NetIQ Secure Configuration Manager 6.2 Release Notes

October 2016

Secure Configuration Manager 6.2 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum, our community website that also includes product notifications, blogs, and product user groups.

For more information about Secure Configuration Manager, see the Secure Configuration Manager website.

For the latest version of this release notes document, see the NetIQ Secure Configuration Manager 6.2 documentation website.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, and issues resolved in this release.

1.1 SCAP Version 1.2

Secure Configuration Manager 6.2 is enabled with SCAP version 1.2. For more information, see NetIQ Secure Configuration Manager Module for SCAP 3.0 Release Notes.

1.2 Java Upgrade

Secure Configuration Manager 6.2 includes Java 8 update 92, which includes fixes for several security vulnerabilities and also improves Secure Configuration Manager performance.

1.3 Check Status Distribution Chart Added to the Dashboard

Secure Configuration Manager Dashboard 6.2 includes a new chart called Check Status Distribution that displays the collective status of the security checks that have been run in the network. For more information about this chart, see Charts in the Secure Configuration Manager Dashboard in the NetIQ Secure Configuration Manager Dashboard User Guide.

1.4 Security Checks

Secure Configuration Manager 6.2 includes new security checks, and also enhances some existing security checks.

New Security Checks

Secure Configuration Manager 6.2 includes the following new security checks:

Generic Audit Policy

This security check reports the security audit settings of the endpoint (computer), which determine the type of security events the computer writes to its logs. (Bug 985402)

IP Forwarding Information

This check reports whether IP forwarding is enabled on the endpoint. This check supports Linux, SunOS, and AIX endpoints. (Bug 940689)

Users Having Weak Passwords

This check reports user accounts with weak passwords within the provided list of user accounts. (Bug 920646)

Enhancements to Security Checks

Secure Configuration Manager 6.2 provides enhancements to the following security checks:

Generic Registry

Rather than reporting just the numeric value of a registry key, this check now reports key-value mapping. This helps you to quickly identify endpoint vulnerabilities. For example, if the registry key value is 0, the check reports the value as disabled. (Bug 985398)

Validate Multiple Regular Expressions Against Multiple Files

The existing Validate multiple regular expressions against multiple files with file size support check now consumes user-defined comparator-delimiter values if those are not part of the regular expression. (Bug 919560)

1.5 Enhancements

Secure Configuration Manager 6.2 includes the following enhancements.

Support for Reports on Individual Checks that are Run as Part of Templates to be Sent to the Third-Party SIEM Solutions

You can now send reports on individual checks that are run as part of templates to the third-party Security Information and Event Management (SIEM) solutions. When you enable this option, Secure Configuration Manager sends a report to the third-party SIEM solution for each check that is run as part of templates.

For more information about enabling this feature, see the Integration of Secure Configuration Manager with Third-Party SIEM Solutions Whitepaper.

(Bug 983299)

Auditing for Updates Done in Report Options

Secure Configuration Manager now provides auditing information about changes made to report options while running or scheduling a run of policy templates. Console users with the View Audit History permission can view these types of updates, such as what changes were made and which user has made the changes.

For more information about viewing the audit history log, see Understanding Console User and Administrator Auditing in the NetIQ Secure Configuration Manager User Guide.

(Bug 977707)

1.6 Software Fixes

Secure Configuration Manager 6.2 includes software fixes that resolve several issues.

Core Services Might Stop while Registering Endpoints

Issue: Secure Configuration Manager Core Services sometimes stops when you try to register endpoints. This issue occurs because the database connections that are made while registering endpoints are not closed correctly. (Bug 965169)

Fix: Secure Configuration Manager now correctly closes the database connections after registering endpoints.

Report Options are not Retained if the Template is Edited

Issues:

  • When you edit a template, Secure Configuration Manager generates a new version of the template with default report options and deletes any previously configured report options. (Bug 959639)

  • If you edit a template after it is scheduled, Secure Configuration Manager does not retain the options for the scheduled jobs report. Instead, Secure Configuration Manager generates a new version of the template but the scheduler still works on the old template version. So if you update report options post-schedule, the scheduler does not reflect the changes. (Bug 979308)

Fix: Secure Configuration Manager now retains report options even if you edit and update the template.

Cannot Edit Exceptions that are Created Against Groups

Issue: Secure Configuration Manager displays an error when you try to edit an exception if you have run the template that is specified in the exception against a different group.

This issue occurs because Secure Configuration Manager selects the latest job that is run against the relevant template while editing the exception. If the template was run against a different group in the last run, a group mismatch occurs. (Bug 974964)

Fix: You can now edit exceptions at any time.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the NetIQ Secure Configuration Manager Technical Information web page.

3.0 Installing Secure Configuration Manager 6.2

To install Secure Configuration Manager 6.2, see the NetIQ Secure Configuration Manager Installation Guide.

4.0 Upgrading to Secure Configuration Manager 6.2

You can upgrade to Secure Configuration Manager 6.2 from 5.9 Service Pack 1 or later versions.

For more information, see Upgrading Secure Configuration Manager in the NetIQ Secure Configuration Manager Installation Guide.

NetIQ recommends that you review the following considerations before upgrading to this version:

  • To deploy NetIQ Secure Configuration Manager Windows Agent (Windows agent) version 6.2 to Windows agents already registered with Secure Configuration Manager, you must locally upgrade at least one agent in each domain. Secure Configuration Manager uses the first upgraded agent as a Deployment Agent for the domain. Once an agent is upgraded, Secure Configuration Manager can automatically assign it as a Deployment Agent. For more information about deployment and Deployment Agents, see the NetIQ Secure Configuration Manager Windows Agent Installation and Configuration Guide and the NetIQ Secure Configuration Manager User Guide.

  • The setup program automatically adds a Windows agent to the Core Services computer, if no agent previously existed on the computer. If a Windows agent exists on the computer, the setup program upgrades the agent to version 6.2. Secure Configuration Manager assigns this agent as the default Deployment Agent. During installation, you should ensure that the run-as account specified for the NetIQ Security Agent for Windows service has the credentials to deploy to remote computers. For example, specify a domain administrator account.

  • To immediately upgrade your Windows agents to version 6.2, you might need to re-register the agents before using the Deployment feature in the console. Secure Configuration Manager requires that the Properties window for each agent specifies a fully qualified host name (FQHN) for the agent computer. Secure Configuration Manager needs to know in which domain each agent resides so that Core Services can assign a Deployment Agent to use for deploying version 6.2 to the agents.

    However, if you upgrade your Windows agents more than 30 days after upgrading the Secure Configuration Manager infrastructure to version 6.2, you might not need to re-register your Windows agents. The Asset Details and Discovery job might collect the FQHN during a regularly scheduled run since this job enables Core Services to update agent and endpoint properties. You can also run this job manually from the Scheduled Jobs queue.

  • When the upgraded agent registers with Core Services, the default communication port changes from 1626 to 1627. If you upgrade an agent that communicates with Core Services on a port other than the default ports, you must manually re-register the upgraded agent.

  • The upgrade process removes all existing records from the Discovered Host table in the database. This means that the upgrade also removes all systems from the Discovered Systems content pane. After you successfully upgrade or install Secure Configuration Manager and register your agents, the Asset Details and Discovery job automatically adds application endpoints discovered on currently registered Windows and UNIX systems.

    To manually repopulate Discovered Systems with unmanaged systems, update the Discovery settings in the Core Services Configuration Utility, and then initiate the discovery process. For more information about discovery, see the Help and the NetIQ Secure Configuration Manager User Guide.

  • To discover systems in Active Directory, you must update the settings on the Discovery tab of the Core Services Configuration Utility.

  • If you want to re-deploy an agent that has already been successfully deployed to a remote computer, you must uninstall the agent first. For example, you might want to change the credentials of the NetIQ Security Agent for Windows service or resolve issues with the agent. The Deployment wizard does not change the settings for a previously installed agent, even though you modify the settings as part of the deployment process. The Windows agent setup program prevents you from installing an agent when the same version already exists on the computer, but the Deployment wizard does not.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Exporting Full Delta Reports to Microsoft Excel Format Fails

Issue: Secure Configuration Manager does not export full delta reports to Microsoft Excel format. (Bug 1001599)

Workaround: You can export delta reports in any other file format, such as .pdf, .tsv, .rtf, or .xml.

5.2 Problem with Clicking the Back Button While Upgrading in Distributed Setup

Issue: While upgrading Secure Configuration Manager to version 6.2 in the distributed setup in a computer where Core Services and the console are installed, the installation wizard displays incorrect screens if you click Back after the License Agreement screen. (Bug 994646)

Workaround: Cancel the upgrade process by closing the wizard, and start upgrading again.

5.3 Installation Fails on Computers that have Microsoft .NET Framework Version 4.5 Installed and Microsoft .NET Framework Version 3.5 is Not Enabled

Issue: If the computer on which you are installing contains Microsoft .NET framework version 4.5 and Microsoft .NET framework version 3.5 is not enabled, Secure Configuration Manager installation fails. (Bug 921158)

Workaround: Perform the steps specified in NetIQ Knowledgebase Article 7017878 before installing Secure Configuration Manager.

5.4 Cannot Upgrade Standalone AutoSync Client from Version 6.0

Issue: Upgrading the standalone AutoSync client 6.0 to this version fails. Although the installation completes when you run the installation setup program, the standalone AutoSync client does not upgrade to version 6.2. (Bug 971092)

Workaround: Uninstall standalone AutoSync client 6.0 and perform a fresh installation of standalone AutoSync client 6.2. If you have configured any specific settings for your standalone AutoSync client 6.0, you must reconfigure those settings manually, using the AutoSync Configuration Utility.

5.5 Cannot Create, Install, or View Security Certificates Using the sslkey.bat File

Issue: You cannot create, install, or view security certificates in your Core Services computer by running the sslkey tool. Secure Configuration Manager displays an error when you run the sslkey.bat file. (Bug 971532)

Workaround: You can use any third-party tool to create, install, or view security certificates.

5.6 Weekly and Daily Scheduled Jobs Do Not Save and Apply the Updated Recurrence Time Schedule

Issue: When you edit the recurrence time schedule of an existing weekly or daily scheduled job and save it, Secure Configuration Manager does not save and apply the updated recurrence schedule. The next run date is not updated as per the updated recurrence schedule. (Bug 971902)

Workaround: Delete the scheduled job you intend to update and create a new scheduled job with the same parameters but with the new, intended recurrence time schedule.

5.7 Endpoint Registration Fails after Regenerating Crypto Keys

Issue: While registering or reregistering an endpoint, if you regenerate the crypto key for SSH, the registration fails. This occurs because the key is not replaced in the .ssh/known_hosts file. (Bug 860552)

Workaround: Delete the .ssh/known_hosts file and register the endpoint again.
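
Deleting the whole .ssh/known_hosts file also discards the pinned host keys of every other endpoint, so the following added example (not NetIQ code and not part of the original release notes) removes only the entries for the endpoint whose key was regenerated and keeps a backup. It assumes an OpenSSH-format file with unhashed host names; the function name, file path, and host names are hypothetical.

```shell
#!/bin/sh
# Added example, not NetIQ code. Assumes an OpenSSH-format known_hosts file
# with plain (unhashed) host names; hashed "|1|..." lines are left untouched
# (OpenSSH's own `ssh-keygen -R host -f file` handles those).

# remove_known_host FILE HOST  (hypothetical helper)
# Drops every line that names HOST, either as "host" or "[host]:port".
# A line listing several names is dropped whole, as its key is shared.
# Returns 0 if entries were removed, 1 if none matched, 2 on error.
remove_known_host() {
    kh_file=$1
    kh_host=$2
    [ -f "$kh_file" ] && [ -n "$kh_host" ] || return 2
    kh_tmp=$(mktemp "${kh_file}.XXXXXX") || return 2
    kh_rc=0
    awk -v host="$kh_host" '
        /^[ \t]*(#|$)/ { print; next }          # keep comments, blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1             # skip @cert-authority/@revoked
            n = split($f, names, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (name ~ /^\[.*\]:[0-9]+$/) { # [host]:port form
                    sub(/^\[/, "", name)
                    sub(/\]:[0-9]+$/, "", name)
                }
                if (name == host) hit = 1
            }
            if (hit) { removed++; next }
            print
        }
        END { exit (removed > 0 ? 0 : 1) }
    ' "$kh_file" > "$kh_tmp" || kh_rc=$?
    if [ "$kh_rc" -ne 0 ]; then                 # nothing matched, or awk failed
        rm -f "$kh_tmp"
        [ "$kh_rc" -eq 1 ] && return 1
        return 2
    fi
    # Keep a backup so the old pins can be compared or restored.
    cp -p "$kh_file" "${kh_file}.bak" || { rm -f "$kh_tmp"; return 2; }
    mv "$kh_tmp" "$kh_file"
}
```

Before registering the endpoint again, compare the fingerprint of the new key with the one shown on the endpoint itself, so that the regenerated key is the one that gets trusted.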

5.8 Retry Option in the Installation Program Does Not Work on Windows 7 and Windows Server 2008 R2

Issue: When you try to uninstall a Secure Configuration Manager component using the installation program on a computer that has Windows 7 or Windows Server 2008 R2, and some files that belong to the component are in use, the installation program displays a File in Use dialog box. If you click Retry in that dialog box, uninstallation resumes, although ideally it should not continue and the error message should persist. (Bug 893069)

Workaround: Install Microsoft KB 2649868.

5.9 Issues with Check Output View when the Data is High

Issue: The check output view in Secure Configuration Manager reports has the following issues when the amount of data is high:

  • The output view is incomplete.

  • The scroll bar function is not supported.

(Bug 852044)

Workaround: There is no workaround at this time.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of the Secure Configuration Manager forum, our community Web site that offers product forums, product notifications, blogs, and product user groups.