McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.
COPYRIGHT Copyright © 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents (excerpt)
Introducing McAfee Policy Auditor 8
Audience 8
Conventions
Data collection scans 28
The Maintain Foundstone Audits server task 28
The Data Import server task 29
Server support
Create, edit, and delete Service Level Agreements 45
How viewing audit results works 46
Exporting audits and audit results 47
Export audits
Create a file integrity monitoring policy 63
Apply a policy to systems 65
Compare file versions 65
Accept file integrity monitoring events
Appendix A: Implementing the Security Content Automation Protocol 87
Statement of FDCC compliance 87
Statement of SCAP implementation 88
Statement of CVE implementation
Introducing McAfee Policy Auditor
McAfee Policy Auditor version 6.0 automates the process required for system compliance audits. It measures compliance by comparing the actual configuration of a system to the desired state of a system. To understand what the software does and how to use it, you must be familiar with these basics:
• What an audit is, when you should use it, and why you should use it.
• The supported deployment solutions based on the type(s) of systems you want to audit.
Conventions
User input or Path: Commands and other text that the user types; the path of a folder or program.
Code: A code sample.
User interface: Words in the user interface including options, menus, buttons, and dialog boxes.
Hypertext blue: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Getting started with McAfee Policy Auditor
McAfee Policy Auditor is an extension to ePolicy Orchestrator software versions 4.5 and 4.6 that automates the process for risk and compliance system audits. Audits can perform tasks such as checking system settings, including password length, open or closed ports, file changes, and the presence of software updates.
Auditing systems
An audit is an independent evaluation of a computer system to determine whether it is in compliance with corporate and industry security standards. Audit results show recommended improvements to reduce risks. McAfee Policy Auditor evaluates systems against independent standards developed by government and private industry. It can also evaluate systems against standards that you create yourself.
Software components and what they do
• Entitlement reporting — Entitlement reporting is an enhancement to the Policy Auditor File Integrity Monitoring feature that produces custom file entitlement reports. It has these capabilities:
  • Monitors file entitlements, such as read and write attributes.
  • Monitors files for changes.
  • Monitors and displays changes to text files.
  • Support for OVAL 5.7 – 5.
Use of ePolicy Orchestrator software features
Installing the agent plug-in adds a product icon to the McAfee Agent system tray. In Windows environments, the product icon optionally displays a balloon tip to indicate the system is being audited. Systems that have the McAfee Policy Auditor agent plug-in installed are known, in McAfee Policy Auditor terminology, as managed systems.
ePolicy Orchestrator features used by McAfee Policy Auditor, and where to find them:
Policy Catalog (Menu | Policy | Policy Catalog)
• To manage the times when audits are allowed to audit systems.
• To manage settings for the file integrity monitor.
Queries (Menu | Reporting | Queries)
• To create and maintain database queries regarding system security information.
Managed systems vs. unmanaged systems
Auditing managed systems
When connected to a network managed by ePolicy Orchestrator software, managed systems can exchange information with the ePolicy Orchestrator server as scheduled. The primary advantage of managed systems is that they are audited by the agent even when they are not connected to the network. When they are reconnected, the Agent plug-in communicates the results to McAfee Policy Auditor.
Configuring McAfee Policy Auditor
McAfee Policy Auditor is configured from the ePolicy Orchestrator server. The server is the center of your security environment, providing a single location from which to administer system security throughout your network.
Server settings and what they control
Audit score: An audit score indicates how well a system conforms to the ideal settings specified in an audit. McAfee Policy Auditor allows you to change the scoring definitions to reflect your organization's determination of what constitutes a passed or failed audit.
Edit McAfee Policy Auditor server settings
... system data maintenance tasks to run. When the server task restarts, it resumes where it left off. The default setting is to let this task run for 2 hours.
Frequency to run update audit assignments: Defines the value, in hours, for running the PA: Update Audit Assignments server task. McAfee Policy Auditor sends audit content only to systems that are scheduled to receive the content.
Default permission sets
... to the set. One or more permission sets can be assigned to users who are not global administrators (global administrators have all permissions to all products and features). Permission sets only grant rights and access — no permission ever removes rights or access. When multiple permission sets are applied to a user account, they aggregate.
Permission set: PA Audit Admin
Permissions:
Benchmark Editor
• View and export checks
• View and export benchmarks
Findings
• View and hide/unhide findings
Issue Management
• Basic: Create issues and edit, view, and purge issues created by or assigned to me
McAfee Policy Auditor
• View Waivers
• Allow access to Foundstone Enterprise Manager (EM)
• Add, remove, and change audits and
Other default permission sets: PA Benchmark Activator, PA Benchmark Editor, PA Viewer
Edit permission sets
You can edit the default McAfee Policy Auditor permission sets or create your own.
Before you begin
You must be a global administrator to perform this task.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator user interface, click Menu | User Management | Permission Sets, then select the permission set.
2 Click Edit next to the McAfee Policy Auditor permission group.
Using the McAfee Policy Auditor agent plug-in
The McAfee Policy Auditor agent plug-in (agent plug-in) extends the features of the McAfee Agent. It manages the schedule for performing audits, runs the audits, and returns the results to the server. You install the McAfee Agent and the agent plug-in on managed systems. This enables audits to be conducted even if a system is not connected to the network.
Supported platforms
Operating system | X86 support | X64 support | Other processors | Notes
AIX 5.3 TL8 SP5 | | | Power5, Power6 |
AIX 6.1 TL2 SP0 | | | Power5, Power6 |
Apple Mac OS X 10.4 | X | X | PowerPC | Universal binary
Apple Mac OS X 10.5 | X | X | PowerPC | Universal binary
Apple Mac OS X 10.6 | X | X | PowerPC | Universal binary
HP-UX 11i v1 | | | RISC |
HP-UX 11i v2 | | | RISC |
HP-UX 11i v2 Itanium | | | RISC |
HP-UX 11i v3 | | | RISC |
HP-UX 11i v3 Itanium | | | RISC |
Red Hat Linux AS, ES, WS 4.
How content is managed
Content for McAfee Policy Auditor consists of benchmarks and checks. The content package is included when the product is installed, and is placed into the ePolicy Orchestrator master repository. Before you can use benchmarks in audits, you must activate them in McAfee Benchmark Editor. See the McAfee Benchmark Editor Product Guide for information about how to do this.
Install and uninstall the agent plug-in
d In Tags, select the systems in the selected group on which you want to install the agent plug-in.
4
• Send this task to all computers — Install the agent plug-in on all systems in the selected group.
• Send this task to only computers which have the following criteria — Use the edit buttons to include or exclude systems with tags. See the ePolicy Orchestrator documentation for information on working with tags.
Display the system tray icon on Windows systems
Before you begin
Before sending the agent wake-up call to a group, make sure that wake-up support for the systems' groups is enabled and applied on the General tab of the McAfee Agent policy pages. This is enabled by default.
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator user interface, click Menu | Systems | System Tree, then select the group in the System Tree.
Configuring agentless audits
McAfee Policy Auditor can register a McAfee Vulnerability Manager 6.8 or 7.0 (formerly Foundstone) server to conduct agentless audits. Agentless audits allow you to audit systems that do not have the McAfee Policy Auditor agent plug-in installed. McAfee Vulnerability Manager searches for systems using a Host Name or IP range, adds them to the System Tree, and conducts agentless audits. Installing the Foundstone ePO Data Integration (ePO 4.5 server or ePO 4.
How McAfee Policy Auditor integrates with the McAfee Vulnerability Manager extension
• When you change a system from unmanaged to managed, this distinction is reflected in queries and page views.
• McAfee Policy Auditor supports an all agent-based System Tree, an all agentless System Tree, and a mix of agent-based and agentless devices. A group can contain both managed and unmanaged systems.
Configure McAfee Vulnerability Manager and the ePolicy Orchestrator extension
The installation application automatically creates a server task named PA: Maintain Foundstone audits when you install the McAfee Vulnerability Manager extension. The task runs once per day by default. If you need to change the schedule, you should schedule it to run after the Data Collection Scan has had the opportunity to conduct audits so that audit results stay current.
Tasks in this section:
Manage McAfee Vulnerability Manager credential sets
Create an Asset Discovery scan
Create an MVM Data Import task
Add systems found by McAfee Vulnerability Manager scans to the System Tree
Create a Data Collection Scan
View McAfee Vulnerability Manager scan status
Create a McAfee Vulnerability Manager workgroup
Create a McAfee Vulnerability Manager workgroup and administrator for your McAfee Policy A
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator user interface, click Menu | Configuration | Server Settings and select Foundstone API Server.
2 Click Edit, select Enable Policy Auditor to use these server settings, and type an organization, user name, and password.
3 Click Save.
4 Go to Automation | Server Tasks.
5 Select a Schedule Type and set the scheduling options.
6 Determine how you want to configure the McAfee Vulnerability Manager Integration pane. Select the ePolicy Orchestrator server to receive the data and select the appropriate McAfee Vulnerability Manager organization or workgroup. Click Save.
Manage McAfee Vulnerability Manager credential sets
You can create, edit, and delete credential sets for systems managed by McAfee Vulnerability Manager. Credential sets grant McAfee Vulnerability Manager access to systems and, depending on the operating system, may use Windows authentication or a user name with password.
Task
For option definitions, click ? in the interface.
6 Click Next. The Settings tab appears.
7 Select credentials and click on the appropriate account type in the tree pane or from the Account Type drop-down list. Type the required credential information in the appropriate fields. Click Add.
8 You can specify multiple credentials, such as credentials for each domain in the search range, and click Add after specifying each credential. Click Next.
Add systems found by McAfee Vulnerability Manager scans to the System Tree
You can add systems discovered during a McAfee Vulnerability Manager scan to the ePolicy Orchestrator server System Tree.
6 Select Credentials and click on the appropriate account type in the tree pane or from the Account Type drop-down list. Type the required credential information in the appropriate fields. Click Add.
7 You can specify multiple credentials, such as credentials for each domain in the search range, and click Add after specifying each credential. Consult the McAfee Vulnerability Manager documentation for details on other settings for this tab.
Troubleshoot missing audit results
Configure McAfee Vulnerability Manager to ensure that the latest audit results appear in queries and reports. The Data Collection Scan, PA: Maintain Foundstone audits server task, and MVM Data Import server task can all be run manually from the interface.
Troubleshoot mismatched McAfee Vulnerability Manager certificates
Use this task to re-establish or change SSL communication between McAfee Policy Auditor and a McAfee Vulnerability Manager server.
Task
For option definitions, click ? in the interface.
1 From the McAfee Vulnerability Manager Configuration Manager, select the McAfee Policy Auditor server that needs new certificates.
Creating and managing audits
McAfee Policy Auditor allows you to create audits based on benchmarks and assign them to run on systems. You can create audits from a McAfee-supplied selection of predefined benchmarks established by government and industry such as SOX, HIPAA, PCI, and FISMA. You can also create audits based on third-party benchmarks or benchmarks that you create yourself.
Audits and how they work
When you run an audit against a system, the audit reports the comparison between the configuration status of the system and the rules in the benchmarks. When the default audit scoring model is used, the audit also reports a comparative score of the system ranging from 0 to 100.
Audit frequency
Audit frequency describes how often data should be gathered.
You can create or edit an audit so that it retains audit or Findings information for a different period of time than is specified in the global system settings.
Benchmark profiles and their effect on audits
Audits have benchmarks assigned to them. Many benchmarks contain profiles, which are named sets of selected groups, rules, and values targeted toward different computer system configurations and threat risks.
Activate benchmarks
When you assign a benchmark to an audit, the benchmark selection process provides a drop-down list showing all available benchmark labels. This tool allows you to filter benchmarks based on the label that you want to use for your audit.
Findings
McAfee Policy Auditor provides enhanced results for checks, also known as findings.
Create an audit
Audits determine whether systems comply with your security needs and the results tell you what, if anything, needs to be done to make the systems compliant.
Before you begin
• You must have permissions to add, remove, and change audits and assignments.
• You must have a benchmark that you have activated for use in the audit.
• McAfee Policy Auditor must be integrated with McAfee Vulnerability Manager if you plan to create an agentless audit.
Disable an audit
You can disable an existing audit. When an audit is disabled, McAfee Policy Auditor continues to purge information according to the schedule you have set. The audit will not run until you re-enable it.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Audits.
2 Select an audit, then click Actions | Edit Audit. The New Audit Builder opens.
3 Click Next to display the properties page.
Service Level Agreements
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree and select the Assigned Policies tab.
2 Select McAfee Policy Auditor Agent 6.0.0 from the Product drop-down list.
3 Under the Actions column, click edit assignments. The Policy Assignment page appears.
4 Under Assigned policy, click Edit Policy. The whiteout/blackout page appears.
Delete SLA: Delete the Service Level Agreement.
How viewing audit results works
McAfee Policy Auditor software offers a number of options for viewing audit results. Several options are available for viewing system and rule compliance. You can view audit results by clicking an audit from the Audits page.
• Rules Other — The number of systems that had a result other than pass or fail.
The page provides a control that allows you to view the results by system group, system subgroup, systems with a specific tag, or even individual systems. You can also adjust the results timeframe to select an audit to review.
View Rule Results column
Under the View Results column, clicking rule allows you to view the rule results for each system audited.
Export audits
3 The File Download dialog box appears. Click Save. The Save As dialog box appears.
4 Give the export ZIP file an appropriate name and click Save.
Scoring Audits
When McAfee Policy Auditor performs an audit on a system, it generates information about system compliance that includes a compliance score. The software supports the four scoring models described in the National Institute of Standards and Technology (NIST) document Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 (http://csrc.nist.gov/publications/nistir/ir7275r3/NISTIR-7275r3.
Since the maximum possible score can vary from audit to audit and from system to system, it is difficult to compare audit scores. The primary use for this scoring model is for comparing historical audit scores on the same system.
Flat unweighted scoring model
The flat unweighted scoring model computes the score (the number of rules that passed) and compares it against the maximum possible score.
Rule | Assigned weight | Laptop maximum rule score | Non-laptop maximum rule score
Port 8015 on a laptop system is closed | 3 | 3 | 0
Password on any system must be 10 or more characters | 1 | 1 | 1
Maximum possible score | | 4 | 1
The maximum possible audit score for a laptop is 4. On desktop systems, the software ignores the closed port rule and the maximum possible score is 1.
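The weighted table above and the flat unweighted description lend themselves to a worked computation. What follows is an added example, not Policy Auditor's own code: it implements the flat, flat unweighted and absolute scoring models as XCCDF 1.1.4 defines them, plus the default model for a flat (non-hierarchical) rule list, and applies them to the guide's two rules. The RuleResult type, the constructed result sets, and the handling of the edge case where no rule counts are assumptions of the example.

```python
# Added example: XCCDF 1.1.4-style scoring models applied to the guide's
# two-rule table. Illustrative code, not Policy Auditor's implementation.
# Result strings follow XCCDF rule-result values ("pass", "fail",
# "notapplicable", ...). Treating "fixed" as a pass and leaving
# notapplicable/notchecked/informational/notselected rules out of the
# maximum follows the XCCDF 1.1.4 scoring text; returning 0 from the
# absolute model when no rule counts is an assumption for that edge case.
from dataclasses import dataclass
from typing import List, Tuple

PASSING = {"pass", "fixed"}
EXCLUDED = {"notapplicable", "notchecked", "informational", "notselected"}


@dataclass(frozen=True)
class RuleResult:
    rule: str
    weight: int
    result: str


def flat_score(results: List[RuleResult]) -> Tuple[int, int]:
    """Flat model: weights of passed rules vs. weights of all counted rules."""
    score = sum(r.weight for r in results if r.result in PASSING)
    maximum = sum(r.weight for r in results if r.result not in EXCLUDED)
    return score, maximum


def flat_unweighted_score(results: List[RuleResult]) -> Tuple[int, int]:
    """Flat unweighted model: every counted rule has weight 1,
    so this is the number of rules passed vs. the number counted."""
    score = sum(1 for r in results if r.result in PASSING)
    maximum = sum(1 for r in results if r.result not in EXCLUDED)
    return score, maximum


def absolute_score(results: List[RuleResult]) -> int:
    """Absolute model: 1 only when every counted rule passed, otherwise 0."""
    score, maximum = flat_score(results)
    return 1 if maximum > 0 and score == maximum else 0


def default_score(results: List[RuleResult]) -> float:
    """Default model for a flat rule list: weighted average of per-rule
    scores (pass = 100, anything else that counts = 0), giving 0..100."""
    counted = [r for r in results if r.result not in EXCLUDED]
    if not counted:
        return 0.0
    weighted = sum(r.weight * (100.0 if r.result in PASSING else 0.0) for r in counted)
    return weighted / sum(r.weight for r in counted)


# Constructed results for the guide's two rules (weights 3 and 1).
PORT_RULE = "Port 8015 on a laptop system is closed"
PASSWORD_RULE = "Password on any system must be 10 or more characters"

LAPTOP_ALL_PASS = [RuleResult(PORT_RULE, 3, "pass"), RuleResult(PASSWORD_RULE, 1, "pass")]
LAPTOP_SHORT_PASSWORD = [RuleResult(PORT_RULE, 3, "pass"), RuleResult(PASSWORD_RULE, 1, "fail")]
# On a desktop the port rule does not apply, so only the password rule counts.
DESKTOP_ALL_PASS = [RuleResult(PORT_RULE, 3, "notapplicable"), RuleResult(PASSWORD_RULE, 1, "pass")]

if __name__ == "__main__":
    for name, results in [("laptop, all pass", LAPTOP_ALL_PASS),
                          ("laptop, short password", LAPTOP_SHORT_PASSWORD),
                          ("desktop, all pass", DESKTOP_ALL_PASS)]:
        print(name, "flat", flat_score(results), "unweighted", flat_unweighted_score(results),
              "absolute", absolute_score(results), "default", default_score(results))
```

The laptop with a short password illustrates the point the guide makes about comparability: the flat model gives 3 of a maximum 4, the unweighted model 1 of 2, the absolute model 0, and the default model 75, so the same system state reads very differently depending on the model selected in the server settings.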
Managing Audit Waivers
Waivers allow you to temporarily affect how systems are audited and have the potential to affect audit scores. They are useful when you have a system that you know may be out of compliance but you do not want to bring the system into compliance for a temporary period. For example, you may have systems in the Accounting Department that you do not want to patch near the end of an accounting cycle.
Types of waivers
Exception waivers
Exception waivers potentially affect the audit scores of selected systems by forcing the audit result of a benchmark rule to have a status of pass. The primary use of an exception waiver is to force audit rules to pass. Exception waivers have these characteristics:
• They apply to selected systems and groups in the System Tree.
• They require you to select an audit benchmark and a rule contained in the benchmark.
Waiver status
Waivers can have one of four status properties.
Requested: A waiver has been requested but approval has not been granted for it to take effect. Requested waivers do not appear on the Waivers tab, but appear in the Issue Catalog (go to Menu | Automation | Issues). Requested waivers can be deleted.
Upcoming: A waiver has been requested and granted approval but the waiver is not in effect because the start date has not yet arrived.
Filtering waivers by group
These assumptions apply to the filtering examples:
• Today's date is November 10, 2012.
• Waiver A has a start date of November 1, 2012 and an expiration date of November 15, 2012.
• Waiver B has a start date of November 15, 2012 and an expiration date of December 1, 2013.
Filter by today's date
Next to the As of date, click Today. The date is set to today's date of November 10, 2012. The Waivers tab shows:
• Waiver A has a status of In-effect.
1 Click Menu | Risk & Compliance | Waivers.
2 Select the group containing the waivers from the System Tree.
3 From the Filter drop-down list, select This Group Only. The Waivers tab shows only the waivers for systems in the selected group.
4 Select This Group and all Subgroups from the Filter drop-down list. The Waivers tab shows waivers for systems in the selected group and any subgroups of the selected group.
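The date-based example and the group filter above describe how the Waivers tab decides what to list. The following is an added example, not Policy Auditor's own code, that reproduces that logic for the guide's Waiver A and Waiver B plus a constructed requested waiver. It assumes that the fourth status (the guide names Requested, Upcoming and In-effect on these pages) is called "Expired", that a waiver is in effect from its start date through its expiration date inclusive, and that System Tree groups can be modelled as "/"-separated paths; the Waiver type and group names are constructed for the example.

```python
# Added example: status shown on the Waivers tab for a given "as of" date,
# combined with the This Group Only / This Group and all Subgroups filter.
# Illustrative code, not Policy Auditor's implementation. Assumptions:
# the status name "Expired" for waivers past their expiration date, an
# inclusive start..expires range, and "/"-separated System Tree group paths.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable


@dataclass(frozen=True)
class Waiver:
    name: str
    group: str          # System Tree path of the systems the waiver applies to
    start: date
    expires: date
    granted: bool = True  # False while the waiver is only requested


def waiver_status(w: Waiver, as_of: date) -> str:
    """Classify a waiver relative to the as-of date."""
    if not w.granted:
        return "Requested"
    if as_of < w.start:
        return "Upcoming"
    if as_of > w.expires:
        return "Expired"   # assumed name for the fourth status
    return "In-effect"


def waivers_tab(waivers: Iterable[Waiver], group: str,
                include_subgroups: bool, as_of: date) -> Dict[str, str]:
    """Return {waiver name: status} as the Waivers tab would list them.
    Requested waivers are left out because the guide routes them to the
    Issue Catalog rather than the Waivers tab."""
    listing = {}
    for w in waivers:
        in_scope = w.group == group or (include_subgroups and w.group.startswith(group + "/"))
        if not in_scope:
            continue
        status = waiver_status(w, as_of)
        if status == "Requested":
            continue
        listing[w.name] = status
    return listing


# Constructed data mirroring the guide's example dates; Waiver C is an
# additional requested-but-not-granted waiver for the same group.
WAIVERS = [
    Waiver("Waiver A", "My Organization/Accounting", date(2012, 11, 1), date(2012, 11, 15)),
    Waiver("Waiver B", "My Organization/Accounting/Payroll", date(2012, 11, 15), date(2013, 12, 1)),
    Waiver("Waiver C", "My Organization/Accounting", date(2012, 11, 1), date(2012, 11, 30), granted=False),
]
TODAY = date(2012, 11, 10)

if __name__ == "__main__":
    print("This Group Only:", waivers_tab(WAIVERS, "My Organization/Accounting", False, TODAY))
    print("With subgroups: ", waivers_tab(WAIVERS, "My Organization/Accounting", True, TODAY))
```

With the guide's dates, filtering the Accounting group on November 10, 2012 with This Group Only lists only Waiver A as In-effect; switching to This Group and all Subgroups adds Waiver B from the Payroll subgroup as Upcoming, and Waiver C never appears on the tab while it is merely requested.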
6 Use the calendar control next to the Start Date and the Expires Date to select the dates for the waiver to be in effect. The < and > controls move the month backward and forward. The << and >> controls move the year backward and forward.
7 Click Request Waiver. The Waivers tab appears. The requested waiver does not appear on the Waivers tab because the waiver has not been granted yet. Requested waivers appear in the Issues Catalog (Reporting | Issues).
Deleting waivers
Before you begin
You must have permissions to grant waivers.
Task
For option definitions, click ? in the interface.
1 Click Menu | Risk & Compliance | Waivers. The Waivers tab appears.
2 Select a waiver with a status of Upcoming and click View.
3 Click Delete Waiver. The deleted waiver no longer appears on the Waivers tab.
File Integrity Monitoring and entitlement reporting
File integrity monitoring notifies you of changes to specified text files on managed systems. Entitlement reporting informs you of changes to user and group rights to files. These features are useful for complying with government and industry standards, such as the Payment Card Industry (PCI) Data Security Standard.
How file integrity monitoring works
• Show a side-by-side comparison of file changes and indicate which lines have been added, deleted, or modified.
File information monitored
The file integrity monitoring feature of McAfee Policy Auditor tracks a number of file attributes. A change in an attribute generates an event notifying you of the change. The monitored attributes differ between the various supported operating systems.
Wildcard characters
Monitored and excluded paths and file names support the * and ? wildcard characters. The * wildcard character represents one or more characters and the ? wildcard represents a single character. You can choose to monitor a single file by typing the name of the file when you create a file integrity monitoring policy. By using wildcard characters, you can monitor files or paths of a specific type.
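Because the guide defines * as one or more characters (not zero or more, as a shell glob does), a pattern such as /etc/*.conf will not match /etc/.conf, and an excluded pattern can silently remove files from monitoring. The following added example, which is not the product's own matcher, implements the two wildcards with exactly the semantics stated above and evaluates a path against a monitored list and an excluded list. It assumes that patterns are anchored to the whole path, that * may span directory separators, that an exclusion takes precedence over a monitored match, and that case sensitivity is chosen by the caller; the sample patterns and paths are constructed.

```python
# Added example: matching file paths against Policy Auditor-style monitored
# and excluded patterns. Illustrative code, not the product's own matcher.
# Semantics follow the guide: '*' matches one or more characters, '?' exactly
# one. Assumptions: patterns are anchored to the whole path, '*' may span
# directory separators, an excluded match overrides a monitored match, and
# case sensitivity is the caller's choice (case-insensitive suits Windows paths).
import re
from typing import Iterable


def wildcard_to_regex(pattern: str, case_sensitive: bool = True) -> "re.Pattern[str]":
    """Translate a wildcard pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")   # one or more characters, never the empty string
        elif ch == "?":
            parts.append(".")    # exactly one character
        else:
            parts.append(re.escape(ch))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + "".join(parts) + "$", flags)


def matches(pattern: str, path: str, case_sensitive: bool = True) -> bool:
    """True when the whole path matches the wildcard pattern."""
    return wildcard_to_regex(pattern, case_sensitive).match(path) is not None


def is_monitored(path: str, monitored: Iterable[str], excluded: Iterable[str],
                 case_sensitive: bool = True) -> bool:
    """A path is monitored when it matches at least one monitored pattern
    and none of the excluded patterns (exclusions win)."""
    if any(matches(p, path, case_sensitive) for p in excluded):
        return False
    return any(matches(p, path, case_sensitive) for p in monitored)


# Constructed policy: monitor an application directory but leave its logs out.
MONITORED = ["/var/app/*", "/etc/*.conf"]
EXCLUDED = ["/var/app/*.log"]

if __name__ == "__main__":
    for candidate in ["/var/app/config.ini", "/var/app/debug.log", "/etc/resolv.conf", "/etc/.conf"]:
        print(candidate, "->", "monitored" if is_monitored(candidate, MONITORED, EXCLUDED) else "not monitored")
```

The /etc/.conf case is the one worth remembering when writing a policy: a dot-file that you expect a * pattern to cover is not covered, so list such files explicitly or use a pattern whose fixed part ends before the dot.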
File version comparison
The comparison feature allows you to view the contents of a versioned file and compare the text file content with other files. The software uses a color-coding system to identify file lines that are equal, empty, deleted, inserted, or modified. You can compare a stored version of the text with:
• The file baseline.
• Previous file versions.
• A specified file on another system.
One aspect of compliance monitoring is knowing which accounts have access to which files. McAfee Policy Auditor monitors these access permissions.
• User — User who has access to the file.
• Is Group — Whether the User is a group.
• Read Data — Whether the User has the ability to read the file.
• Write Data — Whether the User has the ability to write to the file.
Create and apply a file integrity monitoring policy
6
Create a policy based on this existing policy: Select an existing policy, such as My Default, or another file integrity monitoring policy.
Policy Name: Type a meaningful name for the policy.
Notes: Type information about the policy. This field is optional.
Click OK. The policy configuration window opens. Use the three tabs to configure the policy.
Table 3: General tab
Remove: Remove the selected file from the list of files to be monitored.
7
Run every: Set the monitoring frequency for the file. By default, this is set to one hour.
Click Save.
Apply a policy to systems
When you create a file integrity monitoring policy, you can apply it to systems in a selected System Tree group.
3 The file in the File 1 pane is the file you selected. You can use the File name drop-down list to select another file and the Version drop-down list to select a different file version. Click Preview to see the file contents.
4 Select the options for the File 2 pane.
5
Compare with the baseline on the above host: Compare the file in the File 1 pane to the baseline version.
3 Edit the dialog box to purge events older than the specified time. Select Purge Baseline Events to discard stored baseline settings, including the file text if versioning is enabled. Click OK.
Create a new file integrity monitoring baseline
You can create a new file integrity monitoring baseline for all monitored files on a system.
Rollup reporting
You can run queries that report on summary data from multiple ePolicy Orchestrator databases. McAfee Policy Auditor can use this feature to create rollup reports for audit results.
Contents
Rollup capabilities
Rollup reporting considerations
Rollup server tasks
Rollup reports
Configure rollup reporting
Rollup capabilities
You can roll up three types of audit information from multiple servers.
Rollup server tasks
McAfee Policy Auditor includes three predefined server tasks to provide rollup reporting. The tasks are disabled by default. The tasks can roll up information to provide a meaningful view of audit results from multiple servers. The server tasks have predefined settings that do not limit the data returned. You can configure the settings by editing the tasks from the server tasks page.
Rollup Data - PA: Audit Rule Result: This task rolls up audit rule results and their associated database tables.
Rollup Data - PA: Audit Patch Check Result: This task rolls up audit rule results and their associated database tables.
Rollup reports
The predefined reports show different aspects of audit results and use aggregation and grouping to help you interpret the information. You can drill down into each of the reports to find more detailed information.
• PA Rollup Audit Rule Results Pass-Fail-Other — Shows audit rules by status.
• PA Rollup Benchmark Results - Failed by Scoring Category — Shows benchmark results, categorized by scoring category, where the system failed the audit benchmark.
Configure rollup reporting
2 Configure and enable these server tasks on each server, including the rollup server:
• Rollup Data - PA: Audit Benchmark Results
• Rollup Data - PA: Audit Rule Result
• Rollup Data - PA: Audit Patch Check Result
3 Configure and enable the Roll Up Data (Local ePO Server) server task on the reporting server.
Findings
Findings supplement the results of an audit check with additional information about the state of the machine. Instead of seeing a value of false for a test result, Findings give more meaningful information such as "The minimum password length is set to 6 but it should be set to 8 or higher."
Contents
How findings work
Hide or unhide Findings results
How findings work
McAfee Policy Auditor reports Findings, which are enhanced results, for supported checks.
Types of violations
McAfee Policy Auditor shows information in reports and queries for three types of violations:
• Positive feedback — Additional information is shown when a rule passes. For example, if a rule determines whether the password age of a system is less than 90 days and the password is 60 days old, the enhanced results show that the expected value is <90 and the actual value is 60.
Hide or unhide Findings results
4 From the Checks pane, click Results. The Results page appears.
5 Select the Findings that you wish to hide or show.
Use this...                 To do this...
Actions | Hide Findings     Hide Findings in reports for the check in this audit.
Actions | Unhide Findings   Show Findings in reports for the check in this audit.
Dashboards and Queries
Dashboards allow you to keep constant watch on your environment. Dashboards are collections of monitors, or reports. Monitors can be anything from a chart-based query to a small web application, such as MyAvert Security Threats, that is refreshed at a user-configured interval. You can create your own dashboards from query results or use the McAfee Policy Auditor default dashboards. Users must have the appropriate permissions to use and create dashboards.
Policy Auditor default dashboards
• PA: MS Patch Status Summary
• PA: Operations
• PA: PCI Summary
You can make other dashboards visible from the Dashboards page by clicking Options | Select Active Dashboards and selecting Available Dashboards.

Default McAfee Policy Auditor queries
The Queries & Reports page provides a set of queries that deliver high-level reports on benchmarks, checks, rules, audit results, file integrity monitoring, findings, rollup reporting, and waivers.
• PA: File Integrity Event Counts — Displays a chart of File Integrity events grouped by event type.
• PA: File Integrity Events By System/Baseline Date — Displays a count of the File Integrity exceptions encountered after a baseline reset, grouped by system and baseline date.
• PA: File Integrity Events By System/Event Type — Displays a list of counts of the File Integrity events grouped by system.
PA: Compliance Summary dashboard
The Compliance Summary dashboard provides a high-level overview of audit results, with links and drill-down access to detailed information. The monitors included in this dashboard are:
• PA: Benchmark Results - Pass/Fail/Unknown — Displays a pie chart, grouped by benchmark results and classified by status.
PA: Operations dashboard
The monitors included in this dashboard are:
• PA: Unprocessed Audits Results by Audit — Displays unprocessed audit results grouped by audit.
• PA: Unprocessed Finding Results by Audit — Displays unprocessed finding results grouped by audit.
• PA: Agent Events Grouped by Event Type — Displays events reported by the McAfee Policy Auditor agent plug-in, grouped by event type.
Queries as dashboard monitors
• PCI Req 6.4: Automate documentation — Displays a grouped bar chart with each bar representing the number of benchmark results. The benchmark results are categorized by benchmark group.
• PCI Req 7: Restrict Access to Data — Displays a list of waivers currently in effect, grouped by first-level System Tree group and classified by type of waiver.
Policy Auditor agent plug-in debug tool
The Policy Auditor agent plug-in debug tool allows you to run audits, benchmarks, and checks on a system and save the results, including debug information and the log file, to a ZIP file. The debug tool has an interactive console interface for all operating systems as well as a graphical interface for Windows systems. The graphical interface includes these buttons: Audits, Benchmarks, Checks, Run Selected Item, Save Debug Info, and Close.
Display help
You can obtain online help on running the tool from the command prompt or command-line interface.
Task
1 Open a command prompt on a Windows system or a command-line interpreter on a non-Windows system.
2 Navigate to the folder containing the agent plug-in. On Windows systems, this is usually c:\Program Files (x86)\McAfee\Policy Auditor Agent.
3 Execute the tool, then type the appropriate command to display help.
Run a benchmark
Run a benchmark on a system and save the results to a file.
Task
1 Execute the agent plug-in debug tool.
2 Save the debug information to a file.
Interface    Definition
Graphical    1 Click Benchmarks. A list of available benchmarks on the system appears.
             2 Select the benchmark that you wish to run and click Run Selected Item.
             3 A Save As dialog box appears. Navigate to the desired location and click OK to save the results file.
Interface    Definition
             2 Enter ovList. A list of checks and their IDs appears.
             3 Enter ovRun followed by the name of the check. The audit results are saved to the results file specified in step 1.

Save debug information
You can save debug information, including the log file and database, to a ZIP file on the system.
Task
1 Execute the agent plug-in debug tool and perform an action, such as running an audit.
Appendix A: Implementing the Security Content Automation Protocol
McAfee Policy Auditor version 6.0 uses the Security Content Automation Protocol (SCAP) version 1.1. Security content conforming to the SCAP standard can be used by any product supporting the standard, and the results can be shared between these products. SCAP is a collection of six open standards developed jointly by various United States government organizations and the private sector.
Statement of SCAP implementation
The Security Content Automation Protocol (SCAP) is a collection of six open standards developed jointly by various United States government organizations and the private sector. Security content conforming to the SCAP standard can be used by any product that supports the standard, and the results can be shared among these products.
McAfee Policy Auditor patch and vulnerability definitions are updated periodically when new content is available. The audit results can be viewed from the Audits, Reports, or Dashboard user interfaces. CVE information is accessible from the Checks interface, which displays details of Common Vulnerabilities.
Statement of CVSS implementation
McAfee Policy Auditor version 6.0 incorporates version 2.0 of the Common Vulnerability Scoring System (CVSS). CVSS is a standardized open framework for measuring the impact of vulnerabilities. Each CVE includes an associated CVSS vector to determine the relative severity of vulnerabilities.
Statement of OVAL implementation
When a system is audited, the OVAL content is processed according to the information in the XCCDF benchmarks contained in the audit. The OVAL content captures the state of the system at the particular point in time that the audit is run. The results are returned to McAfee Policy Auditor for analysis and reporting.
Appendix B: Common Criteria requirements
ePolicy Orchestrator software has functional modifications that meet specific Common Criteria requirements. This information is intended for use by government agencies that are required to use only National Information Assurance Partnership (NIAP) Common Criteria validated security products. It describes those functional modifications and provides advice on best practices for satisfying the requirements.
Administrators who must adhere to the requirements of the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) are directed to assign passwords employing ePolicy Orchestrator software authentication only. McAfee recommends that the network IT administrator assign passwords that meet the following requirements:
• Must be at least 10 characters in length.