6. Upgrading from GOS 4 to GOS 5

Note

GOS 5 updates all vulnerability management components of the Greenbone Security Manager (GSM) to a major new version. This includes a complete rework of the web interface.

Only proceed with upgrading to GOS 5 after reading the release notes and performing a backup of the current data, either via the backup function of GOS or via a VM snapshot on the hypervisor. Further news and previews for GOS 5 can be found at https://community.greenbone.net/c/news.

In GOS 5 the ECDSA SSH host key algorithm has ben deprecated. When first logging in to the GSM with GOS 5 via SSH a warning saying “Remote Host Identification Has Changed” is displayed.

GOS 5 is not available for the GSM types GSM 500, GSM 510, GSM 550, GSM 100 and GSM 25. Any such GSM connected to a master appliance is not upgraded. Master-sensor setups with mixed GOS versions (e.g. GOS 4/GOS 5) are not supported.

The upgrade has to be carried out for every Greenbone Security Manager (GSM) separately, including sensors. Upgrading sensors to GOS 5 through their masters is not possible.

Before upgrading to GOS 5, the latest version of GOS 4 has to be installed on the GSM.

If there are any questions, contact the Greenbone Networks Support via e-mail (support@greenbone.net).

6.1. Upgrading the Greenbone Security Manager

The upgrade to GOS 5 can be carried out as follows:

  1. Select Maintenance and press Enter.

  2. Select Upgrade and press Enter.

  3. Select Switch Release and press Enter.

    → A warning informs that the GSM is upgraded to a major new version (see Fig. 6.1).

    _images/gos_menu_upgrade_gos5_2.png

    Fig. 6.1 Upgrading to GOS 5

  4. Select Continue and press Enter.

    → A warning informs that the GSM is locked during the upgrade to GOS 5 (see Fig. 6.2).

    Note

    No system operations can be run during the upgrade and all running system operations have to be closed before upgrading.

    _images/gos_menu_upgrade_gos5_3.png

    Fig. 6.2 Warning that system is locked during the upgrade

  5. Select Yes and press Enter.

    → A message informs that the upgrade was started.

    Note

    When the upgrade is finished, a message informs that a reboot is required to apply all changes (see Fig. 6.3).

    _images/gos_menu_upgrade_gos5_4.png

    Fig. 6.3 Message after a successful upgrade

  6. Select Reboot and press Enter.

6.2. Upgrading the Flash Partition to the Latest Version

The internal flash partition of the GSM contains a backup copy of GOS and is used in case of a factory reset.

Upgrading the GOS version stored on the flash partition is recommended (see Chapter 7.3.7).

6.3. Changes of Default Behaviour

The following list displays the changes of default behaviour from GOS 4 to GOS 5. Depending on the current features used, these changes may apply to the currently deployed setup.

Note

Check the following list to decide whether changes to the currently deployed setup are required. The Greenbone Networks Support (support@greenbone.net) may help during this process.

6.3.1. Web Interface

Added permissions for global objects
It is now possible to configure users, roles and groups to allow them only restricted usage of only a few, just one or even none of the predefined objects (port lists, scanners, scan configurations and report formats).
Added columns on pages Notes and Overrides
The columns Hosts and Location were added to the list pages of notes and overrides. This improves sorting and filtering for hosts and locations.
Extended dialog for editing overrides and notes
The dialog for editing notes and overrides now allows editing the NVT, the host, the location, the severity, the task and the result even if they were already defined.
Connected GSM user manual to the web interface
When clicking help on the web interface the online version of the GSM user manual is opened on the respective page.
Removed page Hosts (Classic)
The page Hosts (Classic) was removed. As already possible with GOS 4.3 a prognosis scan can be run using the CVE scanner.
Removed overrides indicator/switch
The indicator/switch for overrides in the header of the column Severity on the pages Tasks, Reports and Results was removed. The overrides can be enabled or disabled in the filter instead.
Added up to 10 user-defined dashboards
The single main dashboard on the page Dashboards is extended to have up to 10 user-defined named dashboards. For example, this allows to configure the dashboards „Europe“, „Asia“, „Last Week“, „Windows“ or „Printers“ by applying respective powerfilters to a individual chart selection. The page Dashboards replaces the separate dashboards for scans, assets and SecInfos.
Removed pre-defined severity classification scheme OpenVAS Classic
The pre-defined severity classification scheme OpenVAS Classic was removed. The scheme NVD is the default scheme. During migration, the scheme OpenVAS Classic is replaced by the scheme NVD in case a user configured it as a personal setting.
Renamed task status Internal Error to Interrupted
Scans that stopped for any other reason than the user pressing stop have the status Interrupted at X % which is shown in a red status bar on the web interface and and replaces the status Internal Error. After a reboot of the GSM, running tasks are set to Interrupted at X % instead of Stopped at X %. The status Stopped at X % remains reserved for user-intentional stopping of a task. In both cases the task can be resumed.
Extended dialog for creating schedules
More refined schedules can be created now, e.g. for specific days of the week.
Added tagging for multiple objects
It is now possible to assign the same tag to many objects with a single action rather than adding the tag to each object one by one. For example, 100 arbitrarily filtered hosts can easily be assign the tag Responsible:AdminTeam1 or AssetGroup:Printers in the host asset management.
Added encryption for alert e-mails
The alert method Email now allows the encryption of the e-mail using a S/MIME certificate or a PGP key owned by the recipient. This way a secure end-to-end encryption is established. The encryption keys can be uploaded as a new credential type.
Added scan report content composer
When exporting a report, triggering an alert for a report or creating an alert a dialog is opened for composing the report content of the XML that is passed on to the report format. It allows to configure whether notes should be added to the report and/or overrides should be marked in the report. Additionally, it shows the filter that is currently applied to the report. The content composer allows to reduce/extend the scope handled by the report format and is designed to be extended with further data groups in the future.

6.3.2. Report Format Plug-ins (RFP)

Removed report format HTML

The report format HTML was removed. The alternative report format GSR HTML is more advanced in any aspect. Alerts that were configured to use the report format HTML will automatically fall back to use the report format TXT.

Note

Change to the report format GSR HTML where considered appropriate.

6.3.3. OpenVAS Scanner

Extended vhost support
The scanner is much more smarter about finding all relationships between host names and IP addresses without needing extra user input. The previously used scanner preferences vhosts and vhosts_ip are dropped. What was configured there is now done automatically and reliably. In environments with virtual hosts, the scan results will have less results because duplicates are avoided now. The host name is now a field of its own in the web interface as well as in GMP.

6.3.4. Greenbone Management Protocol (GMP)

The Greenbone Management Protocol (GMP) has been updated to version 8.0 and the API has been adjusted slightly. The usage of some commands has changed and several commands, elements and attributes have been deprecated. The complete reference guide and the list of changes are available here.