Security Content Update Release Notes for CCS 11.0
2012-3 Update
Security Content Update 2012-3 Release Notes
Legal Notice
Copyright © 2012 Symantec Corporation.
All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Contents
Chapter 1 Getting Started
  Post-install Configuration
Chapter 2 Enhancements
  Enhancements in SCU 2012-3
  New checks
  New standards
  New additions in predefined platforms
Chapter 3 Resolved Issues
  Resolved Issues
Chapter 4 Known Issues
  Known Issues
Chapter 5 Files Added or Updated
  Files added or updated for Windows
  Files added or updated for UNIX
  Files added or updated for VMware
Getting Started
This chapter includes the following topics:
■ Post-install Configuration
Post-install Configuration
Before you begin using the Security Content Update 2012-3, you may need to do the following:
■ Update the VMware ESXi Machine assets for the VMware platform
  Refer to the section Upgrading VMware data collection for SCU 2012-3 in the Security Content Update Getting Started Guide.
■ Upgrade the CCS assets for Apache Tomcat Standard
  Refer to the section Upgrading the CCS assets for Apache Tomcat Standard in the Security Content Update Getting Started Guide.
Enhancements
This chapter includes the following topics:
■ Enhancements in SCU 2012-3
■ New checks
■ New standards
■ New additions in predefined platforms
Enhancements in SCU 2012-3
The Security Content Update (SCU) 2012-3 contains the following enhancements:
■ New standards
  See “New standards”.
■ New checks
  See “New checks”.
■ Target types, asset groups, entities, and fields for the predefined platforms.
  See “New additions in predefined platforms”.
■ VMware Platform
  2012-3 Update now enhances the CCS Manager with built-in capabilities to collect data from VMware assets.
  A new predefined VMware platform is now added to enable collection of data for VMware ESX/ESXi through vCenter.
  Note: The settings page for VMware Information Server will not be available after upgrading to SCU.
  Refer to the Upgrading VMware data collection for SCU 2012-3 section in the Security Content Update Getting Started Guide.
■ Windows Platform
  The following standard is updated for Windows platform:
  ■ CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0
■ Policy
  The following policy content is added to CCS in 2012-3 Update:
  ■ MAS IBTRMV3 - Monetary Authority of Singapore Internet Banking and Technology Risk Management Guidelines.
  ■ FEDRAMP - Federal Risk and Authorization Management Program
■ ESM release information
  ■ New platform support
    ■ SQL Server 2012
  ■ The 2012-3 Update adds the following new standards:
    ■ CIS_for_Sybase_v1.1.0
    ■ CIS Security Benchmark for AIX v5.3 and 6.1
■ Check for missing or installed Windows patches on your Windows assets
  The Create or Edit Query wizard lets you select the Windows - Patch Assessment entity, to create a query to check for missing or installed Windows patches on your Windows assets. While selecting a scope to patch, you can specify additional scope for patch assessment in the Additional Settings box. Along with the version numbers, you can also match the checksum of the files to verify installed or missing patches. You can check for all patches for all products, or specific patches for one or more bulletins.
  Note: This enhancement is available only after you install the Product Update 2012-1 or later on CCS 11.0.
■ Web console - Policies
  CCS 11.0 now allows you to raise an exception for policies that are accepted by enabling a key in the web.config file.
  To enable the ‘Request Exception’ option for accepted policies, do the following:
  ■ Take a backup of the web.config file located in the folder <InstallDir>\CCS\Reporting and Analytics\WebPortal
  ■ Under <appSettings> in the web.config file, add the following key and save the changes:
    <add key="EnablePolicyExceptionOnAcceptedPolicy" value="true"/>
    This key enables the ‘Request Exception’ option on user accepted policies.
  Note: If you set the value of the key as “false” or do not specify any value, then the ‘Request Exception’ option does not get enabled on user accepted policies.
New checks
SCU 2012-3 adds new checks to the following standards:
Windows platform
■ The following check is updated for the standard, US Federal Desktop Core Configuration Standard (FDCC) V1.0.1 for Windows Vista:
  ■ Is Service Pack 2 or later applied?
UNIX Platform
■ The following checks are updated for the standard, Security Essentials for AIX 5.x and 6.1:
  ■ Is Service Pack 6100-07-03 or later applied on AIX 6.1 machines?
  ■ Renamed from 'Latest Maintenance Level Applied?' to 'Is maintenance level 5100-09 applied on AIX 5.1 machines?'
SQL Platform
■ The following check is updated for the standard, Security Essentials for Microsoft SQL Server 2008:
  ■ Is service pack 3 or higher applied on SQL Server 2008 and service pack 1 or higher applied on SQL Server 2008 R2?
■ The following check is updated for the standard, CIS Security Configuration Benchmark for Microsoft SQL Server 2005 v1.1.1:
  ■ Is service pack 4 or higher applied on SQL Server 2005?
New standards
SCU 2012-3 adds the following new standards:
■ Security Essentials for Apache Tomcat Server 5.5/6.0
■ VMware Hardening Guidelines for vCenter Servers
■ CIS Security Benchmark for VMware ESX 4.1 v1.0.0
  This standard is applicable to UNIX ESX machines 4.1. This standard contains 78 checks.
■ Advanced Checks on UNIX platform
Note: If you have existing Windows Machine assets, Symantec recommends that you execute the Asset Import Job with the Update rule for assets evaluation. Only then do the Windows Machine assets get updated for the field property, VMware vCenter Server Version, for 2012-3 Update.
New additions in predefined platforms
SCU 2012-3 updates the following predefined platforms:
■ Windows
  The additions for the Windows predefined platform are as follows:

  Target types
  This update adds the following new target types for the platform:
  ■ Windows computers with Apache Tomcat Server Installed
  ■ VMware vCenter 4.0, 4.1, and 5.0 Servers

  Fields
  This update adds the following new fields in the Machines datasource for the platform:
  ■ Is Apache Tomcat Server installed
    This update adds the following optional field to the Windows machines asset:
    ■ Is Apache Tomcat Server installed
      This field returns YES if Apache Tomcat Server is installed as a service or is running by executing the startup.bat file; otherwise it returns NO.
  ■ VMware vCenter Server Version
    This update adds the following optional field to the Windows machines asset:
    ■ VMware vCenter Server Version
      This field reports the version of VMware vCenter Server.

  Asset Groups
  This update adds the following asset groups for the platform:
  ■ Apache Tomcat Server
    Windows Machine - Is Apache Tomcat Server installed Equal To (=) True
  ■ VMware vCenter 4.0 Servers
    Windows Machine - VMware vCenter Server Version Equal To (=) '4.0.0.7797'
  ■ VMware vCenter 4.1 Servers
    Windows Machine - VMware vCenter Server Version Equal To (=) '4.1.0.12319'
  ■ VMware vCenter 5.0 Servers
    Windows Machine - VMware vCenter Server Version Equal To (=) '5.0.0.16964'

  Data Sources
  This update adds the following new datasources for the platform:
  ■ Apache Tomcat Server
  ■ VMware vCenter Server Settings
■ UNIX
  The additions for the UNIX predefined platform are as follows:

  Target types
  This update adds the following new target type for the platform:
  ■ Solaris 11 Machines

  Fields
  This update adds the following new fields in the UNIX Machines datasource for the platform:
  ■ SSL Private Key file
  ■ SSL Certificate file
■ Microsoft SQL
  The addition for the Microsoft SQL predefined platform is as follows:

  Target types
  This update adds the following new target type for the platform:
  ■ SQL Server 2012 Instances
Resolved Issues
This chapter includes the following topics:
■ Resolved Issues
Resolved Issues
The 2012-3 Update resolves the following issues:
■ Queries
  The following issues are resolved for this module:
  ■ Executing data collection queries on the Linux Server assets caused the system to reboot. This issue was observed when the open system call was executed on the file /dev/watchdog.
    2012-3 Update resolves this issue.
  ■ Queries executed on the Content field of the Files datasource failed to respond when they were scoped to the /dev and /proc directories.
    2012-3 Update resolves this issue by blocking the content field for the following cases:
    ■ dev is mounted at the default /dev location.
    ■ proc is mounted at the default /proc location.
    ■ proc is mounted at a custom location other than /proc.
    This solution works for the proc file systems that are present in the /etc/mtab file. If proc file systems are present on the targets but are not present in /etc/mtab, then data for the content field is fetched for such directories if requested.
  ■ Checks for Symantec home directory were retrieving incorrect results. A home directory query scoped to a user having “/” as a home directory was reporting extra records.
    2012-3 Update resolves this issue and no extra records are reported.
■ Standards
  The following issues are resolved for this module:
  ■ Checks executed on Crontab were incorrectly fetching results for /dev and /dev/null also.
    2012-3 Update fixes this issue and now results for /dev and /dev/null are not fetched.
  ■ For the standard "CobiT 4.1 - CIS Benchmark v1.1.2 for Red Hat Enterprise Linux 5.0 and 5.1", the check "Are there no . or group/world-writable directories in roots $PATH?" resulted in unknown.
    2012-3 Update fixes this issue. Now accurate results are fetched for the "Are there no . or group/world-writable directories in roots $PATH?" check.
  ■ For all servers which have SEP 12.1 installed, the check "Is Liveupdate/virus definition 5 days or less" within the standard "Security Essentials for Symantec Endpoint Protection" returned a "Not Applicable" result.
    SCU 2012-3 resolves this issue.
  ■ The check “Is the Syslog daemon accepting messages from other systems on the network?” for the standard "CIS Security Benchmark for HP-UX v.1.3.1" displayed incorrect results.
    The 2012-3 Update resolves the issue and now accurate results are returned.
  ■ Evaluation results for the check "Do unowned files exist on the system?" displayed an error and failed to return any value.
    2012-3 Update resolves this issue.
  ■ The check "Are dot files in user home directories world writable?" returned partially incorrect results. This issue was observed when the check was executed on the home directories.
    The 2012-3 Update resolves the issue. Now accurate results are fetched for the "Are dot files in user home directories world writable?" check.
  ■ Running a Collection-Evaluation-Reporting job with the standard, "CIS benchmark v1.1.2 for RedHat Enterprise Linux 5.0 and 5.1" on an agent-less RHEL 5.x asset resulted in the following error:
    “Error Special Value encountered in FILE.CONTENT field” for the section 11.2 checks:
    No duplicate uids exist in /etc/passwd
    No duplicate username exist in /etc/passwd.
    2012-3 Update resolves this issue and accurate results are reported.
  ■ Queries executed on the standard "CIS Security Benchmark for HP-UX v1.3.1" displayed incorrect results.
    2012-3 Update resolves this issue and accurate results are now fetched on the HP-UX 11.23 target computers.
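The /etc/mtab-based blocking of the Content field described under Queries above can be illustrated as follows. This is an added example, not Symantec's code: the function names, the constructed mtab sample, and the choice to treat /dev and /proc as always blocked are assumptions.

```python
import posixpath
import re

# Constructed sample of /etc/mtab (not taken from the release notes).
SAMPLE_MTAB = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
udev /dev tmpfs rw,mode=0755 0 0
proc /var/chroot/named/proc proc rw 0 0
proc /srv/jail\\040a/proc proc rw 0 0
/dev/sda2 /home ext3 rw 0 0
"""

# Assumption: the default locations are always treated as blocked.
DEFAULT_BLOCKED = {"/dev", "/proc"}


def unescape(field):
    """mtab writes space, tab, newline and backslash as octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def blocked_roots(mtab_text):
    """Return the directories whose file content must not be read."""
    roots = set(DEFAULT_BLOCKED)
    for line in mtab_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        mount_point, fstype = unescape(parts[1]), parts[2]
        if fstype == "proc":  # proc mounted at a custom location
            roots.add(posixpath.normpath(mount_point))
    return roots


def content_allowed(path, roots):
    """False when path is a blocked root or lies beneath one.

    normpath only collapses "." and ".."; it does not resolve symlinks,
    so a collector on a live target would resolve the path first.
    """
    path = posixpath.normpath(path)
    return not any(path == r or path.startswith(r + "/") for r in roots)


if __name__ == "__main__":
    roots = blocked_roots(SAMPLE_MTAB)
    for p in ("/dev/watchdog", "/devices/x", "/srv/jail a/proc/1/mem",
              "/jail/proc/kcore", "/proc/../etc/passwd"):
        print(p, "->", "read" if content_allowed(p, roots) else "blocked")
```

The /jail/proc/kcore case shows the limitation stated in the release notes: a proc file system that is not listed in /etc/mtab is not recognised, so its content is still fetched if requested.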
Known Issues
This chapter includes the following topics:
■ Known Issues
Known Issues
The following known issues are observed in the 2012-3 Update:
■ After upgrading to 2012-3 Update, the settings page for Information Server registration of VMware is displayed; however, the VMware data collection is not done using the Information Server.
■ When you install SCU on a stand-alone CCS Manager, the following message appears in the Warning panel:
  Delete ESM standard platform container from the Directory Server.
  You can ignore the warning and click Next to proceed to the Finish panel.
■ After upgrading to 2012-3 Update, the following QuickFix updates will not work as expected:
  ■ QF 10005
    An Active Directory user who is not a domain administrator but has read access over the RootDSE objects of Active Directory can now be configured to successfully create the domain cache.
  ■ QF 10006
    Data collection is now possible from the target computers in Non-trusted Domains.
Files Added or Updated
This chapter includes the following topics:
■ Files added or updated for Windows
■ Files added or updated for UNIX
■ Files added or updated for VMware
Files added or updated for Windows
The following files are updated for 2012-3:
Note: The version number for all the files is <11.0.546.10100>
Windows.Schema.dll
Symantec.CSM.Wnt.UIControls.dll
VMware.Schema.dll
WntScopes.dll
Symantec.CSM.CredentialMgmt.PlatformCredentials.dll
Symantec.CSM.Content.Localization.Resources.dll
Symantec.CSM.WindowsPlatformContent.WindowsFilePermissions.dll
Symantec.CSM.VMwarePlatformContent.VMwareESXi4x.dll
Unix.Schema.dll
Symantec.CSM.UnixPlatformContent.VMEsx3x.dll
UnixScopes.dll
Symantec.CSM.UnixPlatformContent.RHELv1.0.5.dll
VMwareScopes.dll
Symantec.CSM.Control.JobError.MessageSource.dll
Symantec.CSM.WindowsPlatformContent.WindowsSettings.dll
Symantec.CSM.Resources.ESMSUResources.dll
Symantec.CSM.UnixPlatformContent.AIXv1.0.1.dll
AgentCleanUp.exe
CCSDissolvingAgentStub.exe
CCSDissolvingAgentStubx64.exe
PAUtility.exe
PWCleanUp.exe
PWHashDump.exe
PWHashDumpX64.exe
ADObjectResolver.dll
ADPermissions.dll
AuditSubCategoryDC.dll
BVNTError.dll
BVNTObjects.dll
BVNTPostFilterEnumerators.dll
BVNTProcess.dll
BVNTQuery.dll
BVNTSysObjs.dll
BVVNTScopes.dll
CommonExceptions.dll
DumpSAM.dll
DumpSAMX64.dll
Logging.dll
NTADProcess.dll
NTAnalysis.dll
NTBackEndSnapin.dll
NTCommonUtils.dll
NTFunctions.dll
NTLegacy.dll
NTScopeRefinery.dll
NTTIVExtensions.dll
PortObjectDC.dll
QESharedObjs.dll
RegistrySecurityDC.dll
SecurityAdvisor.dll
SharePointDC.dll
SharePointDCx64.dll
SharePointServer2k7.dll
SharePointServer2k7x64.dll
TextFileContentDC.dll
WinFileHandlers.dll
XMLFileContentDC.dll
Files added or updated for UNIX
The following files are updated in SCU 2012-3:
Note: The version number for all the files is <11.0.546.10100>
UNIXTIVSnapin.dll
BVUnixUsersDataSource.dll
BVUnixSystemDataSource.dll
BVUnixFilesystemDataSource.dll
BVUnixGroupsDataSource.dll
BVUnixMachineDatasource.dll
BvUnixFilesDataSource.dll
BVUnixACLSecurityDatasource.dll
BvCUWinRDCCoreLib.dll
BvCURDCCoreLib.dll
BvUnixServicesDataSource.dll
BVUnixProdInfoDataSource.dll
BVUnixDataSourceImpl.dll
BvUnixPackagesDataSource.dll
BVUnixAPARDataSource.dll
BVUnixFileSync.dll
Files added or updated for VMware
The following files are added or updated in SCU 2012-3:
Note: The version number for the files is <11.0.546.10100>
VMwareRDCCoreLib.dll
VMwareWinRDCCoreLib.dll
VMwareMachineDatasource.dll
VMWARETIVSnapin.dll
VMwareNetworkDataSource.dll
FieldMetaData.mdb
Vmware.assettypedefaultvalues.xml
VMwarevCenterServer.Common.EntitySchema.xml
VMware.schema.dll