NetIQ Security Manager UNIX agent failing to parse HP-UX audit events correctly. (NETIQKB72054)

  • 7772054
  • 25-Jan-2010
  • 28-Oct-2010

Environment

NetIQ UNIX Agent Manager

NetIQ 7.1 UNIX Agent

NetIQ Security Manager

Situation

The Security Manager UNIX agent does not correctly parse events in the HP-UX audit trail output. As a result, events are missed and are not sent for processing by the Security Manager Central Computer.

Resolution

  • Apply the following hotfix to the UNIX Agent Manager *before* applying this hotfix, to ensure you have the latest UNIX Agent Manager ruleset code:
    • Hotfix 71934
  • Apply the .um UNIX Agent Manager patch to the UNIX Agent Manager console via 'Help > Update UNIX Agent Manager'
    • This introduces a new patch into patch manager (7.1.0.6) which needs to be applied to UNIX Agents
    • This also updates the default rule set to the latest code
  • After applying 7.1.0.6 to the UNIX Agents, be sure to push the updated code within the default ruleset to the UNIX systems to ensure they have the required updates.


Cause

  • Security Manager Reports Zone Name for Events for Solaris Global Zones: Security Manager now reports the name of the zone generating events in environments using Solaris Global Zones. (ENG284237)
  • Security Manager Reports Rules that the Operating System Prevents from Running: Security Manager now reports an event when unable to run a rule because the operating system identified the rule as having aspects of what the operating system uses to identify unsafe code. (ENG265484)
  • Resolves an Issue with Events from the HP-UX Auditing System: This Hotfix resolves an issue with the UNIX agent where NetIQ Security Manager did not report events from the HP-UX Auditing System. (ENG264251)
  • Resolves an Issue Where Oracle Audit Events are Not Reported: This Hotfix resolves an issue where Security Manager fails to report Oracle audit events after a computer reboots because not all UNIX agent processes restart. (ENG283753)
  • Resolves an Issue with Editing Event Sources: This Hotfix resolves an issue where UNIX Agent Manager incorrectly changes or removes the SID attribute when you edit an event source. (ENG284550)
  • Provides Support for Security Manager for UNIX Update: This Hotfix provides support for changes currently being fixed in the next Security Manager for UNIX update. That Security Manager for UNIX release will improve data normalization to better align with other Security Manager providers. As a result of these changes, when you apply this Hotfix, alerts generated from rules in UNIX Agent Manager will now go to the Security Manager archive by default. For more information, see the NetIQ Security Manager for UNIX documentation.
Additional Information

Formerly known as NETIQKB72054

Detect rule set changes:

There were several changes and enhancements to the default Detect rule set in this Hotfix since Hotfix 71934. Be sure to re-push the following updated rule sources, as well as their respective rules, to your UNIX systems to get the full benefit of this hotfix:

  • AIX Audit source
  • IRIX Audit source
  • Linux Audit source
  • Crontab source
  • NetParam source
  • Netstat source
  • Basic source
  • bsm source
  • filesystem source
  • heartbeat source
  • hp_audit source
  • nessus source
  • oracle audit source
  • sendmail source
  • syslog source
  • wtmp source

Feel free to contact NetIQ technical support with any questions you may have on this hotfix and its application.