Imperva SecureSphere v13.3 Agent Release Notes


Agent

Release Notes

v13.3
December 2018
Copyright Notice
© 2002 - 2018 Imperva, Inc. All Rights Reserved.
Follow this link to see the SecureSphere copyright notices and certain open source license terms:
https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/SecureSphere-License-and-Copyright-Information
This document is for informational purposes only. Imperva, Inc. makes no warranties, expressed or implied.
No part of this document may be used, disclosed, reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language in any form or by any means without the written permission of Imperva,
Inc. To obtain this permission, write to the attention of the Imperva Legal Department at: 3400 Bridge Parkway,
Suite 200, Redwood Shores, CA 94065.
Information in this document is subject to change without notice and does not represent a commitment on the
part of Imperva, Inc. The software described in this document is furnished under a license agreement. The software
may be used only in accordance with the terms of this agreement.
This document contains proprietary and confidential information of Imperva, Inc. This document is solely for the
use of authorized Imperva customers. The information furnished in this document is believed to be accurate and
reliable. However, no responsibility is assumed by Imperva, Inc. for the use of this material.
TRADEMARK ATTRIBUTIONS
Imperva and SecureSphere are trademarks of Imperva, Inc.
All other brand and product names are trademarks or registered trademarks of their respective owners.
PATENT INFORMATION
The software described by this document is covered by one or more of the following patents:
US Patent Nos. 7,640,235, 7,743,420, 7,752,662, 8,024,804, 8,051,484, 8,056,141, 8,135,948, 8,181,246, 8,392,963,
8,448,233, 8,453,255, 8,713,682, 8,752,208, 8,869,279 and 8,904,558, 8,973,142, 8,984,630, 8,997,232, 9,009,832,
9,027,136, 9,027,137, 9,128,941, 9,148,440, 9,148,446 and 9,401,927.
Imperva Inc.
3400 Bridge Parkway
Redwood Shores, CA 94065
United States
Tel: +1 (650) 345-9000
Fax: +1 (650) 345-9004
• Website: http://www.imperva.com
• General Information: info@imperva.com
• Sales: sales@imperva.com
• Professional Services: consulting@imperva.com
• Technical Support: support@imperva.com
Imperva-SecureSphere-v13.3-Agent-Release-Notes-v3

Release Highlights

SecureSphere Agents Features Released with the GA
• Database Discovery: SecureSphere Agents now support the automatic discovery of data interfaces for Teradata and SAP-HANA databases. This contributes to a fast and automatic database onboarding process, reduces the need to manually explore, and adds monitoring for these services
• Solaris ASO (NDE): SecureSphere Agents now support the monitoring of NDE (ASO) connections with Oracle databases on Solaris OS when databases are running in both global and kernel zones. Supported with Solaris SPARC 10 and 11 running Oracle Databases 11.2 through 12.2
• ASO IPC Interfaces for Oracle: SecureSphere Agents now support the monitoring of NDE (ASO) encrypted connections over IPC interfaces for Oracle databases
• Audit Fidelity
• Enhanced Capping Mode: SecureSphere Agents now offer an enhanced capping mode. During system overload, it's now possible to auto exclude read/write operations while maintaining monitoring for login/logout operations
• ASO Notification: The SecureSphere Agent can now notify users when monitoring of NDE connection (ASO) with Oracle databases is required even though SecureSphere isn't configured to do so
• EIK as Default: SecureSphere Agents for DAM now include a default configuration that uses EIK (as opposed to PCAP). EIK enables additional advanced functionalities. For more information, see the topic Monitoring External Traffic Using PCAP and EIK in the Database Security User Guide
• Expanded OS Coverage: SecureSphere Agent for Database packages now support SUSE Linux Enterprise Server (SLES) 12 Service Pack 3
• 64 bit Solaris with 32 bit GLIBC Wrapper: SecureSphere Agents now support 64 bit Solaris OS installation without needing to install a 32 bit GLIBC wrapper
SecureSphere Features that work with the SecureSphere Agent:
• Teradata Monitoring Enhancements: SecureSphere now incorporates new technology for intercepting traffic using database vendor APIs for auditing and enforcing security policies. This provides:
   • Monitoring (and blocking) of encrypted connections
   • Support for monitoring database client details, OS user chaining, and failed logins, without needing a log collector
   • Hot upgrade and API load/unload (doesn't require database shutdown)
   • New API enhancements, supported with Teradata 16.10 and later

SecureSphere Agents Features Released with v13.1

• MSSQL 2017 over Linux: SecureSphere DAM now supports MSSQL 2017 running on Linux systems
• Oracle ASO over Solaris Monitoring: SecureSphere now supports Oracle ASO monitoring on the Solaris OS, enabling the monitoring of connections opened before the Agent began operating
• Automatic Agent Database Discovery: The SecureSphere Agent now offers DB instance discovery for MySQL and MariaDB, reducing the need to manually track and configure monitoring for new instances


SecureSphere Agents Features Released with v13.2


Agent Support
• Auto-discovery on PostgreSQL: SecureSphere Agents now support auto-discovery of PostgreSQL services
• Secure Boot Support: SecureSphere Agents can now be configured on Oracle OEL v7.x and Windows 2016 servers to operate with Secure Boot

Database Agent Support in Amazon EC2

• Oracle 12c on OEL 7
• MSSQL 2012 and 2014 on Windows 2012
• Informix 11.70 on SUSE 11 SP4

SecureSphere Agents Features Released with v13.3

• Oracle ASO Support: SecureSphere Agents now support Oracle Shared-Server utilizing ASO (Advanced Security Option)
• Expanded Secure Boot Support: SecureSphere Agents can now be configured to operate with Secure Boot on Oracle OEL v6.x and v7.x, RHEL v7, and SUSE v11 and v12 servers

Installing SecureSphere Agents


Installing and Upgrading SecureSphere Agents
Before downloading the SecureSphere Agent installation file(s), please read carefully the "Installing SecureSphere
Agents" chapter in the SecureSphere Administration Guide.

Note: In Unix and Unix-like systems, the bash shell must be available before installing the SecureSphere
Agent.

Required Permissions for Agent Installation/Configuration


To install and configure agents, you require administrator privileges. To run with administrator privileges:
• In Windows: Open the Windows Start Menu, search for ‘cmd,’ then right-click cmd.exe and select "Run as administrator." In the command window, navigate to the location of the installation package and run it as required.
• In Unix/Linux: Run as root user (uid=0)

SecureSphere Agent Package


SecureSphere supports downloading and deploying agents from the Software Updates screen in the SecureSphere
GUI. The agent is provided as a compressed file (.tar.gz for Unix, .zip for Windows), which includes a number of
other files.
Notes:
• When downloading and installing agents for use with a Management Server v10.5 and later, the additional files are used as part of the installation. Installation is conducted as described in the 13.3 Administration guide.
• When downloading and installing agents for use with a Management Server earlier than v10.5, the additional files should be ignored, and installation is conducted as described in that version's Administration Guide.
The contents of the compressed file include:
• An installation file for the SecureSphere Agent. This file is a .bsx for Unix or .msi for Windows and its name contains the string ragent.
• An installation file for the SecureSphere Agent Installation Manager. This file is a .bsx for Unix or .msi for Windows and its name contains the string ragentinstaller.
• An installation batch file (install.sh). This file is only part of the Unix installation package. It is not included with the Windows installation package.
• A readme file.
• A file with the suffix "metadata" which is used by the agent installation manager.


Platform Specific Notes for the SecureSphere Agent


This section reviews platform specific information for SecureSphere Agents.

Note: The topics in this section relate explicitly to standard SecureSphere Agents; they are not
relevant for SecureSphere Agent for Big Data.

This section reviews the following:


Special Considerations for Certain Linux Platforms
SecureSphere Agent for Database in Amazon Web Services (AWS)
SecureSphere Agents for Database in Microsoft Azure
SecureSphere Agents for Database in Microsoft Hyper-V
SecureSphere Agents on Microsoft Windows
SecureSphere Agents on Ubuntu

Special Considerations for Certain Linux Platforms


Some Linux platforms maintain several versions of their OS, and service packs for each version. Additionally,
SUSE, Teradata, and OEL UEK periodically release updates to service packs, which sometimes include updated
versions of the kernel.
As such, there are a number of items that should be taken into account and understood before installing
SecureSphere Agents on these Operating Systems. For more information, see topics in the SecureSphere Agent
Installation chapter of the SecureSphere Administration Guide that discuss special considerations.

SecureSphere Agent for Database in Amazon Web Services (AWS)


SecureSphere Agent for Database can be installed on databases running in Amazon Web Services (AWS) EC2
instances and communicate with SecureSphere on-premise or cloud-based Management Servers and Gateways.
SecureSphere Agents for Database in AWS are currently supported as follows:
• OEL 7: Oracle 12c
• RHEL 5, 6 and 7: All databases except DB2
• SUSE 11 SP4: Informix 11.70
• SUSE 12.2: SAP Hana 2 SP2
• Windows 2008 R2: All databases except Oracle and DB2
• Windows 2012: MSSQL 2012 and 2014
• Windows 2016: MSSQL 2016

SecureSphere Agents for Database in Microsoft Azure


SecureSphere Agent for Database can be installed on databases in Microsoft Azure and communicate with
SecureSphere on-premise Management Servers and Gateways.
SecureSphere Agents for Database in Microsoft Azure are currently supported as follows:
• Windows 2012 R2: All databases except Oracle and DB2


SecureSphere Agents for Database in Microsoft Hyper-V


SecureSphere Agents for Database in the Microsoft Hyper-V hypervisor are currently supported with the following
Operating Systems:
• OEL 6 UEK 4 64-bit
• OEL 7 UEK 4 64-bit
• RHEL 6 64-bit SMP
• RHEL 7 64-bit SMP
• SUSE 11 64-bit SP4
• SUSE 12 64-bit SP2
• Windows 2008-R2-64bit
• Windows 2012
• Windows 2012-R2
• Windows 2016

SecureSphere Agents on Microsoft Windows


When working with the SecureSphere Agent on Microsoft Windows 2008 and newer, the Base Filtering Engine (BFE)
service must be enabled on the database server. For more information, see Microsoft Windows documentation.

SecureSphere Agents on Ubuntu


Please note the following considerations for the SecureSphere Agent when installed on Ubuntu:
• The installation folder for the SecureSphere Agent on Ubuntu is /usr/imperva and cannot be modified.
• Databases that support the SecureSphere Agent on Ubuntu include PostgreSQL and MySQL.


Agent Installation Requirements


This section reviews SecureSphere Agent installation requirements, including the following:
Agent Memory Requirements
Agent Disk Space Requirements

Agent Memory Requirements


The SecureSphere Agent requires memory for operation based on different factors. The following lists the amount
of memory that is required for operation based on the number of CPU cores:

Name            Windows    Linux/Unix
1-32 cores      300MB      360MB
32-128 cores    500MB      660MB
>128 cores      2GB        2GB

Agent Disk Space Requirements


The SecureSphere Agent uses up to 500 MB of database server disk space for its normal operation, logging, storing
configuration, and more. In addition, to ensure audit information is preserved in the event of network problems,
the SecureSphere Agent reserves 8 GB of database server disk space by default. You can change the amount of disk
space being reserved, as well as the location where this information is saved. For information on how to change
this value, see the article Agents - Modifying the PCAP quota created on the Database in the Imperva Customer
Portal.
Diskspace Requirements

Operation                                                                           AIX       Solaris    HPUX       Linux     Windows
Normal operation, logging, storing configuration, and more (Installation folder)    500 MB    500 MB     500 MB     500 MB    500 MB
Ensure audit information is preserved in the event of network problems              8 GB      8 GB       8 GB       8 GB      8 GB
Required when Upgrading Agents*                                                     750 MB    1500 MB    1250 MB    250 MB    300 MB

*Disk space allocation used when upgrading is divided between the tmp folder and Agent folder. For more
information see the following article titled What is the minimum disk space requirement to install the agent in the
Imperva Customer Portal.


Upgrading SecureSphere Agents


To upgrade the SecureSphere Agent, you simply install it.
Notes:
• In both Windows and Unix, there is no need to re-register an upgraded SecureSphere Agent.
• When upgrading SecureSphere Agents for AIX, you need to restart the database after the agent upgrade is complete.
• When installing or upgrading the SecureSphere Agent for SharePoint, the web frontend servers may become unavailable for several minutes.
• When upgrading the SecureSphere Agent to v13.0, EIK is enabled by default. You can disable it by setting <external-traffic-monitoring-in-kern> to false under Agent Advanced Configuration. For more information see the topic Monitoring External Traffic Using PCAP and EIK in the Database Security User Guide.
To upgrade a Unix Agent to v13.3:
1. Download the new agent package.
   • To determine what installation package you need to download, see Determining Which non-Windows SecureSphere Agent Package to Install on page 10
   • For a list of available agent package file names, see SecureSphere Agent Package Installation File Names on page 11
2. Untar (uncompress) the agent package as follows:
   cd <folder>
   gunzip -c <filename>.tar.gz | tar xvf -
3. Install the new SecureSphere Agent using the following upgrade parameters:
   ./install.sh
   Note: If installing on SUSE or UEK for the first time, you need to add the following to the above command:
   -k kabi_<n>.txt
   For more information on using this command see the SecureSphere Admin Guide.
To upgrade a Windows agent to v13.3:
1. Download and unzip the new agent package file (.zip).
2. Double-click the file named Imperva-ragent-Windows-<fileversion>.msi; the agent is upgraded.
3. Install the installation manager: Double-click the file named Imperva-ragentinstaller-Windows-<fileversion>.msi; the agent installation manager is installed. Note: this step is only relevant when installing with a management server version 10.5 or newer.

SecureSphere Agent Installation Files


Note on Agent Package Numbers
Starting with SecureSphere v13.0, Agent version build numbers (all digits that appear in the last part of the version
string) are composed of six digits; they were previously composed of four. This change has no impact
on SecureSphere operation.


Determining Which non-Windows SecureSphere Agent Package to Install

Note: This section is not relevant to Windows SecureSphere Agents, because there is only one
installation package for all supported versions of Windows.

To determine which non-Windows SecureSphere Agent package to download and install, see SecureSphere Agent
Package on page 5.
Alternatively, you can use the which_ragent_package_xxxx.sh script (where xxxx is the version number of the
script) which you can download from the Imperva FTP site at
/Downloads/SecureSphere_Agents/Misc/
The script should be run on the database server and takes a single parameter, the SecureSphere Agent version
number you want to install.
Table 1: which_ragent_package_xxxx.sh Parameters

Parameter    Description
-v           The SecureSphere Agent version number you want to install.

For example:
[root@agents-system tmp]# ./which_ragent_package_[version].sh -v 13.0

This means that you want the script to return the name of the SecureSphere Agent version v 13.0 package for the
platform on which the script is run.
The script returns the OS, OS version, platform, kernel version and the name of the SecureSphere Agent package
you should download and install. For example:

[root@prod-rhel6-64-smp ~]# ./which_ragent_package_0157.sh -v 13.0


OS: RHEL
Version: 6
Platform: x86_64
Kernel: SMP
Latest DAM Agent package is: Imperva-ragent-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.551148.tar.gz
Latest Big Data Agent package is: Imperva-ragent-bigdata-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.551148.tar.gz
The above is a recommendation only. It is not a guarantee of agent support.
For an official list of agent packages and their supported platforms, please see
the latest SecureSphere Agent Release Notes.
*** Please verify that you run the latest version of which_ragent_package available
at https://ftp-us.imperva.com ***

Notes:
• For servers that can host both regular and Big Data Agents, output includes the requisite package for both scenarios, as seen in the above example.
• Always download the latest version of the which_ragent_package_xxxx.sh before using it, otherwise it may point you to an out-of-date SecureSphere Agent package.
• Before downloading the SecureSphere Agent package, verify that the script has correctly identified your OS, OS version, platform and kernel version.
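
The verification asked for in the last note can be scripted before anything is installed as root. The following is an added example, not part of these notes or of Imperva's tooling: it compares a downloaded package file name with the script's report, using the sample output shown above. It assumes that -v, -k, -p and -b in a file name mean OS version, kernel, platform and build, and that the report values equal those tokens, which these notes show only for RHEL; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not Imperva code. Assumption: in a package file name,
# -v is the OS version, -k the kernel, -p the platform and -b the build,
# as the sample which_ragent_package output in these notes suggests.

# parse_pkg FILE: split a Unix agent package name into PKG_* variables.
# Returns non-zero if the name does not have the expected shape.
parse_pkg() {
    PKG_FLAVOR=dam PKG_OS= PKG_VER= PKG_KERNEL= PKG_PLATFORM= PKG_BUILD=
    name=${1##*/}                          # drop any directory part
    case $name in
        Imperva-ragent-*-p*-b[0-9]*.tar.gz) ;;
        *) return 1 ;;
    esac
    body=${name#Imperva-ragent-}
    body=${body%.tar.gz}
    case $body in
        bigdata-*) PKG_FLAVOR=bigdata; body=${body#bigdata-} ;;
    esac
    PKG_BUILD=${body##*-b};    body=${body%-b*}    # split at the last "-b"
    PKG_PLATFORM=${body##*-p}; body=${body%-p*}    # split at the last "-p"
    case $body in                                  # kernel part is optional
        *-k*) PKG_KERNEL=${body#*-k}; body=${body%%-k*} ;;
    esac
    case $body in                                  # OS version is optional
        *-v*) PKG_VER=${body##*-v}; body=${body%-v*} ;;
    esac
    PKG_OS=$body
    [ -n "$PKG_OS" ] && [ -n "$PKG_PLATFORM" ]
}

# report_field REPORT LABEL: value of the first "LABEL: value" line.
report_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# check_pkg REPORT FILE: print one line per problem and return 0 only if
# the file name agrees with what the script reported for this host.
check_pkg() {
    report=$1 file=${2##*/} problems=0
    if ! parse_pkg "$file"; then
        echo "not a Unix agent package name: $file"
        return 2
    fi
    # The file must be one of the packages the script recommended.
    if ! printf '%s\n' "$report" | grep -F -q -- "package is: $file"; then
        echo "not recommended for this host: $file"
        problems=1
    fi
    # Each host property in the report must equal the matching name field.
    for pair in "OS:$PKG_OS" "Version:$PKG_VER" \
                "Platform:$PKG_PLATFORM" "Kernel:$PKG_KERNEL"; do
        label=${pair%%:*} got=${pair#*:}
        want=$(report_field "$report" "$label")
        if [ "$want" != "$got" ]; then
            echo "$label mismatch: host=$want package=$got"
            problems=1
        fi
    done
    # From v13.0 on, the last part of the build string has six digits.
    case ${PKG_BUILD##*.} in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unexpected build number: $PKG_BUILD"; problems=1 ;;
    esac
    return $problems
}

# Sample report: the which_ragent_package output shown in these notes.
SAMPLE_REPORT='OS: RHEL
Version: 6
Platform: x86_64
Kernel: SMP
Latest DAM Agent package is: Imperva-ragent-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.551148.tar.gz
Latest Big Data Agent package is: Imperva-ragent-bigdata-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.551148.tar.gz'

check_pkg "$SAMPLE_REPORT" \
    Imperva-ragent-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.551148.tar.gz \
    && echo "package matches host"
```

On a database server, pass the captured output of the script in place of SAMPLE_REPORT and the path of the downloaded file as the second argument.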

SecureSphere Agent Package Installation File Names


The installation package is used to install the SecureSphere Agent.
• For a list of standard agents for Database, File, and SharePoint, see:
   • Database and File Agent Packages Released with GA on page 11
   • Database and File Agent Packages Released with v13.1 on page 13
   • Database and File Agent Packages Released with v13.2 on page 14
   • Database, Big Data and File Agent Packages Released with v13.3 on page 16
The SecureSphere Agent’s build number is embedded in the name of the installation file.
Notes:
• The SecureSphere Agent for DB2 z/OS installation files and procedure are given in the SecureSphere Administration Guide.
• Other SecureSphere Agents are available in this release only for the OS Versions listed in the table below.
For minimum SecureSphere Agent disk space and memory requirements, see Agent Installation Requirements on
page 8. Once the SecureSphere Agent begins to monitor traffic, it requires additional memory and disk space,
depending on the volume of monitored traffic. For additional information, see the "SecureSphere Agents" chapter
in the SecureSphere User Guide, under the Advanced Configuration section of the Settings tab.

Database and File Agent Packages Released with GA


The following table lists agent packages used for Database and File products released with the SecureSphere v13.0
GA.
OS / Version Installation File Name

Note: All platforms listed below additionally support patches installed on the listed versions.

Unix-based Agents

AIX
AIX 7.1 64-bit Imperva-ragent-AIX-v71-ppowerpc64-b13.0.0.10.0.505755.tar.gz
AIX 7.2 64-bit Imperva-ragent-AIX-v72-ppowerpc64-b13.0.0.10.0.505755.tar.gz

HP-UX
HP-UX B11.31 Itanium Imperva-ragent-HPUX-v11.31-pia64-b13.0.0.10.0.505755.tar.gz
HP-UX B11.31 PA-RISC Imperva-ragent-HPUX-v11.31-phppa-b13.0.0.10.0.505755.tar.gz

OEL
Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more
information, see Special Considerations for Certain Linux Platforms on page 6 .
OEL 5 UEK 1 64-bit (2.6.32-100.26.2) Imperva-ragent-OEL-v5-kUEK-v1-ik1-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-300.7.1 to 2.6.32-300.39.2) Imperva-ragent-OEL-v5-kUEK-v1-ik2-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-400.21.1) Imperva-ragent-OEL-v5-kUEK-v1-ik3-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-400.23 to the latest version of 2.6.32-400 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v5-kUEK-v1-ik4-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 5 UEK 2 64-bit (2.6.39-400.17.1 to the latest version of 2.6.39-400 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v5-kUEK-v2-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 6 UEK 2 64-bit (2.6.39-400.17.1 to the latest version of 2.6.39-400 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v2-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 6 UEK 3 64-bit (3.8.13-16 to the latest version of 3.8.13 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v3-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 6 UEK 4 64-bit (4.1.12-32.1.2 to the latest version of 4.1.12 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v4-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 7 UEK 3 64-bit (3.8.13-35.3.1 to the latest version of 3.8.13 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v7-kUEK-v3-px86_64-b13.0.0.10.0.512018.tar.gz
OEL 7 UEK 4 64-bit (4.1.12-32.1.2 to the latest version of 4.1.12 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v7-kUEK-v4-px86_64-b13.0.0.10.0.513419.tar.gz

Red Hat (includes Oracle Linux and CentOS)
RHEL 5 32-bit PAE Imperva-ragent-RHEL-v5-kPAE-pi386-b13.0.0.10.0.512018.tar.gz
RHEL 5 32-bit SMP Imperva-ragent-RHEL-v5-kSMP-pi386-b13.0.0.10.0.512018.tar.gz
RHEL 5 64-bit SMP Imperva-ragent-RHEL-v5-kSMP-px86_64-b13.0.0.10.0.512018.tar.gz
RHEL 5 64-bit XEN Imperva-ragent-RHEL-v5-kXEN-px86_64-b13.0.0.10.0.512018.tar.gz
RHEL 6 32-bit SMP Imperva-ragent-RHEL-v6-kSMP-pi386-b13.0.0.10.0.512018.tar.gz
RHEL 6 64-bit SMP Imperva-ragent-RHEL-v6-kSMP-px86_64-b13.0.0.10.0.512018.tar.gz
RHEL 7 64-bit SMP Imperva-ragent-RHEL-v7-kSMP-px86_64-b13.0.0.10.0.512018.tar.gz

Solaris
Sun 5.10 SPARC Imperva-ragent-SunOS-v5.10-psparcv9-b13.0.0.10.0.507771.tar.gz
Sun 5.10 x86 64-bit Imperva-ragent-SunOS-v5.10-px86_64-b13.0.0.10.0.505755.tar.gz
Sun 5.11 SPARC Imperva-ragent-SunOS-v5.11-psparcv9-b13.0.0.10.0.507771.tar.gz
Sun 5.11 x86 64-bit Imperva-ragent-SunOS-v5.11-px86_64-b13.0.0.10.0.505755.tar.gz

SUSE
Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more
information, see Special Considerations for Certain Linux Platforms on page 6 .
SUSE 10 64bit SP3 for Teradata (2.6.16.60-0.91.TDC.1.R.0 to 2.6.16.60-0.9999.TDC.1.R.0) Imperva-ragent-TD-SLE-v10SP3-kTD-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 11 64 bit SP3 bigSMP Imperva-ragent-SLE-v11SP3-kBIGSMP-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 11 64 bit SP3 Imperva-ragent-SLE-v11SP3-kSMP-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 11 64bit SP1 for Teradata (2.6.32.54-0.23.TDC.1.R.2) Imperva-ragent-TD-SLE-v11SP1-kTD-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 11 64bit SP1 for Teradata (2.6.32.54-0.35.TDC.1.R.1 to 2.6.32.54-0.9999.TDC.1.R.1) Imperva-ragent-TD-SLE-v11SP1-kTD-ik2-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 11 64bit SP3 for Teradata (3.0.101-0.116.TDC.1.R.0 to 3.0.101-0.9999.TDC.1.R.0) Imperva-ragent-TD-SLE-v11SP3-kTD-px86_64-b13.0.0.10.0.508040.tar.gz
SUSE 11 64-bit SP4 Imperva-ragent-SLE-v11SP4-kSMP-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 12 64-bit SP0 Imperva-ragent-SLE-v12SP0-kSMP-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 12 64-bit SP1 Imperva-ragent-SLE-v12SP1-kSMP-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 12 64-bit SP2 Imperva-ragent-SLE-v12SP2-kSMP-px86_64-b13.0.0.10.0.505755.tar.gz
SUSE 12 64-bit SP3 Imperva-ragent-SLE-v12SP3-kSMP-px86_64-b13.0.0.10.0.505755.tar.gz

Ubuntu
Ubuntu 14.04 (4.2.0-27 and 4.4.0-34) Imperva-ragent-UBN-v14-kUBN-px86_64-b13.0.0.10.0.505755.tar.gz

Windows-based Agents
For detailed information see Supported Windows Platforms below. This version supports: 32-bit and 64-bit

Windows Imperva-ragent-Windows-b13.0.0.10.0.512010.zip

Database and File Agent Packages Released with v13.1


OS / Version Installation File Name

Note: All platforms listed below additionally support patches installed on the listed versions.

Unix-based Agents

OEL
Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more
information, see Special Considerations for Certain Linux Platforms on page 6 .
OEL 7 UEK 4 64-bit Imperva-ragent-OEL-v7-kUEK-v4-px86_64-b13.1.0.10.0.531235.tar.gz

Red Hat (includes Oracle Linux and CentOS)
RHEL 7 64-bit SMP Imperva-ragent-RHEL-v7-kSMP-px86_64-b13.1.0.10.0.533133.tar.gz

Solaris
Sun 5.10 SPARC Imperva-ragent-SunOS-v5.10-psparcv9-b13.1.0.10.0.533133.tar.gz
Sun 5.11 SPARC Imperva-ragent-SunOS-v5.11-psparcv9-b13.1.0.10.0.533133.tar.gz

SUSE
Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more
information, see Special Considerations for Certain Linux Platforms on page 6 .

SUSE 12 64-bit SP0 Imperva-ragent-SLE-v12SP0-kSMP-px86_64-b13.1.0.10.0.533133.tar.gz


SUSE 12 64-bit SP1 Imperva-ragent-SLE-v12SP1-kSMP-px86_64-b13.1.0.10.0.533133.tar.gz
SUSE 12 64-bit SP2 Imperva-ragent-SLE-v12SP2-kSMP-px86_64-b13.1.0.10.0.533133.tar.gz
SUSE 12 64-bit SP3 Imperva-ragent-SLE-v12SP3-kSMP-px86_64-b13.1.0.10.0.533133.tar.gz

Ubuntu
Ubuntu 16.04+ Imperva-ragent-UBN-px86_64-b13.1.0.10.0.533133.tar.gz

Database and File Agent Packages Released with v13.2


OS / Version Installation File Name

Note: All platforms listed below additionally support patches installed on the listed versions.

Unix-based Agents

AIX

AIX 7.1 64-bit Imperva-ragent-AIX-v71-ppowerpc64-b13.2.0.10.0.539983.tar.gz


AIX 7.2 64-bit Imperva-ragent-AIX-v72-ppowerpc64-b13.2.0.10.0.539983.tar.gz

HP-UX

HP-UX B11.31 Itanium Imperva-ragent-HPUX-v11.31-pia64-b13.2.0.10.0.539983.tar.gz


HP-UX B11.31 PA-RISC Imperva-ragent-HPUX-v11.31-phppa-b13.2.0.10.0.539983.tar.gz

OEL

Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more
information, see Special Considerations for Certain Linux Platforms on page 6 .
OEL 5 UEK 1 64-bit (2.6.32-100.26.2) Imperva-ragent-OEL-v5-kUEK-v1-ik1-px86_64-b13.2.0.10.0.545875.tar.gz

OEL 5 UEK 1 64-bit (2.6.32-300.7.1 to 2.6.32-300.39.2) Imperva-ragent-OEL-v5-kUEK-v1-ik2-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-400.21.1) Imperva-ragent-OEL-v5-kUEK-v1-ik3-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-400.23 to the latest version of 2.6.32-400 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v5-kUEK-v1-ik4-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 5 UEK 2 64-bit (2.6.39-400.17.1 to the latest version of 2.6.39-400 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v5-kUEK-v2-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 6 UEK 2 64-bit (2.6.39-400.17.1 to the latest version of 2.6.39-400 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v2-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 6 UEK 3 64-bit (3.8.13-16 to the latest version of 3.8.13 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v3-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 6 UEK 4 64-bit (4.1.12-32.1.2 to the latest version of 4.1.12 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v4-px86_64-b13.2.0.10.0.545875.tar.gz
OEL 7 UEK 3 64-bit (3.8.13-35.3.1 to the latest version of 3.8.13 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v7-kUEK-v3-px86_64-b13.2.0.10.0.548435.tar.gz
OEL 7 UEK 4 64-bit (4.1.12-32.1.2 to the latest version of 4.1.12 UEK kernel series supported by Oracle) Imperva-ragent-OEL-v7-kUEK-v4-px86_64-b13.2.0.10.0.548435.tar.gz

Red Hat (includes Oracle Linux and CentOS)
RHEL 5 32-bit PAE Imperva-ragent-RHEL-v5-kPAE-pi386-b13.2.0.10.0.545875.tar.gz
RHEL 5 32-bit SMP Imperva-ragent-RHEL-v5-kSMP-pi386-b13.2.0.10.0.545875.tar.gz
RHEL 5 64-bit SMP Imperva-ragent-RHEL-v5-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
RHEL 5 64-bit XEN Imperva-ragent-RHEL-v5-kXEN-px86_64-b13.2.0.10.0.545875.tar.gz
RHEL 6 32-bit SMP Imperva-ragent-RHEL-v6-kSMP-pi386-b13.2.0.10.0.545875.tar.gz
RHEL 6 64-bit SMP Imperva-ragent-RHEL-v6-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
RHEL 7 64-bit SMP Imperva-ragent-RHEL-v7-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz

Solaris

Sun 5.10 SPARC Imperva-ragent-SunOS-v5.10-psparcv9-b13.2.0.10.0.539983.tar.gz


Sun 5.10 x86 64-bit Imperva-ragent-SunOS-v5.10-px86_64-b13.2.0.10.0.539983.tar.gz
Sun 5.11 SPARC Imperva-ragent-SunOS-v5.11-psparcv9-b13.2.0.10.0.539983.tar.gz
Sun 5.11 x86 64-bit Imperva-ragent-SunOS-v5.11-px86_64-b13.2.0.10.0.539983.tar.gz

SUSE

Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more
information, see Special Considerations for Certain Linux Platforms on page 6 .
SUSE 10 64bit SP3 for Teradata (2.6.16.60-0.91.TDC.1.R.0 to 2.6.16.60-0.9999.TDC.1.R.0) Imperva-ragent-TD-SLE-v10SP3-kTD-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 11 64 bit SP3 bigSMP Imperva-ragent-SLE-v11SP3-kBIGSMP-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 11 64 bit SP3 Imperva-ragent-SLE-v11SP3-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 11 64-bit SP4 Imperva-ragent-SLE-v11SP4-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 11 64bit SP1 for Teradata (2.6.32.54-0.23.TDC.1.R.2) Imperva-ragent-TD-SLE-v11SP1-kTD-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 11 64bit SP1 for Teradata (2.6.32.54-0.35.TDC.1.R.1 to 2.6.32.54-0.9999.TDC.1.R.1) Imperva-ragent-TD-SLE-v11SP1-kTD-ik2-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 11 64bit SP3 for Teradata (3.0.101-0.101.TDC.1.R.0 to 3.0.101-0.9999.TDC.1.R.0) Imperva-ragent-TD-SLE-v11SP3-kTD-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 12 64-bit SP0 Imperva-ragent-SLE-v12SP0-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 12 64-bit SP1 Imperva-ragent-SLE-v12SP1-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 12 64-bit SP2 Imperva-ragent-SLE-v12SP2-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz
SUSE 12 64-bit SP3 Imperva-ragent-SLE-v12SP3-kSMP-px86_64-b13.2.0.10.0.545875.tar.gz

Ubuntu

Ubuntu 14.04 (4.2.0-27 and 4.4.0-34 and 4.4.0-112) Imperva-ragent-UBN-v14-kUBN-px86_64-b13.2.0.10.0.545875.tar.gz
Ubuntu 16.04+ Imperva-ragent-UBN-px86_64-b13.2.0.10.0.545875.tar.gz

Windows-based Agents

Note: For detailed information see Supported Windows Platforms below. This version supports: 32-bit and 64-bit.

Windows Imperva-ragent-Windows-b13.2.0.10.0.542191.zip

Database, Big Data and File Agent Packages Released with v13.3
Agent packages in this patch include fixes for the Spectre Variant 2 vulnerability which include CVE-2017-5715,
CVE-2017-5753, and CVE-2017-5754.
Important Note: Starting in Q3 2019, Imperva Agents will no longer support older database kernels that are
exposed to any known variant of the Spectre vulnerability. Imperva Agents released after this date will only support
updated kernels that no longer include those vulnerabilities. To continue receiving support for new
Imperva Agents starting in Q3 2019, database OSs running Imperva Agents will need to be patched.
OS / Version Installation File Name

Note: All platforms listed below additionally support patches installed on the listed versions.

Unix-based Agents

AIX
AIX 7.1 64-bit Imperva-ragent-AIX-v71-ppowerpc64-b13.3.0.10.0.552826.tar.gz
AIX 7.2 64-bit Imperva-ragent-AIX-v72-ppowerpc64-b13.3.0.10.0.552826.tar.gz

HP-UX
HP-UX B11.31 Itanium Imperva-ragent-HPUX-v11.31-pia64-b13.3.0.10.0.552826.tar.gz
HP-UX B11.31 PA-RISC Imperva-ragent-HPUX-v11.31-phppa-b13.3.0.10.0.552826.tar.gz

OEL


Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more information, see Special Considerations for Certain Linux Platforms on page 6.
OEL 5 UEK 1 64-bit (2.6.32-100.26.2) Imperva-ragent-OEL-v5-kUEK-v1-ik1-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-300.7.1 to 2.6.32-300.39.2) Imperva-ragent-OEL-v5-kUEK-v1-ik2-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-400.21.1) Imperva-ragent-OEL-v5-kUEK-v1-ik3-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 5 UEK 1 64-bit (2.6.32-400.23 to the latest version of 2.6.32-400 series supported by Oracle) Imperva-ragent-OEL-v5-kUEK-v1-ik4-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 5 UEK 2 64-bit (2.6.39-400.17.1 to the latest version of 2.6.39-400 series supported by Oracle) Imperva-ragent-OEL-v5-kUEK-v2-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 6 UEK 2 64-bit (2.6.39-400.17.1 to the latest version of 2.6.39-400 series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v2-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 6 UEK 3 64-bit (3.8.13-16 to the latest version of 3.8.13 series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v3-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 6 UEK 4 64-bit (4.1.12-32.1.2 to the latest version of 4.1.12 series supported by Oracle) Imperva-ragent-OEL-v6-kUEK-v4-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 7 UEK 3 64-bit (3.8.13-35.3.1 to the latest version of 3.8.13 series supported by Oracle) Imperva-ragent-OEL-v7-kUEK-v3-px86_64-b13.3.0.10.0.555141.tar.gz
OEL 7 UEK 4 64-bit (4.1.12-32.1.2 to the latest version of 4.1.12 series supported by Oracle) Imperva-ragent-OEL-v7-kUEK-v4-px86_64-b13.3.0.10.0.555141.tar.gz

Red Hat (includes Oracle Linux and CentOS)


RHEL 5 32-bit PAE Imperva-ragent-RHEL-v5-kPAE-pi386-b13.3.0.10.0.555141.tar.gz
RHEL 5 32-bit SMP Imperva-ragent-RHEL-v5-kSMP-pi386-b13.3.0.10.0.555141.tar.gz
RHEL 5 64-bit SMP Imperva-ragent-RHEL-v5-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz
RHEL 5 64-bit XEN Imperva-ragent-RHEL-v5-kXEN-px86_64-b13.3.0.10.0.555141.tar.gz
RHEL 6 32-bit SMP Imperva-ragent-RHEL-v6-kSMP-pi386-b13.3.0.10.0.555141.tar.gz
RHEL 6 64-bit SMP BigData Imperva-ragent-bigdata-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz
RHEL 6 64-bit SMP Imperva-ragent-RHEL-v6-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz
RHEL 7 64-bit SMP BigData Imperva-ragent-bigdata-RHEL-v7-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz
RHEL 7 64-bit SMP Imperva-ragent-RHEL-v7-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz

Solaris
Sun 5.10 SPARC Imperva-ragent-SunOS-v5.10-psparcv9-b13.3.0.10.0.552826.tar.gz
Sun 5.10 x86 64-bit Imperva-ragent-SunOS-v5.10-px86_64-b13.3.0.10.0.552826.tar.gz
Sun 5.11 SPARC Imperva-ragent-SunOS-v5.11-psparcv9-b13.3.0.10.0.552826.tar.gz
Sun 5.11 x86 64-bit Imperva-ragent-SunOS-v5.11-px86_64-b13.3.0.10.0.552826.tar.gz

SUSE
Note: These agents require downloading both the installation file listed here and the kabi_<n>.txt file. For more information, see Special Considerations for Certain Linux Platforms on page 6.
SUSE 10 64bit SP3 for Teradata (2.6.16.60-0.91.TDC.1.R.0 to 2.6.16.60-0.9999.TDC.1.R.0) Imperva-ragent-TD-SLE-v10SP3-kTD-px86_64-b13.3.0.10.0.555141.tar.gz
SUSE 11 64-bit SP4 Imperva-ragent-SLE-v11SP4-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz
SUSE 11 64bit SP1 for Teradata (2.6.32.54-0.23.TDC.1.R.2) Imperva-ragent-TD-SLE-v11SP1-kTD-px86_64-b13.3.0.10.0.555141.tar.gz
SUSE 11 64bit SP1 for Teradata (2.6.32.54-0.35.TDC.1.R.1 to 2.6.32.54-0.9999.TDC.1.R.1) Imperva-ragent-TD-SLE-v11SP1-kTD-ik2-px86_64-b13.3.0.10.0.555141.tar.gz
Note: This package does not include a fix for the Spectre v2 vulnerability.
SUSE 11 64bit SP3 for Teradata (3.0.101-0.101.TDC.1.R.0 to 3.0.101-0.9999.TDC.1.R.0) Imperva-ragent-TD-SLE-v11SP3-kTD-px86_64-b13.3.0.10.0.555141.tar.gz
SUSE 12 64-bit SP2 Imperva-ragent-SLE-v12SP2-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz
SUSE 12 64-bit SP3 Imperva-ragent-SLE-v12SP3-kSMP-px86_64-b13.3.0.10.0.555141.tar.gz


Ubuntu
Ubuntu 14.04 (4.2.0-27 and 4.4.0-34 and 4.4.0-112) Imperva-ragent-UBN-v14-kUBN-px86_64-b13.3.0.10.0.555141.tar.gz
Ubuntu 16.04+ Imperva-ragent-UBN-px86_64-b13.3.0.10.0.555141.tar.gz

Windows-based Agents
Note: For detailed information see Supported Windows Platforms below. This version supports: 32-bit and 64-bit
Windows Imperva-ragent-Windows-b13.3.0.10.0.552875.zip

Supported Windows Platforms


This section lists support for the SecureSphere Agent on Microsoft Windows. For information regarding supported
Windows platforms for specific SecureSphere products, please see that specific product’s User Guide.
The SecureSphere Agent is supported on the following Windows Platforms:
• Windows 2008-32bit
• Windows 2008-64bit
• Windows 2008-R2-64bit
• Windows 2012
• Windows 2012-R2
• Windows 2016

After Installing the SecureSphere Agent


The following topics review important post-installation information for the SecureSphere Agent:
• AIX Post Installation Information
• Locally Caching Monitored Traffic

AIX Post Installation Information


• If you are connecting locally over shared memory, then you must restart all DB2 database instances after the first time you start the SecureSphere Agent. There is no need to reboot the machine.
• If you have installed the SecureSphere Agent on a machine on which no SecureSphere Agent was previously installed, or if a version 8.5 or lower SecureSphere Agent was installed, then:
  • If you want to monitor local DB2 shared memory traffic, you must restart all DB2 database instances after the first time you start the SecureSphere Agent.
  • If you want to enable the source IP address feature, you must restart the login servers (SSH, Telnet, Rlogin) after the first time you start the SecureSphere Agent.
  There is no need to reboot the machine.


Locally Caching Monitored Traffic


When the SecureSphere Agent is unable to send database traffic to the Gateway (for example, if the
communication link to the Gateway is down) it stores the data to disk until such time as the data can be sent to the
Gateway. Parameters controlling the location and size of these disk files can be configured in the Advanced
Configuration section of the SecureSphere Agent’s Settings tab. For more information, see the SecureSphere User
Guide.

Open Issues
ID OS DB/ Product Description

AGNT-6537 AIX All Databases When working in PCAP mode on TCP external, when all channels are removed from a specific interface, the agent process is restarted.
AGNT-7542 AIX All Databases 'User name' is not part of the process argument, and therefore cannot be excluded as part of the 'argument' in the process details criteria. Workaround: use the 'user name' field instead of the 'process argument' field.
AGNT-7249 AIX Informix When monitoring Informix SHM, audit data may be missing for large responses.
AGNT-7513 AIX Informix In AIX 7.1, in rare cases, when monitoring Informix SHM large responses, part of the response is missing in the audit.
AGNT-9115 AIX Informix Traffic might not be audited for local connections for Informix v10.
AGNT-8223 AIX Oracle Audit loss of up to 0.3% of the traffic was encountered.
AGNT-8446 AIX Oracle Limitation: ASO is not supported on AIX WPAR.
AGNT-9801 AIX Oracle Only 126 ASO connections out of 200 that are opened concurrently are monitored.
AGNT-10234 AIX, Linux, Solaris Oracle If ASO interception is disabled in the Agent, and there are ASO connections in the Database, alarm won't be generated until a new ASO connection starts.
AGNT-8556 AIX, Solaris, Windows All Databases When monitoring external traffic in PCAP mode, an agent move to a gateway that was not a part of the original cluster (the cluster when the agent registered to it) could have caused packet loss. Relevant to AIX, Windows and Solaris 11.
AGNT-10076 All All Databases When upgrading the agent from version earlier than 12 Patch 7 to version 13 and above, database discovery might fail. Workaround: manually update the ACP using MX under Setting > Software Update > More > Import Agent Compatibly Package.
AGNT-10194 All All Databases If the RemoteAgent listener in the SecureSphere Gateway is changed from non SSL to SSL, the SecureSphere Agents registered to this Gateway will no longer be able to communicate with the gateway. Workaround: re-register relevant SecureSphere Agents.


AGNT-10206 All All Databases On rare occasions, when unregistering an Agent from SecureSphere that was in 'full-trust' trust mode, and then registering it to SecureSphere without trust enabled, the agent will not be able to start. Workaround: uninstall and reinstall the agent.
AGNT-10228 All All Databases Combining two or more monitoring rules, with some of them Agent criteria and others gateway criteria does not work properly.
AGNT-10281 All All Databases The equals sign (=) is not supported for the password of the Imperva user when registering agent to the gateway using command line. Using the equals sign in the password when registering from the CLI works.
AGNT-10673 All All Databases In cases where the SecureSphere RemoteAgent restarts many times, some connections will have 'Connected User' in audit.
AGNT-6402 All All Databases On rare occasions, Time Of Day exclusions do not work.
AGNT-7057 All All Databases On rare occasions when a local connection to a database is open for a very long period, and there is large number of connections being opened and closed, the "user" in audit data may appear as "connected user."
AGNT-7676 All All Databases After gateway restart, wrong event capture time is reported for logout operations.
AGNT-7981 All All Databases Disabled Agents remain disabled after registering to a different gateway.
AGNT-8084 All All Databases In cases when the system parameter max_pid was modified after ragent was loaded, some audit will be lost.
AGNT-8151 All All Databases During agent move, Agent status might temporarily change to Running With Errors 'Data connection to gateway has been lost'.
AGNT-8268 All All Databases Agent and gateway cannot communicate when the gateway is configured as Reverse Proxy and to accept only ECDH ciphers.
AGNT-8395 All All Databases During an automatic agent move, the agent's status might temporarily change to "Bad Connectivity."
AGNT-8487 All All Databases When the agent is disconnected from the Gateway, audit loss may occur.
AGNT-8531 All All Databases After upgrading an Agent from a pre v12.0 to v12.0 or above while the agent is registered to a Large Server Cluster, the agent does not function. Workaround: move the agent out of the Large Server Cluster, and then move it back to the Large Server Cluster.
AGNT-8558 All All Databases In cases where the server had no free disk space, after freeing some space the RACLI interface may show errors. Agent stop/start via the Agent CLI may resolve the issue.
AGNT-8559 All All Databases On rare occasions, the Remote Agent process crashes during shutdown.
AGNT-8790 All All Databases After re-registering the agent to a different MX, the hostname might not be correctly reflected in the MX.
AGNT-8949 All All Databases Traffic on sub network interface might still be audited even though the channel is configured as disabled.
AGNT-8981 All All Databases When installing the SecureSphere Agent Installation Manager only, users cannot change the path of the download directory in the MX GUI.


AGNT-9034 All All Databases Advanced configuration of "kernel-max-pid" and of "kernel-max-pid-limit" will not affect the agent if their value is higher than the maximum number of processes defined in the operating system.
AGNT-9151 All All Databases Agent crashes when enabling "send-ack" configuration from additional-configuration. Workaround: disable configuration. Additionally, agent crashes working with a gateway earlier than v10.5 GA.
AGNT-9247 All All Databases If PCAP is used to monitor external traffic (i.e., EIK is disabled), Remote Agent process may crash when it's stopped or when an IPv4 interface is removed.
AGNT-9362 All All Databases In rare cases the agent may fail to get a valid certificate when starting trust migration.
AGNT-9850 All All Databases Remote Agent CTRL process uses high CPU when setup has trust and gateway cluster.
AGNT-9882 All All Databases In rare scenarios, agent log files can take more disk space than defined.
AGNT-9939 All All Databases The agent cannot communicate with Gateways v10.0 and earlier.
AGNT-7232 All DB2 When monitoring DB2 Shared memory connections, the response size in audit appears as 0.
AGNT-7272 All Informix When configuring Traffic Monitoring Rule with Process details - Agent criteria, and using the arguments parameter, the character @ is not supported.
AGNT-9919 All Progress SecureSphere doesn't audit activity that takes place in shared memory, for example activity of the Progress Openedge utility.
AGNT-7821 HP-UX All Databases Agent may fail to start and then provides a non-informative error message.
AGNT-9141 HP-UX All Databases In a trusted environment, the SecureSphere Agent could temporarily have high CPU usage when renewing its certificate.
AGNT-9262 HP-UX All Databases Pcap on HP-UX may use promiscuous mode without explicit request.
AGNT-10549 HP-UX PostgreSQL No audit data is available for local connections.
AGNT-10512 Linux All Databases In some cases, the SecureSphere Agent might create an empty /boot/System.map file.
AGNT-7660 Linux All Databases RHEL6 K0 (kernel patches lower than p5): the SecureSphere Agent cannot coexist with the Vormetric Agents.
AGNT-10127 Linux MSSQL Connections that are established just after the database starts might be audited as a 'connected user.'
AGNT-10072 Linux MSSQL, Teradata Changing the ragent installation directory while upgrading ragent version may cause audit loss until next database restart.
AGNT-10128 Linux MSSQL, Teradata If Data Interface discovery is disabled, there is no audit for MsSQL on Linux and Teradata version 16.1 and up.
AGNT-10195 Linux MSSQL, Teradata User space monitoring will not work when the agent installation directory is larger than 75 characters.
AGNT-10561 Linux Oracle When inline mode is configured, ASO shared mode results in a connection delay.


AGNT-10280 Linux, Unix All Databases In rare scenarios and on servers with mounts, the database discovery process might hang and channels are not discovered.
AGNT-9148 Linux, Unix All Databases Agent requires a loop-back interface with address of 127.0.0.1 to be present in the server.
AGNT-9964 RHEL All Databases Vendor Meltdown patches for RHELv7 and for RHELv6 operating systems cause the SecureSphere Agent to fail during start.
AGNT-10210 RHEL Cloudera HBase Username may not be reported for old versions of HBase (up to Cloudera 5.6).
AGNT-9999 RHEL Cloudera HBase Column names in HBase are missing in some of the translated queries in Cloudera 5.7.1 and up.
AGNT-10655 RHEL Cloudera HDFS, Hortonworks HDFS When performing an operation in HDFS through REST API, the source IP in MX audit will always be the local IP of the server.
AGNT-10657 RHEL Cloudera HDFS, Hortonworks HDFS When performing operations in HDFS through the NameNode WebUI service, the operation might be monitored twice in MX File Audit Data.
AGNT-10006 RHEL Cloudera Impala A few types of SQL exceptions are not reported in Impala.
AGNT-10224 RHEL DataStax Cassandra Agent upgrade to 13.0.0.0 and above requires database restart for Cassandra databases.
AGNT-10320 RHEL MongoDB When connecting to MongoDB with a user, and afterwards switching to a different user, the following Audit will display the previous user in the MX phase 1 User field.
AGNT-10328 RHEL MongoDB SecureSphere Agent does not support authentication in MongoDB client versions older than 3.0.
AGNT-10566 RHEL MongoDB SecureSphere Agent does not audit failed logins for nonexistent users in MongoDB v4.
AGNT-10120 RHEL Oracle If the Agent driver fails to start, the Injection Manager process might eventually crash.
AGNT-7722 RHEL, Solaris NFS Registering a File Agent for local traffic monitoring will result in monitoring external traffic as well.
AGNT-10705 RHEL, ubuntu MariaDB, MSSQL, MySQL, PostgreSQL Audit loss may be experienced with connections that are opened shortly (seconds) after database restart when user-space interception is active.
AGNT-10668 Solaris All Databases SecureSphere Agent v13.3 can't be installed on Solaris 11.4.
AGNT-7856 Solaris All Databases When running GTI on Solaris 10, the error message "ln: cannot create [...]: File exists" may appear.
AGNT-10249 Solaris Oracle When upgrading from v13.0 to v13.1 or later, open mode connections won't be audited. Workaround: Restart the Database after the upgrade.


AGNT-8958 Solaris Oracle 'Source of activity' field mistakenly displays 'remote' for local connection on Solaris global zone.
AGNT-9378 Solaris Oracle GTI doesn't collect ASO logs when "shared" folder is defined in non default location.
AGNT-9681 Solaris Oracle Agent ASO on Solaris SPARC monitors databases in Global Zone only.
AGNT-9785 Solaris Oracle When 200 simultaneous ASO connections are open, some are not being monitored.
AGNT-9847 Solaris Oracle When the Oracle database is installed on a Solaris zone which isn't Global and the Agent ASO is enabled, Agent may display error with message "Oracle ASO monitoring failed".
AGNT-10146 SUSE All Databases In rare cases, due to startup scheduling, a complete loss of audit data may occur. Workaround: restart the agent.
AGNT-9946 SUSE All Databases Vendor Meltdown patches for SUSE Operating Systems cause the SecureSphere Agent to fail during startup. Partial workaround, for external traffic only, is to use PCAP mode.
AGNT-8696 SUSE SAP-HANA When using SAP-HANA 12, moving from sniffing to inline mode and vice versa doesn't work with local TCP connections.
AGNT-10625 SUSE Teradata If TCP channel is ignored, and then the channel is un-ignored, a redundant 'logout' packet will appear in audit data.
AGNT-7657 SUSE Teradata Blocking is not supported in inline mode for local TCP connections.
AGNT-9471 SUSE Teradata In Teradata 16.1 and above the CPU consumption of ragent process is higher than in older Teradata versions. Workaround: Client may disable TD-API method using advanced config in order to work the same as older Teradata versions.
AGNT-9959 SUSE Teradata On rare occasions, uninstalling the SecureSphere Agent might cause the Teradata database to freeze up.
AGNT-9947 ubuntu All Databases The Ubuntu 14.04 agent can't be installed or upgraded using Software Update.
AGNT-10165 Unix All Databases First queries received with an Agent with open mode connections are not audited.
AGNT-7381 Unix All Databases When using EIK and upgrading from agent version 11.0 and earlier to version 11.5 "connected user" is displayed on connections opened before the upgrade was conducted.
AGNT-7654 Unix All Databases When using LDAP authentication on a 64bit machine without the 32bit LDAP libraries installed, the users in OS user chain are displayed as GUID instead of user names.
AGNT-9265 Unix All Databases When connecting to a machine before the agent is working, the remote login isn't detected. Some applications (such as SecureCRT) reuse previous SSH connections thereby preventing the remote login from being detected.
AGNT-9456 Unix All Databases Agent fails to start if the agent folder is located on XFS with 64bit i-nodes.
AGNT-10659 Unix MariaDB, MySQL In cases where the database executable file was deleted, Database discovery might fail.


AGNT-10266 Unix MySQL Incomplete audit for TCP local traffic. Workaround: Add the following item in the SecureSphere Agent's Advanced Configuration pane: <kernel_support_local_traffic_in_server_side>0</kernel_support_local_traffic_in_server_side>.
AGNT-10040 Unix Oracle When agent is being updated from a version that does not support open-mode to a version that supports open mode, open-mode ASO connections are not monitored.
AGNT-10042 Unix Oracle If Oracle is configured to work in shared-server-mode, Diffie-Hellman connections will not be monitored.
AGNT-7902 Unix Oracle ASO | No audit is available for Diffie Hellman encrypted traffic if the Oracle database being audited is configured to work in 'shared mode.'
AGNT-8409 Unix Oracle Open mode is not supported for encrypted and non-encrypted Oracle connections during upgrade from Agent version less than v12 to Agent version v12 and newer, when ASO monitoring is enabled prior to the upgrade.
AGNT-9389 Unix Oracle If monitoring Diffie-Hellman traffic while ASO in the agent is disabled, agent enters running with errors. If disabling DH traffic on the database while ASO is still disabled in the agent, running-with-errors persists.
AGNT-9649 Unix Oracle The Injection Manager process may crash when it's stopped.
AGNT-8054 Unix Progress When working with connections that utilize high ports with Progress DB, open mode is not supported.
AGNT-6189 Windows All Databases When upgrading from agent versions earlier than 11.0, server might cause lower agent performance. Workaround: Reboot the database server after upgrade.
AGNT-6256 Windows All Databases On rare occasions, agent uninstall may fail.
AGNT-7084 Windows All Databases Upgrading the Windows Agent to the same Agent version will fail.
AGNT-7109 Windows All Databases When working in PCAP mode, if WINPCAP is not installed and the TCP external data interface exists, then the TCP loopback data interface might not be monitored.
AGNT-7369 Windows All Databases When executing first time installation of the SecureSphere Agent or upgrading from v11.0 and earlier and working with EIK on Windows Server 2008 and newer, SecureSphere cannot monitor previously established connections.
AGNT-7533 Windows All Databases On rare occasions, process details are missing.
AGNT-8158 Windows All Databases On rare occasions, after uninstalling the SecureSphere Agent, its related processes might still be running.
AGNT-8680 Windows All Databases When a MySQL, Oracle or DB2 database is accessed using Windows authentication and Kerberos authentication is used, the username will not be audited.
AGNT-8764 Windows All Databases On Windows Server 2012, if open connections exist prior to installing the agent, running new short connections could cause non-existent logouts to appear in audit of open mode connections.
AGNT-8765 Windows All Databases Updating a channel (e.g., disabling then re-enabling) causes audit loss.


AGNT-8915 Windows All Databases DrWeb antivirus mistakenly detects Imperva agent as a Trojan.
AGNT-8920 Windows All Databases When external traffic is monitored by pcap on windows platforms, disabling and enabling network interface while agent is running will cause complete audit loss. Workaround: restart the Agent.
AGNT-8960 Windows All Databases On Windows 2000 servers, the SecureSphere Agent might report the wrong number of cores.
AGNT-8127 Windows CIFS Audit is missing for shared folders with a name longer than 260 characters.
AGNT-8129 Windows CIFS Source IP address may be missing for access on path longer than 260 characters.
AGNT-8303 Windows CIFS When configuring a user exclusion, only users that appear in remote traffic are excluded, while users in local access are not excluded.
AGNT-8771 Windows CIFS Multichannel connections may be audited with 0.0.0.0 source IP in cases that the server network adapter enables IPv6.
AGNT-8772 Windows CIFS Limitation: "Source IP" audit parameter not supported with IPv6 related file operations. "0.0.0.0" is displayed under these conditions.
AGNT-8797 Windows CIFS When two clients access the same file at the same time, source IP address is reported as 0.0.0.0 for both clients.
AGNT-8919 Windows CIFS Missing source IP on Create and Read when accessing a Windows share from Linux smbclient.
AGNT-9595 Windows CIFS When using an SMB1 client and trying to access a file without permission no source IP is audited.
AGNT-9596 Windows CIFS When trying to access a folder without permission, the attempt is audited as access to a file, rather than a folder.
AGNT-8678 Windows DB2 If the DB client connects to the DB server via 'shared memory,' the source IP address in audit is missing.
AGNT-8393 Windows MariaDB Maria DB IPC channel is not supported.
AGNT-10137 Windows MSSQL Certificate discovery might not work properly if two different databases are running with the same user but with different domains.
AGNT-10217 Windows MSSQL Incorrect OS user chain in MX appears for external connections when MSSQL Advanced Monitoring is enabled.
AGNT-10390 Windows MSSQL When applying non-exportable certificate for MSSQL2008 32 bit, no external audit is monitored and there is no hashed user for local traffic.
AGNT-6398 Windows MSSQL After blocking in sniffing mode for local TCP connections, it takes about a minute for the client to close the local TCP session.
AGNT-6505 Windows MSSQL In order for an MSSQL NP interface to be monitored, the MSSQL service needs write privileges to the agents folders.
AGNT-7947 Windows MSSQL Local (loop-back) TCP traffic that is generated by client applications based on the JDBC driver is not monitored by SecureSphere Agent.
AGNT-7994 Windows MSSQL When changing the login user of MSSQL server, its corresponding IPC channel log directory needs to be manually deleted. Otherwise, there will be no audit.


AGNT-8087 Windows MSSQL In cases where there is more than one MSSQL database on a server, all databases are running and RC4 user is used for Kerberos, Hashed Users may appear in audit.
AGNT-8923 Windows MSSQL Agent fails to discover certificate after changing user that runs the MSSQL service. Workaround: Restart the database to discover the new certificate. Relevant for MSSQL 2016.
AGNT-8988 Windows MSSQL In advanced mode, if a user ignores IPC channel and then un-ignores it, existing connections are not monitored.
AGNT-9013 Windows MSSQL Blocking is not supported with MSSQL Advanced Monitoring.
AGNT-9032 Windows MSSQL Open mode connections are not monitored on remote-named-pipe channel.
AGNT-9138 Windows MSSQL With an open mode connection in advanced monitoring mode, the user name isn't displayed if the SecureSphere version is older than v12 Patch 1.
AGNT-9140 Windows MSSQL User name is not displayed for open mode connections in advanced monitoring mode if the database is 32bit MSSQL.
AGNT-9234 Windows MSSQL Advanced monitoring mode does not support MSSQL 2008 32 bit.
AGNT-9235 Windows MSSQL User name detection in advanced monitoring mode is not supported in MSSQL 32 bit.
AGNT-9874 Windows MSSQL When a machine has more than one MsSql server installed that are running under the same user name but from different domains, the default MsSql certificate might not be extracted for some of the servers.
AGNT-8606 Windows MySQL MySQL connections may not be monitored if Diffie-Hellman authentication is used.
AGNT-5730 Windows SharePoint Revoke permissions for an attachment under a list item is not supported.
AGNT-6330 Windows SharePoint A SharePoint security policy configured to block upon file object modification also blocks list objects.
AGNT-9116 Windows SharePoint Operations on checked out files are not blocked.
AGNT-9123 Windows SharePoint On SharePoint sites authenticated using "Claims," security policies using a group based match criteria cannot block the activity.
AGNT-9193 Windows SharePoint SharePoint security policy blocking cannot be disabled by changing the action to "None."
AGNT-9205 Windows SharePoint In rare cases when uploading files to a SharePoint 2013 site by dragging the files to the browser, the deletion of these files is not blocked by the security policy.
AGNT-9610 Windows SharePoint SharePoint Blocking doesn't always block folder delete operation.
AGNT-9611 Windows SharePoint SharePoint Blocking doesn't always block folder creation.
AGNT-8913 Windows 2012 All Databases When sending a query from a client in one domain to an MSSQL server in another domain with MSSQL service running an AD user in the first domain, hashed user is received.


Fixed Issues with SPHR Agent - v13.3
ID OS DB/ Product Description

AGNT-10523 AIX Oracle ASO monitoring was not supported in some Oracle versions.
AGNT-10531 AIX Oracle Agent caused high CPU usage when ASO monitoring was enabled.
AGNT-10358 AIX, Linux, Solaris Oracle On rare occasions, Running with Errors was encountered due to the SecureSphere Agent failing to inject processes that were no longer running.
AGNT-10157 All All Databases When a pattern for core file naming is configured, the limitation for the maximum number of core files did not work.
AGNT-10453 All All Databases Agent was Running with Errors even after it was restarted.
AGNT-10408 Linux Cloudera Hbase, Hortonworks HBase SecureSphere RemoteAgent monitors only the first 10,000 HBase connections. In addition, logout events in HBase could be displayed in MX long time after the actual logout occurred.
AGNT-10118 Linux Oracle After upgrading the SecureSphere Agent from v11.5 to v12.0 or higher, Oracle ASO open mode connections weren't audited.
AGNT-10427 Linux Oracle Oracle ASO monitoring didn't work when root umask value is other than 0022.
AGNT-10230 Linux, RHEL, SUSE, UEK All Databases Spectre v2 mitigation retpoline might have been disabled in kernel when Agent was installed on newer kernel versions.
AGNT-10492 RHEL All Databases When SecureSphere Agent was installed in a non-default location, the log folder for Big Data discovery was "/opt/imperva/ragent/etc/logs/discoveryRagent/ProcessDiscovery/".
AGNT-10482 RHEL Cloudera Hbase, Cloudera HDFS, Cloudera Hive, DataStax Cassandra, Hortonworks HBase, Hortonworks HDFS, Hortonworks Hive When SecureSphere Agent is installed in a non-default location, audit for HBase, Hive, HDFS and Cassandra may not have worked.
AGNT-10378 RHEL Cloudera Hbase, Hortonworks HBase Short user name was displayed in MX for HBase query events (non login/logout). Full user name is displayed for all HBase events from HBase 1.1.3.


AGNT-10417 RHEL Cloudera Impala Big Data Agent failed to audit Impala on Cloudera version 5.10.2.
AGNT-10437 RHEL Hortonworks HBase When running on Hortonworks (HDP) HBase with Ranger plugin enabled, Big Data agent was either running with errors or not monitoring grant and revoke commands.
AGNT-10409 RHEL MongoDB In the event of a Failed Login in MongoDB, no error message was displayed in the MX phase 2 audit data SQL exception string field.
AGNT-10669 Solaris All Databases Imperva Agent caused a crash on Solaris 11.4 and above.
AGNT-6637 Solaris All Databases On some Solaris kernels (not common versions), after agent installation, the agent moved to running with errors state with message "Couldn't initialize TCP local traffic monitor."
AGNT-10117 SUSE Teradata When root user couldn't perform sudo, the Agent failed to monitor Teradata traffic.
AGNT-10558 SUSE Teradata Teradata API monitoring didn't always work after agent restart.
AGIM-318 UEK All Databases No external traffic when EIK was enabled on kernel version 4.1.12-94.7.8
AGNT-10462 Unix Oracle When using Oracle 18 with ASO, no audit was available.
AGNT-10451 Windows MSSQL ACP was not working when the <package-dir> was not configured as <intall-root-dir>.
AGNT-10494 Windows MSSQL Logs were created containing no information.

Fixed Issues with SPHR Agent - v13.2

ID | Agent OS | Agent DB/Product | Description
AGNT-10250 | AIX, Linux, Solaris | Oracle | In rare cases, SecureSphere Agent log files could have grown very large.
AGNT-10349 | AIX, Linux, Solaris | Oracle | SecureSphere Agent was printing errors and listing changes in kernel system log.
AGNT-10358 | AIX, Linux, Solaris | Oracle | On rare occasions, Running with Errors was encountered due to the SecureSphere Agent failing to inject processes that were no longer running.
AGNT-10065 | Linux | MSSQL | Overall CPU utilization of SecureSphere Agent on MSSQL over Linux could have reached 20%-25%.
AGNT-10074 | Linux | Oracle | Oracle database froze when running external table queries.
AGNT-10118 | Linux | Oracle | After upgrading the SecureSphere Agent from v11.5 to v12.0 or higher, Oracle ASO open mode connections weren't audited.
AGNT-9952 | Linux, RHEL | All Databases | SecureSphere Agent may not have audited traffic if Symantec Data Center Security (DCS) was installed.
AGNT-10185 | Solaris | All Databases | In rare cases, database server crashed when Agent driver kernel memory was low.
AGNT-10019 | SUSE | All Databases | In rare cases, due to startup scheduling, complete audit loss can occur.
AGNT-10117 | SUSE | Teradata | When root user couldn't perform sudo, the Agent failed to monitor Teradata traffic.
AGNT-9887 | SUSE | Teradata | When using Teradata v16.10 or newer, and the database was under heavy load, some of the connections would lack the client process details.
AGNT-9913 | SUSE | Teradata | With Teradata v16.10 and newer, a long agent installation path (longer than 40 characters) could have caused ragent process crash on startup.
AGIM-318 | UEK | All Databases | No external traffic when EIK was enabled on kernel version 4.1.12-94.7.8
AGNT-10225 | UEK | All Databases | SecureSphere Agent failed to start with OEL UEK version 4.1.12-94.7.8.el6uek.
AGNT-10201 | Ubuntu | All Databases | RemoteAgent GTI (get tech info) could only be taken from the MX and not through the RemoteAgent CLI.
AGNT-10063 | Unix | All Databases | In rare cases, a small amount of audit loss could have been encountered.
AGNT-10056 | Windows | All Databases | Running with errors "Agent restarting. Reason: System Capping event occurred" was not always removed once the issue was resolved.
AGNT-9898 | Windows | MSSQL | The Agent could have been running with errors when MSSQL Advanced Monitoring was enabled and MSSQL database was uninstalled.

Fixed Issues with SPHR Agent - v13.1

ID | OS | Agent DB/Product | Description
AGNT-9747 | AIX | Oracle | In rare cases, Agent ASO on AIX might cause system to crash.
AGNT-9749 | AIX | Oracle | Agent status could have been running with errors if there were open-mode connections which the InjectionManager didn't succeed in monitoring.
AGIM-290 | All | All Databases | Agent memory usage passed limit when registered to trusted environment.
AGNT-9516 | All | All Databases | In some cases, Agents report running status instead of running with errors, even though the gateway the agent is assigned to is disconnected.
AGNT-9759 | All | All Databases | Agent memory usage exceeded limit when registered to a trusted environment.
AGNT-9828 | All | All Databases | The ragent process could crash when the kernel was upgraded.
AGNT-9894 | All | All Databases | When the agent was restarted due to capping event, system event "agent status change" to disabled did not appear in the MX.
AGNT-9714 | HP-UX | All Databases | Trying to retrieve Get Tech Info did not succeed and froze up.
AGNT-9772 | HP-UX, Solaris | Oracle | Some Oracle cluster DB data interfaces were not auto discovered on HP-UX and Solaris 11.
AGNT-9565 | Linux | All Databases | Agent memory usage exceeded limit.
AGNT-9778 | Linux | All Databases | The agent process could crash on start in 64-bit operating systems. The problem occurred only when there was another driver that intercepted the system calls.
AGNT-9761 | Linux | Oracle | Upgrading Oracle 12.1 ASO monitoring to patch id 8841764 caused audit loss.
AGNT-9812 | RHEL | All Databases | Following OS kernel update for Meltdown and Spectre issues on x86_64 processors: Remote agent failed to start on kernel version 3.10.0-693.11 and up.
AGNT-9832 | RHEL | All Databases | Following OS kernel update for Meltdown issue on Intel processors: Remote agent failed to start on updated RHEL6.
AGNT-9961 | RHEL, UEK | All Databases | Vendor Meltdown patches for RHEL and OEL6,7 UEK4 caused Agent to fail during startup.
AGNT-10185 | Solaris | All Databases | Database server might have crashed when Agent driver kernel memory is low.
AGNT-9355 | Solaris | Oracle | Open mode Oracle ASO connections were not being monitored on Solaris.
AGNT-10019 | SUSE | All Databases | In rare cases, due to startup scheduling, complete audit loss can occur.
AGNT-9941 | SUSE | All Databases | Vendor Meltdown patches for SUSE caused the SecureSphere Agent to fail during start.
AGNT-9693 | SUSE | Oracle | The SecureSphere Agent for DAM could not decrypt traffic encrypted using ASO when installed on Oracle Databases running on SUSE 12 SP2.
AGNT-9764 | SUSE | Teradata | In Teradata when agent was in EIK mode there could have been loss of audit when user connected to the database using ODBC.
AGNT-9913 | SUSE | Teradata | With Teradata v16.10 and newer, a long agent installation path (longer than 40 characters) could have caused ragent process crash on startup.
AGIM-295 | UEK | All Databases | Agent didn't monitor traffic after OS update, resulting in running with errors.
AGIM-301 | UEK | All Databases | Following OS kernel update for Meltdown issue on Intel processors: Remote agent failed to start on updated OEL7.
AGNT-9834 | UEK | All Databases | Following OS kernel update for Meltdown issue on Intel processors: Remote agent failed to start on updated OEL7.
AGNT-9780 | Unix | All Databases | Localhost connections on IPv6 were not monitored.
AGIM-266 | Windows | All Databases | Upgrading the SecureSphere Agent failed.
AGNT-9598 | Windows | MSSQL | MSSQL Advanced Monitoring could have failed to inject the DLL when ACP update was done before the MSSQL database was started.
AGNT-9612 | Windows | MSSQL | MSSQL DB process might have crashed if the Agent was stopped quickly and MSSQL Advanced Monitoring was enabled.
AGNT-9926 | Windows | MSSQL | When MSSQL Advanced Monitoring is enabled and there is a high number of concurrent connections, high System CPU might be experienced.

Fixed Issues with SPHR Agent GA

The following table lists the issues resolved in the SecureSphere Agent 13.0 GA release.

ID | Agent Environment | Description
AGIM-270 | AIX | Software upgrade could have failed due to MD5 verification.
AGNT-7768 | AIX | Couldn't install agent package.
AGNT-8623 | AIX | AIX agent would not always get assigned to a cluster.
AGNT-8993 | AIX | Oracle ASO open mode connection might have been missed if no /etc/oratab was present.
AGNT-9747 | AIX | In rare cases, Agent ASO on AIX might cause system to crash.
AGNT-8360 | AIX, Linux | ASO monitoring injected code default directory (/lib/imperva) could be changed by using <aso-shared-object-location> via advanced config.
AGNT-8488, AGNT-8359 | AIX, Linux | ASO logs folder (/opt/imperva/shared) had a 777 permission by default which could have been reduced to 770 if the <shared-dir-group-owner> was used.
AGNT-8763 | AIX, Linux, Oracle | When working with ASO, open-mode connections were not audited.
AGNT-8505 | AIX, RHEL, Solaris, SUSE, UEK | IPC traffic was not intercepted or audited when working with ASO.
AGNT-9271 | AIX, Solaris | When using ClusterManager and gateway is down, agent may require manual restart in order to reconnect to one of the gateways.
AGIM-276 | All OS Platforms | Agent\Installer installation could have failed when environment variable TMPDIR was set to a path other than "/tmp."
AGIM-290 | All OS Platforms | Agent memory usage passed limit when registered to trusted environment.
AGNT-6348 | All OS Platforms | SecureSphere failed to monitor traffic to databases when sub-interfaces with new IP addresses were added while the agent was running.
AGNT-8548 | All OS Platforms | If memory allocation operation failed during driver initialization, the kernel module would fail to load.
AGNT-8563 | All OS Platforms | The no-traffic system event could have been sent when no channels were assigned.
AGNT-8588 | All OS Platforms | When the agent is configured to work in manual mode, data interface configuration won't be applied on the agent and related traffic will be lost.
AGNT-8620 | All OS Platforms | When moving an agent from a Large Server Cluster to another Large Server Cluster, audit loss can occur.
AGNT-8656 | All OS Platforms | Agent failed to recover from disconnected state due to NTP time change.
AGNT-8697 | All OS Platforms | Agent log files could have taken up more disk space than allocated.
AGNT-9101 | All OS Platforms | Certain scenarios might cause the RemoteAgent or the Controller to crash when receiving a new Agent Compatibility Package.
AGNT-9165 | All OS Platforms | After receiving a new ACP package, the Controller or Ragent processes of the Remote Agent could have crashed.
AGNT-9180 | All OS Platforms | Possible memory corruption when receiving a new ACP package.
AGNT-9246 | All OS Platforms | No "DB IPV6 listener is identified" system event is sent when IPv6 is configured on a loopback interface.
AGNT-9460 | All OS Platforms | Agent could cause system crash if the number of CPUs was greater than 2048.
AGNT-9525 | All OS Platforms | Installing agent or installer failed when environment variable TMPDIR was set to a path other than "/tmp."
AGNT-9759 | All OS Platforms | Agent memory usage exceeded limit when registered to a trusted environment.
AGNT-8905 | All OS Platforms, Postgre | IPC channel was not supported with PostgreSQL DB.
AGNT-8741 | CIFS | Missing source IP on Create and Read when accessing a Windows share from Linux smbclient.
AGNT-8928 | CIFS, Windows | Audit records were missing the source IP when reading and writing lots of files from a client.
AGNT-8107 | HPUX, Linux, Windows | On high load systems audit loss could have occurred on local TCP. Additionally, the agent could have failed to load the local TCP driver after agent restart. This could have occurred on Linux when changing max processes ID in the system without restarting the agent.
AGIM-268 | Linux | Agent could fail to start if the agent folder was located on XFS with 64bit i-nodes.
AGNT-7440 | Linux | Request for gateway to block a response could have been ignored.
AGNT-8944 | Linux | Under rare circumstances, process creation might have crashed the server.
AGNT-9060 | Linux | IP addresses on loop-back interface that were different from 127.*.*.* were not added to discovered Data Interface.
AGNT-9436 | Linux | Agent could have caused the database server to freeze when OS kernel version was above 4.1.
AGNT-9442 | Linux | Agent could fail to start if the agent folder was located on XFS with 64bit i-nodes.
AGNT-9476 | Linux | RemoteAgent process might fail to initialize local traffic sniffer on Linux 32bit operating systems. Workaround: configure "kernel-builder-size" to 4096 via advanced configuration on the Agent tab in Management Server.
AGNT-9565 | Linux | Agent memory usage exceeded limit.
AGNT-9144 | Linux, Oracle | On rare occasions, when working with Oracle ASO, the SecureSphere Agent may not be able to start properly after it was stopped.
AGNT-9309 | Linux, Oracle | The Injection Manager could have failed to inject the ASO DSO to the Oracle process if "umask" was defined to mask read or execute permissions for group or others.
AGIM-295 | Linux, UEK | Agent didn't monitor traffic after OS update, resulting in running with errors.
AGNT-8288 | Linux, Unix | Agent failed to install due to missing permissions to /tmp.
AGNT-8437 | MS SQL | When connecting remotely to Named pipe interface, the source IP in audit screen was displayed as 0.0.0.0.
AGNT-8924 | MS SQL | When connecting remotely to Named pipe interface and "mssql-advanced-monitoring" was set in MX Advanced Configuration, source IP in audit screen was displayed as 0.0.0.0 and source of activity was local.
AGNT-8761 | MS SQL, Windows | 32bit MSSQL server could have crashed when Remote Agent was started.
AGNT-8894 | MS SQL, Windows | On rare occasions, MSSQL Advanced Monitoring wouldn't have audited traffic on MSSQL 2008 R2 32bit.
AGNT-8917 | MS SQL, Windows | Intercepting named-pipe channels might have failed in rare cases because of connection issues between the Remote Agent and the MSSQL server.
AGNT-9206 | MS SQL, Windows | If ACP file content has been corrupted, new ACP file wouldn't properly function. This could have resulted in no audit in advanced monitoring mode.
AGNT-9598 | MS SQL, Windows | MSSQL Advanced Monitoring may fail to inject the DLL when ACP update was done before the MSSQL database was started.
AGNT-9612 | MS SQL, Windows | MSSQL DB process might crash if the Agent was stopped quickly and MSSQL Advanced Monitoring was enabled.
AGNT-9281 | Oracle | When working in EIK mode with Oracle 12.2, some audit for open mode connections might be missing at the beginning.
AGNT-9693 | Oracle, SUSE | The SecureSphere Agent for DAM could not decrypt traffic encrypted using ASO when installed on Oracle Databases running on SUSE 12 SP2.
AGNT-9343 | Oracle, Unix | Agent driver failed to load on OEL5 UEK6.
AGNT-9373 | RHEL | In RHEL 7.4 database server would freeze up when SecureSphere Agent was started with ASO enabled.
AGNT-9761 | RHEL | Upgrading Oracle 12.1 ASO monitoring to patch id 8841764 caused audit loss.
AGNT-9812 | RHEL | Following OS kernel update for Meltdown and Spectre issues on x86_64 processors: Remote agent failed to start on kernel version 3.10.0-693.11 and up.
AGNT-9832 | RHEL | Following OS kernel update for Meltdown issue on Intel processors: Remote agent failed to start on updated RHEL6.
AGNT-8657 | Solaris | Agent failed to start.
AGNT-8719 | Solaris | SecureSphere Agent used a legacy method to start during reboot on Solaris 10 or 11 systems.
AGNT-8806 | Solaris | Failed to initialize local traffic. Couldn't initialize TCP local traffic monitor.
AGNT-8931 | Solaris | Destination IP is replaced with source IP for connections related to Solaris zones.
AGNT-8955, AGNT-9291 | Solaris | A system event was not sent when an IPv6 listener was identified on a Solaris server.
AGNT-9445 | Solaris | System\CPU capping could not be enabled.
AGNT-9527 | Teradata | SecureSphere Agent failed to get group_name.
AGNT-9764 | Teradata | In Teradata when agent was in EIK mode there could have been loss of audit when user connected to the database using ODBC.
AGNT-9174 | UEK | Installing or running the SecureSphere Agent for Database failed when running on a Nano UEK kernel.
AGNT-9711 | UEK | SecureSphere Agent couldn't be installed on OEL with ueknano kernel.
AGNT-9834, AGIM-301 | UEK | Following OS kernel update for Meltdown issue on Intel processors: Remote agent failed to start on updated OEL7.
AGNT-8085 | Unix | Agent failed to monitor local traffic after uninstall and install.
AGNT-8640 | Unix | Sybase detection didn't discover channels when the prefix for the database is too long.
AGNT-8783 | Unix | Intercepting traffic of kragent process caused a leak in driver resources. Leak could have ended without audit.
AGNT-9452 | Unix | Audit for local TCP connection in Netezza database wasn't collected.
AGIM-266 | Windows | Upgrading the SecureSphere Agent failed.
AGIM-274 | Windows | Imperva processes were not signed by Imperva signature.
AGNT-5026 | Windows | When connecting remotely to Named pipe interface, the Source of Activity in audit screen was displayed as "Local."
AGNT-5460 | Windows | General improvements made to RemoteAgentCli Windows utility that are related to starting, stopping and restarting the Remote Agent.
AGNT-8141 | Windows | Imperva processes were not signed with an Imperva signature.
AGNT-8301 | Windows | On rare occasions, adding a channel may have failed after the driver was loaded for the first time. As a result, traffic wouldn't be monitored.
AGNT-8479 | Windows | Agent was running multiple msinfo32.exe instances when using CPU capping.
AGNT-8700 | Windows | Enabling the ECN bit may cause re-transmissions of packets between the Agent and the Gateway.
AGNT-8708 | Windows | When disk becomes full, Agent may fail to receive configuration updates even after disk space is freed. Workaround: Restart the agent.
AGNT-8794 | Windows | If associated data interfaces were modified (e.g. by disabling then enabling them) while external TCP connections were running, inaccurate logouts would have been displayed.
AGNT-8862 | Windows | When both SecureSphere Agent and McAfee are installed on the server, McAfee caused higher CPU consumption. Workaround: Configure the "enable-discovery-processes" change in Advanced Configuration to "false."
AGNT-8868 | Windows | Warning message saying "Unable to find InstanceName for path" encountered resulting from mismatch between the sqlservr executable path and the path in the registry. Also caused obsolete keys to be added in the database discovery process.
AGNT-8893 | Windows | When external traffic was monitored by pcap on windows platforms, disabling and enabling network interface while agent was running caused complete audit loss. Bug was fixed on all Windows platforms except windows 2003 and below. Workaround: restart the Agent.
AGNT-8973 | Windows | WinPcap installation was required and the following message was displayed "The installer detected that WinPCap is not installed."
AGNT-9143 | Windows | Stopping kragent driver through "net stop" command could have caused drivers not to load next time agent was started, which would lead to loss of audit.
AGNT-9477 | Windows | Audit loss may occur when MSSQL Advanced Monitoring is enabled and the agent is restarted when the injected DLL takes too long to detach. Workaround: restart the agent.
AGNT-9219 | Windows 2008 | Agent process crashed accompanied with error "Maximum process terminations exceeded."
AGNT-9257 | Windows 2008 | Logouts were not monitored by the agent with EIK connections.
AGNT-9426 | Windows 2008 | Windows agent crashed due to driver path offset.
AGNT-8899 | Windows 2008, Windows 2012, Windows 2016 | In Windows 2008 and newer, when local driver load is failing there is no running with errors message issued.