Novell Sentinel 6.1 Rapid Deployment Service Pack 1 Readme

August 06, 2010

Sentinel 6.1 Rapid Deployment is a new packaging option for Novell's market-leading Sentinel Security Information and Event Management solution. Sentinel 6.1 Rapid Deployment includes full Sentinel functionality that can be installed on a single machine and is ideal for smaller organizations or regional installations. It is a SUSE Linux package that installs all components of the Sentinel system, including the database and reporting server.

Novell Sentinel 6.1 Rapid Deployment Service Pack 1 applies the latest defect fixes and enhancements to an existing installation of Sentinel 6.1 Rapid Deployment, Sentinel 6.1 Rapid Deployment Hotfix 1, or Sentinel 6.1 Rapid Deployment Hotfix 2. The new features and fixed defects depend on the version from which you upgrade.

1.0 What’s New

1.1 SLES 11 Support

Sentinel 6.1 Rapid Deployment is now supported on the SUSE Linux Enterprise Server (SLES) 11 64-bit platform in addition to the SLES 10 SP2 64-bit platform.

1.2 Download Manager

The Download Manager enables you to configure the Sentinel 6.1 Rapid Deployment server for automated downloading and processing of the feed files, such as the Advisor data feed, at fixed intervals. The Download Manager notifies the Sentinel processes to process the downloaded feed whenever a feed is downloaded.

For more information on the Download Manager feature, see Download Manager in the Sentinel 6.1 Rapid Deployment User Guide.

1.3 Backup and Restore Utility

The Backup and Restore utility performs a backup of the data on the Sentinel 6.1 Rapid Deployment server and also restores the data at any given point in time with minimal effort.

For more information on the Backup and Restore utility, see Backup and Restore Utility in the Utilities chapter of the Sentinel 6.1 Rapid Deployment User Guide.

1.4 Enhancements to Advisor

A new user interface is added to the Sentinel Control Center that enables you to perform several actions in Advisor:

  • Download the Advisor data feed.

  • Process the downloaded data feed either automatically or manually.

  • Configure the Advisor products that need to be included for exploit detection.

  • View the status of the processed feed.

For more information on Advisor, see Advisor Usage and Maintenance in the Sentinel 6.1 Rapid Deployment User Guide.

1.5 Enhancements to LDAP Authentication

  • A new option named LDAP is added in the Admin > User Configuration > Add User window of the Sentinel Control Center. The new option enables you to create user accounts that use LDAP authentication.

  • LDAP authentication can be performed with or without anonymous searches on the LDAP directory.

For more information on configuring a Sentinel 6.1 Rapid Deployment server for LDAP authentication, see LDAP Authentication in the Sentinel 6.1 Rapid Deployment Installation Guide.

1.6 Enhancements to the Database Cleanup Utility

The Database Cleanup utility now enables you to clean the Advisor, Asset, and Vulnerability data from the Sentinel database, in addition to cleaning the Incidents and Identities data.

For more information on the Database Cleanup utility, see Database Cleanup in the Sentinel 6.1 Rapid Deployment User Guide.

2.0 System Requirements

For detailed information on hardware requirements and supported operating systems, browsers, and event sources, see System Requirements in the Sentinel 6.1 Rapid Deployment Installation Guide.

3.0 Installing Novell Sentinel 6.1 Rapid Deployment

For information on installing Novell Sentinel 6.1 Rapid Deployment, see the Sentinel 6.1 Rapid Deployment Installation Guide.

4.0 Upgrading to Novell Sentinel 6.1 Rapid Deployment SP1

Before proceeding with the upgrade, ensure that you have installed one of the following on the system where you want to install this service pack:

  • Sentinel 6.1 Rapid Deployment

  • Sentinel 6.1 Rapid Deployment Hotfix 1

  • Sentinel 6.1 Rapid Deployment Hotfix 2

For information on installing Novell Sentinel 6.1 Rapid Deployment SP1, see Upgrading Sentinel 6.1 Rapid Deployment in the Sentinel 6.1 Rapid Deployment Installation Guide.

5.0 Defects Fixed

5.1 Defects Fixed in Sentinel 6.1 Rapid Deployment SP1

Table 1 Defects Fixed in Sentinel 6.1 Rapid Deployment SP1

Defect Number   Resolution

548219   The Apache ActiveMQ version is upgraded to 5.3.2 for performance improvements.
538081   The PostgreSQL database is upgraded to 8.3.8 to fix security vulnerabilities.
591878   When you add partitions and the online current partition is P_MAX, the newly added partitions now have the same permissions as P_MAX, and no exceptions are logged in the SDM console or the SDM 0.0.log file.
573197   You can now configure a Sentinel 6.1 Rapid Deployment server to perform LDAP authentication without using anonymous searches on the LDAP directory.
538267   The URL for the About link in the Web user interface is renamed from aboutIdentityAuditManager.html to aboutSentinelRD.html.
612952   The typographical mistakes in the partition operations log messages are fixed.
548164   Event Source Management nodes (Collectors, Connectors, Event Sources, etc.) can now be managed by using the esm_manager.sh script.
571789   The filename of a report result that is attached to an e-mail is now in the <report name_YYYYMMDD_ms time of day>.pdf format instead of result.pdf.
567015   You can now include extended characters in the passwords for the dbauser and admin users.
557002   The das_query log no longer displays the actual password when the das_proxy_log.prop log level is set to ALL; the password is shown masked as ******* instead.
600972   das_binary no longer crashes, because the Web user interface search option is now disabled.
500791   The Save User Preferences window in the Sentinel Control Center now appears only when you change the Sentinel Control Center preferences.
501838   Event details in Active Views now display the correct Collector script version when a legacy Collector is replaced by a JavaScript Collector.
502212   The Send Email JavaScript executes successfully in the JavaScript Debugger without exceptions or errors.
518018   Performance has been improved for querying events in the Active Views snapshot.
532334   The Collector Manager no longer needs to be restarted when a legacy Collector is replaced with a JavaScript Collector.
542155   Events generated on a remote Collector Manager machine are now successfully transferred to the Sentinel server.
557843   Memory leaks are fixed in the methods used to update dynamic lists.
560013   The Sentinel Control Center can now be launched when it is connected over a VPN.
539489   Database indexes that are used to run Novell Compliance Management Platform reports are now added to the database.
577820   Sentinel 6.1 Rapid Deployment hotfixes can now be installed from directories whose names include spaces.
578931   The database patch installer script now allows enough time for a slow database to start up.

5.2 Defects Fixed in Sentinel 6.1 Rapid Deployment Hotfix 2

Table 2 Defects Fixed in Sentinel 6.1 Rapid Deployment Hotfix 2

Defect Number   Resolution

525484   Exceptions are no longer logged in the remote Collector Manager log when the global filter is set to GUI only, and events are now successfully sent to Active Views.
530672   Reports now run successfully on the SLES 10 SP2 server.
538848   The Syslog Connector can now be imported into Event Source Management when it is launched via Web Start.

5.3 Defects Fixed in Sentinel 6.1 Rapid Deployment Hotfix 1

Table 3 Defects Fixed in Sentinel 6.1 Rapid Deployment Hotfix 1

Defect Number   Resolution

504678   Event insertion errors are fixed, and events are successfully stored in the database.
522565   The Solution Pack framework now supports Solution Packs that contain unsupported content.
531972   The Vulnerability tag is no longer deleted from the Event Configuration window when you uninstall a Solution Pack that contains the Vulnerability tag.
531971   An exception error no longer appears when you uninstall a control whose namespace was deleted manually.
531010   The content installer does not install a plug-in that is not supported on its platform.
534350   The IsNull operator works as expected in filters.
534353   Attachments with short filenames (fewer than 3 characters) can be viewed in the Solution Manager.
531974   Solution Packs that are saved from the Solution Designer can now be imported successfully.
534447   Exceptions that were logged in the control center log file while installing a Solution Pack created in the Solution Designer are fixed.

6.0 Known Issues

6.1 The Search Option in the Web User Interface Is Disabled

To enhance the stability of Sentinel 6.1 Rapid Deployment, the ability to search events from the Web user interface has been disabled. The preferred methods for searching are in the Sentinel Control Center by using the following options:

You can use the following procedure to enable the Search option in the Web user interface. However, under load, enabling this option might lead to das_binary crashes and even event loss:

  1. Stop the Sentinel services:

    $APP_HOME/bin/sentinel.sh stop

  2. Open the das_binary.xml file for editing.

    $APP_HOME/config/das_binary.xml

  3. Uncomment the EventSearchComponent section:

    <!--
    <obj-component id="EventSearchComponent">
      <class>esecurity.ccs.comp.textsearch.EventSearchComponent</class>
      <property name="eventsearcher.sortableBatchSize">100000</property>
      <obj-component-ref>
        <name>EventProducer</name>
        <ref-id>EventStoreService</ref-id>
      </obj-component-ref>
    </obj-component>
    -->

  4. Restart the Sentinel services:

    $APP_HOME/bin/sentinel.sh restart

The Search option is now enabled and you can search for events from the Web user interface.
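As an added example (not from the readme and not Novell's own tooling): a Python check that classifies a das_binary.xml as having the EventSearchComponent enabled, disabled (commented out, as shipped) or absent, plus a helper that returns an enabled block to the shipped commented-out state. The <root> wrapper around the sample is a constructed stand-in for the real file's root element, and the sample itself is the block quoted in step 3 above.

```python
"""Classify the state of the Web UI EventSearchComponent in das_binary.xml.

Sentinel 6.1 RD ships with the component commented out; re-enabling it is
documented as a das_binary crash / event-loss risk under load.
"""
import re
import xml.etree.ElementTree as ET

COMPONENT_ID = "EventSearchComponent"

# Constructed sample: the commented-out block from the readme, wrapped in a
# placeholder <root> element so it parses as a complete document.
DISABLED_SAMPLE = """<root>
<!--
<obj-component id="EventSearchComponent">
  <class>esecurity.ccs.comp.textsearch.EventSearchComponent</class>
  <property name="eventsearcher.sortableBatchSize">100000</property>
  <obj-component-ref>
    <name>EventProducer</name>
    <ref-id>EventStoreService</ref-id>
  </obj-component-ref>
</obj-component>
-->
</root>
"""
# The same file after step 3 of the procedure (comment markers removed).
ENABLED_SAMPLE = DISABLED_SAMPLE.replace("<!--\n", "").replace("\n-->", "")


def search_component_state(xml_text: str) -> str:
    """Return 'enabled', 'disabled' (present only inside a comment) or 'absent'."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    for comp in root.iter("obj-component"):
        if comp.get("id") == COMPONENT_ID:
            return "enabled"
    # ElementTree drops comments, so scan the raw text for a commented-out copy.
    for body in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S):
        if f'id="{COMPONENT_ID}"' in body:
            return "disabled"
    return "absent"


def disable_search_component(xml_text: str) -> str:
    """Return the file with a live EventSearchComponent block commented out again.

    Only a live block is wrapped; a block already inside a comment is left
    alone, because a nested '<!--' is not valid XML.
    """
    if search_component_state(xml_text) != "enabled":
        return xml_text
    block = re.compile(
        r'<obj-component id="%s">.*?</obj-component>' % re.escape(COMPONENT_ID), re.S)
    return block.sub(lambda m: "<!--\n" + m.group(0) + "\n-->", xml_text, count=1)


if __name__ == "__main__":
    for label, text in (("shipped", DISABLED_SAMPLE), ("after step 3", ENABLED_SAMPLE)):
        print(f"{label}: EventSearchComponent is {search_component_state(text)}")
```

Run it against $APP_HOME/config/das_binary.xml after an upgrade to confirm the component is still in the shipped (disabled) state.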

6.2 Other Issues

Table 4 Known Issues in Sentinel 6.1 Rapid Deployment SP1

Defect Number

Description

621141

Issue: In Active Views, if you right-click an event, then click Analyze > Asset data or Advisor data, the Asset data or the Advisor data is not displayed. This issue is observed only when the Sentinel Control Center is launched through Web Start.

Workaround: You can view the Asset data and the Advisor data on machines where the Sentinel Control Center is installed as a client application.

517568

Issue: The Sentinel Solution Designer is not installed when you select it as the only client application. However, the installation does not display any errors.

Workaround: To install the Sentinel Solution Designer, you must select either the Sentinel Control Center or the Sentinel Data Manager along with the Sentinel Solution Designer during the installation.

621558

Issue: In the Sentinel Control Center > Tools > Action Manager > Manage Plugins window, when you try to import an action plug-in from the directory that only contains a .js file, an error is displayed indicating that an invalid file is selected. This error occurs only when you attempt this action for the first time.

Workaround:

  1. Click OK in the error message window.

  2. Click Back, then click Next and navigate further to import the plug-in.

    The package.xml and package.xml.md5 files are now created successfully in the directory from which you imported the action plug-in.

568310

Issue: After installing the Sentinel Solution Designer, if you run the Client Installer again to install other client applications, the list that shows the installed components indicates that the Sentinel Solution Designer is not installed. This is because the Sentinel Solution Designer is not installed when it is selected as the only application.

Workaround: Install the Sentinel Solution Designer again, along with the Sentinel Control Center or the Sentinel Data Manager.

583248

Issue: In Sentinel Control Center > Incidents > Create New Incident > Advisor, when you double-click any attack information in the row, the Advisor Attack Details window is blank and does not show any attack information.

Workaround: You can view the Advisor attack details in Active Views. Right-click an event that has Vulnerability = 1, then click Analyze > Advisor data. Currently, the Advisor data is available on machines where the Sentinel Control Center is installed as a client application.

514199

Issue: You cannot set the memory configuration for the Collector Manager by using the Automatic Memory Configuration option during Collector Manager installation. The memory setting defaults to 1200 MB regardless of the value selected in the drop-down list.

Workaround: You can manually change the memory allocation after the installation. Modify the -Xmx value in the <Install_Directory>/config/configuration.xml file to change the memory allocated to the Collector Manager process.

475150

Issue: On a Windows machine, while configuring the File Connector, if you click Browse to add an event source, the file browser does not appear and exceptions are logged in the control center log file.

Workaround: Type the desired file path in the field rather than using the Browse button. Also, if you run the Sentinel services as an administrator user, the Browse option works as expected.

622216

Issue: Exceptions are logged in the DAS_CORE log while the archive and delete partition operations are performed through Sentinel Data Manager jobs.

Workaround: None. Although exceptions are logged, the archive and delete partition operations are performed as expected.

623834

Issue: Error messages are logged in the DAS_CORE log indicating that the online current partition is failing to drop, even though there is enough (80%) disk space available.

Workaround: This occurs on systems that do not meet the minimum requirements specified in the Sentinel 6.1 Rapid Deployment documentation. For more information, see System Requirements.

623838

Issue: In Sentinel Data Manager, the filename naming convention is different for partitions that are archived through jobs and for partitions that are manually archived. For example, the filename for a partition archived through a manual operation is ESEC_ARCH_EVENTS_events_p_2010071010000, but the filename for a partition that is archived through a job is ESEC_ARCH_events_p_2010071010000. As a result, when the partitions are archived through jobs, the Import and Release operations do not happen together for all the partitions, and the last partition in the table group is not imported.

Workaround: You must manually import the missing partitions by using the Import option. For more information, see Sentinel Data Manager in the Sentinel 6.1 Rapid Deployment User Guide.

625571

Issue: As of August 06, 2010, the Sentinel Core Solution Pack 6.1r2 packaged with Sentinel 6.1 Rapid Deployment is not available for download on the Sentinel 6.1 Plug-ins Web site. If you delete this Solution Pack, you cannot download a replacement at this time. The Sentinel Core Solution Pack 6.1r1 that is available on the plug-ins Web site does not include reports for Sentinel Rapid Deployment.

Workaround: None. Do not delete the Solution Packs. If they are deleted and Sentinel Core Solution Pack 6.1r2 or later is still unavailable on the plug-ins Web site, contact Novell Technical Services for a replacement.

580188

Issue: The default installation and configuration of the General Collector, which is provided for data collection testing purposes in the Sentinel 6.1 Rapid Deployment installation, outputs only severity 3 events.

Workaround: Create a new instance of the General Collector and start it so that events of all severities are displayed in Active Views.

566973

Issue: The Correlation Engine Manager window appears blank when you reopen the Sentinel Control Center if you previously saved the user preferences with the Correlation Engine Manager window in the open state.

Workaround:

  1. Close the Correlation Engine Manager window, save the user preferences, and close the Sentinel Control Center.

  2. Launch the Sentinel Control Center again, and open the Correlation Engine Manager window.

    The Correlation Engine Manager window now displays the list of the Correlation Engines as expected.

535331

Issue: If there is a large amount of data in the Events table, report generation might be slow.

Workaround: None.

622895

Issue: IO exceptions are logged in the Java console while launching the Sentinel Control Center through Web Start. However, the Sentinel Control Center launches successfully.

Workaround: None.

563950

Issue: Exceptions are logged in the das_core 0.0 log when the Sentinel Control Center is closed. However, the Sentinel Control Center closes successfully.

Workaround: None.

625542

Issue: Chatty warning messages are frequently logged in the das_core 0.0 log file after Sentinel 6.1 Rapid Deployment SP1 is installed. However, the application works as expected.

Workaround: None.

627850

Issue: The events from the online archived imported partitions are not displayed when queried through an Offline Query or Historical Query. However, the events are successfully stored in the database.

Workaround: None.

7.0 Documentation

Sentinel technical documentation is available in several different volumes: