4. Upgrading from GOS 3 to GOS 4

GOS 4 is a more extensive overhaul than any prior version. Many internal functions and features were redesigned, including the web interface and the command line interface used for administration.

Note

With increasing complexity of a GSM setup, the migration can get complex as well.

Plan and execute the migration in close coordination with the Greenbone Networks support.

4.1. GSM ONE

A regular system update as in the past is not supported for the GSM ONE.

The migration is done as follows:

  1. Contact the Greenbone Networks support and request a virtual image of GSM ONE with GOS 4.

    Note

    Provide the subscription key ID.

    → A virtual image with GOS 4 and a guide for the migration are provided.

  2. Perform a backup of the user data on the GSM ONE using GOS 3.1.

  3. Export the backup file.

  4. Import and restore the backup on the GSM ONE using GOS 4.

4.2. GSM 25V

Virtual sensors are replaced by new virtual images.

Contact the Greenbone Networks support and request a virtual image of the GSM 25V with GOS 4.

Note

Provide the subscription key ID for the respective sensor.

Because sensors do not store scan data, the setup and configuration of the sensor will only be done in GOS 4. No migration steps are required.

4.3. GSM 25 and GSM 100

The small enterprise/branch physical appliances GSM 25 and GSM 100 require a migration of the user data using a USB stick.

Contact the Greenbone Networks support to request a detailed guide for the migration as well as advice adjusted to the specific setup.

The following aspects are important when migrating a GSM 25 or GSM 100 to GOS 4:

  • If user data of the GSM should be kept, it is mandatory to create a user data backup using a USB stick.

    Note

    In case no physical access to the GSM is possible, contact the Greenbone Networks support for an alternative procedure involving additional manual steps.

  • A pre-condition for the migration of a GSM is that it has direct access to the Greenbone Security Feed service. If it does not, contact the Greenbone Networks support for an alternative procedure involving additional manual steps.

  • For the migration, the appliance must be at GOS version 3.1.42 or newer. Earlier GOS versions do not offer a migration.

GOS 4 offers a guided setup. The user data backup is imported using the GOS administration menu.

4.4. GSM 400 up to GSM 6400

All physical appliances offer a seamless migration from GOS 3.1 to GOS 4. The user data will be moved to the new version and the system settings are kept for the most part. Complex setups in particular, such as master-sensor setups, Airgap or Expert-Net, should be planned carefully.

Contact the Greenbone Networks support to request a detailed guide for the migration as well as advice adjusted to the specific setup.

The following aspects are important when migrating a GSM 400 or higher to GOS 4:

  • While the user data should be moved automatically during the migration, a backup is a safety measure that should always be undertaken. Create a user data backup and store it on a USB stick.
  • A pre-condition for the migration of a GSM is that it has direct access to the Greenbone Security Feed service. If it does not, contact the Greenbone Networks support for an alternative procedure involving additional manual steps.
  • For the migration, the appliance must be at GOS version 3.1.42 or newer. Earlier GOS versions do not offer a migration.

GOS 4 offers a guided setup and migration. The migrated user data from 3.1 can be restored. This is a one-time offer. If the data are not restored, they are deleted from the appliance and the only copy left is the backup on the USB stick.

4.5. Upgrading GOS 4.2 to GOS 4.3

4.5.1. Upgrading GOS 4.2 to the Latest Patch Level

After the migration, GOS 4.2 is at an old patch level. A GOS upgrade is recommended to obtain the latest fixes and performance improvements.

First, a feed update has to be carried out as follows:

  1. In the GOS administration menu select Maintenance and press Enter.

  2. Select Feed and press Enter.

  3. Select Update and press Enter.

    → A message informs that the feed update was started in the background.

    Tip

    The currently running system operation can be displayed by selecting About and pressing Enter in the GOS administration menu.

  4. Press Enter.

After the feed update is finished, the GOS upgrade can be carried out.

Upgrading a master or stand-alone appliance is done as follows:

  1. Open the web browser and enter the following URL:

    https://www.greenbone.net/GBFeedSigningKey2018.gpg.asc

  2. Download the ASC file.

  3. In the GOS administration menu select Advanced and press Enter.

  4. Select New Update Key (HTTP) or New Update Key (Editor) and press Enter.

  5. In case New Update Key (HTTP) was selected, open the web browser and enter the displayed URL.

    Click Browse..., select the previously downloaded ASC file and click Upload.

    or

  5. In case New Update Key (Editor) was selected, copy the content of the previously downloaded ASC file and paste it into the editor.

    Press Ctrl + X. Press Y and Enter.

    → A message informs that the key is retrieved by the GSM.

  6. Press Enter.

  7. Select Maintenance and press Enter.

  8. Select Upgrade and press Enter.

  9. Select Update and press Enter.

    → A message informs that the upgrade was started in the background.

    Tip

    The currently running system operation can be displayed by selecting About and pressing Enter in the GOS administration menu.

    When the GOS upgrade is finished, a reboot of the GSM is required (see Chapter Rebooting the Appliance).

Upgrading a sensor is done as follows:

  1. Ensure that the master and the sensors are set up correctly (see Chapter Master-Sensor Setup).

  2. In the GOS administration menu of the master select Maintenance and press Enter.

  3. Select Feed and press Enter.

  4. Select Sensors and press Enter.

  5. Select the desired sensor and press Enter.

    → The current feed is pushed from the master to the sensors.

  6. Open the web browser and enter the following URL:

    https://www.greenbone.net/GBFeedSigningKey2018.gpg.asc

  7. Download the ASC file.

  8. In the GOS administration menu of the master select Advanced and press Enter.

  9. Select New Update Key (HTTP) or New Update Key (Editor) and press Enter.

  10. In case New Update Key (HTTP) was selected, open the web browser and enter the displayed URL.

    Click Browse..., select the previously downloaded ASC file and click Upload.

    or

  10. In case New Update Key (Editor) was selected, copy the content of the previously downloaded ASC file and paste it into the editor.

    Press Ctrl + X. Press Y and Enter.

    → A message informs that the key is retrieved by the GSM. The key is distributed to the sensors automatically.

    Perform the following steps for each sensor:

  11. In the GOS administration menu of the sensor select About and press Enter to check whether the feed update is finished.

  12. In the GOS administration menu of the master select Maintenance and press Enter.

  13. Select Upgrade and press Enter.

  14. Select Sensors and press Enter.

  15. Select the desired sensor and press Enter.

    → A message informs that the upgrade was started in the background.

    Tip

    The currently running system operation can be displayed by selecting About and pressing Enter in the GOS administration menu.

    When the GOS upgrade is finished, a reboot of the sensor is required (see Chapter Rebooting the Appliance).

  16. After upgrading all sensors, select Advanced in the GOS administration menu of the master and press Enter.
  17. Select Delete Update Key and press Enter.
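
Both the master and the sensor procedure above install the downloaded ASC file as a new update key, so it is worth checking the file on the workstation before uploading or pasting it. The following is an added example, not Greenbone tooling: it checks the armor checksum (which catches a truncated copy and paste in the Editor variant) and compares the key fingerprint with a value confirmed out of band, for example by Greenbone Networks support. The function names and the sample key are constructed for illustration; the real fingerprint is not stated on this page.

```python
import base64, hashlib, struct

def crc24(data: bytes) -> int:
    crc = 0xB704CE                      # OpenPGP armor CRC-24 (RFC 4880, section 6.1)
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Decode an armored public key block; reject it if the CRC-24 line does not match."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or (lines[0], lines[-1]) != ("-----BEGIN PGP PUBLIC KEY BLOCK-----",
                                              "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored OpenPGP public key block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body   # skip armor headers
    data = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    for ln in body:
        if ln.startswith("=") and base64.b64decode(ln[1:]) != crc24(data).to_bytes(3, "big"):
            raise ValueError("armor checksum mismatch: file truncated or altered")
    return data

def fingerprint(key: bytes) -> str:
    """Version 4 fingerprint: SHA-1 over 0x99, two-byte length and the key packet body."""
    first, nxt = (key + b"\xff\xff")[:2]
    if (first & 0x40) and nxt < 192:                   # new-format header, one length octet
        tag, start, length = first & 0x3F, 2, nxt
    elif not (first & 0x40) and (first & 3) < 3:       # old-format header, 1/2/4 length octets
        tag, start = (first >> 2) & 0x0F, 1 + (1 << (first & 3))
        length = int.from_bytes(key[1:start], "big")
    else:
        raise ValueError("unsupported packet header")
    body = key[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("first packet is not a complete version 4 public key")
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def key_file_matches(armored: str, expected_fpr: str) -> bool:
    """True only if the block decodes cleanly and carries the expected fingerprint."""
    return fingerprint(dearmor(armored)) == expected_fpr.replace(" ", "").upper()

# Constructed sample (not the Greenbone key): toy RSA values in a version 4 key packet.
_body = b"\x04" + struct.pack(">IB", 1514764800, 1) + b"\x00\x10\xc3\x51" + b"\x00\x11\x01\x00\x01"
SAMPLE_PACKET = b"\x99" + struct.pack(">H", len(_body)) + _body
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                  + base64.b64encode(SAMPLE_PACKET).decode() + "\n="
                  + base64.b64encode(crc24(SAMPLE_PACKET).to_bytes(3, "big")).decode()
                  + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

The checksum only detects accidental damage; the fingerprint comparison is the actual trust decision.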

4.5.2. Upgrading to GOS 4.3

After the appliance is upgraded to the latest GOS 4.2 patch level, upgrading to GOS 4.3 is possible as follows:

  1. In the GOS administration menu select Maintenance and press Enter.

  2. Select Upgrade and press Enter.

  3. Select Switch Release and press Enter.

    → A message informs that the release switch was started in the background.

    Tip

    The currently running system operation can be displayed by selecting About and pressing Enter in the GOS administration menu.

4.5.3. Updating the Flash Card to the Latest Version

The internal flash card of the GSM contains a backup copy of GOS and is used in case of a factory reset.

Updating the GOS version stored on the flash card is recommended.

  1. Ensure that the GSM has direct access to the Greenbone Security Feed (GSF).

  2. In the GOS administration menu select Maintenance and press Enter.

  3. Select Flash and press Enter.

  4. Select Sync and press Enter.

    → A message informs that the synchronization was started in the background.

    Tip

    The currently running system operation can be displayed by selecting About and pressing Enter in the GOS administration menu.

  5. Press Enter.

  6. When the synchronization is finished select Flash and press Enter.

    → A message informs that the process was started in the background.

    Tip

    The currently running system operation can be displayed by selecting About and pressing Enter in the GOS administration menu.

4.6. Changes of default behaviour

The following list displays the changes of default behaviour from GOS 3 to GOS 4. Depending on the current features used, these changes may apply to the currently deployed setup. Please check the following list to decide whether changes to the currently deployed setup are required. Greenbone Networks support may help during this process.

  • NVTs
    Starting with GOS 4.2, policy violation NVTs have a score of 10 by default (see section Compliance and Special Scans). In the past, these NVTs had a score of 0 and overrides were required (see section Severity, Severity, Severity, etc.).
  • GMP
    The OpenVAS Management Protocol (OMP) has been replaced with the Greenbone Management Protocol (GMP). The major difference is the transport channel used. While OMP uses an SSL/TLS-encrypted channel on port 9390/tcp, GMP uses SSH. Therefore, the older omp.exe tool cannot connect to GOS 4 appliances. The new appliances require the GVM-Tools (see section Greenbone Management Protocol). The GVM-Tools are compatible with GOS 3.1, so scripts can be migrated before the GSM itself is migrated.
  • GMP
    The Greenbone Management Protocol (GMP) changed the API slightly. New commands are available and the usage of some commands has changed. The complete reference guide and the changes are available at https://docs.greenbone.net/API/OMP/omp-7.0.html#changes.
  • TLS
    If an external CA should be used (see section Managing Certificates), the certificate requests generated by the GOS menu option now use 3072-bit keys. Some CAs do not support such long keys yet. In those cases, the PKCS #12 import still supports keys with a key length of 2048 bits.
  • Master/Sensor
    While deployments using GOS 3.1 require two ports for a master/sensor setup, only one port is needed when using GOS 4.2. Port 22/tcp is used for controlling the sensor and for the synchronization of updates and feeds. Port 9390/tcp, formerly used for the remote control of the sensors by the master, is no longer used. In addition, as a security measure, the identity of all linked master/sensor appliances is now validated via a key exchange in GOS 4. It will be necessary to perform this key exchange when migrating old GOS 3.1 sensors. Note that on GOS 4, sensors are regarded as a special type of scanner and are configured in the web interface under the respective section.
  • Report Format Plug-ins (RFP)
    In contrast to GOS 3.1, in GOS 4 an RFP connected to an alert will not be executed if the RFP was set to disabled.
  • Report Format Plug-ins (RFP)
    The filter defining the first element of the page (“first=”) no longer has an impact on the results exported in a report. All results are contained.
  • Report Format Plug-ins (RFP)
    All RFPs which were uploaded manually in GOS 3.1 or which were created by cloning another RFP will be automatically disabled during the migration to GOS 4. Some might not work on GOS 4 anymore. If they are not used anywhere, they should be removed. For some RFPs, advanced versions exist in the pre-configured set of RFPs; switch to those if the RFP is still needed. Before re-activating an RFP, test it with a report and make sure it is not automatically used with an alert in the background while it is tested. If in doubt, ask the Greenbone Networks support what to do with a certain RFP.
  • Expert-Net
    If Expert networking mode (Expert-Net) was enabled in GOS 3.1, the network configuration will be reset after upgrading to GOS 4. Please contact Greenbone Networks support for further details and be prepared to configure the GSM without remote network access.