6 Upgrading the Greenbone Enterprise Appliance to the Latest Major Version
Note
All GOS versions below GOS 22.04 are retired. Upgrading these versions to GOS 22.04 is no longer officially supported and may be subject to technical problems.
For assistance with migrating an old version to a supported version, contact the Greenbone Enterprise Support.
6.1 New Features and Changes of Default Behavior
The following list displays the major additions and changes of default behavior between GOS 21.04 and GOS 22.04.
Depending on the currently used features, these changes may affect the currently deployed setup. For a full list of changes, see the Roadmap & Lifecycle page.
6.1.1 Notus Scanner
With GOS 22.04, the new Notus Scanner is implemented. It scans after every regular scan, so no user interaction is necessary.
The Notus Scanner offers better performance: it consumes fewer system resources and therefore scans faster.
When a scan configuration is created manually and the Notus Scanner is to be used, the VT Determine OS and list of installed packages via SSH login (OID: 1.3.6.1.4.1.25623.1.0.50282) must be activated.
The Notus Scanner replaces the logic of potentially all NASL-based local security checks (LSCs). A comparison of installed software on a host against a list of known vulnerable software is done instead of running a VT script for each LSC.
The regular OpenVAS Scanner loads each NASL LSC individually and executes it one by one for every host. A single known vulnerability is then compared to the installed software. This is repeated for all LSCs.
With the Notus Scanner, the list of installed software determined during a scan is directly compared to all known vulnerabilities. This eliminates the need to run the LSCs because the information about the known vulnerable software is collected in one single list and not distributed in individual NASL scripts.
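The two approaches described above, side by side, as an added illustration that is not Greenbone's code or feed format. The advisory IDs, package names, versions and the simplified version ordering are constructed assumptions.

```python
import re

# Constructed sample data: advisory IDs, package names and versions are
# placeholders, not content of the Greenbone feed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "openssl", "fixed": "3.0.11-1"},
    {"id": "EXAMPLE-ADV-2", "package": "bash", "fixed": "5.1-6"},
    {"id": "EXAMPLE-ADV-3", "package": "zlib", "fixed": "1.2.13-2"},
    {"id": "EXAMPLE-ADV-4", "package": "openssl", "fixed": "3.0.9-1"},
]
INSTALLED = {"openssl": "3.0.9-2", "bash": "5.1-6", "curl": "7.88.1-10"}


def version_key(version):
    """Tokenize a version so that 3.0.9 sorts before 3.0.11.

    Assumption: simplified ordering; real schemes need the package manager's own rules.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(1, int(t), "") if t.isdigit() else (0, 0, t) for t in tokens]


def is_vulnerable(installed_version, fixed_version):
    return version_key(installed_version) < version_key(fixed_version)


def scan_per_script(installed, advisories):
    """One check per advisory, as with individual LSC scripts."""
    findings, checks = [], 0
    for adv in advisories:
        checks += 1  # every script runs, even if the package is absent
        version = installed.get(adv["package"])
        if version is not None and is_vulnerable(version, adv["fixed"]):
            findings.append((adv["id"], adv["package"], version))
    return findings, checks


def scan_single_list(installed, advisories):
    """Compare the installed-package list against one indexed advisory list."""
    index = {}
    for adv in advisories:
        index.setdefault(adv["package"], []).append(adv)
    findings, lookups = [], 0
    for name, version in installed.items():
        lookups += 1  # one lookup per installed package
        for adv in index.get(name, []):
            if is_vulnerable(version, adv["fixed"]):
                findings.append((adv["id"], name, version))
    return findings, lookups
```

Both functions report the same finding for the sample host; the per-script variant does work proportional to the number of advisories, the single-list variant proportional to the number of installed packages.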
Currently, Notus data exists for the following LSC VT families:
AlmaLinux Local Security Checks
Amazon Linux Local Security Checks
Debian Local Security Checks
EulerOS Local Security Checks
Mageia Linux Local Security Checks
Oracle Linux Local Security Checks
Red Hat Linux Local Security Checks
Rocky Linux Local Security Checks
Slackware Local Security Checks
SuSE Local Security Checks
Ubuntu Local Security Checks
The setting Report vulnerabilities of inactive Linux kernel(s) separately in the VT Options for Local Security Checks is deprecated. The setting is still visible but no longer functional.
6.1.2 Appliance Feature Set
With GOS 22.04, the feature set for some appliances is extended:
The SNMP service (GOS menu Setup > Services > SNMP) is made available for the appliance models Greenbone Enterprise 150, Greenbone Enterprise 35, Greenbone Enterprise CENO and Greenbone Enterprise 25V.
The automatic time synchronization via NTP (GOS menu Setup > Timesync) is made available for the appliance models Greenbone Enterprise CENO and Greenbone Enterprise 25V.
The remote and local backup functionality (GOS menus Setup > Backup, Maintenance > Backup > Incremental Backup and Maintenance > Backup > List) is made available for the appliance model Greenbone Enterprise CENO.
6.1.3 HTTP Web Interface Access
With GOS 22.04, unencrypted HTTP access for the web interface is not supported anymore. HTTPS must be used instead.
A valid HTTPS certificate (either self-signed, or signed by a CA) must now be configured on the appliance to use the web interface (see Chapter 7.2.4.1.7).
6.1.4 Backups
6.1.4.1 Password for Remote Backup Repository
With GOS 22.04, it is possible to change the password of the remote backup repository. For this, the menu option Setup > Backup > Backup Password is added to the GOS administration menu. The menu option is only visible if the backup location is configured as remote.
Changing the backup password is recommended.
If multiple appliances use the same remote backup repository, it is recommended that each appliance uses its own unique backup password.
6.1.4.2 obnam
With GOS 20.08, the backend for managing backups in GOS was changed from obnam to restic. However, obnam remained available in GOS 20.08 and 21.04 as did the backups created with obnam in GOS 6 or earlier.
With GOS 22.04, obnam and all backups created with obnam are removed. Incremental backups created with GOS 6 and earlier will be removed due to incompatibility and to reclaim disk space.
If these old backups should be kept, a copy of the files must be made before upgrading to GOS 22.04. If there are any questions, contact the Greenbone Enterprise Support.
6.1.5 Mailhub
With GOS 22.04, a new option for enforcing the usage of SMTPS for e-mails sent by a Greenbone Enterprise Appliance is added.
For this, the GOS administration menu contains the new menu Setup > Mail > SMTP Enforce TLS.
6.1.6 Increased RAM, Disk Space and Feed Partition Size
With GOS 22.04.23, the resources for some appliance models were increased.
All virtual appliances: 500 GB virtual disk size
Greenbone Enterprise 5400 R2: 24 GB RAM
Greenbone Enterprise 35/25V: 8 GB RAM
Greenbone Enterprise DECA/TERA: 14 GB RAM
Greenbone Enterprise CENO/ONE: 12 GB RAM
Greenbone Enterprise 400 R1/450 R1/600 R1/650 R1/5400 R1/6500 R1: 24 GB feed partition size
Greenbone Enterprise CENO/DECA/EXA/ONE/PETA/TERA/25V: 24 GB feed partition size
Greenbone Enterprise 150/35: 55 GB root partition size
Note
After the upgrade, a reboot is required. Afterwards, the self-check must be observed for the steps required for the appliance model in use.
In case of a virtual appliance, the self-check displayed after upgrading GOS and rebooting shows which resources must be increased in the hypervisor settings. Before changing the hypervisor settings, the appliance must be shut down.
For the required settings in the hypervisor, the following instructions can be used:
VMware
Hyper-V
VirtualBox
Note
After changing the settings in the hypervisor, the self-check must be observed for the steps required for the appliance model in use.
To use the new partition layout, the disk volumes must be extended. For this, the menu option Maintenance > Extend disk volumes is added to the GOS administration menu. After extending the disk volumes, the menu option is not displayed anymore.
6.1.7 Web Interface
6.1.7.1 Business Process Map
With GOS 22.04, the Business Process Map (BPM) functionality is removed from the web interface. Existing Business Process Maps will be deleted and will not be recoverable. If the information contained in a Business Process Map is to be saved, this must be done in GOS 21.04.
6.1.7.2 Task/Audit Setting Network Source Interface
With GOS 22.04, the task/audit setting Network Source Interface is removed. If this setting was previously configured for a task or an audit, it will be ignored.
6.1.7.3 User Setting Interface Access
As the task/audit setting Network Source Interface is removed with GOS 22.04, the user setting Interface Access is removed as well. If this setting was previously configured for a user, it will be ignored.
6.1.7.4 OVAL Definitions
With GOS 22.04, the OVAL definitions are removed from the SecInfo management in the web interface. The previous OVAL definitions were outdated and no longer served any purpose.
6.1.7.5 OSP Scanners
With GOS 22.04, the scanner type OSP Scanner is removed. It is no longer possible to create OSP scanners and select them to run scans.
This only affects the scanner type OSP Scanner, not the OSP protocol in general. The scanner type Greenbone Sensor will continue to use OSP.
The credential type Client Certificate that was used for (custom) OSP scanners was removed as well. Existing credentials of this type will not be affected or removed. They can still be accessed, but they are of no use anymore, and can be deleted manually.
6.1.8 Quality of Detection (QoD)
With GOS 22.04, the new quality of detection (QoD) level package_unreliable is implemented with a QoD of 30 %. It is used for authenticated package-based checks that are not always fully reliable, for example on Linux(oid) systems.
6.1.9 Vulnerability References
With GOS 22.04, the tag script_bugtraq_id();, which references a BID of Bugtraq, is no longer supported. For VTs with such a tag, the BID was displayed under References on the web interface. Since bugtraq.securityfocus.com is not maintained anymore, the reference only led to confusion.
All existing BID references were migrated to Other references and will appear there as URLs on the web interface. To access the contents of the URLs, common services such as archive.org can be used.
6.1.10 Greenbone Management Protocol (GMP)
The Greenbone Management Protocol (GMP) has been updated to version 22.04 and the API has been adjusted slightly. The usage of some commands has changed and several commands, elements and attributes have been deprecated. The complete reference guide and the list of changes are available here.