Date post: 20-Mar-2020
Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise Release Notes_3.0 Release 3.0 for Symantec ESM 6.5.x and 9.0.1

Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise Release Notes_3.0

Release 3.0 for Symantec ESM 6.5.x and 9.0.1

Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise Release Notes

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 3.0

Legal Notice

Copyright © 2009 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, Enterprise Security Manager, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week

■ Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and maintenance contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.

What's new in this release

This document includes the following topics:

■ What's new in this release

■ New support

■ New module

■ New checks

■ New Template

■ Enhancements

■ Resolved issues

What's new in this release

The following are new in this release of Symantec ESM Sybase modules:

■ New platform support

■ New Sybase version support

■ LiveUpdate support

■ Sybase ASE Discovery module

■ Four new checks in the Sybase ASE Account module

■ Five new checks in the Sybase ASE Configuration module

■ Five new checks in the Sybase ASE Discovery module

■ Two new checks in the Sybase ASE Groups and Roles module

■ Four new checks in the Sybase ASE Object module

■ Ten new checks in the Sybase ASE Password Strength module

■ One new template in the Sybase ASE Object module

■ One new template in the Sybase ASE Password Strength module

■ Enhancements in the Sybase ASE Object, Sybase ASE Patches, and Sybase ASE Password Strength modules.

New support

This release of Symantec ESM Modules for Sybase supports the following:

New platform support:

■ Red Hat Enterprise Linux - AS/ES (32-bit and 64-bit)

New Sybase version support:

■ Sybase 15.0.2

■ Sybase 15.0.3

LiveUpdate support:

■ LiveUpdate is available for the ESM Sybase modules. Before you use the LiveUpdate functionality ensure that you have the ESM Sybase version 2.0 or later installed on the ESM agent computers.

For more information on the System requirements, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

New module

The following new module is added:

■ Sybase ASE Discovery

Sybase ASE Discovery

The checks in the Sybase ASE Discovery module automate the detection and configuration of new Sybase ASE servers that are not yet configured on the ESM agent computers. The Sybase ASE Discovery module also detects and automatically removes the deleted Sybase ASE servers from the /esm/config/SybaseModule.dat configuration file.

New checks

New checks are added in the following modules:

■ Sybase ASE Account (four new checks)

■ Sybase ASE Configuration (five new checks)

■ Sybase ASE Discovery (five new checks)

■ Sybase ASE Object (four new checks)

■ Sybase ASE Password Strength (ten new checks)

■ Sybase ASE Roles and Groups (two new checks)

Sybase ASE Account

The following new checks are added in the Sybase ASE Account module:

■ Accounts with default master databases

■ Accounts with system roles

■ Database user aliases

■ Inactive accounts

■ Login triggers

Accounts with default master databases

This check reports the accounts that have master as their default database. Use the name list to include or exclude the login names that the check should report on.

For more information on the Accounts with default master databases check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Accounts with system roles

This check reports the accounts that have both the sa_role and the sso_role assigned to them. Use the name list to include or exclude the login names that the check should report on.

For more information on the Accounts with system roles check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Database user aliases

This check reports the aliases of the database users that are present on the server. Use the name list to include or exclude the database users whose aliases you want to report.

For more information on the Database user aliases check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Inactive accounts

This check reports the unlocked Sybase ASE logins that have not logged on to the server for more than the number of days that is specified in the Days since last login text box. Use the name list to include or exclude the login names that the check should report on. Sybase ASE 15.0.2 and later versions support this check.

For more information on the Inactive accounts check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Login triggers

This check reports the Sybase ASE logins that have login triggers assigned to them and the global login trigger defined on the Sybase ASE server. Use the name list to include or exclude the login names that the check should report on.

For more information on the Login triggers check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sybase ASE Configuration

The following new checks are added in the Sybase ASE Configuration module:

■ Net password encryption

■ Database on master device

■ Sample databases

■ Sybase homes

■ Trusted remote logins

Net password encryption

This check reports the remote servers for which the 'net password encryption' option is set to false.

For more information on the Net password encryption check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Databases on master device

This check reports the databases that are present on the master device. Use the name list to include or exclude the database names that the check should report on.

For more information on the Databases on master device check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sample databases

This check reports the Sample databases that you should remove from the Sybase ASE Servers. Use the name list to include the database names that the check should report on. If the name list is left empty the check reports no problems found.

For more information on the Sample databases check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sybase homes

This check reports the Sybase home and the OCS directory for the Sybase ASE servers that are configured in the SybaseModule.dat file.

For more information on the Sybase homes check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Trusted remote logins

This check reports any remote logins with the trusted status that are found on the Sybase ASE servers.

For more information on the Trusted remote logins check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sybase ASE Discovery

The following new checks are added in the Sybase ASE Discovery module:

■ Detect new database server

■ Detect deleted database server

■ Automatically add new database server

■ Automatically remove deleted database server

■ Validate configuration

Detect new database server

This check reports the Sybase ASE servers that are newly detected on the ESM agent computers and that were not configured earlier.

For more information on the Detect new database server check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Detect deleted database server

This check reports the Sybase ASE servers that are deleted or unreachable but are still configured in the /esm/config/Sybasemodule.dat configuration file.

For more information on the Detect deleted database server check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Automatically add new database server

This check works with the Detect new database server check. The check Automatically add new database server uses the generic credentials to automatically configure the newly detected Sybase ASE servers.

For more information on the Automatically add new database server check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Automatically remove deleted database server

This check works with the Detect deleted database server check to automatically remove the deleted Sybase ASE server records from the esm/config/Sybasemodule.dat configuration file.

For more information on the Automatically remove deleted database server check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Validate configuration

This check validates the entries of the configuration records for successful connection and assigned roles. The Sybase ASE Discovery module automatically corrects the accounts, if the generic credential that is used is sa and the configuration record entry is SYMESMDBA.

For more information on the Validate configuration check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sybase ASE Object

The following new checks are added in the Sybase ASE Object module:

■ Accounts with CREATE permission

■ Accounts with set proxy permission

■ Grantees to check

■ Stored procedure signature

Accounts with CREATE permission

This check reports the database users, roles, and groups that are explicitly granted CREATE permissions. Use the Keys list to specify the CREATE permissions that the check should report on. Use the Databases to check name list to include or exclude the databases that you want the check to report on. Use the Grantees to check name list to include or exclude the grantees from the check to report on.

For more information on the Account with CREATE permission check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Accounts with set proxy permission

This check reports the database users, roles, and groups that are explicitly granted the set proxy or set session authorization permissions. Use the Grantees to check name list to include or exclude the grantees from the check to report on.

For more information on the Accounts with set proxy permission check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Grantees to check

Use the name list to include or exclude the grantees for the Account with CREATE permission check and with the Accounts with set proxy permission check.

Stored procedure signature

This check reports the occurrences of the stored procedures, whose signatures are different from the signatures that you define in the template. If you do not define any signature for the stored procedure in the template, then the check reports the signatures of the matched stored procedure. You can use the Template update feature to update the template with the signatures that the check reports.

For more information on the Stored procedure signature check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

See “New Template” on page 17.

Sybase ASE Password Strength

The following new checks are added in the Sybase ASE Password Strength module:

■ Hide guessed password details

■ Login options(account)

■ Maximum failed login attempts

■ Maximum reported messages

■ Monitor password age

■ Password complexity parameters

■ Roles to check

■ Roles - maximum failed login attempts

■ Roles - minimum password length

■ Roles - password expiration

Hide guessed password details

When you enable this check, the security checks no longer display the details of the guessed password. This check works with the Password = login name, Password = any login name, password = wordlist word, Reverse order, Double occurrences, Plural, Prefix, and Suffix checks.

Login options(account)

This check works with the Password expiration, Minimum password length, and Maximum failed login attempts checks. The Login options(account) check reports the individual login accounts that do not satisfy the condition that you specify in the login configuration parameters-related checks. Use the name list to specify the logon accounts that you want to include or exclude.

For more information on the Login options (account) check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Maximum failed login attempts

This check reports the Sybase ASE servers that have the system-wide 'maximum failed login attempts' configuration parameter set higher than the value that you specify in the Maximum failed login attempts text box or that have the 'maximum failed login attempts' configuration parameter less than or equal to 0. Enable this check with the Login options(account) check to report all the login accounts that have the 'maximum failed login attempts' configuration parameter more than the value that you specify. Enable this check with the Roles to check name list to specify the roles whose members you want to include or exclude from reporting the violations in the 'maximum failed login attempts' settings.

For more information on the Maximum failed login attempts check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Maximum reported messages

This check limits the number of messages that the module returns.

You can specify a limit for the number of messages that the module returns. On reaching the maximum limit for a single message, the module displays the message again with the number of the repeating instances of the message that are not reported.

Monitor password age

This check reports any unlocked accounts with the passwords that are older than the limit that you specify.

For more information on the Monitor password age check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Password complexity parameters

This check reports the values for the password complexity options that do not match with the values that you specify in the template. You can use the 'sp_passwordpolicy' stored procedure to set the password complexity options.

Sybase ASE 12.5.4, 15.0.2, and 15.0.3 versions support this check.

For more information on the Password complexity parameters check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

See “New Template” on page 17.

Roles to check

Use the name list to specify the roles that you want to include or exclude from reporting violations. Use this name list with the Login options(account) check to report the members of the roles that you want to include or exclude from reporting violations.

Roles - maximum failed login attempts

This check reports the roles that have the maximum failed login attempts configuration parameter set higher than the value specified in the Maximum failed login attempts text box or the roles that have the 'maximum failed login attempts' configuration parameter less than or equal to 0. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the 'maximum failed login attempts' settings.

For more information on the Roles - maximum failed login attempts check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Roles - minimum password length

This check reports the roles that have the password length set less than the value specified in the Minimum password length text box. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the 'minimum password length' settings.

For more information on the Roles - minimum password length check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Roles - password expiration

This check reports the roles that have the 'password expiration' configuration parameter higher than the value that you specify or the roles that have the 'password expiration' configuration parameter value set to 0. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the 'password expiration' settings.

For more information on the Roles - password expiration check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sybase ASE Roles and Groups

The following new checks are added in the Sybase ASE Roles and Groups module:

■ Accounts to check

■ Granted prohibited roles

Accounts to check

Use this check to include or exclude the login accounts for the Granted prohibited roles check.

Granted prohibited roles

This check reports the accounts that have been granted specified roles. Use the name list to include or exclude the prohibited roles that the check should report on.

For more information on the Granted prohibited roles check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

New Template

The following new templates are added in the Sybase ASE Release 3.0:

■ Sybase Stored Procedure Signatures (Sybase ASE Object)

■ Sybase Password Parameter (Sybase ASE Password Strength)

Sybase Password Parameter

The Sybase Password Parameter template is introduced for the Password complexity parameters check in the Sybase ASE Password Strength module. This template outlines unauthorized password policy parameter values for Sybase.

The default template extension is .ssp.

Creating the Sybase Password Parameter template

You must create and enable a new Sybase Password Parameter template before you run the Password complexity parameters check in the Sybase ASE Password Strength module.

To create a Sybase Password Parameter template

1 In the tree view, right-click Templates, then click New.

2 In the Create New Template dialog box, select Sybase Password Parameter-all.

3 Type a new template file name of no more than eight characters, without a file extension.

Symantec ESM adds the appropriate extension to the file name.

4 Click OK.

Using the Sybase Password Parameter template

The Sybase Password Parameter template contains the following fields:

Parameter Name: Specify the name of the parameter that the check reports on. Parameter name is the option that can be set using the sp_passwordpolicy.

Comment: Specify the comment that you want to display in the Information field of reported messages.

Sybase ASE Version: Lets you specify the Sybase ASE version of the target server.

■ empty: All releases (default if no release specified)

■ 12.5.4: Release 12.5.4

■ +12.5: Release 12.5.x and later

■ +15: Release 15.x.x and later

■ +15.0: Release 15.0.x and later

Severity Level: Specify the severity for the messages that ESM reports on this data. You can specify one of the following values:

■ Green

■ Yellow

■ Red

Parameters Value: Lets you specify the parameter values by using the Template Sublist Editor. You can use the value of the option that you have set using the sp_passwordpolicy. Specify the following parameters in this sublist:

■ Prohibited: Lets you specify if the parameter value that you have entered is prohibited.

■ Value: Lets you specify the value that is expressed as a regular expression or as a numeric comparison for the parameter.

If the value begins with one of the following operators, a numeric comparison is performed:

■ = equal to

■ < less than

■ > greater than

■ != not equal to

■ <= less than or equal to

■ >= greater than or equal to

See “New checks” on page 9.
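How the Sybase ASE Version and Parameters Value fields could be evaluated against a server's password policy, as an added Python example that is not Symantec code. The match semantics (whole-value regular expressions; a Prohibited row is reported on a match and a non-Prohibited row on a mismatch), the function names, and the sample option values are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Numeric operators listed for the Value field. Two-character operators come
# first so that "<=8" is not parsed as "<" followed by "=8".
OPERATORS = [
    ("<=", lambda a, b: a <= b),
    (">=", lambda a, b: a >= b),
    ("!=", lambda a, b: a != b),
    ("=", lambda a, b: a == b),
    ("<", lambda a, b: a < b),
    (">", lambda a, b: a > b),
]


def _parts(version, width):
    """Split '15.0.3' into [15, 0, 3], padded or cut to `width` components."""
    nums = [int(p) for p in version.split(".")]
    return (nums + [0] * width)[:width]


def version_applies(spec, server_version):
    """Sybase ASE Version field: '' = all, '12.5.4' = exact, '+15.0' = 15.0.x and later."""
    spec = spec.strip()
    if not spec:
        return True
    wanted = [int(p) for p in spec.lstrip("+").split(".")]
    have = _parts(server_version, len(wanted))
    return have >= wanted if spec.startswith("+") else have == wanted


def value_matches(expr, actual):
    """Value field: numeric comparison if it begins with an operator, else a regex."""
    expr, actual = expr.strip(), actual.strip()
    for symbol, compare in OPERATORS:
        if expr.startswith(symbol):
            try:
                return compare(float(actual), float(expr[len(symbol):]))
            except ValueError:
                return False  # a non-numeric value never satisfies a numeric test
    return re.fullmatch(expr, actual) is not None  # assumption: whole-value match


@dataclass
class Row:
    parameter: str    # Parameter Name (an sp_passwordpolicy option)
    version: str      # Sybase ASE Version
    severity: str     # Green, Yellow, or Red
    prohibited: bool  # Prohibited flag from the Parameters Value sublist
    value: str        # Value from the Parameters Value sublist


def evaluate(rows, server_version, policy):
    """Return (severity, parameter, actual value) for every violated row."""
    findings = []
    for row in rows:
        if not version_applies(row.version, server_version):
            continue
        if row.parameter not in policy:
            continue
        matched = value_matches(row.value, policy[row.parameter])
        # Assumption: prohibited rows fire on a match, required rows on a mismatch.
        if matched == row.prohibited:
            findings.append((row.severity, row.parameter, policy[row.parameter]))
    return findings


# Constructed sample template and server settings (not taken from a real server).
TEMPLATE = [
    Row("minimum password length", "", "Red", True, "<8"),
    Row("min digits in password", "+15.0", "Yellow", False, ">=1"),
    Row("disallow simple passwords", "+15", "Red", False, "1"),
    Row("min special char in password", "12.5.4", "Yellow", False, ">=1"),
]
POLICY = {
    "minimum password length": "6",
    "min digits in password": "0",
    "disallow simple passwords": "1",
    "min special char in password": "0",
}

if __name__ == "__main__":
    for version in ("15.0.3", "12.5.4"):
        for severity, name, actual in evaluate(TEMPLATE, version, POLICY):
            print(f"ASE {version}: [{severity}] {name} = {actual}")
```

The same template yields different findings per server because rows whose version field does not cover the target release are skipped before any value is compared.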

Sybase Stored Procedure Signatures

The Stored procedure signature check uses the Sybase Stored Procedure Signatures template to report the occurrences of the stored procedures, whose signatures are different from the signatures that you define in the template.

The Stored Procedure Signatures template has a default .sps extension.

Creating the Sybase Stored Procedure Signatures template

You must create and enable a new Sybase Stored Procedure Signatures template before you run the Stored procedure signature check.

To create a Sybase Stored Procedure Signatures template

1 In the tree view, right-click Templates, then click New.

2 In the Create New Template dialog box, select Sybase Stored Procedure Signatures-all.

3 Type a new template file name of no more than eight characters, without a file extension. Symantec ESM adds the .sps extension to the file name.

4 Click OK.

Using the Sybase Stored Procedure Signatures template

The Sybase Stored Procedure Signatures template contains the following fields:

Database: Specify a database name for the check to report on.

Stored procedure: Specify a stored procedure for the check to report on.

Comment: Specify an additional comment on the parameter that you have added.

Sybase ASE Version: Specify the Sybase ASE version of the target server that you want the check to report on.


Required: Select whether you want ESM to report the stored procedures that are optional or mandatory, in this sublist.

This sublist contains the following options:

■ Mandatory

ESM reports the stored procedure as missing, if the Stored Procedure Signatures check is unable to find the stored procedures.

■ Optional

ESM does not report anything even when the Stored Procedure Signatures check is unable to find the stored procedure.

Signature: Leave the column blank if you are unsure of the correct versions of the stored procedure signatures. When the check reports the signatures, use the Template update feature to update the template with the signature that the check has reported.

See “New checks” on page 9.
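An added Python example (not the module's own code) of the comparison that this template drives, covering the Sybase ASE Version, Required, and Signature fields. It assumes the signature is a SHA-256 hash of the procedure text, which these release notes do not specify; the procedure names and data are constructed.

```python
import hashlib

def signature(source_text):
    """Assumed signature: SHA-256 of the whitespace-normalised procedure text."""
    return hashlib.sha256(" ".join(source_text.split()).encode()).hexdigest()

def check_signatures(template_rows, server_procs, ase_version):
    """Return (database, procedure, finding) tuples for one server."""
    findings = []
    for row in template_rows:
        if row["version"] != ase_version:
            continue  # row is for a different Sybase ASE version
        key = (row["database"], row["procedure"])
        text = server_procs.get(key)
        if text is None:
            if row["required"] == "Mandatory":  # Optional rows stay silent
                findings.append(key + ("missing",))
            continue
        actual = signature(text)
        if not row["signature"]:
            # Blank Signature: report the value so the template can be updated.
            findings.append(key + ("unrecorded " + actual,))
        elif row["signature"] != actual:
            findings.append(key + ("changed",))
    return findings

def entry(db, proc, required, sig="", version="15.0.2"):
    """Build one template row from the template's fields."""
    return {"database": db, "procedure": proc, "version": version,
            "required": required, "signature": sig}

# Constructed sample data, not taken from a real server.
BASELINE = "create procedure sp_demo_audit as select suser_name()"
SERVER = {
    ("master", "sp_demo_audit"): BASELINE + " select 1",  # differs from baseline
    ("master", "sp_demo_clean"): "create procedure sp_demo_clean as select 2",
}
TEMPLATE = [
    entry("master", "sp_demo_audit", "Mandatory", signature(BASELINE)),
    entry("master", "sp_demo_clean", "Mandatory"),   # signature not yet recorded
    entry("sales", "sp_demo_report", "Optional"),    # absent, Optional
    entry("sales", "sp_demo_new", "Mandatory"),      # absent, Mandatory
    entry("master", "sp_demo_old", "Mandatory", version="12.5.4"),
]

if __name__ == "__main__":
    for finding in check_signatures(TEMPLATE, SERVER, "15.0.2"):
        print(finding)
```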

Enhancements

The following enhancements are made in this release:

Configuration: The location of the configuration logs has changed from /esm/tmp to esm/system/#agent.

Sybase ASE Account: The check Enabled Default Logon Accounts has been renamed to Unlocked default logon accounts.

This check has been modified to report the default logon accounts that should be locked. Use the name list to include the default logon accounts that you want the check to report on. If the name list is left empty the check reports no problems found.


Sybase ASE Discovery: A new configuration option PrecreatedNoPassChange is now added in the esm/config/esmsybaseenv.dat file.

If the parameter config PrecreatedNoPassChange 1 is present in the esm/config/esmsybaseenv.dat file, then ESM does not change the password of the pre-created account.

If pre-created credentials are to be configured as generic credentials, then add config PrecreatedNoPassChange 1 in the esm/config/esmsybaseenv.dat file.

By default the value of the parameter is not set.

Sybase ASE Object: The check User access to database has been enhanced to support the exclude name list. Use the name list to include or exclude the databases for the check to report on.

Sybase ASE Object: The Sybase ASE Objects Permissions template has been enhanced to support wildcards.

Sybase ASE Patches: The module has been enhanced to ship with a default Sybase ASE Patch template. The default template is now available with the latest patches released by Sybase.

Sybase ASE Password Strength: The check Password = wordlist word has been modified by adding a Percent of words per policy run text box to shorten the policy run time. In the Percent of words per policy run text box, you can type a number less than 100. The number defines the percentage of words that are examined during each run. In the word list, each run starts where the previous run ended.

Sybase ASE Password Strength: The check Password contain a digit has been renamed to Password contains digits.

This check has been enhanced to report the servers that have minimum required digits in the password set less than the value specified in the Min digits in password text box. The check searches for the value of the minimum digits in the password option set by the sp_passwordpolicy stored procedure. If the value is unavailable then the check uses the value of the 'check password for digit' parameter of the global setting.


Sybase ASE Password Strength: The check Minimum password age has now been renamed to Password expiration.

The check Password expiration has been enhanced to report on both account level setting and system-wide settings on the ESM agent computers. This check also reports on the 'sp_passwordpolicy' settings on the Sybase 12.5.4 and later and Sybase 15.0.2 and later versions.

For more information on the Password expiration check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Sybase ASE Password Strength: The check Minimum password length has been enhanced to report the Sybase ASE servers that have the system-wide minimum password length configuration parameter less than the value that you specify.

The check Minimum password length has also been enhanced to report on both the account level settings and the system-wide settings. This check also reports on the sp_passwordpolicy settings on the Sybase 12.5.4 and later and 15.0.2 and later versions.

For more information on the Minimum password length check, see the Symantec Enterprise Security Manager™ Modules for Sybase Adaptive Server Enterprise User’s Guide.

Resolved issues

The following issues are resolved in this release:

Sybase ASE Object: The checks New granted object permission, Accounts without workstation restriction, and Deleted granted object permission have been modified to report the Column name in the Information field.

Configuration and Installation: The SybaseSetup utility now reports a failure message if the configuration log file or the tmp folder is inaccessible.


Configuration and Installation: Earlier, during installation or configuration, the passwords that were entered on the command prompt were visible with the ps command. This issue has been resolved and now you can use the shell parameters instead of the actual password strings.

For example,

# export ESMPASS=<esm-password>

# export ESMSYBPASS=<Sybase-account-password>

You do not have to provide the password options:

■ If you use the shell parameters during install and configuration.

For example, ./SybaseSetup -a {SybaseASE} -S {sybase dir} -O {OCS dir} -A {account} [-n]

■ If you do not use the shell parameters during installation and configuration.

For example, # ./esmsyb.tpi –-it –{-m} {-U} {-p} {-P} {-g} {-Y} {-A} {-C}

./SybaseSetup -a {SybaseASE} -S {sybase dir} -O {OCS dir} -A {account} -P {password} [-n]
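An added Python example (not part of the product) that checks the exposure this fix addresses: it starts a child process with a constructed password, once as a -P argument and once in the ESMSYBPASS shell parameter, and reports whether the password appears in the command line that ps reads. The child command is a stand-in, not SybaseSetup.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-password"   # constructed sample value, not a real credential
CHILD = "import time; time.sleep(30)"  # stand-in for a long-running setup tool

def visible_command_line(pid):
    """Return the argument list that ps reports for this PID."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:  # Linux
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        # Systems without /proc: ask ps for the argument list instead.
        return subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                              capture_output=True, text=True).stdout

def secret_exposed(pass_in_argv):
    """Start a child with the secret in argv or in the environment and
    report whether the secret appears in its visible command line."""
    argv = [sys.executable, "-c", CHILD]
    env = dict(os.environ)
    if pass_in_argv:
        argv += ["-P", SECRET]       # earlier behaviour: -P {password}
    else:
        env["ESMSYBPASS"] = SECRET   # resolved behaviour: shell parameter
    child = subprocess.Popen(argv, env=env)
    try:
        return SECRET in visible_command_line(child.pid)
    finally:
        child.kill()
        child.wait()

if __name__ == "__main__":
    print("password on command line visible:", secret_exposed(True))
    print("password in shell parameter visible:", secret_exposed(False))
```

Environment variables are absent from the ps argument listing but remain readable by the same user and by root (for example through /proc/<pid>/environ on Linux), so unset ESMPASS and ESMSYBPASS once setup completes.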

Sybase ASE Object: The performance of the following checks has been drastically improved by reducing the number of the opened Sybase objects:

■ Object permission

■ Grantable object permission

■ Granted object permission

■ New granted object permission

■ Deleted granted object permission


All Sybase ASE modules: The Sybase modules have been enhanced to time out if the Sybase server is unable to complete the request within the specified time. You can specify the timeout parameter in the #esm/config/esmsybaseenv.dat file. You can specify the timeout period in seconds as “config UsingTimeout <number of seconds>”.

The module reports the message, “CT-LIBRARY error: ct_results(): user api layer: internal Client Library error: Read from the server has timed out”. You can view the message in the ESMSybase_out file that can be found in the #esm/system/<servername>/tmp folder.

Sybase ASE Roles and Groups: The performance of this module has drastically improved by reducing the number of connections that are made to the Sybase server.

Sybase ASE Roles and Groups: The performance of the checks Role grantees, New roles, and Deleted roles has been drastically improved by reducing the number of connections that are made to the Sybase database server.
