NetIQ Sentinel

Version 7.0.3

Release Notes

Date Published: January 2013

Sentinel 7.0.3 improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this release and for the latest release notes, see the Sentinel Documentation Web site. To download this product, see the Novell Downloads Web site.

What's New?

The following sections outline the key features and functions as well as issues resolved in this release:

Support for XFS File System

Sentinel 7.0.3 now supports the XFS file system, which is particularly useful in high-performance environments.

Plug-Ins Upgrade

Sentinel 7.0.3 includes new and updated versions of Sentinel plug-ins. The latest version of the Collectors and Connectors are available only when you perform a new installation. The latest versions of Integrators and Actions are available in both new and upgrade installations. For upgrade installations of Sentinel 7.0.3, you can visit the Sentinel Plug-ins Web site, review the revision history of the latest Collectors and Connectors in the specific documentation, and then determine whether to download and install the latest plug-ins.

Collectors

This Service Pack provides new and updated versions of the following Collectors in new installations of Sentinel 7.0.3:

  • Attachmate Luminet 2011.1r1 - New Collector.
  • Cisco Intrusion Prevention 6.1r4
  • IBM AIX 6.1r3
  • IBM iSeries 2011.1r2
  • Juniper Netscreen Series 2011.1r1
  • Microsoft Active Directory and Windows 2011.1r2
  • NetIQ Access Manager 2011.1r1
  • NetIQ Cloud Manager 2011.1r1
  • NetIQ Security Manager 2011.1r2
  • Oracle Directory Server Enterprise Edition 2011.1r1 - Replacement for Sun Java System Directory Server 6.1r1
  • Websense Web Security 2011.1r1

Connectors

This Service Pack provides updated versions of the following Connectors in new installations of Sentinel 7.0.3:

  • NetIQ Audit Connector 2011.1r1
  • Sentinel Link Connector 2011.1r2
  • Syslog Connector 2011.1r1

Solution Pack

This Service Pack includes the latest Sentinel Core Solution Pack, version 2011.1r3, which includes new correlation rules for Account Management and the latest Send E-mail action plug-in.

Actions

This Service Pack provides new and updated versions of the following Actions in both new and upgrade installations of Sentinel 7.0.3:

  • Sentinel Link Action 2011.1r2
  • WriteToMap 2011.1r2 - New Action

Integrator

This Service Pack provides the updated version of the following Integrator in both new and upgrade installations of Sentinel 7.0.3:

  • Sentinel Link Integrator 2011.1r2

Enhancements

Sentinel 7.0.3 includes the following enhancements:

Out-of-the-Box Support for Synchronizing Data to PostgreSQL Databases

Sentinel versions prior to 7.0.3 allowed creating data synchronization policies that would synchronize event data only to external MS SQL 2008 and Oracle 11 databases. Syncing event data to the internal PostgreSQL database could be done only using Report Data Definitions (RDD). Sentinel 7.0.3 now allows you to create data synchronization policies that can synchronize event data to both internal and external PostgreSQL databases. (BUG 758956)

Ability to Configure the Number of Processors for mksquashfs

Sentinel 7.0.3 includes a new property, mksquashfs.numprocessors, that allows you to specify the number of processors for mksquashfs to use when compressing the index on the event data. This capability enables you to make more use of additional CPUs that may be available on some systems. You can set this configuration in the configuration.properties file. (BUG 774458)

Implementation of Intruder Detection and Lockout Mechanisms

Sentinel now supports intruder detection and lockout to prevent potential brute-force attacks. Sentinel provides several configurable parameters that help you implement intruder detection and lockout mechanisms.

failedAuthDelay: Specifies the duration that a subsequent authentication request must wait after a failed authentication for a specific user. The default value is 2000 (2 seconds). If the value is 0, the delay is disabled. Note: You must set this value for each user. If an authentication request for User A fails, it does not cause a delay for an authentication request for User B.

intruderDetectInterval: Specifies the time period in which consecutive failed authentication requests for a user must occur for Sentinel to identify the failures as a possible intruder detection. For example, if the value is 300000 (5 minutes) and four failed authentication requests happen within 4 minutes, but the 5th consecutive request happens 5:01 (minutes:seconds) later than the 1st failed request, Sentinel does not consider the requests suspicious. If the value is 360000 (6 minutes) and the same sequence of failed requests happens, Sentinel considers the requests to be suspicious. The default value for this parameter is 300000 (5 minutes).

intruderDetectMaxFailedAttempts: Specifies the number of consecutive failed authentication requests that must occur within the intruderDetectInterval for Sentinel to consider the requests for a user name suspicious. If the value is 0, intruder detection and lockout is disabled. The default value for this parameter is 5.

intruderDetectLockPeriod: Specifies the duration that a Sentinel user account remains locked when the user account is automatically locked in response to a suspicious series of failed authentication requests. If the value is 0, automatically locked accounts are not automatically unlocked. They must be unlocked manually by an administrator. The default value for this parameter is 900000 (15 minutes).

intruderDetectAdminAutoLock: Specifies whether or not the Sentinel admin account is subject to automatic locking in response to a series of failed authentication requests. The default is false since a denial-of-service attack exists in which an attacker can continually lock the built-in admin account, unless there is a separate administrator account.

The values listed above are defined in the AuthenticationService component of the /etc/opt/novell/sentinel/config/server.xml file. After you make any manual modifications to the values, you must place this component in the component properties override file: /etc/opt/novell/sentinel/config/obj-component.AuthenticationService.properties. This ensures that the modified settings are not lost during an upgrade.

(BUG 780789)
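The lockout behaviour these five parameters describe, modelled as an added example for these notes; this is not Sentinel's own code. It uses the default values the notes give (2000, 300000, 5, 900000, false) and reproduces the worked case above: four failures within four minutes and a fifth failure 5:01 after the first is not suspicious at a 5-minute interval but is suspicious at a 6-minute interval. Keeping a per-user sliding window of failure timestamps is an assumption about the implementation, and the class and function names (AuthenticationService, IntruderDetectConfig, fifth_attempt_status) and the built-in account name "admin" are constructed for the example; the notes only describe the observable behaviour.

```python
"""Model of the Sentinel 7.0.3 intruder-detection parameters (constructed
example, not Sentinel code). All times are milliseconds, as in server.xml."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IntruderDetectConfig:
    failedAuthDelay: int = 2000               # 2 seconds; 0 disables the delay
    intruderDetectInterval: int = 300000      # 5 minutes
    intruderDetectMaxFailedAttempts: int = 5  # 0 disables detection and lockout
    intruderDetectLockPeriod: int = 900000    # 15 minutes; 0 = manual unlock only
    intruderDetectAdminAutoLock: bool = False
    admin_user: str = "admin"                 # built-in account name (assumed)


@dataclass
class UserState:
    failures: List[int] = field(default_factory=list)  # consecutive failure times
    locked_at: Optional[int] = None
    next_allowed: int = 0                               # earliest time of next attempt


class AuthenticationService:
    def __init__(self, cfg: Optional[IntruderDetectConfig] = None):
        self.cfg = cfg or IntruderDetectConfig()
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: int) -> bool:
        """True while locked; clears the lock once intruderDetectLockPeriod has elapsed."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.cfg.intruderDetectLockPeriod == 0:
            return True           # stays locked until an administrator unlocks it
        if now - st.locked_at >= self.cfg.intruderDetectLockPeriod:
            st.locked_at = None
            st.failures.clear()
            return False
        return True

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator."""
        st = self._state(user)
        st.locked_at = None
        st.failures.clear()

    def authenticate(self, user: str, password_ok: bool, now: int) -> Tuple[str, int]:
        """Process one request. Returns (status, wait_ms): status is 'success',
        'failed' or 'locked'; wait_ms is the failedAuthDelay this request had to
        wait because an earlier attempt for the same user failed."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked", 0
        served_at = max(now, st.next_allowed)   # delay is per user: user B is unaffected
        wait = served_at - now
        if password_ok:
            st.failures.clear()
            return "success", wait
        st.next_allowed = served_at + self.cfg.failedAuthDelay
        st.failures.append(served_at)
        # Only failures inside intruderDetectInterval count as consecutive.
        while st.failures and served_at - st.failures[0] > self.cfg.intruderDetectInterval:
            st.failures.pop(0)
        if self.cfg.intruderDetectMaxFailedAttempts == 0:
            return "failed", wait                # detection and lockout disabled
        if len(st.failures) >= self.cfg.intruderDetectMaxFailedAttempts:
            if user == self.cfg.admin_user and not self.cfg.intruderDetectAdminAutoLock:
                return "failed", wait            # built-in admin is exempt by default
            st.locked_at = served_at
            st.failures.clear()
            return "locked", wait
        return "failed", wait


def fifth_attempt_status(interval_ms: int, user: str = "alice") -> str:
    """The case from the notes: four failures within four minutes, then a fifth
    failure 5:01 after the first. Returns the status of the fifth attempt."""
    svc = AuthenticationService(IntruderDetectConfig(intruderDetectInterval=interval_ms))
    times = [0, 60_000, 120_000, 180_000, 301_000]   # constructed timestamps
    status = ""
    for t in times:
        status, _ = svc.authenticate(user, False, t)
    return status


if __name__ == "__main__":
    print("interval 300000 ->", fifth_attempt_status(300000))         # failed
    print("interval 360000 ->", fifth_attempt_status(360000))         # locked
    print("admin, 360000   ->", fifth_attempt_status(360000, "admin"))  # failed (exempt)
```

The admin exemption is the part worth noticing when tuning these values: with intruderDetectAdminAutoLock left at false, a run of failures against the built-in account is still delayed by failedAuthDelay and still shows up as failed authentications, but it never locks the account, which is the denial-of-service trade-off the notes describe.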

Software Fixes

Sentinel 7.0.3 provides software fixes for the following issues. For the list of software fixes and enhancements in previous releases, see the Sentinel 7.0 Documentation Web site.

Sentinel Server Runs Out of File Descriptors

Issue:

When a partition is corrupt and Sentinel tries to store events in the partition, an error occurs, but Sentinel fails to close the files it opened. As events keep coming in for the partition, Sentinel repeatedly attempts to reopen the files without properly closing them after errors occur. This gradually consumes the available file descriptors and results in Sentinel not being able to perform certain functions. (BUG 769306)

Fix:

Sentinel now handles errors effectively and cleans up open files when such errors occur.

Unable to Process Events

Issue:

A race condition, when hit, causes Sentinel to stop processing events. This results in caching the incoming events to temporary files. When these files grow in number over time, the file system runs out of inodes for storing the files. (BUG 766495)

Fix:

This Service Pack fixes the race condition and Sentinel will now continue processing events and perform other critical functions.

Sentinel Exceeds the Open Files Limit

Issue:

The maximum open files limit is set too low, so Sentinel reaches the limit quickly and the Sentinel server locks up. (BUG 782832)

Fix:

This Service Pack changes the maximum open files limit from 16384 to 65536.

Sentinel Creates Two Different Database Entries for the Same Raw Data File

Issue:

A race condition in Sentinel can cause it to create two different entries in the database for the same raw data file, which might result in corrupt raw data zip files and incorrect checksums. (BUG 783741)

Fix:

This Service Pack fixes the race condition so that Sentinel creates only one entry in the database for any given raw data file.

Sentinel Closes Deletable Partitions Before They are Archived

Issue:

When the system is low on local storage space, Sentinel closes open partitions whose Keep at least retention period has elapsed to make space on the local storage. However, when more events arrive, Sentinel recreates the partitions, which results in multiple partitions with the same name. (BUG 786588)

Fix:

Sentinel no longer closes partitions that were opened or reopened for the current day, even if their Keep at least retention period has elapsed.

Sentinel Does Not Write Events to Corrupt Partitions

Issue:

Sentinel is unable to write events to corrupt partitions, causing Sentinel to drop events. (BUG 787709)

Fix:

Sentinel now writes events to a partition even if other parts of the partition are corrupt, to prevent event loss. These events are searchable and accessible even though other events in the corrupt part of the partition are not.

Certain System Activities Take Longer to Complete

Issue:

Sentinel partition management tasks, such as closing partitions, archiving partitions, and deleting expired partitions, run on a scheduled basis. Some of these management tasks might take some time to complete. Other unrelated administrative tasks and unrelated critical core functions sometimes wait for these long-running partition management tasks to complete. These unnecessary dependencies cause certain system activities to slow down or even halt. (BUG 773914)

Fix:

Sentinel 7.0.3 removes these dependencies and improves the overall system performance and responsiveness.

Sentinel Runs Out of Memory

Issue:

Sentinel runs an internal scheduled task every hour that does some administrative work on the newly generated correlated events and incidents. The task does not consider that millions of such events or incidents could accumulate since it last ran, and it runs out of memory trying to bring all of the events or incidents into memory. (BUG 768194)

Fix:

Sentinel now processes the correlated events or incidents without having to bring them all into memory at once.

Sentinel Logs Exceptions When Dealing With Large Amounts of Data

Issue:

Sentinel logs the java.lang.NumberFormatException exception constantly when dealing with large amounts of data. (BUG 778530)

Fix:

Sentinel now handles large amounts of data without logging exceptions.

The IndexedLogRebuild Utility Does Not Rebuild the Index

Issue:

The IndexedLogRebuild utility does a quick check to determine whether the index needs to be rebuilt. Because this is not an in-depth check, it may miss some errors, so the index is erroneously not rebuilt and the search functionality might not work. (BUG 775518)

Fix:

Sentinel 7.0.3 provides the -forcerebuild option that bypasses the quick check and rebuilds the index as necessary.

Cross-Site Scripting (XSS) Vulnerability

Issue:

When users specify a script in HTTP or RPC requests sent to the server, the browser executes the script, which could allow cross-site scripting (XSS) attacks. (BUG 779352)

Fix:

Sentinel now filters out such scripts and processes only the requests.

Issue With Data Retention Policies of One Day

Issue:

Sentinel allows configuration of data retention policies of one day, which results in the system removing the events from local storage after just one day. (BUG 778771)

Fix:

The minimum number of days for a data retention policy is now two days.

Sentinel Services do not Restart

Issue:

When you configure the Sentinel Link Event Source Server and restart the Sentinel services, the Sentinel services do not restart. This is because of a conflict between the Tomcat services used in Sentinel Link and the Jetty services used in Sentinel. (BUG 783257)

Fix:

Sentinel 7.0.3 resolves this conflict and the Sentinel services now restart.

Sentinel Does Not Correlate Events That Come From Other Sentinel Systems

Issue:

To prevent feedback of correlation events, correlation engines drop all correlation events. In this process, the correlation engine improperly drops correlation events that come from external Sentinel systems. (BUG 788645)

Fix:

Correlation engines now evaluate all events that come from other Sentinel systems. Also, a new property, correlateLocalCorrelationEvents, is added in the correlation engine component of the /etc/opt/novell/sentinel/config/server.xml file. If this property is set to true, the correlation engine evaluates all events that come from the same Sentinel system. By default, this value is set to false.

Cannot Export Multiple Database Event Sources from Event Source Management

Issue:

Sentinel runs out of memory when you export multiple database event sources, Connectors, or Collectors at once. (BUG 700665)

Fix:

This Service Pack improves the overall system performance. You can now export multiple database event sources at once.

Sentinel Drops Events if the Severity is Not Set

Issue:

Sentinel drops events that do not have a severity set for them. (BUG 786981)

Fix:

Sentinel now sets the severity to 0 for events that do not have a severity to prevent event drops.

The EventSearch Audit Event Displays Incorrect Information

Issue:

When you perform searches from multiple remote machines, the EventSearch audit event reports an invalid hostname (InitiatorUserName) and IP address (SourceIP). (BUG 788181)

Fix:

The EventSearch audit event now displays the correct hostname and IP address.

Summary and Top N type Reports Display Incorrect Total Event Count

Issue:

The total event count in the report PDF does not match the actual number of events in Summary and Top N type reports, such as the Event Summary and Event Details reports. This mismatch happens when the Primary Event Field values differ only by case. In such cases, the reports treat each value as unique, which results in an incorrect total event count. (BUG 776771)

Fix:

The Summary and Top N type reports now treat the Primary Event Field values as case-insensitive and display the actual total event count.

The IndexedLogCheck Utility Incorrectly Truncates the Milliseconds of an Event Timestamp

Issue:

The IndexedLogCheck utility incorrectly truncates the milliseconds of an event timestamp when comparing the timestamp from the log file to the one in the index. As a result, the utility incorrectly reports an error that the timestamp does not match. (BUG 776055)

Fix:

The IndexedLogCheck utility no longer truncates the milliseconds of an event timestamp.

Cannot Run Reports if the Primary Event Field Value is set to a MAC Address

Issue:

When you select a MAC address for the Primary Event Field parameter, the report displays an error and does not create the report. (BUG 786815)

Fix:

Sentinel now accepts MAC addresses and runs the reports as expected.

Sentinel Does Not Recover Gracefully From Out of Memory Conditions

Issue:

Sentinel server, remote correlation engine, and remote collector manager processes do not recover gracefully from out of memory conditions. (BUG 792541)

Fix:

Sentinel now performs the following steps when it runs out of memory:

  • Restarts the processes automatically
  • Saves a memory dump in the log directory
  • Logs an audit event to indicate that an out of memory condition occurred


System Requirements

You can upgrade to Sentinel 7.0.3 from Sentinel 7.0 or later, or perform a new installation.

For information on hardware requirements, supported operating systems, and browsers, see "Meeting System Requirements" in the NetIQ Sentinel 7.0 Installation and Configuration Guide.


Installing Sentinel 7.0.3

To install Sentinel 7.0.3, see the NetIQ Sentinel 7.0 Installation and Configuration Guide.

Installing the Xen Appliance

The Xen image has changed for this release. Therefore, to install the Xen appliance, you need to modify the xenconfig file. These modifications are in addition to the configuration changes mentioned in "Installing the Xen Appliance" in the NetIQ Sentinel 7.0 Installation and Configuration Guide.

Modify the xenconfig file as follows:

  1. Comment the following line:

    vfb=["type=vnc,vncunused=1,vnclisten=0.0.0.0"]

  2. Add the following line:

    extra = "console=hvc0 xencons=tty"

The final xenconfig file must be as follows:

    # -*- mode: python; -*-
    name=install_file_name
    memory=4096
    disk=["tap:aio:/var/lib/xen/images/install_directory/install_filename"]
    vif=[ "bridge=br0" ]
    #vfb=["type=vnc,vncunused=1,vnclisten=0.0.0.0"]
    extra = "console=hvc0 xencons=tty"

Post Installation on Non-Appliance Systems

Along with the Sentinel installation, install the supportutils RPMs as a root user on SLES systems to enable configuration information and log file retrieval for future troubleshooting. To install the supportutils RPMs, issue the following command:

rpm -Uvh supportutils*

Note: These steps are performed automatically on appliance installations of Sentinel.


Upgrading to Sentinel 7.0.3

To upgrade to Sentinel 7.0.3, see "Upgrading Sentinel" in the NetIQ Sentinel 7.0 Installation and Configuration Guide.

If you upgrade Sentinel from 7.0 to 7.0.3, perform the following post-upgrade procedure:

If you installed Sentinel in a non-default location, you must run the following commands as the novell user:

    ln -s "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/3rdparty/activemq/activemq-all-5.4.2.jar" "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/lib/activemq-all-5.4.2.jar"

where $RPM_INSTALLATION_PREFIX is the location of the Sentinel installation.

Appliance Upgrade

If you are upgrading an appliance from Sentinel 7.0.1 or earlier, the upgrade fails in WebYaST because the vendor name for the patch has changed from Novell to NetIQ. You need to upgrade the appliance by using the zypper patch command instead.

To upgrade the appliance using the zypper patch:

  1. Back up your configuration, then create an ESM export. For more information, see "Backing Up and Restoring Data" in the NetIQ Sentinel 7.0 Administration Guide.

  2. Log in to the appliance console as the root user.

  3. Run the following command:

    /usr/bin/zypper patch

  4. Enter 1 to accept the vendor change from Novell to NetIQ.

  5. Enter Y to proceed.

  6. Enter yes to accept the license agreement.

  7. Restart the Sentinel appliance.


Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Sentinel Upgrade Fails if the dbauser Password Contains Special Characters

Issue:

Sentinel upgrade fails if the dbauser password contains special characters such as "$", "_", and "!". (BUG 788395)

Workaround:

Change the password such that it does not include special characters:

  1. Log in to Sentinel as novell user.

  2. Change to the setup directory:

    cd /opt/novell/sentinel/setup

  3. Run the following script:

    ./configure.sh

  4. Change the dbauser password.

    For more information, refer to knowledge base article 7011336 on the NetIQ Support Web site.


Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
