Security Content Update 2016-1 Release Notes
Versions: CCS 11.1 and CCS 11.5
SCU 2016-1 Release Notes for CCS 11.1 and CCS 11.5

Legal Notice

Copyright 2016 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our website at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

support.symantec.com

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan              customercare_apj@symantec.com
Europe, Middle-East, and Africa     semea@symantec.com
North America and Latin America     supportsolutions@symantec.com
Contents

Technical Support ........................................................ 3

Chapter 1  Prerequisites for Security Content Updates .................... 7
    Prerequisites for Security Content Updates ........................... 7

Chapter 2  What's New ..................................................... 8
    New features in SCU 2016-1 ........................................... 8
    New standards in SCU 2016-1 ......................................... 14
    New regulatory standards in SCU 2016-1 .............................. 14
    Files added or updated for SCU 2016-1 ............................... 14

Chapter 3  Resolved Issues ............................................... 15
    Resolved issues in SCU 2016-1 ....................................... 15
Chapter 1  Prerequisites for Security Content Updates

This chapter includes the following topics:

- Prerequisites for Security Content Updates

Prerequisites for Security Content Updates

The following are the prerequisites to install the Security Content Updates:

Symantec Control Compliance Suite 11.1 or later versions
    Before you install the Security Content Update (SCU), you must have Symantec Control Compliance Suite 11.1 or a later version installed on your computer.

New signing certificate for CCS files
    A new signing certificate is used for all CCS files that are signed after February 23, 2016. Before you install the SCU, you must install the updated CCS certificate information that is necessary to validate the new signing certificate. For this update, you must install either of the following:

    Quick Fix 10212
        To install the SCU 2016-1 or later, you must apply the Quick Fix 10212. The Quick Fix 10212 includes the Symantec.CSM.AssemblyVerifier.dll, which contains the updated CCS certificate information necessary to validate the certificate. You can download the Quick Fix 10212 from the following location:
        http://www.symantec.com/docs/tech228300

    Symantec Control Compliance Suite 11.5 (Product Update 2016-1)
        This Product Update recognizes and validates Symantec binaries that are signed by using the new certificate, in addition to recognizing the older binaries.
Chapter 2  What's New

This chapter includes the following topics:

- New features in SCU 2016-1
- New standards in SCU 2016-1
- New regulatory standards in SCU 2016-1
- Files added or updated for SCU 2016-1

New features in SCU 2016-1

The Security Content Update (SCU) 2016-1 contains the following enhancements:

- Data collection support for Packages entity on Oracle Solaris 11 platform
- Agent-based data collection support for File Watch entity for Windows and UNIX platforms
- Enhanced script-based check feature
- Enhanced mechanism for Oracle asset import
- Asset-specific domain cache credentials

Data collection support for Packages entity on Oracle Solaris 11 platform

Data collection support for the Packages entity on your Oracle Solaris 11 platform is available in the SCU 2016-1. The Image Packaging System (IPS) in Oracle Solaris 11 provides an integrated solution that simplifies and automates the process of maintaining and upgrading system software across the data center. Patch updates and package updates are integrated in IPS, so after you install the upgraded versions of the software packages, you do not have to install system patches separately.
You must run a query created for the Packages entity on your Oracle Solaris 11 target machine to collect information about the packages in your system that are up to date and about the packages that need to be updated. Based on the query results, you must install the exact set of software package versions across the systems.

All the fields in the Packages entity that are used for data collection on the Oracle Solaris 10 platform are available in the Packages entity for data collection on the Oracle Solaris 11 platform. However, because of the IPS in Oracle Solaris 11, the following patch-related fields in the Packages entity have become obsolete:

- Recommended Patches
- Cumulative Patch Criticality
- Are Patches Up to Date?
- Patch Number
- Patch Version
- Patches Applied to this Package
- Patches Requiring Update

Query results for the obsolete fields show the Not Applicable status.

Note: For this support to function as expected, the package commands must run successfully on the target machine.

Agent-based Data collection support for File Watch entity for Windows and UNIX platforms

Prerequisites

- CCS 11.5 Agent Product Update (APU)
- SCU 2016-1

Agent-based data collection support for the File Watch entity, both for Windows and UNIX platforms, is available in the SCU 2016-1. The file watch feature enables you to take a snapshot of a file or a directory in your system, monitor the specified properties of the file or the directory, and report on them. To monitor modifications to a file or a directory in your system, you must create a query with reference to the File Watch entity on your Windows or UNIX platform. After every run of the File Watch query, the snapshot of the file or the directory is updated automatically.
Before you create a query, you must configure the input parameters by using an input file in the .csv format. This input file is used to specify the properties of a file or a directory for which you want to collect data. A sample input file is stored in Excel format at the following location on the application server:

<install dir>\application Server\FileWatch\FileWatchInputs.xlsx

Also, you must use a keywords file to list the keywords that are used in the input .csv file and their respective values. In this file, you can specify the registry or the directory path that is used to resolve the value of the keyword. A sample keywords file is located in the File Watch folder on the CCS Application Server. This file contains some standard keywords. You can also add keywords to this file as per your requirement.

The following tables list the supported fields for the File Watch entity for Windows and UNIX platforms. When you create a query for the File Watch entity, some fields are selected by default. You must select the other fields manually while creating the query.

See Table 2-1 on page 10.
See Table 2-2 on page 11.

Table 2-1  Supported fields for Windows

    Field Name                              Selected by default
    Domain/Workgroup Name
    Machine Name
    File or Directory name (with path)
    Is New?
    Is Removed?
    Owner
    Has Owner Changed?
    Old Owner
    Signature
    Has Signature Changed?
    Old Signature
    Modified Time
    Has Modified Time Changed?
    Old Modified Time
    Is Event Log Information Available?
    Events <LIST>
    Are Directories to be Ignored?

Table 2-2  Supported fields for UNIX

    Field Name                              Selected by default
    Machine Name
    IP Address
    File or Directory name (with path)
    Is New?
    Is Removed?
    Owner
    Permissions
    Signature
    Modified Time
    Has Permission Changed?
    Old Permission
    Has Signature Changed
    Old Signature
    Has Ownership Changed?
    Old Owner
    Has Modified Time Changed
    Old Modified Time
    Audit Log Information
    Is Signature Using Prelink
    Ignore Directories
    Ignore Symbolic Links

Note: For more information about agent-based data collection support for the File Watch entity for Windows and UNIX platforms, refer to the Security Content Update Getting Started Guide (Version 11.5).

Enhanced script-based check feature

Prerequisites

- CCS 11.5
- CCS 11.5 Agent Product Update (APU)
- SCU 2016-1

The script-based check feature, which was introduced in the SCU 2015-3, is enhanced in the SCU 2016-1 with the following highlights:

- Now, you can enter additional information about a script-based check. This information includes check remediation, issue description, common vulnerabilities and exposures, and external references. This information is optional.
- For check execution, you can use the script file that you uploaded earlier to the /esm/scripts folder on your CCS agent, or you can upload a new script file by browsing to the file location on your machine. If you upload a new script file with the same name as an existing file in the /esm/scripts folder, the existing file is replaced by the new file.
- If you upload a new script file, you can delete it after check execution on the agent. To delete this file, you must confirm that the value of the DeleteCustomScriptAfterExecution configuration parameter in the AppserverService.exe file on the Application Server is set to 'True'. If this value is set to 'False', the script file is stored in the /esm/scripts folder on the CCS agent. By default, this value is set to 'True'.
- You can configure whether the output that is generated upon check execution should be considered as a single record or as multiple records. By default, the output is considered as a single record. By using this option, you can create a check that is based on keywords which reflect the Fail status in the script output, and the evidence shows only the lines that match such keywords.
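The File Watch entity described above works by taking a snapshot of the watched files and, on the next run, comparing the new snapshot against the old one to fill fields such as Is New?, Is Removed?, Has Signature Changed? and Old Signature. The following is an added example of that snapshot-and-diff approach; it is not code from CCS or Symantec. The function names, the use of SHA-256 as the "signature", and the numeric uid as the "owner" are assumptions; the ignore_dirs and ignore_symlinks parameters play the role of the Ignore Directories and Ignore Symbolic Links fields.

```python
# Added example, not code from CCS or Symantec: a minimal snapshot-and-diff
# file watch in the spirit of the File Watch entity. The keys in each result
# row mirror the entity's fields (is_new, is_removed, has_<field>_changed,
# old_<field>); function names, the SHA-256 "signature" and uid-as-owner
# are assumptions made for this illustration.
import hashlib
import os
import stat

# Properties tracked per file; each gets a has_<field>_changed / old_<field> pair.
TRACKED = ("owner", "permission", "signature", "modified_time")


def file_signature(path):
    """SHA-256 of the file content, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe(path):
    """The tracked properties of one file."""
    st = os.stat(path)
    return {
        "owner": st.st_uid,                      # numeric owner; an agent would resolve the name
        "permission": stat.S_IMODE(st.st_mode),  # e.g. 0o644
        "signature": file_signature(path),
        "modified_time": int(st.st_mtime),
    }


def take_snapshot(targets, ignore_dirs=(), ignore_symlinks=True):
    """Record the tracked properties of every watched file.

    ignore_dirs and ignore_symlinks play the role of the entity's
    Ignore Directories and Ignore Symbolic Links fields.
    """
    ignore_dirs = {os.path.abspath(d) for d in ignore_dirs}
    snapshot = {}
    for target in targets:
        if ignore_symlinks and os.path.islink(target):
            continue
        if os.path.isdir(target):
            for root, dirs, files in os.walk(target):
                # Prune ignored subdirectories in place so os.walk never enters them.
                dirs[:] = [d for d in dirs
                           if os.path.abspath(os.path.join(root, d)) not in ignore_dirs]
                for name in files:
                    full = os.path.join(root, name)
                    if ignore_symlinks and os.path.islink(full):
                        continue
                    snapshot[full] = describe(full)
        elif os.path.isfile(target):
            snapshot[target] = describe(target)
    return snapshot


def compare_snapshots(old, new):
    """One row per path seen in either snapshot, reporting what changed."""
    rows = []
    for path in sorted(set(old) | set(new)):
        row = {"file": path, "is_new": path not in old, "is_removed": path not in new}
        for field in TRACKED:
            changed = (path in old and path in new
                       and old[path][field] != new[path][field])
            row[f"has_{field}_changed"] = changed
            # The old value is reported only when the property actually changed.
            row[f"old_{field}"] = old[path][field] if changed else None
        rows.append(row)
    return rows


def changed_rows(rows):
    """Keep only rows that report a new file, a removed file or a changed property."""
    return [r for r in rows
            if r["is_new"] or r["is_removed"]
            or any(r[f"has_{field}_changed"] for field in TRACKED)]
```

In use, the first snapshot is stored, and each later run calls take_snapshot on the same targets and compare_snapshots against the stored one, then persists the new snapshot, which is the "updated automatically after every run" behaviour the section describes. A content hash rather than size or mtime is what makes the signature fields meaningful: a replaced binary with a preserved timestamp still shows Has Signature Changed.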
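The last highlight of the script-based check feature above, treating the script output as a single record or as multiple records and deriving the Fail status from keywords with evidence limited to the matching lines, is illustrated by the following added example. It is not CCS code; the function names and the sample script output are constructed for this illustration.

```python
# Added example, not code from CCS or Symantec: evaluating the output of a
# script-based check in single-record and multiple-record mode, with the
# Fail status decided by keywords and the evidence restricted to the lines
# that match them. Function names and the sample output are assumptions.

# Constructed sample output of a hypothetical permission-checking script.
SAMPLE_OUTPUT = """\
/etc/passwd           mode=0644  OK
/etc/shadow           mode=0644  FAIL: world-readable
/etc/sudoers          mode=0440  OK
/etc/ssh/sshd_config  mode=0600  WARNING: PermitRootLogin yes
"""


def _matches(line, keywords):
    """Case-insensitive keyword match against one output line."""
    lowered = line.lower()
    return any(keyword.lower() in lowered for keyword in keywords)


def evaluate_single_record(output, fail_keywords):
    """Whole output is one record: Fail if any line carries a fail keyword.

    The evidence holds only the matching lines, not the full output.
    """
    lines = [line for line in output.splitlines() if line.strip()]
    evidence = [line for line in lines if _matches(line, fail_keywords)]
    return {"status": "Fail" if evidence else "Pass", "evidence": evidence}


def evaluate_multiple_records(output, fail_keywords):
    """Each non-empty output line is its own record with its own status.

    The check as a whole fails if any record fails; the evidence again lists
    only the failing records.
    """
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        failed = _matches(line, fail_keywords)
        records.append({"record": line, "status": "Fail" if failed else "Pass"})
    overall = "Fail" if any(r["status"] == "Fail" for r in records) else "Pass"
    evidence = [r["record"] for r in records if r["status"] == "Fail"]
    return {"status": overall, "records": records, "evidence": evidence}
```

The multiple-record mode is the one to choose when a script reports on many objects at once: each object becomes a record with its own status, so a single non-compliant file is visible in the evidence without the reviewer having to scan the whole output.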
Note: For more information about the script-based check feature, refer to the Security Content Update Getting Started Guide (Version 11.5).

Enhanced mechanism for Oracle asset import

The dependency on the oratab and listener.ora files for Oracle asset import is removed in the SCU 2016-1. In the enhanced mechanism, Oracle assets are imported into the CCS asset system with reference to the processes that are running on the Oracle server for an instance.

New asset type property: Service Names

Now, after an Oracle asset is added to the CCS asset system, a new asset type property, Service Names, is displayed. It is a comma-separated list of the names by which clients can connect to an instance. Service names are registered with the listener.

Note: For more information about the modifications in the Oracle asset import mechanism, refer to the Security Content Update Getting Started Guide (Version 11.5).

Asset-specific domain cache credentials

Now, you can configure asset-specific Windows Domain Cache credentials to optimize data collection from your Windows targets. Earlier, the user could not specify domain cache credentials for assets in different domains that have the same short NetBIOS name. Now, such a configuration is supported in CCS. While configuring asset-specific domain cache credentials, you must select the individual assets or the asset folder for which the specified credentials must be used.

Consider that you are building the cache for assets in two different domains that have the same NetBIOS name. In this case, you must have a separate CCS Manager for each of these domains. You must also create a rule to route data collection jobs to the respective CCS Managers. The same CCS Manager cannot be used for data collection from two domains with the same NetBIOS name. However, one CCS Manager can collect data from domains with different NetBIOS names.

The infrastructure updates for this support are available in CCS 11.5.
To enable this support with SCU 2016-1 but without upgrading to CCS 11.5, install QF 10211. You can download this QF from the following location:

https://support.symantec.com/en_us/article.tech234598.html

To enable this support on CCS 11.5 without installing SCU 2016-1, install QF 10501. You can download this QF from the following location:

https://support.symantec.com/en_us/article.tech234598.html

New standards in SCU 2016-1

The SCU 2016-1 contains the following new standard:

- CIS Red Hat Enterprise Linux 6.x Benchmark v1.4.0

New regulatory standards in SCU 2016-1

The SCU 2016-1 contains the following new regulatory standard:

- ISO/IEC 27002:2013
  This regulatory standard provides guidelines for the information security standards and information security management practices that an organization implements, depending on the organization's information security risk environment(s).

Files added or updated for SCU 2016-1

The following files are modified in SCU 2016-1:

- Unix.Schema.dll
- UnixScopes.dll
- Symantec.CSM.UnixPlatformContent.RHELv1.0.5.dll
- Symantec.CSM.VMwarePlatformContent.VMwareESXi4x.dll
- Symantec.CSM.CredentialMgmt.PlatformCredentials.dll
- Symantec.CSM.Wnt.UIControls.dll
- WntScopes.dll
- Windows.Schema.dll
- ORCL.Schema.dll

Note: The version number for all the files listed above is 11.10.10600.1090.
Chapter 3  Resolved Issues

This chapter includes the following topics:

- Resolved issues in SCU 2016-1

Resolved issues in SCU 2016-1

Table 3-1 lists the resolved issues for the SCU 2016-1.

Table 3-1  Resolved Issues

Issue: A query that was created for a domain asset or a domain controller asset in the Users or the Groups entity for the Windows platform stopped returning data after it was run several times. After the user deleted the cache file and a new cache file was created, the query execution was successful.
Resolution: The code has been modified to resolve this issue. Now, the query returns the expected results without the user having to delete the cache file.

Issue: Oracle data collection failed when the Oracle listener was configured on a secondary NIC and a custom port.
Resolution: The code has been modified to resolve this issue. Now, Oracle data collection is successful even when the listener is configured on a secondary NIC and a custom port. For more information, see Enhanced mechanism for Oracle asset import.

Issue: The following check in the CIS Oracle Database Server 11g Security Benchmark v1.0.1 standard incorrectly reflected the Unknown status when it was run on an Oracle 11.2 RAC cluster:
    3.05 Are permissions to init.ora restricted to the owner of the Oracle software and the dba group?
Resolution: The code has been modified to resolve this issue. Now, the check reflects the Pass or Fail status as expected.

Issue: When the user tried to start Symantec Control Studio, the Control Management Data Access error occurred.
Resolution: Now, the duplicate record that causes the problem is deleted, and Control Studio starts without any error. The user can now map control statements to policies.

Issue: Data collection and evaluation for the following checks in the Security Essentials for Solaris 11 standard failed:
    3.4.18 Has sending of ipv4 redirect errors been disabled?
    3.4.19 Has sending of ipv6 redirect errors been disabled?
Resolution: Now, both the ipadm and the ndd commands are used to fetch all the kernel parameters, and so the checks mentioned in the issue return the expected results.

Issue: During data collection for the Security Essentials for AIX 5.x and 6.1 standard, timeout errors were displayed. The error message was similar to the following:
    This query was halted before completion - Query timed out in command execution: sudo -S -E env PATH=:/bin:/usr/bin:/usr/sbin:/sbin:$PATH
Resolution: Now, the FindOptions parameter for several checks in the Security Essentials for AIX 5.x and 6.1 standard is modified to exclude the AutoFS directories during data collection, and as a result, data collection is successful.

Issue: The find command in the predefined RHEL standards did not work as expected, and data collection for these standards consumed a lot of time.
Resolution: Now, the -prune find option is used during data collection for RHEL checks that run the find command, and remote mounts are not considered for data collection, which results in faster data collection.

Issue: Despite successful data collection, data evaluation for the following checks in the CIS Red Hat Enterprise Linux 6.x Benchmark v1.2.0 standard failed:
    5.2.8 Are Login and Logout Events recorded?
    5.2.15 Are changes to System Administration Scope (sudoers) recorded?
Resolution: The code has been modified. Now, the data evaluation for the checks mentioned in the issue is successful.

Issue: Data collection for a single check in a custom standard for the Group Policy Settings entity for the Windows 2012 R2 platform failed because the domain cache did not exist. Data collection for the entire custom standard was successful, and the domain cache was built during this process. Later, when the same check was executed again, data collection was successful.
Resolution: The code has been modified to resolve this issue. Now, the domain cache is built for checks created for the Group Policy Settings entity for the Windows 2012 R2 platform, and so data collection for custom checks is successful.

Issue: On a Windows target computer with an Oracle 11g database, during data collection for the "1.11 Is OSAUTH_PREFIX_DOMAIN registry key set to TRUE?" check in the CIS Oracle Database Server 11g Security Benchmark v1.0.1 standard, the following error message was displayed:
    Catastrophic failure=0d=0a.scope is server '{hostname}'
Resolution: Now, the code has been modified to handle the Catastrophic Failure exception when the Oracle key present on the machine does not contain information related to Oracle Home.

Issue: While creating queries for certain entities for the Windows platform, the user must specify the absolute path or the share name as an additional scope for a query. If the user specified the absolute path for an entity that allowed only the share name as a scope, no error message was displayed during data collection for that query. No data was collected either.
Resolution: Now, the code has been modified to remove the inconsistencies that were observed while specifying an additional scope for queries for the Windows platform.

Issue: The following check in the Security Essentials for ESXi 6.x via vCenter standard returned incorrect results:
    Is AD group used by vsphere is not set to the default 'ESX Admins'?
Resolution: Now, the check behavior is modified, and hence the check returns the correct results.