Security Agent for UNIX includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Security Agent for UNIX NetIQ Documentation page. To download this product, see the Security Agent for UNIX Product Upgrade website.
The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:
There are several updates to the Change Guardian certified platforms:
Security Agent for UNIX is now certified on the following platforms:
SUSE Linux Enterprise Server (SLES) 12 SP2 64-bit
Red Hat Enterprise Linux Server (RHEL) 7.3 64-bit
Red Hat Enterprise Linux Server (RHEL) 6.8 64-bit
Oracle Linux 7.3 64-bit
Oracle Linux 6.8 64-bit
CentOS 7 (1611) 64-bit
CentOS 6.9 64-bit
Security Agent for UNIX is deprecated on the following platforms:
SUSE Linux Enterprise Server 11 SP3 64-bit
SUSE Linux Enterprise Server 12 SP1 64-bit
SUSE Linux Enterprise Server 12 64-bit
Red Hat Enterprise Linux Server 7.0 64-bit
Red Hat Enterprise Linux Server 7.1 64-bit
Oracle Linux 7.1 64-bit
Oracle Linux 7.0 64-bit
CentOS 7.2 64-bit
CentOS 6.8 64-bit
For more information, see the Technical Information page.
Change Guardian 5.0 bundles the Security Agent for UNIX 7.5 SP1 installer and makes it easy to install through the Change Guardian Agent Manager. The packaging and deployment model is similar to the model for the Windows agent that was introduced in Change Guardian 4.2.
You can use UNIX Agent Manager (UAM) or Change Guardian Agent Manager (CG AM) to deploy and manage your agents. Both UAM and CG AM allow you to remotely install one or more Agents. However, there are certain specific functionalities available only on UAM or CG AM. Depending on your requirements, you can decide whether you need to install UAM, CG AM, or both. UAM and CG AM can coexist. For more information, see Comparison of UAM and CG AM functionalities.
To get an overview of the most important considerations to make when you are installing or upgrading Security Agent for UNIX, see Deployment Considerations in Security Agent for UNIX documentation.
Security Agent for UNIX includes enhancements and software fixes that resolve several previous issues.
Issue: After you install Security Agent for UNIX, disk space fills up with the following error messages because of the BadPath errors captured by the agent:
NetIQ::CGU::realPath()[line 2942] - ERROR: bad path
NetIQ::CGU::realPath()[line 2957] - ERROR: path . is not an absolute path.
Fix: BadPath errors no longer appear in the log files, so log messages no longer fill up disk space. (Bug 1030546)
Issue: In Oracle Database 11g R2 versions and later, a null character is added to the query for the following SQL actions:
alter session set
select distinct sid
Because of the null character in the query, Security Agent for UNIX sends events to Sentinel in an invalid JSON format.
Fix: Security Agent for UNIX now removes the null character from the events before sending them to Sentinel, so the events reach Sentinel in the correct JSON format. (Bug 983686)
Issue: In Solaris, when a user switches between multiple accounts, Security Agent for UNIX does not populate the RealUserName event field for BSM events.
Fix: Security Agent for UNIX now populates the RealUserName event field appropriately. (Bug 1031690)
Issue: In Solaris and Linux, when a file is modified by a non-root user, the Sentinel event indicates that the file was modified by a root user.
Fix: Security Agent for UNIX now populates the EffectiveUserName event field to capture the actual user name that modified the file. (Bug 1022116)
Issue: When you try to update the log level properties of vigilent or detectd using UAM, the update fails with the following error:
ERROR: Configuration failed - Operation timeout
Fix: You can now update the Security Agent for UNIX properties using UAM. (Bug 1016530)
Issue: Security Agent for UNIX for Change Guardian scans and indexes inefficiently when monitoring a large number of files (more than 50000 files). Scanning and indexing that many files takes a long time, which stops the agent from forwarding events to the Change Guardian server.
Fix: Security Agent for UNIX now sends events without any delay while monitoring a large number of files. (Bug 1031757)
For detailed information on hardware requirements and supported operating systems and browsers, see the Technical Information page.
You can deploy and manage Security Agent for UNIX using the following:
NetIQ UNIX Agent Manager (UAM)
Change Guardian Agent Manager (CG AM)
Both UAM and CG AM allow you to remotely install one or more Agents. They also allow you to install and reconfigure the selected Agent components directly on the assets you need to monitor without having to interact with the Agents individually. However, there are certain specific functionalities available only on UAM or CG AM. Depending on your requirements, you can decide whether you need to install UAM, CG AM, or both. UAM and CG AM can coexist. For more information, see Understanding Security Agent for UNIX.
Review the deployment considerations to understand how you can install and manage agents. For more information, see Deployment Considerations.
For more information about installing these components, see the Security Agent for UNIX Installation and Configuration Guide, on the Security Agent for UNIX Documentation Web site.
To upgrade versions of Security Agent for UNIX prior to 7.5, you must use UAM only.
To upgrade Security Agent for UNIX 7.5 and later, in addition to UAM, you can now use CG AM. However, if you do not plan to enable the agent for Change Guardian, you can use only UAM. In deployments where you have agents enabled for Sentinel or SCM along with Change Guardian, review the deployment considerations to understand how you can upgrade and manage agents. For more information, see Deployment Considerations.
For Change Guardian 4.2.1, if you want to upgrade your agents only to 7.5.1 version, you must perform the procedure in the following section: Section 5.18, Upgrading Security Agent for UNIX from 7.5 to 7.5.1 With Change Guardian 4.2.1.
For more information about upgrading Security Agent for UNIX, see the Security Agent for UNIX Installation and Configuration Guide, on the Security Agent for UNIX Documentation Web site.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The installation process does not support installing the Security Agent for UNIX as a non-root user. (Bug 1052123)
The HP-UX 11iv3 auditing subsystem does not provide information for the utimes, utime, dup, or dup2 system calls. This limitation means that Change Guardian is not able to report events for the utimes access type in the CGU FileMod object and cannot report events when the contents of a file change.
When you monitor changes to the attributes of a file on an HP-UX computer, Change Guardian does not generate events when the time attribute changes. (Bug 969023)
The Security Agent for UNIX on RHEL 7.2 does not generate file handling events while using the Vi command, because the auditing system cannot generate utime events. (Bug 968824)
Issue: When you forward File Integrity Changed events from the agent for Change Guardian to the Standalone Sentinel server, file integrity attachments might display the following exception: Error parsing JSON: ReferenceError: changed is not defined. (Bug 971624)
Note: This issue is not found in Sentinel 7.4 or later versions.
Workaround: Ignore the exception. It has no impact on performance.
Issue: When you enable the Including Subdirectories or Excluding Subdirectories filter for monitoring file deletion, the events generated for file deletion do not display correct path information for the deleted files. The events are generated as file deletion events when you delete directories and sub-directories, even though the policy applied is for monitoring file deletion only.
When you enable the Excluding Subdirectories filter, events are also generated when you delete files under subdirectories. (Bug 975953)
When you delete or rename directories on Linux platforms, the audit logs show a null value for the directory name. Change Guardian might not capture the correct directory name in the audit logs. (Bug 974273)
Issue: When the UNIX Agent Manager is running in FIPS mode, it does not support the remote deployment of the agents. (Bug 989710)
Workaround: You should manually install the agents, and then add them to UAM using Add Host.
To enable the UNIX file system browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.
If you do not manually set the flag to 1, when you use the Registry Browser, you will receive a Could not connect to UNIX Data Source error. (Bug 981826)
NOTE: To enable browsing for UNIX data sources while creating a policy, the computer where you install the Policy Editor must have a Windows agent. If you do not install an agent on the Policy Editor computer, you must manually enter the data source paths while creating a policy.
When the operating system is running in FIPS mode, UNIX Agent Manager 7.5 (Linux and Windows) cannot deploy the Security Agent for UNIX. It displays the following error:
SSH Install Failed - Session.connect: java.io.IOException: End of IO Stream Read
Installation Failed - Session.connect: java.io.IOException: End of IO Stream Read.
(Bug 999496)
Issue: The communication between UNIX Agent Manager 7.5.1 and Security Agent for UNIX 7.4 fails due to protocol mismatch.
Workaround: Upgrade Security Agent for UNIX 7.4 to 7.5 and then to 7.5.1 version. For more information about upgrading to Security Agent for UNIX 7.5, see Upgrading Agent Using UNIX Agent Manager (Bug 989481).
The Assets Monitoring Failures report contains Windows assets only. It does not contain data related to the UNIX assets (Bug 906282).
Issue: File was deleted events are not generated when a soft link for a file is deleted. (Bug 975575)
Issue: Sentinel Agent Manager Connector does not work in FIPS mode.
Workaround: For the Sentinel Agent Manager Connector to work in FIPS mode, perform the steps mentioned in NetIQ Knowledge Base Article 7018187. (Bug 997589)
Issue: UAM 7.4 is packaged and is compatible with AppManager Agent for UNIX 8.1. When the Security Agent for UNIX 7.5 is installed on the same host as the AppManager Agent for UNIX, it becomes incompatible with UAM 7.4 due to secure communication incompatibilities. Therefore, UAM 7.5 must be used to manage the Security Agent for UNIX 7.5 on the host.
NOTE: UAM 7.5 is not compatible with AppManager Agent for UNIX.
Workaround: For instructions on managing the AppManager Agent for UNIX installations on the hosts where Security Agent for UNIX 7.5 is also installed, use the procedure, Installing Locally on a UNIX or Linux Computer in NetIQ AppManager for UNIX and Linux Servers Management Guide. (Bug 1001277)
Issue: When you add an asset to one UAM, the following error message is displayed because the same asset is already registered with a different UAM:
invalid credential
Workaround: You have to delete the asset from the previous UAM asset list.
NOTE: You can also manually go to the /usr/netiq/cmnagent/config location and delete the acctToken file.
(Bug 1048907)
When you install Security Agent for UNIX 7.5 SP1 using CG AM for a new installation of Change Guardian 5.0 and SCM 6.x on the same computer, SCM registration fails because of the dynamic certificate changes. (Bug 1045613)
Issue: SCM Registration Fails While Upgrading Security Agent for UNIX from 7.5 to 7.5.1 using CG AM where SCM and Change Guardian are enabled. (Bug 1056447)
Workaround: Perform the following steps from UAM to re-register Security Agent for UNIX with SCM server:
Go to Configure > SCM Options.
Click the Configure button.
In the SCM Configuration window, ensure that the Core Services Address is the same as the SCM Core IP Address and click Save.
Restart the agent service by selecting the Stop and Start buttons in the Agent Controls panel.
OR
You can perform the following manual registration steps on Security Agent for UNIX:
Navigate to the following location: /usr/netiq/bin
Run the following command: # ./wcRegister
Run the following command to restart SCM services: # /etc/init.d/uvserv restart
Issue: Upgrading Security Agent for UNIX from 7.5 to 7.5.1 using UAM or manually fails to authenticate with Change Guardian 4.2.1.
Workaround:
Perform the following steps:
1. On the Change Guardian 4.2.1 server, navigate to the /opt/netiq/cg/javos location and open the javos.yml file.
2. Comment out the existing excludedCipherSuites list by prefixing it with #.
3. Add the following line (including the two spaces at the beginning) under the line commented out in Step 2:
excludedCipherSuites: [SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA]
4. Run the following command to restart javos:
/etc/init.d/nq_javos restart
NOTE: If you want to manage Security Agent for UNIX 7.4 or earlier versions, perform the following steps:
Uncomment the following entry (including the two spaces at the beginning) in the javos.yml file:
# supportedCipherSuites: [SSL_RSA_WITH_RC4_128_SHA]
Remove the following cipher from the list of excludedCipherSuites:
SSL_RSA_WITH_RC4_128_SHA
Run the following command to restart javos:
/etc/init.d/nq_javos restart
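A check you can run after editing javos.yml, as an added example that is not part of the NetIQ documentation: it reads the active (uncommented) excludedCipherSuites line and lists any suite from the workaround above that is not excluded. The sample file content is constructed, and the function names and the legacy argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not NetIQ code. Suites the workaround on this page excludes.
REQUIRED="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA"

# Print the suites on the active (uncommented) excludedCipherSuites line,
# one per line. Commented-out copies of the key are ignored.
active_excluded() {
  grep -E '^[[:space:]]*excludedCipherSuites:' "$1" | tail -n 1 |
    sed -e 's/^[^[]*\[//' -e 's/\].*$//' | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Print each required suite that is NOT excluded. Pass "legacy" as $2 when the
# server must still manage 7.4-or-earlier agents (RC4_128_SHA stays enabled).
missing_exclusions() {
  active=$(active_excluded "$1")
  for suite in $REQUIRED; do
    if [ "${2:-}" = "legacy" ] && [ "$suite" = "SSL_RSA_WITH_RC4_128_SHA" ]; then
      continue
    fi
    printf '%s\n' "$active" | grep -qxF "$suite" || printf '%s\n' "$suite"
  done
}

# Constructed sample of the edited fragment (not a real javos.yml).
write_sample() {
  cat > "$1" <<'EOF'
  # excludedCipherSuites: [CONSTRUCTED_PREVIOUS_LIST]
  excludedCipherSuites: [SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA]
  # supportedCipherSuites: [SSL_RSA_WITH_RC4_128_SHA]
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "active exclusions: $(active_excluded "$sample" | grep -c .)"
echo "not excluded: $(missing_exclusions "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

Call missing_exclusions with the path to a copy of javos.yml; any suite it prints without the legacy argument is a 3DES or RC4 suite that is not on the active exclusion list.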
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.