6 Upgrading the Greenbone Enterprise Appliance to the Latest Major Version

GOS 21.04 provides seamless upgrades to the new major version GOS 22.04.

All system settings and user data are retained and automatically migrated to the new version unless a change in default behavior affects a specific setting or data. For a list of changes to the default behavior, see Chapter 6.4.

6.1 Upgrading the Greenbone Operating System

Note

Before upgrading to GOS 22.04, some requirements must be met in GOS 21.04:

  • The latest version of GOS 21.04 must be installed on the appliance.
  • A Feed Import Owner must be set as described here.
  • The data objects must be installed. For this, a feed update is required after setting the Feed Import Owner.

It is recommended to switch to the networking mode gnm before upgrading to GOS 22.04 (see Chapter 7.2.2.1).

The upgrade to GOS 22.04 can be carried out as follows:

  1. Select Maintenance and press Enter.

  2. Select Upgrade and press Enter.

    → A message informs that a new GOS release is available.

  3. Press Enter to close the message.

  4. Select Switch Release and press Enter.

    → A warning informs that the appliance is upgraded to a major new version (see Fig. 6.1).

    Fig. 6.1 Warning when upgrading to GOS 22.04

  5. Select Continue and press Enter.

    → A warning informs that the appliance is locked during the upgrade to GOS 22.04 (see Fig. 6.2).

    Note

    No system operations can be run during the upgrade and all running system operations must be completed before upgrading.

    Fig. 6.2 Warning that system is locked during the upgrade

  6. Select Yes and press Enter.

    → A message informs that the upgrade was started.

    Note

    When the upgrade is finished, a message informs that a reboot is required to apply all changes (see Fig. 6.3).

    Fig. 6.3 Message after a successful upgrade

  7. Select Reboot and press Enter.

    → After the reboot is finished, it is checked if there are any unfinished setup steps. If there are unfinished steps, a message asks whether they should be completed now.

    Note

    A feed update must be performed after upgrading to GOS 22.04 in order to make use of new features such as the Notus Scanner (see Chapter 6.4).

6.2 Upgrading the Flash Partition to the Latest Version

The internal flash partition of the appliance contains a backup copy of GOS and is used in case of a factory reset.

Upgrading the GOS version stored on the flash partition is recommended (see Chapter 7.3.8).

6.3 Reloading the Web Interface After an Upgrade

After an upgrade from one major version to another, the cache of the browser used for the web interface must be emptied. The browser cache can be cleared in the settings of the browser in use.

Alternatively, the page cache of every page of the web interface can be emptied by pressing Ctrl and F5.

Note

Clearing the page cache must be done for every single page.

Clearing the browser cache is global and applies to all pages.

6.4 New Features and Changes of Default Behavior

The following list displays the major additions and changes of default behavior between GOS 21.04 and GOS 22.04.

Depending on the currently used features, these changes may affect the currently deployed setup. For a full list of changes, see the Roadmap & Lifecycle page.

6.4.1 Notus Scanner

With GOS 22.04, the new Notus Scanner is implemented. It scans after every regular scan, so no user interaction is necessary.

The Notus Scanner consumes fewer system resources and therefore scans faster.

If a scan configuration is created manually and the Notus Scanner is to be used, the VT Determine OS and list of installed packages via SSH login (OID: 1.3.6.1.4.1.25623.1.0.50282) must be activated.

The Notus Scanner replaces the logic of potentially all NASL-based local security checks (LSCs). A comparison of installed software on a host against a list of known vulnerable software is done instead of running a VT script for each LSC.

The regular OpenVAS Scanner loads each NASL LSC individually and executes it one by one for every host. A single known vulnerability is then compared to the installed software. This is repeated for all LSCs.

With the Notus Scanner, the list of installed software determined during a scan is directly compared to all known vulnerabilities. This eliminates the need to run the LSCs because the information about the known vulnerable software is collected in one single list and not distributed in individual NASL scripts.
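The difference between the two approaches can be modelled in a few lines. This is an added illustration, not Greenbone code: the advisory records, the placeholder identifiers and the dotted-number version comparison are simplified assumptions and do not reflect the Notus data format.

```python
from typing import NamedTuple

class Advisory(NamedTuple):
    ident: str          # placeholder id, not a real VT OID
    package: str
    fixed_version: str  # first version that is no longer vulnerable

def parse_version(text):
    # Assumption: plain dotted numbers. Real RPM/dpkg comparison
    # (epochs, release suffixes) is more involved.
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(installed_version, fixed_version):
    return parse_version(installed_version) < parse_version(fixed_version)

def scan_per_lsc(installed, advisories):
    """One check per advisory, run one after another for the host."""
    findings, runs = [], 0
    for adv in advisories:
        runs += 1  # models loading and executing one LSC script
        version = installed.get(adv.package)
        if version is not None and is_vulnerable(version, adv.fixed_version):
            findings.append(adv.ident)
    return sorted(findings), runs

def build_index(advisories):
    """Collect all known vulnerable software in one list, keyed by package."""
    index = {}
    for adv in advisories:
        index.setdefault(adv.package, []).append(adv)
    return index

def scan_single_pass(installed, index):
    """Compare the installed package list against the combined list once."""
    findings = []
    for package, version in installed.items():
        for adv in index.get(package, ()):
            if is_vulnerable(version, adv.fixed_version):
                findings.append(adv.ident)
    return sorted(findings), 1

# Constructed sample data for one host.
ADVISORIES = [
    Advisory("EXAMPLE-LSC-1", "openssl", "1.1.1.14"),
    Advisory("EXAMPLE-LSC-2", "openssl", "1.1.1.9"),
    Advisory("EXAMPLE-LSC-3", "curl", "7.80.0"),
    Advisory("EXAMPLE-LSC-4", "sudo", "1.9.5"),
]
INSTALLED = {"openssl": "1.1.1.11", "curl": "7.80.0", "bash": "5.1"}

if __name__ == "__main__":
    print(scan_per_lsc(INSTALLED, ADVISORIES))
    print(scan_single_pass(INSTALLED, build_index(ADVISORIES)))
```

Both functions report the same finding for the sample host; the per-LSC variant needs four separate check runs to get there, the single-pass variant one comparison.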

Currently, Notus data exists for the following LSC VT families:

  • Amazon Linux Local Security Checks
  • Oracle Linux Local Security Checks
  • EulerOS Local Security Checks
  • SuSE Local Security Checks
  • Mageia Linux Local Security Checks
  • Slackware Local Security Checks
  • Rocky Linux Local Security Checks

The setting Report vulnerabilities of inactive Linux kernel(s) separately in the VT Options for Local Security Checks is deprecated. The setting is still visible but no longer functional.

6.4.2 Appliance Feature Set

With GOS 22.04, the feature set for some appliances is extended:

  • The SNMP service (GOS menu Setup > Services > SNMP) is made available for the appliance models Greenbone Enterprise 150, Greenbone Enterprise 35 and Greenbone Enterprise 25V.
  • The automatic time synchronization via NTP (GOS menu Setup > Timesync) is made available for the appliance model Greenbone Enterprise 25V.
  • The remote and local backup functionality (GOS menus Setup > Backup, Maintenance > Backup > Incremental Backup and Maintenance > Backup > List) is made available for the appliance model Greenbone Enterprise CENO.

6.4.3 Virtual Appliances

With GOS 22.04, the virtual hard disk sizes for virtual appliances are changed.

The new sizes are:

  • Greenbone Enterprise EXA: 225 GB
  • Greenbone Enterprise DECA/PETA/EXA: 220 GB
  • Greenbone Enterprise CENO: 135 GB
  • Greenbone Enterprise ONE: 130 GB
  • Greenbone Enterprise 25V: 70 GB

The new sizes are only relevant for newly installed virtual appliances. Upgraded appliances keep their partition layout and thus, their required disk size.

6.4.4 HTTP Web Interface Access

With GOS 22.04, unencrypted HTTP access for the web interface is not supported anymore. HTTPS must be used instead.

A valid HTTPS certificate (either self-signed, or signed by a CA) must now be configured on the appliance to use the web interface (see Chapter 7.2.4.1.7).

6.4.5 Backups

6.4.5.1 Password for Remote Backup Repository

With GOS 22.04, it is possible to change the password of the remote backup repository. For this, the menu option Setup > Backup > Backup Password is added to the GOS administration menu. The menu option is only visible if the backup location is configured as remote.

Changing the backup password is recommended.

If multiple appliances use the same remote backup repository, it is recommended that each appliance uses its own unique backup password.

6.4.5.2 obnam

With GOS 20.08, the backend for managing backups in GOS was changed from obnam to restic. However, obnam remained available in GOS 20.08 and 21.04 as did the backups created with obnam in GOS 6 or earlier.

With GOS 22.04, obnam and all backups created with obnam are removed. Incremental backups created with GOS 6 and earlier will be removed due to incompatibility and to reclaim disk space.

If these old backups should be kept, a copy of the files must be made before upgrading to GOS 22.04. If there are any questions, contact the Greenbone Enterprise Support.

6.4.6 Mail Server

With GOS 22.04, a new option for enforcing the usage of SMTPS for e-mails sent by a Greenbone Enterprise Appliance is added.

For this, the GOS administration menu contains the new menu Setup > Mail > SMTP Enforce TLS.

6.4.7 Web Interface

6.4.7.1 Business Process Map

With GOS 22.04, the Business Process Map (BPM) functionality is removed from the web interface. Existing Business Process Maps will be deleted and will not be recoverable. If the information contained in a Business Process Map is to be saved, this must be done in GOS 21.04.

6.4.7.2 Task Setting Network Source Interface

With GOS 22.04, the task setting Network Source Interface is removed. If this setting was previously configured for a task, it will be ignored.

6.4.7.3 User Setting Interface Access

As the task setting Network Source Interface is removed with GOS 22.04, the user setting Interface Access is removed as well. If this setting was previously configured for a user, it will be ignored.

6.4.7.4 OVAL Definitions

With GOS 22.04, the OVAL definitions are removed from the SecInfo management in the web interface. The previous OVAL definitions were outdated and no longer served any purpose.

6.4.7.5 OSP Scanners

With GOS 22.04, the scanner type OSP Scanner is removed. It is no longer possible to create OSP scanners and select them to run scans.

This only affects the scanner type OSP Scanner, not the OSP protocol in general. The scanner type Greenbone Sensor will continue to use OSP.

6.4.8 Quality of Detection (QoD)

With GOS 22.04, the new quality of detection (QoD) level package_unreliable is implemented with a QoD of 30 %. It is used for authenticated package-based checks which are not always fully reliable for, e.g., Linux(oid) systems.

6.4.9 Vulnerability References

With GOS 22.04, the tag script_bugtraq_id(); which references a BID of www.securityfocus.com is no longer supported. For VTs with such a tag, the BID was displayed under References on the web interface. Since bugtraq.securityfocus.com is not maintained anymore, the reference only led to confusion.

All existing BID references were migrated to Other references and will appear there as URLs on the web interface. However, the URLs redirect to the general web page https://bugtraq.securityfocus.com/archive. To access the contents of the URLs, common services such as archive.org can be used.

6.4.10 Greenbone Management Protocol (GMP)

The Greenbone Management Protocol (GMP) has been updated to version 22.04 and the API has been adjusted slightly. The usage of some commands has changed and several commands, elements and attributes have been deprecated. The complete reference guide and the list of changes are available here.