Tenable Hardware Appliance Upgrade Guide June 4, 2012 (Revision 3) The newest version of this document is available at the following URL: http://static.tenable.com/prod_docs/tenable_hardware_appliance_upgrade.pdf Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of Tenable Network Security, Inc. Tenable, the Tenable logo, the Nessus logo, and/or other Tenable products referenced herein are trademarks of Tenable Network Security, Inc., and may be registered in certain jurisdictions. All other product names, company names, marks, logos, and symbols may be the trademarks of their respective owners. Tenable Network Security, Inc. 7063 Columbia Gateway Drive, Suite 100, Columbia, MD 21046 410.872.0555 sales@tenable.com www.tenable.com
Table of Contents Introduction... 3 Standards and Conventions... 3 Abbreviations... 3 Tenable Appliance Platform... 3 Skill Requirements... 3 Tenable Hardware Appliance Update... 3 Prerequisites... 4 Obtain the Update... 4 Apply Update... 4 Additional Steps... 6 Troubleshooting... 6 Acknowledgements... 8 About Tenable Network Security... 11 Copyright 2002-2012 Tenable Network Security, Inc. 2
INTRODUCTION This document describes upgrading the Tenable Hardware Appliance from version 1.0.4 to 2.0.1. Please see the Tenable Appliance Guide for information describing the installation and operation of the Tenable Appliance. Please email any comments and suggestions to support@tenable.com. STANDARDS AND CONVENTIONS Throughout the documentation, filenames, daemons and executables are indicated with a courier bold font such as gunzip, httpd and /etc/passwd. Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples and best practices are highlighted with this symbol and white on blue text. ABBREVIATIONS The following abbreviations are used throughout this documentation: LCE PVS SC VM SSL Log Correlation Engine Passive Vulnerability Scanner SecurityCenter Virtual Machine Secure Socket Layer TENABLE APPLIANCE PLATFORM The Tenable Appliance that is available pre-installed on hardware comes in Series 100 and 200 models and can be obtained by contacting sales@tenable.com. SKILL REQUIREMENTS The Tenable Appliance must be configured by a staff member that is familiar with the Nessus vulnerability scanner, Tenable Enterprise Solutions (SecurityCenter, LCE and PVS) and the site security policies and procedures. If training is required for Nessus or Tenable Enterprise Solutions, please visit: http://tenable.com/training/. TENABLE HARDWARE APPLIANCE UPDATE This section describes the steps required to upgrade the Tenable Hardware Appliance from version 1.0.4 to 2.0.1. As a part of the update process the Appliance IP address is reset to the factory default of 192.168.168.21 and must be reset to work in your environment. You will also need to restore your appliance applications from a backup that is taken during the update process. The Tenable Appliance upgrade process described in this document is to migrate from version 1.0.4-x to version 2.0.1-0. In order to upgrade to appliance version 2.2.0-0 or higher this document must be followed first, then an upgrade from Copyright 2002-2012 Tenable Network Security, Inc. 3
version 2.0.1-x to the desired version as described in the main Tenable Appliance documentation located on the Tenable Support Portal. There is no direct upgrade route from the 1.0.4 hardware appliance to version 2.2.0 or higher. Please review this section entirely before beginning the process to minimize potential issues. PREREQUISITES It is recommended that the Tenable Appliance software be updated to the latest revision available at https://support.tenable.com/ before installing the Appliance update. Before beginning the update, make sure you have access to the appliance console and make a note of the current IP address and DNS settings. Security Center 3 is not supported on the Tenable Appliance 2.0.1 (or higher) hardware. If you are currently using Security Center 3 you must upgrade to SecurityCenter 4 prior to running this update. See the Tenable Appliance documentation for information on this process. If SC3 is installed, this update will halt and display a message in the logs indicating such. OBTAIN THE UPDATE The update package to migrate the Tenable Appliance hardware version 1.0.4 to 2.0.1 is available from the Tenable Support Portal downloads section at https://support.tenable.com/ under the file name Hardware-Migration-2.0.1.tar.gz. APPLY UPDATE Once the update has been acquired from the Tenable Support Portal you may begin the process of applying it to your appliance. Log into your appliance management interface at https://<ipaddress>:8000 and navigate to the Administration tab. If your system is up to date with patches, go to the Update Appliance section. Click on the Browse button and select the file that was downloaded from the Tenable Support Portal. Click the Apply Update button. If your system has an older version of the Tenable Appliance software there will be a section at the bottom of the page called Support Actions. Click on the title to expand the options window. Click the Browse button and select the file that was downloaded from the Tenable Support Portal. Then click the Upload Support File button. Copyright 2002-2012 Tenable Network Security, Inc. 4
Once the appliance is uploaded a screen will be displayed similar to the following: Click on the Perform Action button to proceed with the update. Once the process has begun, you can monitor syslog messages by selecting System Logs under the Logs tab. If you have access to the console you may watch system messages in real time on tty3. To access tty3 press and hold the alt and F3 keys. To return to the main appliance console screen at tty1 press and hold the alt and F1 keys. When the upgrade process is complete there will be a log entry that reads: Oct 17 12:12:42 tnsappliance migration_setup[4236]: Migration Backup Completed. Oct 17 12:12:42 tnsappliance migration_setup[4238]: You may now download the backup for safe keeping if you wish. Oct 17 12:12:42 tnsappliance migration_setup[4240]: Reboot the appliance whenever you are ready to proceed. Oct 17 12:12:42 tnsappliance migration_setup[4241]: As part of the upgrade process a backup file will have been created for the system configuration and each installed application. Navigate to the Administration tab and go to the Available Backups section, which will have a list of available backups for the SystemConfiguration and each installed application with the date and time of the backup. Select a backup from the list and click the Download Backup button if you wish to save a copy in a separate location. Copyright 2002-2012 Tenable Network Security, Inc. 5
Once you have confirmed the backup exists and optionally downloaded a copy, reboot the appliance via the console or Restart Appliance button on the Administration page. During the reboot cycle the appliance will restart twice as it performs the upgrade process from version 1.0.4 to 2.0.1. After the second reboot is complete you will be presented with a clean Tenable Appliance 2.0.1 installation. This can be confirmed by going to the appliance console and selecting Appliance Information from the menu. ADDITIONAL STEPS When the upgrade is complete you must complete the following steps. The details for each action may be reviewed in the Tenable Appliance Guide available on the Tenable Support Portal at http://cgi.tenable.com/tenable_appliance.pdf. As a part of the process the IP address is reset to the factory default of 192.168.168.21 and must be reset to work in your environment. Once the IP address has been reset navigate to the main appliance page at https://<ipaddress>:8000 and set the admin password. Navigate to the Administration page and proceed to restore your applications from the Available Backups section. When restoring, it is recommended to begin with the SystemConfiguration backup. Then you may choose to restore each application from the list you wish to continue using with previous data on the appliance. It is recommended, though not required, to restore in the following order for installed applications: SystemConfiguration, SecurityCenter, Nessus and then PVS. If SecurityCenter is being restored, an updated license key is required. Please ensure that you have obtained a SecurityCenter 4.2 key from the Tenable Support Portal prior to upgrading. TROUBLESHOOTING Q. I forgot the IP address of the appliance. How do I retrieve it? A. If you forget the IP address of the appliance, access the appliance console and move the arrow keys to highlight Appliance Information and press Enter. Copyright 2002-2012 Tenable Network Security, Inc. 6
Q. I cannot log into the web interface for the Tenable Appliance. Is it possible to see error messages on the console? A. While a history of messages is not available, you can see the current messages being written to the system log. If you go to the console of your appliance and type Alt-F3 (hold down Alt while pressing the F3 key), you will see the current messages, which may help narrow down issues with the appliance. Typing Alt-F1 (hold down Alt while pressing the F1 key) will return you to the main appliance console screen. Copyright 2002-2012 Tenable Network Security, Inc. 7
ACKNOWLEDGEMENTS This product uses the scripting language written by Lua.org (http://www.lua.org/). Copyright 1994-2011 Lua.org, PUC-Rio. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This product uses the lighttpd web server written by Jan Kneschke. Copyright (c) 2004, Jan Kneschke, incremental. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - Neither the name of the 'incremental' nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product uses Aranha, a Lua/FastCGI web application platform written by Daniel Silverstone (dsilvers@digital-scurf.org). Copyright 2004-2008 Daniel Silverstone dsilvers@digital-scurf.org Copyright 2002-2012 Tenable Network Security, Inc. 8
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The Tenable Appliance console menu is provided by Pdmenu (http://kitenet.net/~joey/code/pdmenu/), written by Joey Hess joey@kitenet.net. This program is Copyright 1995-2002 by Joey Hess, and may be distributed under the terms of the GPL. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details (http://www.gnu.org/licenses/). The Tenable Appliance internal interface uses lbase64 (http://www.tecgraf.pucrio.br/~lhf/ftp/lua/#lbase64), software that has been placed in the public domain. The Tenable Appliance internal interface uses LuaFileSystem (http://keplerproject.org/luafilesystem/), designed and implemented by Roberto Ierusalimschy, André Carregal and Tomás Guisasola. Copyright 2003 Kepler Project. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, Copyright 2002-2012 Tenable Network Security, Inc. 9
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The Tenable Appliance internal interface uses LuaLogging (http://keplerproject.org/lualogging/), designed by Danilo Tuler and implemented by Danilo Tuler, Thiago Ponte and André Carregal. Copyright 2004-2007 Kepler Project. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The Tenable Appliance internal interface uses (Lua) MD5 (http://www.keplerproject.org/md5/), designed and implemented by Roberto Ierusalimschy and Marcela Ozório Suarez. The DES 56 C library, as used in (Lua) MD5, was implemented by Stuart Levy. Copyright 2003 PUC-Rio. All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Copyright 2002-2012 Tenable Network Security, Inc. 10
ABOUT TENABLE NETWORK SECURITY Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability scanner and the creator of enterprise-class, agentless solutions for the continuous monitoring of vulnerabilities, configuration weaknesses, data leakage, log management and compromise detection to help ensure network security and FDCC, FISMA, SANS CAG and PCI compliance. Tenable s award-winning products are utilized by many Global 2000 organizations and Government agencies to proactively minimize network risk. For more information, please visit http://www.tenable.com/. Tenable Network Security, Inc. 7063 Columbia Gateway Drive Suite 100 Columbia, MD 21046 410.872.0555 www.tenable.com Copyright 2002-2012 Tenable Network Security, Inc. 11