-Admin: This is the administrator who can log in to the web interface.

To change the GSM-Admin password select the option Password. You will be asked to enter the current (UNIX) password of the administrator. Afterwards you must enter the new password twice.

This change is effective immediately. A commit of the change is not required. A rollback is not possible either.

_images/gsm-admin-pw.png

Changing of the GSM administrator password

Note

Trivial passwords are being rejected. This includes the default password admin.

4.2.1.2. Managing Web Users

To be able to use the GSM appliance a web administrator must be set up. This user is referred to as scan administrator in some documentation and by some applications.

The set-up of the first web admin is only possible through the system administration interface. Within Setup menu switch to the User option and select Web Users. Several new options are displayed.

_images/gsm-web-users.png

Web users management

  • List Users - This displays a list of the current web users.
  • Admin User - This creates a new web administrator. The first web admin has to be defined using the system administration interface. Once logged in, the web admin may be used to add further web administrators or normal web users.
  • Enable Guest - This enables the guest user. This cannot be done using the web interface but only via the system administration interface.
  • Super Admin - This creates the super admin. Only one super admin may be defined. The super admin may only be defined using the system administration interface.
  • Delete Account - This option may be used to delete a web user.
  • Change Password - This option may be used to change the password of any web user.

More than one user with administrative rights can be set up. Further configuration of the users using the system administration interface is not possible. It is only possible to display the existing users or delete them if applicable.

To edit the existing users, or add users with fewer permissions, use the web interface.

The following screen shot displays the creation of a web administrator:

_images/gsm-web-admin.png

Web admin creation

To create the user use the <Enter> key. To navigate from field to field use the cursor keys.

4.2.2. Network configuration

The network configuration menu offers the following options:

  • Configure the Network Interfaces
  • Configure the Domain Name Servers
  • Global Gateway (IPv4 and IPv6)
  • Hostname and Domainname
  • Management IP addresses (IPv4 and IPv6)
  • Display MAC and IP addresses
  • Enable Expert Mode

Any change within the network configuration has to be saved via the Menu and the GSM needs to be rebooted for the change to be fully effective.

4.2.2.1. Network Interfaces

The GSM may have up to 24 network interfaces. At least one network interface must be configured to access the GSM via the network. Usually the first network adapter eth0 is used for this purpose. The admin has to configure this network interface and attach the appliance to the network.

Depending on the actual model the first network interface may be preconfigured:

  • GSM ONE: DHCP
  • All other models: no IP address set

IPv6 is disabled on all models by default.

To configure the adapter enter the Setup menu and navigate to the Network submenu. Here choose the option Configure the Network Interfaces.

You will be able to configure the network interface eth0.

_images/gsm-eth0.png

Configuration of eth0

To set up a static IP address choose the appropriate option, remove the text dhcp from the configuration line and replace it with the correct IP address including the prefix length.

_images/gsm-staticip.png

Entering a static IP address

To configure a network interface to use DHCP choose the option Enable DHCP. This option is only available if currently a static IP address is configured.

To configure the MTU of the interface use the appropriate option from the menu. To use the default values leave the field in the dialogue empty.

When configuring IPv6 addresses the admin has the choice of:

  • Stateful DHCPv6
  • Router Advertisement
  • Static IP

Depending on the mechanism used, the gateway and the DNS server need to be configured manually.

This menu supports the configuration of VLANs as well. To configure a VLAN subinterface choose the option Configure the VLAN interfaces on this interface and enter the VLAN number.

_images/vlan1.png

Creating a new VLAN subinterface

The next screen will display a success message. After acknowledgement of this message the interface may be configured using IPv4 and/or IPv6 using the usual dialogue.

_images/vlan2.png

Configuring the VLAN subinterface eth0.3

Additional VLAN subinterfaces may be added.

Always ensure that any changes are saved before exiting the menu. If pending modifications are detected you will be warned appropriately.

4.2.2.2. DNS server

In order to receive the feed and updates the GSM requires a reachable and functioning DNS server for name resolution. If the GSM uses a proxy to download the feed and updates this setting is not required.

If DHCP is used for the configuration of the network interfaces, the DNS servers provided by the DHCP protocol will be used.

The GSM appliance supports up to three DNS servers. At least one DNS server is required. Additional servers will only be used if the first server fails. To configure the DNS servers enter the Setup menu and choose the submenu Network. Here choose Configure the Domain Name Servers.

You will be able to configure three different DNS servers. These servers can be configured using either an IPv4 or an IPv6 address.

_images/gsm-dns-conf.png

Setup DNS servers

Any change has to be committed by choosing Save in the menu.

Whether the DNS servers can be reached and are functional is shown by the Selfcheck (see section Selfcheck).

4.2.2.3. Global Gateway

The global gateway may be automatically obtained using DHCP or router advertisements. If the GSM is configured to use static IP addresses the global gateway has to be configured manually. Separate options are available for IPv4 and IPv6.

The global gateway is often called the default gateway as well. To configure the global gateway use the option Global Gateway for IPv4 and Global Gateway (IPv6) for IPv6 within the Network submenu.

When using DHCP to assign IP addresses the global gateway will also be set via DHCP unless the global gateway has been set explicitly.

_images/gsm-globalgw.png

Configuring the global gateway

4.2.2.4. Hostname/Domainname

While the GSM does not require a special hostname the hostname is an important item when creating certificates and sending emails. The options Hostname and domainname may be used to modify the fully qualified domainname of the appliance. While the hostname is used to configure the short hostname the domainname option is used for the domain suffix. The factory default values are:

  • Hostname: gsm
  • Domainname: gbuser.net

4.2.2.5. Management IP Addresses

These options allow the configuration of the management interfaces for IPv4 and IPv6 access. If these options are not configured the administrative interfaces will be available on all network interfaces. To restrict the access enter either the IP address or the name of the network interface (e.g. eth0) in the dialogue. All administrative access (SSH, HTTPS, GMP) will be restricted to the appropriate interface and will no longer be available on the other interfaces.

_images/managementip.png

Restricting management access

4.2.2.6. Display MAC/IP addresses

These menu options provide a simple overview of the MAC addresses in use and the currently configured IP addresses of the appliance. These options do not support the configuration of the MAC addresses.

_images/displaymac.png

Display the MAC addresses

4.2.2.7. Expert Mode

While simple network configuration tasks can be handled via the menus, complex setups using different static routes require further configuration. While the configuration of VLANs is now supported, multiple static routes are currently not possible using the menus.

To make respective changes in the configuration an expert mode exists. It requires the configuration of these settings in separate files for each network card underneath the directory /etc/network/interfaces.d in the filesystem.

The creation, editing and activation of these settings is covered in this section.

To use the expert mode it must be activated first. Enter the Setup menu. Navigate to Network and choose Expert.

A new menu will be displayed.

_images/gsm-expertnet2.png

Enable Expert Mode

To revert to normal mode at a later date use the menu option Expert. The network service will be restarted immediately.

When enabling the Expert Mode the admin starts with the current configuration of the network cards. Once the mode is enabled a new menu option Edit is displayed instead of the interfaces submenu. This option drops the admin user into a shell in the /etc/network/interfaces.d directory.

_images/editnic.png

Depending on the model several configuration files are available

The syntax of the files adheres to the Debian standard. To call an additional command when enabling the network card the keyword up may be used. To achieve the same while disabling the card the keyword down is used.

4.2.2.7.1. Additional IP addresses

The menus only support the configuration of one IP address per network card. To add additional addresses to the same card the expert mode may be used. To add an additional address use the command ip with the addr argument:

iface eth0 inet static
  address 192.168.222.115/24
  up ip addr add 192.168.222.200/24 dev eth0

4.2.2.7.2. Static Routing

Most networks only have one gateway, often referred to as the default gateway. Sometimes historically grown networks use different routers for different destinations. If these routers do not exchange routing information through dynamic routing protocols, client systems often require static routes for those destinations. The expert configuration allows the configuration of an unlimited number of static routes.

To set a route use the ip command with the route argument:

iface eth0 inet static
  ...
  up ip route add default via 192.168.81.1
  up ip -f inet6 route add default via 2607:f0d0:2001::1
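
As an added example that is not part of the Greenbone manual, the following shell snippet writes one complete per-interface file combining the two fragments above (a second address plus IPv4 and IPv6 default routes and one extra static route) into a scratch location and, where ifupdown is installed, dry-runs it with ifup --no-act before anything is saved. The addresses, the scratch path and the extra route are assumptions; on the GSM the file belongs in /etc/network/interfaces.d/.

```shell
#!/bin/sh
# Added example, not from the Greenbone manual: a full expert-mode stanza for
# eth0 combining an additional address with static routes, plus a dry run.
# Addresses and the scratch path are assumptions; on the appliance the file
# is edited in /etc/network/interfaces.d/ via Setup > Network > Edit.
set -eu

# Write the stanza. Every 'up' line has a matching 'down' line so that
# ifdown leaves the card clean instead of leaking addresses and routes.
write_eth0_config() {  # $1 = target file
  cat > "$1" <<'EOF'
auto eth0
iface eth0 inet static
  address 192.168.222.115/24
  # second IPv4 address on the same card (the menus allow only one)
  up   ip addr add 192.168.222.200/24 dev eth0
  down ip addr del 192.168.222.200/24 dev eth0
  # IPv4 default route plus one static route via a second router
  up   ip route add default via 192.168.222.1
  down ip route del default via 192.168.222.1
  up   ip route add 10.20.0.0/16 via 192.168.222.254
  down ip route del 10.20.0.0/16 via 192.168.222.254

iface eth0 inet6 static
  address 2001:db8:1::115/64
  up   ip -f inet6 route add default via 2001:db8:1::1
  down ip -f inet6 route del default via 2001:db8:1::1
EOF
}

# Count the up/down pairs: a missing 'down' counterpart is the usual mistake.
# Returns 0 when every 'up' line has a 'down' line.
updown_balanced() {  # $1 = file
  ups=$(grep -cE '^[[:space:]]*up[[:space:]]' "$1" || true)
  downs=$(grep -cE '^[[:space:]]*down[[:space:]]' "$1" || true)
  [ "$ups" -eq "$downs" ]
}

# Dry run: ifup --no-act prints the commands it would execute for the stanza
# without configuring anything, so typos surface before Save and reboot.
dry_run() {  # $1 = file
  if command -v ifup >/dev/null 2>&1; then
    ifup --no-act --verbose --interfaces "$1" eth0
  else
    echo "ifupdown not installed here; stanza follows" >&2
    cat "$1"
  fi
}

cfg=$(mktemp)
write_eth0_config "$cfg"
if updown_balanced "$cfg"; then echo "every up line has a down counterpart"; fi
dry_run "$cfg" || echo "dry run reported a problem, review the stanza" >&2
rm -f "$cfg"
```

The down lines matter on the appliance because the network service is restarted when expert mode is toggled; without them a second restart may fail with "address already assigned" or leave stale routes behind.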

4.2.3. Services

To access the GSM appliance remotely the following options are available:

HTTPS
This is the usual option for the creation, execution and analysis of vulnerability scans. This option is activated by default and cannot be deactivated. The only configurable setting is the timeout for the automatic logout when the HTTPS session is inactive.

SSH
This option allows access to the command line, CLI and GOS-Admin-Menu of the GSM appliance. This access is deactivated by default and must be activated first. This can be done via the serial console, for example.

GMP (Greenbone Management Protocol)
The Greenbone Management Protocol (GMP) allows communication with other Greenbone products (e.g. an additional GSM). This protocol is based on the OpenVAS Management Protocol. It can also be used for communication between in-house software and the appliance (see section Greenbone Management Protocol).

SNMP
Read access to the GSM is possible via SNMPv3 (see section SNMP).

4.2.3.1. HTTPS

4.2.3.1.1. Timeout

The timeout value of the web interface can be set via Setup/Services/HTTPS/Timeout.

The value of the timeout can be between 1 and 1440 minutes (1 day). The default is 15 minutes.

4.2.3.1.2. Ciphers

The HTTPS ciphers may be configured. The current setting allows only secure ciphers with a key length of at least 128 bit, explicitly disallowing AES-128-CBC, Camellia-128-CBC and the cipher suites used by SSLv3 and TLSv1.0.

The string used to define the ciphers is validated by GnuTLS and has to conform to the GnuTLS priority string syntax.
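
Because a rejected or over-restrictive cipher string can lock the admin out of the web interface, it pays to validate the candidate string on a workstation first. The following is an added example, not part of the Greenbone manual: a lexical check in plain shell plus the real check with gnutls-cli, which parses the string with the same library. The candidate string is an assumption that expresses the policy described above; it is not the appliance's factory setting.

```shell
#!/bin/sh
# Added example, not from the Greenbone manual: pre-check a GnuTLS priority
# string before entering it under Setup > Services > HTTPS > Ciphers. The
# candidate string is an assumption that expresses the policy the manual
# describes (128-bit minimum, no AES-128-CBC / Camellia-128-CBC, no SSLv3 or
# TLSv1.0); it is not the appliance's factory string.
set -eu

CANDIDATE='SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-AES-128-CBC:-CAMELLIA-128-CBC'

# Cheap lexical gate: colon-separated keywords, each optionally prefixed with
# '+', '-' or '!', built from upper-case letters, digits, '.', '_', '-', '%'
# or '@'. Catches stray spaces, lower-case typos and empty fields.
# Returns 0 if the string is plausible.
priority_syntax_ok() {  # $1 = priority string
  printf '%s' "$1" | grep -Eq '^[+!-]?[A-Z0-9._%@-]+(:[+!-]?[A-Z0-9._%@-]+)*$'
}

# Real validation: gnutls-cli parses the string and lists the cipher suites it
# enables; a bad keyword makes it exit non-zero with "Syntax error at: ...".
# Review the list for anything you meant to drop.
list_ciphersuites() {  # $1 = priority string
  if command -v gnutls-cli >/dev/null 2>&1; then
    gnutls-cli --priority "$1" -l
  else
    echo "gnutls-cli not installed; only the lexical check ran" >&2
    return 0
  fi
}

if priority_syntax_ok "$CANDIDATE"; then
  list_ciphersuites "$CANDIDATE"
else
  echo "rejected: malformed priority string" >&2
  exit 1
fi
```

The lexical gate only rules out strings GnuTLS can never parse; whether a keyword exists and what it enables is answered by the gnutls-cli listing, which is also the place to confirm that no CBC suite or pre-TLS1.1 version remains.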

4.2.3.1.3. Certificate

This menu option supports the generation of self-signed HTTPS certificates or the import of certificates signed by external certificate authorities.

The menu offers the following choices:

  • Download: Download the current HTTPS certificate for import in your browser
  • CSR: Generate a Certificate Signing Request for the HTTPS certificate
  • Generate : Auto-generate a new self-signed HTTPS certificate
  • PKCS12: Import a PKCS#12 file as new HTTPS certificate
  • Certificate: Import a certificate signed by an external certificate authority

These different options are explained in the following sections.

The GSM appliance basically can use two types of certificates:

  • Self-signed certificates
  • Certificates issued by an external certificate authority

The use of self-signed certificates is the easiest way. It offers, however, the lowest security and creates more work for the user:

  • The trust in a self-signed certificate can only be checked manually by the user, through manual import of the certificate and examination of its fingerprint.
  • Self-signed certificates cannot be revoked. Once they are accepted by the user in the browser they are stored permanently in the browser. If an attacker gains access to the corresponding private key, a man-in-the-middle attack on the connection protected by the certificate can be launched.

The use of a certificate issued by a certificate authority has several advantages:

  • All clients trusting the authority can verify the certificate directly and establish a secure connection. No warning is displayed in the browser.
  • The certificate can be revoked easily by the certificate authority. If the clients have the ability to check the certificate status they can decline a certificate that may still be within its validity period but has been revoked. As mechanisms the Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) can be used.
  • Especially when multiple systems within an organization serve SSL-protected information, the use of an organizational CA simplifies management drastically. All clients simply have to trust the organizational CA to accept all certificates issued by it.

All modern operating systems support the creation and management of their own certificate authority. Under Microsoft Windows Server the Active Directory Certificate Services support the administrator in the creation of a root CA. For Linux systems various options are available. One option is described in the IPSec-Howto.

Before creating the certificate the admin needs to determine how the systems will be accessed later, because the IP address or the DNS name, respectively, is stored in the certificate when it is created. Additionally, after creating the certificate a reboot is required so that all services can use the new certificate. This needs to be taken into consideration when changing certificates.

_images/gsm-download-cert.png

Downloading the certificate

4.2.3.1.3.1. Self-signed certificates

To support a quick setup the GSM supports self-signed certificates. However, on many variants such a certificate is not pre-installed by factory default and must be created by the administrator. The GSM ONE, however, already comes with a pre-installed certificate.

Self-signed certificates can be easily created using the Option Generate (see section Generate). After creating the certificate a reboot is required so all services can use the new certificate.

4.2.3.1.3.2. Certificate by an external certificate authority

To import a certificate by an external certificate authority two options are available:

  • Generate a CSR on the GSM, sign it using an external CA and import the certificate
  • Generate the CSR and the certificate externally and import both using a PKCS#12 file

The next step depends on whether you require a certificate signing request (CSR) which will be subsequently signed by a certificate authority or whether you already have a key and signed certificate you would like to use for this GSM.

If you need to create a new CSR use the menu option CSR (see section CSR). Then sign the request and use the menu option Certificate to import the signed certificate (see section Certificate).

If you already have a key and a signed certificate you would like to use for this GSM, the menu option PKCS12 must be used instead to transfer the key and certificate to the GSM. The command expects the key and certificate in PKCS#12 format (see section PKCS12).

4.2.3.1.3.3. Download

Using this option the GSM will start an additional webserver running on an unprivileged port offering just the HTTPS certificate file for download. The URL and the port used are displayed in the console.

After the successful download the fingerprint of the certificate is displayed for verification within the browser.

_images/gsm-download-csr.png

Downloading the certificate signing request

4.2.3.1.3.4. CSR

If you choose the option to generate a new certificate signing request you are warned that the creation of a new CSR will overwrite the current key. After confirmation the CSR will be offered for download on an unprivileged port. The URL to use including the port is displayed on the console.

After downloading the certificate signing request (CSR) use an external certificate authority to sign the CSR and proceed to upload the certificate again (see section Certificate).

_images/gsm-upload-pkcs12.png

Uploading the PKCS#12 container

4.2.3.1.3.5. Generate

By choosing the option Generate you create a new self-signed certificate. The old private key and certificate are overwritten. You will be warned during the process that these old credentials will be lost after the process. Once the process is finished a message is displayed proposing the import of the certificate within the browser using the Download option (see section Download).

To enable the new certificate a Reboot of the GSM is required (see section Reboot).

4.2.3.1.3.6. PKCS12

To import both a private key and a signed certificate the option PKCS12 may be used. The private key and the certificate need to be formatted as PKCS#12 file. The file may be protected using an export password.

To import the PKCS#12 file choose the menu option. The GSM will start an upload server on an unprivileged port. The URL to use including the port will be displayed in the console (see figure Uploading the PKCS#12 container). Enter the URL in a browser, choose the file containing the PKCS#12 container and upload the file to the GSM.

If an export password was used to protect the PKCS#12 container you will be prompted to enter the password.

The certificate will be activated after a reboot (see section Reboot).

4.2.3.1.3.7. Certificate

Use the option Certificate to upload a certificate signed by an external authority. You will be warned that the old certificate will be overwritten in the process. After confirmation the GSM will start an upload server on an unprivileged port. The URL to use including the port will be displayed in the console. Enter the URL in a browser, choose the file containing the certificate in Base64 format and upload the file to the GSM.

_images/gsm-upload-cert.png

Uploading the signed certificate

Once the certificate is retrieved by the GSM the console will display the fingerprint of the certificate for verification. Check the fingerprint and confirm the certificate.

The certificate will be activated after a reboot (see section Reboot).
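
The workstation side of the CSR, PKCS12 and Certificate options above, as an added example that is not part of the Greenbone manual: checking the names in a downloaded CSR before the CA signs it, packaging an externally issued key and certificate as a PKCS#12 container with an export password, and computing the certificate's SHA-256 fingerprint to compare with what the console prints after the upload. File names, the subject name and the export password are assumptions; the self-signed demo pair generated at the end is constructed so the functions can be exercised offline and stands in for a CA-issued pair.

```shell
#!/bin/sh
# Added example, not from the Greenbone manual: the OpenSSL steps on the
# admin's workstation around the CSR, PKCS12 and Certificate menu options.
# File names, the subject name and the export password are assumptions; the
# demo key/certificate generated below is constructed for offline use only.
set -eu

# Before handing a downloaded CSR to the CA: confirm the subject (and SAN, if
# present) names exactly the host name or IP the GSM will be reached by, since
# that is what ends up in the certificate and what browsers compare against.
csr_names() {  # $1 = CSR (PEM)
  openssl req -in "$1" -noout -subject
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Package an externally issued key and certificate for the PKCS12 option.
# The export password protects the private key inside the container; the GSM
# prompts for it during import. (OpenSSL 3 writes AES-encrypted containers;
# importers that only understand the older RC2/3DES encoding need -legacy.)
make_pkcs12() {  # $1 = key.pem  $2 = cert.pem  $3 = out.p12  $4 = export password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# SHA-256 fingerprint of a certificate file: compare it with the fingerprint
# the console shows after the upload before confirming the certificate.
cert_fingerprint_sha256() {  # $1 = cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The same fingerprint read back out of the PKCS#12 container, to prove the
# container holds the certificate you think it holds.
pkcs12_cert_fingerprint() {  # $1 = file.p12  $2 = export password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed demo material (self-signed, valid one day) for offline use only;
# a real deployment uses the key/certificate issued by the organizational CA.
make_demo_pair() {  # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=gsm.example.invalid' \
    -addext 'subjectAltName=DNS:gsm.example.invalid' \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl req -new -key "$1/key.pem" -subj '/CN=gsm.example.invalid' \
    -out "$1/gsm.csr" 2>/dev/null
}

work=$(mktemp -d)
make_demo_pair "$work"
echo "names in the CSR:"; csr_names "$work/gsm.csr"
make_pkcs12 "$work/key.pem" "$work/cert.pem" "$work/gsm.p12" 'export-secret'
echo "certificate fingerprint: $(cert_fingerprint_sha256 "$work/cert.pem")"
echo "inside the PKCS#12:      $(pkcs12_cert_fingerprint "$work/gsm.p12" 'export-secret')"
rm -rf "$work"
```

Comparing the two fingerprints before the upload and again against the console output after it closes the loop: a mismatch at either point means the wrong file was packaged or the upload was tampered with in transit.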

4.2.3.1.4. Fingerprints

To check and display the fingerprints of the certificate used by the GSM the menu option Fingerprints may be used. This option will just display the following fingerprints of the currently active certificate:

  • SHA1
  • SHA256
  • BB

_images/gsm-ssh-fingerprint.png

SSH Fingerprints

4.2.3.2. SSH

SSH access can also be configured in the GOS-Admin-Menu (Setup/Services/SSH). This menu offers three different options:

  • Enable
  • Fingerprint
  • Admin key

4.2.3.2.1. Enable

This option enables the SSH Server embedded in the GSM appliance. To activate the setting you need to save the configuration setting using the menu. A reboot of the appliance is not required!

_images/gsm-ssh-pk-upload.png

Public key upload

4.2.3.2.2. Fingerprint

The GSM provides different host key pairs for its own authentication. The client decides which key pair to use. In the GOS menu on the console you may display the fingerprints of the public keys used by the SSH server of the appliance (see figure SSH Fingerprints). The MD5 fingerprints of the following keys are displayed:

  • DSA
  • ECDSA
  • ED25519
  • RSA

4.2.3.2.3. Admin key

GOS 4 offers the upload of public keys for the key-based authentication of the admin user. Once the appropriate option is selected in the menu the GSM will start a web page on an unprivileged port. This page will support the upload of a public key used for the authentication of the admin user via SSH (see figure Public key upload).

Once the key is uploaded the console will display the following notice:

_images/gsm-ssh-pk-accept.png

Public key accepted

The SSH server needs to be enabled, of course, in order to log in to the appliance. These keys may be generated using the command ssh-keygen when using OpenSSH on Linux or puttygen.exe when using PuTTY on Windows.
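
The client-side counterpart of the Fingerprint and Admin key options, and of the host key check mentioned in section System Administration Access, as an added example that is not part of the Greenbone manual: computing the MD5 fingerprint (the form the GOS menu shows) and the SHA256 fingerprint (the form current ssh clients print) of the appliance's host keys so they can be compared with the console, generating the ed25519 key pair whose public half is uploaded via Admin key, and connecting with strict host key checking. The host name and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Greenbone manual: OpenSSH steps on the admin's
# workstation for verifying the GSM's host key against the fingerprint shown
# under Setup > Services > SSH > Fingerprint and for creating the key pair
# uploaded under Admin key. Host name and file names are assumptions.
set -eu

GSM_HOST="${GSM_HOST:-gsm.example.invalid}"   # replace with the GSM's IP or DNS name

# Fingerprints of every public key in a file. The GOS menu shows MD5, newer
# ssh clients print SHA256 by default, so compute both and compare whichever
# form the console displays. Output is the bare "MD5:..." / "SHA256:..." token.
fingerprint_md5() {    ssh-keygen -lf "$1" -E md5    | awk '{print $2}'; }
fingerprint_sha256() { ssh-keygen -lf "$1" -E sha256 | awk '{print $2}'; }

# Fetch the host keys over the network (only meaningful against a reachable
# GSM) and print their fingerprints. Once a fingerprint matches the console,
# the printed key lines can be appended to ~/.ssh/known_hosts as-is.
show_remote_fingerprints() {  # $1 = host
  tmp=$(mktemp)
  ssh-keyscan -t ed25519,ecdsa,rsa "$1" > "$tmp" 2>/dev/null
  echo "host keys of $1 (MD5 as shown by GOS, then SHA256):"
  fingerprint_md5 "$tmp"; fingerprint_sha256 "$tmp"
  cat "$tmp"; rm -f "$tmp"
}

# Key pair for the admin user. In practice protect it with a passphrase; the
# empty -N '' here exists only so the offline demo runs unattended. Upload the
# .pub file via the Admin key page; the private key never leaves the workstation.
generate_admin_key() {  # $1 = directory
  ssh-keygen -q -t ed25519 -N '' -C 'gsm-admin' -f "$1/gsm_admin_ed25519"
  printf '%s\n' "$1/gsm_admin_ed25519.pub"
}

# Connect with the uploaded key only, and refuse unknown or changed host keys
# instead of prompting, so a mismatch fails loudly.
connect() {  # $1 = private key file
  ssh -i "$1" -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes "admin@$GSM_HOST"
}

work="${ADMIN_KEY_DIR:-$(mktemp -d)}"
pub=$(generate_admin_key "$work")
echo "upload this file under Admin key: $pub"
echo "its fingerprints (MD5, then SHA256):"
fingerprint_md5 "$pub"; fingerprint_sha256 "$pub"
echo "keys left in $work; move them to ~/.ssh when done"
```

Run show_remote_fingerprints "$GSM_HOST" from a network position you trust and compare the MD5 line with the menu before the first login; after that, StrictHostKeyChecking=yes turns any later host key change (re-generation after a reinstall, or interception) into a hard error rather than a prompt.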

4.2.3.3. GMP

The Greenbone Management Protocol may be activated via the menu. Navigate to Setup followed by Services. Here the option GMP may be used.

_images/enablegmp.png

Enabling the Greenbone Management Protocol

4.2.3.4. SNMP

The GSM appliance supports SNMP. The SNMP support can both be used for sending of traps through alerts as well as the monitoring of vital parameters of the appliance.

The supported parameters are specified in a Management Information Base (MIB) file. The current MIB is available from the Greenbone TechDoc portal.

The GSM appliance supports SNMP version 3 for read access and SNMPv1 for traps.

To configure the SNMPv3 navigate to Setup followed by Services. Here the option SNMP is available.

The menu supports:

  • Enabling/disabling of the SNMP service
  • Setting location and contact
  • Configuration of username, authentication and privacy passphrase for SNMPv3

_images/snmpv3.png

SNMPv3 configuration

When configuring the authentication and privacy passphrases, be aware that the GSM uses SHA-1 for authentication and AES128 for privacy.

Afterwards test read access to the SNMP service under Linux/Unix with snmpwalk:

$ snmpwalk -v 3 -l authPriv -u user -a sha -A password -x aes -X key 192.168.222.115
iso.3.6.1.2.1.1.1.0 = STRING: "Greenbone Security Manager"
iso.3.6.1.2.1.1.5.0 = STRING: "gsm"
...

The following information may be gathered:

  • Uptime
  • Network interfaces
  • Memory
  • Harddisk
  • Load
  • CPU

4.2.4. Data import

If you are currently using a GSM running an older version of the GOS a direct upgrade is not possible. Rather than just installing an upgrade package like in the past, a complete reinstall of the GSM is required. This path is required because the underlying database system has been completely replaced and, depending on the model you are using, the filesystem of the GSM is now encrypted as well.

To upgrade the GSM you first need to back up your data on the old GSM. After installing the new firmware you may import the backup using this option.

If you choose this option you are first warned that the import will overwrite all existing configuration on the GSM.

_images/gsm-di-warn.png

Data import warning message

Once you have confirmed the warning the GSM will start a webservice to upload the backup file.

_images/gsm-di-upload.png

Data import upload message

The import of the backup will take several minutes. During this period the GSM will not allow any web access. A detailed upgrade manual describing the upgrade to GOS 4 from older versions for your model is available. Please contact Greenbone Support.

4.2.5. Backup

The Greenbone Security Manager supports automatic backups. These backups may be stored locally or remotely. Backups are performed daily and retained according to the following schema:

  • Last 7 daily backups
  • Last 5 weekly backups
  • Last 12 monthly backups

Backups older than one year will be automatically deleted. In factory state the backups are disabled.

To enable the backups navigate to Setup followed by Backup.

_images/backup.png

Configuring Backups

By default the backups are stored locally. To store the backups on a remote server the server has to be set up appropriately. The GSM uses the SFTP protocol provided by the secure shell to transfer the backups. The remote server is therefore specified using a URL like the following:

username@hostname[:port]/directory

The optional port may be omitted if the server uses port 22.

The GSM will verify the identity of the remote server before logging in. To identify the remote server the GSM uses the public host key of the remote server. To upload this public key use the menu option and a web browser.

The GSM uses an SSH private key to log on to the remote server. To enable this logon the public key of the GSM must be added to the authorized_keys file on the remote server. The GSM generates such a private/public key pair. To download the public key use the menu option and download the key using a web browser.

If several GSM appliances upload their backups to the same remote server the files must be distinguishable. The admin has to set a unique backup identifier in these cases on each GSM appliance. If this value is not set the hostname will be used. If the hostname was modified from the default and is unique the backup files will be distinguishable as well.

Since the setup of the remote backup including the keys might be error-prone a test routine is available. This option will test the successful login to the remote system.
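
The server side of the remote backup described above, as an added example that is not part of the Greenbone manual: a dedicated backup account whose authorized_keys entry accepts only the GSM's public key, only from the GSM's address and only for SFTP (no shell, no forwarding), plus a helper that composes the backup URL in the username@hostname[:port]/directory form the menu expects. The account name, host, directory, GSM address and the demo public key are assumptions; the forced internal-sftp command relies on the sftp subsystem being enabled in sshd_config, which is the default on most distributions.

```shell
#!/bin/sh
# Added example, not from the Greenbone manual: preparing the remote backup
# server for SFTP uploads from a GSM. Account, host, directory, the GSM's
# address and the demo key below are assumptions / constructed values.
set -eu

# Build the URL exactly as the Backup menu expects it; the port part is
# omitted when the server listens on 22 (optional per the manual).
backup_url() {  # $1 = user  $2 = host  $3 = port  $4 = directory
  if [ "$3" -eq 22 ]; then
    printf '%s@%s%s\n' "$1" "$2" "$4"
  else
    printf '%s@%s:%s%s\n' "$1" "$2" "$3" "$4"
  fi
}

# authorized_keys line for the GSM key: 'restrict' turns off port/agent/X11
# forwarding and PTY allocation, and the forced internal-sftp command means the
# key can move files but never obtain a shell. The 'from=' clause pins the
# GSM's management address so a copied key is useless from anywhere else
# (drop it if the GSM gets its address via DHCP).
authorized_keys_line() {  # $1 = GSM public key file  $2 = GSM source address
  printf 'restrict,from="%s",command="internal-sftp" %s\n' "$2" "$(cat "$1")"
}

# Install the line with the permissions sshd insists on: with StrictModes
# (the default) a group- or world-writable .ssh or authorized_keys is ignored
# and the GSM's login silently falls back to failure.
install_backup_key() {  # $1 = account home  $2 = GSM public key  $3 = GSM address
  mkdir -p "$1/.ssh"
  chmod 700 "$1/.ssh"
  authorized_keys_line "$2" "$3" >> "$1/.ssh/authorized_keys"
  chmod 600 "$1/.ssh/authorized_keys"
}

# The GSM verifies the server before logging in: hand it the server's public
# host key (the .pub file from /etc/ssh, never the private key) via the menu.
server_host_key() { cat /etc/ssh/ssh_host_ed25519_key.pub; }

demo=$(mktemp -d)
# Constructed placeholder, not a real key: stands in for the public key
# downloaded from the GSM's Backup menu.
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEK gsm-backup\n' \
  > "$demo/gsm.pub"
install_backup_key "$demo/home" "$demo/gsm.pub" 192.168.222.115
echo "authorized_keys entry:"; cat "$demo/home/.ssh/authorized_keys"
echo "URL for the Backup menu (port 22):   $(backup_url backup backup.example.invalid 22 /srv/gsm-backups)"
echo "URL for the Backup menu (port 2222): $(backup_url backup backup.example.invalid 2222 /srv/gsm-backups)"
rm -rf "$demo"
```

With the key restricted this way, the Test option in the Backup menu still succeeds (it only needs an SFTP login), while a compromised backup server or a leaked GSM key gives an attacker no interactive access to the backup host. The backup directory itself should be writable by the backup account only.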

_images/testbackup.png

Testing the remote backup

4.2.6. Feed

The Feed menu underneath Setup supports the configuration and setup of the Greenbone feed. The Greenbone feed provides updates to the network vulnerability tests (NVT), the SCAP data (CVE and CPE) and the advisories from the CERT Bund and DFNCERT. Additionally the feed provides updates to the GOS operating system.

To use the Feed a subscription key is required. This key entitles your GSM to download the commercial feed provided by Greenbone.

If no valid subscription key is stored on the appliance the appliance will use only the public Greenbone community feed and not the commercial grade Greenbone security feed.

To configure the feed several options are available:

  • Key Upload and Editor
  • Enable/Disable Synchronisation
  • Sync port
  • Sync proxy
  • Cleanup

These options are further explained in the following sections. Whenever configuring any of these options you will need to save the configuration.

4.2.6.1. Key

These menu options are used to store a new Greenbone security feed (GSF) subscription key on the appliance. Either HTTP upload or Copy/Paste may be used. Please use this option carefully because the new key will overwrite any key already stored on the device. You will be warned when selecting this option.

_images/gsm-gsfkey-upload.png

The new key will overwrite any stored key.

If the warning is confirmed the GSM will start a web server for uploading. You can then use your browser to upload the new key.

4.2.6.2. Synchronisation

This option supports enabling and disabling the automatic feed synchronisation. If your GSM does not have any Internet access and you do not want the GSM to try to access the Greenbone services on the Internet this feature may be disabled. If the synchronisation has been disabled it may be enabled again using the same menu option.

_images/gsm-feed-enable.png

Enabling the feed synchronisation happens after saving.

The time of the feed synchronisation may be changed using Setup/Time (see section Time).

4.2.6.3. Sync port

The Greenbone security feed is provided by Greenbone on two different ports:

  • 24/tcp
  • 443/tcp

While port 24/tcp is the default port many firewall setups do not allow traffic to pass to this port on the Internet. Therefore this menu option allows the modification of the port to 443/tcp. This port is most often allowed.

_images/gsm-feed-port.png

The sync may use either 24/tcp or 443/tcp

Note

The port 443/tcp is usually used by https traffic. While the GSM may use this port the actual traffic is not https but ssh. The GSM uses rsync embedded in ssh to retrieve the feed. Firewalls supporting deep inspection and application awareness may still reject the traffic if these features are enabled.

4.2.6.4. Sync proxy

If the security policy does not allow direct Internet access the GSM may use an https proxy service. This proxy must not inspect the SSL traffic but must support the CONNECT method. The traffic passing through the proxy is not https but ssh tunnelled through the http proxy connection.

To set the proxy the menu option Sync proxy may be used. Please ensure the following syntax when defining the proxy:

http://proxy:port

_images/gsm-feed-proxy.png

The sync may use a http proxy

4.2.6.5. Cleanup

This option removes the GSF subscription key. This option is useful if an appliance is at the end of life and needs to be removed from production. The cleanup ensures that no licenses are left on the device. Without the GSF subscription key the GSM will only retrieve the Community Feed. You will be warned accordingly when choosing this option.

_images/gsm-remove-gsf.png

Cleanup will remove the GSF key

4.2.7. Time Synchronisation

To synchronize the appliance with central time servers the GSM appliance supports the NTP protocol. Up to four different NTP servers can be configured. The appliance will choose the most suitable server. During an outage of one server the remaining servers will be used automatically.

Both IP addresses and DNS names are supported.

_images/ntpconf.png

Up to four NTP servers are supported.

4.2.8. Keyboard

This menu displays the current keyboard layout of the appliance and if necessary supports the modification to your required needs and locale.

In the Setup menu select the option Keyboard using the arrow keys and confirm with Enter. Select the desired layout in the new dialog.

_images/gsm-keyboard.png

Keyboard layout selection

After confirming the selection you will be asked whether you really want to change the keyboard layout. Confirm your choice with Yes or discard it using No. The change will be confirmed with the message Keyboard layout set to ....

4.2.9. Mail Server

_images/mailhub.png

Configuring the smart host

If you want to send reports after completion of a scan automatically via email the appliance needs to be configured with a mail server. This server is called a mailhub or smart host. The appliance itself does not come with a mail server.

Confirm that the mail server accepts emails sent from the appliance. The appliance does not store emails in case of delivery failure; a second delivery attempt at a later time will not be made. On the mail server any spam protection such as grey listing must be deactivated for the appliance. Authentication using a username and password is not supported by the appliance either. The authentication must be IP based!

To configure the mail server use the Mail option within the Setup menu.

4.2.10. Central Logging Server

The GSM appliance supports the configuration of a central logging server for the collection of the logs. Either only the security relevant logs or all syslog logs may be sent to a remote logging server.

_images/syslog.png

Configuring the remote syslog server

The GSM appliance uses the Syslog protocol. Central collection of the logs allows for central analysis, management and monitoring of logs. Additionally the logs are always also stored locally.

One logging server can be configured for each kind of log (security or full). Both are used. As transport layer either UDP (default) or TCP can be used. TCP ensures delivery of the logs even when packet loss occurs. If packet loss occurs during transmission via UDP the log messages will be lost.

To setup the log server use the option Remote Syslog within Setup. Choose either Security or Full and enter the remote syslog server.

If no port is specified the default port 514 will be used. If the protocol is not specified UDP will be used.

4.2.11. Time

This option displays and supports the modification of the maintenance time. During maintenance the daily feed synchronisation takes place. You may choose any time during the day except between 10:00 and 13:00 UTC. During this period Greenbone itself updates the feed and disables the synchronisation services.

_images/gsm-feed-time.png

At maintenance time the feed synchronization happens.

If you are located in a different time zone please convert the time to UTC before entering in the dialogue.
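
The conversion to UTC and the check against the 10:00 to 13:00 UTC window, as an added example (not part of the manual). It takes the current UTC offset (for example +01:00) rather than a time zone name, and treats 13:00 UTC itself as allowed, which the manual does not state explicitly. Because the GSM stores the UTC time, the same local wall-clock time lands on a different UTC time once daylight saving time changes the offset, which the sample values show.

```python
from datetime import datetime, time, timedelta, timezone

# Greenbone updates the feed and disables synchronisation in this UTC window.
FREEZE_START = time(10, 0)
FREEZE_END = time(13, 0)


def parse_offset(offset: str) -> timezone:
    """'+01:00' or '-05:30' -> fixed-offset tzinfo."""
    sign = -1 if offset.startswith("-") else 1
    hh, mm = offset.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))


def local_to_utc(local_hhmm: str, offset: str) -> str:
    """Convert a local wall-clock time at the given fixed offset to HH:MM UTC."""
    hh, mm = map(int, local_hhmm.split(":"))
    # the calendar date is irrelevant for a fixed offset, only the shift matters
    local_dt = datetime(2000, 1, 1, hh, mm, tzinfo=parse_offset(offset))
    return local_dt.astimezone(timezone.utc).strftime("%H:%M")


def is_allowed_utc(utc_hhmm: str) -> bool:
    """True unless the time falls inside Greenbone's own update window.
    Assumption: 13:00 itself is outside the window."""
    hh, mm = map(int, utc_hhmm.split(":"))
    return not (FREEZE_START <= time(hh, mm) < FREEZE_END)


def check_maintenance_time(local_hhmm: str, offset: str):
    """Return (UTC time to enter in the dialogue, whether it is permitted)."""
    utc = local_to_utc(local_hhmm, offset)
    return utc, is_allowed_utc(utc)


if __name__ == "__main__":
    # constructed samples: the same local time under winter and summer offsets
    for local, off in (("11:30", "+01:00"), ("11:30", "+02:00"), ("05:30", "-05:00")):
        print(local, off, "->", check_maintenance_time(local, off))
```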

4.3. Maintenance

The Maintenance option in the menu covers the main maintenance tasks:

  • Selfcheck
  • Manual Backup and Restore
  • Upgrade Management
  • Manual Feed Management
  • Power Management like shutdown and reboot

4.3.1. Selfcheck

_images/selfcheck.png

Selfcheck checks the user configuration

The selfcheck option checks the setup of the appliance. The selfcheck will display wrong or missing configuration details which might prevent the correct function of the appliance. The following items are checked:

  • Network connection
  • DNS resolution
  • Feed reachability
  • Available Updates
  • User configuration

Any found problems are listed on the result page.

4.3.2. Backup and Restore

While the Setup lists a backup option supporting scheduled local and remote backups the option within the Maintenance menu supports the manual run of a backup job. Depending on the backup location configured within Setup the manually triggered backups are stored remotely or locally. These backups may be transferred to a USB stick for offsite storage.

_images/manualbackup.png

Backups may be manually triggered

Alternatively the backups can be restored using this menu. Use the option List to display a list of available backups. Choose the correct backup file and restore it.

_images/restore.png

Restoring the appliance

4.3.3. Upgrade Management

During the feed update the appliance will also download new operating system upgrades when available. While these upgrades are automatically downloaded they are not automatically installed. Since these upgrades might interrupt current scan tasks they need to be carefully scheduled. The upgrades may only be installed manually using Upgrades within Maintenance.

You will be prompted to install the update if an update is available.

_images/update.png

No updates available

4.3.4. Feed Management

By default the appliance will try to download new feeds and operating system updates daily. The automatic feed synchronisation may be disabled. If the feed synchronisation needs to be triggered manually this can be achieved using Maintenance/Feed.

_images/feed.png

Manual feed update

4.3.5. Power Management

The Greenbone Security Manager should not be turned off using the powerswitch. Rather the appliance should be shutdown and rebooted using the menu. This ensures that mandatory cleanup processes are run during the shutdown and reboot.

4.3.5.1. Shutdown

To shutdown the appliance navigate to Maintenance followed by Power. Choose Shut down in the following menu and confirm your selection. The appliance will shutdown. The shutdown process may take up to several minutes.

This will shut down all running processes and scan tasks.

_images/shutdown.png

Shutting down the appliance.

4.3.5.2. Reboot

To reboot the appliance navigate to Maintenance followed by Power. Choose Reboot in the following menu and confirm your selection. The appliance will reboot. The reboot process may take up to several minutes.

This will shut down all running processes and scan tasks.

_images/reboot.png

Rebooting the appliance.

4.4. Advanced

The Advanced option in the menu provides access to the support features of the GSM. Currently the Support option is the only option in this menu.

4.4.1. Support

The Support menu should only be used in concert with the Greenbone Support and not without guidance. The menu offers three different options:

  • Superuser
  • Support
  • Shell

These options will be explained in the following sections.

4.4.1.1. Superuser

On the GSM command line the menu option Shell starts a UNIX command line as unprivileged user admin. Any UNIX command can be executed.

To obtain root rights (superuser) on the GSM appliance the command su needs to be entered. In the factory default settings this is only possible after first enabling the superuser and providing a password for this user.

The enabling of root access should only be done by exception and by consulting with Greenbone support.

This is done using the menu option Superuser. This menu has two options:

  • Superuser
  • Password

Using the first option you may enable or disable the Superuser account. You will be warned that this should only be done by exception.

_images/gsm-superuser.png

Superuser warning

Once the superuser has been enabled the second option Password must be used to provide a password. To ensure the correctness of the password the password must be entered twice.

_images/gsm-su-password.png

Superuser password

All modifications need to be saved to be activated.

4.4.1.2. Support

Sometimes the Greenbone support requires additional information to troubleshoot and support customers. The required data is collected by the Support option. This option will create an encrypted support package including all configuration data of the GSM appliance. The package may be encrypted using the GPG public key of the Greenbone support team. The support package is stored on the appliance.

If an encrypted support package is generated it may be downloaded via http using a browser.

_images/gsm-dl-support.png

Downloading the encrypted support package

If the support package is not encrypted the download needs to be done using the Secure Copy Protocol. You need to enable the SSH service first (see section SSH).

_images/gsm-scp-support.png

Secure copy the unencrypted support package

4.4.1.3. Shell

For support reasons, in consultation with the Greenbone support, shell access is provided using this menu option. The shell access is not required for any administrative work but only for diagnostics and support. If you choose this option an appropriate warning is displayed.

_images/gsm-shell-warn.png

The shell should only be used for diagnostic purposes.

Once the warning is confirmed you are placed in a Linux shell using the unprivileged user admin. Root access requires the enabling of the superuser and the provision of a password. You may then switch to root using the command su. To leave the shell enter exit or Ctrl-D.

_images/gsm-shell.png

Accessing the local shell