Oct 2010 SM UNIX Hotfix (NETIQKB72577)

  • 7772577
  • 14-Sep-2010
  • 25-Oct-2010

Environment

NetIQ UNIX Agent 7.1

Security Manager UNIX

Situation

This hotfix addresses several small issues present in the 7.1 UNIX Agent for Security Manager.

Resolution

  • Please apply the following hotfixes to the UNIX Agent Manager (in the order below) *before* applying this hotfix to ensure you have the latest UNIX Agent Manager rulesets:
    • Hotfix 71934
    • Hotfix 72054
  • Apply the .um UNIX Agent Manager patch to the UNIX Agent Manager console via 'Help > Update UNIX Agent Manager'.
    • This will introduce a new patch (7.1.0.21) into patch manager, which must then be applied to the UNIX Agents.
    • This will also update the default ruleset to the latest code.
  • After applying 7.1.0.21 to the UNIX Agents, please be sure to push the updated code within the default ruleset to the UNIX systems to ensure they have the required updates.

Cause

  • Resolves an issue where the UNIX agent generated false positive events when the audit UID field is not present in the Linux audit record. (ENG295496)
  • Resolves an issue where the UNIX agent did not properly process data from the /var/adm/wtmps and /var/adm/btms files on HP-UX 11.23 and later. (ENG290320)
  • Resolves an issue where the UNIX agent did not properly process data from HP-UX audisp. (ENG290487)
  • Resolves an issue where the UNIX agent reported multiple errors when trying to process spool logs that no longer existed and logged the following errors in the syslog (ENG291426):
    Jun 17 23:59:58 uxserver1 ./alert_agent[18666]: Error opening Linux_Audit.1276820056.00000.idmef_alerts
    Jun 17 23:59:58 uxserver1 ./alert_agent[18666]: Failed opening alert file, /usr/netiq/vsau/bin/./../local/spool/Linux_Audit.1276820056.00000.idmef_alerts: No such file or directory
  • Resolves an issue where the UNIX agent did not process long hexadecimal numbers from the Linux audit trail and logged the following errors in the syslog (ENG291460):
    Tue Sep 21 16:20:08 2010 29103 DBG grp 4: at parseLinuxAudit() line 107: key=(null) Integer overflow in hexadecimal number at parseLinuxAudit() line 117. Integer overflow in hexadecimal number at parseLinuxAudit() line 117.
  • Resolves an issue where the UNIX agent running on a 64-bit operating system used 32-bit event codes. (ENG292047)
  • Resolves an issue where the UNIX agent would not trigger AIX NISPOM and AIX NISPOM-root rules for open-with-write only system calls. (ENG295269)

Additional Information

Formerly known as NETIQKB72577.

If you have any additional questions on applying this hotfix, please feel free to contact NetIQ technical support.