Altiris, Inc.

AuditExpress 1.4

Release Notes

February 2007

Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

What's In This File?

You can find information on the following topics in this file:

What's New?

Notifications Redesigned

Audit notifications were redesigned to offer more features and more control. Notifications created using previous versions of the software are converted to the new format upon upgrade. Changes are:

Using Audits to Perform Tasks in Altiris Notification Server Solutions

New options available when scheduling an audit or starting a manual audit let you use basic audit data with Notification Server to perform tasks in Notification Server solutions.

Note: In order to take advantage of this feature, you must install the Altiris Agent on the computer running the server application. You can accomplish this through the Altiris Console's Solution Center by pushing the Altiris Agent to the computer running the server application. To learn more about the Altiris Agent, Altiris Console, or Notification Server, you can download the documentation for these and any other Altiris product from www.altiris.com/Support/Documentation.

Using Keys for SSH Authentication When Auditing UNIX Targets

A new dialog box lets you use SSH keys in a scheduled task when auditing UNIX targets. You can access this dialog box from the Connection tab of the Edit Machine List and Host Info dialog boxes.

Release Notes in the Altiris Knowledgebase

Now you can check the Altiris knowledgebase to see if these release notes received updates since this version of the software was released. To find the knowledgebase article, go to http://kb.altiris.com. Locate the product under Altiris Products in the left pane, selecting the correct version number. A list of articles appears in the right pane. To narrow down the list, use the Search this Category feature in the upper right to search for "release notes."

Platform Support

Changes in platform support are:

Optional ODBC-Compliant Database:
  Oracle 10

Agent & Audit Targets:
  Windows Vista
  Windows x64 platforms (agentless only)
  SuSE Linux Standard and Enterprise Server 8, 9, 10
  Solaris 4m no longer supported

Foreign-Language Operating Systems Supported

Now you can audit and run any component of this software on the following foreign-language operating systems:

Spanish
Portuguese
French
German
Italian
Russian
Dutch
Swedish

Installing the Software

General Note: You must extract all files from the zipped installation package before running the setup executable.

System Requirements

Supported platforms by product component:

Console:
  Windows 2000 Server
  Windows 2000 Professional
  Windows XP Professional
  Windows 2003 Server

Distributed Proxy:
  Windows 2000 Server
  Windows 2000 Professional
  Windows XP Professional
  Windows 2003 Server

Agent:
  Windows NT4
  Windows 2000 Server and Workstation
  Windows XP Professional
  Windows 2003 Server
  Windows Vista
  Windows x64 platforms (agentless only)
  Red Hat 8, 9, and AS 3
  Solaris 8 4u
  Solaris 9 4u
  Solaris 10 4u
  SuSE Linux Standard and Enterprise Server 8, 9, 10
  AIX 4.33, 5.1, 5.2, 5.3
  HP-UX 11, 11i

Optional ODBC-Compliant Database:
  Oracle 8, 9, 10
  SQL Server 2000, 2005

Deploying the Console on a Virtual Machine

We fully support the console software when deployed on VMware Workstation 4.0 and higher, as long as the virtual machine meets the console's system requirements listed above. We recommend you configure an Automatic Bridged virtual network on the virtual machine and not a NAT service.

As with all applications running on virtual machines, you might experience reduced performance.

Known Issue - When auditing a target system that's a VMware image of Microsoft Windows XP Service Pack 2 with the built-in firewall enabled, the audit might run slowly.

Upgrading the Console Software

If you have an older version of the console software, installing this version will upgrade it with the latest features and fixes.

Note: If you have multiple copies of the software installed on different computers using the same database, you must upgrade all of them in order for them to work with the updated database.

To upgrade the console software:

1. If you currently use a database with the console, back up the database.

   Note: The upgrade procedure upgrades the database schema. The database will no longer work with older versions of the console software.

2. Extract all installation files from the ZIP file locally onto the console system.

3. Launch Setup.exe to run the installation program.

4. If you plan on connecting this console to an enterprise database, such as SQL Server, or to a default database on a different system, you may perform a Custom installation and disable the SQL Server Database feature to save disk space.

   Tip: If you're not sure whether or not you'll be connecting this console to a different database, you may perform a Typical installation. The software operates normally whether or not you install the default database.

5. Launch the console application and do one of the following:

Installing, Using, and Upgrading the Agent

Windows Agents

To install and use the Windows agent on a Windows target system:

1. Copy the file in the \Agent\Windows\ installation folder to the target system and run it.

2. Follow the instructions as you are prompted through a standard installation process.

3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.

4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires NetLogonRight privileges on the target systems to be audited as well as the usual administrative privileges.

Automatic Upgrades: When you upgrade the console application, agent upgrades automatically occur on all Windows target systems the first time you audit each target system.

UNIX Agents

To install a UNIX agent on a UNIX target system:

1. Copy the file in the appropriate \Agent\ installation subfolder for the operating system to the target system and run it.

2. Configure the agent either manually or using Agent Access Setup.sif, located in \Agent\Configuration\.

3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.

4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires the usual administrative privileges on the target systems.

Upgrading: When you upgrade the console application, you must upgrade the agent on each UNIX target system manually by uninstalling the previous version and then running the installation program on the system.

Using the Windows Distributed Proxy to Audit

If the application is unable to communicate directly with a target system, you can install the agent on a Windows proxy system and connect to it remotely. This becomes necessary if the target system is behind a firewall or other router that blocks Windows Networking or UNIX SSH.

To set up the agent on a Windows proxy system:

1. Copy the file in the \Agent\Windows\ installation folder to the Windows system you plan to use as a proxy and run it on that system.

2. Follow the instructions as you are prompted through a standard installation process.

3. In the application, configure the proxy. In the lower section of the Connect tab, select the check box to connect through the Proxy. Enter the name of the system on which the proxy resides, and the credentials used to authenticate to the system on which the proxy resides. This account must have administrative privileges on the system on which the proxy resides or belong to one of the agent access groups (see Using Privileged Agents with the Console below). Note that this is not the account on the target system to be audited, but an account used by the software to authenticate to the system on which the proxy resides.

The application communicates with the proxy agent through an encrypted SSL session on port 9002 or a user-configurable port.

Configuring the Applications to Use an ODBC-Compliant Database

The product installs a small database engine with the software. If you prefer to use a high-volume ODBC-compliant database that you already own, such as Oracle or SQL Server, you can configure the application to use that database instead.

Note: Although you may use a case-sensitive database, we don't recommend it.

To configure the console application to use another database:

1. Select Options from the View menu.

2. When the Options dialog box appears, click the Database tab.

3. Click the Connect to Your Own Database radio button.

4. Click the ODBC button to configure a data source. When the ODBC Data Source Administrator appears, click the System DSN tab and create a system data source. Close the ODBC Data Source Administrator when you're done.

5. When you return to the Database Options dialog box, select the data source you just created from the Datasource drop-down list.

6. Enter credentials and click OK to finish.

Configuring the Port Number for SQL Server Users

If you're using Microsoft SQL Server as your database software and are not using the standard port number (1433) to connect to it, you need to make the software aware of the correct port number. You can do this in the Windows Registry.

To configure a nonstandard port number for use with the Audit and Compliance Server:

  1. Open the Windows Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo and add the following REG_SZ value:

    servername1 REG_SZ connectiontype,servername2,port#

    where:

    servername1 is the name or IP address of the computer running SQL Server

    connectiontype is the network-connection type, such as dbmssocn for Winsock TCP/IP

    servername2 is the same string as servername1 (no interchanging IP addresses and computer names in the same value)

    port# is the nonstandard port number you're using

  3. Close Registry Editor.
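
The value format above can be checked programmatically after the registry edit. The PowerShell below is an added example, not Altiris or Microsoft code; the function names are hypothetical, and the sample host name, address and port are constructed for illustration.

```powershell
# Added example: validate SQL Server client aliases against the format above,
#   <servername1>  REG_SZ  <connectiontype>,<servername2>,<port#>
$ConnectToKey = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'

function Test-ConnectToValue {
    param(
        [Parameter(Mandatory)] [string] $Name,                       # value name (servername1)
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Data   # REG_SZ data
    )
    $problems = @()
    $parts = @($Data -split ',' | ForEach-Object { $_.Trim() })
    if ($parts.Count -ne 3) {
        $problems += "expected 3 comma-separated fields, found $($parts.Count)"
    } else {
        $type, $server, $port = $parts
        if ($type -eq '') { $problems += 'connection type is empty' }
        # servername2 must repeat servername1: no mixing a computer name
        # with an IP address (compared case-insensitively here).
        if ($server -ne $Name) {
            $problems += "servername2 '$server' differs from value name '$Name'"
        }
        $n = 0
        if (-not [int]::TryParse($port, [ref]$n) -or $n -lt 1 -or $n -gt 65535) {
            $problems += "port '$port' is not a number between 1 and 65535"
        }
    }
    [pscustomobject]@{
        Name     = $Name
        Data     = $Data
        Valid    = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

function Get-ConnectToAlias {
    # Emits one result per alias; emits nothing if the key does not exist.
    if (-not (Test-Path -Path $ConnectToKey)) { return }
    $key = Get-Item -Path $ConnectToKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the key's unnamed default value
        Test-ConnectToValue -Name $name -Data ([string]$key.GetValue($name))
    }
}

# Constructed samples (hypothetical host, address and port):
Test-ConnectToValue -Name 'sqlhost01' -Data 'dbmssocn,sqlhost01,14330'    # names match
Test-ConnectToValue -Name 'sqlhost01' -Data 'dbmssocn,192.0.2.10,14330'   # name and IP address mixed
Test-ConnectToValue -Name 'sqlhost01' -Data 'dbmssocn,sqlhost01'          # port field missing

# Aliases actually present on this computer:
Get-ConnectToAlias
```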

Using Privileged Agents with the Console

If you decide to use agents to connect the console to some remote target systems, you can use our Windows agent on your Windows systems and our UNIX agent on your UNIX systems. Each agent has its own configuration methods. To learn how to configure a Windows or UNIX agent on a remote system, open the on-line help. If you go to the Contents tab and double click the Agent and Agentless Auditing book, you'll find instructions on configuring both Windows and UNIX agents, as well as other information on using agents.

What's Fixed?

Oracle and ODBC Drivers - Now you can use the Oracle ODBC driver to connect to an Oracle database from the software. Do not use the ODBC driver from Microsoft.

Setting Connection Credentials for Systems in Dynamic Machine Lists - Now you can successfully set connection credentials for individual systems in dynamic machine lists. To set connection credentials at the system level, right click a system in a dynamic machine list and select Edit from the menu. The Host Info dialog box appears. Click the Connections tab and enter the connection credentials required to access the system.

Known Issues

Running Scheduled Tasks from Windows 2003 Server Service Pack 1 (4917)

A bug in Windows 2003 Server Service Pack 1 causes some audits to return an "Access Denied" error. If running Windows 2003 Server Service Pack 1, you need to install the Microsoft Hotfix in Microsoft KB article number 913327.

Oracle Driver Versions (6187)

When using Oracle as your database, you must use the following versions of the driver:

Version 8 - 8.1.5.5 or later

Version 9 - 9.2.0.2 or later

Version 10 - 10.1.0.5 or later

Mixed Scopes in Notification Conditions

If you use multiple conditions of different scopes in one notification, selecting Any Condition might cause a condition to cancel out another condition or otherwise not give you helpful results. If you plan to use conditions of different scopes, think carefully about whether or not it's logical to combine these conditions. If it is, select All Conditions so each condition is considered by the notification.

Unexpected Behavior when Running Reports (6514)

The application might exhibit unexpected behavior in the Reports tab if you run a report with the New Window check box for viewing reports selected and you accidentally right click in the right pane in the Reports tab after displaying the report.

UNIX Agents and OpenSSL (5700)

If you use one of the UNIX agents to audit a system with Pluggable Authentication Modules (PAM) configured to authenticate using any method that connects securely through OpenSSL, use OpenSSL 0.9.8, the only version the agent supports. The agent might work properly when using other versions of OpenSSL for PAM authentication, but only version 0.9.8 is supported.

Upgrading the Agent (4149)

Before installing a newer version of the agent on a system, you must uninstall the previous version.

Default Database Capacity

The default database installed with the software has a sizeable capacity, but not as large as the supported enterprise databases, such as Microsoft SQL Server and Oracle. This is due to the maximum table size the database permits. It allows you to audit an approximate maximum of 100,000 "systems" over time (if you audit one system several times before reaching the limit, that one system counts several times toward the 100,000 total). Once you reach the total, the database won't be able to accept any more audit results.

If Windows 2000, Install SP2 or Higher

If you install the console or proxy on a system with Microsoft Windows 2000 Professional or Server, make sure you have Service Pack 2 or higher installed.

Default Database on Systems with Names Longer than 15 Characters (5025)

Due to NetBIOS restrictions, you cannot install the software with the default database on a system with a name longer than 15 characters. You may, however, install an enterprise ODBC-compliant database on this system or connect to a default database installed on a different system.

Database Requires MDAC 2.7 (4908)

When you install the software, we install Microsoft Data Access Components (MDAC) 2.7 for you. You need MDAC regardless of the database software you use with the product. If you find later that you don't have it installed, install it.

Connecting to a Remote Default Database

If you're installing the application and you plan to connect it to a default database on another application, be sure to perform a typical installation. This ensures that you install the correct drivers and therefore can connect to a remote database later.

Configuring the Default Database Through Remote Desktop

You might not be able to configure the default-database password through Remote Desktop. You must install and configure the software directly on the system from which you plan to run it. Then you can use the software from Remote Desktop.

Default SSH Version

The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKLM\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".
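
SSH protocol version 1 is obsolete and has known cryptographic weaknesses, so a console with this override set is worth finding during a review. The PowerShell below is an added example, not part of the product; its function names are hypothetical, and it assumes that deleting the "plink" value returns the software to its SSH Version 2 default.

```powershell
# Added example: report, and optionally remove, the SSH Version 1 override.
$OptionsKey = 'HKLM:\Software\Altiris\Security Management\Options'   # key named in these notes

function Test-PlinkForcesSsh1 {
    param([string] $PlinkOptions)
    # These notes give "-1" as the setting that selects SSH Version 1. Match it
    # as a whole token so a string such as "-100" is not mistaken for it.
    return (($PlinkOptions -split '\s+') -contains '-1')
}

function Get-SshVersionOverride {
    $value = $null
    if (Test-Path -Path $OptionsKey) {
        $value = (Get-Item -Path $OptionsKey).GetValue('plink')   # $null when absent
    }
    [pscustomobject]@{
        Key        = $OptionsKey
        PlinkValue = $value
        ForcesSsh1 = Test-PlinkForcesSsh1 -PlinkOptions $value
    }
}

function Remove-SshVersionOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-SshVersionOverride
    if (-not $state.ForcesSsh1) { return }
    if (([string]$state.PlinkValue).Trim() -ne '-1') {
        # Only the exact value "-1" is documented; leave anything else to a person.
        Write-Warning "plink value '$($state.PlinkValue)' holds more than -1; review it manually."
        return
    }
    # Assumption: with the value gone, the software uses its SSH Version 2 default.
    if ($PSCmdlet.ShouldProcess($OptionsKey, 'Remove "plink" value')) {
        Remove-ItemProperty -Path $OptionsKey -Name 'plink'
    }
}

Get-SshVersionOverride              # report the current state
Remove-SshVersionOverride -WhatIf   # preview only; drop -WhatIf (elevated) to apply
```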

For SQL Server - Services Requires SQL Authentication

In order to properly access objects in the database (i.e., machine lists, credentials), you must configure the ODBC system DSN for your SQL Server database to use SQL authentication. SecurityExpressions services cannot use native NT authentication to access the database. For more information on configuring database options, see the on-line help.

Entering Credentials for a System in a Workgroup

If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. You must do this whether you're setting credentials for the scheduled task, machine list or just the system. Type your entry in the Username box in this format: systemname\username.

Restart After Changing Databases

Any time you connect to a different database using the Database Options dialog box (select Options from View menu and click Database tab), restart the application. This refreshes the connection between the database and each component in the application.

Lost Network Connections

If the console system becomes disconnected from the network while you're in the application, the application could encounter problems. If this happens, reinstate the network connection and restart the application.

Stopping Audits in Progress

If you stop an audit while it's in progress and then try to generate reports based on that audit, the Reports tab malfunctions and cannot generate accurate reports.

Browsing Results for an Audit in Progress (5384)

The interactive-browse display for certain systems and security checks might be blank while an audit is in progress.

Delayed Hourly Policy Updates

If you configure the update service to update policy content hourly in the Updates Options dialog box, the first update won't occur until the following day.

Modifying Credential Stores

When you open the Manage Credential Stores dialog box and opt to change a credential store, you'll notice the Password box is blank. That does not mean the credential store does not have a password assigned to it; nor does it mean if you leave the box alone and save changes to the credential store, you're removing the password (passwords cannot be blank). Leave this box alone unless you intend to change the password.

Removing Systems from Machine Lists

The Delete button in the Edit Machine List dialog box's Members tab does not successfully remove systems from machine lists. To remove a system from a machine list, right click the system under the machine list's branch in the tree and select Remove from the menu that appears.

Creating Machine Lists from a SQL Query (5365)

If you create a machine list from a SQL query (in the Audit tab, right click Database Machine Lists in the left pane and select Add new list > SQL query), do not use WHERE clauses that contain quotes in the query at first. If you do, the machine list disappears after you exit the application. In order to use WHERE clauses that contain quotes in a SQL-query machine list, create the list using a simple query with no WHERE clauses containing quotes. Then, once you've determined the machine list was created successfully, redefine the machine list and add the WHERE clause(s) with quotes to the query.

You may, however, use WHERE clauses that do not contain quotes when creating a SQL-query machine list.

Audit Tab's Home Button

The Home button that appears in the Audit tab's lower right pane when navigating results from a manual audit always displays audit results from the first manual audit performed that session, even if you've performed other manual audits during the session. If you want to return to the top level of the results you're viewing, avoid the Home button and click the appropriate link in the Summary pane again.

This issue does not affect the Home button in the Browse tab.

Wscript.exe and Checking for Allowed Local Administrators

If you audit a target system containing a version of Windows Script Host (wscript.exe) earlier than 5.6 and the Allowed Local Administrators security check from the Users Group category is selected in the policy used to audit, that security check might return no data or an error.

Loading Policies (5141)

When clicking a policy in the Policies tab's left navigation pane, wait for the right pane to finish displaying it before clicking a different policy. Failure to do so might cause the policy to load incorrectly.

Characters Not Allowed in Policy Names (4219)

When creating a policy, do not use the following characters in the policy's name.

"   double quotes

'    single quote

&   ampersand

Lock Screen Saver Enabled Security Check

The Lock Screen Saver Enabled security check in the Minimum Security Configuration category might return incorrect audit results if:

  1. you're running the console on a system not logged into a domain and the target system is on a domain

or

  2. you are using the agent to connect to the target system

Contacting Customer Support

Altiris has performed extensive testing before releasing the product. If you find a problem or have questions, please contact customer support at http://www.altiris.com/support. You may also send an e-mail message to support@altiris.com or call +1 801 226 8500.

World Wide Web: http://www.altiris.com