NetIQ Secure Configuration Manager |
Version 5.9 Service Pack 1 |
Release Notes |
Date Published: June 2013 |
|
|
This service pack improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups. For more information about this release and for the latest Release Notes, see the Secure Configuration Manager Documentation web site. To download this product, see the Secure Configuration Manager Service Packs Web site. What's New?The following outline the key features and functions provided by this version, as well as issues resolved in this release:
Operating System SupportYou can install the Secure Configuration Manager console and Core Services components on a computer running Windows Server 2012. You can also install the console on a computer running Windows 8 (32-bit and 64-bit). Additional Agent SupportThis service pack adds support for NetIQ Secure Configuration Manager Windows Agent 5.9 Service Pack 1 (Windows agent). It also includes Hotfix 73317, which adds and updates objects and attributes in the UNIX namespace to support NetIQ Secure Configuration Manager UNIX Agent 7.2 (UNIX agent), at a minimum. For detailed information on these agents, see the respective release notes on the Secure Configuration Manager Documentation Web site. For more information about the hotfix, see Previous Releases. Additional Windows EndpointsSecure Configuration Manager adds support for the following Windows endpoint types:
Secure Configuration Manager places SQL Server 2012 endpoints in the MS SQL Server category in the console. Enhancements and Software FixesSecure Configuration Manager 5.9 Service Pack 1 includes software fixes that resolve several previous issues. For the list of software fixes and enhancements in previous releases, see Previous Releases.
Improved Information about an Agent's Last ActivityThis service pack modifies the way that Secure Configuration Manager reports the last activity of a security agent. The Last Activity field in IT Assets > Agents now represents only the last successful communication:
Previously, Secure Configuration Manager reported every attempted communication with the agent, regardless of success or failure. With this improvement, you can use Last Activity to verify the status of an agent. Adds an Attribute to the UNIX Agent PropertiesThe service pack adds an attribute to the UNIX Agent Properties window: Number of CPUs. Secure Configuration Manager populates this field when you run the Discovery - System Details for the UNIX Endpoint security check. To ensure that you have the latest version of the check, use the AutoSync update service. (ENG323011) Provides Additional Options for Scheduled JobsThis release provides the following improvements for scheduled jobs:
Hide Exceptions in a Distributed ReportIf a policy template or security check report contains exceptions, Secure Configuration Manager now allows you to hide the excepted rows when you distribute or export the report. This improvement applies to reports in both .pdf and .xml format. Reports exported or distributed in other formats already hide excepted rows when required. (ENG321607) Administrators Can Create Delta Reports that Include Reports Run by Other UsersThe delta reporting feature allows you to observe changes in an endpoint's results for a policy template or security check report over time. This version of Secure Configuration Manager allows members of the Administrators console role to create a delta report that compares the reports run by other users. Previously, console accounts with the Administrators role could view reports by other users but not include those reports in a delta comparison. Delta reporting also allows you to compare results of a known, good endpoint against those of another endpoint for the same template or check run. For more information about delta reports, see the Help and the User Guide for NetIQ Secure Configuration Manager. (ENG297189) Adds Security Check Name to the Policy Template Preview FileThe Policy Template - Print Preview file now lists the security check name associated with each description of the check. To see the preview, right-click a policy template in Security Knowledge and then click Print. (ENG325613) Temporarily Enables WUS when Running Security Checks for Patch AssessmentWhen you run security checks that assess the patch-level status of your Windows endpoints, the Windows agent needs Windows Update or Automatic Update services enabled on the endpoint to complete the query. If the Windows Update Service (WUS) is disabled, the agent temporarily enables WUS while running the check, and then disables the service upon completing the query. For more information, see the Release Notes for NetIQ Secure Configuration Manager Windows Agent 5.9 Service Pack 1. ENG329077 Normalizes Names of Windows Service Accounts in Reports
Filter Window in the Security Check Wizard Does Not Allow Incomplete Custom Check Filter ValuesThe Security Check wizard now provides controls that improve your ability to create, edit, and delete parameter filters. For example, one option enables you to delete an unfinished filter row. Another option lets you accept the edits and move to the next filter row or click Next to continue to the next window in the wizard. The Filter window displays the new options above Attribute Description. (ENG292940) Cannot Report Some Tasks Scheduled on Windows Vista or Windows Server 2008Secure Configuration Manager now collects scheduled task information when the tasks are created by the Task Scheduler on Windows Vista or Windows Server 2008. (ENG255154) Cannot Use SSL Algorithms for Communication between Core Services and the Database When You Enable FIPS Mode
Window Lists Agent Properties in an Inconsistent Order
Cannot Import an Edited or Custom Policy Template
Scheduled Jobs Stop Running when You Delete a Targeted Endpoint
Cannot Export Data View Results when the First Endpoint Has No Data
Maximum Log Size Reverts to Default Value after Upgrading Core Services
Using Special Characters Affects Windows Agent Deployment
System RequirementsThis service pack includes a full version of Secure Configuration Manager 5.9. For detailed information on hardware requirements and supported operating systems for version 5.9, see the Installation Guide for NetIQ Secure Configuration Manager. Also, when determining the system requirements for applying this service pack to a previous version, NetIQ Corporation recommends that you review the following considerations:
For the most recently updated list of supported application versions, see the Secure Configuration Manager Technical Information page. Installing This VersionNetIQ Corporation recommends that you review the following considerations before installing or upgrading to this version:
Verifying the InstallationComplete the following steps to verify that the installation was successful. To check the installed version:
Known IssuesNetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Upgrade Process Resets Console Settings to Default ValuesWhen you upgrade to this version, the installation process resets the configuration settings for the console. For more information about saving your settings before upgrading, see Installing this Version. (ENG328791) Filtered Lists in the Security Checkup Results Viewer Do Not Save Custom Policy Templates with Commas in Their NamesThe Security Checkup Results Viewer allows you to create a filtered list of custom policy templates, including templates that have a comma (,) in their name. However, after you save and reopen the filtered list, the list does not include the policy templates with commas. (ENG322291) Using Special Characters Affects Returned DataUsing special characters, such as !*#)_%, to name user-defined items can adversely affect returned data. The following issues can occur:
Wildcards Not Supported for Custom Check FiltersWhen you create a filter for a custom security check, Secure Configuration Manager does not support the use of wildcards as filter values. (DOC182820) Only Console Administrators Can Edit and Delete Custom Tasks and Task SuitesSecure Configuration Manager allows only console users with administrator permissions to edit or delete a custom task or task suite. Users without administrator permissions can still create tasks and task suites. (ENG321120) Exceptions Wizard Might List More Security Checks Than You Can ExceptThe Select Check window in the Exceptions wizard might display more security checks than you can apply exceptions against. This issue occurs when you run a policy template containing checks for multiple platforms, such as Windows and UNIX, and you attempt to apply an exception against a group of endpoints. (ENG318704) Process Namespace Object Reports Only One Instance of a ProcessWhen you use the Process object in the Windows namespace to search for processes and the computer has multiple instances of a process with the same name, Secure Configuration Manager reports only one instance of that process. This issue occurs on computers running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 2 operating systems. (ENG241828) Some Ports Not Reported by Port ObjectThe Port object in the Windows namespace does not return data for all existing ports when the managed system has more than one IP address and Secure Configuration Manager communicates with each IP address through the same port. The Port object returns data for only one of the ports because the Port object places the port number in the name field and then reports only one instance of that name. (ENG257340) Password Object is Not Supported on Microsoft Windows 64-bit Operating SystemsThe Password object in the Windows namespace uses methods that are not supported on 64-bit computers to obtain password hashes. Security checks using this object do not return valid results on 64-bit computers. (DOC243481) Custom Check Namespace Changes Might Cause IssuesIf you wrote custom security checks in Secure Configuration Manager 5.6, you might need to modify those checks to work properly in this version of the product due to namespace changes. Changing an IP Address Affects SQL Server and Core ServicesIf you change the IP address on a system, you might need to restart SQL Server. If you restart SQL Server, you must then restart Core Services. Database Connection DifficultyIf you are having difficulty connecting to the Secure Configuration Manager database from the console, create a server alias in the SQL Server Client Network Utility for the database and set up the alias to use the TCP/IP network library. (ENG123939) Aliased Security Check Exceptions InconsistentPolicy templates can use an aliased instance of a security check to check different parameters of an endpoint. When exceptions are created and approved for policy templates that use aliases, application of the exceptions can be inconsistent. (ENG236185) Data Caching Turned Off for Active Directory Objects by DefaultWhen you add a custom attribute from an extended Active Directory (AD) schema, that attribute might not be added to the data cache, and will return void for a field that actually contains valid data. Therefore, to ensure the data validity of your security checkup reports, Secure Configuration Manager is delivered with caching turned off for AD objects. In extremely large AD environments, the lack of caching might cause an increase in the processing time of AD-specific reports, but this precaution ensures the validity of those reports. For more information about caching options, contact NetIQ Technical Support. (DOC236909) Deleting Non-Mandatory Attribute String Might Cause Inaccurate DataActive Directory user and group reports might return inaccurate data if a user deletes a non-mandatory string attribute in Active Directory. If a non-mandatory string attribute is deleted, the agent cache does not reflect the change in Active Directory. (DOC184047) Latest Version of Scheduled Task Suites Does Not RunIf you schedule a task suite, and then edit the task suite after you schedule it, Secure Configuration Manager runs the originally scheduled task suite instead of the latest version. (ENG136763) Canceling Jobs for Windows Agents Might Cause IssuesWhen you cancel a currently running job for a Windows agent, any process for the Windows agent that is actively running might not stop. Console Might Not Exit Gracefully when Database Connection is LostWhen the Secure Configuration Manager console loses its database connection, the console might not exit gracefully. Policy Template Requires NetIQ Group Policy Administrator or Group Policy ObjectsThe AD Computer Analysis policy template can return data only in an environment with NetIQ Group Policy Administrator or Group Policy Objects in place. (DOC228702) Console Might Take A Long Time to Import and Display Policy Templates with a Large Volume of ChecksWhen you import and attempt to view a policy template that contains a large volume of security checks, the console might require extra time to respond. For example, a policy template with more than 1,000 security checks might require more than five minutes to import. (ENG317381) Scheduled Jobs Do Not Run At Expected Times in a Distributed EnvironmentWhen you use Secure Configuration Manager in an environment distributed across multiple time zones, scheduled jobs might not run or might run at a time other than the scheduled hour. This issue occurs because of the discrepancy between the time zones for the Core Services computer, the database computer, and the console computers. For example, a console user in London schedules a job to run at 4 a.m., with the assumption that the job runs according to Greenwich Mean Time. However, the Core Services computer in New York City runs the job at 4 a.m. Eastern Daylight Time, which is five hours later than the user planned. (ENG321656) Might Need to Register iSeries Agents Multiple TimesWhen you register an existing or new agent for NetIQ Security Solutions for iSeries with Core Services, you might need to register the agent more than once before Core Services updates the registration status. This issue occurs because the registration process initiates a security check that verifies information about the agent and its host computer. The security check starts the PSEAGENT job, but does not stop the job. When you re-register the agent, the job PSEAGENT stops and Core Services verifies agent registration. (ENG323220) Some Components Cannot be Installed in a FIPS-Enabled Environment or Function on a FIPS-Enabled Computer
Managing IIS Endpoints with Windows Server 2003 Agent Computers Might Cause Issues
Password Policy Changes Do Not Update When Connecting Multiple Core Services to the Same Database
Some Internet Browsers Display Logon Fields for the Results Viewer in an Odd Location
Additional Folder Installed in the Root Directory on the Core Services Computer
Cannot Use WordPad to View a List Exported in .rtf Format
Cannot Uninstall Secure Configuration Manager from a Drive Other than C:
Some Asset Compliance View Reports Fail to Display All Data Columns on the Same Page
Additions to DocumentationThis service pack does not provide updated guides for Secure Configuration Manager or the Windows agent. The following topics describe additions and modifications to the installation, user, and Windows agent guides. For the most recent documentation, see the NetIQ Secure Configuration Manager Documentation Web site. For more information about supported versions, see the NetIQ Secure Configuration Manager Technical Specification Web site. Installation GuideThe Installation Guide for NetIQ Secure Configuration Manager does not include the following updated information:
Windows Agent GuideThe Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent does not include the following updated information:
Previous ReleasesThis service pack includes a full version of Secure Configuration Manager 5.9. For more information about that release, see the Version 5.9 Release Notes. This service pack also includes enhancements added in Hotfixes 73317, 7011456, and 7011592. For more information, review the following descriptions:
Adds Objects and Attributes to the Namespace for NetIQ Secure Configuration Manager UNIX AgentHotfix 73317 adds and updates objects and attributes in the UNIX namespace for NetIQ Secure Configuration Manager UNIX Agent 7.2 (UNIX agent), at a minimum. You can use the objects and attributes to create custom security checks and policy templates. (ENG316503) Cannot View or Edit Exceptions After Upgrading to Secure Configuration Manager 5.9Hotfix 7011456 resolves an issue where the console does not display nor allow you to edit exceptions after you upgrade to Secure Configuration Manager 5.9. (ENG325250) Adds and Updates Stored Procedures in the DatabaseHotfix 7011592 adds or updates stored procedures that resolve the following issues:
Reduces Conflicts that Occur when Concurrently Purging and Adding Records in the DatabaseThis hotfix updates the SPADDRDATAREQUEST stored procedure to reduce potential conflicts that occur when Core Services attempts to delete old data while concurrently adding new data to the same tables in the database. This issue might occur when you run a policy template while simultaneously purging old reports. (ENG325017) Improves the Process for Purging Database RecordsThis hotfix updates two stored procedures that resolve two issues in the automatic process for purging reports from the Secure Configuration Manager database:
Adds Ability to Delete Custom Agent and System PropertiesThis hotfix adds the following stored procedure that enables you to remove custom attributes from the properties that define the agents and systems in your asset map: SPDeleteServerAgentAttribute. For example, you might have added a property that specifies the department to which a system belongs, and you no longer want to use that property. For more information about running the stored procedure, see NetIQ Knowledge Base article 7011394. (ENG324820) Updates a Stored Procedure that Deletes Orphan Records from the DatabaseThis hotfix updates the SPDeleteOrphans stored procedure, which deletes orphan records from the Secure Configuration Manager database. The updated stored procedure does not look for the discovered agent table. The table exists in previous versions of the database but is not in version 5.9. (ENG324551) Contact InformationOur goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you. For detailed contact information, see the Support Contact Information Web site. For general corporate and product information, see the NetIQ Corporate Web site. For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups. Legal NoticeNetIQ Secure Configuration Manager is protected by United States Patent No: 5829001 and 7707183. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. © 2013 NetIQ Corporation and its affiliates. All Rights Reserved. For information about NetIQ trademarks, see http://www.netiq.com/company/legal/. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||