Secure Configuration Manager 6.2 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum, our community website that also includes product notifications, blogs, and product user groups.
For more information about Secure Configuration Manager, see the Secure Configuration Manager website.
For the latest version of this release notes document, see the NetIQ Secure Configuration Manager 6.2 documentation website.
The following sections outline the key features and functions provided by this version, and issues resolved in this release.
Secure Configuration Manager 6.2 is enabled with SCAP version 1.2. For more information, see NetIQ Secure Configuration Manager Module for SCAP 3.0 Release Notes.
Secure Configuration Manager 6.2 includes Java 8 update 92, which includes fixes for several security vulnerabilities and also improves Secure Configuration Manager performance.
Secure Configuration Manager Dashboard 6.2 includes a new chart called Check Status Distribution that displays the collective status of the security checks that have been run in the network. For more information about this chart, see NetIQ Secure Configuration Manager Dashboard User Guide.
Secure Configuration Manager 6.2 includes new security checks, and also enhances some existing security checks.
Secure Configuration Manager 6.2 includes the following new security checks:
This security check reports the security audit settings of the endpoint (computer), which determine the type of security events the computer writes to its logs. (Bug 985402)
This check reports whether IP forwarding is enabled in the endpoint. This check supports Linux, SunOS, and AIX endpoints.(Bug 940689)
This check reports user accounts with weak passwords within the provided list of user accounts. (Bug 920646)
Secure Configuration Manager 6.2 provides enhancements to the following security checks:
Rather than reporting just the numeric value of a registry key, this check now reports key-value mapping. This helps you to quickly identify endpoint vulnerabilities. For example, if the registry key value is 0, the check reports the value as disabled. (Bug 985398)
The existing (Bug 919560)check now consumes user-defined comparator-delimiter values if those are not part of the regular expression.
Secure Configuration Manager 6.2 includes the following enhancements.
You can now send reports on individual checks that are run as part of templates to the third-party Security Information and Event Management (SIEM) solutions. When you enable this option, Secure Configuration Manager sends a report to the third-party SIEM solution for each check that is run as part of templates.
For more information about enabling this feature, see the Integration of Secure Configuration Manager with Third-Party SIEM Solutions Whitepaper.
Secure Configuration Manager now provides auditing information about changes made to report options while running or scheduling a run of policy templates. Console users with the View Audit History permission can view these types of updates, such as what changes were made and which user has made the changes.
For more information about viewing the audit history log, see NetIQ Secure Configuration Manager User Guide.
Secure Configuration Manager 6.2 includes software fixes that resolve several issues.
Issue: Secure Configuration Manager Core Services sometimes stops when you try to register endpoints. This issue occurs because the database connections that are made while registering endpoints are not closed correctly. (Bug 965169)
Fix: Secure Configuration Manager now closes the database connections after registering endpoints correctly.
When you edit a template, Secure Configuration Manager generates a new version of the template with default report options and deletes any previously configured report options. (Bug 959639)
If you edit a template after it is scheduled, Secure Configuration Manager does not retain the options for the scheduled jobs report. Instead, Secure Configuration Manager generates a new version of the template but the scheduler still works on the old template version. So if you update report options post-schedule, the scheduler does not reflect the changes. (Bug 979308)
Fix: Secure Configuration Manager now retains report options even if you edit and update the template.
Issue: Secure Configuration Manager displays an error when you try to edit an exception if you have run the template that is specified in the exception against a different group.
This issue occurs because Secure Configuration Manager selects the latest job that is run against the relevant template while editing the exception. If the template is run against a different group in last run, then there will be a group mismatch. (Bug 974964)
Fix: You can now edit exceptions at any time.
For information about hardware requirements, supported operating systems, and browsers, see the NetIQ Secure Configuration Manager Technical Information web page.
To install Secure Configuration Manager 6.2, see the NetIQ Secure Configuration Manager Installation Guide.
You can upgrade to Secure Configuration Manager 6.2 from 5.9 Service Pack 1 or later versions.
For more information, see NetIQ Secure Configuration Manager Installation Guide.
NetIQ recommends that you review the following considerations before upgrading to this version:
To deploy NetIQ Secure Configuration Manager Windows Agent (Windows agent) version 6.2 to Windows agents already registered with Secure Configuration Manager, you must locally upgrade at least one agent in each domain. Secure Configuration Manager uses the first upgraded agent as a Deployment Agent for the domain. Once an agent is upgraded, Secure Configuration Manager can automatically assign it as a Deployment Agent. For more information about deployment and Deployment Agents, see the NetIQ Secure Configuration Manager Windows Agent Installation and Configuration Guide and the NetIQ Secure Configuration Manager User Guide.
The setup program automatically adds a Windows agent to the Core Services computer, if no agent previously existed on the computer. If a Windows agent exists on the computer, the setup program upgrades the agent to version 6.2. Secure Configuration Manager assigns this agent as the default Deployment Agent. During installation, you should ensure that the run-as account specified for the NetIQ Security Agent for Windows service has the credentials to deploy to remote computers. For example, specify a domain administrator account.
To immediately upgrade your Windows agents to version 6.2, you might need to re-register the agents before using the Deployment feature in the console. Secure Configuration Manager requires that the Properties window for each agent specifies a fully qualified host name (FQHN) for the agent computer. Secure Configuration Manager needs to know in which domain each agent resides so that Core Services can assign a Deployment Agent to use for deploying version 6.2 to the agents.
However, if you upgrade your Windows agents more than 30 days after upgrading the Secure Configuration Manager infrastructure to version 6.2, you might not need to re-register your Windows agents. The Asset Details and Discovery job might collect the FQHN during a regularly scheduled run since this job enables Core Services to update agent and endpoint properties. You can also run this job manually from the Scheduled Jobs queue.
When the upgraded agent registers with Core Services, the default communication port changes from 1626 to 1627. If you upgrade an agent that communicates with Core Services on a port other than the default ports, you must manually re-register the upgraded agent.
The upgrade process removes all existing records from the Discovered Host table in the database. This means that the upgrade also removes all systems from the Discovered Systems content pane. After you successfully upgrade or install Secure Configuration Manager and register your agents, the Asset Details and Discovery job automatically adds application endpoints discovered on currently registered Windows and UNIX systems.
To manually repopulate Discovered Systems with unmanaged systems, update the Discovery settings in the Core Services Configuration Utility, and then initiate the discovery process. For more information about discovery, see the Help and the NetIQ Secure Configuration Manager User Guide.
To discover systems in Active Directory, you must update the settings on the Discovery tab of the Core Services Configuration Utility.
If you want to re-deploy an agent that has already been successfully deployed to a remote computer, you must uninstall the agent first. For example, you might want to change the credentials of the NetIQ Security Agent for Windows service or resolve issues with the agent. The Deployment wizard does not change the settings for a previously installed agent, even though you modify the settings as part of the deployment process. The Windows agent setup program prevents you from installing an agent when the same version already exists on the computer, but the Deployment wizard does not.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: Secure Configuration Manager does not export full delta reports to Microsoft Excel format. (Bug 1001599)
Workaround: You can export delta reports in any other file formats such as .pdf, .tsv, .rtf, or .xml.
Issue: While upgrading Secure Configuration Manager to version 6.2 in the distributed setup in a computer where Core Services and the console are installed, the installation wizard displays incorrect screens if you click after the License Agreement screen. (Bug 994646)
Workaround: Cancel the upgrade process by closing the wizard, and start upgrading again.
Issue: If the computer on which you are installing contains Microsoft .NET framework version 4.5 and Microsoft .NET framework version 3.5 is not enabled, Secure Configuration Manager installation fails. (Bug 921158)
Workaround: Perform the steps specified in NetIQ Knowledgebase Article 7017878 before installing Secure Configuration Manager.
Issue: Upgrading the standalone AutoSync client 6.0 to this version fails. Although the installation completes when you run the installation setup program, the standalone AutoSync client does not upgrade to version 6.2. (Bug 971092)
Workaround: Uninstall standalone AutoSync client 6.0 and perform a fresh installation of standalone AutoSync client 6.2. If you have configured any specific settings for your standalone AutoSync client 6.0, you must reconfigure those settings manually, using the AutoSync Configuration Utility.
Issue: You cannot create, install, or view security certificates in your Core Services computer by running the sslkey tool. Secure Configuration Manager displays an error when you run the sslkey.bat file. (Bug 971532)
Workaround: You can use any third-party tool to create, install, or view security certificates.
Issue: When you edit an existing weekly or daily scheduled job for recurrence time schedule and save it, Secure Configuration Manager does not save and apply the updated recurrence schedule. The next run date is not updated as per the updated recurrence schedule. (Bug 971902)
Workaround: Delete the scheduled job you intend to update and create a new schedule job with the same parameters but with the new, intended recurrence time schedule.
Issue: While registering or reregistering an endpoint, if you regenerate the crypto key for SSH, the registration fails. This occurs because the key is not replaced in the .ssh/known_hosts file. (Bug 860552)
Workaround: Delete the .ssh/known_hosts file and register the endpoint again.
Issue: When you try to uninstall a Secure Configuration Manager component using the installation program on a computer that has Windows 7 or Windows Server 2008 R2, and if some files that belong to the component are in use, the installation program displays a dialog box. If you click in that dialog box, ideally uninstallation should not continue and the error message should persist, but uninstallation resumes. (Bug 893069)
Workaround: Install the Microsoft KB 2649868.
Issue: The check output view in Secure Configuration Manager reports has the following issues when the amount of the data is high:
The output view is incomplete.
The scroll bar function is not supported.
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of the Secure Configuration Manager forum, our community Web site that offers product forums, product notifications, blogs, and product user groups.
For information about NetIQ legal notices, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2016 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/. All third-party trademarks are the property of their respective owners.