Patch Notes for CTE-U
| Patch Information | |
|---|---|
| Release | v10.3.0.74 |
| Date | 2024-09-11 |
| Document Version | 3 |
Resolved Issues
- AGT-47230: Missing IOCTL in CTE-U causes `vmsec challenge` to claim that a challenge is needed

  The fix was to make `vmsec challenge` issue the message "Unlocking keys via challenge-response is not required at this time" when the keys are available.

- AGT-49688 [CS1486441]: Failed to start CTE-U and VMD services after CTE-U installation; error while loading shared libraries: `libnsl.so.1`

  CTE-U had a dependency on the `libnsl.so.1` library. RHEL 8 and 9 now support `libnsl-2.28`. CTE-U has been upgraded to support `libnsl-2.28`.

- AGT-50831 | AGT-51115 [CS1526318]: Failed to run mkdir from NFS client after being guarded by CTE-U | chmod failure from NFS client

  The HP-UX NFS client could not create a directory on a CTE-U GuardPoint exported from an NFS server. The solution was to add support in CTE-U for handling make-directory requests from the HP-UX client.

- AGT-51115 [CS1526300]: chmod failure from NFS client

  The issue occurred because user sets were not supported with NFS export. This has been fixed; user sets are now supported for NFS export.

- AGT-55245 | AGT-57814 [CS1548036] [CS1457832]: Webadm user not defined in policy; it is read as root and allowed permissions when it should be denied

  The issue occurred because Oracle 7.9 was defaulting all permission checks to root. The solution was to handle the access checks properly when the process kernel entry on the OS differs from what is expected.

- AGT-58615 [CS1552884]: Unable to perform mv operation on any file inside sub-directories under guarded NFS mounts

  Moving a file to a directory inside a GuardPoint triggered a `permission denied` error. The solution was to add a check for secondary group permissions for the `mv` command in CTE-U.

- AGT-58672: `secfs_fuse` defers `vmd sigchld`, causing VMD to show as defunct if it dies

  If VMD is stopped, it may display as `<defunct>`. The issue was caused by VMD missing the `sigchld` signal. This has been fixed; the code change solves the missed-signal problem so that the `<defunct>` process now behaves as expected.
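The `<defunct>` state mentioned in AGT-58672 is the general Unix zombie mechanism: a child that has exited keeps its process-table entry until its parent collects it with wait(), and a parent that misses the SIGCHLD notification never does. The program below is an added illustration of that mechanism written for these notes; it is not CTE-U, secfs_fuse or VMD code and makes no claim about how those components are implemented. It forks a throwaway child (constructed here) and contrasts a parent that leaves SIGCHLD at its default, so the child lingers as a zombie until an explicit waitpid(), with a parent that reaps inside a SIGCHLD handler. Reading `/proc/<pid>/stat` to print the state letter is Linux-specific; the two check functions rely only on POSIX calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Number of children collected inside the SIGCHLD handler. */
static volatile sig_atomic_t reaped_in_handler = 0;

/* Handler: reap every exited child without blocking; errno is preserved. */
static void on_sigchld(int sig)
{
    (void)sig;
    int saved = errno;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped_in_handler++;
    errno = saved;
}

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* State letter from /proc/<pid>/stat ('Z' = zombie, which ps shows as <defunct>). */
static char proc_state(pid_t pid)
{
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return '?';
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');            /* comm may contain spaces: skip past it */
    return (p && p[1] == ' ') ? p[2] : '?';
}

/* Fork a child that exits at once. The parent reads EOF on a pipe the child held,
   so it knows the child has exited before inspecting it (no timing guesswork). */
static pid_t spawn_and_wait_for_exit(void)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(fds[0]); _exit(0); }   /* child: exit immediately */
    close(fds[1]);
    char c;
    while (read(fds[0], &c, 1) > 0) {}           /* EOF: the child has exited */
    close(fds[0]);
    return pid;
}

/* Parent with default SIGCHLD disposition and no wait(): the exited child keeps
   its process-table entry as a zombie until waitpid() finally collects it.
   Returns 1 if the exited child was still present when inspected. */
int child_left_defunct(void)
{
    signal(SIGCHLD, SIG_DFL);
    pid_t pid = spawn_and_wait_for_exit();
    if (pid < 0) return -1;
    int still_present = (kill(pid, 0) == 0);     /* a zombie still has its pid */
    int status = 0;
    pid_t got = waitpid(pid, &status, 0);        /* collect it now */
    return still_present && got == pid && WIFEXITED(status);
}

/* Parent that reaps in a SIGCHLD handler: the child disappears without any
   explicit wait() in the main flow. Returns 1 if the handler collected it. */
int child_reaped_by_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGCHLD, &sa, NULL);
    reaped_in_handler = 0;

    pid_t pid = spawn_and_wait_for_exit();
    if (pid < 0) return -1;
    for (int i = 0; i < 200 && reaped_in_handler == 0; i++)
        sleep_ms(10);                            /* give the handler a chance to run */
    int gone = (kill(pid, 0) == -1 && errno == ESRCH);
    signal(SIGCHLD, SIG_DFL);
    return (reaped_in_handler > 0 && gone) ? 1 : 0;
}

int main(void)
{
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    sleep_ms(50);
    printf("unreaped child state: %c\n", proc_state(pid));  /* 'Z' on Linux */
    waitpid(pid, NULL, 0);
    printf("defunct without reaping: %d, reaped by handler: %d\n",
           child_left_defunct(), child_reaped_by_handler());
    return 0;
}
```

The practical takeaway for anyone monitoring a supervised daemon such as VMD is that a `<defunct>` entry is not a hung process but an exited one whose parent has not yet called wait(); it holds a pid and a process-table slot and nothing else, and it disappears the moment the parent collects it or the parent itself exits.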
- AGT-58695: CTE-LDT and CTE-U format compatibility issue

  LDT for CTE v7.6.0 [CS1554828] was not data compatible with CTE-U 10.3 or previous versions. The solution was to add support for data compatibility between LDT for CTE v7.6.0 and CTE-U v10.3.0.70 and subsequent versions.

- AGT-58773 [CS1554828]: No authentication check for effective user

  The current user's permissions were not being enforced when they changed (`su`) to a different role/user. Now that user retains their original permissions.

- AGT-59167: Moas test failed with HP-UX client

  The issue occurred when HP-UX was the NFS client accessing an NFS server GuardPoint encrypted with CTE-U. Whenever a hard link to a file was created on the client and that file was then deleted, any I/O request to the hard link failed. This has been fixed.

- AGT-59425 [CS1554961]: Getting "Transport Endpoint Not Connected" error

  A large number of processes were being created, which increased the cache size. This in turn caused the memory section allocated to the process to run out of memory. The solution was to clean the cache at regular intervals.
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD

  A path length longer than 1024 characters is not supported.

- AGT-45125: Execute program from the GuardPoint

  Due to the implementation of the FreeBSD kernel, process sets and signature sets are not supported in CTE-U on FreeBSD.

- AGT-46856: FUSE protocol violation warning message

  The kernel driver displays this message because the file size reported by CTE differs from the size of the actual file, so FuseFS thinks something has changed and triggers the warning. This message is benign and can be ignored.

- AGT-47108: Enabling Concise logging does not reduce logs compared to when it is disabled

  In the future, Thales will try to enhance this feature to reduce the logs further.

- AGT-48249: Direct IO does not work with mmap or buffered IO

  Writing to a file without direct IO, and then reading from the same file with direct IO through a different file descriptor, without syncing or closing the first file descriptor, causes the read to return incorrect data.

  Work-around: Disable the writeback cache:

  `voradmin secfs config writeback_cache_local 0 <GP>`

- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access

  CTE-U does not support security rules with process sets or user sets for block devices. Refer to Sample Policy for Block Devices.

- AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent

  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, it is not possible to cleanly stop `secfs-fuse`; attempts to do so may result in a hang from which recovery is only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or previous versions.

- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once

  Work-around: Run the following Data Transformation cleanup command before transforming the data:

  `dataxform --cleanup --gp <gp_path>`

- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2

  If the file does not have write permissions, updating the keyid fails and CTE-U generates an I/O error.

  Work-around: In a CTE to CTE-U migration, you must have full write OS permissions for the files copied from the CTE backup to the CTE-U GuardPoint.

- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, when a user migrated from one CipherTrust Manager to another, the key stopped working

  When a key is backed up and restored to a different domain or CipherTrust Manager, the keyid may change and trigger a protection code in CTE-U that is designed to prevent accidental use of the wrong key or accidental double encryption.

  Work-around: See Migrating an Encryption Key for more information.

- AGT-48659: CTE to CTE-U migration: embed GuardPoint command is not working

  After migration from CTE to CTE-U, the command `dxf --embed --gp <path>` does not embed header info into the files.

- AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client

  The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or subsequent versions.

- AGT-54610: Failed to create a file with only a `write` action in the key rule

  When a policy on CipherTrust Manager has only `write` access for a user/process set, the corresponding user/process set on the agent should be able to write to the file. However, due to the FUSE design, CTE-U needs to check `getattr` permissions for every operation. Due to this limitation, CTE-U did not give the user the `write` permission.

  Work-around: Customers must grant read attribute permissions to all of the directories and files in the policy. Select the actions `d_rd_att`, `f_rd_att` and `write`.

- AGT-55110: Switching an existing MFA client profile that used `register_host` failed on CipherTrust Manager enrollment

  Work-around: In CipherTrust Manager, change the existing Multifactor Authentication `Select MFA Exempted User Set` parameter to your new target user set.
End of Life
Thales is discontinuing support for Oracle 7 and SLES 11/12 starting with version 10.4.0.