Change Guardian 5.1 Release Notes

July 2018

Change Guardian 5.1 includes new features, improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the Micro Focus Downloads website. To download patches for this product, see the Patch Finder website.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Support for NetApp Storage Monitoring

Storage solutions such as NetApp store large amounts of data and can therefore generate a large volume of audit events. Change Guardian now supports monitoring NetApp Storage. Change Guardian’s policy-based monitoring capability can help you monitor and get alerts for changes to the most important and critical files and folders on NetApp Storage.

Change Guardian supports both CIFS (Common Internet File System) and NFS (Network File System) protocols for monitoring NetApp. You must use Security Agent for Unix 7.6 or later and also enable native auditing on NetApp shares to be monitored.

For more information, see Monitoring NetApp Storage in the Change Guardian User Guide.

1.2 New Configurations for Alert Rules

Change Guardian now allows you to create alert rule definitions based on important event fields. In addition to creating an alert definition for a specific policy, you can now define additional alert rule conditions based on the event name, event severity, users, and host event fields. These additional conditions give you more granular control of alert definitions so that alerts are generated for the most important events.

For more information, see Managing Alert Rules in the Change Guardian User Guide.

1.3 Extension of Support for Azure Active Directory Monitoring

This version of Change Guardian includes several enhancements to Azure Active Directory Monitoring:

  • Change in Microsoft API: Microsoft has deprecated the APIs used for Azure monitoring in Change Guardian 5.0. Therefore, you must use Change Guardian 5.1 or later to monitor Azure Active Directory.

  • Support for Role events: Change Guardian now supports monitoring Role events in Azure AD, in addition to monitoring user and group events. For example, you can now monitor events for membership changes to roles, application role modifications for users and groups, and so on.

  • Change Monitoring for Additional Attributes: Change Guardian can monitor Azure Active Directory events for changes to a few additional parameters for users and groups.

For more information, see Understanding Azure Active Directory Monitoring in the Change Guardian User Guide.

1.4 Enrichment of Change Guardian Events with DRA Information

This version of Change Guardian enriches events by displaying DRA strings in the Change Guardian event InitiatorServiceName field for the Active Directory events generated by Directory Resource Administrator (DRA). Change Guardian also populates the DRA Transaction ID into the Change Guardian event field. This makes it easy to view and filter the events generated by DRA.

Change Guardian now enriches additional information for Active Directory events, when the event is initiated by Directory Resource Administrator (DRA). This is done by populating the following additional fields in the Change Guardian event:

  • InitiatorServiceName field is populated as DRA

  • InitiatorServiceTransactionID is populated with DRA event transaction ID.

The above fields help you to retrieve and filter the events generated by DRA.

For more information, see Interoperability of Directory and Resource Administrator With Change Guardian For Privileged Monitoring in the Change Guardian User Guide.

To use the DRA integration capability, you must use Directory Resource Administrator 9.0 and later.

1.5 Change Guardian in SLES12 SP3 Appliance

Fresh installations of the Change Guardian appliance include the SLES 12 SP3 operating system. The new appliance also provides a simple Web-based user interface that helps you to configure and manage the appliance. It replaces the existing WebYast functionality.

Change Guardian includes open-vm-tools out-of-the-box in the SLES 12 SP3 appliance, which enhances the performance of virtual machines and allows better management of guests on the host server. For more information about open-vm-tools, see open-vm-tools documentation.

In upgrade installations of Change Guardian, you can choose to either upgrade Change Guardian without upgrading the SLES operating system or upgrade both Change Guardian and the SLES operating system. Since Change Guardian 5.1 appliance now includes SLES 12 SP3, the SLES 11 updates channel is now deprecated and will be removed when SUSE ends general support for SLES 11. Therefore, it is recommended that you upgrade the operating system to SLES 12 SP3 to continue receiving operating system updates and also leverage open-vm-tools.

For more information, see the Change Guardian User Guide.

1.6 Updates to Certified Platforms

There are several updates to the Change Guardian certified platforms.

For updated information about the certified platforms, see the Technical Information for Change Guardian web page.

New Certified Platforms

Change Guardian is now certified on the following platforms:

Server Installation:

  • SUSE Linux Enterprise Server 12 SP3 64-bit (traditional and appliance installation)

  • Red Hat Enterprise Linux Server 7.5 64-bit (traditional installation)

  • Red Hat Enterprise Linux Server 7.4 64-bit (traditional installation)

  • Red Hat Enterprise Linux Server 6.9 64-bit (traditional installation)

Windows Agent: Microsoft Windows 8.1

Event Source: Security Agent for UNIX 7.6

Deprecated Platforms

Windows Agent: Windows 8 (32-bit and 64-bit)

Policy Editor: Windows 8 (32-bit and 64-bit)

Appliance Update Channel: SLES 11 SP4

1.7 Software Fixes

Change Guardian 5.1 includes software fixes that resolve several previous issues.

Change Guardian Server Becomes Slow and Eventually Unresponsive

Issue: When there are several hprof files that are 10 GB or more in size, the Change Guardian server becomes slow and unresponsive. (Bug 1010549)

Fix: The Change Guardian server can now handle hprof files that are large in size.

Change Guardian Services Do Not Start After a Reconfiguration or Upgrade.

Change Guardian services restart after you reconfigure or upgrade Change Guardian. (Bug 1079888)

Policy Created with AdminSDHolder Permissions Modified Template Does not Trigger Events If You Modify Permissions.

The policy template definitions are now modified to trigger events if permissions are modified. (Bug 1067894)

Cannot View Alerts with IPv6 Data in Alert Views

Issue: Change Guardian alert views do not display alerts that have IPv6 addresses in IP address fields. (Bugs 981570 and 977263)

Fix: Alert Views and Alert dashboards now display alerts that have IPv6 addresses in IP address fields.

Active Directory Events Not Triggering Consistently on All Active Directory Servers

Active Directory events trigger consistently across all Active Directory servers. (Bug 1099225)

HTTP ERROR 500 After Upgrading to Change Guardian 5.0

Issue: Unable to log in to Change Guardian after upgrading the appliance from 4.2.1 to 5.0 using Zypper. (Bug 1068252)

Fix: You can now log in to Change Guardian successfully.

Unable to Change the Password of Existing Email Configurations in Policy Editor

You can now change the password of the email configuration in Policy Editor. (Bug 1058048)

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.

3.0 Installing Change Guardian 5.1

For information about installing Change Guardian 5.1, see the Change Guardian User Guide.

4.0 Upgrading to Change Guardian 5.1

You can upgrade to Change Guardian 5.1 from Change Guardian 5.0. If you are on an earlier version, you must first upgrade to 5.0 and then upgrade to 5.1.

For information about the upgrade procedure, see Upgrading Change Guardian in the Change Guardian User Guide.

5.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Usability Issues in the Appliance Installation Screens

Issue: The Next and Back buttons in the appliance installation screens do not appear or are disabled in some cases, such as the following:

  • When you click Back from the Change Guardian precheck screen to edit or review the information in the Sentinel Server Appliance Network Settings screen, there is no Next button to proceed with the installation. The Configure button allows you to only edit the specified information.

  • If you have specified incorrect network settings, the Change Guardian Precheck screen indicates that you cannot proceed with the installation due to incorrect network information. There is no Back button to go to the previous screen to modify the network settings.

(Bug 1089063)

Workaround: Restart the appliance installation.

5.2 Alert Visualization Dashboard does not Work on Restart of Change Guardian on RHEL 6

Issue: On RHEL 6, restarting Change Guardian services causes Elasticsearch to fail with the error: unable to install syscall filter. (Bug 981570)

Workaround: Perform the following:

  1. Log in to the Change Guardian server as the novell user.

  2. Open the /etc/opt/novell/sentinel/3rdparty/elasticsearch/elasticsearch.yml file.

  3. Set the value of bootstrap.system_call_filter to false.

  4. Restart Change Guardian services.
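
Steps 2 and 3 of this workaround as an idempotent shell function. This is an added example, not part of the original release notes and not a Change Guardian tool; the function name set_system_call_filter_false and the .bak backup suffix are assumptions. Restarting the services (step 4) is left to the operator.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Change Guardian).
# Setting bootstrap.system_call_filter to false stops Elasticsearch from
# installing its system call filter (seccomp on Linux) at startup, which is
# the step that fails on RHEL 6 in the issue above.

ES_YML_DEFAULT=/etc/opt/novell/sentinel/3rdparty/elasticsearch/elasticsearch.yml

set_system_call_filter_false() {
    yml="${1:-$ES_YML_DEFAULT}"

    [ -f "$yml" ] || { echo "not found: $yml" >&2; return 1; }

    tmp="$yml.tmp.$$"

    # Build the desired file content:
    #  - the first active (uncommented) setting of the key becomes "false"
    #  - any further active duplicates are dropped (duplicate YAML keys are invalid)
    #  - commented-out lines are left as they are
    #  - if the key is absent, it is appended at the end
    awk '
        /^[ \t]*bootstrap\.system_call_filter[ \t]*:/ {
            if (!done) { print "bootstrap.system_call_filter: false"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "bootstrap.system_call_filter: false" }
    ' "$yml" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Already in the desired state: change nothing, keep any earlier backup.
    if cmp -s "$tmp" "$yml"; then
        rm -f "$tmp"
        return 0
    fi

    # Keep the original for rollback, then overwrite in place so the file's
    # owner and mode are preserved.
    cp -p "$yml" "$yml.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$yml" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}
```

Called with no argument, the function edits the file named in step 2; pass another path to try it on a copy first.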

5.3 Upgrade Process Fails if You Renamed the .msi Package for the Original Installation

If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)

5.4 Manual Configuration Required to Use Registry Browser

To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.

If you do not manually set the flag to 1, when you use the Registry Browser, you will receive a Could not connect to Windows Data Source error. (Bug 945225)

5.5 Local Users in Administrator Group Cannot Deploy Agents to Windows Computers

With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see https://support.microsoft.com/en-us/kb/951016. (Bug 918180)

5.6 Asset Tasks Remain 'In Progress' Indefinitely

Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)

Workaround: Manually cancel the task in Agent Manager.

5.7 Issues Monitoring DNS Configuration Changes

If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:

  • Include Only or Exclude Events (Bug 906981)

  • Managed Events (Bug 906984)

5.8 Issue Monitoring Local User and Groups Privilege Events

If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)

5.9 Internal Audit Events Go Only to Primary Event Destination in FIPS Mode

If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)

5.10 Change Guardian Server Cannot Connect to Data Sources in FIPS Mode

Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)

Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and dir commands.

5.11 Deleting an Asset with Agent Manager Does Not Delete All Components

Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)

5.12 Issue with Privileges for Local Users and Groups Prevents Change Guardian from Generating an Event

If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)

5.13 Manually Uninstalling an Agent Does Not Remove the Agent's Version Details from Agent Manager

Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)

Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.

5.14 Change Guardian Web Console is Blank if the License is Expired

Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)

Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key in the Change Guardian User Guide.

5.15 Change Guardian Cannot Retrieve Events Related to Users Logging On or Off a Domain Controller

Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)

Workaround: There is no workaround at this time.

5.16 Active Directory Does Not Synchronize New User if the Account Name is the Same as a Deleted User

Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)

Workaround: There is no workaround at this time.

5.17 Default Database Service Port Must Be Used for Change Guardian Server

To successfully install Change Guardian 4.2 or later, you cannot modify the default Database Service port. (ENG333165)

5.18 Issues with Azure Active Directory For Change Guardian

Change Guardian does not receive necessary information to generate or populate the following:

  • Groups: Create, Update, Delete Settings and Set group managed by.

  • Group Attributes: Classification, DirSyncEnabled, Is Membership Rule Locked, Is Public, Mail, Proxy Address and Well Known Object.

  • User Events: Update User Credentials, Set Force Change User Password, Set License Properties, Add role from template, Add scoped member to role, Remove scoped member from role and Update role.

  • User Attributes: Alternative Security Id, Invite Resources, MS Exchange Remote Recipient Type and Preferred Data Location.

NOTE: Change Guardian does not support the following:

  • Consolidating multiple events into a single event for Update User and Update Group event types.

  • Monitoring managed groups.

5.19 Issues with DRA Coexisting with Change Guardian

The following are a few issues with DRA coexisting with Change Guardian:

  • Change Guardian events do not display the actual user name in the following scenarios:

    • When you make any modifications in the Group scope or Group Type.

    • When you make changes to the remote access permission in the Dial In tab in DRA, two modification events are populated. The event shows User-Parameters in the delta.

  • Change Guardian events do not display the actual user name, when you make changes in the following tabs in DRA:

    • Account tab

    • Password tab

    • Member of tab

    • Terminal Services tab

    • Dial in tab

    • Call back tab

5.20 Issue With Removable Media Audit Events

The following are the issues with the removable media audit events:

  • When you audit a USB thumb drive, it works and delivers events as expected. When you plug in a USB hard drive, the policy does not trigger any events.

  • For Windows, there are policies for removable media where you can get events for Device Attached, Device Detached, File Read, Write and Delete actions. For UNIX computers, there are no policies for removable media auditing.

    (Bugs 1031419 and 1044959)

5.21 AD Authentication Fails when ‘LDAP Require Signing’ Is Enabled for an Asset Supporting SSL Protocol

Issue: AD authentication on an SSL-supported asset fails when you use Agent Manager to add an asset that has LDAP Require Signing enabled.

Workaround: Perform the following steps:

  1. Enable TLS 1.1 or TLS 1.2 on your SSL-enabled AD machine by adding the appropriate registry keys.

  2. Add the client certificate of your SSL-enabled AD machine to the root keystore in the Change Guardian server.

  3. To add the client certificate to the root keystore, go to /opt/novell/sentinel/jdk/jre/lib/security and perform the following steps:

    1. Copy the client certificate.

    2. Run the following command: /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias ourCA -file <client certificate> -keystore cacerts

  4. When prompted, specify the password as changeit.

  5. When prompted, specify yes for Trust this certificate?. (Bug 983410)

5.22 Exception After Changing Keystore Password With Specific Special Characters

Issue: When you upgrade Change Guardian to 5.0 and change the keystore database password to one that consists of specific special characters, you see the following exception: Failed to initialize Communicator

(Bug 1055428)

6.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2018 NetIQ Corporation. All Rights Reserved.