Change Guardian

Version 4.0.0

Release Notes

Date Published: March 2013


The NetIQ Change Guardian product (Change Guardian) is a file integrity management solution that provides organizations with the ability to monitor for changes to critical system and corporate files. Change Guardian events allow you to see file changes, as well as who made the change, the time of the change, and the computer from which the user initiated the change. In many cases, Change Guardian provides the before and after values for the change so organizations have enough information to take needed action.

Many improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Change Guardian forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

What's New?

This version of Change Guardian provides a new user interface that allows you to easily create policies that monitor changes in your Windows, Group Policy, Active Directory, UNIX and Linux environments.


System Requirements

You must install the Change Guardian Policy Editor on a computer running one of the following operating systems:

  • Windows XP (32- and 64-bit version)
  • Windows Server 2003 (32- and 64-bit version)
  • Windows Server 2008 (32- and 64-bit version)
  • Windows Server 2008 R2
  • Windows 7 (32- and 64-bit version)
  • Windows Vista (32- and 64-bit version)

NOTE: If you install the Policy Editor on a computer running Microsoft Windows XP (64-bit) or Windows 2003 (64-bit), you must install Microsoft Windows Hotfix 942589. For more information, see http://support.microsoft.com/kb/942589.

The Policy Editor computer must include Microsoft .NET Framework 3.5 Service Pack 1 or later.

NOTE: The Policy Editor does not support .NET Framework 4 Client Profile. If you install .NET Framework 4 Client Profile, you cannot connect to an event destination when configuring email. The Policy Editor does support .NET Framework 4 Extended.


Agent Computer Requirements

Change Guardian communicates with monitored computers through agents you install on those computers. Agents receive policy information from the Policy Repository on the Change Guardian server, and send events back to the Change Guardian server. Each Change Guardian module supports specific operating systems.

Change Guardian for Windows

Change Guardian for Windows monitors computers with the following operating systems:

  • Windows Server 2003 SP 1 and higher (32- and 64-bit version)
  • Windows Server 2003 R2 (32- and 64-bit version)
  • Windows Server 2008 (32- and 64-bit version)
  • Windows Server 2008 R2 – all versions, including Server Core
  • Windows 7 (32- and 64-bit version)
  • Windows Vista (32- and 64-bit version)
  • Windows XP SP 3 and higher (32- and 64-bit version)

NOTE: Change Guardian for Windows does not support Registry and File Share events.

Change Guardian for Active Directory

Change Guardian for Active Directory monitors computers with the following operating systems:

  • Windows Server 2003 SP 1 and higher (32- and 64-bit versions)
  • Windows Server 2003 R2 (32- and 64-bit versions)
  • Windows Server 2008 (32- and 64-bit versions)
  • Windows Server 2008 R2 (all versions, including Server Core)

Change Guardian for Group Policy

Change Guardian for Group Policy monitors computers with the following operating systems:

  • Windows Server 2003 SP 1 and higher (32- and 64-bit versions)
  • Windows Server 2003 R2 (32- and 64-bit versions)
  • Windows Server 2008 (32- and 64-bit versions)
  • Windows Server 2008 R2 (all versions, including Server Core)

Change Guardian for UNIX and Linux

Change Guardian for UNIX and Linux monitors computers with the following operating systems:

  • CentOS: 4, 5, and 6
  • IBM AIX on IBM Power: 5.3 and 6.1
  • HP-UX on PA-RISC: 11.1x, 11iv2, and 11iv3
  • HP-UX on IA64: 11.1x, 11iv2, and 11iv3
  • Oracle Linux: 4, 5, and 6
  • Oracle Solaris on SPARC: 9, 10, and 11
  • Oracle Solaris on x86_64: 10 and 11
  • Red Hat Enterprise Server: 4, 5, and 6
  • SUSE Enterprise Linux: 10 and 11


Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The issues associated with the following modules are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Change Guardian Server

The Change Guardian Server Does Not Accept Some Special Characters in Passwords

Issue:

When creating the admin password during Change Guardian server installation, you can use special characters, but when the server prompts you for the admin password, the password cannot always be verified. (ENG324740)

Workaround:

Avoid the use of special characters in the admin password. If you must use special characters, only use @, /, ~, {, }, [, ], =, ^, ?, :, +, %.

Change Guardian Policy Editor

The Change Guardian for Windows Module Cannot Browse Some Windows XP Computers

Issue:

The Policy Editor cannot connect to a computer running the Windows XP 32-bit operating system if you create or edit a Change Guardian for Windows policy constraint using the browse option. (DOC320465)

Workaround:

Manually enter the file or directory you want to monitor.

The Policy Editor Cannot Connect to the Policy Repository Using an IPv6 Address

Issue:

The Policy Editor cannot connect to the Policy Repository using an IPv6 address. (ENG321461)

Workaround:

Use the Policy Repository fully-qualified domain name or IPv4 address to connect to the Policy Repository.

An Administrative Report Can Display Repeated Information

Issue:

When you run the report Assigned Policies by Asset and choose the constraint Show policies assigned to assets in these asset groups, the report lists the assets multiple times. (ENG326663)

Workaround:

Disregard duplicated entries.

Browsing AD Groups or Users Loads the Previously Created Filter After Refreshing the User or Group Browser

Issue:

If you create a filter to browse Active Directory users or groups, close the dialog box in which you configured the filter, reopen the dialog box to browse more Active Directory users or groups, and then click Refresh, the Policy Editor loads the previously created filter, even if the filter section appears empty. (ENG326630)

Workaround:

Close and restart the Policy Editor.

Policy Set Names Cannot Include Some Special Characters

Issue:

If you create a policy set with a name that includes the & character, the Policy Assignment page does not display the policies within the policy set. (ENG326610)

Workaround:

Do not use the & character in policy set names.

Rebooting the Change Guardian Server Can Cause the Policy Editor to Fail

Issue:

If you reboot the Change Guardian server while the Policy Editor is open, the following conditions can occur:

  • The Policy Editor requests your credentials until the Change Guardian server completes the reboot.
  • The Policy Editor displays an error message and closes.
  • You cannot access Administrative Reports.

(ENG326533/ENG326534)

Workaround:

If you must reboot the Change Guardian server, save your work and close the Policy Editor until the Change Guardian server completes rebooting.


Change Guardian for Windows

Modifying an Empty Registry Binary Value Generates a Registry Value was Created Event

If you modify an empty binary value of a monitored registry key, Change Guardian treats the change as a created binary value, rather than a modified binary value. Change Guardian correctly generates a modified binary value change event for subsequent changes to the binary value. (DOC312594)

File Owner Filtering Does Not Work on Files on FAT32 Partitions

Do not use the File Owner Filtering feature when creating policies for files you want to monitor in the FAT32 partition. Files located in the FAT32 partition do not have owners, so the feature is ineffective. (DOC305580)

Changes to File Share Entries on Windows 2008 Failover Clusters Do Not Generate Events

Change Guardian for Windows does not support monitoring changes to file share entries on Windows Server 2008 failover clusters. The best practice is to monitor for changes to specified file share entries located on the shared disks of the cluster node computers, rather than to monitor for changes to file share entries on the failover cluster itself. (DOC261632)

The Registry Browser Can Display Nested Registry Keys as Recursive Registry Keys

If you monitor a nested registry key within the Wow6432Node registry with the same name as the Wow6432Node Registry key, the registry browser displays the key recursively. (DOC280520)

Monitoring an Administrative Share Does Not Generate Events

Every Windows computer supported by Change Guardian for Windows automatically creates an administrative share of every hard drive. In other words, the C:\ drive is shared as C$. Since administrative shares are special shares created by the operating system by default, and are not user initiated, Change Guardian cannot monitor them. To monitor file shares on C:\, you must create a new file share with a different name.


Change Guardian for Active Directory

Some Events Contain Empty User or Domain Information

In situations where Change Guardian for Active Directory generates a large number of events of various types, a small number of the events do not contain information about the user who performed the change or the domain from which the user performed it. (DOC322255)

Erroneous Success Event Generated for an Unsuccessful Contact Move to a Restricted Active Directory Container

If someone attempts to move a monitored contact to a restricted Active Directory container, an error displays, and the contact is not moved. Windows logs the operation as successful in the Windows event log. Change Guardian for Active Directory, in turn, interprets the action as a successful move and generates a "Success" event. (DOC321953)

Changes By Managed Users in Trusted Domains Can Appear as Unmanaged Changes

Active Directory changes performed by managed users in trusted domains appear in the Change Guardian Web console as unmanaged changes. (ENG322995)


Change Guardian for Group Policy

Some Event Deltas Can Contain Incorrect Path Information

If you make a change to a Windows Server 2003 Domain Controller (DC) from a Windows Server 2008 computer with GPMC, Change Guardian displays the path for the Windows Server 2008 computer, rather than for the Windows Server 2003 DC where the change took place. (DOC318950)


Change Guardian for UNIX and Linux

Some Failed Attribute Changes Are Not Reported for AIX

When monitoring directory attribute changes on AIX computers, Change Guardian does not always report events when chown and touch system calls fail.

NOTE: Change Guardian only reports failed system call events if the system call does not complete as designed. If a user provides incorrect arguments, the system call does not succeed, but it works as designed, so Change Guardian does not attempt to report a failed event. (ENG320366)

Time and Content Changes Not Reported for HP-UX 11iv3

The HP-UX 11iv3 auditing subsystem does not provide information for the utimes, utime, dup, or dup2 system calls. As a result, Change Guardian does not report events for the utimes access type in the CGU FileMod object and does not report events when the contents of a file change. (ENG319908)

Failed Mount Attempts on HP-UX Are Reported as Successful Mounts

Change Guardian does not properly identify failed mount attempts on HP-UX computers, and interprets all mounts as successful. (DOC319906)

Changes to Directory Contents Do Not Generate Events

When you monitor changes to the attributes of a directory, Change Guardian does not generate events when the contents of the directory change, for example, when a file is added, even though the directory's time attribute changes. (DOC319386)

Read Events for Public Files Are Not Reported for Solaris

By default, the Solaris auditing subsystem does not report read operations for public files. Public files are files that are owned by root, readable by all users, but not writable by all users. To get events about reads of public files, use the auditconfig command with the public option enabled. (ENG320922)
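
An added example (not NetIQ code): one way to list which monitored files meet the public-file definition above and therefore produce no read events under the default Solaris audit policy. The sample paths, owners, and modes are constructed, and limiting the check to regular files is an assumption.

```python
import os
import stat
import sys

def is_public(st_uid, st_mode):
    """Public file as defined above: owned by root, readable by all
    users, but not writable by all users."""
    return (st_uid == 0
            and bool(st_mode & stat.S_IROTH)
            and not st_mode & stat.S_IWOTH)

def public_files(paths, stat_fn=os.stat):
    """Return the regular files in `paths` that are public files."""
    hits = []
    for path in paths:
        try:
            st = stat_fn(path)
        except OSError:
            continue  # missing or unreadable path: nothing to classify
        # Assumption: only regular files are of interest for read events.
        if stat.S_ISREG(st.st_mode) and is_public(st.st_uid, st.st_mode):
            hits.append(path)
    return hits

# Constructed sample data: path -> (owner uid, mode). Stands in for stat().
SAMPLE = {
    "/etc/passwd": (0, stat.S_IFREG | 0o644),                # public
    "/etc/shadow": (0, stat.S_IFREG | 0o400),                # not world-readable
    "/export/home/app/app.conf": (1001, stat.S_IFREG | 0o644),  # not root-owned
    "/var/tmp/scratch": (0, stat.S_IFREG | 0o666),           # world-writable
    "/etc": (0, stat.S_IFDIR | 0o755),                       # directory
}

def sample_stat(path):
    """stat() substitute backed by SAMPLE, for running the check offline."""
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    uid, mode = SAMPLE[path]
    # Field order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

if __name__ == "__main__":
    # With arguments, check real paths; without, check the constructed sample.
    if len(sys.argv) > 1:
        found = public_files(sys.argv[1:])
    else:
        found = public_files(list(SAMPLE), sample_stat)
    for name in found:
        print("read events not reported by default:", name)
```
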

Question Marks Reported as User Name for HP-UX Trusted Computers

For events from HP-UX trusted computers, Change Guardian reports question marks in place of user names. (ENG318593)

Events Are Not Reported for Control+C Process Terminations for Linux

On Linux computers, Change Guardian only reports events generated by a kill command as process terminations. If a process terminates in any other way, using a Control+C key combination, for example, Change Guardian does not report an event. (DOC323792)

Wildcards Not Recognized in Subdirectories when Monitoring Mount and Unmount Events

When you are monitoring mount and unmount events, you can use a wildcard (*) at the root directory, but not in a subdirectory. (DOC325452)

Delta Information for Mount Events on AIX Is Not Reported

For mount and unmount events on AIX computers, Change Guardian does not report permission changes. (DOC325454)

Changes to the Time Attribute Do Not Generate Events for HP-UX

When you monitor changes to the attributes of a file on an HP-UX computer, Change Guardian does not generate events when the time attribute changes. (DOC320724)

Incorrect Process File Path Reported for Unmount Events on Solaris 10

For unmount events on Solaris 10 computers, Change Guardian reports an incorrect process file path. (ENG322149)


Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
