Change Guardian 5.1.1 includes new platforms, library updates and resolves certain previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click Change Guardian Documentation page. To download this product, see the Micro Focus Downloads website. To download patches for this product, see the Patch Finder website.at the bottom of any page in the HTML version of the documentation posted at the
The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:
Change Guardian now replaces Oracle JDK with Azul Zulu OpenJDK, an open source alternative. This change does not have any functional impact. However, Micro Focus will no longer provide additional Oracle JDK updates for Security Agent for UNIX. Therefore, if there are security vulnerabilities or other bugs related to Oracle JDK, the primary solution is to upgrade to Change Guardian 5.1.1 or later.
A new permission,added, allows users to send events and attachments to the server. Ensure user accounts associated with an added event destination have permissions to send events and attachments. Also a new role added, Event Dispatcher, can only send events and attachments.
When you upgrade to Change Guardian 5.1.1, Change Guardian automatically assigns this permission to users in the Administrator role.
WARNING:If a non-administrator user sent events and attachments earlier, you must manually assign the new permission to such user, after upgrade to Change Guardian 5.1.1 to be able to continue to forward events to the server.
For more information, see Upgrading Change Guardian.
Change Guardian is now certified on the following platforms:
Server Installation: Red Hat Enterprise Linux Server (RHEL) 6.10 (64-bit)
Event Source: Security Agent for UNIX 7.6.1
Change Guardian 5.1.1 includes software fixes that resolve certain previous issues.
Issue: Certain special characters in password cause authentication failures.(Bug 1121512)
Fix: Passwords now support special characters and such authentication failures do not occur.
Fix: Policy Editor loads successfully when you enter your password; auto login is no longer available. (Bug 941549)
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.
You can upgrade to Change Guardian 5.1.1 from Change Guardian 5.1. If you are on an earlier version, you must first upgrade to 5.1 and then 5.1.1. Also, ensure you manually assign the new permission to users who must forward events to the server, after you upgrade to Change Guardian 5.1.1
For more information, see Upgrading Change Guardian.
Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: On RHEL 6 restarting Change Guardian services causes Elasticsearch to fail with the error: unable to install syscall filter.(Bug 1092421)
Workaround: Perform the following:
Log in to the Change Guardian server and switch to novell user.
Open the /etc/opt/novell/sentinel/3rdparty/elasticsearch/elasticsearch.yml file.
Set the value of bootstrap.system_call_filter to false.
Restart Change Guardian services.
If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)
With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see https://support.microsoft.com/en-us/kb/951016. (Bug 918180)
Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)
Workaround: Manually cancel the task in Agent Manager.
If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:
Include Only or Exclude Events (Bug 906981)
Managed Events (Bug 906984)
If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)
If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)
Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)
Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and dir commands.
Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)
If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)
Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)
Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.
Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)
Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key in the Change Guardian User Guide.
Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)
Workaround: There is no workaround at this time.
Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)
Workaround: There is no workaround at this time.
To successfully install Change Guardian 4.2 or later, you cannot modify the default Database Service port. (ENG333165)
Change Guardian does not receive necessary information to generate or populate the following:
Groups: Create, Update, Delete Settings and Set group managed by.
Group Attributes: Classification, DirSyncEnabled, Is Membership Rule Locked, Is Public, Mail, Proxy Address and Well Known Object.
User Events: Update User Credentials, Set Force Change User Password, Set License Properties, Add role from template, Add scoped member to role, Remove scoped member from role and Update role.
User Attributes: Alternative Security Id, Invite Resources, MS Exchange Remote Recipient Type and Preferred Data Location.
NOTE:Change Guardian does not support the following:
Consolidating multiple events into a single event for Update User and Update Group event types.
Monitoring managed groups.
Following are few issues with the DRA coexisting with Change Guardian:
Change Guardian events does not display the actual user name in the following scenarios:
When you make any modifications in the Group scope or Group Type.
When you make changes to the remote access permission in Dial In tab in DRA, two modification events are populated.The event shows User-Parameters in the delta.
Change Guardian events do not display the actual user name, when you make changes in the following tabs in DRA:
Member of tab
Terminal Services tab
Dial in tab
Call back tab
Following are the issues with the removable media audit events:
When you audit a USB thumb drive it works and delivers events as expected. When you plug in a USB hard drive the policy does not trigger any events.
For windows, there are policies for removable media where you can get events for Device Attached, Device Detached, File Read, Write and Delete actions. For UNIX computers there are no policies for the removable media auditing.
(Bug 1031419 and 1044959)
Issue: AD Authentication on SSL supported asset fails when you use the Agent Manager to add asset that has LDAP Require signing enabled.
Workaround: Perform the following steps:
Enable TLS 1.1 or TLS 1.2 on your SSL enabled AD machine by adding the appropriate registry keys.
Add the client certificate of your SSL enabled AD machine to the root keystore in the Change Guardian server.
To add client certificate to root keystore, go to /opt/novell/sentinel/jdk/jre/lib/security and perform the following steps
Copy the client certificate.
Run the command - /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias ourCA -file <client certificate> -keystore cacerts.
When prompted, specify the appropriate password.
When prompted, specify yes for Trust this certificate?.(Bug 983410)
Issue: When you upgrade Change Guardian to 5.0, change the keystore database password which consist of specific special characters, you will see the following exception: Failed to initialize Communicator
Enter the path of the file or directory you want to monitor manually, instead of browsing, to avoid this error.(Bug 1126213)
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
© Copyright 2019 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/about/legal/