Date Published: January 2013
Sentinel 7.0.3 improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.
The following sections outline the key features and functions as well as issues resolved in this release:
Support for XFS File System
Sentinel 7.0.3 now supports the XFS file system, which is particularly useful in high-performance environments.
Sentinel 7.0.3 includes new and updated versions of Sentinel plug-ins. The latest versions of the Collectors and Connectors are available only when you perform a new installation. The latest versions of Integrators and Actions are available in both new and upgrade installations. For upgrade installations of Sentinel 7.0.3, visit the Sentinel Plug-ins Web site, review the revision history of the latest Collectors and Connectors in their documentation, and then determine whether to download and install the latest plug-ins.
This Service Pack provides new and updated versions of the following Collectors in new installations of Sentinel 7.0.3:
This Service Pack provides updated versions of the following Connectors in new installations of Sentinel 7.0.3:
This Service Pack includes the latest Sentinel Core Solution Pack, version 2011.1r3, which includes new correlation rules for Account Management and the latest Send E-mail action plug-in.
This Service Pack provides new and updated versions of the following Actions in both new and upgrade installations of Sentinel 7.0.3:
This Service Pack provides the updated version of the following Integrator in both new and upgrade installations of Sentinel 7.0.3:
Sentinel 7.0.3 includes the following enhancements:
Out-of-the-Box Support for Synchronizing Data to PostgreSQL Databases
Sentinel versions prior to 7.0.3 allowed creating data synchronization policies that would synchronize event data to only external MS SQL 2008 and Oracle 11 databases. Syncing event data to the internal PostgreSQL database could be done only using Report Data Definitions (RDD). Sentinel 7.0.3 now allows you to create data synchronization policies that can synchronize event data to both internal and external PostgreSQL databases. (BUG 758956)
Ability to Configure the Number of Processors for mksquashfs
Sentinel 7.0.3 includes a new property, mksquashfs.numprocessors, that allows you to specify the number of processors for mksquashfs to use when compressing the index on the event data. This capability enables you to make more use of additional CPUs that may be available on some systems. You can set this configuration in the configuration.properties file. (BUG 774458)
Implementation of Intruder Detection and Lockout Mechanisms
Sentinel now supports intruder detection and lockout to prevent potential brute-force attacks. Sentinel provides several configurable parameters that help you implement intruder detection and lockout mechanisms.
failedAuthDelay: Specifies how long, in milliseconds, a subsequent authentication request for the same user must wait after a failed authentication. The default value is 2000 (2 seconds). If the value is 0, the delay is disabled. Note: The delay is tracked per user. If an authentication request for User A fails, it does not delay an authentication request for User B.
intruderDetectInterval: Specifies the time period, in milliseconds, within which the consecutive failed authentication requests for a user must occur for Sentinel to treat them as a possible intrusion attempt. For example, if the value is 300000 (5 minutes) and four failed authentication requests happen within 4 minutes, but the 5th consecutive request happens 5:01 (minutes:seconds) after the 1st failed request, Sentinel does not consider the requests suspicious. If the value is 360000 (6 minutes) and the same sequence of failed requests happens, Sentinel considers the requests suspicious. The default value for this parameter is 300000 (5 minutes).
intruderDetectMaxFailedAttempts: Specifies the number of consecutive failed authentication requests for a user name that must occur within the intruderDetectInterval for Sentinel to consider the requests suspicious and lock the account. If the value is 0, intruder detection and lockout are disabled. The default value for this parameter is 5.
intruderDetectLockPeriod: Specifies the duration that a Sentinel user account remains locked when the user account is automatically locked in response to a suspicious series of failed authentication requests. If the value is 0, automatically locked accounts are not automatically unlocked. They must be unlocked manually by an administrator. The default value for this parameter is 900000 (15 minutes).
intruderDetectAdminAutoLock: Specifies whether the built-in Sentinel admin account is subject to automatic locking in response to a series of failed authentication requests. The default is false: if the built-in admin account could be locked automatically, an attacker could deny service to administrators simply by repeatedly submitting wrong passwords for that account. Set this to true only if a separate administrator account exists that can unlock the built-in admin account.
The values listed above are defined in the AuthenticationService component of the /etc/opt/novell/sentinel/config/server.xml file. After you modify any of these values, copy the modified settings for this component into the component properties override file, /etc/opt/novell/sentinel/config/obj-component.AuthenticationService.properties, so that the modified settings are not lost during an upgrade.
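The following Python model, added to these notes and not part of Sentinel's own code, simulates the semantics of the five parameters described above so that a policy can be reasoned about before it is deployed. The parameter names and defaults are the documented ones; the class, method and account names (AuthGuard, replay, the "admin" account name) and the password-check callback are assumptions made for the example, and the model rejects requests that arrive inside the failedAuthDelay window rather than sleeping, which is a simplification. It replays the exact scenario from the intruderDetectInterval description: four failed logins within four minutes and a fifth at 5:01 after the first, once with a 5-minute interval and once with a 6-minute interval, and also shows that the built-in admin account is not locked while intruderDetectAdminAutoLock is false.

```python
"""Model of the Sentinel 7.0.3 intruder detection and lockout parameters.

Illustrative simulation written for these release notes; it is not Sentinel
code. Parameter names and defaults match the documentation, everything else
(class names, the "admin" account name, the password-check callback) is an
assumption made for the example. All times are in milliseconds, matching
the units of the documented parameters.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

SECOND = 1000
MINUTE = 60 * SECOND


@dataclass
class LockoutPolicy:
    failedAuthDelay: int = 2 * SECOND            # 0 disables the delay
    intruderDetectInterval: int = 5 * MINUTE
    intruderDetectMaxFailedAttempts: int = 5     # 0 disables detection
    intruderDetectLockPeriod: int = 15 * MINUTE  # 0 = locked until an admin unlocks
    intruderDetectAdminAutoLock: bool = False
    adminAccount: str = "admin"                  # assumed name of the built-in admin


@dataclass
class _UserState:
    failures: Deque[int] = field(default_factory=deque)  # consecutive failure timestamps
    not_before: int = 0               # earliest time the next request is processed
    locked_until: Optional[int] = None  # None = unlocked, -1 = locked until manual unlock


class AuthGuard:
    def __init__(self, policy: LockoutPolicy, password_check: Callable[[str, str], bool]):
        self.policy = policy
        self.check = password_check   # assumed backend: (user, password) -> bool
        self.state: Dict[str, _UserState] = {}

    def authenticate(self, user: str, password: str, now: int) -> str:
        p = self.policy
        s = self.state.setdefault(user, _UserState())
        # 1. A locked account rejects every request until the lock period expires.
        if s.locked_until is not None:
            if s.locked_until == -1 or now < s.locked_until:
                return "LOCKED"
            s.locked_until = None
        # 2. failedAuthDelay is tracked per user; other users are unaffected.
        if now < s.not_before:
            return "DELAYED"
        if self.check(user, password):
            s.failures.clear()        # a success ends the run of consecutive failures
            return "OK"
        s.not_before = now + p.failedAuthDelay
        if p.intruderDetectMaxFailedAttempts == 0:
            return "FAILED"           # detection and lockout disabled
        # 3. Only failures inside the sliding intruderDetectInterval count.
        s.failures.append(now)
        while s.failures and now - s.failures[0] > p.intruderDetectInterval:
            s.failures.popleft()
        if len(s.failures) < p.intruderDetectMaxFailedAttempts:
            return "FAILED"
        # 4. Threshold reached: lock, unless this is the protected built-in admin.
        if user == p.adminAccount and not p.intruderDetectAdminAutoLock:
            return "FAILED"
        s.failures.clear()
        s.locked_until = -1 if p.intruderDetectLockPeriod == 0 else now + p.intruderDetectLockPeriod
        return "LOCKED"

    def unlock(self, user: str) -> None:
        """Manual administrator unlock (needed when intruderDetectLockPeriod is 0)."""
        s = self.state.setdefault(user, _UserState())
        s.locked_until = None
        s.failures.clear()


def replay(policy: LockoutPolicy, user: str, times: List[int]) -> List[str]:
    """Submit a wrong password at each offset and return the outcome of each attempt."""
    guard = AuthGuard(policy, lambda u, pw: pw == "correct")
    return [guard.authenticate(user, "wrong", t) for t in times]


# Constructed scenario from the intruderDetectInterval description: four
# failures within four minutes, then a fifth at 5:01 after the first.
SCENARIO = [0, 1 * MINUTE, 2 * MINUTE, 3 * MINUTE, 5 * MINUTE + 1 * SECOND]

if __name__ == "__main__":
    print(replay(LockoutPolicy(intruderDetectInterval=5 * MINUTE), "alice", SCENARIO))
    print(replay(LockoutPolicy(intruderDetectInterval=6 * MINUTE), "alice", SCENARIO))
    print(replay(LockoutPolicy(intruderDetectInterval=6 * MINUTE), "admin", SCENARIO))
```

The sliding window in step 3 is what makes the 5-minute and 6-minute cases differ: with a 5-minute interval the first failure has aged out by 5:01, so only four failures remain in the window and the fifth attempt is just another failure; with a 6-minute interval all five fall inside the window and the account is locked. Tightening intruderDetectInterval therefore makes the lockout harder to trigger, not easier, which is worth keeping in mind when tuning against slow brute-force attempts.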
Sentinel 7.0.3 provides software fixes for the following issues. For the list of software fixes and enhancements in previous releases, see the Sentinel 7.0 Documentation Web site.
Sentinel Server Runs Out of File Descriptors
Unable to Process Events
Sentinel Exceeds the Open Files Limit
Sentinel Creates Two Different Database Entries for the Same Raw Data File
Sentinel Closes Deletable Partitions Before They are Archived
Sentinel Does Not Write Events to Corrupt Partitions
Certain System Activities Take Longer to Complete
Sentinel Runs Out of Memory
Sentinel Logs Exceptions When Dealing With Large Amounts of Data
The IndexedLogRebuild Utility Does Not Rebuild the Index
Cross-Site Scripting (XSS) Vulnerability
Issue With Data Retention Policies of One Day
Sentinel Services Do Not Restart
Sentinel Does Not Correlate Events That Come From Other Sentinel Systems
Cannot Export Multiple Database Event Sources from Event Source Management
Sentinel Drops Events if the Severity is Not Set
The EventSearch Audit Event Displays Incorrect Information
Summary and Top N type Reports Display Incorrect Total Event Count
The IndexedLogCheck Utility Incorrectly Truncates the Milliseconds of an Event Timestamp
Cannot Run Reports if the Primary Event Field Value is set to a MAC Address
Sentinel Does Not Recover Gracefully From Out of Memory Conditions
You can upgrade to Sentinel 7.0.3 from Sentinel 7.0 or later, or perform a new installation.
For information on hardware requirements, supported operating systems, and supported browsers, see "Meeting System Requirements" in the NetIQ Sentinel 7.0 Installation and Configuration Guide.
Installing Sentinel 7.0.3
To install Sentinel 7.0.3, see the NetIQ Sentinel 7.0 Installation and Configuration Guide.
Installing the Xen Appliance
The Xen image has changed for this release. Therefore, to install the Xen appliance, you need to modify the xenconfig file. These modifications are in addition to the configuration changes mentioned in "Installing the Xen Appliance" in the NetIQ Sentinel 7.0 Installation and Configuration Guide.
Modify the xenconfig file as follows:
The final xenconfig file must be as follows:
Post Installation on Non-Appliance Systems
Along with the Sentinel installation, install the supportutils RPMs as a root user on SLES systems to enable configuration information and log file retrieval for future troubleshooting. To install the supportutils RPMs, issue the following command:
Note: These steps are performed automatically on appliance installations of Sentinel.
Upgrading to Sentinel 7.0.3
To upgrade to Sentinel 7.0.3, see "Upgrading Sentinel" in the NetIQ Sentinel 7.0 Installation and Configuration Guide.
If you upgrade Sentinel from 7.0 to 7.0.3, perform the following post-upgrade procedure:
If you installed Sentinel in a non-default location, you must run the following commands as the novell user:
If you are upgrading an appliance from Sentinel 7.0.1 or earlier, the upgrade fails in WebYaST because the vendor name for the patch has changed from Novell to NetIQ. Upgrade the appliance by using zypper patch instead.
To upgrade the appliance using the zypper patch:
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Sentinel Upgrade Fails if the dbauser Password Contains Special Characters
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
NetIQ Corporation, and its affiliates, have intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.