Secure Configuration Manager 7.2 Release Notes

November 2019

Secure Configuration Manager 7.2 includes new features and resolves previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum, our community website that also includes product notifications, blogs, and product user groups.

The documentation for this product is available in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Secure Configuration Manager Documentation page. To download this product, see the Secure Configuration Manager Product Upgrade website.

What’s New?

The following sections outline the key features and functions provided by this version, and issues resolved in this release.

Integration with Change Guardian to Monitor Compliance Changes

Change Guardian monitors critical files and configurations in real time and notifies you of changes. Secure Configuration Manager can now integrate with Change Guardian and use that capability to monitor compliance. Once integrated, Secure Configuration Manager notifies you of changes to monitored templates and sends email alerts about the associated drift in compliance. Currently, this is supported only for the latest CIS templates on Windows platforms.

For more information, see Understanding Secure Configuration Manager and Change Guardian Integration in the User’s Guide for Secure Configuration Manager.

Policy Templates Certified by the Center for Internet Security

This release introduces the following policy templates, certified by the Center for Internet Security (CIS) against CIS Benchmarks:

  • Windows Server 2012 R2 Benchmark v2.3.0 for Level 1 - Domain Controller

  • Windows Server 2012 R2 Benchmark v2.3.0 for Level 1 - Domain Member Server

  • Windows Server 2012 R2 Benchmark v2.3.0 for Level 2 - Domain Controller

  • Windows Server 2012 R2 Benchmark v2.3.0 for Level 2 - Domain Member Server

  • Windows Server 2016 Benchmark v1.1.0 for Level 1 - Domain Controller

  • Windows Server 2016 Benchmark v1.1.0 for Level 1 - Domain Member Server

  • Windows Server 2016 Benchmark v1.1.0 for Level 2 - Domain Controller

  • Windows Server 2016 Benchmark v1.1.0 for Level 2 - Domain Member Server

NOTE: In the Windows console, select a policy template and click Template Details to view CIS control numbers that Secure Configuration Manager does not support.

Updated Security Content

This release also updates support for the policy template: NetIQ CIS Level One Benchmark for RHEL 7 v2.2.0 - Level 1 Server.

Enhanced Reporting Capabilities

Secure Configuration Manager now includes the following enhancements for reporting:

Download Dynamic Reports and Assessment Reports in Excel Format

You can now download Dynamic Reports and Assessment Reports in Excel format.

Distribute Assessment Reports as Email Attachments

You can now distribute assessment reports in either PDF or Excel format to specified email addresses or distribution lists.

New Endpoint

Secure Configuration Manager Windows Agent 7.2 includes support for Microsoft Windows Server 2019.

Software Fixes

Secure Configuration Manager 7.2 includes software fixes that resolve certain previous issues.

Cannot Download SCAP Reports in PDF

Issue: Downloading SCAP reports fails with the error message "Failed to download the report. Please try again." (Bug 1124750)

Fix: SCAP reports download successfully.

Installation Does Not Start on Computers Where Microsoft .NET Framework 4 and Later Is Installed and Microsoft .NET Framework 3.5 Is Not Enabled

Issue: Secure Configuration Manager installation does not start on computers where Microsoft .NET Framework 4 and later is installed and Microsoft .NET Framework 3.5 is not enabled in the operating system. (Bug 1049005)

Fix: Secure Configuration Manager installation starts as expected.

Standalone AutoSync Service Does Not Run After Upgrade

Issue: If the standalone AutoSync client is not installed in the default location and you attempt to upgrade the AutoSync client, it fails to start the AutoSync service. (Bug 1115570)

Fix: The AutoSync service starts after an upgrade.

System Requirements

For information about hardware requirements, supported operating systems, and browsers, see: System Requirements for Secure Configuration Manager 7.2

Upgrading to Secure Configuration Manager 7.2

You can upgrade to Secure Configuration Manager 7.2 from versions 7.1 and 7.1.1.

For more information, see Upgrading Secure Configuration Manager.

Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Issues Associated with Install and Upgrade

The following issues relate to installation and upgrade of Secure Configuration Manager components:

Unable to Upgrade Secure Configuration Manager With Only TLS 1.2 Enabled

Issue: You cannot upgrade Secure Configuration Manager when only TLS 1.2 is enabled. The upgrade succeeds only with TLS 1.0 enabled. (Bug 1156297)

Workaround: Perform the following steps:

  1. Disable TLS 1.2.

  2. Enable TLS 1.0.

  3. Restart your computer.

  4. Upgrade to Secure Configuration Manager 7.2.

  5. Make appropriate Microsoft SQL Server driver changes. For more information, see the Knowledgebase Article 7023700.

  6. Enable TLS 1.2.

  7. Restart the computer.

In a distributed environment, restart the Secure Configuration Manager related services. For example, restart the Dashboard services.

IMPORTANT: After you enable TLS 1.2, Secure Configuration Manager does not work in FIPS mode. There is no workaround for this issue.
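Because the workaround temporarily switches the host to TLS 1.0, it is worth confirming the protocol state once step 7 is done. The following PowerShell is an added example, not part of the vendor's documentation; it assumes the TLS versions were toggled through the standard Windows Schannel registry keys.

```powershell
# Added example (not vendor code): audit Schannel protocol settings once the
# upgrade workaround is finished.
# Assumption: TLS versions are toggled through the standard Schannel registry keys.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.2'),
        [string[]]$Role     = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key   = "$SchannelBase\$p\$r"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $value = if ($props) { $props.PSObject.Properties['Enabled'] } else { $null }

            # No key or no Enabled value: Windows applies its built-in default.
            $state = 'OS default'
            if ($null -ne $value) {
                $state = if ($value.Value -eq 0) { 'Disabled' } else { 'Enabled' }
            }

            [pscustomobject]@{ Protocol = $p; Role = $r; State = $state; Key = $key }
        }
    }
}

$state = Get-SchannelProtocolState
$state | Format-Table Protocol, Role, State -AutoSize

# Findings to review: TLS 1.2 left disabled, or TLS 1.0 still explicitly enabled.
$state | Where-Object {
    ($_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'Disabled') -or
    ($_.Protocol -eq 'TLS 1.0' -and $_.State -eq 'Enabled')
} | ForEach-Object {
    Write-Warning "$($_.Protocol) ($($_.Role)) is explicitly $($_.State): $($_.Key)"
}
```

Schannel reads these values at startup, so run the check after the final restart.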

Retry Option in the Installation Program Does Not Work on Windows 7 and Windows Server 2008 R2

Issue: When you try to uninstall a Secure Configuration Manager component using the installation program on a computer that has Windows 7 or Windows Server 2008 R2, and if some files that belong to the component are in use, the installation program displays a File in Use dialog box. If you click Retry in that dialog box, ideally uninstallation should not continue and the error message should persist, but uninstallation resumes. (Bug 893069)

Workaround: Install Microsoft KB 2649868.

Install or Upgrade Might Fail on a Windows 10 Computer

Issue: Security settings on Windows 10 computers might prevent you from starting the Secure Configuration Manager upgrade. The launch might either fail with an error indicating that another user canceled the operation, or fail without displaying any error. (Bug 1069836)

Workaround: To upgrade on Windows 10, complete one of the following steps:

If you have not downloaded the installation files to the computer

Have your system administrator enable Do not preserve zone information in file attachments in the gpedit.msc group policy on the desired computer. Then download and perform the upgrade.

If you already downloaded the MSP files to the computer

Manually modify the MSP files.

  1. Right-click the file, then select Properties.

  2. In the General tab, select Unblock.
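The Unblock option removes the Zone.Identifier alternate data stream that Windows attaches to downloaded files. As an added example (not part of the vendor's documentation), this PowerShell lists the .msp files that still carry that stream together with their signature status and SHA-256 hash, then unblocks them with a per-file prompt; the folder path is a hypothetical placeholder.

```powershell
# Added example (not vendor code): find downloaded .msp files that still carry
# the Zone.Identifier stream, show what they are, then unblock after review.
# Assumption: $PatchDir is a hypothetical folder holding the downloaded patches.
$PatchDir = 'C:\Temp\SCM72'

function Get-BlockedPatch {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.msp -File | ForEach-Object {
        $file = $_
        $ads  = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            # The stream is a small INI-style text; ZoneId=3 means "Internet".
            $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier |
                    Where-Object { $_ -match '^ZoneId=' } |
                    ForEach-Object { $_ -replace '^ZoneId=', '' }
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

            [pscustomobject]@{
                File      = $file.FullName
                ZoneId    = $zone
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$blocked = Get-BlockedPatch -Path $PatchDir
$blocked | Format-List

# Review signer and hash first; -Confirm asks before each file is unblocked.
$blocked | ForEach-Object { Unblock-File -LiteralPath $_.File -Confirm }
```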

For more information, see the following explanations of this Microsoft issue:

Install or Upgrade as a Domain User Fails

Issue: Secure Configuration Manager components fail to install as a domain user (and local administrator) from a Windows Installer (.msi file) package. (Bug 1098523)

Workaround: You must upgrade Secure Configuration Manager components and run all the patch installers (.msp files) from the command prompt with administrator rights.

Issues that Affect Only the Web Console

The following issues apply only to the Web console, which this release introduces:

Unable to Generate Dynamic Reports If the IP Address of the Dashboard Computer Has Been Changed

Issue: If the IP address of the computer on which the Dashboard is installed changes, dynamic report generation fails. (Bug 1154727)

Workaround: In the Web Console > Settings, update the Dashboard and Analytics database IP addresses to generate dynamic reports successfully.

Displays an Erroneous Time for the Most Recent Change to a Batch-created Exception

Issue: When you view the details for a batch-created exception that has expired, the Web console erroneously updates the Date last modified. The time should reflect when the exception expired, which is midnight on the expiration date. Instead, the time corresponds with the moment that you refresh the page to view the details or run a policy template. (Bug 1099937)

Workaround: None.

Cannot Display Prediction Content in Internet Explorer 11

Issue: Microsoft Internet Explorer 11 does not support the underlying code that the Web console uses to display the Vulnerability and Compliance Prediction content in an assessment report. (Bug 1097429)

Workaround: To view the prediction content in an assessment report, use one of the other supported browsers, such as Google Chrome, Microsoft Edge, or Mozilla Firefox.

Some Security Checks Require the Wrong Parameter Value Type

Issue: In the Web console, the following security checks erroneously require you to specify an integer instead of alpha-numeric characters to indicate an enabled/disabled value for a parameter:

Platform and security check:

  • IIS: FTP logging enabled

  • UNIX: Ownership and permissions of files under /etc; Minimum Password length restrictions

  • Windows: Service status; User list by status

(Bug 1068913)

Workaround: When you run these security checks, enter 1 to represent enabled and 0 for disabled.

Alternatively, you can use the Windows console to run the security checks.

Anomalies when Viewing Jobs in Progress

The Web console might display the following anomalous behavior when you view a job that is in progress:

Displays an Erroneous Number of Endpoints

Issue: If you open a job that is in progress, the Web console might display an erroneous number of endpoints associated with the job. To determine the appropriate number of endpoints, check the value listed in the Name & Endpoints column of the Jobs > In Progress list. (Bug 1067395)

Workaround: None

Cannot View Some Reports Listed in the Jobs Queues

Issue: When you click View Report for a desired report, the Web console might display the following message:

Cannot display the report because it does not exist.

This message occurs in the following circumstances:

  • Someone deleted the report in the Web console. For example, a different user deleted the report, and your browser had not refreshed the list of reports.

  • The report existed in a previous version of Secure Configuration Manager. However, either no one had opened the report in that version or the report’s schedule expired before you upgraded to this release.

(Bug 1071856)

Workaround: Try opening the report in the Windows console. Once Secure Configuration Manager generates the report in the Windows console, you can view it in the Web console.

Internet Explorer 11 Might Fail to Display Icons in the Web Console

Issue: When you use Internet Explorer 11, the Web Console occasionally might fail to display icons or images. For example, the images that indicate Online and Offline endpoints might disappear. However, the text indicating the status of the endpoints continues to be visible. (Bug 1070011)

Workaround: If this issue occurs, clear the cache in Internet Explorer. Alternatively, use one of the other supported Web browsers, such as Firefox, Edge, or Chrome.

Issues Related to Batch Exceptions

You can apply a batch-created exception that includes multiple policy templates for a particular set of endpoints or groups. This functionality works only in the Web console. In other Secure Configuration Manager components, the following issues might occur:

Exceptions Report Cannot List Some Exceptions Created in the Web Console

Issue: The Windows console does not support batch-created exceptions. Therefore, the Admin Report Exceptions, which you run in the Windows console, does not provide data about this type of exception.

NOTE: In the Web console, you can also create an exception within an assessment report. This exception applies only to the endpoints and security checks associated with that policy template run, which is similar to the behavior when you create an exception in the Windows console. The Exceptions report does include data for this type of exception, regardless of the console that created the exception.

Workaround: The Web console lists all exceptions, regardless of the console that created the exception. In the Web console, go to Utilities > Exceptions. Select all exceptions in the current tab, then click Export to CSV.

Dashboard Fails to Report the Number of Group Exceptions Applied

Issue: If you enable batch-created exceptions in the Web console, the Dashboard does not provide an indication that these exceptions exist. When you review an assessment report in the Dashboard, the GroupCheckExceptions field equals zero, rather than accurately reporting the number of exceptions that have been applied to the results.

Workaround: Disable batch-created exceptions. For more information, see Allowing Exceptions in the Web console in the Web console Help.

Sentinel Cannot Retrieve Event-only Data

Issue: Sentinel fails to retrieve the data when you configure Secure Configuration Manager to send events only. This issue occurs only when both Sentinel and Secure Configuration Manager are in FIPS mode.

Workaround: For more information about configuring FIPS mode, see Enabling FIPS Communication in the User’s Guide for Secure Configuration Manager. (Bug 1068366)

Core Services Log Lists Erroneous Windows Version after Installation

Issue: If you install a Secure Configuration Manager component on a computer running Windows Server 2016 or 2019, the Core Services log lists an erroneous version for the Windows platform:

Secure Configuration Manager does know that the platform is Windows Server 2016 or 2019. The log simply lists the incorrect version. (Bug 1065829, Bug 1136912)

Workaround: None.

Issues with Security Agent for UNIX and Change Guardian

The following issues occur if you use Security Agent for UNIX 7.5.1 (UNIX agent) or later with both Change Guardian 5.0 and Secure Configuration Manager, and you use Change Guardian AM to upgrade or install the UNIX agent:

Agent Registration Fails in a New Installation of the Agent

Issue: When you install Security Agent for UNIX 7.5.1 or later, as part of a new installation of Change Guardian 5.0 on the same computer as Secure Configuration Manager, the agent registration fails in Secure Configuration Manager because of the dynamic certificate changes. (Bug 1045613)

Workaround: To configure the Secure Configuration Manager server, see Knowledge Base Article 7023134.

Agent Registration Fails after Upgrading the Agent

Issue: Secure Configuration Manager fails to register the UNIX agent if you upgrade the agent to 7.5.1 or later using Change Guardian AM.

Workaround: Perform the following steps from UAM to re-register the UNIX agent in Secure Configuration Manager:

  1. Go to Configure > SCM Options.

  2. Click Configure.

  3. In the SCM Configuration window, ensure that the Core Services Address is the same as the SCM Core IP Address, then click Save.

  4. Restart the agent service by selecting Stop and Start in the Agent Controls panel.

OR

You can manually register the UNIX agent:

  1. Navigate to the /usr/netiq/bin directory.

  2. Run the following command:

    # ./wcRegister

  3. To restart Secure Configuration Manager services, run the following command:

    # /etc/init.d/uvserv restart

Exporting Full Delta Reports to Microsoft Excel Format Fails

Issue: Secure Configuration Manager does not export full delta reports to Microsoft Excel format. (Bug 1001599)

Workaround: You can export delta reports in other file formats, such as .pdf, .tsv, .rtf, or .xml.

Cannot Create, Install, or View Security Certificates Using the sslkey.bat File

Issue: You cannot create, install, or view security certificates in your Core Services computer by running the sslkey tool. Secure Configuration Manager displays an error when you run the sslkey.bat file. (Bug 971532)

Workaround: You can use any third-party tool to create, install, or view security certificates.

Weekly and Daily Scheduled Jobs Do Not Save and Apply the Updated Recurrence Time Schedule

Issue: When you edit an existing weekly or daily scheduled job for recurrence time schedule and save it, Secure Configuration Manager does not save and apply the updated recurrence schedule. The next run date is not updated as per the updated recurrence schedule. (Bug 971902)

Workaround: Delete the scheduled job you intend to update and create a new scheduled job with the same parameters but with the new, intended recurrence time schedule.

Endpoint Registration Fails after Regenerating Crypto Keys

Issue: While registering or reregistering an endpoint, if you regenerate the crypto key for SSH, the registration fails. This occurs because the key is not replaced in the .ssh/known_hosts file. (Bug 860552)

Workaround: Delete the .ssh/known_hosts file and register the endpoint again.

Issues with Check Output View when the Data is High

Issue: The check output view in Secure Configuration Manager reports has the following issues when the amount of the data is high:

  • The output view is incomplete.

  • The scroll bar function is not supported.

(Bug 852044)

Workaround: There is no workaround at this time.

Running the AIX 6.1 SCAP 1.1 Template Returns an Error Message

Issue: After downloading the AIX 6.1 SCAP 1.1 template, if you import it to Secure Configuration Manager and run it on an AIX endpoint, Secure Configuration Manager returns the error message "No data returned from scat." (Bug 1119645)

Workaround: Perform an offline assessment with the AIX template, and manually import the report to Secure Configuration Manager. For more information about offline assessment, see the Secure Configuration Manager SCAP Module Installation & Configuration Guide.

Using a Domain User Account to Perform an Upgrade

You can upgrade Secure Configuration Manager components as a member of the computer’s Administrator group. You must run all the patch installers (.msp files) with administrative rights by using the command prompt. (Bug 1098523)