Symantec Corporation

SecurityExpressions Audit and Compliance Server 4.1.1

Release notes

September 2008

This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

What's in this file

You can find information on the following topics in this file:

New features

Creating the database

Instead of creating the database in a database application, you now have the option of creating the database using a setting on the Database Connection page.

Enhanced database cleanup

The Database Cleanup page offers new features, including the ability to create more than one cleanup task and more sophisticated options for determining how much data to clean up.

Platform support

Changes in platform support are the following:

Agent & audit targets:

  Windows Server 2008, 32-bit and 64-bit
  Red Hat Enterprise Linux 4 and 5

Additional policy files

New policy files in this release are:

CIS for RHEL5.sif
CIS-Virtual-Machines-Linux-v1.0.sif
CIS-Virtual-Machines-Windows-v1.0.sif
CIS-VMware-ESX-Server.sif
FDCC 1.0.1 for Windows Vista.sif
FDCC 1.0.1 for Windows XP Pro.sif
Microsoft Guidelines for Windows 2008 Domain Policy.sif
Microsoft Guidelines for Windows 2008 Domain Controller.sif
Microsoft Guidelines for Windows 2008 Member Server.sif
PCI for RHEL5.sif

For more information on the new features and how to use them, check the Help.

Functions in the console and Web-server applications

The product offers access to SecurityExpressions functions through both a Windows console and an ASP.NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and to allow others to access functions using a Web browser. Not all functions are available from both user interfaces.

Both interfaces: schedule audits, generate reports, configure notifications, audit with agent or agentlessly, store credentials securely

Console only: customize policies and rules, remediate, create and manage global machine lists, perform instant audits, securely delegate credentials to server, authorized user list, set credentials for individual computers, machine lists, or audit tasks

Server only: Audit-On-Connect, self-service audit, browse audit data, personal machine lists, user roles

System requirements

This product's system requirements are the following:

Product component and supported platforms:

Connection monitor

  Windows 2000 or later

Server

  Windows 2000 Server Service Pack 4 or later
  Windows Server 2003 Service Pack 2 or later
  Windows Server 2003 64-bit

Distributed proxy

  Windows 2000 Server Service Pack 4 or later
  Windows 2000 Professional Service Pack 4 or later
  Windows XP Professional
  Windows Server 2003 Service Pack 2 or later

Agent & audit targets

  Windows NT 4 (agentless only)
  Windows 2000 Server and Workstation
  Windows XP Professional
  Windows Server 2003 Service Pack 2 or later
  Windows Server 2003 64-bit
  Windows Vista, 32-bit and 64-bit
  Windows Server 2008, 32-bit and 64-bit
  Red Hat Linux 8 and 9, Enterprise Linux 4 and 5, and Advanced Server 3
  Solaris 8 4u
  Solaris 9 4u
  Solaris 10 4u
  Solaris 10 x86, 32-bit and 64-bit through 32-bit emulation
  SUSE Linux Standard and Enterprise Server 8, 9, 10
  AIX 5.1, 5.2, 5.3
  HP-UX 11, 11i

ODBC-compliant database

  SQL Server 2005 Express, 32-bit and 64-bit
  SQL Server 2000, 2005

Installation instructions

This section contains installation notes and special topics on installation and configuration. For instructions on how to install and configure the software, see SecurityExpressions Audit and Compliance Server Getting Started Guide.

General notes

The following are general notes:

Installing a connection monitor

If you purchased a license for the server-software Audit-on-Connect feature, you'll need to install connection monitors on DHCP Servers, Active Directory Servers or other servers that coordinate Audit-on-Connect sequences.

Close all programs before installing any component in the software package.

To install connection monitors:

  1. Copy the \ConnectionMonitors\ or \ConnectionMonitorsX64\ folder from the Zip installation package to the server coordinating Audit-on-Connect sequences.
  2. Launch Setup.exe in the folder.
  3. When the setup wizard appears, click Next to begin the installation.
  4. In the License Agreement page, select I Agree and click Next.
  5. In the Choose Connection Monitors page, select one or more connection monitors you want to install on this server. Then click Next.
  6. If you selected Active Directory Monitor in step 5, the Active Directory Monitor User page appears. Type the user name and the password of the user you want the service to run as.

    Note: If you didn't select Active Directory Monitor in step 5, the Active Directory Monitor User page does not appear. Skip this step.

    This user must have the rights "Manage auditing and security log" and "Log on as a service." Also, the user name must be in the form domainname\username or .\username if the user belongs to the built-in domain. Before proceeding, make sure the user meets these requirements. To check user rights, select Local Security Policy from Administrative Tools and browse to Security Settings\Local Policies\User Rights Assignment.
     
  7. In the Select Installation Folder page, browse to a new installation path if necessary. Then click Next.
  8. Click Next again to confirm that you want to install the connection monitors now.
  9. A status bar shows the progress of the installation. When the installation is complete, click Close to exit the setup wizard.

Now you may configure the connection monitor whenever you're ready. For instructions, open the server application, go to the Connection Monitors page and click the ? Help icon at the top of the page.

Resolved issues

Installing on a computer in a workgroup (7785)

Now you can install the software on a computer that's in a workgroup rather than in a domain.

Symantec AntiVirus and script rules executed remotely (7039)

If you're running Symantec AntiVirus on the computer running SecurityExpressions, script rules executed remotely no longer cause timeout errors when Windows Task Scheduler is the remote-execution method.

Default SSH version

When connecting to UNIX target systems using SSH, the software now attempts to connect using protocol version 2, then protocol version 1.

Known issues and workarounds

Installing the server and console software on the same computer (7889)

If you are installing the server and console software on the same computer, you must install them in the same path.

Server certificate for testing environments (7075)

The installation package installs a server certificate that makes a secure connection using HTTPS when you open the server application. We provided this certificate as a courtesy to use in test environments. We recommend installing a server certificate from a trusted authority to use in production environments.

Cleaning up audit results from unopened policy files (7875, 7895)

The policy files listed on the Database Cleanup page include only policy files that were opened in the console application or uploaded to the server application since installing version 4.0 or later. If the database contains audit results that were generated using policy files that were not opened or uploaded since installing version 4.0 or later, you can't clean up those audit results from the Database Cleanup page. To clean up audit results generated using those policy files, use the Results tab in the console application.

Auditing computers running Windows Vista or Windows Server 2008

Because of the unique security features of Windows Vista and Windows Server 2008, auditing computers running these operating systems often requires modifications to the operating system. For more information on auditing computers running Windows Vista, see Altiris Knowledgebase article number 41372. For more information on auditing computers running Windows Server 2008, see Altiris Knowledgebase article number 43505.

MDAC on computers running Windows 2000 Server (7554)

If you installed the server software on a computer running Windows 2000 Server, make sure the computer has Microsoft Data Access Components (MDAC) 2.6 or later before connecting the server application to the database. We recommend MDAC version 2.8 or later for its security enhancements and bug fixes. Windows comes with MDAC, but if the computer doesn't have the correct version, you'll need to obtain and install it before connecting the server application to the database.

Installing the software on Windows 2000 Server when the Internet guest account user name is not the default (7245)

The Setup program displays an error on Windows 2000 Server if the Internet guest account on the computer on which you're trying to install doesn't have the default user name "IUSR_computername," where computername is the name of the computer. If the computer is not using the default user name, do the following:

  1. Open a Windows Command Prompt.
  2. Go to the directory where you unzipped the installation package.
  3. Enter the following command:
    setup.exe IISUSER=username
    where username is the correct IIS user name.
  4. Complete the installation wizard.

Installing the software on a computer running Altiris Notification Server 6.0 SP3 (7528)

The server software and Notification Server 6.0 SP3 use conflicting versions of the .NET framework. If you want to install the software on a computer running Notification Server 6.0 SP3, follow the instructions in Altiris Knowledgebase article number 41471 so they can reside on the same computer.

Using Windows authentication on Windows 2000 Server (7395)

To use Windows authentication to connect to the database on Windows 2000 Server, do the following before connecting to the database from the application:

  1. In Control Panel, open Administrative Tools and select Local Security Policy.
  2. In the left pane, expand Local Policies > User Rights Assignment.
  3. In the right pane, double-click Act as part of the operating system.
  4. In the Local Security Policy Settings dialog box, click Add.
  5. In the Select Users or Groups dialog box, select ASPNET and click Add.
  6. Click OK and then click OK again.
  7. In the right pane of Local Security Settings, double-click Impersonate a client after authentication.
  8. In the Local Security Policy Settings dialog box, click Add.
  9. In the Select Users or Groups dialog box, select IWAM_computername from the list, where computername is the name of the computer you're using, and click Add.
  10. Click OK and then click OK again.
  11. Open SecurityExpressions and connect to the database.
  12. Go back to Local Security Settings.
  13. In the right pane of Local Security Settings, double-click Impersonate a client after authentication.
  14. Remove IWAM_computername from the list in the Local Security Policy Settings dialog box and click OK.
  15. In the right pane of Local Security Settings, double-click Act as part of the operating system.
  16. Remove ASPNET from the list in the Local Security Policy Settings dialog box and click OK.
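
The procedure above grants two powerful user rights temporarily, and the connection-monitor installation earlier in this file requires two others for the Active Directory Monitor user. The following is an added example, not Symantec code, that checks both conditions against the text of a user-rights export produced by secedit /export /cfg rights.inf /areas USER_RIGHTS. The account names, SIDs, and the computer name WEB01 are constructed for illustration; rights held only through group membership are not resolved.

```python
# Added example (not Symantec code). Input is the text written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the file is usually UTF-16; decode it before passing it in).

# Rights the Active Directory Monitor service user must hold.
REQUIRED = {
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeServiceLogonRight": "Log on as a service",
}
# Rights granted for the database connection and removed again afterwards.
TEMPORARY = {
    "SeTcbPrivilege": "ASPNET",               # Act as part of the operating system
    "SeImpersonatePrivilege": "IWAM_{host}",  # Impersonate a client after authentication
}

# Constructed sample export and constructed account-to-SID map.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = *S-1-5-20
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1004
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,IWAM_WEB01
[Version]
signature="$CHICAGO$"
"""
SAMPLE_SIDS = {
    r"CORP\svc-admonitor": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "ASPNET": "S-1-5-21-1111111111-2222222222-3333333333-1004",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Holders appear as *SID or as a plain account name.
            holders = {h.strip().lstrip("*").lower() for h in value.split(",")}
            rights[name.strip()] = holders - {""}
    return rights

def identifiers(account, sids):
    """Spellings under which an account may be listed: full name, bare name, SID."""
    ids = {account.lower(), account.split("\\")[-1].lower()}
    if account in sids:
        ids.add(sids[account].lower())
    return ids

def missing_service_rights(rights, account, sids):
    """Required rights that are not assigned directly to the service account."""
    ids = identifiers(account, sids)
    return [r for r in REQUIRED if not ids & rights.get(r, set())]

def leftover_temporary_grants(rights, host, sids):
    """Temporary grants from the Windows-authentication steps that are still present."""
    found = []
    for right, template in TEMPORARY.items():
        account = template.format(host=host)
        if identifiers(account, sids) & rights.get(right, set()):
            found.append((right, account))
    return found

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    print("missing:", missing_service_rights(parsed, r"CORP\svc-admonitor", SAMPLE_SIDS))
    print("leftover:", leftover_temporary_grants(parsed, "WEB01", SAMPLE_SIDS))
```

An empty result from leftover_temporary_grants after step 16 confirms that both temporary rights were removed.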

Notifications with reports created in the console application (7171)

If you want to use Console Notifications that generate reports in audits configured in the server application, the server application needs access to the reports in the console application. Either install the console application on the same computer running the server application or copy the console reports to the server. To copy the console reports, copy the \Program Files\Altiris\Security Management\SecurityExpressions\Reports\ folder from the computer running the console and paste it to the same path on the computer running the server. Note that the server software keeps its reports in a different path.

Remediation in Web services and case-sensitive databases (7367)

When using the Web-services interface to remediate audits saved to a case-sensitive database, you'll need to pass the names of the target computers as they appeared in the audit to the remediation function. This ensures the case used in the computer names matches between the audit and fix actions. You can use functions such as GetTargetSummaryResults, GetAuditSummaryResults, and GetAuditResults to look up target-computer names.

IP-address exceptions created prior to version 4.0 (7571)

If you created any IP-address exceptions in a version of the server application prior to version 4.0, and they still have Fully Qualified Domain Name set as the exception type, the exceptions won't be applied to Audit-on-Connect audits. To make the exception work, edit it and change the type from Fully Qualified Domain Name to IP Address or Range.

Server reports and interactive-audit results from the console (7569)

Reports generated in the server application can't display interactive-audit results generated by the console application prior to version 4.0.

Report profiles with policies selected prior to version 4.0 (7569)

If you created any report profiles on the Browse Audit Results page prior to version 4.0 with policies selected, the policies disappear from the report profile and reports generated from the report profile can't display scheduled-audit results from the console application. To enable the report to display these console audit results, you need to make the server application recognize the policy files used in the console audits. Once the server application recognizes the policy files, the policies appear in the report profile again.

To make the server application recognize the policy files used in the console audits:

  1. In the console-application welcome page, click Select a Policy File and locate the first policy file used to generate the console audit results you want in the report.
    If you don't know which policy file the audit used, check the audit results.
  2. Open the policy file.
  3. When the console application appears with the policy file loaded, close the application.
  4. Repeat steps 1 through 3 until you've opened all policy files used to generate the console audit results you want in the report.
  5. In the server-application home page, click Configure Servers.
  6. Click the Audit-on-Connect tab.
  7. In the Policies page, click Edit in the table row containing the first policy you want to add back to the report profile.
  8. In the policy options, select Make this Policy Active.
  9. Set the View Audit Results box so you have the rights to view audit results from this policy.
  10. Click Update.
  11. Repeat steps 7 through 10 until you've changed the settings on all policies you want to add back to the report profile.
  12. Go back to the server-application home page and click View Audit Reports.
  13. In the Browse Audit Results page, click Edit in the table row containing the report profile.
  14. Click Save without changing any settings in the report profile.
  15. Click Show in the table row containing the report profile. All audit results in range of the report profile now appear in the report.

Upgrading the database (6454, 6467)

If you are upgrading from a previous version of the software and want to use the same database, you must complete the database update before upgrading the server software in order to continue using scheduled tasks stored in the database.

To properly update the database:

  1. Install SecurityExpressions Console.
  2. Start the console application.
  3. From the View menu, select Options. When the Options dialog box appears, click the Database tab.
  4. Set the database options to correspond to the settings that you used in the previous version of SecurityExpressions.
  5. Click the OK button to connect to the database. When prompted to update that database, click OK.

After the database update finishes, you can upgrade the server software.

Database prefixes

If you use SecurityExpressions Audit and Compliance Server, do not use table prefixes in the database.

Viewing console audit results in the server (6372)

Whether or not you can view results from audits performed using the console application depends partially on the user-role settings in the server application. If you're having trouble using the server application to display certain results from audits performed using the console application, review the user-role settings throughout the server application. For more information on user roles and where to find settings for this feature, see About User Roles in the Help.

Entering Windows user groups (6235)

We recommend setting up user roles from the computer on which the server software is installed. If you must set up user roles remotely, make sure you type the Windows user group names correctly.

Character combination blocked by Microsoft (5859)

Entering the < (less than) character followed by any letter in any text field in the application causes IIS to generate an exception error. This is because in XML code, the < (less than) and > (greater than) characters are used to enclose scripts. For security purposes, Microsoft validates all text strings to avoid cross-site scripting attacks, blocking this character combination.

Policies saved to the database

Policies are saved to the database. If more than one person is editing the same policy at the same time, the version saved last is the only version that will be stored.

UNIX agents and OpenSSL (5700)

If you use one of the UNIX agents to audit a system with Pluggable Authentication Modules (PAM) configured to authenticate using any method that connects securely through OpenSSL, use OpenSSL 0.9.8, the only version the agent supports. The agent might work properly when using other versions of OpenSSL for PAM authentication, but only version 0.9.8 is supported.

Upgrading the agent (4149)

Before installing a newer version of the agent on a system, you must uninstall the previous version.

Entering credentials for a system in a workgroup

If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.

Remote server users in different time zones (4675, 4769)

Remote server users in a different time zone than the one where the server resides cannot Browse Audit-on-Connect Activity or Browse Audit Results until the current time in their time zone matches the time the server posted the data. Also, the policy cache does not account for the time-zone difference and is not purged until the current time matches the time the server posted the data.

Login and password used with LDAP URL is not encrypted (4875)

If you create a scope of type Org. Unit or Expression and specify an LDAP URL with a login and password in the Values field, the password is stored in the database and displayed in the Scopes table unencrypted. The password entered in the Password field, however, is encrypted.

Situations where you can avoid using passwords are local-domain Active Directory searches or searches of directories not part of your domain that permit anonymous searching.

Copyright

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and SecurityExpressions are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com