Greenbone: GSM: Upgrade

Home » Learning Center » GSM: Upgrade

Page as PDF
Page content»

GSM: Upgrade

The subscription for the Greenbone Security Manager includes upgrades for new versions of scan engine, web-interface etc. The upgrades are easy to execute.

Greenbone continuously provides new upgrades. The users can decide on their own whether and when they want to execute the upgrade.

Details on new upgrades are described on this page with guides on how to execute the updates.

Current (2010-06-15): GSM 1.2.0 with GSA 1.0.0-7

top^

The items marked with (*) will change the default behaviour.

New Feature: Pausing a scan

Running scans can be paused. In contrast to stopping a task, the scan is not aborted, but rather all network activity is hold back until the scan is resumed.
Task status: Progress of stopped or paused scan now displayed

Instead of just "Stopped" or "Paused", the task status now shows for example "Stopped at 8%" or "Paused at 20%".
Result Filter: CVSS Support

It is possible to filter results with a given minimum CVSS value.
Result Filter: Supressing of hosts with no results possible.
(*) Task Details: Direct download supresses now hosts without results according to the default filter.
Scan Config Family Details and Scan Config NVT Details: Risk category (always) and CVSS-Wert (if present) of NVTs is shown.
(*) Optimization of pre-defined scan configurations (Full and Fast etc.)

For all target hosts now a ping is executed and hosts that do not answer will not be considered for the subsequent scan. This accelerates especially those scans with large IP ranges and few active hosts. In cases where active systems intentionally will not react upon ping, a scan configuration without upfront ping test should be used, for example Full-and-fast-all-IPs.xml.
Escalators: New condition for threat level changes between two subsequent scans.
NVT Preferences: Upload of files improved. Download now also possible.
Reports: Start and end scan times for each single host are now provided.
Support of NTLMSSP.
CLI-Admin: Feed management now also possible via console (current version, sync start and sync progress).
CLI-Admin: Software management now also possible via console (current version, download and upgrade).
CLI-Admin: Software upgrade, backup/resotore management: maximum duration drops from 2 hours to 1 hour.

Outlook on next upgrade

top^

Please note that neither a version number nor the release date of the next upgrade is preassigned. Also the feature list will undergo further changes.

The items marked with (*) will change the default behaviour.

New Feature: Centralized user management via Univention Corporate Server

For the Univention Corporate Server (UCS) 2.3 a extension is provided to allow full GSM user admininistration. UCS-managed accounts can easily be flagged as authorized GSM users.
New Feature: Centralized user management via Microsoft Active Directory Server

For the Microsoft Active Directory Server (ADS) a extension is provided to allow full GSM user admininistration. ADS-managed accounts can easily be flagged as authorized GSM users.
New Feature: Target system lists can be retrieved from external LDAP-based system management solutions.

Pre-configured support is available for Univention Corporate Server (UCS) 2.3 and Microsoft Active Directory Service (ADS).
New Feature: False-Positive management

The new severity filter does not only allow comfortable tagging of false positives. This feature allows the management of a complete individual threat classification.
New Feature: VHosts support

It is now possible to specify a number of virtual web hostnames for a IP address. These "vhosts" will all be tried during a scan in order to detect the different services that are behind a central web server.

Check version of your GSM

top^

The version of your GSM is directly visible on the console prompt without the need to log in:

Welcome to the Greenbone Security Manager 1.1.0-1greenbone1 2.6.26-2-686 ttyS0


gsm login:

Alternatively the version is displayed via SSH after logging in with the account "admin":

$ ssh admin@192.168.99.123
admin@192.168.99.123's password:

Welcome to the Greenbone Security Manager 1.1.0-1greenbone1

The version of the web interface GSA (Greenbone Security Assistant) can be checked by any scan-user via the navigation menu item Help->About.

Execute GSM System Upgrade

top^

Backup Management

The GSM has an integrated internal backup management as part of its maintenance operating system.

In case you already have scan data, configurations etc. of relevance on your GSM, it is recommended to create a internal backup before installing the upgrade. Of course it is generally recommended to take care of backups independent from upgrades.

Follow these steps for a backup:

During a reboot running scans would be stopped. Wait for all scan tasks to finish if you do not wish to stop running tasks.

Log into the CLI-Admin interface (see also the manual "GSM Command Line Interface: Administrator Guide") and enter the command "systembackup".

Within the next 2 hours the system will automatically shut down, create a full internal backup of the system and then boot up the system again.

System Upgrade

The upgrade can be executed without shutting down the system. In general it is recommended to choose a time when no scan tasks are running. For a short time (usually a few seconds, one minute in worst case) the web application is blocked and you might need to login anew.

It is recommended to consider creating a local backup of the current status using the built-in method of the GSM. This will take around 2 hours.

Upgrading a GSM 1.2

The Upgrade procedure was simplified and accelerated since Version 1.2.

Log into the CLI-Admin interface (see also the manual "GSM Command Line Interface: Administrator Guide").

Independent of the automatic update every 24 hours you can download the current software status immediately. The following command is not necessary if the GSM is running since at least 24 hours with network connection.

gsm> softwarestartsync
Software synchronization scheduled (executed within next 10 minutes)
gsm> softwaresyncstatus
Software synchronization is scheduled.
(... ca. 5-15 minutes ...)
gsm> softwaresyncstatus
Software synchronization neither in progress nor scheduled.

Now the upgrade can be executed. The GSM will not open any Internet connection during the upgrade. All data for this upgrade are now already stored on the GSM.

gsm> systemupgrade
System upgrade scheduled (executed within next 10 minutes)
gsm> systemupgradestatus
System upgrade is scheduled.
(... ca. 5-15 minutes ...)
gsm> systemupgradestatus
System upgrade neither in progress nor scheduled.

A successful upgrade can be verified either via the GSM version number which is shown as welcome message after logging into CLI-Admin interface (after a reboot) or via the GSA version number in the "About" dialog of the Greenbone Security Assistant (immediately).

Upgrading a GSM 1.0 or 1.1

Important for GSM 1.0 to 1.1: The upgrade is automatically downloaded in conjunction with the feed. This means, the upgrade is only available if the GSM is at least 24 hours in operation and has internet access. This limitation is dropped from version 1.2 on.

Log into the CLI-Admin interface (see also the manual "GSM Command Line Interface: Administrator Guide") and enter the command "systemupgrade".

Now it takes a maximum of 2 hours until the upgrade is finished. Depending on the extent and daytime the upgrade might finish much faster.

The GSM will not open any Internet connection during the upgrade. All data for this upgrade were already downloaded to the GSM during the last Feed synchronisation.

Previous Upgrades

top^

2010-04-27: GSM 1.1.0 with GSA 1.0.0-6

New Feature: Schedules

A schedule describes a start time and optional a repeat interval and a maximum scantime. Linking a scan task with a schedule and a EMail escalator establishes a automatic background vulerability alarm system.
New Feature: Resume stopped scans

Running scans that were stopped via the respective button or by other circumstances can now be resumed.
New Feature: Task editor

A new dialog allows to change title, comment, schedule and escalator of a scan task.
The Feed management page of GSA now shows the version of the Feed as present on the GSM.
NVT details: Risk factor and CVSS risk were added to the overview.
Improved service detection.
The server time (UTC) is displayed in the header of GSA.
The Feed synchronisation process has been accelerated.
The help system is now integrated in a dynamic way. Thus you can see the logged in user and server time now also in the help system.
Upgrade of the integrated web aplication scanner w3af.

2010-03-11: GSM 1.0.1 with GSA 1.0.0-5

Significant acceleration of web interface.
New Feature: Notes Management.

Each single result of a report can be associated with an individual note. It is possible to generalize the note regarding IP, severity or port in order to attach the note to any past and future report where the same condition is present. The notes can also be included into the PDF reports.
New Feature: ITG report format for tabular summaries of IT-Grundschutz compliance checks.

If an IT-Grundschutz Scan was executed, it contains tabular overviews of the outcome of the tests. The download of an ITG report delivers a CSV file which could be directly imported into a spreadsheet application, a database or some other specialised application.
New Feature: CPE report format for tabular summary of CPE inventory lists.

If a CPE-based Inventory Scan was executed, it contains tabular overviews of the outcome of the tests. The download of a CPE report delivers a CSV file which could be directly imported into a spreadsheet application, a database or some other specialised application.
Improved WMI Support: This will allow the IT-Grundschutz checks to collect even more results.
Various graphical improvements to the web interface as well as to the report types PDF and HTML.
Improved import of scan configurations.
Improved support for further browsers such as Konqueror.
Improved multi-user handling.
Improved Reports: Non-printable characters are replaced by blanks.