NetIQ Change Guardian 4.2 Service Pack 1 Release Notes

October 2016

NetIQ Change Guardian 4.2.1 improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the NetIQ Downloads website. To download patches for this product, see the Patch Finder website.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Updates to Certified Platforms

This release certifies the following platforms:

  • Red Hat Enterprise Linux 6.7

  • SUSE Linux Enterprise Server (SLES) 11 Service Pack 4

NOTE: SLES 11 Service Pack 3 is no longer a certified platform for Change Guardian because SUSE has dropped support for SLES 11 Service Pack 3.

For information about certified platforms, see the Technical Information page.

1.2 Software Fixes

Change Guardian 4.2 Service Pack 1 includes software fixes that resolve several previous issues.

Change Guardian Server Generates Asset Registration Events in FIPS Mode

Change Guardian now generates the following events when you are running the Change Guardian Server in FIPS mode:

  • Asset Registered

  • Asset Unregistered

(Bug 945664)

Agent Manager Configuration No Longer Fails When Browsing Assets from Child Domain

Issue: When you try to add or browse assets from child domains for Agent Manager, Change Guardian displays an LDAP Connector exception. (Bug 975044)

Fix: You can now add or browse the child domains in Agent Manager.

Agent Manager Registration Points to Sentinel Event Destination Location

Issue: During registration, the Agent Manager points to the standalone Sentinel server, which is not the default event destination for Change Guardian 4.2 and later. The registration fails and displays the following error: Failed to register agent in 300 seconds. (Bug 967724)

Fix: The agent manager now points to the default Change Guardian policy repository server to register agent manager services.

FIPS Mode Supports Forwarding Events to Syslog Servers

If you are running the Change Guardian Server in FIPS mode, it can now forward any events to Syslog servers in your environment. (Bug 956883)

Bypass Signature Verification for Change Guardian Agent Installation

Issue: Signature verification of the Change Guardian Agent MSI fails on the target machine, during remote deployment with the Deployment Manager or during local installation with the silent installer EXE, because the machine cannot download the latest required root CA certificates: it has no internet connection and its CA certificates are outdated. (Bugs 975833 and 972203)

Fix: To avoid the signature verification process, manually install the agent MSI directly on the target machine under the following conditions:

  • When the target machine does not have access to internet

  • When the Microsoft root CA certificates are outdated on the target machine

Perform the steps provided in the KB Article to install agents to computers.

Backup and Restore Utility Supports New Features

The backup and restore utility supports performing backup and restore of the following new features of Change Guardian 4.2 and later:

  • Alert Notifications and Triage

  • New License Usage Report

  • New Monitoring Capability for Active Directory

  • Enhanced Integration with Active Directory

  • Agent Manager

(Bug 941990)

Resolves the Bar Mitzvah Vulnerability

Change Guardian 4.2 SP 1 resolves the Bar Mitzvah (CVE-2015-2808) security vulnerability. (Bug 956196)

Delta Information for AD Schema Changed Events is No Longer Missing

Issue: The events are missing delta information for AD schema change. The before and after information displays NA instead of the actual data.

Fix: Change Guardian now successfully generates events and displays the actual delta information for the AD schema changed events. (Bug 937902)

Internet Explorer and Firefox Correctly Display Agent Manager View

Issue: When you use Internet Explorer 11 or Firefox 45 to open Agent Manager in a locale other than English, the options and drop-down menus are not loaded as expected.

Fix: The Agent Manager view, drop-down menus, and options are now available as expected in Internet Explorer 11 and Firefox 45. Because Change Guardian does not support localization, Agent Manager opens in the English locale even when you use another language. (Bug 972518)

Email Sent After Modifying Email Settings

Issue: The Change Guardian server is unable to send email notifications when the STARTTLS protocol is enabled on the email server. Change Guardian displays the following error: Failed to send email com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated.

Fix: The Change Guardian email configuration now supports the STARTTLS protocol. It can now send email notifications successfully. For more information, see Adding Email Servers to Change Guardian. (Bug 977238)

1.3 Enhancements

Addition of Attributes to Change Guardian Event Information

The Change Guardian event information now includes the following attributes:

  • TargetUserDomain: Displays the domain name from event source, where the account name is unique.

  • TargetUserName: Displays target user’s account name. (Bug 986263)

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.

3.0 Upgrading Change Guardian

You can upgrade to Change Guardian 4.2 SP 1 from the following previous versions:

  • Change Guardian 4.1 Service Pack 1 Hotfix 2

  • Change Guardian 4.2

  • Change Guardian 4.2 Hotfix 1

  • Change Guardian 4.2 Hotfix 2

For information about the upgrade procedure, see Upgrading Change Guardian.

IMPORTANT: You cannot use Windows Agent 4.1.1 or earlier with this release. You must upgrade the Windows Agent to version 4.2.0 or later.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 Cannot View Alerts with IPv6 Data in Alert Views

Issue: Change Guardian alert views do not display alerts that have IPv6 addresses in IP address fields. (Bug 981570)

Workaround: To view alerts with IPv6 addresses in Change Guardian, perform the steps mentioned in NetIQ Knowledge base Article 7016555.

4.2 Cannot Install Change Guardian Server as Non-root User

The installation process does not support installing the Change Guardian Server as a non-root user. (Bug 948756)

4.3 Issues with Upgrading Agents Out of Order

The following issues occur if you upgrade agents in the incorrect order:

  • If an agent computer has both the agent and the Policy Editor installed, upgrading to Change Guardian 4.2 removes the Policy Editor from the computer. To avoid this, upgrade the Policy Editor first and then upgrade the agent. (Bug 936766)

  • If you upgrade the Windows agent before you upgrade the Change Guardian Server, the agent will not receive policy updates after the server upgrade. To enable the agent to receive policy updates again, restart the Change Guardian service on the agent machine. (ENG335193)

4.4 Upgrade Process Does Not Work with Custom Installation Location

If you installed a previous version of Change Guardian in a custom location, a known issue with the installation process prevents you from upgrading to version 4.2. To upgrade to version 4.2, contact Support for assistance. (Bug 946564)

4.5 Upgrade Process Fails if You Renamed the .msi Package for the Original Installation

If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)

4.6 Upgrade Process Displays Wrong Version Number

The upgrade process incorrectly displays the following message: Upgrading to 7.3.1. (Bug 945259)

4.7 Events Missing Delta and Diff Information After Upgrade

Change Guardian 4.1 SP 1 included an architectural change related to delta and diff storage. This change significantly improves the time required to retrieve delta and diff information. If you are upgrading from Change Guardian 4.1 or before, the delta and diff information for any pre-4.1 SP 1 events does not display after the upgrade process is complete. You can use reports to retrieve the delta and diff information for pre-4.1 SP 1 events. Change Guardian correctly displays delta and diff information for any events generated after the upgrade. (Bug 936002)

4.8 Manual Configuration Required to Use Registry Browser

To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.

If you do not manually set the flag to 1, when you use the Registry Browser, you will receive a Could not connect to Windows Data Source error. (Bug 945225)

4.9 Local Users in Administrator Group Cannot Deploy Agents to Windows Computers

With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see https://support.microsoft.com/en-us/kb/951016. (Bug 918180)

4.10 Issues with Security Agent for UNIX Version 7.4

The following are known issues with version 7.4 of the Security Agent for UNIX:

  • If the Change Guardian Server is running in FIPS mode, version 7.4 of the Security Agent for UNIX cannot register with the Change Guardian Policy Repository. (Bug 948202)

  • When you are creating a policy, if you browse to a Security Agent for UNIX that is version 7.4 or older, you will receive a Could not connect to UNIX Data Source error. You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the UNIX or Linux computer you want to monitor, and then use the cd and ls commands. (Bug 953718)

  • If you are using a version of the Security Agent for UNIX released prior to December 2015, the Policy Name and Policy ID fields on UNIX events are blank. Functionality that uses the information in these fields, such as alerts, does not work. (Bug 906274)

NOTE: These issues are fixed in Security Agent for UNIX version 7.5.

4.11 Agents on Windows Server 2003 Computers Do Not Receive Tasks When Expanding Users Containing {}

If you configure a policy to expand an Active Directory user that contains only the {} characters, and then assign the policy to an agent on a computer running Windows Server 2003, Change Guardian assigns the policy successfully but the task never arrives at the agent. (Bug 908543)

4.12 Option to Rerun Tasks from 'Failed Tasks' Does Not Work

Issue: If an agent installation, upgrade, or uninstall task fails, the option to re-run the task from the Failed Tasks list does not work. (Bug 942426)

Workaround: In Agent Manager, select the asset and run the task again.

4.13 Asset Tasks Remain 'In Progress' Indefinitely

Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)

Workaround: Manually cancel the task in Agent Manager.

4.14 Issues Monitoring DNS Configuration Changes

If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:

  • Include Only or Exclude Events (Bug 906981)

  • Managed Events (Bug 906984)

4.15 Issue Monitoring Local User and Groups Privilege Events

If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)

4.16 Internal Audit Events Go Only to Primary Event Destination in FIPS Mode

If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)

4.17 Change Guardian Server Cannot Connect to Data Sources in FIPS Mode

Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)

Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and ls commands.

4.18 Enabling FIPS Mode Requires Restarting Services

Issue: When you enable FIPS mode on the Change Guardian Server, the connection between Agent Manager and the agent computers is lost. (Bugs 943730, 944285)

Workaround: Restart the NetIQ Client Agent Manager and NetIQ Change Guardian Agent services on each agent computer.

4.19 Approved Assets Incorrectly Require Authentication

Issue: If you select an asset in the All Assets list, and that asset has an agent installed on it, you are prompted for the username and password for that asset. (Bug 942853)

Workaround: There is no workaround at this time.

4.20 Deleting an Asset with Agent Manager Does Not Delete All Components

Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the NetIQ Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the NetIQ Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)

4.21 Issue with Privileges for Local Users and Groups Prevents Change Guardian from Generating an Event

If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)

4.22 Manually Uninstalling an Agent Does Not Remove the Agent's Version Details from Agent Manager

Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)

Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.

4.23 Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Installations

Issue: In upgraded installations, when you search for alert attributes in the Tips table in the web interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)

Workaround: There is no workaround at this time.

4.24 New Incoming Alerts Incorrectly Appear to be Selected When You Modify Existing Alerts

Issue: When you click Select All in alert views to select alerts, deselect a few alerts, and modify the remaining ones, new incoming alerts are also selected in the refreshed alert views. This results in a wrong count of alerts selected for modification, and it also appears as if you are modifying the new incoming alerts. However, only the originally selected alerts are modified. (Bug 904830)

Workaround: No new alerts will appear in the alert view if you create the alert view with a custom time range.

4.25 Change Guardian Web Console is Blank if the License is Expired

Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)

Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key through the Command Line in the Administrator Guide for Sentinel.

4.26 Change Guardian Cannot Retrieve Events Related to Users Logging On or Off a Domain Controller

Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)

Workaround: There is no workaround at this time.

4.27 Active Directory Does Not Synchronize New User if the Account Name is the Same as a Deleted User

Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)

Workaround: There is no workaround at this time.

4.28 Unsupported Event Routing Rules are Visible After Upgrading from 4.0

The following Event Routing rules are visible after you upgrade from Change Guardian 4.0:

  • Log to File

  • Log to Syslog

  • Send Events via Sentinel Link

  • Send SNMP Trap

For assistance removing these Event Routing Rules, contact Support. (DOC333152)

4.29 Default Database Service Port Must Be Used for Change Guardian Server

To successfully install Change Guardian 4.2, you cannot modify the default Database Service port. (ENG333165)

4.30 Event Severity is Always Calculated Automatically for Security Agent for UNIX Events

Event Severity is always calculated automatically for Security Agent for UNIX events, including events generated by policies configured with a custom severity. (DOC333969)

4.31 VMware vSphere 5.5 Web Client Cannot Import OVF Templates

Issue: An issue with VMware vSphere 5.5 Web Client prevents you from using it to import .ovf templates. (DOC332977)

Workaround: To import an .ovf template, you must use the VMware vSphere 5.5 Client.

4.32 Modifications to System-Only Object Might Not Generate Security Events

Change Guardian for Active Directory requires a security event to generate a Change Guardian event. System-only object attributes in Active Directory cannot be modified manually. They can only be modified internally by Active Directory. Modifications to system-only attributes do not generate security events, so Change Guardian is unaware of these changes and cannot track them or create Change Guardian events. (ENG332134)

4.33 Missing Sections in 'Process was Terminated' Events

If you create a process policy in Change Guardian for Windows that monitors an application for Process was Terminated events, and the monitored application is open before you assign the policy to the agent, when the monitored application shuts down, the generated event does not contain the Event Message and Who sections. To ensure that the generated event contains all sections, turn off the application you want to monitor before assigning the policy to the agent. After you assign the policy to the agent, start the application again. (ENG332876)

4.34 LDAP Settings Cannot Expand Group Members from Trusted Domains

If you configure LDAP settings for a group that contains members from a trusted domain other than the domain to which the group belongs, Change Guardian cannot expand the group members. (ENG331982)

4.35 LDAP Settings Do Not Support Parentheses

LDAP settings do not work on Active Directory users or users of groups if the name attribute contains open or close parentheses: ( ) . (ENG331896)

4.36 'Demoted from DC' Events are Not Generated on Windows Server 2003

If you configure Change Guardian for Active Directory to monitor for Computer Demoted from DC events, and the demoted computer is running Microsoft Windows Server 2003, a Computer Demoted from DC event is not generated. (ENG332176)

4.37 Change Guardian for Active Directory Does Not Generate Some Events on Microsoft Windows Server 2012 R2

If you run Change Guardian for Active Directory on a computer with the Microsoft Windows Server 2012 R2 operating system, Change Guardian for Active Directory does not generate some events. If you install Windows Update KB2911106, Change Guardian for Active Directory is able to generate all events except Active Directory Object was Renamed events. (ENG332396)

4.38 Microsoft Windows Server 2012 R2 + KB2887595 Can Cause Instability on Domain Controller

If your domain controller runs Windows Server 2012 R2, ensure that you have installed the most recent Windows updates. If the most recent Windows update you have installed is KB2887595, the computer can become unstable when the following are true:

  • Audit Directory Service Changes is enabled in Active Directory

  • An Active Directory object is renamed

(ENG332396)

4.39 Change Guardian for Windows Does Not Capture Some File Share Settings

Change Guardian for Windows does not capture modifications to the following types of share settings:

  • Management Properties

  • Quota

(ENG326828)

4.40 Migrating Locally Saved Policies is Not Supported

Before you upgrade the Policy Editor to the current version, ensure that you back up or submit locally saved policies to the Change Guardian Policy Repository. If you upgrade without backing up locally saved policies from version 4.0 or version 4.0.1, you will lose those policies. (DOC331358)

4.41 Active Directory Schema Events Might Display 'N/A' in Before and After Fields

The Schema Attribute Modified and Schema Class Modified events from Active Directory do not support Before and After fields, and display N/A. (ENG330960)

4.42 Reports Might Not Display Surrogate Characters Correctly

An issue with DevExpress prevents reports from displaying some surrogate characters correctly. (ENG332580)

4.43 A Nessus Scan Results in Loss of Communication with Change Guardian Server

An issue with proxy client connections causes Change Guardian to lose the connection with the Change Guardian server when you run a Nessus scan.

Workaround: Comment out the following section in the server.xml file:

    <obj-component id="ProxyService">
      <class>esecurity.ccs.comp.clientproxy.ClientProxyService</class>
      <property name="clientports">ssl:${clientproxyservice.port.client}</property>
      <property name="certclientports">ssl:${clientproxyservice.port.certclient}</property>
      <property name="keystore">${esecurity.config.home}/config/.proxyServerKeystore</property>
      <property name="certificateAlias">SentinelProxyServer</property>
    </obj-component>

(ENG334480, ENG334500)

4.44 Forwarded Events Might Contain Extra Characters

When you use the Syslog Dispatcher to forward events in Change Guardian, event attributes might contain additional backslash (\) characters to escape the following characters: \, =, and |. These extra characters are necessary to allow the event to conform to the Common Event Format (CEF) specification. To remove them, parse the events with a CEF parser. (ENG334907)
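The parsing step described above can be done with a small CEF parser such as the following, which is an added example and not NetIQ code. The sample event and all of its field values are constructed; the parser also accepts \| inside extension values because this page lists | among the escaped characters.

```python
import re

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")

# Constructed sample (not real product output): a syslog prefix followed by a
# CEF record whose attributes carry the escaped \, = and | characters.
SAMPLE = (r"<134>Oct 12 10:15:00 cgserver CEF:0|NetIQ|Change Guardian|4.2.1|"
          r"FILE_MOD|File \| Content Modified|5|"
          r"fname=C:\\Config\\app.ini "
          r"msg=timeout\=30 changed to timeout\=60 \| retry\=3 "
          r"suser=CORP\\jdoe")

# An extension key starts the string or follows whitespace and is directly
# followed by '='. An escaped '\=' inside a value can never match, because the
# character before that '=' is a backslash, which is not a key character.
_KEY = re.compile(r"(?:(?<=\s)|^)([\w.\-]+)=")


def _unescape(text, allowed):
    """Undo backslash escapes for characters in `allowed`; keep others as-is."""
    def repl(match):
        char = match.group(1)
        if char not in allowed:
            return match.group(0)
        return {"n": "\n", "r": "\r"}.get(char, char)
    return re.sub(r"\\(.)", repl, text, flags=re.DOTALL)


def _split_header(body):
    """Split the seven header fields on unescaped '|'; return (fields, rest)."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_KEYS):
        if body[i] == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep the pair, unescape later
            i += 2
        elif body[i] == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(body[i])
            i += 1
    if len(fields) < len(HEADER_KEYS):
        raise ValueError("incomplete CEF header")
    return fields, body[i:]


def parse_cef(line):
    """Parse one forwarded line into a dict of header fields plus 'extension'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = _split_header(line[start + 4:])
    event = {k: _unescape(v, "\\|") for k, v in zip(HEADER_KEYS, fields)}
    matches = list(_KEY.finditer(ext))
    extension = {}
    for pos, m in enumerate(matches):
        # A value runs up to the next key (or end of line); drop the separator.
        end = matches[pos + 1].start() if pos + 1 < len(matches) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].rstrip(), "\\=|nr")
    event["extension"] = extension
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE)["extension"].items():
        print(f"{key}: {value}")
```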

4.45 File Integrity Diff Data Might Be Truncated in Events Forwarded to Syslog Servers

If you configure the Change Guardian Server to forward File Integrity events to a Syslog Server, and then you modify a monitored file, the diff data in the forwarded event might be truncated if the diff data size is greater than 1 KB. The forwarded event provides a URL that allows you to view the full event and the complete file diff data in the Change Guardian Web console. (ENG335411)

4.46 Security Agent for UNIX Might Generate File Integrity Events without Diff Data

If a Security Agent for UNIX monitors for File Integrity changes, and a user modifies a monitored file, if the amount of modified data is larger than 1 KB, the generated event does not contain diff data. (ENG335309)

4.47 Events Not Generated When AD Schema Policies Created for Attributes and Class Together

Issue: When you assign Active Directory schema policies that were created for Attribute and Class schema monitoring together to the monitored assets, the AD schema events are not generated successfully. (Bug 994045)

Workaround: You must assign Active Directory schema policies separately for Attributes and Class in the Policy Editor console for successful event generation.

4.48 Assets Installed Using Security Agent for UNIX 7.4 Cannot Communicate with Change Guardian 4.2.1 and Later

Issue: Security Agent for UNIX 7.4 is unable to communicate with the Change Guardian 4.2 SP 1 server because the agent uses RC4 ciphers for communication. (Bug 991409)

Workaround: If you have Change Guardian 4.2 SP 1, perform the following steps before you upgrade Security Agent for UNIX 7.4 agents:

WARNING: Performing this workaround overrides the fix for the Bar Mitzvah vulnerability.

  1. Log in to the Change Guardian server and open the /opt/netiq/cg/javos/javos.yml file.

  2. Uncomment the following: #supportedCipherSuites: [SSL_RSA_WITH_RC4_128_SHA].

  3. Restart the Change Guardian server by using the /opt/netiq/cg/scripts/cg_services.sh restart command.

4.49 Change Guardian Server Installation Fails on FIPS Enabled Operating System

Issue: Change Guardian server installation fails if the operating system is in FIPS mode. (Bugs 996277 and 993398)

Workaround: Perform the installation in the following sequence:

  • Install Operating System in non-FIPS mode

  • Install Change Guardian server in FIPS mode

  • Convert Operating System to FIPS mode after successful installation of Change Guardian server.

4.50 Unable to Browse File Locations And Active Directories Using Policy Editor File Browser

Issue: The following conditions occur:

  • Unable to browse to file locations within a policy.

  • Unable to browse Active Directory from within a policy. (Bug 995355)

Workaround: To enable LDAP browsing in policy editor, perform the steps mentioned in NetIQ Knowledgebase Article 7017291.

4.51 Windows Agent 4.1.1 Cannot Communicate With Change Guardian 4.2.1 Server

Issue: Windows Agent 4.1.1 cannot communicate with the Change Guardian server 4.2.1 because of weak RC4 ciphers. (Bug 995548)

Workaround: NetIQ recommends that you upgrade the Windows Agent to 4.2.1. If you are unable to upgrade immediately, perform the following steps:

  1. Remove the following RC4 ciphers from the exclusion list in the /etc/opt/novell/sentinel/3rdparty/jetty/ location:

    • <Item>SSL_RSA_WITH_RC4_128_SHA</Item>

    • <Item>SSL_RSA_WITH_RC4_128_MD5</Item>

  2. Restart Change Guardian services by running the following command:

    /opt/netiq/cg/scripts/cg_services.sh restart

4.52 Backup Directory Not Removed After Successful Restore

Issue: After a successful restore, the Change Guardian backup directory remains on the Change Guardian server. (Bug 997595)

Workaround: Although there is no impact on functionality, NetIQ recommends that you delete the directory before taking a new backup.

4.53 Restoring Data to Remote Change Guardian Server Fails

Issue: The Agent Manager Server data and configuration are not restored successfully on the secondary servers, due to certificate issues. However, restoration on the primary server is successful. (Bug 999503)

Workaround: There is no workaround at this time.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

6.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2016 NetIQ Corporation. All Rights Reserved.