NetIQ Secure Configuration Manager 6.0 Release Notes

January 2015

Secure Configuration Manager 6.0 (SCM) includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this release and for the latest release notes, see the Secure Configuration Manager Documentation Web site. To download this product, see the Secure Configuration Manager Web site.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, and issues resolved in this release.

1.1 Integration with NetIQ Sentinel

SCM can now send compliance information as events to NetIQ Sentinel. For more information, see Integrating Secure Configuration Manager with Sentinel in the NetIQ Secure Configuration Manager User Guide.

1.2 Support for Network Device Endpoints

SCM allows you to manage network device endpoints using the Windows Agent. For more information, see Managing Network Device Endpoints in the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent.

1.3 Support to Assign Session Limit to User Roles

SCM allows you to limit the maximum number of concurrent Web and client console sessions for each user by using the session limit option for the user role. For more information, see Assigning Session Limit to Roles in the NetIQ Secure Configuration Manager User Guide.

1.4 Installer Enhancements

SCM 6.0 uses the Windows Installer to significantly simplify the installation. For the updated installation procedure, see Installing Secure Configuration Manager Components in the Installation Guide for NetIQ Secure Configuration Manager.

NOTE: SCM upgrade supports the disaster recovery process. This process describes how to back up SCM configuration data and recover it in case of a failed or interrupted upgrade. For more information, see Backing Up Configuration Data and Recovering Configuration Data in the Installation Guide for NetIQ Secure Configuration Manager.

1.5 New Platforms Support

SCM 6.0 adds support for the following operating systems and SQL Server versions:

Operating Systems

Windows Server 2012 R2

SQL Server

Microsoft SQL Server 2014

Microsoft SQL Server 2012

Microsoft SQL Server 2012 SP1 and SP2

For more information, see Planning Your Secure Configuration Manager Environment in the Installation Guide for NetIQ Secure Configuration Manager.

1.6 GRC Integration

SCM leverages Unified Compliance Framework (UCF) to enable GRC integration. GRC Manager is a new tool introduced in this release to manage UCF and SCM integration.

The GRC Manager tool integrates SCM and UCF to provide audit and configuration assessment of the endpoints to the Governance, Risk, and Compliance vendors. For more information about GRC Manager, see the Secure Configuration Manager Product Upgrades page.

1.7 JRE 64-Bit Support

SCM 6.0 adds support for JRE 64-bit. When you are installing SCM 6.0, the installation program detects the version of the operating system and installs a 32-bit or 64-bit JRE appropriately.

NOTE: If FIPS mode is enabled in SCM through the Core Services Configuration Utility, the 32-bit JRE is used irrespective of whether the computer is 32-bit or 64-bit.

1.8 Software Fixes

This release resolves the following major customer issues. For the list of software fixes and enhancements in previous releases, see the Secure Configuration Manager Documentation page.

The Minimum Password Length Check Reports Differently on Linux in the Unix Agent 7.3

Issue: On Linux, the Minimum Password Length check reports differently in the Unix Agent 7.3 than in the Unix Agent 7.1. In the Unix Agent 7.1, data is received from the /etc/login.defs file, and in the Unix Agent 7.3, data is received from the /etc/pam.d/system-auth file. (BUG 868705)

Fix: The Minimum Password Length check is modified, and this issue is resolved.
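Why the two agent versions could disagree, shown as an added example (not NetIQ code): /etc/login.defs and /etc/pam.d/system-auth carry independent minimum-length settings, so an audit can read both and flag a mismatch. The file contents below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample file contents (not taken from a real host).
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    5
#PASS_MIN_LEN   12
"""

SYSTEM_AUTH = """\
auth        required      pam_env.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""


def login_defs_min_len(text):
    """Return PASS_MIN_LEN from login.defs content, or None if it is not set."""
    value = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(parts) == 2 and parts[0] == "PASS_MIN_LEN" and parts[1].isdigit():
            value = int(parts[1])               # a later setting overrides an earlier one
    return value


def pam_min_len(text):
    """Return minlen= from the first pam_cracklib/pam_pwquality password line, or None.

    Only the PAM file itself is inspected; a minlen set in a separate
    pwquality configuration file is outside this example. With these modules
    minlen interacts with character-class credits, so it is not always the
    literal minimum number of characters.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        fields = line.split()
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        if not re.search(r"pam_(cracklib|pwquality)\.so", line):
            continue
        match = re.search(r"\bminlen=(\d+)\b", line)
        if match:
            return int(match.group(1))
    return None


def compare_min_len(login_defs_text, pam_text):
    """Report both values and whether the two sources agree."""
    from_login_defs = login_defs_min_len(login_defs_text)
    from_pam = pam_min_len(pam_text)
    return {
        "login_defs": from_login_defs,
        "pam": from_pam,
        "agree": from_login_defs == from_pam,
    }


if __name__ == "__main__":
    print(compare_min_len(LOGIN_DEFS, SYSTEM_AUTH))
```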

SCM Agents Time Out

Issue: Some endpoints time out, which results in agents timing out. As a result, reports are not run completely. (BUG 871895)

Fix: This release resolves the issue, as there are performance improvements.

The getMetricSnapshot API Returns Wrong Checks

Issue: The getMetricSnapshot API returns the wrong checks for a particular policy. If the API is run with a Database Server policy, the API returns the checks for the OS policy instead of Database Server policy. (BUG 877793)

Fix: The getMetricSnapshot API now returns checks correctly.

Capturing FIPS Enabled SSL Traffic with Wireshark Fails

Issue: When SCM is in FIPS mode, capturing SSL traffic with Wireshark fails. (BUG 897800)

Fix: The stored procedure is modified to fix this issue.

Exceptions Not Displayed in the SCM Console

Issue: Exceptions are not displayed in the SCM Console, though they are still applied to reports. (BUG 846445)

Fix: NetIQ recommends that you use a network monitoring tool to view the SSL traffic.

Timeout Operation Error in Core When Logging In

Issue: When you log in to the SCM Core, a timeout operation is displayed. (BUG 877808)

Fix: This release resolves this issue.

Importing or Exporting Domain Keys Does Not Work

Issue: You cannot import or export domain keys if you installed or upgraded to Secure Configuration Manager 5.9 Service Pack 1. (BUG 853992)

Fix: With this release, you can export and import domain keys. For more information about domain keys, see Section B.1.3, Storing a Copy of the Domain Keys and Section B.2.7, Restoring Domain Keys in the User Guide for Secure Configuration Manager.

Scheduled Delta Report is not Created

Issue: When a scheduled job runs and creates a report from the policy template, the delta report is not generated. (BUG 833785)

Fix: Delta reports are generated correctly in this release.

Displaying Assets from IT Assets Takes Long Time

Issue: In an environment where there are many assets, displaying IT assets takes a very long time. (BUG 877811)

Fix: SCM improves system performance and immediately displays the requested assets.

The Agent Hangs When Running Oracle Checks on AIX 5.3.0.0

Issue: On AIX 5.3.0.0, the agent hangs when running Oracle checks. The uvservd process hangs and does not close. (BUG 830948)

Fix: Set the right permissions while running Oracle checks.

Performance Issue in the getCheckDataDetail API

Issue: Delayed response of the getCheckDataDetail API results in slow loading of the dashboard. (BUG 877779)

Fix: SCM 6.0 improves the getCheckDataDetail API performance.

Importing a New Version of the Template Overwrites the xccdf Files

Issue: When you import a new version of the template, existing xccdf files are overwritten. This occurs because the ThreatGuard either versions or renames the files based on the template. (BUG 877780)

Fix: When importing the template, SCM 6.0 copies the associated files of the template at C:\Program Files (x86)\NetIQ\Secure Configuration Manager\Core Services\web\webapps\root\ThreatGuard\<template_id>. When the SCAP template is run, Agents pick the files from the new location.

xccdf Files are Deleted from the Core Server When the Template is Deleted

Issue: When you delete the template, xccdf files are deleted from the core server in a multi-core environment. (BUG 877782)

Fix: SCM 6.0 now deletes the associated files of the template from all the core servers in a multi-core environment.

The getCheckDataDetail API Does Not Populate the endpointName Field

Issue: The getCheckDataDetail API returns data that contains a dataset for each endpoint specified in the request. This dataset contains a field for the endpointName attribute. Data is not populated in this attribute; it needs to be populated with the endpointName value. (BUG 877783)

Fix: The endpoint settings are now updated to populate the data for the endpointName attribute when the getCheckDataDetail API is called.

Delay in Starting the Console Permissions Wizard

Issue: If your environment has many console users, the Console Permissions wizard takes a long time to start. (BUG 877784)

Fix: This issue is resolved through reduction of redundant calls to the SCM database.

Missing Windows Group Endpoints

Issue: In the Report Viewer console, endpoints are not available in the Windows group under IT Assets. (BUG 877785)

Fix: The stored procedures for the SCM database are enhanced to resolve this issue.

Some Error Checks Cannot be Excepted

Issue: When you import a template and run it against an endpoint, and apply an exception (after excepting one or more error checks), it is expected that the endpoint is in compliance with the specified exception. But some errors are not excepted. (BUG 877786)

Fix: This release resolves this issue by handling the creation of exceptions for error checks.

The getComputerInMetric API Does Not Retrieve the lastInComplianceJobID Attribute

Issue: The getComputerInMetric API fails to retrieve the lastInComplianceJobID attribute details. (BUG 877787)

Fix: This release includes the lastInComplianceJobID attribute in the getComputerInMetric API to ensure that the API query returns the value of this attribute.

A new scoring mechanism, related to InCompliance/OutOfCompliance/UnknownCompliance, is added. For the new scoring mechanism to function correctly, add the following lines to the mk.options file:

gladiator/ticket/hvc/compliance=true

gladiator/ticket/high/value/passed=90.0

gladiator/ticket/high/value/weight=10

The getComputerInMetric API Does Not Return Error Checks in the unknownList Element

Issue: The getComputerInMetric API does not return error checks in the unknownList element. (BUG 877788)

Fix: SCM now ensures that the unknownList element is verified to have error checks data.

Adjusting the Compliance Score to Ignore the Inaccurate Checks Against Compliance

Issue: The compliance score needs to be adjusted to not count errored checks against compliance. (BUG 877789)

Fix: SCM introduces a new mechanism that calculates the baseline and benchmark scores by subtracting the missing score.

SCM Uninstallation Not Complete

Issue: The SCM uninstallation process does not clean all the GUI files from the installation directory. However, the uninstallation completes without any errors. (BUG 882007)

Fix: This issue is resolved in the new installer supported in this release.

Reports Time Out for Some Servers

Issue: While running a policy template against a large group of servers, the report times out for some servers. (BUG 858694)

Fix: The performance of reports is improved in this release, which resolves this issue.

The getMetricSnapshot API Returns an Error

Issue: The getMetricSnapshot API returns the following error when the job is deleted: (BUG 877794)

Fault occurred while processing

Fix: SCM now handles this exception correctly while running the API.

Endpoints Appear Offline

Issue: Some endpoints appear offline; checking the heartbeat does not bring them back online. The only way to bring the endpoints back online is to re-register them. (BUG 878718)

Fix: The endpoint performance is improved in this release.

Unable to Create a Schedule for a Specific Time

Issue: If you try to schedule a template to run at a specific time, the template runs one hour after the time specified in the schedule. The template fails to run at the specified time even if you edit the scheduled time manually. (BUG 840061)

Fix: Template scheduling is modified in this release so that templates run correctly at specific times.

Delay in Opening Reports in Completed Job Queue

Issue: When you open a report in the completed job queue, it takes a very long time to display the report. (BUG 877804)

Fix: With this release, reports in the completed job queue open considerably faster.

The getMetricSnapshot API Takes Long Time to Load SADR

Issue: The getMetricSnapshot API takes a long time to load SADR. (BUG 877796)

Fix: The getMetricSnapshot API performance is now improved.

Windows Major and Minor Versions Not Populated

Issue: Major and minor version details of some Windows servers are not populated while adding endpoints. (BUG 890676)

Fix: This issue no longer exists with the improved endpoint discovery performance in this release.

Cannot Re-Import SCAP Templates

Issue: You cannot re-import SCAP templates. (BUG 877807)

Fix: With this release, you can re-import the SCAP templates, which results in replacing the older template successfully.

The getMetricSnapshot API Returns Incorrect Scanned Date

Issue: The getMetricSnapshot API returns an incorrect scanned date. Instead of displaying the date and time of the job run, the scanned date is shown as the date and time when the API was executed. (BUG 877797)

Fix: With this release, the scanned date and time in the getMetricSnapshot API display the date and time when the job was run.

Some Values Missing in System Account Defaults Object

Issue: The Operator and Criteria fields in the filter screen do not work as expected. Some values are missing in the Operator Values List, such as 'less than', 'greater than', and a few other values. The Criteria column displays 'Unknown', whereas the value should be an integer. (BUG 864977)

Fix: This issue is resolved, as the Agent performance is improved in this release.

Task Reports Do Not Contain Any Data

Issue: In console computers that are on Windows, no data is visible in some task reports. Blank reports are displayed. (BUG 835069)

Fix: This issue is resolved, as the reports performance is improved in this release.

Approving Exceptions Can Not be Done Correctly

Issue: When an administrator needs to approve an exception, they need to view the exception and compare the output with their standards. But exception details are not displayed correctly; incorrect data is displayed instead of the exception information. (BUG 831169)

Fix: This issue is resolved, as the exceptions approvals process is optimized in this release.

The Scheduled Job and the Completed Job Do Not Have Corresponding Descriptions for Cross-Reference

Issue: When scheduling a job, the scheduled job and the completed job do not have corresponding descriptions for cross-reference. (BUG 877810)

Fix: With this release, descriptions are added in the completed job queues for schedule name and schedule description.

Headers are Missing and Data is Incorrectly Placed in Task Reports

Issue: In the Task reports, the data in the headers and the parameters area is not displayed. Also, the data in the report is not displayed correctly and some data is displayed in incorrect columns. (BUG 842875)

Fix: This issue is resolved, as the reports performance is improved in this release.

Some Checks Fail When Run in a Template

Issue: Some checks fail when they are part of a template and the particular template is run. The same checks run correctly when run individually. (BUG 890427)

Fix: This issue is resolved, as the checks are updated in this release.

Completed Jobs Not Being Purged as Expected for Non-Admin Users

Issue: Completed jobs are not being purged as per the retention period for non-admin users. Non-admin users’ reports remain in the completed job queue even after the time duration mentioned in the retention period. (BUG 839760)

Fix: This issue is resolved, as the expected behavior of job queue is updated in this release.

The getGroupMetric API Does Not Populate Errored Checks

Issue: The getGroupMetric API does not populate errored checks in the unknownList element. (BUG 877814)

Fix: This issue is resolved, as the unknownList element shows the errored checks in this release.

The calculateGroupMetricTrend API Returns 0 for All Values of outOfCompliantCount and inCompliantCount Attributes

Issue: The calculateGroupMetricTrend API returns 0 for all values of outOfCompliantCount and inCompliantCount attributes. (BUG 877803)

Fix: With this release, the calculateGroupMetricTrend API returns correct values for the outOfCompliantCount and inCompliantCount attributes.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see Planning to Install Secure Configuration Manager in the Installation Guide for NetIQ Secure Configuration Manager.

3.0 Installing or Upgrading to Secure Configuration Manager 6.0

To install Secure Configuration Manager 6.0, see the Installation Guide for NetIQ Secure Configuration Manager.

You can upgrade to Secure Configuration Manager 6.0 from Secure Configuration Manager 5.9.1 or 5.9. To upgrade to Secure Configuration Manager 6.0, see Upgrading Secure Configuration Manager in the Installation Guide for NetIQ Secure Configuration Manager.

NetIQ recommends that you review the following considerations before upgrading to this version:

  • If you want to deploy NetIQ Secure Configuration Manager Windows Agent version 6.0 to Windows agents already registered with Secure Configuration Manager, you must locally upgrade at least one agent in each domain. Secure Configuration Manager uses this first upgraded agent as a Deployment Agent for the domain. Once an agent is upgraded, Secure Configuration Manager can automatically assign it as a Deployment Agent. For more information about deployment and Deployment Agents, see the Installation and Configuration Guide for NetIQ Secure Configuration Manager Windows Agent and the NetIQ Secure Configuration Manager User Guide.

  • The setup program automatically adds a Windows agent to the Core Services computer, if no agent previously existed on the computer. If a Windows agent exists on the computer, the setup program upgrades the agent to NetIQ Security Agent for Windows 6.0. Secure Configuration Manager assigns this agent as the default Deployment Agent. During installation, you should ensure that the run-as account specified for the NetIQ Security Agent for Windows service has the credentials to deploy to remote computers. For example, specify a domain administrator account.

  • If you want to immediately upgrade your Windows agents to version 6.0, you might need to re-register the agents before using the Deployment feature in the console. Secure Configuration Manager requires that the Properties window for each agent specifies a fully qualified host name (FQHN) for the agent computer. Secure Configuration Manager needs to know in which domain each agent resides so that Core Services can assign a Deployment Agent to use for deploying version 6.0 to the agents.

    However, if you upgrade your Windows agents more than 30 days after upgrading the Secure Configuration Manager infrastructure to version 6.0, you might not need to re-register your Windows agents. The Asset Details and Discovery job might collect the FQHN during a regularly scheduled run since this job enables Core Services to update agent and endpoint properties. You can also run this job manually from the Scheduled Jobs queue.

  • When the upgraded agent registers with Core Services, the default communication port changes from 1626 to 1627. If you upgrade an agent that communicates with Core Services on a port other than the default ports, you must manually re-register the upgraded agent.

  • The upgrade process removes all existing records from the Discovered Host table in the database. This means that the upgrade also removes all systems from the Discovered Systems content pane. After you successfully upgrade or install Secure Configuration Manager and register your agents, the Asset Details and Discovery job automatically adds application endpoints discovered on currently registered Windows and UNIX systems.

    To manually repopulate Discovered Systems with unmanaged systems, update the Discovery settings in the Core Services Configuration Utility, and then initiate the discovery process. For more information about discovery, see the Help and the NetIQ Secure Configuration Manager User Guide.

  • If you want to discover systems in Active Directory, you must update the settings on the Discovery tab of the Core Services Configuration Utility. This version requires different settings for searching Active Directory (AD) for new systems to add to the asset map.

  • If you want to re-deploy an agent that has already been successfully deployed to a remote computer, you must uninstall the agent first. For example, you might want to change the credentials of the NetIQ Security Agent for Windows service or resolve issues with the agent. The Deployment wizard does not change the settings for a previously installed agent, even though you modify the settings as part of the deployment process. The Windows agent setup program prevents you from installing an agent when the same version already exists on the computer, but the Deployment wizard does not.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of known issues in previous releases, see the Secure Configuration Manager Documentation Web site.

4.1 Endpoint Registration Fails After Regenerating Crypto Keys

Issue: While registering or reregistering an endpoint, if you regenerate the crypto key for SSH, the registration fails. This occurs because the key is not replaced in the .ssh/known_hosts file. (BUG 860552)

Workaround: Delete the .ssh/known_hosts file and register the endpoint again.
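Deleting the file also discards the pinned keys of every other host recorded in it. The following added example (not NetIQ code) removes only the entries for the re-keyed endpoint, assuming the file uses the standard OpenSSH known_hosts format, including hashed host names. The host names, salts and key blobs are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def hashed_field(host, salt):
    """Build an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(field, host):
    """True if a known_hosts host field names `host`.

    Handles hashed fields and comma-separated plain names; wildcard and
    negated patterns are not interpreted in this example.
    """
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, hash_b64 = field.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(hash_b64)
        except ValueError:          # malformed field: treat as no match
            return False
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def drop_host(known_hosts_text, host):
    """Return (new file text, removed lines) with every entry for `host` removed.

    A line that lists several names is removed whole if any name matches.
    """
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)
            continue
        # Lines may start with a marker such as @cert-authority or @revoked.
        has_marker = fields[0].startswith("@") and len(fields) > 1
        host_field = fields[1] if has_marker else fields[0]
        (removed if host_matches(host_field, host) else kept).append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    "db01.example.test ssh-ed25519 AAAA_PLACEHOLDER_OLD_KEY",
    hashed_field("db01.example.test", b"constructed-salt-001") + " ssh-rsa AAAA_PLACEHOLDER_OLD_KEY",
    hashed_field("web02.example.test", b"constructed-salt-002") + " ssh-ed25519 AAAA_PLACEHOLDER_KEPT",
    "web03.example.test,192.0.2.13 ssh-ed25519 AAAA_PLACEHOLDER_KEPT",
]) + "\n"

if __name__ == "__main__":
    new_text, removed = drop_host(SAMPLE, "db01.example.test")
    print("removed %d entries, kept %d lines" % (len(removed), new_text.count("\n")))
```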

4.2 The Retry Option in SCM Installer Does Not Work on Windows 7 and Windows Server 2008 R2

Issue: When you try to uninstall an SCM application using the SCM installer on a computer that has Windows 7 or Windows Server 2008 R2, and if some files that belong to the application are in use, a File in Use dialog box is displayed. If you click Retry in that dialog box, ideally uninstallation should not continue and the error message should persist, but uninstallation resumes. (BUG 893069)

Workaround: Install the Microsoft KB 2649868.

4.3 Upgrade from SCM 5.9 or 5.9.1 to SCM 6.0 Fails on Windows 2003 Standard SP2

Issue: Upgrade from SCM 5.9 or 5.9.1 to SCM 6.0 fails on Windows 2003 Standard SP2 and displays the following error: (BUG 900050)

File .msi was rejected by digital signature policy.

Workaround: Install the Microsoft KB 925336.

4.4 Command Execute Check Output is Incomplete in Reports

The Command Execute check output view is incomplete in SCM reports. Also, the scroll bar function is not supported in reports. (BUG 852044)

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of the Secure Configuration Manager forum, our community Web site that offers product forums, product notifications, blogs, and product user groups.