23.4 enhancements and patches
23.4
Support for ARM architecture
This release supports the ARM64 (AArch64) architecture on the following platforms:
- SuSE Linux Enterprise Server 15.x
- Red Hat Enterprise Linux 8 x86_64
- Red Hat Enterprise Linux 9 x86_64
For a complete list of supported architectures, see Supported-platforms.
Support for Rocky Linux patching
This release supports patching for Rocky Linux 8 x86_64 and Rocky Linux 9 x86_64.
For more information, see Preparing-the-configuration-file-for-Rocky-Linux.
Microsoft Office 365, 2019, and 2021 online patching
TrueSight Server Automation supports a Microsoft Office patching solution, which requires target servers to be connected to the internet. For more information, see Setting-up-online-patching-for-Microsoft-Office-365-2019-and-2021.
Online cleanup for list_bl_value and list_bl_value_element
The ListBLValue cleanup module is now enabled for the DBM Online cleanup framework.
For more information, see Types-of-data-commonly-included-in-cleanups.
Support for additional platforms
This release supports the following additional platforms:
- Debian 11 x86_64 (RSCD Agent, Smart Agent, Patching)
- Debian 12 x86_64 (RSCD Agent, Smart Agent, Patching)
- Microsoft Windows 11 (Console)
- Oracle Linux 8 x86_64 (Unified Product Installer, Application Server, Live Reporting)
- Oracle Linux 9 x86_64 (Unified Product Installer, Application Server, NSH, Live Reporting)
- Red Hat Enterprise Linux 8 AArch64 (RSCD Agent)
- Red Hat Enterprise Linux 9 AArch64 (RSCD Agent)
- SuSE Linux Enterprise Server 15 AArch64 (RSCD Agent)
For a complete list of supported platforms, see Supported-platforms.
Support for SYSTEM User Only Mapping on Microsoft Windows
You can now map all the configured or permitted roles and users to the SYSTEM user on the Microsoft Windows server. If your organization-wide security policy prohibits user impersonation, the Windows User Mapping or User Privilege Mapping (UPM) techniques cannot be used to enable a user to assume an effective user identity including a set of user permissions on remote servers. In such cases, use the SYSTEM User Only mapping technique.
When you use this user mapping, the RSCD service operates under the SYSTEM account, and during execution, establishes mappings to the configured user accounts.
Enhancing Yum’s performance and streamlining its efficiency by using the Include/Exclude selection
To make the analysis process more efficient, a new pre-processing step in the Update Mode, with the By Complete Package Name option selected, filters out RPMs that are not installed on the system before they are passed to Yum.
Security enhancements
Umasking enforcement in service startup scripts
For consistent and controlled permissions related to the artifacts created by TrueSight Server Automation, the umask value of 0022 is enforced in all the service startup scripts. This approach addresses the issue of unintended permissions that may arise due to a misconfigured umask in the system.
Enhanced security with the rootonly option in the RSCD agent
The RSCD Agent installer now includes a new option called rootonly. TrueSight Server Automation administrators can enable this option selectively, limiting it to situations where mapping all role:user pairs to the root user account is intended. When you enable this option on the servers, the common directories are protected from being writable by all users, and the SUID (Set User ID) bit is prevented from being set on certain executables.
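The umask enforcement and the rootonly option both come down to file modes that can be checked on disk. The following added example (not TrueSight Server Automation code) builds a constructed directory tree under a permissive umask and under 0022, then reports world-writable paths and set-user-ID files; the function names and the tmp, job.log and helper entries are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return (world_writable, setuid): relative paths under root with risky modes."""
    world_writable, setuid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink itself are not meaningful
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                world_writable.append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                setuid.append(rel)
    return sorted(world_writable), sorted(setuid)

def create_artifacts(root, umask):
    """Create a directory and a log file with permissive requested modes under `umask`."""
    previous = os.umask(umask)
    try:
        os.mkdir(os.path.join(root, "tmp"), 0o777)
        fd = os.open(os.path.join(root, "tmp", "job.log"), os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(previous)  # restore the caller's umask

def demo():
    """Audit constructed trees built under a permissive umask and under 0022."""
    results = {}
    for label, umask in (("umask 0000", 0o000), ("umask 0022", 0o022)):
        with tempfile.TemporaryDirectory() as root:
            create_artifacts(root, umask)
            helper = os.path.join(root, "helper")  # constructed stand-in executable
            with open(helper, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(helper, 0o4755)  # set-user-ID bit, which the audit should report
            results[label] = audit_tree(root)
    return results

if __name__ == "__main__":
    for label, (writable, suid) in demo().items():
        print(label, "world-writable:", writable, "setuid:", suid)
```

Under umask 0022 the world-writable findings disappear, while the set-user-ID file is still reported, because umask does not govern bits set later with chmod.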
Enhancing RESTful API Security
You can now enhance your security by transmitting your login credentials, specifically the username and password, within the header of your HTTP request by using the authorize API. This method allows you to obtain the session ID and mitigates security concerns, making it a safer way of interacting with RESTful services.
For more information, see Using-TrueSight-Server-Automation-RESTful-Web-Services.
REST API enhancements
This version provides the following REST API enhancements:
Patching API enhancement
The REST API support is now available for Patching Jobs on Debian.
It is recommended to utilize the Debian filter option as a replacement for Ubuntu filter option, as it offers identical functionality.
For more information, see REST-API-endpoints.
BLPackage API enhancement
Use the following REST API to create the BLPackage:
POST /api/v1/blpackages: Creates a BLPackage for the Depot object type.
For more information, see REST-API-endpoints.
Leveraging REST API for efficient job retries
You can now re-execute a job against the failed targets of a specific job run for a variety of jobs, including Batch jobs, Compliance jobs, File-deploy jobs, Deploy jobs, NSH-script jobs, and Patching.
For example, to re-execute a file-deploy job against failed targets, use the PATCH method at this endpoint:
PATCH /api/v1/batch-jobs/{id}/jobruns/{run_id}/: Executes the batch job against failed targets.
For more information, see REST-API-endpoints.
Simplified job execution for specific targets
You can use the simplified API to execute jobs against specific targets, including servers and groups, for Batch jobs, Compliance jobs, File-deploy jobs, Deploy jobs, NSH-script jobs, and Patching. Use the following endpoint to execute a specific job ID:
PATCH /api/v1/batch-jobs/{id}
Accessing file-deploy-jobs easily by using the simplified API
- Accessing all the file-deploy-job runs: Use GET /api/v1/file-deploy-jobs/{id}/jobruns to retrieve a comprehensive list of all file deploy job runs for a specific job ID.
- Fetching specific job run results: Use GET /api/v1/file-deploy-jobs/{id}/jobruns/{run_id}/results to fetch the file deploy job run results for a specific job ID and the associated job run ID.
Support for additional Compliance Content templates
This release supports the following additional Compliance Content templates:
- Center for Internet Security (CIS) template for SuSE 15, Version 1.1.1
- Defense Information Systems Agency (DISA) template for Windows Server 2022, Version 1 release 3
This release also supports the new benchmark version for Center for Internet Security (CIS) template for Windows Server 2016 - Security Configuration Benchmark Version 2.0.0
Java version upgrade from Java 11 to Java 17
The JRE version in TrueSight Server Automation 23.4 is upgraded from 11.0.17+8 to 17.0.8+7, which offers advantages such as performance improvements, security updates, extended support, enhanced language features, and improved library compatibility.
Support for stronger ciphers to enhance communication between the Application Server, Smart Hub, Smart Hub Gateway, and RSCD Agent
This release uses stronger cipher suites for communication between various architecture components. The new stronger cipher suites are used for the following communication options:
Communication from TrueSight Server Automation application server to the RSCD Agent
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
Communication from TrueSight Server Automation Console (RCP client) to the application server
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Communication from TrueSight Server Automation application server to the Smart Hub
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
Communication from TrueSight Server Automation application server to the Smart Hub Gateway
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
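When reviewing these lists against a TLS policy, it helps to break each suite name into its key exchange, cipher mode and hash. The following added example (not part of the product) parses the IANA names listed above and flags suites that use static RSA key exchange or a non-AEAD mode; the classify and audit names and the flag wording are assumptions of this example.

```python
import re

# Cipher suite lists copied from this page, keyed by communication channel.
_PFS_GCM = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]
CHANNELS = {
    "Application Server -> RSCD Agent": _PFS_GCM + ["TLS_RSA_WITH_AES_256_CBC_SHA256"],
    "Console -> Application Server": _PFS_GCM[:2],
    "Application Server -> Smart Hub": _PFS_GCM
    + ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"],
}
CHANNELS["Application Server -> Smart Hub Gateway"] = list(
    CHANNELS["Application Server -> Smart Hub"])

# TLS_[<key exchange>_]<authentication>_WITH_<cipher and mode>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>[A-Z0-9]+)_)?(?P<auth>[A-Z0-9]+)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")

def classify(suite):
    """Return the properties a reviewer would flag for one IANA suite name."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError("unrecognized cipher suite name: %r" % suite)
    kx = m["kx"] or m["auth"]  # TLS_RSA_WITH_* uses RSA for key exchange too
    flags = []
    if kx not in ("ECDHE", "DHE"):
        flags.append("no forward secrecy (static %s key exchange)" % kx)
    if not m["cipher"].endswith(("GCM", "CCM", "CCM_8", "POLY1305")):
        flags.append("non-AEAD cipher mode (%s)" % m["cipher"])
        if m["hash"] == "SHA":  # in CBC suites the trailing hash names the HMAC
            flags.append("HMAC-SHA1 record MAC")
    return flags

def audit(channels=CHANNELS):
    """Map each channel to {suite: flags} for the suites that have any flag."""
    return {ch: {s: f for s in suites if (f := classify(s))}
            for ch, suites in channels.items()}

if __name__ == "__main__":
    for channel, flagged in audit().items():
        print(channel, flagged or "no flags")
```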
Discontinued support for the Process Spawner component
The Process Spawner component that was only used for spawning processes externally to the application server process has been discontinued in TrueSight Server Automation 23.4. The process spawner service is no longer available in a disabled state on a new application server. Additionally, you will not be able to manually enable and start it.
What else changed in this release
Update | Product behavior in versions earlier than 23.4 | Product behavior in version 23.4 |
---|---|---|
Upon changing your password on the Application Server, any previously established sessions using RCP, BLCLI, SOAP, or REST will be invalidated. | Prior sessions remain active until either a timeout occurs or you log out. | If you currently have an active session using RCP, BLCLI, SOAP, or REST to run your APIs, and either you or RBACAdmin has recently changed your password on the Application Server, your existing session becomes invalid. To continue, you'll need to re-establish your session using the new password. For more details, see Changing-passwords. |
A pre-processing step is added before passing the RPMs to yum: This step removes the RPMs that are not installed on the system from the list. | The system passes all the RPMs to yum, which increases the load on yum. | The RPMs that are not installed on the system are filtered out by the new pre-processing step in the Update Mode with the By Complete Package Name option, before they are passed to yum. For more information, see Patching-Job-Analysis-Options-for-Red-Hat-Enterprise-Linux-Oracle-Enterprise-Linux-and-SUSE-Linux-Enterprise. |