Symantec™ Enterprise Security Manager Modules for Oracle ...

Symantec™ Enterprise Security Manager Modules for Oracle Databases Release Notes Release 4.1 for Symantec ESM 6.5.x and 9.0 For Red Hat Enterprise Linux, HP-UX, AIX, Solaris, and Windows

Symantec™ Enterprise Security Manager Modules for Oracle Release Notes The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version: Release 4.1

Legal Notice Copyright © 2009 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical Support Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec’s maintenance offerings include the following: ■

A range of support options that give you the flexibility to select the right amount of service for any size organization

■

Telephone and Web-based support that provides rapid response and up-to-the-minute information

■

Upgrade assurance that delivers automatic software upgrade protection

■

Global support that is available 24 hours a day, 7 days a week

■

Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available: ■

Product release level

■

Hardware information

■

Available memory, disk space, and NIC information

■

Operating system

■

Version and patch level

■

Network topology

■

Router, gateway, and IP address information

■

Problem description: ■

Error messages and log files

■

Troubleshooting that was performed before contacting Symantec

■

Recent software configuration changes and network changes

Licensing and registration If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service Customer service information is available at the following URL: www.symantec.com/techsupp/ Customer Service is available to assist with the following types of issues: ■

Questions regarding product licensing or serialization

■

Product registration updates, such as address or name changes

■

General product information (features, language availability, local dealers)

■

Latest information about product updates and upgrades

■

Information about upgrade assurance and maintenance contracts

■

Information about the Symantec Buying Programs

■

Advice about Symantec's technical support options

■

Nontechnical presales questions

■

Issues that are related to CD-ROMs or manuals

Maintenance agreement resources If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan

[email protected]

Europe, Middle-East, and Africa

[email protected]

North America and Latin America

[email protected]

Additional enterprise services Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Managed Security Services

These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services

Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services

Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Release Notes for Symantec ESM modules for Oracle Release 4.1 This document includes the following topics: ■

What's new in this release

■

New support

■

New checks

■

Enhancements

■

Resolved issue

■

Known issues

What's new in this release The following are new in this release of Symantec ESM Oracle Database modules: ■

New platform support

■

Real Application Cluster (RAC) support

■

One new check in the Oracle Accounts module (Windows and UNIX)

■

One new check in the Oracle Networks module (Windows and UNIX)

8

Release Notes for Symantec ESM modules for Oracle Release 4.1 New support

New support This release of Symantec ESM Modules for Oracle Database supports the following: New Platform support ■

AIX (64-bit) PPC64 (6.1)

■

Red Hat Enterprise Linux (32-bit) x86 (5.x)

■

Red Hat Enterprise Linux (32-bit) x86 (AS 3 and AS 4)

■

Windows (64- bit) x64 (Windows 2003)

■

Windows (32-bit) x86 (Windows 2008)

■

Windows (64-bit) x64 (Windows 2008)

New Oracle version support ■

HP-UX 11.31 (PARISC and IA64) with Oracle 10.2.0.x

Real Application Cluster (RAC) support ■

HP-UX 11.31 PARISC with Oracle 10.2.0.x

■

HP-UX 11.31 IA64 with Oracle 10.2.0.x, 11.1.0.6.0

■

Solaris 2.10 SPARC with Oracle 10.2.0.x, 11.1.0.6.0

■

Red Hat Enterprise Linux (32-bit) x86 (4,5) with Oracle 10.2.0.3 and 11.2.0.1

■

Windows 2003 (32-bit) x86 with Oracle 9.2.0.x, 10.2.0.x, 11.1.0.6.0

New checks New checks are added to the following module: ■

Oracle Accounts (Windows and UNIX)

■

Oracle Networks (Windows and UNIX)

Oracle Accounts (Windows and UNIX) The following new check has been added to the Oracle Accounts: ■

Globally authenticated users

Globally authenticated users This check reports the users that are authenticated globally by SSL, whose database access is through global roles, authorized by an enterprise directory. Use the Users to Skip name list to exclude the users from reporting.

Release Notes for Symantec ESM modules for Oracle Release 4.1 Enhancements

For more information on the Globally authenticated users check, see the Symantec™ Enterprise Security Manager Modules for Oracle Databases User Guide.

Oracle Networks (Windows and UNIX) The following new check has been added to the Oracle Networks: ■

Oracle EXTPROC listeners

Oracle EXTPROC listeners This check reports the Oracle listeners that have EXTPROC-specific entries. In the text box, specify 1 to allow the TCP Protocol, on doing so the database listener ports should be different than the EXTPROC ports. Separate listeners must be specified for the Oracle Databases and for the EXTPROC process. You must use the IPC protocol for the listeners that are configured for EXTPROC. For more information on the Oracle EXTPROC listeners check, see the Symantec™ Enterprise Security Manager Modules for Oracle Databases User Guide.

Enhancements The following have been enhanced in this release: Oracle Auditing (Windows and UNIX)

The check Audit trail enabled has been enhanced to report the message audit trail disabled, if the flag audit_trail in v$parameter view is set to FALSE or NONE.

Oracle Profiles (Windows and UNIX)

The check Password grace time has been enhanced wherein you can use the comparison operators before specifying a value in the text box. The value that you specify in the text box refers to the number of days where a warning is given before your password expires. For more information on the Password grace time check, see the Symantec™ Enterprise Security Manager Modules for Oracle Databases User Guide.

9

10

Release Notes for Symantec ESM modules for Oracle Release 4.1 Resolved issue

Oracle Tablespaces (Windows and UNIX)

The check Tablespaces has now been enhanced to report the encryption status of the tablespaces on Oracle 11G and later versions. For more information on the Tablespaces check, see the Symantec™ Enterprise Security Manager Modules for Oracle Databases User Guide.

Resolved issue The following issue is resolved in this release: Oracle Profiles (Windows and UNIX)

The following checks now report correct message when a numeric limit is set for the corresponding profile resource parameter and you specify UNLIMITED in the respective text boxes: ■

Failed logins

■

CPU time per session

■

CPU time per call

■

Connection time

■

Idle time

■

Sessions per user

■

Password duration

■

Password lock time

■

Password reuse max

■

Password reuse time

For example, Password lock time check If the profile resource PASSWORD_LOCK_TIME is set to 4 and in the Min Pswd Lock text box, you enter UNLIMITED, then the check reports correct message.

Known issues The following issues are known in this release:

Release Notes for Symantec ESM modules for Oracle Release 4.1 Known issues

Oracle Configuration (Windows and UNIX)

When you upgrade to Oracle 4.1, the new column named Display configuration value in the Oracle configuration watch template is not editable. To resolve this issue, delete the existing template and create the template again after you upgrade to Oracle 4.1. For more information, see the Oracle configuration watch template section in the Checks and Templates Reference (CHM).

Installation and Configuration (Windows 2003 x64 )

On Windows 64-bit ESM agent computers, Oracle is unable to parse the program locations that contain parenthesis in the path to the executable. For example: \Program Files (x86). While you configure the ESM application module for Oracle, the connection to the database fails with the error code “ORA-06413”. To resolve this issue, install the ESM agent and the ESM application module for Oracle at a different location without using the parenthesis in the path.

Oracle Passwords (Windows 2008 64-bit SP1) The check Password = wordlist word does not report for the agents on Windows 2008 SP1 platform. The policy runs appear to be in a running state, but does not return any results. Oracle Patch (Windows and UNIX)

The module still may not display correct results if multiple Oracle versions are installed on the same computer with the central inventory. However, the Oracle Patch module reports correctly if the Oracle SIDs are configured with the local inventory.

11

12

Release Notes for Symantec ESM modules for Oracle Release 4.1 Known issues

Oracle SID Discovery (Windows)

The module fails to configure only on Oracle 9i instance if the Automatically Add New Instance check is enabled. You cannot snapshot update the messages that the Oracle Discovery module reports. To configure the Oracle 9i instance, use the Correct option. Alternatively, run the ESM agent service in the context of an account that is equivalent to local administrator and then configure the Oracle 9i instance by using the update snapshot feature.