Change Guardian 5.1.1 Release Notes

February 2019

Change Guardian 5.1.1 includes new platforms, library updates and resolves certain previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the Micro Focus Downloads website. To download patches for this product, see the Patch Finder website.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Open JDK

Change Guardian now replaces Oracle JDK with Azul Zulu OpenJDK, an open source alternative. This change does not have any functional impact. However, Micro Focus will no longer provide additional Oracle JDK updates for Security Agent for UNIX. Therefore, if there are security vulnerabilities or other bugs related to Oracle JDK, the primary solution is to upgrade to Change Guardian 5.1.1 or later.

1.2 Enhanced Security to Send Events and Attachments

A new permission, Send events and attachments added, allows users to send events and attachments to the server. Ensure user accounts associated with an added event destination have permissions to send events and attachments. Also a new role added, Event Dispatcher, can only send events and attachments.

When you upgrade to Change Guardian 5.1.1, Change Guardian automatically assigns this permission to users in the Administrator role.

WARNING:If a non-administrator user sent events and attachments earlier, you must manually assign the new permission to such user, after upgrade to Change Guardian 5.1.1 to be able to continue to forward events to the server.

For more information, see Upgrading Change Guardian.

1.3 New Certified Platforms

Change Guardian is now certified on the following platforms:

  • Server Installation: Red Hat Enterprise Linux Server (RHEL) 6.10 (64-bit)

  • Event Source: Security Agent for UNIX 7.6.1

1.4 Software Fixes

Change Guardian 5.1.1 includes software fixes that resolve certain previous issues.

Windows agent fails to install when password has special characters.

Issue: Certain special characters in password cause authentication failures.(Bug 1121512)

Fix: Passwords now support special characters and such authentication failures do not occur.

Policy Editor does not launch as IQCDWrapper.DLL fails to load

Fix: Policy Editor loads successfully when you enter your password; auto login is no longer available. (Bug 941549)

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.

3.0 Upgrading to Change Guardian 5.1.1

You can upgrade to Change Guardian 5.1.1 from Change Guardian 5.1. If you are on an earlier version, you must first upgrade to 5.1 and then 5.1.1. Also, ensure you manually assign the new permission to users who must forward events to the server, after you upgrade to Change Guardian 5.1.1

For more information, see Upgrading Change Guardian.

4.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 Alert Visualization Dashboard does not Work on Restart of Change Guardian on RHEL 6

Issue: On RHEL 6 restarting Change Guardian services causes Elasticsearch to fail with the error: unable to install syscall filter.(Bug 1092421)

Workaround: Perform the following:

  1. Log in to the Change Guardian server and switch to novell user.

  2. Open the /etc/opt/novell/sentinel/3rdparty/elasticsearch/elasticsearch.yml file.

  3. Set the value of bootstrap.system_call_filter to false.

  4. Restart Change Guardian services.

4.2 Upgrade Process Fails if You Renamed the.msi Package for the Original Installation

If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)

4.3 Local Users in Administrator Group Cannot Deploy Agents to Windows Computers

With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see (Bug 918180)

4.4 Asset Tasks Remain 'In Progress' Indefinitely

Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)

Workaround: Manually cancel the task in Agent Manager.

4.5 Issues Monitoring DNS Configuration Changes

If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:

  • Include Only or Exclude Events (Bug 906981)

  • Managed Events (Bug 906984)

4.6 Issue Monitoring Local User and Groups Privilege Events

If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)

4.7 Internal Audit Events Go Only to Primary Event Destination in FIPS Mode

If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)

4.8 Change Guardian Server Cannot Connect to Data Sources in FIPS Mode

Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)

Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and dir commands.

4.9 Deleting an Asset with Agent Manager Does Not Delete All Components

Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)

4.10 Issue with Privileges for Local Users and Groups Prevents Change Guardian from Generating an Event

If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)

4.11 Manually Uninstalling an Agent Does Not Remove the Agent's Version Details from Agent Manager

Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)

Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.

4.12 Change Guardian Web Console is Blank if the License is Expired

Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)

Workaround: Add the license through the command line by using the script. For more information, see Adding a License Key in the Change Guardian User Guide.

4.13 Change Guardian Cannot Retrieve Events Related to Users Logging On or Off a Domain Controller

Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)

Workaround: There is no workaround at this time.

4.14 Active Directory Does Not Synchronize New User if the Account Name is the Same as a Deleted User

Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)

Workaround: There is no workaround at this time.

4.15 Default Database Service Port Must Be Used for Change Guardian Server

To successfully install Change Guardian 4.2 or later, you cannot modify the default Database Service port. (ENG333165)

4.16 Issues with Azure Active Directory For Change Guardian

Change Guardian does not receive necessary information to generate or populate the following:

  • Groups: Create, Update, Delete Settings and Set group managed by.

  • Group Attributes: Classification, DirSyncEnabled, Is Membership Rule Locked, Is Public, Mail, Proxy Address and Well Known Object.

  • User Events: Update User Credentials, Set Force Change User Password, Set License Properties, Add role from template, Add scoped member to role, Remove scoped member from role and Update role.

  • User Attributes: Alternative Security Id, Invite Resources, MS Exchange Remote Recipient Type and Preferred Data Location.

NOTE:Change Guardian does not support the following:

  • Consolidating multiple events into a single event for Update User and Update Group event types.

  • Monitoring managed groups.

4.17 Issues with DRA Coexisting with Change Guardian

Following are few issues with the DRA coexisting with Change Guardian:

  • Change Guardian events does not display the actual user name in the following scenarios:

    • When you make any modifications in the Group scope or Group Type.

    • When you make changes to the remote access permission in Dial In tab in DRA, two modification events are populated.The event shows User-Parameters in the delta.

  • Change Guardian events do not display the actual user name, when you make changes in the following tabs in DRA:

    • Account tab

    • Password tab

    • Member of tab

    • Terminal Services tab

    • Dial in tab

    • Call back tab

4.18 Issue With Removable Media Audit Events

Following are the issues with the removable media audit events:

  • When you audit a USB thumb drive it works and delivers events as expected. When you plug in a USB hard drive the policy does not trigger any events.

  • For windows, there are policies for removable media where you can get events for Device Attached, Device Detached, File Read, Write and Delete actions. For UNIX computers there are no policies for the removable media auditing.

    (Bug 1031419 and 1044959)

4.19 AD Authentication Fails when ‘LDAP Require Signing’ Is Enabled for an Asset Supporting SSL Protocol

Issue: AD Authentication on SSL supported asset fails when you use the Agent Manager to add asset that has LDAP Require signing enabled.

Workaround: Perform the following steps:

  1. Enable TLS 1.1 or TLS 1.2 on your SSL enabled AD machine by adding the appropriate registry keys.

  2. Add the client certificate of your SSL enabled AD machine to the root keystore in the Change Guardian server.

  3. To add client certificate to root keystore, go to /opt/novell/sentinel/jdk/jre/lib/security and perform the following steps

    1. Copy the client certificate.

    2. Run the command - /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias ourCA -file <client certificate> -keystore cacerts.

  4. When prompted, specify the appropriate password.

  5. When prompted, specify yes for Trust this certificate?.(Bug 983410)

4.20 Exception After Changing Keystore Password With Specific Special Characters

Issue: When you upgrade Change Guardian to 5.0, change the keystore database password which consist of specific special characters, you will see the following exception: Failed to initialize Communicator

(Bug 1055428)

4.21 Policy Editor Crashes While Browsing Policy Directory as IQCDWrapper.DLL Fails to Load

Enter the path of the file or directory you want to monitor manually, instead of browsing, to avoid this error.(Bug 1126213)

5.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at

Additional technical information or advice is available from several sources:

6.0 Legal Notice

© Copyright 2019 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see