
One Identity Safeguard for Privileged Sessions 5.9.0 - Release Notes


November 2018

These release notes provide information about the One Identity Safeguard for Privileged Sessions 5.9 (also referred to as 5 F9) release.


About this release

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

The privileged management software provided with One Identity Safeguard consists of the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

For details on this release, see New features.

NOTE:

For a full list of key features in One Identity Safeguard for Privileged Sessions, see Administration Guide.

New features

SIEM forwarder

You can now forward the log messages and events that describe what happens in privileged sessions to an external SIEM, such as Splunk or ArcSight, or to other third-party systems that let you search, analyze, and visualize the forwarded data. Safeguard for Privileged Sessions (SPS) sends these events as industry-standard RFC 3164 syslog messages, with the payload formatted either as JSON or in Common Event Format (CEF). Note that RFC 3164 defines only the message format: the message itself carries no integrity protection, so the forwarding path to the SIEM still has to be protected by transport or network controls.

For more information, see "Using the universal SIEM forwarder" in the Administration Guide.
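Because the forwarded events are plain RFC 3164 syslog whose MSG part is either a CEF record or a JSON object, any receiver that is not a full SIEM still has to separate the syslog envelope from the payload and honour CEF's escaping rules before it can alert on a field. The following added example (written for this page, not code from One Identity or SPS) does that in Python. The two sample lines, the vendor/product strings and every field name inside the payloads are constructed placeholders and are not SPS's documented event schema.

```python
import json
import re
from typing import Any, Dict

# Constructed sample messages: an RFC 3164 envelope carrying a CEF record and
# one carrying a JSON object. Field names are illustrative assumptions only.
SAMPLE_CEF = (
    "<134>Nov 12 14:03:27 sps-gateway sps: CEF:0|OneIdentity|SPS|5.9.0|"
    "session_started|Session started|3|"
    "suser=alice duser=root dhost=db01.example.com dport=22 "
    "app=ssh msg=gateway user alice\\=admin logged in\\r\\nvia policy X"
)
SAMPLE_JSON = (
    '<134>Nov 12 14:03:28 sps-gateway sps: '
    '{"event_type": "command", "gateway_user": "alice", '
    '"server_user": "root", "protocol": "ssh", "command": "sudo -i"}'
)

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

CEF_HEADER_FIELDS = [
    "version", "vendor", "product", "device_version",
    "signature_id", "name", "severity",
]

# Extension values run until the next " key=" token; "\=" and "\\" inside a
# value are escapes and must not terminate it.
EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\])*?)"
    r"(?=\s+[A-Za-z0-9_.]+=|\s*$)",
    re.DOTALL,
)

_CEF_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "r": "\r", "n": "\n"}


def parse_syslog(line: str) -> Dict[str, Any]:
    """Split an RFC 3164 line into PRI (facility/severity), timestamp, host, tag and MSG."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }


def _cef_unescape(value: str) -> str:
    # Unknown escapes just drop the backslash.
    return re.sub(r"\\(.)", lambda mm: _CEF_ESCAPES.get(mm.group(1), mm.group(1)), value)


def parse_cef(msg: str) -> Dict[str, Any]:
    """Parse 'CEF:0|vendor|product|ver|sigid|name|severity|k=v k=v' into header and extension."""
    if not msg.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)  # header pipes may be escaped as \|
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, (_cef_unescape(p) for p in parts[:7])))
    header["version"] = header["version"].split(":", 1)[1]  # "CEF:0" -> "0"
    extension = {km["key"]: _cef_unescape(km["val"]) for km in EXT_RE.finditer(parts[7])}
    return {"header": header, "extension": extension}


def parse_siem_event(line: str) -> Dict[str, Any]:
    """Decode one forwarded line: syslog envelope plus CEF or JSON payload."""
    env = parse_syslog(line)
    body = env["msg"]
    if body.startswith("CEF:"):
        env["format"] = "cef"
        env["event"] = parse_cef(body)
    else:
        env["format"] = "json"
        env["event"] = json.loads(body)
    return env


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_JSON):
        print(json.dumps(parse_siem_event(sample), indent=2))
```

CEF escapes `=` and `\` inside extension values and `|` inside header fields with a backslash; a receiver that splits on bare `=` or `|` will mis-attribute fields, which matters as soon as a detection rule keys on `suser` or `msg`. The PRI value 134 in the constructed samples decodes to facility 16 (local0) and severity 6 (informational).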

Authenticate HTTP/HTTPS connections on the SPS gateway

SPS can now authenticate non-transparent HTTP/HTTPS connections on the gateway itself against local and external backends (LDAP, Microsoft Active Directory, RADIUS). This uses proxy authentication (the standard HTTP 407 Proxy-Authenticate challenge), so the client must support it.

For more information, see "Creating a new HTTP authentication policy" in the Administration Guide.
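The exchange the client has to support looks like this: the gateway answers a request without usable proxy credentials with 407 and a Proxy-Authenticate header, and the client retries with a Proxy-Authorization header (not the origin-server Authorization header). The following added example (not SPS code, written for this page) models that gateway-side logic in Python with the Basic scheme; the realm string and the PBKDF2-backed in-memory user table are constructed stand-ins for the LDAP/AD/RADIUS backends, which are not part of the example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

REALM = "SPS HTTP gateway"  # assumed realm label, not a documented SPS value


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed local user store standing in for the real authentication backend.
_SALT = b"constructed-fixed-salt"
USERS: Dict[str, bytes] = {"alice": _derive("correct horse", _SALT)}


def challenge() -> Tuple[int, Dict[str, str]]:
    """The gateway's reply when a request carries no valid proxy credentials."""
    return 407, {"Proxy-Authenticate": f'Basic realm="{REALM}"', "Content-Length": "0"}


def client_proxy_header(user: str, password: str) -> str:
    """What a proxy-aware client sends back after a 407 (RFC 7617 Basic token)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate_proxy(header: Optional[str]) -> Optional[str]:
    """Return the gateway username if the Proxy-Authorization header validates, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    # Derive and compare even for unknown users so timing does not reveal valid names.
    candidate = _derive(password, _SALT)
    if expected is None or not hmac.compare_digest(candidate, expected):
        return None
    return user


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Gateway decision for one client request: 407 with challenge, or 200 with the gateway user."""
    user = authenticate_proxy(headers.get("Proxy-Authorization"))
    if user is None:
        status, resp_headers = challenge()
        return status, resp_headers, None
    return 200, {}, user


if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Proxy-Authorization": client_proxy_header("alice", "correct horse")}))
```

A client that only knows origin authentication will keep sending Authorization and never get past the 407, which is the practical meaning of "the client must support proxy authentication". Basic credentials are only base64-encoded, so this scheme is acceptable only where the client-to-gateway leg is itself protected.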

Performance improvements in indexing graphical sessions

To make the text displayed in graphical sessions (for example, RDP) searchable, SPS uses optical character recognition (OCR). The way this is done has been greatly optimized. Depending on the exact scenario and the contents of the session, this can significantly decrease the time required to index the audit trails.

Gapminder algorithm

The gapminder algorithm detects scripted sessions from the time gaps between the sessions that belong to a given account. When the gaps between sessions take typical, repeating values, that suggests unnatural, periodic behavior, such as an automated job running under a privileged account.
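The release notes describe the idea in one sentence and do not publish the actual algorithm, thresholds or scoring, so the following is an added illustration of the principle (written for this page, not One Identity's implementation): compute the gaps between consecutive session start times for one account, bin them with a tolerance, and flag the account when one bin dominates. The two session-time series are constructed.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed session start times (seconds) for two accounts: a job firing
# roughly every 300 s with a little jitter, and an irregular human operator.
SCRIPTED = [0, 302, 598, 901, 1200, 1497, 1803, 2100]
HUMAN = [0, 540, 1300, 1820, 3333, 4000, 7200, 7777]


def session_gaps(start_times: Sequence[float]) -> List[float]:
    """Gaps between consecutive sessions, in the order the sessions started."""
    ts = sorted(start_times)
    return [b - a for a, b in zip(ts, ts[1:])]


def dominant_gap(gaps: Sequence[float], bin_width: float) -> Tuple[float, float]:
    """Return (centre of the most common gap bin, share of all gaps falling in it)."""
    if not gaps:
        return (0.0, 0.0)
    bins = Counter(round(g / bin_width) for g in gaps)
    modal_bin, count = bins.most_common(1)[0]
    return (modal_bin * bin_width, count / len(gaps))


def looks_scripted(
    start_times: Sequence[float],
    bin_width: float = 10.0,      # assumed tolerance: gaps within 10 s count as "the same"
    min_sessions: int = 6,        # assumed: fewer sessions than this is not enough evidence
    share_threshold: float = 0.7,  # assumed: this share of gaps in one bin is "periodic"
) -> bool:
    gaps = session_gaps(start_times)
    if len(gaps) < min_sessions - 1:
        return False
    _, share = dominant_gap(gaps, bin_width)
    return share >= share_threshold


def scripted_report(account: str, start_times: Sequence[float]) -> Dict[str, object]:
    """Summary a reviewer would want next to the flag: the period and how dominant it is."""
    gaps = session_gaps(start_times)
    period, share = dominant_gap(gaps, 10.0)
    return {
        "account": account,
        "sessions": len(start_times),
        "typical_gap_s": period,
        "gap_share": round(share, 2),
        "scripted": looks_scripted(start_times),
    }


if __name__ == "__main__":
    for name, series in (("svc-backup", SCRIPTED), ("alice", HUMAN)):
        print(scripted_report(name, series))
```

Treat the flag as a risk signal rather than proof: a script that randomizes its interval produces gaps with no dominant bin, and a human who checks a console at fixed times produces periodic gaps, so the result belongs next to the other behavioral signals rather than on its own.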

Using GSSAPI in SSH connections

You can now combine an Authentication Policy that uses GSSAPI with a Usermapping Policy in SSH connections. When an SSH Connection Policy uses both, SPS stores the user principal as the Gateway username and the username used on the target as the Server username.

Note that this change has a side effect. When using an Authentication Policy with GSSAPI, earlier versions of SPS authenticated on the target server with the client-username@REALM form of the username. Starting with version 5.9.0, SPS uses the bare client-username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS.

Hardware specifications

One Identity Safeguard for Privileged Sessions appliances are built on high performance, energy efficient, and reliable hardware that are easily mounted into standard rack mounts.

Table 1: Hardware specifications

Product  | Redundant PSU | Processor                            | Memory   | Capacity  | RAID                          | IPMI
SPS T-1  | No            | Intel(R) Xeon(R) X3430 @ 2.40GHz     | 2 x 4 GB | 2 x 1 TB  | Software RAID                 | Yes
SPS T-4  | Yes           | Intel(R) Xeon(R) E3-1275V2 @ 3.50GHz | 2 x 4 GB | 4 x 2 TB  | LSI MegaRAID SAS 9271-4i SGL  | Yes
SPS T-10 | Yes           | 2 x Intel(R) Xeon(R) E5-2630V2 @ 2.6GHz | 8 x 4 GB | 13 x 1 TB | LSI 2208 (1GB cache)       | Yes

The SPS T-10 appliance is equipped with a dual-port 10Gbit interface. This interface has SFP+ connectors (not RJ-45), labeled A and B, located to the right of the Ethernet interfaces labeled 1 and 2. If you need faster communication, for example under high data load, you can connect up to two 10Gbit network cards. These cards are not shipped with the original package and have to be purchased separately.

Resolved Issues

The following is a list of issues addressed in this release.

Table 2: Resolved issues in version 5.9.0a
Resolved Issue Issue ID

Citrix ICA proxy generates lots of core files

In certain cases, the standalone ICA proxy generated lots of core files. This has been corrected.

PAM-7877

Extreme memory usage in indexing very large terminal SSH sessions

When indexing SSH sessions whose terminal size was set unusually large, the indexer could consume excessive memory. This has been corrected.

PAM-7821
Table 3: General resolved issues
Resolved Issue Issue ID

Filtering gateway groups does not work for RDP Channel Policies

It is possible to restrict the usage of different protocol channels based on the group memberships of the gateway user in Channel Policies. This filtering was broken for RDP sessions and if a group restriction was specified, that channel was blocked for all users. The problem did not affect other protocols, nor the 5.0.x branch. The problem has been fixed and this restriction is now correctly applied.

PAM-7597

Upgrading the external-indexer on CentOS 7 loses the configuration

The location of the configuration file was changed in the latest version of the external indexer, but the old configuration file was not transferred to the new location during the upgrade. As a result, the indexer started with an empty configuration. This has been fixed and the configuration file is now moved to the new location during the upgrade process.

PAM-7559

Changing the configuration via REST API breaks plugin configuration access

If the configuration of the appliance was changed using the REST API, plugins that read their configuration from the configuration XML file directly (such as the Okta plugin) stopped working due to permission errors. This has been fixed.

PAM-7460

Certificate chains are not supported in LDAP/AD

Starting with version 5.7, certificate chains could not be used to verify TLS sessions for LDAP and AD connections; the only option was to upload the root CA certificate that had directly signed the AD/LDAP server's certificate. This has been fixed and certificate chains are now fully supported again.

PAM-7244

Audit database cleanup does not work for sessions with failed authentication

Sessions with failed authentication were never deleted from the audit database, regardless of the cleanup settings. This is now fixed and such sessions are also removed according to the configured policies.

PAM-7151

Statistics charts are not updated on the Search interface

The charts displayed on the Search interface were not updated after they were displayed the first time, even if the user refined the query. This is fixed and the charts are now properly updated after every user interaction.

PAM-7091

Improved handling of DNS hostname resolution failures in SSH connections

If the appliance could not resolve a DNS hostname while establishing an SSH connection, the connection was denied without any log message that would have helped troubleshooting. The logs now record the resolution failure.

PAM-7085

Startup failure after upgrade with large number of content-based alerts

If the audit database contained a huge number of content-based alerts, the upgrade could fail in a way that prevented the system from starting up correctly. Such databases are now handled correctly.

PAM-7014

Custom NTP settings are not applied

Starting with version 5.7, the NTP server settings were not applied and the appliances always tried to sync with ntp.ubuntu.com. This has been fixed and the NTP settings are applied properly again.

PAM-6985

Parentheses '()' not usable in the sAMAccountName and user DN LDAP settings

If parentheses were used in these settings for LDAP servers, the connections failed. This is now corrected and such settings are handled properly.

PAM-6930
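The fix above concerns values that end up in two different LDAP grammars with two different escaping rules: a sAMAccountName is typically placed inside a search filter, where RFC 4515 requires `(`, `)`, `*`, `\` and NUL to be hex-escaped, whereas a user DN follows RFC 4514, where parentheses are ordinary characters but `,`, `+`, `"`, `\`, `<`, `>`, `;` and leading or trailing spaces must be backslash-escaped. Getting this wrong either breaks legitimate names (the bug above) or opens LDAP filter injection. The following added example (not SPS code) implements both escapers in Python and builds a filter and a DN from constructed sample names; the attribute names are the usual Active Directory ones, but the filter shape is an assumption about what such a setting would expand to.

```python
def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the characters that have meaning inside a filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape special characters in one attribute value of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif i == 0 and ch in " #":      # leading space or '#' must be escaped
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space must be escaped
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(sam_account_name: str) -> str:
    """Assumed expansion of a sAMAccountName setting into a user lookup filter."""
    return "(sAMAccountName=%s)" % escape_filter_value(sam_account_name)


def build_user_dn(cn: str, base_dn: str) -> str:
    """Assumed construction of a user DN from a CN and an already-valid base DN."""
    return "CN=%s,%s" % (escape_dn_value(cn), base_dn)


if __name__ == "__main__":
    # Constructed sample names, including one that attempts filter injection.
    for name in ("svc (backup)", "*)(objectClass=*"):
        print(build_user_filter(name))
    print(build_user_dn("Smith, John", "OU=Users,DC=example,DC=com"))
```

The injection sample shows why the escaping is a security control and not just a robustness fix: without it, `*)(objectClass=*` turns a lookup for one account into a filter that matches every object.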

Memory leak in RDP proxy

Memory was leaked when domainless NLA, banner, or AA plugin was used in an RDP connection. This has been corrected.

PAM-6824

One Identity Safeguard for Privileged Passwords credential store plugin is case sensitive

Even though Active Directory user and domain names are not case sensitive, the credential store plugin for SPP was. This is fixed and all user and domain names can be used now in both upper- and lowercase form.

PAM-6701

Rotate and include Elasticsearch logs into the debug bundle

Logs of the Elasticsearch instance running on the appliance were neither rotated nor included in the support bundle. This could fill up the firmware's storage, and also made troubleshooting much harder. These logs are now both rotated and included in the bundle.

PAM-6648

Large number of connections while displaying a banner in RDP could result in crash

If a banner was displayed at the beginning of RDP connections and there was a high level of activity on the appliance, internal out-of-memory errors could disrupt the service. Such a configuration is now handled correctly.

PAM-6348

HA node replacement fails because the 5 LTS firmware creates a smaller disk on T-1 than 4 LTS

HA node replacement failed because the 5 LTS firmware created a smaller disk on T-1 appliances than 4 LTS did. As a result, the procedure described in the official HA node replacement guide could not be completed: the data could not sync to the new HA node, which had been freshly installed rather than upgraded from 4 LTS.

PAM-6174

Window titles are included in the baselines for the command analysis algorithm of Safeguard for Privileged Analytics

For users that routinely performed both RDP and SSH sessions, the window titles displayed in the RDP sessions were also used to build a baseline for the SSH command algorithm. This is now fixed and only the real commands are used for the command baselines.

PAM-6089

No error message displayed if screenshot generation is requested on the Search interface without the proper private keys

If the audit trail files are encrypted, screenshots can only be generated on the Search interface if the required private keys have been uploaded into the user's keystore. A missing key was not handled well on the Search interface: no error message or other notification was displayed.

PAM-4770

Detailed analytics information is missing from the search results

When the analytics functionality was turned on, in some rare cases the detailed analytics information was missing from the search results, both on the Search UI and in the REST response.

PAM-4525
Table 4: Safeguard Desktop Player resolved issues
Resolved Issue Issue ID

Follow mode in RDP does not work if a session contains multiple channels

Follow mode in RDP did not work if a session contained multiple channels, for example, a Drawing and an rdpdr-printer channel. This has been corrected: the Safeguard Desktop Player application now automatically selects the channel that contains all the information needed to follow the session.

PAM-6817

Application freezes if the downloaded .zat file is incomplete

The Safeguard Desktop Player application remained in the loading phase if the end-of-file record was missing from the audit trail being loaded. This has been corrected; the application now handles such errors properly.

PAM-6566

File association is not working

After installing the Safeguard Desktop Player application, the SRS and ZAT file types were not associated with the application. This has been corrected.

PAM-6437

The application fails to start

The Safeguard Desktop Player application failed to start on systems using a new Intel HD Graphics driver (Version: 23.20.16.4973), displaying the following error message:

"Unhandled exception at 0x00007FFF90E5BB6B (ig9icd64.dll) in player.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF. occurred"

This has been corrected, now the application starts properly.

PAM-5489

Configuration files are inaccessible after a system-wide installation

After a system-wide install, if the user selected the 'Run Safeguard Desktop Player now' option in the installer, the application started with root permissions and wrote configuration files into the user's home directory, so the user's own account could not access them afterwards.

Now this is not possible, as there is no option to launch the application from the installer on system-wide installations.

PAM-4523