Secure Configuration Manager |
Version 5.8 Service Pack 1 |
Release Notes |
Date Published: May 2010 |
|
|
This service pack for the NetIQ Secure Configuration Manager product improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Secure Configuration Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups. This document outlines why you should install this service pack, provides information about installing the service pack, and identifies known issues. For more information about this release and for the latest Release Notes, see the Secure Configuration Manager Documentation web site. Why Install This Service Pack?Secure Configuration Manager is an enterprise-scale product that protects your corporate assets, manages policy compliance, and lets you effectively remediate policy exceptions by taking actions directly from the console. This product automatically discovers assets in your enterprise, organizes and maps the network topology, and deploys agents as needed to assess your protection levels. This service pack provides new features and addresses issues in the following areas:
Provides More Specific Status Messages in the Job QueuesSecure Configuration Manager now provides more specific status messages in the job queues. Rather than displaying a status of Failed, the Secure Configuration Manager console now indicates the reason the job did not complete. For example, the connection was refused, the task timed out, the job was canceled, the agent reported an error, or the job is pending. (ENG282410) Also, the Completed and Pending job queues no longer display the Job Name and Job ID columns in the lower content pane when you select the Endpoints tab. The date submitted now represents the time when Core Services sent the request to the agent. Provides a Status Message when the Asset Compliance View Cannot Display DataSecure Configuration Manager now provides a "No data" status message in the Asset Compliance View for the following scenarios:
(ENG277022) Now Audits Creation and Deletion of a Managed GroupSecure Configuration Manager now updates the Audit History log each time you add or delete a managed group or modify a managed group's properties. Audit History lets you view and export actions that console users and administrators perform. (ENG277611) Sybase Information Removed from Secure Configuration ManagerSecure Configuration Manager no longer supports Sybase systems and endpoints. This service pack removes all references to Sybase from the console, installation programs, wizards, and Core Services. (ENG282724) Resolves an Issue where Asset Compliance View Columns Reset to a Default WidthThis service pack resolves an issue where Secure Configuration Manager resets the Check Data Details and Check Data column widths to the default widths on the Asset Compliance View > Systems > Detailed Data window after you customize the widths and then select a different check to view. (ENG270123) Resolves an Issue where the Filter Editor Lists Columns That Are Not DisplayedThis service pack resolves an issue where the Asset Compliance View filter editor lists columns that do not appear in the Asset Compliance View window. (ENG275727) Resolves an Issue where the Console is Unresponsive when You Import Large Policy TemplatesThis service pack resolves an issue where the Secure Configuration Manager console becomes unresponsive when you import large policy template files, such as the SCAP-FDCC-Windows-XP-v1.2.1.0-federal_desktop_core_configuration_version_1.2.1.0.tpl file. When you next log in to the console after importing the templates, Secure Configuration Manager lists the policy template but the template may not include all the required security checks. (ENG281594) Resolves an Issue where the Secure Configuration Manager Console Quits UnexpectedlyThis service pack resolves an issue where the Secure Configuration Manager console quits unexpectedly when you select multiple managed systems under IT Assets > Managed Systems, and then click the Tools menu. (ENG276600) Resolves an Issue where an Error Occurs when You Close the Bottom Content PaneThis service pack resolves an issue where the Secure Configuration Manager console displays an error message when you close the lower content pane. Before you apply this service pack, when you view IT Assets > Discovered Systems, Secure Configuration Manager displays a list of systems in the lower content pane. When you close the lower content pane, Secure Configuration Manager displays an error message until you restart the console. After you apply this service pack, you will not see an error message. (ENG273277) Resolves an Issue with Blank Reports in the Completed Jobs Queue and Memory ErrorsThis service pack resolves an issue where Secure Configuration Manager Core Services runs out of memory while performing concurrent memory-intensive tasks, such as running policy templates with many checks against a large number of endpoints. When a memory problem occurs, the resulting reports may be blank or the Secure Configuration Manager console may display out of memory error messages. (ENG280770) Resolves an Issue where the Secure Configuration Manager Database Increases in SizeThis service pack resolves an issue where the size of the Secure Configuration Manager database increases after you upgrade to Secure Configuration Manager 5.8. After you apply this service pack, the database size should decrease. (ENG281501) Resolves Issues Where Policy Template Runs Do Not Include Recent EditsThis service pack resolves an issue where Secure Configuration Manager does not use the most recent version of a policy template for a scheduled run. Before you apply this service pack, if you schedule a policy template to run, and then edit the template at a later date, Secure Configuration Manager runs the version of the policy template in use when you created the schedule. After you apply this service pack, Secure Configuration Manager runs the most recently edited version of the scheduled policy template. (ENG256016) This service pack also resolves an issue where policy template runs do not include the most recently edited version of a security check. (ENG283505) Resolves an Issue with Missing Endpoint Data in an Exported Full ReportThis service pack resolves an issue where an exported full report does not include detailed data for all endpoints in the report. The exported report provides detailed data for the first endpoint only. After you apply this service pack, the exported report displays detailed data for all endpoints in the report. (ENG278015) Resolves an Issue where the Custom Check Wizard Incorrectly Formats DataThis service pack resolves an issue where the Custom Check wizard may incorrectly format the data type of some Active Directory attributes. (ENG275560) Resolves an Issue where Editing an Exception Takes a Long TimeThis service pack resolves an issue where the Secure Configuration Manager console responds slowly or does not respond at all when you edit an exception. The issue usually occurs when you create exceptions for a security checkup report containing a large quantity of checks, endpoints, or violations. (ENG281357) Resolves an Issue with Importing Policy Templates that Include Duplicate Check NamesThis service pack resolves an issue where Secure Configuration Manager allows you to import a policy template containing checks or check aliases with duplicate names. After installing this service pack, you cannot import policy templates with duplicate check or alias names. (ENG278005) Resolves an Issue where Duplicate Exceptions May Appear in the Exception Admin ReportThis service pack resolves an issue where, after you upgrade from version 5.6 or 5.7, Secure Configuration Manager may display duplicate exceptions in the Exception Admin Report. (ENG280224) Resolves an Issue where Systems with Deleted Agents Remain in the Discovered Systems ListThis service pack resolves an issue where, after you delete an agent from your IT asset map, the Secure Configuration Manager console continues to list the system in the Discovered Systems content pane. This issue occurs because Secure Configuration Manager does not allow you to delete any system hosting an agent from the Discovered Systems list. After applying this service pack, you can delete the system. You must refresh the Discovered Systems list to ensure the Secure Configuration Manager console displays the system changes. For more information about deleting systems and agents and unregistering agents, see the User Guide for Secure Configuration Manager. (ENG282695) Resolves an Issue where Secure Configuration Manager Reports an In-Compliance Status Without Receiving Data from the EndpointThis service pack resolves an issue where Secure Configuration Manager reports an in-compliance status for an endpoint without gathering data for that endpoint. For example, Secure Configuration Manager displays an endpoint as In Compliance even though the endpoint was offline when you ran the policy template. After you apply this service pack, Secure Configuration Manager reports compliance results based on the most recent template run containing a complete set of data within the specified time frame. (ENG283562) Resolves an Issue with Managing Multiple Endpoints SimultaneouslyThis service pack resolves an issue where you receive an invalid IP address error message when you select multiple systems on the Discovered Systems pane and then click Actions > Manage System. After applying this service pack, you can simultaneously add multiple systems to your IT asset map. (ENG282701) Resolves an Issue where Secure Configuration Manager Reuses Job IDsThis service pack resolves an issue where Secure Configuration Manager reuses the IDs of deleted jobs for new jobs. After you apply this service pack, Secure Configuration Manager will not re-assign deleted job IDs. (ENG282780) Resolves an Issue where Using Multiple Instances of a Security Check in a Policy Template Can Adversely Affect Delta ReportingThis service pack resolves an issue where Secure Configuration Manager provides inaccurate delta report results when a policy template contains multiple instances of a security check with blank check alias names. After applying this service pack, when you add a security check to a policy template, the Policy Template wizard automatically enters the security check name in the Check Alias field. The wizard requires you revise the alias if the name is not unique within the policy template. (ENG281592) Resolves an Issue where Secure Configuration Manager Displays an Error Message When You Re-Run Reports for Failed EndpointsThis service pack resolves an issue where Secure Configuration Manager displays an error message after you re-run a report for failed endpoints. For example, Report A includes failed endpoints, and you run the report again for those endpoints. The resulting job, Report B, also includes failed endpoints. You receive an error message when you re-run Report B for the failed endpoints. (ENG275289) Resolves an Issue where the Report Viewer Responds Slowly or Fails when You Want to View a Full ReportThis service pack resolves an issue where the Secure Configuration Manager Report Viewer responds slowly or does not respond when you access the Full Report. This issue occurs when the report contains an extremely large amount of data, such as a policy template with many security checks run against hundreds of endpoints. After you install this service pack, if the Full Report requires more than 50,000 pages, Secure Configuration Manager creates a second .pdf file for the additional pages and adds "-1" to the file name. Secure Configuration Manager continues to generate additional .pdf files and append the file name for each set of 50,000 pages. For information about configuring the number of pages per .pdf file, contact NetIQ Technical Support. (ENG280769) Resolves an Issue where Delta Reports Do Not Return Accurate ResultsThis service pack resolves an issue where a delta report run from the Policy Template wizard does not provide accurate results for the specified delta criteria. (ENG285177) Resolves an Issue where Secure Configuration Manager Defaults to the Core Services Setting for Sending Email AlertsThis service pack resolves an issue where Secure Configuration Manager defaults to the Core Services setting for sending email compliance alerts. For example, you initially enable email alerts on the Out of Compliance Alerts tab in the Core Services Configuration Utility. Then, when you run a policy template, you choose to disable the email compliance alerts option in the Run Options window. Secure Configuration Manager overrides the change made in the Policy Template wizard and sends an email if an endpoint reports as out of compliance. After you apply this service pack, Secure Configuration Manager defaults to the email alerts setting in the Policy Template wizard. (ENG285011) Installing This Service PackBecause this service pack includes a change to the way you create policy templates, NetIQ recommends you update all custom policy templates after service pack installation. For more information, see Updating Check Aliases in Your Custom Policy Templates. Installing the Service PackComplete the following steps to install this service pack.
To install this service pack:
Updating Check Aliases in Your Custom Policy TemplatesAfter you install this service pack, NetIQ recommends you update check aliases in all custom policy templates that include the same security check multiple times. A check alias specifies an alternate name that describes the unique instance of the selected security check for that policy template. Having a unique check alias for each instance of a security check ensures accurate reporting, particularly for delta reports. All recent NetIQ policy templates include unique, relevant security check aliases for checks used more than once in the template. For examples of check aliases, see the NetIQ Enhanced Security Settings for Windows XP Professional Service Pack 2 policy template. (DOC286122) To update check aliases in a custom policy template:
Known IssuesNetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issue is currently being researched. If you need further assistance with any issue, please contact Technical Support.
Comparing Columns that Include Duplicate Data Can Cause Inaccurate Delta Report ResultsDelta reports provide inaccurate results when you compare columns containing rows of duplicate data. For example, the Missing Microsoft patches security check returns the same patch product and title names for two endpoints. If you try to compare data in those columns, Secure Configuration Manager returns inaccurate results. To work around this issue, when you specify the delta criteria in the Delta Comparison wizard, enable the Matching Key for all columns for which the check returns duplicate rows of data. Enable the Comparison option only for columns that contain unique data. (ENG285934) Cannot Distribute Delta Reports in Any Format if You Select .xls Format and Excel is Not Installed on the Core Services ComputerSecure Configuration Manager requires Microsoft Excel be installed on the Core Services computer to enable delta report distribution in .xls format. If Excel is not installed and you choose to distribute a delta report in both .xls format and other formats such as .pdf or .txt then Secure Configuration Manager does not distribute the report in any of the selected formats. To work around this issue, either install Excel on the Core Services computer or do not include an .xls distribution option when you also select other formats to distribute the report. (ENG288074) SCAP Security Checks Return Inaccurate Results when Run Individually or in Custom TemplatesNetIQ Corporation designed the security checks for the Security Content Automation Protocol (SCAP) module to run specifically within the provided SCAP policy templates. When you run the SCAP security checks individually or in a custom template, Secure Configuratiom Manager may return inaccurate results. To work around this issue, run only the built-in SCAP policy templates. (ENG288093) Previous ReleasesThis service pack also includes enhancements added in Secure Configuration Manager Hotfixes 71875, 71897, and 71918.
Resolves an Issue where the Asset Compliance View and Security and Compliance Dashboard Display Extra Systems in Managed GroupsThis service pack includes Hotfix 71875, which resolves an issue where an environment with more than 10,000 endpoints displays extra systems in managed groups when using the Asset Compliance View and Security and Compliance Dashboard. (ENG277685) Resolves an Issue with Find Violations and Get Endpoint Compliance Aegis ActivitiesThis service pack includes Hotfix 71875, which resolves an issue where the Aegis activities Find Violations and Get Endpoint Compliance display endpoints with failed policy templates as In Compliance. (ENG277176) Resolves an Issue with the Get Security Check Results Detail Aegis ActivityThis service pack includes Hotfix 71875, which resolves an issue where the Aegis activity Get Security Check Results Detail fails when exceptions are applied to the security check. (ENG277342) Resolves an Issue with User Permissions for Remote Secure Configuration Manager ConsolesThis service pack includes Hotfix 71897, which resolves an issue where console users do not have permission to see certain menu items or perform certain tasks on remote Secure Configuration Manager console computers after installing Secure Configuration Manager 5.8. (ENG277181) Ensure you log on to the Secure Configuration Manager console computer with a user account that is a member of the VigilEnt_Users local group on the Database computer and the Power Users local group on the console computer. Resolves an Issue with Data Level Exceptions on Security Checks with Simple Value ScoringThis service pack includes Hotfix 71918, which resolves an issue where applying a data level exception to a security check with simple value scoring can cause unexpected scoring results. (ENG277828) Resolves an Issue with Security Check Alias Names when Editing ExceptionsThis service pack includes Hotfix 71918, which resolves an issue where a security check alias name is not retained if you edit and save an exception from the Exception Wizard. (ENG279185) Resolves an Issue with Excepted Risk Scores when Duplicate Exceptions ExistThis service pack includes Hotfix 71918, which resolves an issue where creating a duplicate exception causes an incorrect excepted risk score. (ENG279658) Resolves an Issue with an Incorrect Error in the Security Checkup Report Full Report when Exceptions are HiddenThis service pack includes Hotfix 71918, which resolves an issue where the security checkup report Full Report tab displays the error This check returned no data in the Security Checks Detailed Data when all data is excepted and excepted rows are hidden. (ENG277796) Contact InformationPlease contact us with your questions and comments. We look forward to hearing from you. For detailed contact information, see the Support Contact Information Web site. For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups. Legal NoticeNetIQ Secure Configuration Manager is protected by United States Patent No: 5829001 and 7093251. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. © 2010 NetIQ Corporation. All Rights Reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions. | ||||
Template date: March 3, 2010 | |||||