Symantec Corporation

SecurityExpressions 4.1.1

Release notes

September 2008

This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

What's in this file

You can find information on the following topics in this file:

New features

Creating the database

Instead of creating the database in a database application, you now have the option of creating the database using a setting on the Database Connection page.

Dynamic machine lists from LDAP queries

Now you can create a dynamic machine list from the results of an LDAP (Lightweight Directory Access Protocol) query.

Policy files in the reports

Now the reports that are generated from the Reports tab list the policy files that are used to perform the audits that are featured in the reports.

Platform support

Changes in platform support are the following:

Agent & audit targets
  • Windows 2008, 32-bit and 64-bit, agent or agentless
  • Red Hat Enterprise Linux 4 and 5

Additional policy files

New policy files in this release are:

  • CIS for RHEL5.sif
  • CIS-Virtual-Machines-Linux-v1.0.sif
  • CIS-Virtual-Machines-Windows-v1.0.sif
  • CIS-VMware-ESX-Server.sif
  • FDCC 1.0.1 for Windows Vista.sif
  • FDCC 1.0.1 for Windows XP Pro.sif
  • Microsoft Guidelines for Windows 2008 Domain Policy.sif
  • Microsoft Guidelines for Windows 2008 Domain Controller.sif
  • Microsoft Guidelines for Windows 2008 Member Server.sif
  • PCI for RHEL5.sif

For more information on the new features and how to use them, check the Help.

Functions in the console and Web-server applications

The product offers access to SecurityExpressions functions through both a Windows console and an ASP.NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and to allow others to access functions using a Web browser. Not all functions are available from both user interfaces.

Both interfaces: schedule audits, generate reports, configure notifications, audit with an agent or agentlessly, store credentials securely.

Console only: customize policies and rules, remediate, create and manage global machine lists, perform instant audits, securely delegate credentials to the server, maintain the authorized user list, set credentials for individual computers, machine lists, or audit tasks.

Server only: Audit-On-Connect, self-service audit, browse audit data, personal machine lists, user roles.

System requirements

This product's system requirements, listed by product component, are the following:

Console
  • Windows 2000 Server Service Pack 4 or later
  • Windows 2000 Professional Service Pack 4 or later
  • Windows XP Professional
  • Windows Server 2003 Service Pack 2 or later

Distributed proxy
  • Windows 2000 Server Service Pack 4 or later
  • Windows 2000 Professional Service Pack 4 or later
  • Windows XP Professional
  • Windows Server 2003 Service Pack 2 or later

Agent & audit targets
  • Windows NT 4 (agentless only)
  • Windows 2000 Server and Workstation
  • Windows XP Professional
  • Windows Server 2003 Service Pack 2 or later
  • Windows Server 2003 64-bit
  • Windows Vista, 32-bit and 64-bit
  • Windows Server 2008, 32-bit and 64-bit
  • Red Hat Linux 8 and 9, Enterprise Linux 4 and 5, and Advanced Server 3
  • SUSE Linux Standard and Enterprise Server 8, 9, 10
  • Solaris 8 4u
  • Solaris 9 4u
  • Solaris 10 4u
  • Solaris 10 x86, 32-bit and 64-bit through 32-bit emulation
  • AIX 5.1, 5.2, 5.3
  • HP-UX 11, 11i

ODBC-compliant database
  • SQL Server 2005 Express, 32-bit and 64-bit
  • SQL Server 2000, 2005

Installation instructions

This section contains installation notes and special topics on installation and configuration. For instructions on how to install and configure the software, see SecurityExpressions Getting Started Guide.

General notes

The following are general notes:

  • Close all programs before installing any component in the software package.
  • Back up your database before upgrading.
  • You must extract all files from the zipped software package before running the setup executable.
  • If you have multiple copies of the software installed on different computers using the same database, you must upgrade all of them in order for them to work with the updated database.
  • We do not support upgrading from versions of the software prior to version 4.0.
  • If you are installing the server and console software on the same computer, you must install them in the same path.

About deploying the console on a virtual machine

We fully support the console software when deployed on VMware Workstation 4.0 and later, as long as the virtual machine meets the system requirements listed in this file. We recommend that you configure an Automatic Bridged virtual network on the virtual machine and not a NAT service.

As with all applications running on virtual machines, you might experience reduced performance.

Known issue - When auditing a target system that's a VMware image of Microsoft Windows XP Service Pack 2 with the built-in firewall enabled, audits might run slowly.

Installing, using, and upgrading the agent

Windows agents

To install and use the Windows agent on a Windows target system:

1. Copy the file in the \Agent\Windows\ installation folder to the target system and run it.

2. Follow the instructions as you are prompted through a standard installation process.

3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.

4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires NetLogonRight privileges on the target systems to be audited as well as the usual administrative privileges.

Automatic upgrades: When you upgrade the console application, agent upgrades automatically occur on all Windows target systems the first time you audit each target system.

UNIX agents

To install a UNIX agent on a UNIX target system:

1. Copy the file in the appropriate \Agent\ installation subfolder for the operating system to the target system and run it.

2. Configure the agent either manually or using Agent Access Setup.sif, located in \Agent\Configuration\.

3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.

4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires the usual administrative privileges on the target systems.

Upgrading: When you upgrade the console application, you must upgrade the agent on each UNIX target system manually by uninstalling the previous version and then running the installation program on the system.

Using the Windows distributed proxy to audit

If the application is unable to communicate directly with a target system, you can install the agent on a Windows proxy system and connect to it remotely. This becomes necessary if the target system is behind a firewall or other router that blocks Windows Networking or UNIX SSH.

To set up the agent on a Windows proxy system:

1. Copy the file in the \Agent\Windows\ installation folder to the Windows system you plan to use as a proxy and run it on that system.

2. Follow the instructions as you are prompted through a standard installation process.

3. In the lower section of the Connect tab, select the check box to connect through the Proxy. Enter the name of the system on which the proxy resides, and the credentials used to authenticate to the system on which the proxy resides. This account must have administrative privileges on the system on which the proxy resides or belong to one of the agent access groups (see Using Privileged Agents with the Console below). Note that this is not the account on the target system to be audited, but an account used by the software to authenticate to the system on which the proxy resides.

4. The application communicates with the proxy agent through an encrypted SSL session on port 9002 or a user-configurable port.

About using privileged agents with the console

If you decide to use agents to connect the console to some remote target systems, you can use our Windows agent on your Windows systems and our UNIX agent on your UNIX systems. Each agent has its own configuration methods. To learn how to configure a Windows or UNIX agent on a remote system, see the Help. If you go to the Contents tab and double-click the Agent and Agentless Auditing book, you'll find instructions on configuring both Windows and UNIX agents, as well as other information on using agents.

Resolved issues

Removing systems from machine lists (7618)

Now you can use the Delete button found in the Members tab in the Edit Machine List dialog box to remove systems from machine lists.

Scheduling audits that aren't saved to the database (7670)

Now you can schedule audits when the Save Audit Results to the Database box in the Main Options dialog box is unchecked.

Remediating target computers with uppercase characters in the name (7728)

Fixes made to target computers with uppercase characters in the name are now applied.

Remote script execution and wrapping commands with SUDO (7662)

Now rules executed with a script that specify a shell in the first line are audited correctly when the audit is run with the Wrap Commands with SUDO option selected in the Connect tab found in either the Edit Machine List or Host Info dialog box.

Symantec AntiVirus and script rules executed remotely (7039)

If you're running Symantec AntiVirus on the computer running SecurityExpressions, script rules executed remotely no longer cause timeout errors when Windows Task Scheduler is the remote-execution method.

Default SSH version

When connecting to UNIX target systems using SSH, the software now attempts to connect using protocol version 2, then protocol version 1.
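Because of this fallback, a target whose sshd still accepts protocol version 1 can end up being audited over the weaker protocol whenever the version 2 attempt fails. The following POSIX shell check is an added example, not code from these release notes or from Symantec: it reads an OpenSSH sshd_config and reports whether its Protocol directive permits version 1, so a target can be verified before it is added to a machine list. It assumes OpenSSH's Protocol keyword (present only in releases that still support version 1) and that sshd honours the first value it finds for a keyword; the sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check whether an OpenSSH sshd_config still permits SSH
# protocol version 1. Not part of SecurityExpressions; assumes the OpenSSH
# "Protocol" keyword, which exists only in releases that support version 1.

# sshd_allows_protocol1 <sshd_config>
# Exit status: 0 = version 1 is listed, 1 = restricted to version 2,
#              2 = no Protocol directive (default depends on the OpenSSH release).
# sshd uses the first value it reads for a keyword, so only the first
# (non-comment) Protocol line counts; keywords are case-insensitive.
sshd_allows_protocol1() {
    awk '
        /^[[:space:]]*#/ { next }                  # comment line
        tolower($1) == "protocol" && !seen {
            seen = 1
            n = split($2, v, ",")                  # e.g. "2,1" -> "2" and "1"
            for (i = 1; i <= n; i++) if (v[i] == "1") allows1 = 1
        }
        END { if (!seen) exit 2; exit (allows1 ? 0 : 1) }
    ' "$1"
}

# report_sshd <sshd_config>: human-readable verdict for one config file.
# The "|| rc=$?" form keeps the call safe under "set -e".
report_sshd() {
    rc=0
    sshd_allows_protocol1 "$1" || rc=$?
    case $rc in
        0) echo "$1: protocol 1 permitted; a failed version 2 attempt falls back to it" ;;
        1) echo "$1: protocol 2 only" ;;
        2) echo "$1: no Protocol directive; verify the default for this OpenSSH release" ;;
    esac
}

# Constructed sample configs (not taken from any real host).
write_samples() {
    CFG_V2=$(mktemp); CFG_MIXED=$(mktemp); CFG_NONE=$(mktemp)
    printf 'Port 22\nProtocol 2\n' > "$CFG_V2"
    printf '# protocol 1\n  protocol 2,1\nProtocol 2\n' > "$CFG_MIXED"
    printf 'Port 22\nPermitRootLogin no\n' > "$CFG_NONE"
}

write_samples
for f in "$CFG_V2" "$CFG_MIXED" "$CFG_NONE"; do report_sshd "$f"; done
rm -f "$CFG_V2" "$CFG_MIXED" "$CFG_NONE"
```

Run it against /etc/ssh/sshd_config on a target (or a copy pulled from it) and treat exit status 0 as a finding: the target should be restricted to version 2 before it is audited.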

Known issues and workarounds

Installing the server and console software on the same computer (7889)

If you are installing the server and console software on the same computer, you must install them in the same path.

Auditing LDAP dynamic machine lists created using SSL on a schedule (7803)

If you want to use a scheduled task to audit an LDAP dynamic machine list that uses SSL, and if the LDAP server requires SSL client authentication, you must do one of the following:

  • Run the Altiris Security Audit Scheduler service as a user account instead of as the local system account. Make sure that this user's certificate store contains a valid certificate that can be used for SSL authentication.
  • Enter the credentials of a user account as the credentials for the scheduled task. Make sure that the user account has a Windows profile on the computer running SecurityExpressions and that this user's certificate store contains a valid certificate that can be used for SSL authentication.

LDAP query limits (7823)

The Result Options in the Directory/LDAP Query dialog box are only guaranteed to limit the number of computers the query returns if searching Active Directory. If searching a different kind of LDAP server, these options might not be able to limit the query results.

Auditing computers running Windows Vista or Windows Server 2008

Because of the unique security features of Windows Vista and Windows Server 2008, auditing computers running these operating systems often requires modifications to the operating system. For more information on auditing computers running Windows Vista, see Altiris Knowledgebase article number 41372. For more information on auditing computers running Windows Server 2008, see Altiris Knowledgebase article number 43505.

Using Windows authentication on Windows 2000 operating systems (7395)

To use Windows authentication to connect to the database on a Windows 2000 operating system, do the following before connecting to the database from the application:

1. In Control Panel, open Administrative Tools and select Local Security Policy.

2. In the left pane, expand Local Policies > User Rights Assignment.

3. In the right pane, double-click Act as part of the operating system.

4. In the Local Security Policy Settings dialog box, click Add.

5. In the Select Users or Groups dialog box, select from the list the Windows account to which you're logged on and click Add.

6. Click OK and then click OK again.

7. Open SecurityExpressions and connect to the database.

8. Go back to Local Security Settings and remove the Windows account from the list in the Local Security Policy Settings dialog box.

Wrapping commands with SUDO (5771)

If you're in the Connect tab in the Edit Machine List dialog box or the Host Info dialog box, and you select the Wrap Commands with SUDO option when SSH is not the connection method, the option won't be enabled after you click OK. If you want to wrap commands with SUDO, select SSH as the connection method.

SUDO targetpw option (7494)

SecurityExpressions doesn't support the SUDO option targetpw. If you try to audit a UNIX computer running SUDO with the targetpw option set, and the Wrap Commands with SUDO setting is selected as a connection option for that computer individually or as part of a machine list, you'll be unable to connect to it.
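A failed connection caused by this option is easier to diagnose before the audit than after it. As an added example, not code from these release notes or from Symantec, the following POSIX shell function scans a sudoers file for the targetpw option so that affected UNIX targets can be identified before the Wrap Commands with SUDO setting is applied to them. It reads only the file it is given (#include and #includedir directives are not followed), treats every Defaults scope the same way, and applies the rule that a later !targetpw cancels an earlier targetpw; the sample sudoers files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find the sudo "targetpw" option in a sudoers file before
# auditing a UNIX target with "Wrap Commands with SUDO". Not part of
# SecurityExpressions. Reads only the file given; #include and #includedir
# directives are not followed (they start with "#" and are skipped as comments).

# sudoers_has_targetpw <sudoers-file>
# Exit status: 0 if targetpw ends up enabled, 1 otherwise.
# Simplification (assumption): every Defaults scope (Defaults, Defaults:user,
# Defaults@host, ...) is treated alike, and within the file the last entry
# for the option wins, so "!targetpw" after "targetpw" disables it.
sudoers_has_targetpw() {
    awk '
        /^[[:space:]]*#/ { next }                  # comment (or #include)
        /^[[:space:]]*Defaults/ {
            line = $0
            # drop the "Defaults" keyword and any scope suffix
            sub(/^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+/, "", line)
            n = split(line, opts, ",")             # "env_reset, targetpw"
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", opts[i])
                if (opts[i] == "targetpw")  state = 1
                if (opts[i] == "!targetpw") state = 0
            }
        }
        END { exit (state ? 0 : 1) }
    ' "$1"
}

# report_sudoers <sudoers-file>: verdict in the terms the release note uses.
report_sudoers() {
    if sudoers_has_targetpw "$1"; then
        echo "$1: targetpw is set; the console cannot connect with Wrap Commands with SUDO selected"
    else
        echo "$1: targetpw not set"
    fi
}

# Constructed sample sudoers files (not from any real host).
write_samples() {
    SUDO_ON=$(mktemp); SUDO_OFF=$(mktemp)
    printf '# constructed sample\nDefaults    env_reset, targetpw\nroot ALL=(ALL) ALL\n' > "$SUDO_ON"
    printf 'Defaults    targetpw\nDefaults    !targetpw\nauditor ALL=(ALL) ALL\n' > "$SUDO_OFF"
}

write_samples
report_sudoers "$SUDO_ON"
report_sudoers "$SUDO_OFF"
rm -f "$SUDO_ON" "$SUDO_OFF"
```

On a real target, run it as a user permitted to read /etc/sudoers (or point it at a copy); a hit means the option must be removed on the target, or the target must be audited without Wrap Commands with SUDO.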

Adding policy exceptions to target computers (7206)

The Exceptions tab in the Host Info dialog box displays all policy exceptions set for the target computer on which you're viewing host information, whether or not the exceptions are to the open policy file. If you highlight an exception that is not an exception to the open policy file, and if that's the only exception in the list, the settings to add a new exception will be disabled. To enable the settings, close the dialog box and reopen it.

Windows accounts and the console application

You must be logged on to a Windows administrator account when using the console application in order to use all of its features.

SIF criteria (7046)

By design, only simple rules are supported in SIF criteria. Some features not supported include global variables, rule variables (via the %get function), and the DependsOn parameter.

Using the COM or the command-line interface on a computer not running SecurityExpressions (4917, 6538)

If you're using the SecurityExpressions COM interface or command-line interface on a computer running Windows Server 2003 but not running the console or server application, you need to 1) make sure the computer has Windows Server 2003 Service Pack 2 or later and 2) modify the Windows Registry. Open Microsoft knowledge base article number 913327 and follow the instructions in the Registry Information section of the Resolution.

Mixed scopes in notification conditions

If you use multiple conditions of different scopes in one notification, selecting Any Condition might cause a condition to cancel out another condition or otherwise not give you helpful results. If you plan to use conditions of different scopes, think carefully about whether or not it's logical to combine these conditions. If it is, select All Conditions so each condition is considered by the notification.

Database prefixes

If you use SecurityExpressions Audit and Compliance Server in addition to the console application, do not use the Table Prefixes field in the Database Options dialog box when connecting to an ODBC-compliant database.

Unexpected behavior when running reports (6514)

The application might exhibit unexpected behavior in the Reports tab if you run a report with the New Window check box for viewing reports selected and you accidentally right-click in the right pane in the Reports tab after displaying the report.

UNIX agents and OpenSSL (5700)

If you use one of the UNIX agents to audit a system with Pluggable Authentication Modules (PAM) configured to authenticate using any method that connects securely through OpenSSL, use OpenSSL 0.9.8, the only version the agent supports. The agent might work properly when using other versions of OpenSSL for PAM authentication, but only version 0.9.8 is supported.

Upgrading the agent manually (4149)

If you upgrade the agent manually on any target systems, either by choice or because the target is a UNIX computer, you must uninstall the previous version of the agent before installing the newer version.

Updating policy files (5380)

If you made changes to any policy files (.sif) and did not save them under a different file name or in a different location, these custom policy files will be overwritten when you upgrade the software or download the latest policy files from the policy file library on our Web site. If you want to continue using these custom policy files, change their file names or copy them to another location before upgrading the software or downloading the latest policy files.

Modifying the HasRight check (4971)

The MissingOK modifier does not work when used with the HasRight check.

Scheduling agentless audits for systems in a workgroup

If you use both the scheduler and the Windows connection method to audit one system in a workgroup, you must include the system's name in the Username box when setting the connection credentials, in this format: systemname\username.

Restart after changing databases

Any time you connect to a different database using the Database Options dialog box (select Options from View menu and click Database tab), restart the application. This refreshes the connection between the database and each component in the application.

Lost network connections

If the console system becomes disconnected from the network while you're in the application, the application could encounter problems. If this happens, reinstate the network connection and restart the application.

Stopping audits in progress

If you stop an audit while it's in progress and then try to generate reports based on that audit, the Reports tab malfunctions and cannot generate accurate reports.

Modifying credential stores

When you open the Manage Credential Stores dialog box and opt to change a credential store, you'll notice the Password box is blank. That does not mean the credential store does not have a password assigned to it; nor does it mean if you leave the box alone and save changes to the credential store, you're removing the password (passwords cannot be blank). Leave this box alone unless you intend to change the password.

Dynamic machine lists shared between a console and server on separate systems (4617)

If the console software and the server software are installed on separate systems and you create a dynamic machine list on the console from a text file, make sure you import the text file from a network location the server software has access to. The server software cannot audit a dynamic machine list whose content is not accessible to the server.

Copyright

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and SecurityExpressions are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com