Security Content Update Release Notes for CCS 11.0: 2014

Security Content Update
Release Notes for CCS 11.0
2014-4 Update
Legal Notice
Copyright © 2014 Symantec Corporation.
All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo, BV-Control, Enterprise Security Manager,
and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective
owners.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Contents
Chapter 1: What's New
  New standards in SCU 2014-4
  Addition in predefined platforms
Chapter 2: Resolved Issues
  Resolved issues in SCU 2014-4
Chapter 1: What's New
This chapter includes the following topics:
■ New standards in SCU 2014-4
■ Addition in predefined platforms
New standards in SCU 2014-4
The SCU 2014-4 contains the following new standards:
■ Security Essentials for Red Hat Enterprise Linux 7.x
■ Security Essentials for Microsoft SQL Server 2014
  Note: The SCU 2014-4 does not support data collection for Microsoft SQL clusters.
SCU 2014-4 does not contain the following deprecated standards:
■ CIS Oracle 9i and 10g Database Security Benchmark v2.0
■ Security Essentials for VMware ESXi 4.x via vCenter
Addition in predefined platforms
The SCU 2014-4 updates the following predefined platforms:
■ Red Hat Enterprise Linux (RHEL)
  The SCU 2014-4 contains the following additions for the RHEL predefined platform:
  Target Type
  The following target type is added to the platform in this update:
  ■ Red Hat Enterprise Linux 7.x Machines
  Asset Group
  The following asset group is added to the platform in this update:
  ■ Red Hat Enterprise Linux 7.x
■ SQL
  Additions for the SQL predefined platform are as follows:
  Target Type
  The following target type is added to the platform in this update:
  ■ SQL Server 2014 Instances
  Asset Group
  The following asset group is added to the platform in this update:
  ■ All SQL Server 2014 Instances
Chapter 2: Resolved Issues
This chapter includes the following topics:
■ Resolved issues in SCU 2014-4
Resolved issues in SCU 2014-4
Table 2-1 lists the resolved issues in the 2014-4 Update.
Table 2-1 Resolved issues

Issue: The query for RHEL patches incorrectly reported all RHEL 6.x patches to be up-to-date, when some patches were not up-to-date.
Resolution: Support for RHEL 6 platform is provided for the Packages data source in CCS, and now the RHEL patch query returns accurate results.

Issue: The Login: Last Date/Time field in the Users data source failed to return the correct login data on Solaris 11 platform.
Resolution: Now, the Last command is used for all UNIX platforms to collect the correct last login data.

Issue: During ESXi asset import, the IP address of an ESXi host was incorrectly identified in CCS Asset System in case the asset had multiple IP addresses.
Resolution: To identify the IP address associated with management NIC, you must manually add the "ReportManagementNIC" configuration key to the ConfigSettings.ini file of VMware platform and set this value to 1 on CCS Manager.

Issue: Data collection on an agent-based SQL asset for credentials with minimum required privilege level failed, and the following error message was displayed on the CCS console:
    No information available for this COM.
Resolution: The domain user did not have access to the UNC path specified for data collection and hence, data collection failed. Now, local path is set instead of UNC path. The data collection job on an agent-based SQL asset for credentials with minimum required privilege level is now successfully executed.
Note: For information about the required privileges for data collection on SQL Server, refer to the Symantec™ Control Compliance Suite Data Collection Privileges Guide.

Issue: Even though the following asset fields were not mandatory, the data collection on the Oracle platform failed, because the values for these asset fields were not populated:
■ ORCL.CONFIGUREDDATABASES.OSVERSION
■ ORCL.CONFIGUREDDATABASES.OSSYSTEM
Resolution: Now, the code is modified to update the XML Schema for Oracle configured databases. Hence, even if these fields are not populated, the data collection job is executed successfully.

Issue: The FilesToIgnore parameter was missing from the following checks in the CIS Solaris 10 Benchmark v4.0 standard:
■ 5.6.1 Does the system contain any SUID System Executables?
■ 5.6.2 Does the system contain any SGID System Executables?
Resolution: The FilesToIgnore parameter is now added to the Solaris CIS standard.

Issue: In the Create Check Wizard, the name of the Windows 2003 Member Servers target type was not consistent with the labeling of other target types in the Check Builder.
Resolution: The name of the target type is changed to Windows 2003 Standalone and Member Servers. Now, the labeling of the target types is consistent in the Check Builder.

Issue: While specifying the additional scope for a query by using the Find Options field in the Additional Settings pane, an incorrect scope was created, and hence, incorrect data was reported.
Resolution: The issue occurred because of the following reasons:
■ Spaces used in the Find Options field could not be detected.
■ When more than one parameter was specified in the Find Options field, only the first parameter was identified.
The code is modified to resolve the issue and now, the correct data is reported.

Issue: The -print parameter was used in the Find Options field in the Additional Settings dialog box to specify the additional scope for a query in the Files datasource. This parameter was not supported in data collection.
Resolution: The support for the -print parameter is now provided.

Issue: The "6.9.1.A Are the number of failed login attempts restricted to 3 or less for all users?" check from the CIS Security Benchmark for HP-UX v1.3.1 standard reflected the Unknown status.
Resolution: The issue is resolved in the SCU 2014-4, and now, the check successfully reflects the Pass or the Fail status.

Issue: During data collection on the Users datasource, if the account lockout duration for a Windows user was set to 0, the corresponding Lockout Duration field in the View results window incorrectly reflected the {Range Error} value.
Resolution: The code is modified to resolve the issue and now, the Lockout Duration field for Windows users reflects the [Forever] value.

Issue: CCS CIS Windows standard contained the Miscellaneous section. However, the checks in this section were not mentioned in the CIS standards. A special mention was required to distinguish these checks from the CIS standards.
Resolution: The section description is added to avoid ambiguity.

Issue: When the ESXi asset import job failed for reasons such as connection error or credential error, among others, the error message did not describe the specific reason of job failure.
Resolution: Separate messages for connection errors and credential errors are now added.

Issue: During data collection for the Login: Last Date/Time field in the Users datasource on the Solaris platform, an error message was displayed in the CCS logs. The message indicated that the print $date command had a new line between the $date and ending double quotes.
Resolution: Now, the new line character in the command is removed. Earlier, the following print $date command was used:
    perl -e '$date = localtime(<local time>);print "$date";\n'
This command is now modified to the following:
    perl -l -e '$date = localtime(<local time>);print "$date";'