NetIQ Secure Configuration Manager Module for SCAP 3.0 (the SCAP module) adds support for Secure Configuration Manager 6.2 and Windows Agent 6.2.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum, our community website that also includes product notifications, blogs, and product user groups.
For more information about Secure Configuration Manager, see the Secure Configuration Manager website.
For the latest version of this release notes document, see the NetIQ Secure Configuration Manager 6.2 documentation website.
The following sections outline the key features and functions provided in this release.
NetIQ Secure Configuration Manager Module for SCAP 3.0 is enabled with SCAP version 1.2.
This release adds support for the following versions of the Secure Configuration Manager:
NetIQ Secure Configuration Manager 6.2
NetIQ Secure Configuration Manager Windows Agent 6.2
This release requires the following product versions, at a minimum:
NetIQ Secure Configuration Manager 6.2
NetIQ Secure Configuration Manager Windows Agent 6.2
For the most recently updated list of supported application versions, see the NetIQ Secure Configuration Manager Technical Information page. For detailed information on hardware requirements and supported operating systems, and browsers, see the NetIQ Secure Configuration Manager SCAP Module Guide.
You can upgrade to SCAP module 3.0 from version 2.3.
For information about installing or updating to SCAP module 3.0, see the NetIQ Secure Configuration Manager SCAP Module Guide.
When updating the SCAP module for Windows agent component, consider the following scenarios:
If you have Windows agents at version 5.9.1 or later without an SCAP module installed, update the agents to version 6.2 and install SCAP module.
If you have Windows agents at version 6.2, you can deploy SCAP module of Windows agent from the Secure Configuration Manager console using the deployment wizard.
Either install the SCAP module for Windows agent component locally on the agent computer or use the console to deploy a .nap package to remote agent computers. For more information about installing and deploying the SCAP module for Windows agent component, see the NetIQ Secure Configuration Manager SCAP Module Guide.
(Conditional) You can upgrade the SCAP Module for Secure Configuration Manager and the SCAP module for Windows agent from version 5.9.1 or later to version 6.2 on a local computer only by using the command line. For more information, see Installing or Upgrading the SCAP Module Components
in the NetIQ Secure Configuration Manager SCAP Module Guide.
For assistance with installation or upgrade, contact Technical Support.
Complete the following steps to verify that the installation was successful on the Core Services computer:
Log on to the Secure Configuration Manager console.
On the Help menu, click About NetIQ Secure Configuration Manager.
Under Patch Summary, click Database.
Verify that the Version tab lists 6.2 for the most recently installed SCAP Module.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Section 5.1, Cannot Import SCAP Templates after Installing the SCAP Module
Section 5.2, Risk Score Might be Applied Inappropriately to Windows Server 2003 Endpoints
Section 5.3, XCCDF Conversion Utility Displays Errors during Successful Conversion
Section 5.4, Exported XCCDF File Might Report an Inaccurate Number of Windows XP and Vista Endpoints
Issue: After the installation, importing SCAP templates to Secure Configuration Manager console fails. (Bug 937972)
Workaround: Restart NetIQ Core Services.
Secure Configuration Manager might inappropriately apply a risk score to Windows Server 2003 endpoints for security checks that do not apply to the endpoints or when the policy template report lists the endpoint as “unknown”. This issue occurs when you run an SCAP policy template containing checks that apply to multiple endpoint types against multiple endpoints, including a Windows Server 2003 endpoint. (Bug 953300)
Workaround: There is no workaround at this time.
Issue: The XCCDF Conversion utility incorrectly reports errors while converting XCCDF benchmark files to templates. The following messages are examples of the incorrect errors:
cpe USGCB-ie8-cpe-dictionary.xml Invalid Error on line 105 of document http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd: src-resolve: Cannot resolve the name 'xml:lang' to a(n) 'attribute declaration' component
cpe USGCB-Windows-7-firewall-cpe-dictionary.xml Invalid Error on line 105 of document http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd: src-resolve: Cannot resolve the name 'xml:lang' to a(n) 'attribute declaration' component
cpe irm-10.8.10-cpe-dictionary.xml Invalid Error on line 105 of document http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd: src-resolve: Cannot resolve the name 'xml:lang' to a(n) 'attribute declaration' component
(Bug 953314)
Workaround: Ignore these errors. Even though the messages report errors, the utility successfully creates the policy templates. You can import the templates and run them against endpoints displaying valid data.
Issue: If a managed group contains a combination of Windows XP and Windows Vista endpoints, exported SCAP results inaccurately report the number of endpoints per operating system type. This issue occurs because, when generating the XCCDF file, Secure Configuration Manager applies the type of the first reported endpoint to all endpoints in the group, such as Windows Vista. For example, the South Texas managed group contains three Windows XP endpoints and two Vista ones. You run an assessment against the South Texas group, export the results as XCCDF, and then run the FDCC Reporting Utility to generate a compliance report. The final report lists five Windows Vista endpoints and zero Windows XP systems. (Bug 953345)
Workaround: Create managed groups for each operating system type. You can nest managed groups within higher-level groups. For example, My Groups > South Texas > XP Laptops and My Groups > South Texas > Vista Laptops. Then run separate jobs against the lower-level groups, such as one job for the XP Laptops.
Issue: When you specify credentials for the Report Loader, Secure Configuration Manager displays asterisks for no more than 20 characters entered in the Password field. However, regardless of the asterisks displayed in the field, Secure Configuration Manager supports passwords up to 40 characters. (Bug 953348)
Workaround: There is no workaround at this time.
Issue: Creating FDCC compliance reports fails because you cannot export policy template reports to XCCDF format. (Bug 891524)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of the Secure Configuration Manager forum, our community Web site that offers product forums, product notifications, blogs, and product user groups.
For information about NetIQ legal notices, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2016 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/. All third-party trademarks are the property of their respective owners.