NetIQ Change Guardian 5.0 improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment link at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the NetIQ Downloads website. To download patches for this product, see the Patch Finder website.
For the latest version of these release notes, see Change Guardian 5.0 Release Notes.
The following outlines the key features and functions provided by this version, as well as issues resolved in this release:
This version of Change Guardian supports monitoring functionality on the Azure Active Directory along with on-premises Active Directory. For information about the capabilities that are supported in this version of Change Guardian, see Understanding Azure Active Directory Monitoring in Change Guardian User Guide.
NOTE: During an upgrade from Change Guardian 4.2 or later to Change Guardian 5.0, ensure that you reconfigure the Windows agent to enable Azure AD monitoring.
Change Guardian 5.0 bundles the Security Agent for UNIX 7.5 SP1 installer and makes it easy to install through the Change Guardian Agent Manager. The packaging and deployment model is similar to the model for the Windows agent that was introduced in Change Guardian 4.2.
You can use UNIX Agent Manager (UAM) or Change Guardian Agent Manager (CG AM) to deploy and manage your agents. Both UAM and CG AM allow you to remotely install one or more agents. However, certain functionalities are available only in UAM or only in CG AM. Depending on your requirements, you can decide whether you need to install UAM, CG AM, or both. UAM and CG AM can coexist. For more information, see Comparison of UAM and CG AM functionalities.
Change Guardian 5.0 introduces a new Threat Response Dashboard. The Threat Response Dashboard is the main user interface for viewing and triaging alerts. Any user with permission to manage alerts can use the Threat Response Dashboard.
Change Guardian 5.0 provides enhanced user monitoring in conjunction with Directory and Resource Administrator 9.1. Together they provide an integrated solution to control, manage and monitor the Active Directory environment.
When you use DRA to make changes to Active Directory, for example, when you create a user by using a wizard in DRA, the Change Guardian server is notified and displays the actual user name, domain name, and System ID of the user who logged in to DRA to make the AD changes. For more information, see Interoperability of Directory and Resource Administrator With Change Guardian For Privileged Monitoring.
Before you upgrade Change Guardian to 5.0, you must first upgrade Directory and Resource Administrator to 9.1 or later.
When you log in to a host and make any changes to Active Directory in the domain controller machine, Change Guardian displays the IP address and the Active Directory hostname of the computer (through which you have logged in to the domain controller) in the event list on the Change Guardian web console.
The following logon types are supported:
Remote Interactive logon
Remote Desktop logon
For example, when you modify the Active Directory attributes from the member server, the event that is forwarded to Change Guardian web console displays the actual user name and IP address in the event list.
NOTE: If you restart the Change Guardian Windows Agent, you must restart the AD tools.
For Remote Interactive logon through domain controller, the source initiator IP address is displayed in the event list on Change Guardian web console.
To improve the security posture and avoid the known vulnerabilities in TLS 1.0, you can now disable TLSv1.0 so that Change Guardian uses a higher TLS version, such as TLSv1.1 or TLSv1.2. For more information, see Enabling Higher Versions of TLS for Communication in the NetIQ Change Guardian User Guide.
NOTE: For upgrades, TLS 1.0 is enabled to ensure backward compatibility, but it will be disabled in a future release. Therefore, ensure that you upgrade all communications to TLS 1.1 or later.
For new installations, TLS 1.0 is disabled for enhanced security. Ensure that all the components communicating with Change Guardian are configured to use TLS 1.1 or 1.2.
Change Guardian bundles a newer version of OpenSSL to support new protocols and address known vulnerabilities.
There are several updates to the Change Guardian certified platforms.
For more information about the certified platforms, see the Technical Information for Change Guardian web page.
Change Guardian is now certified on the following platforms:
Traditional installation: Red Hat Enterprise Linux Server (RHEL) 6.8 64-bit
VMware ESX 6.0
VMware ESX 6.5
Hyper-V Server 2016
VMware ESX 6.0
VMware ESX 6.5
Event Source: Security Agent for UNIX 7.5 SP1
Web Browser: Microsoft Edge
Red Hat Enterprise Linux Server 6.6 64-bit
Red Hat Enterprise Linux Server 6.7 64-bit
Appliance Installation: Citrix XenServer 6.5 (for both ISO and OVF)
Web Browser: Microsoft Internet Explorer 10
Data Synchronization: Microsoft SQL Server 2005
Change Guardian 5.0 includes software fixes that resolve several previous issues.
Issue: LDAP browsing displays a blank screen in the following scenarios:
Parent-child domain configuration, while browsing child domain. (Bug 984258)
Parent-child domain configuration, while browsing parent domain. (Bug 1005384)
Primary and multiple backups, if any of the computers is down. (Bug 981222 and 996346)
Fix: LDAP browsing no longer displays a blank screen, and it supports displaying more than 7000 users.
Issue: The syslog event forwarding is not working if the filter is not applied. (Bug 1008162)
Fix: Specify the filter string for seamless forwarding of syslog events.
Examples of filters: pn:"NetIQ Change Guardian" AND (sev:[0 TO 1])
pn:"NetIQ Change Guardian" AND (sev:[2 TO 5])
For more information, see the following KB articles.
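The two filter strings above partition Change Guardian events by severity so that each syslog destination forwards only its own slice. The following is an added example, not code from the product or its documentation: a small evaluator for the AND-only subset of that filter syntax (field:"quoted value" and field:[lo TO hi]) applied to constructed sample events. It assumes, as a simplification, that pn carries the product name and sev a numeric severity; the real Sentinel-style query language supports far more than this subset, and anything outside it is rejected rather than guessed at.

```python
import re

# Constructed sample events in a simplified field layout (pn = product name,
# sev = severity). Not real Change Guardian output.
SAMPLE_EVENTS = [
    {"pn": "NetIQ Change Guardian", "sev": 0, "msg": "Scheduled baseline scan completed"},
    {"pn": "NetIQ Change Guardian", "sev": 1, "msg": "Monitored file read"},
    {"pn": "NetIQ Change Guardian", "sev": 3, "msg": "AD group membership modified"},
    {"pn": "NetIQ Change Guardian", "sev": 5, "msg": "Privileged account enabled"},
    {"pn": "Other Product", "sev": 4, "msg": "Not a Change Guardian event"},
]

# The two filter strings from the release notes, one per syslog destination
# (destination names are constructed for the example).
FORWARDING_FILTERS = {
    "low-severity": 'pn:"NetIQ Change Guardian" AND (sev:[0 TO 1])',
    "high-severity": 'pn:"NetIQ Change Guardian" AND (sev:[2 TO 5])',
}

# A clause is either  field:"quoted value"  or  field:[lo TO hi]
CLAUSE_RE = re.compile(r'(\w+):(?:"([^"]*)"|\[(\d+)\s+TO\s+(\d+)\])')
# The only glue allowed between clauses in this subset: whitespace, parentheses, AND.
GLUE_RE = re.compile(r'\s|\(|\)|\bAND\b')


def parse_filter(filter_string):
    """Parse the AND-only filter subset into clauses.

    Returns a list of ("term", field, value) or ("range", field, lo, hi) tuples.
    Raises ValueError for OR, NOT, bare words or anything else outside the subset,
    so a typo in a destination filter fails loudly instead of silently dropping events.
    """
    if filter_string.count("(") != filter_string.count(")"):
        raise ValueError("unbalanced parentheses in filter")
    clauses, pos = [], 0
    for m in CLAUSE_RE.finditer(filter_string):
        glue = filter_string[pos:m.start()]
        if GLUE_RE.sub("", glue):
            raise ValueError("unsupported syntax near %r" % glue)
        field, quoted, lo, hi = m.groups()
        if quoted is not None:
            clauses.append(("term", field, quoted))
        else:
            clauses.append(("range", field, int(lo), int(hi)))
        pos = m.end()
    if GLUE_RE.sub("", filter_string[pos:]) or not clauses:
        raise ValueError("unsupported or empty filter")
    return clauses


def matches(clauses, event):
    """True when the event satisfies every clause (AND semantics)."""
    for clause in clauses:
        value = event.get(clause[1])
        if clause[0] == "term":
            if str(value) != clause[2]:
                return False
        else:
            if not isinstance(value, int) or not clause[2] <= value <= clause[3]:
                return False
    return True


def route_events(destinations, events):
    """Map each destination name to the messages its filter would forward."""
    parsed = {name: parse_filter(f) for name, f in destinations.items()}
    routed = {name: [] for name in destinations}
    for event in events:
        for name, clauses in parsed.items():
            if matches(clauses, event):
                routed[name].append(event["msg"])
    return routed


if __name__ == "__main__":
    for name, msgs in route_events(FORWARDING_FILTERS, SAMPLE_EVENTS).items():
        print(name, "->", msgs)
```

Running the script shows the sev 0 and 1 events going to one destination, the sev 3 and 5 events to the other, and the foreign-product event to neither; a destination with an empty or unsupported filter raises instead of matching nothing.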
Issue: The Domain Controller hostname and IP address information was displayed for all Change Guardian Active Directory events.
Fix: The actual hostname and IP address of the computer from which the changes are made are now displayed for all Change Guardian Active Directory events. (Bug 1042678)
Issue: An issue with VMware vSphere 5.5 Web Client prevents you from using it to import .ovf templates. (DOC332977)
Workaround: You can import an .ovf template by using the VMware vSphere 5.5 Client.
You no longer need to provide a user name and password when you select an asset in the All Assets list and that asset has an agent installed on it. (Bug 942853)
Due to certificate updates, the Agent Manager Server data and configuration are now restored successfully on the secondary servers. (Bug 999503)
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.
You can upgrade to Change Guardian 5.0 from Change Guardian 4.2 or later.
For information about the upgrade procedure, see Upgrading Change Guardian.
To upgrade the appliance, use the zypper command line utility because user interaction is required to complete the upgrade. WebYaST is not capable of facilitating the required user interaction. For more information about upgrading the appliance using zypper, see Upgrading the Appliance by Using zypper in the NetIQ Change Guardian User Guide. (Bug 1054209)
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: Change Guardian alert views do not display alerts that have IPv6 addresses in IP address fields. (Bug 981570)
Workaround: To view alerts with IPv6 addresses in Change Guardian, perform the steps in NetIQ Knowledgebase Article 7016555.
The installation process does not support installing the Change Guardian Server as a non-root user. (Bug 948756)
If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)
To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.
If you do not manually set the flag to 1, when you use the Registry Browser, you will receive a Could not connect to Windows Data Source error. (Bug 945225)
With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see https://support.microsoft.com/en-us/kb/951016. (Bug 918180)
Issue: If an agent installation, upgrade, or uninstall task fails, the option to re-run the task from the Failed Tasks list does not work. (Bug 942426)
Workaround: In Agent Manager, select the asset and run the task again.
Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)
Workaround: Manually cancel the task in Agent Manager.
If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:
Include Only or Exclude Events (Bug 906981)
Managed Events (Bug 906984)
If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)
If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)
Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)
Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and dir commands.
Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the NetIQ Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the NetIQ Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)
If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)
Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)
Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.
Issue: In upgraded installations, when you search for alert attributes in the Tips table in the web interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)
Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key in the Change Guardian User Guide.
Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)
Workaround: There is no workaround at this time.
Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)
Workaround: There is no workaround at this time.
To install Change Guardian 4.2 or later successfully, you must not modify the default Database Service port. (ENG333165)
Event Severity is always calculated automatically for Security Agent for UNIX events, including events generated by policies configured with a custom severity. (DOC333969)
When you use the Syslog Dispatcher to forward events in Change Guardian, event attributes might contain additional backslash (\) characters to escape the following characters: \, =, and |. These extra characters are necessary to allow the event to conform to the Common Event Format (CEF) specification. To remove them, parse the events with a CEF parser. (ENG334907)
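The note above says the extra backslashes are CEF escaping and that a CEF parser removes them. The following is an added example, not code from Change Guardian or its documentation: a minimal CEF parser that splits the seven pipe-delimited header fields while honouring \|, then reads the key=value extension while honouring \= and \\ in values, and finally resolves the escapes. The sample record is constructed for the example in the shape of a forwarded event; its field names (fname, msg, src, dvchost) are standard CEF extension keys, not a claim about which keys Change Guardian emits.

```python
# Constructed sample record (not captured from a real system). It contains
# an escaped '|' in the Name header field, escaped '=' and '\' in extension values.
SAMPLE_CEF = (
    r"CEF:0|NetIQ|Change Guardian|5.0|FileModified|File Integrity\|Modified|5|"
    r"fname=C:\\Windows\\System32\\drivers\\etc\\hosts "
    r"msg=attribute sAMAccountName\=jdoe changed by svc\\deploy "
    r"src=10.0.0.5 dvchost=dc01.example.test"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def unescape(text):
    r"""Resolve CEF backslash escapes: \\ -> \, \= -> =, \| -> |, plus \n and \r."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def split_header(record):
    """Split the 7 pipe-delimited header fields, skipping escaped '\\|'.

    Returns (raw_fields, extension_text); escapes in the fields are left for unescape().
    """
    fields, current, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            current.append(record[i:i + 2])   # keep the escape pair intact for now
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, record[i:]


def _first_unescaped_eq(word):
    """Index of the first '=' not preceded by a backslash, or -1."""
    i = 0
    while i < len(word):
        if word[i] == "\\":
            i += 2
            continue
        if word[i] == "=":
            return i
        i += 1
    return -1


def parse_extension(extension):
    """Parse 'key=value key2=value with spaces' into a dict with escapes resolved.

    A word starts a new pair only if it contains an unescaped '=', so values
    containing spaces or '\\=' are kept whole.
    """
    pairs, key, value_words = {}, None, []
    for word in extension.split(" "):
        eq = _first_unescaped_eq(word)
        if eq > 0:
            if key is not None:
                pairs[key] = unescape(" ".join(value_words))
            key, value_words = word[:eq], [word[eq + 1:]]
        elif key is not None:
            value_words.append(word)
        # words before the first key are malformed and ignored
    if key is not None:
        pairs[key] = unescape(" ".join(value_words))
    return pairs


def parse_cef(record):
    """Parse one CEF record into header fields plus an 'extensions' dict."""
    fields, extension = split_header(record)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields[0] = fields[0][len("CEF:"):]
    event = dict(zip(HEADER_FIELDS, (unescape(f) for f in fields)))
    event["extensions"] = parse_extension(extension)
    return event


if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE_CEF).items():
        print("%-15s %r" % (k, v))
```

The parser deliberately resolves escapes only after the structural split: unescaping first would turn \| back into a field separator and \= into a key boundary, which is exactly the corruption the extra backslashes exist to prevent.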
If you configure the Change Guardian Server to forward File Integrity events to a Syslog Server, and then you modify a monitored file, the diff data in the forwarded event might be truncated if the diff data size is greater than 1 KB. The forwarded event provides a URL that allows you to view the full event and the complete file diff data in the Change Guardian Web console. (ENG335411)
Issue: When you assign the Active Directory schema policies created for Attribute and Class schema monitoring together to the monitored assets, the AD schema events are not generated. (Bug 994045)
Workaround: Assign the Active Directory schema policies for Attributes and for Class separately in the Policy Editor console so that the events are generated.
Issue: The following problems occur:
Unable to browse to file locations within a policy.
Unable to browse Active Directory from within a policy. (Bug 995355)
Workaround: To enable LDAP browsing in the Policy Editor, perform the steps in NetIQ Knowledgebase Article 7017291.
Issue: After a successful restore, the Change Guardian backup directory remains on the Change Guardian server. (Bug 997595)
Workaround: Although there is no impact on functionality, NetIQ recommends that you delete the directory before taking a new backup.
Issue: When you launch Agent Manager in Internet Explorer and add an asset, the newly added asset does not appear in the Explorer until you refresh manually. (Bug 992655)
Workaround: Complete the following setting changes in IE browser each time you launch the Agent Manager:
Go to> .
In thetab, click button under the space.
In thewindow, select the radio button and click .
In thewindow, click to save the setting.
Issue: When you have Security Agent for UNIX 7.5 with Sentinel and SCM and you want to install Change Guardian 5.0, Change Guardian 5.0 cannot manage the 7.5 agents because of a profile mismatch. (Bug 1056377)
Workaround: Upgrade your agents to 7.5 SP1 or later using UAM.
Change Guardian is unable to generate events from Azure Active Directory for the following events and attributes:
Create Group Settings
Update Group Settings
Delete Group Settings
Set group managed by
Is Membership Rule Locked
Well Known Object
Update User Credentials
Set Force Change User Password
Set License Properties
Alternative Security Id
MS Exchange Remote Recipient Type
Preferred Data Location
NOTE: Change Guardian does not support the following:
Consolidating multiple events into a single event for Update user and Update group events.
Monitoring the managed groups.
The following are known issues when DRA coexists with Change Guardian:
Change Guardian events do not display the actual user name in the following scenarios:
When you define the Computer Account Enabled or Disabled, or User Account Unlock policies.
When you modify the Group scope or Group Type.
When you change the remote access permission in the Dial In tab in DRA, two modification events are generated. The event shows User-Parameters in the delta.
Change Guardian events do not display the actual user name when you make changes in the following tabs in DRA:
Member of tab
Terminal Services tab
Dial in tab
Call back tab
The following are known issues with removable media audit events:
Auditing a USB thumb drive works and delivers events as expected. When you plug in a USB hard drive, the policy does not trigger any events.
For Windows, there are removable media policies that provide events for Device Attached, Device Detached, File Read, Write, and Delete actions. For UNIX computers, there are no policies for removable media auditing.
(Bug 1031419 and 1044959)
Issue: With the new platform support in the Change Guardian 5.0 release, the following message appears during installation:
su: ignoring --preserve-environment, it's mutually exclusive with --login
Workaround: You can safely ignore this message. There is no functional impact. (Bug 1044685)
Issue: AD authentication to an SSL-enabled asset fails when you use Agent Manager to add an asset that has LDAP Require signing enabled.
Workaround: Perform the following steps:
Enable TLS 1.1 or TLS 1.2 on your SSL enabled AD machine by adding the appropriate registry keys.
Add the client certificate of your SSL enabled AD machine to the root keystore in the Change Guardian server.
To add the client certificate to the root keystore, go to /opt/novell/sentinel/jdk/jre/lib/security and perform the following steps:
Copy the client certificate.
Run the command: /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias ourCA -file <client certificate> -keystore cacerts
When prompted, specify the password as changeit.
When prompted with Trust this certificate?, specify yes. (Bug 983410)
Issue: Change Guardian server installation fails if the operating system is in FIPS mode. (Bug 996277 and 993398)
Workaround: Perform the installation in the following sequence:
Install the operating system in non-FIPS mode.
Install the Change Guardian server in FIPS mode.
Convert the operating system to FIPS mode after the Change Guardian server is installed successfully.
Issue: Change Guardian alert views do not display alerts when the operating system is in FIPS mode. (Bug 1052197)
Workaround: There is no workaround at this time.
Issue: When you upgrade Change Guardian to 5.0 and change the keystore database password to one that contains certain special characters, the following exception appears: Failed to initialize Communicator
Issue: You will not be able to change the password of the existing email configurations. (Bug 1058048)
Workaround: If you change your email password, you must perform the following steps to receive email notifications:
Issue: A workaround in the User Guide > Troubleshooting section suggests installing Change Guardian on SLES 12 SP4 and Red Hat Enterprise Linux 7.3, which are not certified platforms. This incorrect reference appears only in the documentation shipped with the Change Guardian installation files.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.