NetIQ Change Guardian 4.2.1 improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the NetIQ Downloads website. To download patches for this product, see the Patch Finder website.
The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:
This release certifies the following platforms:
Red Hat Enterprise Linux 6.7
SUSE Linux Enterprise Server (SLES) 11 Service Pack 4
NOTE: SLES 11 Service Pack 3 is no longer a certified platform for Change Guardian because SUSE has dropped support for SLES 11 Service Pack 3.
For information about certified platforms, see the Technical Information page.
Change Guardian 4.2 Service Pack 1 includes software fixes that resolve several previous issues.
Change Guardian now generates the following events when you are running the Change Guardian Server in FIPS mode:
Asset Registered
Asset Unregistered
(Bug 945664)
Issue: When you try to add or browse assets from child domains for Agent Manager, Change Guardian displays an LDAP Connector exception. (Bug 975044)
Fix: You can now add or browse the child domains in Agent Manager.
Issue: To register, Agent Manager points to the standalone Sentinel server, which is not the default event destination for Change Guardian 4.2 and later. The registration fails and displays the following error: Failed to register agent in 300 seconds. (Bug 967724)
Fix: Agent Manager now points to the default Change Guardian policy repository server to register Agent Manager services.
If you are running the Change Guardian Server in FIPS mode, it can now forward any events to Syslog servers in your environment. (Bug 956883)
Issue: Signature verification for the Change Guardian Agent MSI fails on the target machine during remote deployment with the Deployment Manager, or during local installation with the silent installer EXE, because the target machine cannot download the latest required root CA certificates: it has no internet connection and its CA certificates are outdated. (Bugs 975833 and 972203)
Fix: To avoid the signature verification process, manually install the agent MSI directly on the target machine under the following conditions:
When the target machine does not have access to the internet
When the Microsoft root CA certificates are outdated on the target machine
Perform the steps provided in the KB Article to install agents to computers.
The backup and restore utility supports performing backup and restore of the following new features of Change Guardian 4.2 and later:
Alert Notifications and Triage
New License Usage Report
New Monitoring Capability for Active Directory
Enhanced Integration with Active Directory
Agent Manager
(Bug 941990)
Change Guardian 4.2 SP 1 resolves the Bar Mitzvah (CVE-2015-2808) security vulnerability. (Bug 956196)
Issue: The events are missing delta information for AD schema change. The before and after information displays NA instead of the actual data.
Fix: Change Guardian now successfully generates events and displays the actual delta information for the AD schema changed events. (Bug 937902)
Issue: When you use Internet Explorer 11 or Firefox 45 to open Agent Manager in a locale other than English, the options and drop-down menus are not loaded as expected.
Fix: The Agent Manager view, drop-down menus, and options are now available as expected in Internet Explorer 11 and Firefox 45. Because Change Guardian does not support localization, Agent Manager opens in the English locale even when you use another language. (Bug 972518)
Issue: The Change Guardian server is unable to send email notifications when the STARTTLS protocol is enabled on the email server. Change Guardian displays the following error: Failed to send email com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated.
Fix: The Change Guardian email configuration now supports the STARTTLS protocol. It can now send email notifications successfully. For more information, see Adding Email Servers to Change Guardian. (Bug 977238)
The Change Guardian event information now includes the following attributes:
TargetUserDomain: Displays the domain name from event source, where the account name is unique.
TargetUserName: Displays the target user’s account name. (Bug 986263)
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.
You can upgrade to Change Guardian 4.2 SP 1 from the following previous versions:
Change Guardian 4.1 Service Pack 1 Hotfix 2
Change Guardian 4.2
Change Guardian 4.2 Hotfix 1
Change Guardian 4.2 Hotfix 2
For information about the upgrade procedure, see Upgrading Change Guardian.
IMPORTANT: You cannot use Windows Agent 4.1.1 or earlier with this release. You must upgrade the Windows Agent to version 4.2.0 or later.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: Change Guardian alert views do not display alerts that have IPv6 addresses in IP address fields. (Bug 981570)
Workaround: To view alerts with IPv6 addresses in Change Guardian, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.
The installation process does not support installing the Change Guardian Server as a non-root user. (Bug 948756)
The following issues occur if you upgrade agents in the incorrect order:
If an agent computer has both the agent and the Policy Editor installed, upgrading to Change Guardian 4.2 removes the Policy Editor from the computer. To avoid this, upgrade the Policy Editor first and then upgrade the agent. (Bug 936766)
If you upgrade the Windows agent before you upgrade the Change Guardian Server, the agent will not receive policy updates after the server upgrade. To enable the agent to receive policy updates again, restart the Change Guardian service on the agent machine. (ENG335193)
If you installed a previous version of Change Guardian in a custom location, a known issue with the installation process prevents you from upgrading to version 4.2. To upgrade to version 4.2, contact Support for assistance. (Bug 946564)
If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)
The upgrade process incorrectly displays the message Upgrading to 7.3.1.. (Bug 945259)
Change Guardian 4.1 SP 1 included an architectural change related to delta and diff storage. This change significantly improves the time required to retrieve delta and diff information. If you are upgrading from Change Guardian 4.1 or before, the delta and diff information for any pre-4.1 SP 1 events does not display after the upgrade process is complete. You can use reports to retrieve the delta and diff information for pre-4.1 SP 1 events. Change Guardian correctly displays delta and diff information for any events generated after the upgrade. (Bug 936002)
To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.
If you do not manually set the flag to 1, when you use the Registry Browser, you will receive a Could not connect to Windows Data Source error. (Bug 945225)
With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see https://support.microsoft.com/en-us/kb/951016. (Bug 918180)
The following are known issues with version 7.4 of the Security Agent for UNIX:
If the Change Guardian Server is running in FIPS mode, version 7.4 of the Security Agent for UNIX cannot register with the Change Guardian Policy Repository. (Bug 948202)
When you are creating a policy, if you browse to a Security Agent for UNIX that is version 7.4 or older, you will receive a Could not connect to UNIX Data Source error. You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the UNIX or Linux computer you want to monitor, and then use the cd and ls commands. (Bug 953718)
If you are using a version of the Security Agent for UNIX released prior to December 2015, the Policy Name and Policy ID fields on UNIX events are blank. Functionality that uses the information in these fields, such as alerts, does not work. (Bug 906274)
NOTE: These issues are fixed in Security Agent for UNIX version 7.5.
If you configure a policy to expand an Active Directory user that contains only the {} characters, and then assign the policy to an agent on a computer running Windows Server 2003, Change Guardian assigns the policy successfully but the task never arrives at the agent. (Bug 908543)
Issue: If an agent installation, upgrade, or uninstall task fails, the option to re-run the task from the Failed Tasks list does not work. (Bug 942426)
Workaround: In Agent Manager, select the asset and run the task again.
Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)
Workaround: Manually cancel the task in Agent Manager.
If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:
Include Only or Exclude Events (Bug 906981)
Managed Events (Bug 906984)
If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)
If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)
Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)
Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and ls commands.
Issue: When you enable FIPS mode on the Change Guardian Server, the connection between Agent Manager and the agent computers is lost. (Bugs 943730, 944285)
Workaround: Restart the NetIQ Client Agent Manager and NetIQ Change Guardian Agent services on each agent computer.
Issue: If you select an asset in the All Assets list, and that asset has an agent installed on it, you are prompted for the username and password for that asset. (Bug 942853)
Workaround: There is no workaround at this time.
Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the NetIQ Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the NetIQ Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)
If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)
Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)
Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.
Issue: In upgraded installations, when you search for alert attributes in the Tips table in the web interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue: When you click Select All in alert views to select alerts, deselect a few alerts, and modify them, new incoming alerts are also selected in the refreshed alert views. This results in an incorrect count of alerts selected for modification, and it also appears as if you are modifying the new incoming alerts. However, only the originally selected alerts are modified. (Bug 904830)
Workaround: No new alerts will appear in the alert view if you create the alert view with a custom time range.
Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)
Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key through the Command Line in the Administrator Guide for Sentinel.
Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)
Workaround: There is no workaround at this time.
Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)
Workaround: There is no workaround at this time.
The following Event Routing rules are visible after you upgrade from Change Guardian 4.0:
Log to File
Log to Syslog
Send Events via Sentinel Link
Send SNMP Trap
For assistance removing these Event Routing Rules, contact Support. (DOC333152)
To successfully install Change Guardian 4.2, you cannot modify the default Database Service port. (ENG333165)
Event Severity is always calculated automatically for Security Agent for UNIX events, including events generated by policies configured with a custom severity. (DOC333969)
Issue: An issue with VMware vSphere 5.5 Web Client prevents you from using it to import .ovf templates. (DOC332977)
Workaround: To import an .ovf template, you must use the VMware vSphere 5.5 Client.
Change Guardian for Active Directory requires a security event to generate a Change Guardian event. System-only object attributes in Active Directory cannot be modified manually. They can only be modified internally by Active Directory. Modifications to system-only attributes do not generate security events, so Change Guardian is unaware of these changes and cannot track them or create Change Guardian events. (ENG332134)
If you create a process policy in Change Guardian for Windows that monitors an application for Process was Terminated events, and the monitored application is open before you assign the policy to the agent, when the monitored application shuts down, the generated event does not contain the Event Message and Who sections. To ensure that the generated event contains all sections, turn off the application you want to monitor before assigning the policy to the agent. After you assign the policy to the agent, start the application again. (ENG332876)
If you configure LDAP settings for a group that contains members from a trusted domain other than the domain to which the group belongs, Change Guardian cannot expand the group members. (ENG331982)
LDAP settings do not work on Active Directory users or users of groups if the name attribute contains open or close parentheses: ( ). (ENG331896)
If you configure Change Guardian for Active Directory to monitor for Computer Demoted from DC events, and the demoted computer is running Microsoft Windows Server 2003, a Computer Demoted from DC event is not generated. (ENG332176)
If you run Change Guardian for Active Directory on a computer with the Microsoft Windows Server 2012 R2 operating system, Change Guardian for Active Directory does not generate some events. If you install Windows Update KB2911106, Change Guardian for Active Directory is able to generate all events except Active Directory Object was Renamed events. (ENG332396)
If your domain controller runs Windows Server 2012 R2, ensure that you have installed the most recent Windows updates. If the most recent Windows update you have installed is KB2887595, the computer can become unstable when the following are true:
Audit Directory Service Changes is enabled in Active Directory
An Active Directory object is renamed
(ENG332396)
Change Guardian for Windows does not capture modifications to the following types of share settings:
Management Properties
Quota
(ENG326828)
Before you upgrade the Policy Editor to the current version, ensure that you back up or submit locally saved policies to the Change Guardian Policy Repository. If you upgrade without backing up locally saved policies from version 4.0 or version 4.0.1, you will lose those policies. (DOC331358)
The Schema Attribute Modified and Schema Class Modified events from Active Directory do not support Before and After fields, and display N/A. (ENG330960)
An issue with DevExpress prevents reports from displaying some surrogate characters correctly. (ENG332580)
An issue with proxy client connections causes Change Guardian to lose the connection with the Change Guardian server when you run a Nessus scan.
Workaround: Comment out the following section in the server.xml file:
<obj-component id="ProxyService">
  <class>esecurity.ccs.comp.clientproxy.ClientProxyService</class>
  <property name="clientports">ssl:${clientproxyservice.port.client}</property>
  <property name="certclientports">ssl:${clientproxyservice.port.certclient}</property>
  <property name="keystore">${esecurity.config.home}/config/.proxyServerKeystore</property>
  <property name="certificateAlias">SentinelProxyServer</property>
</obj-component>
(ENG334480, ENG334500)
When you use the Syslog Dispatcher to forward events in Change Guardian, event attributes might contain additional backslash (\) characters to escape the following characters: \, =, and |. These extra characters are necessary to allow the event to conform to the Common Event Format (CEF) specification. To remove them, parse the events with a CEF parser. (ENG334907)
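A minimal CEF parser that removes the escaping described above, as an added example that is not NetIQ code. The sample line is constructed, and the vendor, product and extension key names in it (filePath, msg, duser, dntdom) are assumptions, since the page does not list the keys the Syslog Dispatcher emits.

```python
import re

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
KEY_START = re.compile(r"(?:^|\s)(\w+)=")   # start of each key=value pair
ESCAPE = re.compile(r"\\([\\=|nr])")        # \\  \=  \|  \n  \r


def unescape(text):
    """Undo CEF escaping; unknown backslash sequences are left untouched."""
    return ESCAPE.sub(
        lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def split_header(body):
    """Split off the seven header fields on unescaped pipes only."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_NAMES):
        if body[i] == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if body[i] == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(body[i])
        i += 1
    if len(fields) == len(HEADER_NAMES) - 1:
        fields.append("".join(current))     # no extension, no trailing pipe
    if len(fields) < len(HEADER_NAMES):
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def parse_cef(line):
    """Return (header, extension) dicts for one syslog line carrying CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = split_header(line[start + 4:].rstrip("\r\n"))
    header = {k: unescape(v) for k, v in zip(HEADER_NAMES, fields)}
    extension = {}
    keys = list(KEY_START.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        # A value runs up to the whitespace before the next unescaped key=.
        end = nxt.start() if nxt else len(ext)
        extension[m.group(1)] = unescape(ext[m.end():end])
    return header, extension


# Constructed sample line (not captured from a Change Guardian server).
SAMPLE = (r"<13>Aug  1 10:00:00 cg01 CEF:0|NetIQ|Change Guardian|4.2.1|FILE_MOD|"
          r"File modified \| content changed|5|filePath=C:\\Policies\\audit.cfg "
          r"msg=mode\=strict \| owner\=root duser=jsmith dntdom=CORP")

if __name__ == "__main__":
    header, extension = parse_cef(SAMPLE)
    print(header["name"])
    for key, value in extension.items():
        print(f"{key} = {value!r}")
```

Splitting on every pipe or equals sign without honouring the backslash would cut the header name and the msg value of the sample in the wrong places, which is why both splitters skip escape pairs before looking for a delimiter.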
If you configure the Change Guardian Server to forward File Integrity events to a Syslog Server, and then you modify a monitored file, the diff data in the forwarded event might be truncated if the diff data size is greater than 1 KB. The forwarded event provides a URL that allows you to view the full event and the complete file diff data in the Change Guardian Web console. (ENG335411)
If a Security Agent for UNIX monitors for File Integrity changes, and a user modifies a monitored file, if the amount of modified data is larger than 1 KB, the generated event does not contain diff data. (ENG335309)
Issue: When you assign Active Directory schema policies that were created for Attribute and Class schema monitoring together to the monitored assets, the AD schema events are not generated successfully. (Bug 994045)
Workaround: You must assign Active Directory schema policies separately for Attributes and Class in the Policy Editor console for successful event generation.
Issue: Security Agent for UNIX 7.4 is unable to communicate with Change Guardian 4.2 SP 1 server, because the agent uses RC4 ciphers for communication (Bug 991409).
Workaround: If you have Change Guardian 4.2 SP 1, perform the following steps before you upgrade Security Agent for UNIX 7.4 agents:
WARNING: Performing this workaround overrides the fix for the Bar Mitzvah vulnerability.
Log in to the Change Guardian server and open the /opt/netiq/cg/javos/javos.yml file.
Uncomment the following: #supportedCipherSuites: [SSL_RSA_WITH_RC4_128_SHA].
Restart the Change Guardian server by using the /opt/netiq/cg/scripts/cg_services.sh restart command.
Issue: Change Guardian server installation fails if the operating system is in FIPS mode. (Bugs 996277 and 993398)
Workaround: Perform the installation in the following sequence:
Install the operating system in non-FIPS mode.
Install the Change Guardian server in FIPS mode.
Convert the operating system to FIPS mode after successful installation of the Change Guardian server.
Issue: The following conditions occur:
Unable to browse to file locations within a policy.
Unable to browse Active Directory from within a policy. (Bug 995355)
Workaround: To enable LDAP browsing in policy editor, perform the steps mentioned in NetIQ Knowledgebase Article 7017291.
Issue: Windows Agent 4.1.1 cannot communicate with the Change Guardian server 4.2.1 because of weak RC4 ciphers (Bug 995548).
Workaround: NetIQ recommends that you upgrade the Windows Agent to 4.2.1. If you are unable to upgrade immediately, perform the following steps:
Remove the following RC4 ciphers from the exclusion list in the /etc/opt/novell/sentinel/3rdparty/jetty/ location:
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
Restart Change Guardian services by running the following command:
/opt/netiq/cg/scripts/cg_services.sh restart
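To see whether either of the two RC4 workarounds above (the javos.yml change for Security Agent for UNIX 7.4 and the Jetty exclusion-list change for Windows Agent 4.1.1) is currently in effect on a server, a check like the following can be run over the contents of the two configuration files. This is an added example, not NetIQ code; the sample file contents are constructed, and it assumes that every <Item> entry in the Jetty file belongs to the cipher exclusion list.

```python
import re

# RC4 suites named in the two workarounds above.
RC4_SUITES = ("SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5")


def javos_rc4_enabled(yml_text):
    """RC4 suites on an uncommented supportedCipherSuites line of javos.yml."""
    enabled = []
    for line in yml_text.splitlines():
        entry = line.strip()
        if entry.startswith("#"):        # commented out: workaround not applied
            continue
        m = re.match(r"supportedCipherSuites\s*:\s*\[(.*?)\]", entry)
        if m:
            suites = [s.strip().strip("'\"") for s in m.group(1).split(",")]
            enabled += [s for s in suites if "_RC4_" in s]
    return enabled


def jetty_rc4_not_excluded(xml_text):
    """RC4 suites that are missing from the <Item> exclusion entries."""
    # An <Item> inside an XML comment no longer excludes anything.
    active = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)
    excluded = set(re.findall(r"<Item>\s*([^<\s]+)\s*</Item>", active))
    return [s for s in RC4_SUITES if s not in excluded]


def audit(yml_text, xml_text):
    """One finding per place where an RC4 suite is allowed again."""
    findings = [f"javos.yml enables {s}" for s in javos_rc4_enabled(yml_text)]
    findings += [f"Jetty exclusion list does not contain {s}"
                 for s in jetty_rc4_not_excluded(xml_text)]
    return findings


# Constructed file contents: state before and after applying the workarounds.
JAVOS_DEFAULT = "#supportedCipherSuites: [SSL_RSA_WITH_RC4_128_SHA]\n"
JAVOS_WORKAROUND = "supportedCipherSuites: [SSL_RSA_WITH_RC4_128_SHA]\n"
JETTY_DEFAULT = """<Array type="java.lang.String">
  <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
  <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
</Array>"""
JETTY_WORKAROUND = """<Array type="java.lang.String">
  <!-- <Item>SSL_RSA_WITH_RC4_128_MD5</Item> -->
</Array>"""

if __name__ == "__main__":
    for finding in audit(JAVOS_WORKAROUND, JETTY_WORKAROUND):
        print(finding)
```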
Issue: After a successful restore, the Change Guardian backup directory remains on the Change Guardian server. (Bug 997595)
Workaround: Although there is no impact to the functionality, NetIQ recommends that you delete the directory before taking a new backup.
Issue: The Agent Manager Server data and configuration are not restored successfully on the secondary servers, due to certificate issues. However, restoration on the primary server is successful. (Bug 999503)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2016 NetIQ Corporation. All Rights Reserved.