Symantec Corporation

SecurityExpressions 4.1

Release notes

May 2008

Please read the following document carefully. This document lists important issues and topics concerning the product. We recommend that you read the entire document before you install the software.

What's in this file?

You can find information on the following topics in this file:

New features

Windows authentication

Now you can use Windows authentication to access the database.

New platforms to audit

Among the new platforms you can audit is 64-bit Windows. See "Platform support" below for a complete list.

System-level credentials delegated

Now you can use the Host Info dialog box to delegate target computers' credentials for use in SecurityExpressions Server.

Authorized-users list

Now you may restrict access to the console application and its features by creating an authorized-users list. By adding Windows users and Windows user groups to the Authorized Users and Groups dialog box, you ensure that only those users can view or modify security-audit data. Not even those with Windows administrator accounts have access unless they are added to the list.

.NET version 2.0

The setup program automatically installs version 2.0 of the .NET framework, even if the computer already has a later version of .NET. This is because the software requires .NET 2.0. Both versions can reside on the same computer without causing problems.

64-bit notification connectors

Now you can run the notification connectors on 64-bit Windows computers.

Faster agentless UNIX audits

Improvements to how the software performs agentless UNIX audits result in faster audits.

Enhanced policy exceptions

When you add a policy exception to a target computer in the Host Info dialog box's Exceptions tab, now the exception applies just to the open policy file and to the rule you selected. The dialog box, however, displays all policy exceptions set for the target computer on which you're viewing host information, whether or not the exceptions are to the open policy file. A new column in the list shows which policy file the exception applies to.

You may delete any exception set for the target computer regardless of which policy file you have open, but you can only modify exceptions to the open policy file.

New installation wizard

The steps to install the software changed due to a new installation wizard.

New rules

ExistKey - A new registry rule that has options similar to the DeleteKey rule.
RegHasPerm - A new registry rule that has options similar to the RegPerm rule.
FileHasPerm - A new file rule that has options similar to the FilePerm rule.

New rule modifier

A new rule modifier called Check32 lets you set a rule to just search the 32-bit version of files and the registry, ignoring the 64-bit versions if applicable.

New WizParam control type

A new WizParam called pwdtext specifies a string value with a text-input box for encrypted passwords. WizParams control the rule wizard used to edit rules. You can find WizParams and all rule functionality in the Rules tab.

Platform support

Changes in platform support are:

ODBC-compliant databases
  • SQL Server Express added; Oracle no longer supported
  • Firebird default database no longer supported; must use ODBC-compliant database

Agent & audit targets
  • Windows NT 4 agentless only
  • Solaris 10 x86, 32 bit and 64 bit through 32-bit emulation
  • AIX 5.3 added; 4.33 no longer supported
  • Windows 2003 Server 64 bit
  • Windows Vista, 32 bit and 64 bit, agent or agentless

Notification connectors
  • 64-bit Windows

Additional policy files

New policy files in this release are:

Accounts that are currently logged in.sif
Accounts that are disabled.sif
Accounts that are Inactive.sif
Accounts that are part of the Account Operators group.sif
Accounts that are part of the Administrators group.sif
Accounts that are part of the Backup Operators group.sif
Accounts that are part of the Domain Admins group.sif
Accounts that are part of the Local Administrators group.sif
Accounts that expire in 7 days.sif
Accounts that have 3 or more failed login attempts.sif
Accounts that have a blank password.sif
Accounts that have Admin Privileges.sif
Accounts that have expired passwords.sif
Accounts that have logged on in the past 24 hours.sif
Accounts that have never logged in.sif
Accounts that have non-expiring passwords.sif
Accounts that have not changed their password in 30 days.sif
Accounts that have not changed their password in X days.sif
Accounts that have the right to shutdown a system.sif
Accounts with Root group privileges.sif
Accounts with Root level privileges.sif
AIX Critical Patches.sif
AIX Security Patches.sif
Altiris agent check.sif
CIS for AIX.sif
CIS for MS SQL Server 2005 v1.0 - Windows 2003 Domain Member.sif
CIS for MS SQL Server 2005 v1.0 - Windows XP Desktop.sif
CIS for Oracle v2.01 - Linux.sif
CIS for Oracle v2.01 - Windows 2000 Server.sif
CIS SUSE.sif
CISExchangeServer2003.sif
CIS-Microsoft SQL Server 2000.sif
Enabled Guest accounts.sif
EveryoneAccess.sif
FISMA for Solaris 10.sif
GLBA Guidelines for AIX.sif
GLBA Guidelines for HPUX.sif
GLBA Guidelines for Linux.sif
GLBA Guidelines for Solaris 10.sif
GLBA Guidelines for Solaris.sif
GLBA Guidelines for Windows 2000.sif
GLBA Guidelines for Windows 2003.sif
GLBA Guidelines for Windows XP.sif
Group SIDs on the system.sif
Groups on the system.sif
HIPAA Guidelines for Solaris 10.sif
ISO 27002 Win2K Server.sif
ISO 27002 Windows XP.sif
ISO 27002 for AIX.sif
ISO 27002 for HPUX.sif
ISO 27002 for Linux.sif
ISO 27002 for RedHat Enterprise Linux.sif
ISO 27002 for Solaris 10.sif
ISO 27002 for Solaris.sif
ISO 27002 for Win2K-Pro.sif
ISO 27002 for Windows 2003 Server.sif
Local Accounts.sif
Local Groups.sif
MS Vista Default Security.sif
MS Vista EC.sif
MS Vista SSLF.sif
msupdate.sif
Passwords that are stored in clear text.sif
PCI for AIX.sif
PCI for HPUX.sif
PCI for Linux.sif
PCI for Redhat Enterprise Linux.sif
PCI for Solaris.sif
PCI for Solaris 10.sif
PCI for Win 2k Pro Lvl 2.sif
PCI for Win 2k Server Lvl 2.sif
PCI for Win2003-Legacy-Controller-v1[1].2.sif
PCI for Win2003-Legacy-Member-v1[1].2.sif
PCI for WinXP-Enterprise-Desktop-v2[1].0.1.sif
PCI for WinXP-Legacy-v2[1].0.1.sif
PCI forWinXP-SpecializedSecurity-v2[1].0.1.sif
PCI-Win2003-Enterprise-Controller-v1[1].2.sif
PCI-Win2003-Enterprise-Member-v1[1].2.sif
PCI-Win2003-SpecializedSecurity-Member-v1[1].2.sif
PCI-Win2K-Level-I-v1[1].2.1.sif
PCI-WinNT-Level-I-v1[1].0.5.sif
PCI-WinXP-Enterprise-Mobile-v2[1].0.1.sif
Permissions for X files-directories.sif
Sarbanes-Oxley for Solaris 10.sif
Shares List.sif
Solaris Accounts that are Inactive.sif
User Account that is currently logged in.sif
User SID on the system.sif
Verify that the Administrator Account has been renamed.sif
Verify that the Guest Account has been renamed.sif
Verify that the Guest Account is Disabled.sif


Discontinued policy files

Policy files discontinued as of this release are:

HPUX.sif
Solaris.sif

AuditExpress mode removed

The product no longer features an AuditExpress mode.

Notification-connector documentation now in on-line help

The contents of Altiris Notification Connector Configuration Guide are now available in the on-line help. This guide is no longer included in the product's documentation set.

Temporary report files removed

Now temporary report files generated as part of notifications are stored in the installation directory in a folder called NotificationsTmp and are deleted when the notification action is complete.

For more information on the new features and how to use them, refer to each application's on-line help.

Console or Web server?

The product offers access to SecurityExpressions functions through both a Windows console and an ASP.NET-IIS-based Web application. This gives your organization the flexibility to deploy a local Windows application for some users and allow others to access functions using a Web browser. Not all functions are available from both user interfaces.

Both interfaces: schedule audits, generate reports, configure notifications, audit with agent or agentlessly, store credentials securely

Console only: customize policies and rules, remediate, create and manage global machine lists, perform instant audits, securely delegate credentials to server, authorized-users list, set credentials for individual computers, machine lists, or audit tasks

Server only: Audit-On-Connect, self-service audit, browse audit data, personal machine lists, user roles

System requirements

Supported platforms by product component:

Console
  • Windows 2000 Server Service Pack 4 or higher
  • Windows 2000 Professional Service Pack 4 or higher
  • Windows XP Professional
  • Windows 2003 Server Service Pack 2 or higher

Distributed proxy
  • Windows 2000 Server Service Pack 4 or higher
  • Windows 2000 Professional Service Pack 4 or higher
  • Windows XP Professional
  • Windows 2003 Server Service Pack 2 or higher

Agent & audit targets
  • Windows NT 4 (agentless only)
  • Windows 2000 Server and Workstation
  • Windows XP Professional
  • Windows 2003 Server Service Pack 2 or higher
  • Windows 2003 Server 64 bit
  • Windows Vista, 32 bit and 64 bit
  • Red Hat 8, 9, and AS 3
  • SUSE Linux Standard and Enterprise Server 8, 9, 10
  • Solaris 8 4u
  • Solaris 9 4u
  • Solaris 10 4u
  • Solaris 10 x86, 32 bit and 64 bit through 32-bit emulation
  • AIX 5.1, 5.2, 5.3
  • HP-UX 11, 11i

ODBC-compliant database
  • SQL Server Express
  • SQL Server 2000, 2005

Note: Due to Windows Vista's unique security features, auditing computers running Windows Vista often requires modifications to the operating system. See Altiris Knowledgebase article number 41372 for more information.

Installation instructions

This section contains installation notes and special topics on installation and configuration. For instructions on how to install and configure the software, see SecurityExpressions Getting Started Guide.

General notes:

  • Close all programs before installing any component in the software package.
  • You must extract all files from the zipped software package before running the setup executable.
  • If you have multiple copies of the software installed on different computers using the same database, you must upgrade all of them in order for them to work with the updated database.
  • We do not support upgrading from versions of the software prior to version 3.4.

Database support when upgrading

The software no longer supports Oracle or Firebird databases. If you used Oracle or Firebird as your database software with the previous version of the software, a message appears the first time you start the application after upgrading, indicating that your database is no longer supported. Use the Database Options dialog box to connect to a supported database.

As always, back up your database before upgrading.

About deploying the console on a virtual machine

We fully support the console software when deployed on VMWare Workstation 4.0 and higher, as long as the virtual machine meets the console's system requirements listed above. We recommend you configure an Automatic Bridged virtual network on the virtual machine and not a NAT service.

As with all applications running on virtual machines, you might experience reduced performance.

Known issue - When auditing a target system that's a VMWare image of Microsoft Windows XP Service Pack 2 with the built-in firewall enabled, the audit might run slowly.

Installing, using, and upgrading the agent

Windows agents

To install and use the Windows agent on a Windows target system:

1. Copy the file in the \Agent\Windows\ installation folder to the target system and run it.

2. Follow the instructions as you are prompted through a standard installation process.

3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.

4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires NetLogonRight privileges on the target systems to be audited as well as the usual administrative privileges.

Automatic upgrades: When you upgrade the console application, agent upgrades automatically occur on all Windows target systems the first time you audit each target system.

UNIX agents

To install a UNIX agent on a UNIX target system:

1. Copy the file in the appropriate \Agent\ installation subfolder for the operating system to the target system and run it.

2. Configure the agent either manually or using Agent Access Setup.sif, located in \Agent\Configuration\.

3. In the application, place the target systems to be audited in a Machine List by right-clicking on the Machine List and choosing Add new host.

4. Either right-click on the system name or the Machine List, select Edit, and then select the Connect tab in the dialog that appears. Enter the account used for auditing the target system through the agent in the Login for target computer section. This account requires the usual administrative privileges on the target systems.

Upgrading: When you upgrade the console application, you must upgrade the agent on each UNIX target system manually by uninstalling the previous version and then running the installation program on the system.

Using the Windows distributed proxy to audit

If the application is unable to communicate directly with a target system, you can install the agent on a Windows proxy system and connect to it remotely. This becomes necessary if the target system is behind a firewall or other router that blocks Windows Networking or UNIX SSH.

To set up the agent on a Windows proxy system:

1. Copy the file in the \Agent\Windows\ installation folder to the Windows system you plan to use as a proxy and run it on that system.

2. Follow the instructions as you are prompted through a standard installation process.

3. In the lower section of the Connect tab, select the check box to connect through the Proxy. Enter the name of the system on which the proxy resides, and the credentials used to authenticate to the system on which the proxy resides. This account must have administrative privileges on the system on which the proxy resides or belong to one of the agent access groups (see About using privileged agents with the console below). Note that this is not the account on the target system to be audited, but an account used by the software to authenticate to the system on which the proxy resides.

4. The application communicates with the proxy agent through an encrypted SSL session on port 9002 or a user-configurable port.

Configuring the application to use an ODBC-compliant database

If you prefer to use an ODBC-compliant database that you already own, you can configure the application to use that database.

Note: Although you may use a case-sensitive database, we don't recommend it.

To configure the console application to use another database:

1. Select Options from the View menu.

2. When the Options dialog box appears, click the Database tab.

3. Click the ODBC button to configure a data source. When the ODBC Data Source Administrator appears, click the System DSN tab and create a system data source. Close the ODBC Data Source Administrator when you're done.

4. When you return to the Database Options dialog box, select the data source you just created from the Datasource drop-down list.

5. Enter credentials and click OK to finish.

Configuring the database port number

If you're not using the standard port number (1433) to connect to the database, you need to make SecurityExpressions aware of the correct port number. You can do this in the Windows Registry.

To configure a nonstandard port number for use with the Audit and Compliance Server:

1. Open the Windows Registry Editor.

2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo and add the following REG_SZ value:

servername1 REG_SZ connectiontype,servername2,port#

where:

servername1 is the name or IP address of the computer running the database software

connectiontype is the network-connection type, such as dbmssocn for Winsock TCP/IP

servername2 is the same string as servername1 (no interchanging IP addresses and computer names in the same value)

port# is the nonstandard port number you're using

Note: If the registry key doesn't exist, create it first.

3. Close Registry Editor.
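The same ConnectTo alias written from PowerShell instead of Registry Editor, as an added example that is not part of Symantec's release notes. The server name and port are placeholders; the script must run in an elevated (administrator) session because it writes under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not Symantec's code): create the SQL Server client
# ConnectTo alias described above so SecurityExpressions can reach a
# database that listens on a nonstandard TCP port.

$ServerName = 'dbserver01'   # placeholder: name or IP address of the database computer
$Port       = 1444           # placeholder: the nonstandard port number in use

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'

# The ConnectTo key may not exist yet; the release notes say to create it first.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Value format from the release notes: connectiontype,servername2,port#
# dbmssocn selects Winsock TCP/IP. servername2 must be exactly the same
# string as the value name (servername1): do not use an IP address in one
# place and a computer name in the other.
$ValueData = "dbmssocn,$ServerName,$Port"

New-ItemProperty -Path $KeyPath -Name $ServerName -Value $ValueData `
    -PropertyType String -Force | Out-Null

# Read the value back so the alias can be checked before SecurityExpressions
# is started; a mismatch here means the client will still try port 1433.
$Written = (Get-ItemProperty -Path $KeyPath -Name $ServerName).$ServerName
if ($Written -ne $ValueData) {
    throw "Alias '$ServerName' was not written as expected: '$Written'"
}
Write-Output "ConnectTo alias '$ServerName' = '$Written'"
```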

About using privileged agents with the console

If you decide to use agents to connect the console to some remote target systems, you can use our Windows agent on your Windows systems and our UNIX agent on your UNIX systems. Each agent has its own configuration methods. To learn how to configure a Windows or UNIX agent on a remote system, open the on-line help. If you go to the Contents tab and double click the Agent and Agentless Auditing book, you'll find instructions on configuring both Windows and UNIX agents, as well as other information on using agents.

Resolved issues

For SQL Server - services require SQL authentication (4953) - Now you can use either Windows authentication or SQL Server authentication to access the database.

The database and MDAC 2.7 (4908) - The installation package no longer installs Microsoft Data Access Components (MDAC). The database works with whichever version of MDAC that came with your operating system.

Running scheduled tasks from Windows 2003 Server (4917) - Audits no longer return an "Access Denied" error due to a bug in Windows 2003 Server. See Microsoft knowledge base article number 913327 to learn more about the issue with Windows 2003 Server.

Creating machine lists from a SQL Query (5365) - Now you can use WHERE clauses that contain quotes when creating a SQL-query machine list.

Known issues and workarounds

Using Windows authentication on Windows 2000 operating systems (7395)

To use Windows authentication to connect to the database on a Windows 2000 operating system, do the following before connecting to the database from the application:

  1. In Control Panel's Administrative Tools, select Local Security Policy.
  2. In Local Security Settings' left pane, go to Local Policies > User Rights Assignment.
  3. In the right pane, double click Act as part of the operating system.
  4. In the Local Security Policy Settings dialog box, click Add.
  5. In the Select Users or Groups dialog box, select from the list the Windows account to which you're logged on and click Add.
  6. Click OK and then click OK again.
  7. Open SecurityExpressions and connect to the database.
  8. Go back to Local Security Settings and remove the Windows account from the list in the Local Security Policy Settings dialog box.

Wrapping commands with SUDO (5771)

If you're in the Connect tab in the Edit Machine List dialog box or the Host Info dialog box, and you select the Wrap Commands with SUDO option when SSH is not the connection method, the option won't be enabled after you click OK. If you want to wrap commands with SUDO, select SSH as the connection method.

SUDO's targetpw option (7494)

SecurityExpressions doesn't support SUDO's targetpw option. If you try to audit a UNIX computer running SUDO with the targetpw option set, and the Wrap Commands with SUDO setting is selected as a connection option for that computer individually or as part of a machine list, you'll be unable to connect to it.

Adding policy exceptions to target computers (7206)

The Exceptions tab in the Host Info dialog box displays all policy exceptions set for the target computer on which you're viewing host information, whether or not the exceptions are to the open policy file. If you highlight an exception that is not an exception to the open policy file, and if that's the only exception in the list, the settings to add a new exception will be disabled. To enable the settings, close the dialog box and reopen it.

Symantec Antivirus and script rules executed remotely (7039)

If you're running Symantec Antivirus on the computer running SecurityExpressions, script rules executed remotely might cause time-out errors when Windows Task Scheduler is the remote-execution method. To work around this issue, you can either use another remote-execution method or disable scanning in Network Scanning Options, found under File System Auto-Protect in Symantec Antivirus.

Windows accounts and the console application

You must be logged on to a Windows administrator account when using the console application in order to use all of its features.

SIF criteria (7046)

By design, only simple rules are supported in SIF criteria. Some features not supported include global variables, rule variables (via the %get function), and the DependsOn parameter.

Using the COM or the command-line interface on a computer not running SecurityExpressions (4917, 6538)

If you're using SecurityExpressions' COM interface or command-line interface on a computer running Windows 2003 Server but not running the console or server application, you need to 1) make sure the computer has Windows 2003 Server Service Pack 2 or higher and 2) modify the Windows Registry. Open Microsoft knowledge base article number 913327 and follow the instructions in the Registry Information section of the Resolution.

Mixed scopes in notification conditions

If you use multiple conditions of different scopes in one notification, selecting Any Condition might cause a condition to cancel out another condition or otherwise not give you helpful results. If you plan to use conditions of different scopes, think carefully about whether or not it's logical to combine these conditions. If it is, select All Conditions so each condition is considered by the notification.

Database prefixes

If you use SecurityExpressions Audit and Compliance Server in addition to the console application, do not use the Table Prefixes field in the Database Options dialog box when connecting to an ODBC-compliant database.

Unexpected behavior when running reports (6514)

The application might exhibit unexpected behavior in the Reports tab if you run a report with the New Window check box for viewing reports selected and you accidentally right click in the right pane in the Reports tab after displaying the report.

UNIX agents and OpenSSL (5700)

If you use one of the UNIX agents to audit a system with Pluggable Authentication Modules (PAM) configured to authenticate using any method that connects securely through OpenSSL, use OpenSSL 0.9.8, the only version the agent supports. The agent might work properly when using other versions of OpenSSL for PAM authentication, but only version 0.9.8 is supported.

Upgrading the agent manually (4149)

If you upgrade the agent manually on any target systems, either by choice or because the target is a UNIX computer, you must uninstall the previous version of the agent before installing the newer version.

Updating policy files (5380)

If you made changes to any policy files (.sif) and did not save them under a different file name or in a different location, these custom policy files will be overwritten when you upgrade the software or download the latest policy files from our Web site's policy file library. If you want to continue using these custom policy files, change their file names or copy them to another location before upgrading the software or downloading the latest policy files.

Modifying the HasRight check (4971)

The MissingOK modifier does not work when used with the HasRight check.

Default SSH version

The software defaults to using SSH Version 2 when needed. To use SSH Version 1, under the registry key HKEY_LOCAL_MACHINE\Software\Altiris\Security Management\Options, add a string value named "plink" and set it to "-1".

Scheduling agentless audits for systems in a workgroup

If you use both the scheduler and the Windows connection method to audit one system in a workgroup, you must include the system's name in the Username box when setting the connection credentials, in this format: systemname\username.

Restart after changing databases

Any time you connect to a different database using the Database Options dialog box (select Options from View menu and click Database tab), restart the application. This refreshes the connection between the database and each component in the application.

Lost network connections

If the console system becomes disconnected from the network while you're in the application, the application could encounter problems. If this happens, reinstate the network connection and restart the application.

Stopping audits in progress

If you stop an audit while it's in progress and then try to generate reports based on that audit, the Reports tab malfunctions and cannot generate accurate reports.

Modifying credential stores

When you open the Manage Credential Stores dialog box and opt to change a credential store, you'll notice the Password box is blank. That does not mean the credential store does not have a password assigned to it; nor does it mean if you leave the box alone and save changes to the credential store, you're removing the password (passwords cannot be blank). Leave this box alone unless you intend to change the password.

Removing systems from machine lists

The Delete button in the Edit Machine List dialog box's Members tab does not successfully remove systems from machine lists. To remove a system from a machine list, right click the system under the machine list's branch in the tree and select Remove from the menu that appears.

Dynamic machine lists shared between a console and server on separate systems (4617)

If the console software and the server software are installed on separate systems and you create a dynamic machine list on the console from a text file, make sure you import the text file from a network location the server software has access to. The server software cannot audit a dynamic machine list whose content is not accessible to the server.

Copyright

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and SecurityExpressions are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com