Security Content Update Release Notes for CCS 11.0. 2013-1 Update




Security Content Update 2013-1 Release Notes

Legal Notice

Copyright 2013 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo, BV-Control, Enterprise Security Manager, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Contents

Chapter 1 Enhancements
    Enhancements in SCU 2013-1
    New standards
    New additions in predefined platforms
Chapter 2 Resolved Issues
    Resolved Issues
Chapter 3 Files Added or Updated
    Files added or updated for SCU 2013-1
Chapter 4 Known Issues
    Known Issues


Chapter 1 Enhancements

This chapter includes the following topics:
- Enhancements in SCU 2013-1
- New standards
- New additions in predefined platforms

Enhancements in SCU 2013-1

The Security Content Update (SCU) 2013-1 contains the following enhancements:

- New standards. See New standards.
- Target types, asset groups, entities, and fields for the predefined platforms. See New additions in predefined platforms.
- Windows Agent-based data collection for Windows Server 2012 is now supported in 2013-1 Update. The Windows 2012 Agent and the relevant infrastructure changes required for the data collection will be available with the CCS 11.0 Product Update 2013-2.
- CCS now reports only actionable messages as Warnings; messages that do not require any action are displayed as information. For example, messages related to permissions or denied access are displayed as warnings, and messages related to file not found or registry not found are displayed as information.
- Data collection can now be done on the Windows target computers using the Patch assessment data source even when the Remote Registry Service is not running.

Microsoft SQL

You can now collect data from the Microsoft SQL Server target computers in non-trusted domains.

Policy

The following policy content is added to CCS in 2013-1 Update:
- SANS Top 20 Security Controls
- COBIT 5.0

Windows Domain Cache

In a multiple domain controller environment, you can now specify a particular domain controller to be used for cache building. To specify a domain controller, add the following information in the ConfigurationSettings.xml file that is located at <CCS_install_directory>\DPS\control\Windows:

    <PlatformSetting>
      <Key>DCForCacheToUse</Key>
      <Value><![CDATA[DomainName:DomainControllerName;Domain1:DomainController1]]></Value>
    </PlatformSetting>

You must specify only one domain controller for a domain. You can provide the host name, IP address, or FQDN of the domain controller. Ensure that the domain controller you provide resolves from the CCS Manager computer. If the domain controller specified in the ConfigurationSettings.xml file is not reachable, CCS uses any other available domain controller on the network to build or refresh the cache.

You can now specify the cache build retry interval. Specifying an appropriate cache build retry interval ensures that jobs do not remain in the executing state for a long time if cache building fails. The default cache build retry interval is 30 minutes. To specify a custom cache build retry interval, add the following information in the ConfigurationSettings.xml file that is located at <CCS_install_directory>\DPS\control\Windows:

    <PlatformSetting>
      <Key>CacheFailureRetryInterval</Key>
      <Value><![CDATA[30]]></Value>
    </PlatformSetting>

To see all warnings related to Domain Cache, in the Symantec.CSM.DPS.config file that is located at <CCS_install_directory>\Reporting and Analytics, set the following parameter to true:

    <add key="enablerecordswarnings" value="false" />

If the above parameter does not exist in the file, add the parameter and then set the value to true.

Note: After applying SCU 2013-1, the first data collection job or the first query job requires more time to complete the job run.

New standards

SCU 2013-1 adds the following new standards:
- Security Essentials for Red Hat Enterprise Linux 6.x
- CIS Security Configuration Benchmark for Microsoft SQL 2008 R2 Database v1.0.0
- Security Essentials for Windows 2012

The following standard is modified in SCU 2013-1:
- CIS Benchmark v1.1.2 for Red Hat Enterprise Linux 5.0 and 5.1

New additions in predefined platforms

SCU 2013-1 updates the following predefined platforms:

Microsoft SQL

Additions for the Microsoft SQL predefined platform are as follows:

Fields

This update adds the following new fields in the Servers data source for the platform:
- Server Login Audit: This field returns the login auditing setting for each server instance.
- Is SQL Server Database Engine Instance Hidden?: This field returns true if the 'Hide Instance' option is set to 'Yes' for SQL Server instances.

This update adds the following new fields in the Databases data source for the platform:
- Are Orphaned Users Removed From SQL Server Databases?: This field returns true if orphaned users are not present in databases.
- Is CLR Assembly Permission Set value set to SAFE_ACCESS?: This field returns true if the value for CLR Assembly Permission Set is set to SAFE_ACCESS.

UNIX

Additions for the UNIX predefined platform are as follows:

Target types

This update adds the following new target type for the platform:
- Red Hat Enterprise Linux 6.x Machines

Fields

This update adds the following new field in the Processes data source for the platform:
- Is Daemon Unconfined?

Asset Groups

This update adds the following asset groups for the platform:
- Red Hat Enterprise Linux 6.x Servers
  Unix Machine Operating Distribution Field Equal To(=)*Red Hat Enterprise Linux* and Unix Machine Operating System Version Equal To(=) 6 or Unix Machine Operating System Version Equal To(=) 6.x
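The Windows Domain Cache settings described earlier in this chapter carry two rules that are easy to break by hand: only one domain controller per domain, and a controller that resolves from the CCS Manager computer. The following check is an added example, not part of the Symantec release notes or of CCS. It assumes a root element named Settings around the PlatformSetting entries, assumes the retry interval must be a positive whole number of minutes, and uses constructed domain and host names.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample. The <Settings> root is an assumption; only the
# <PlatformSetting> entries follow the release notes.
SAMPLE = """<Settings>
  <PlatformSetting>
    <Key>DCForCacheToUse</Key>
    <Value><![CDATA[CORP:dc01.corp.example;LAB:10.0.0.5;CORP:dc02.corp.example]]></Value>
  </PlatformSetting>
  <PlatformSetting>
    <Key>CacheFailureRetryInterval</Key>
    <Value><![CDATA[thirty]]></Value>
  </PlatformSetting>
</Settings>"""


def read_platform_settings(xml_text):
    """Return {key: value} for every <PlatformSetting> found at any depth."""
    settings = {}
    for node in ET.fromstring(xml_text).iter("PlatformSetting"):
        key = (node.findtext("Key") or "").strip()
        if key:
            settings[key] = (node.findtext("Value") or "").strip()
    return settings


def parse_dc_map(value):
    """Split 'Domain:DC;Domain:DC' into {domain: dc} plus a list of problems."""
    mapping, problems, seen = {}, [], set()
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        # Split on the first colon only, so an IPv6 literal stays intact.
        domain, sep, dc = entry.partition(":")
        domain, dc = domain.strip(), dc.strip()
        if not sep or not domain or not dc:
            problems.append(f"malformed entry: {entry!r}")
        elif domain.lower() in seen:
            problems.append(f"more than one domain controller for {domain}")
        else:
            seen.add(domain.lower())
            mapping[domain] = dc
    return mapping, problems


def dns_resolve(host):
    """Default resolver: raises OSError when the name does not resolve."""
    socket.getaddrinfo(host, None)


def validate(xml_text, resolve=dns_resolve):
    """Return a list of problems; run it on the CCS Manager computer."""
    settings = read_platform_settings(xml_text)
    problems = []
    if "DCForCacheToUse" in settings:
        mapping, problems = parse_dc_map(settings["DCForCacheToUse"])
        for domain, dc in mapping.items():
            try:
                resolve(dc)
            except OSError:
                problems.append(f"{dc} (domain {domain}) does not resolve from this host")
    if "CacheFailureRetryInterval" in settings:
        raw = settings["CacheFailureRetryInterval"]
        # Assumption: the value is a positive whole number of minutes.
        if not raw.isdigit() or int(raw) == 0:
            problems.append(f"retry interval is not a positive number of minutes: {raw!r}")
    return problems


if __name__ == "__main__":
    known = {"dc01.corp.example", "10.0.0.5"}  # constructed, keeps the demo offline

    def offline_resolve(host):
        if host not in known:
            raise OSError(host)

    for problem in validate(SAMPLE, resolve=offline_resolve):
        print("WARNING:", problem)
```
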


Chapter 2 Resolved Issues

This chapter includes the following topics:
- Resolved Issues

Resolved Issues

The 2013-1 Update resolves the following issues:

Standards

The following issues are resolved for this module:

- The check "9.41 Is RESOURCE role not assigned to any user or role?" reported incomplete evidence results. The evidence results failed to provide the name of the user or the role that has the Resource role assigned. 2013-1 Update resolves this issue.

- The following checks in the CIS Oracle 9i and 10g Database Security Benchmark v2.0 displayed incorrect file permissions in the evaluation result:
    3.02 Do all files in the $ORACLE_HOME/bin directory on a UNIX server have permissions set to 0755 or less?
    3.03 Do all files in the $ORACLE_HOME directories have permissions set to 0750 or less? (All except /bin)
  The file permission values were displayed as 000. 2013-1 Update resolves this issue and the checks display the accurate file permissions in the evaluation result.

- Queries executed on CIS Oracle 9i and 10g Database Security Benchmark v2.0 displayed an error message about incorrect parameters. This issue was observed because some primary fields were missing in the data collection queries for the following check:
    2.12 Is service name and SID not ORCL?
  2013-1 Update resolves this issue. The check "2.12 Is service name and SID not ORCL?" is now updated and the data collection queries are executed without any error.

- The following checks in the CIS Oracle 9i and 10g Database Security Benchmark v2.0 displayed files from all Oracle home directories in evaluation results instead of only the files from the scoped database's Oracle home:
    3.02 Do all files in the $ORACLE_HOME/bin directory on a UNIX server have permissions set to 0755 or less?
    3.03 Do all files in the $ORACLE_HOME directories have permissions set to 0750 or less? (All except /bin)
  Files from all the Oracle home directories were fetched instead of fetching from only the scoped Oracle databases.

- The check for processing the duplicate UIDs and GIDs was not executing accurately. The check was being marked as Fail even when the Allow Duplicate Names parameter was set to True and there were duplicate entries for user name, group name and their corresponding IDs. 2013-1 Update resolves this issue.

- The data collection for CIS Oracle 9i and 10g Database Security Benchmark v2.0 timed out due to the recursive file search option in the following checks:
    3.02 Do all files in the $ORACLE_HOME/bin directory on a UNIX server have permissions set to 0755 or less?
    3.03 Do all files in the $ORACLE_HOME directories have permissions set to 0750 or less? (All except /bin)
  2013-1 Update resolves this issue. The file search option is changed to scan only the Oracle home directory, which resolves the time-out issue.

- Data collection queries executed on Oracle computers failed and the following error message was displayed:
    Oracle home not found
  This issue was observed when the oratab file had trailing comments, spaces, or tabs. 2013-1 Update resolves this issue.

- Data collection queries failed to execute on Oracle servers that were in a Windows untrusted domain. 2013-1 Update resolves this issue.

- Oracle data collection jobs failed to execute on UNIX target computers and the following error message was displayed:
    Unable to detect oracle home
  2013-1 Update resolves this issue.

Jobs

The following issues are resolved for this module:

- The collection-evaluation-reporting jobs and data source queries executed on the Oracle databases that were hosted in the Windows environment failed and the following error message was displayed:
    The Remote Procedure Call Failed and did not execute.
  2013-1 Update resolves this issue. The CER jobs and data source queries are now executed accurately.

- For agent-based SQL Assets, the content update should be run for Windows along with SQL after applying the 2013-1 Update.

- Asset import job for the Oracle assets on UNIX failed when the su functionality was disabled on the target and the following error was displayed:
    '.../bin/su permission denied' and 'incorrect password error'
  This issue was observed in a UNIX environment where the su functionality was disabled. 2013-1 Update resolves this issue.

- While executing the data collection or the asset import job, the job stopped responding. This issue was observed if any UNIX agent was frozen and the query continued to ping the agent. 2013-1 Update resolves this issue. Now the query time-out is handled accurately for agents that have stopped responding.

- The data collection jobs stopped responding for the last few assets. The jobs got stuck on the assets that had RPC and timeout issues. 2013-1 Update resolves this issue. Now the data collection job executes accurately for assets that are responding properly and successfully ignores the assets that have RPC and timeout issues. The job still remains in the hung state; however, the data collection for the remaining assets is successful.

- After executing an evaluation job for the USGCB: Guidance for Securing Microsoft Windows 7 Systems for IT Professional benchmark, the evaluation window failed to launch and the following error was displayed:
    Failed to retrieve evaluation results. This may be because there are no evaluation results associated with the job run. Check the summary of the job run to determine the cause.
  2013-1 Update resolves this issue.

Queries

The following issues are resolved for this module:

- The Password analysis queries executed against the workgroup machines returned the value Unknown or NA for particular fields. This issue was observed for fields such as: Maximum password age, Minimum password age, Password history length, Password minimum length, Account lockout duration, Lock out observation window, and Lockout threshold. 2013-1 Update resolved this issue.

- Queries executed on the Windows Machine Directory incorrectly displayed the IP\User Name instead of Machine\Username in the evaluation results.

Domain Cache

The following issues are resolved for this module:

- Data collection failed while creating the domain cache, causing the subsequent jobs to fail. This issue was caused due to misconfiguration of the Active Directory. This issue was observed when the targets belonged to a hierarchy of parent-child domain topology. 2013-1 Update resolves this issue.

- During data collection the tables created by domain cache were empty. This issue occurred when the trusted domain list for the scoped asset exceeded 255 characters. 2013-1 Update resolves this issue. Now the trusted domain list that has more than 255 characters is populated successfully.

- While building the trusted domain cache, all the data collection jobs got stuck. This issue occurred because the RPC stopped responding while fetching the domain controller. 2013-1 Update resolves this issue.

- Intermittently the domain cache got corrupted. This issue was observed when the file copy from the temporary cache to the final cache was not synchronized. 2013-1 Update resolves this issue. In case the cache still gets corrupted, the cache is rebuilt.

- While executing the data collection jobs, if the domain cache got corrupted then the subsequent jobs failed. The corrupted cache needed to be manually deleted and the CCS Manager restarted for further data collection jobs to execute. 2013-1 Update resolves this issue. Now in case the domain cache is corrupted, the corrupted cache is deleted and a new domain cache is rebuilt.

Chapter 3 Files Added or Updated

This chapter includes the following topics:
- Files added or updated for SCU 2013-1

Files added or updated for SCU 2013-1

The following files are updated in SCU 2013-1:

Note: The version number for all the files is <11.0.546.10300>

- ORCL.Schema.dll
- Windows.Schema.dll
- Symantec.CSM.SqlPlatformContent.CISSQL2008R2.dll
- Symantec.CSM.OraclePlatformContent.Oracle_v2.dll
- Symantec.CSM.Content.Localization.Resources.dll
- Symantec.CSM.UnixPlatformContent.RHELv1.0.5.dll
- Unix.Schema.dll
- Symantec.CSM.OraclePlatformContent.Oracle11g.dll
- Symantec.CSM.ESM.Integration.dll
- Symantec.CSM.Resources.ESMSUResources.dll
- UnixScopes.dll
- Dbif.schema.dll
- PatchAssessMentDC.dll

Chapter 4 Known Issues

This chapter includes the following topics:
- Known Issues

Known Issues

The following known issues are observed in 2013-1 Update:

Table 4-1 Known issues for Windows domain cache

Issue: Cache file size for a domain reaches 2 GB limit

Description / Workaround: Domain cache is a Microsoft Access database file which contains information about users, groups, computers, and miscellaneous objects that are required during data collection. This cache is required to optimize the data collection job. The cache gets refreshed at periodic intervals. However, if the size of the cache file reaches the limit of 2 GB, cache refresh does not happen completely. If the cache is not refreshed completely, CCS may be able to collect and evaluate data, if the cache file is valid. However, the compliance posture displayed by evaluated data may not be correct, as the evaluation is performed against incomplete or older cache.

Issue: The FSP table in the domain cache does not get refreshed when the domain cache is refreshed in a non-administrator user context.

Description / Workaround: This issue occurs if appropriate permissions are not provided to the non-administrator user configured for Domain Cache creation on the FSP object. You must provide full control to the FSP (Foreign Security Principal) object in the Active Directory.
  1 On the Active Directory computer, using ADSI Edit, right-click the domain controller, and click Properties.
  2 In the Security tab, click Advanced.
  3 In the Permissions tab, click Add.
  4 In the Object tab, in the Name field select the domain cache user, Apply onto Foreign Security Principal objects, and then select Full Control from the permissions list.

Issue: The Deleted objects such as Computers\Groups\Users in the domain cache do not get refreshed when the domain cache is refreshed in a non-administrator user context.

Description / Workaround: This issue occurs if appropriate permissions are not provided to the non-administrator user configured for Domain Cache creation on the deleted objects container. You must provide the List Contents and Read Property permissions on the deleted objects container in your domain. For information on how to provide permissions on the Active Directory deleted objects container for various platforms such as Windows Server 2003 or Windows Server 2008, see the Microsoft Support Web site.

Issue: If you change the logon name or the SAM Account Name of a user, the domain cache does not update the changed name. Instead it adds a duplicate entry for the name in the User table.

Description / Workaround: Having duplicate entries for a user in the domain cache may result in incorrect data collection and increase in cache size. Symantec recommends that you rebuild the domain cache by performing the following steps in order:
  1 Delete the existing domain cache.
  2 Restart the Symantec Data Processing Service.
  3 Perform data collection using the Data Collection or Collection-Evaluation-Reporting (CER) job.
Note: As you are deleting and then rebuilding the domain cache, the first data collection job or the first query job will require more time to complete the job run.

Issue: Data collection fails on Windows and the Workerprocess terminated message is displayed.

Description / Workaround: This issue is observed if a large number of deleted objects are present in the Active Directory when the domain cache is being refreshed. The worker process terminates while synchronizing the deleted objects in the domain cache, causing the data collection to fail and display one of the following messages:
    Workerprocess terminated
  or
    Workerprocess terminated with system memory unavailable
Symantec recommends that you rebuild the domain cache by performing the following steps in order:
  1 Delete the existing domain cache.
  2 Restart the Symantec Data Processing Service.
  3 Perform data collection using the Data Collection or Collection-Evaluation-Reporting (CER) job.
Note: As you are deleting and then rebuilding the domain cache, the first data collection job or the first query job will require more time to complete the job run.