Free DISA STIG and SRG Library | Vaulted

McAfee VSEL 1.9/2.0 Local Client Security Technical Implementation Guide

Version 1 Release 2
2016-04-22
U_McAfee_VSEL_1-9_2-0_Local_Client_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (39)

The McAfee VirusScan Enterprise for Linux Web interface must be disabled unless the system is on a segregated network.

Finding ID
DTAVSEL-000
Rule ID
SV-77281r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000380
CCI
CCI-001813
Target Key
(None)
Documentable
No
Discussion

The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. By restricting access to interface by implementing firewall rules, the risk of unauthorized access will be mitigated.

Fix Text

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Modify the nailsd.cfg file. Find the line "nailsd.disableCltWebUI: false" Change the "false" to "true". Reload the nails processes by running the following command: /etc/init.d/nails reload

Check Content

Verify the location of the system being reviewed. If it is on a segregated network, without access to the Internet nor access to the Local Area Network, nor is it managed by a McAfee ePO server, this check is Not Applicable. If the system being reviewed has access to the Internet, is reachable from the Local Area Network and/or is managed by a McAfee ePO server, this check must be validated. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.disableCltWebUI" nailsd.cfg". If the response given for "nailsd.disableCltWebUI" is "false", this is a finding.

The anti-virus signature file age must not exceed 7 days.

Finding ID
DTAVSEL-001
Rule ID
SV-77561r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000276
CCI
CCI-001240
Target Key
(None)
Documentable
No
Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Schedule", select "Product Update". Under "When to update", select the "Immediately" radio button, and click on "Next". Under "Choose what to update", select "Virus definition files (also known as DAT files)", click on "Next". Under "Enter a task name", type a unique name for this task, and click on "Finish". Re-validate anti-virus signature file age. To run the Update task manually without the Web interface, access the Linux system being review, either at the console or by a SSH connection. Add a task to /etc/crontab to run the nails updater. At the command line, enter the command "/opt/NAI/LinuxShield/bin/nails task -l". After the task runs, a (Completed) response will be returned.

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "View", select "Host Summary". In the "Host Summary", verify the "DAT Date:" is within the last 7 days. If the "DAT Date:" is not within the last 7 days, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, enter the command "ls -lt /opt/NAI/LinuxShield/engine/dat". The command will return a listing of the avvclean.dat, avvnames.dat and avvscan.dat files. If their respective file dates are not within the last 7 days, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates.

Finding ID
DTAVSEL-002
Rule ID
SV-77563r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000276
CCI
CCI-001240
Target Key
(None)
Documentable
No
Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Schedule", select "Product Update". Under "1. When to update", select "Daily" and choose every "1" day(s), click on "Next". Under "2. Choose what to update", select "Virus definition files (also known as DAT files), and click on "Next". Under "3. Enter a task name", give the task a unique task name for the daily update, and click on "Finish". Configure an /etc/crontab entry for the LinuxShield Update. To run the Update task manually without the Web interface, access the Linux system being review, either at the console or by a SSH connection. At the command line, enter the command "/opt/NAI/LinuxShield/bin/nails task -l". After the task runs, a (Completed) response will be returned.

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. Under "View", select "Scheduled Tasks". Under "Scheduled Tasks", under "Task Summaries", with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task. Verify the "Type" is "Update" and the "Status" is "Completed" with Results of "Update Finished". Under "Task Details" for the task, click on the "Modify" button. Choose "2. Choose what to update" and verify the "Virus definition files (also known as DAT files)" is selected. If there is not a task designated as the regularly scheduled DAT Update task, this is a finding. If there exists a task designated as the regularly scheduled DAT Update task, but "Virus definition files (also known as DAT files)" selection under the "2. Choose what to update" section is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, enter the command "/opt/NAI/LinuxShield/bin/nails task --list". The command will return a response similar to the following: LinuxShield configured tasks: 1 "LinuxShield Update" (Running) If the response does not return a configured task for "LinuxShield Update", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning.

Finding ID
DTAVSEL-003
Rule ID
SV-77565r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Enable On-Access scanning" check box. In the "Quarantine directory" field, populate with "/quarantine" (or another valid location as determined by the organization). Click "Apply".

Check Content

Note: McAfee VSEL On-Access scan is not compatible with NFS Version 4. On client systems with the NFS 4.0 client as default, execute the following command to use NFS version 3.0 as a workaround: mount -t nfs -o nfsvers=3 <NFS_Path> <Mount_point> If mounting with NFS version 3.0 is not an option, this is a finding. Only in such case, if STIG ID DTAVSEL-100 is configured for a daily scheduled scan and DTAVSEL-101 through DTAVSEL-114 are not a finding, the severity of this check can be reduced to a CAT 2. From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Enable On-Access scanning" check box is selected. Verify the "Quarantine directory" field is populated with "/quarantine" (or another valid location as determined by the organization). If the check box "Enable On-Access scanning" is not selected, this is a finding. If the "Quarantine directory" field is not populated, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "oasEnabled" nailsd.cfg" If the response given is "nailsd.oasEnabled: false" or is "nailsd.oasEnabled: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning.

Finding ID
DTAVSEL-004
Rule ID
SV-77567r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned. By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected. Decompression can slow performance, however; any virus-infected file inside an archive cannot become active until it has been extracted. Recognizing the slow performance potential

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Decompress archives" check box. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Decompress archives" check box is selected. If the check box "Decompress archives" is not selected, this is a finding. If the check box for "Decompress archives" is not selected but the On-Demand scan decompress of archives is configured in the regularly scheduled scan, as specified in STIG ID DTAVSEL-101, this is a finding and severity of this can be dropped to a CAT 3. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "decompArchive" nailsd.cfg" If the response given includes "nailsd.profile.OAS.decompArchive: false" or includes "nailsd.profile.OAS.decompArchive: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses.

Finding ID
DTAVSEL-005
Rule ID
SV-77569r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Find unknown program viruses" check box. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Find unknown program viruses" check box is selected. If the check box "Find unknown program viruses" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "heuristicAnalysis" nailsd.cfg" If the response given is "nailsd.profile.OAS.heuristicAnalysis: false" or is "nailsd.profile.OAS.heuristicAnalysis: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses.

Finding ID
DTAVSEL-006
Rule ID
SV-77571r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Find unknown macro viruses" check box. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Find unknown macro viruses" check box is selected. If the check box "Find unknown macro viruses" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "macroAnalysis" nailsd.cfg" If the response given is "nailsd.profile.OAS.macroAnalysis: false" or is "nailsd.profile.OAS.macroAnalysis: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs.

Finding ID
DTAVSEL-007
Rule ID
SV-77573r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Find potentially unwanted programs" check box. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Find potentially unwanted programs" check box is selected. If the check box "Find potentially unwanted programs" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "OAS.program" nailsd.cfg" If the response given is "nailsd.profile.OAS.program: false" or is "nailsd.profile.OAS.program: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk.

Finding ID
DTAVSEL-008
Rule ID
SV-77575r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Scan files when writing to disk" check box. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Scan files when writing to disk" check box is selected. If the check box "Scan files when writing to disk" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "scanOnWrite" nailsd.cfg" If the response given is "nailsd.profile.OAS.scanOnWrite: false" or is "nailsd.profile.OAS.scanOnWrite: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk.

Finding ID
DTAVSEL-009
Rule ID
SV-77577r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Scan files when reading from disk" check box. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Scan files when reading from disk" check box is selected. If the check box "Scan files when reading from disk" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "scanOnRead" nailsd.cfg" If the response given is "nailsd.profile.OAS.scanOnRead: false" or is "nailsd.profile.OAS.scanOnRead: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types.

Finding ID
DTAVSEL-010
Rule ID
SV-77579r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Select the "Edit" button. Under "Extension Base Scanning", select the "Scan all files" radio button. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Extension Base Scanning", verify the "Scan all files" radio button is selected. If the radio button "Scan all files" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "allFiles" nailsd.cfg" If the response given is "nailsd.profile.OAS.allFiles: false" or is "nailsd.profile.OAS.allFiles: true" with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds.

Finding ID
DTAVSEL-011
Rule ID
SV-77581r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner. Although the description of this requirement indicates a "maximum scan time", the intent of this requirement is to explicitly set a maximum scan time without impacting the effectiveness of the scan. Left unconfigured, the scan could run indefinitely on one file. If configured with a value of less than 45 seconds, the scanning of some files will be skipped. If configured with 45 or more seconds, the success rate of files being completely scanned is higher.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", configure the "Maximum scan time (seconds)" with at least "45" or more seconds. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Maximum scan time (seconds)" is configured with at least "45" or more seconds. If the "Maximum scan time (seconds)" is not configured with at least "45" or more seconds, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "scanMaxTmo" nailsd.cfg" If the response given for "nailsd.profile.OAS_default.scanMaxTmo" is "44" or less, or if the response give for "nailsd.profile.OAS.scanMaxTmo" is "45" or more but with a preceding #, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO.

Finding ID
DTAVSEL-012
Rule ID
SV-77583r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Click "Edit". Under "Paths Excluded From Scanning", remove all entries other than the default "/var/log". Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Paths Excluded From Scanning", verify no entries exist other than the following: /var/log /_admin/Manage_NSS /mnt/system/log /media/nss/.*/(\._NETWARE|\._ADMIN) /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC) /cgroup /dev /proc /selinux /sys If any entries other than the above referenced paths are present in the "Paths Excluded From Scanning" field, verify the exclusion of those files and paths have been formally documented by the System Administrator and has been approved by the ISSO/ISSM. If they have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding. If they have not been formally documented by the System Administrator and approved by the ISSO/ISSM but are validated as being scanned within the regularly scheduled scan, this is a finding but can be dropped to a CAT 3. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "exclude-path" nailsd.cfg -A 5" If the response given is: "nailsd.profile.OAS.filter.varlog.type: exclude-path" and "nailsd.profile.OAS.filter.varlog.path:" includes anything other than the above paths", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected.

Finding ID
DTAVSEL-013
Rule ID
SV-77585r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for viruses and Trojans". Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for viruses and Trojans". If "Clean" is not selected from the first drop-down list for "Actions for viruses and Trojans", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ScanAction" nailsd.cfg -A 5" nailsd.cfg" If the response given for "nailsd.profile.OAS.action.App.primary" is not "Clean", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected.

Finding ID
DTAVSEL-014
Rule ID
SV-77587r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Quarantine" from the second drop-down list for "Actions for viruses and Trojans" if first action fails. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Quarantine" is selected from the second drop-down list for "Actions for viruses and Trojans". If "Quarantine" is not selected from the second drop-down list for "Actions for viruses and Trojans", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ScanAction" nailsd.cfg -A 5" nailsd.cfg" If the response given for "nailsd.profile.OAS.action.App.secondary" is not "Quarantine", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when programs and jokes are found.

Finding ID
DTAVSEL-015
Rule ID
SV-77589r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for Programs and Jokes". Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for Programs and Jokes". If "Clean" is not selected from the first drop-down list for "Actions for Programs and Jokes", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ScanAction" nailsd.cfg -A 5" nailsd.cfg" If the response given for "nailsd.profile.OAS.action.Default.primary" is not "Clean", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when programs and jokes are found.

Finding ID
DTAVSEL-016
Rule ID
SV-77591r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Quarantine" from the second drop-down list for "Actions for Programs and Jokes" if first action fails. Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Quarantine" is selected from the second drop-down list for "Actions for Programs and Jokes". If "Quarantine" is not selected from the second drop-down list for "Actions for Programs and Jokes", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ScanAction" nailsd.cfg -A 5" nailsd.cfg" If the response given for "nailsd.profile.OAS.action.Default.secondary" is not "Quarantine", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if an error occurs during scanning.

Finding ID
DTAVSEL-017
Rule ID
SV-77593r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select the "Block" radio button for "Action if an error occurs during scanning". Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify the "Block" radio button is selected for "Action if an error occurs during scanning". If the "Block" radio button is not selected for "Action if an error occurs during scanning", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ScanAction" nailsd.cfg -A 5" nailsd.cfg" If the response given for "nailsd.profile.OAS.action.error" is not "Block", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out.

Finding ID
DTAVSEL-018
Rule ID
SV-77595r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select the "Allow access" radio button for "Action on timeout". Click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify the "Allow access" radio button is selected for "Action on timeout". If the "Allow access" radio button is not selected for "Action on timeout", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ScanAction" nailsd.cfg -A 5" nailsd.cfg" If the response given for "nailsd.profile.OAS.action.timeout" is not "Pass", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.

Finding ID
DTAVSEL-019
Rule ID
SV-77597r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000278
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the check box for "Scan files on network mounted volumes". Click "Apply".

Check Content

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed on, and configured to protect, the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated. From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify check box for "Scan files on network mounted volumes" is selected. If the check box for "Scan files on network mounted volumes" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.scanNWFiles:" nailsd.cfg" If the response given for "nailsd.profile.OAS.scanNWFiles" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week.

Finding ID
DTAVSEL-100
Rule ID
SV-77599r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Schedule", select "On-Demand Scan". Under "1. When to Scan "select Weekly, Daily or Hourly and indicate day and/or time to regularly execute, and click "Next". Under "2. What to Scan", enter "/", click "Add". Click "Next". Under "3. Choose Scan Settings", select required settings as specified in remaining On-Demand scan requirements, and click "Next". Under "4. Enter a task name", type a unique name for the task to reflect its frequency, and click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task and review the details under "Task Details for". If "Next run" does not specify "every 1 week", or more frequently, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "/opt/NAI/LinuxShield/bin/nails task --list". If the return does not show a task for the LinuxShield On-Demand Scan, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning.

Finding ID
DTAVSEL-101
Rule ID
SV-77601r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Decompress archives" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Decompress archives" check box has been selected. If the "Decompress archives" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.decompArchive" ods.cfg" If the response given for "nailsd.profile.ODS.decompArchive" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses.

Finding ID
DTAVSEL-102
Rule ID
SV-77603r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Perform heuristic virus analysis" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Perform heuristic virus analysis" check box has been selected. If the "Perform heuristic virus analysis" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.heuristicAnalysis" ods.cfg" If the response given for "nailsd.profile.ODS.heuristicAnalysis" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses.

Finding ID
DTAVSEL-103
Rule ID
SV-77605r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Perform macro analysis" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Perform macro analysis" check box has been selected. If the "Perform macro analysis" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.macroAnalysis" ods.cfg" If the response given for "nailsd.profile.ODS.macroAnalysis" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs.

Finding ID
DTAVSEL-104
Rule ID
SV-77607r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Find potentially unwanted programs" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Find potentially unwanted programs" check box has been selected. If the "Find potentially unwanted programs" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.program" ods.cfg" If the response given for "nailsd.profile.ODS.program" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types.

Finding ID
DTAVSEL-105
Rule ID
SV-77609r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Extension Based Scanning", select the "Scan all files" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Extension Based Scanning", verify the "Scan all files" check box is selected. If the "Scan all files" check box is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.allFiles" ods.cfg" If the response given for "nailsd.profile.ODS.allFiles" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.

Finding ID
DTAVSEL-106
Rule ID
SV-77611r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", Anti-virus Actions", select "Clean" from the first dropdown list for "Actions for Viruses and Trojans", click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Clean" is selected in the first dropdown list for "Actions for Viruses and Trojans". If "Clean" is not selected in the first dropdown list for "Actions for Viruses and Trojans", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.App.primary" ods.cfg" If the response given for "nailsd.profile.ODS.action.App.primary" is not "Clean", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.

Finding ID
DTAVSEL-107
Rule ID
SV-77613r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", Anti-virus Actions", select "Quarantine" from the second dropdown list "Actions for Viruses and Trojans" if first action fails, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Quarantine" is selected in the second dropdown list "Actions for Viruses and Trojans" if first action fails. If "Quarantine" is not selected in the second dropdown list "Actions for Viruses and Trojans" if first action fails, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.App.secondary" ods.cfg" If the response given for "nailsd.profile.ODS.action.App.secondary" is not "Quarantine", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO.

Finding ID
DTAVSEL-108
Rule ID
SV-77615r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Paths Excluded From Scanning", removed all unauthorized excluded paths, click "Next, and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Paths Excluded From Scanning". If any paths other than the following paths are excluded, and the exclusions have not been documented and approved by the ISSO/ISSM/AO, this is a finding. /var/log /_admin/Manage_NSS /mnt/system/log /media/nss/.*/(\._NETWARE|\._ADMIN) /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC) /cgroup /dev /proc /selinux /sys

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.

Finding ID
DTAVSEL-110
Rule ID
SV-77617r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", Anti-virus Actions", select "Clean" from the first dropdown list for "Actions for Programs and Jokes", click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Clean" is selected in the first dropdown list for "Actions for Programs and Jokes". If "Clean" is not selected in the first dropdown list for "Actions for Programs and Jokes", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.Default.primary" ods.cfg" If the response given for "ODS.action.Default.primary" is not "Clean", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.

Finding ID
DTAVSEL-111
Rule ID
SV-77619r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", Anti-virus Actions", select "Quarantine" from the second dropdown list "Actions for Programs and Jokes" if first action fails, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Quarantine" is selected in the second dropdown list "Actions for Programs and Jokes" if first action fails. If "Quarantine" is not selected in the second dropdown list "Actions for Programs and Jokes" if first action fails, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.Default.secondary" ods.cfg" If the response given for "ODS.action.Default.secondary" is not "Quarantine", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files.

Finding ID
DTAVSEL-112
Rule ID
SV-77621r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Decode MIME encoded files" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Decode MIME encoded files" check box has been selected. If the "Decode MIME encoded files" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.ODS.mime" ods.cfg" If the response given for "nailsd.profile.ODS.mime" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories.

Finding ID
DTAVSEL-113
Rule ID
SV-77623r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", "Path", enter all mounted volumes or "\" and select the "Scan Sub-Directories" check box, click "Next", and then click "Finish".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", "Path", verify all mounted volumes or "\" is specified and the "Scan Sub-Directories" check box is selected. If all mounted volumes or "\" is not specified under "Path "or the "Scan Sub-Directories" check box is not selected for every "Path" specified, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.ODS.scanNWFiles" ods.cfg" If the response given for "nailsd.profile.ODS.scanNWFiles" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.

Finding ID
DTAVSEL-114
Rule ID
SV-77625r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000278
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Select "2. What to Scan". Under "Path", add each otherwise unprotected network server to which this Linux system has mounted volumes, and click "Add". Once all mounted volumes have been added, click "Next", and then click "Finish"

Check Content

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed and configured to protect the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated. From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Select "2. What to Scan". Verify all otherwise unprotected network servers to which this Linux system has mounted volumes have been included. If all otherwise unprotected network servers to which this Linux system has mounted volumes have not been included, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.ODS.scanNWFiles" ods.cfg" If the response given for "nailsd.profile.ODS.scanNWFiles" is not "true", this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.

Finding ID
DTAVSEL-200
Rule ID
SV-77627r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000073
CCI
CCI-000870
Target Key
(None)
Documentable
No
Discussion

Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.

Fix Text

Create procedures, or add to existing system administration procedures, which require the scanning of all media used for system maintenance before media is used.

Check Content

Consult with the System Administrator of the Linux system being reviewed. Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used. If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, this is a finding.

The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source.

Finding ID
DTAVSEL-201
Rule ID
SV-77629r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000131
CCI
CCI-001749
Target Key
(None)
Documentable
No
Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. While obtaining updates, patches, service packs and updates from the vendor are timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "Repositories". Under "Repository List", configure all repositories to point to a local or DoD-managed repository, and click "Apply".

Check Content

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "Repositories". Under "Repository List", verify all repositories listed point to a local or DoD-managed repository. If all repositories listed do not point to local or DoD-managed repository, this is a finding.

The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role.

Finding ID
DTAVSEL-202
Rule ID
SV-77631r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000340
CCI
CCI-002235
Target Key
(None)
Documentable
No
Discussion

The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account only has access to the required functions necessary for its intended role will mitigate the possibility of the nails user/nailsgroup group from being used to perform malicious destruction to the system in the event of a compromise.

Fix Text

Access the Linux system console command line as root. Navigate to each path to which the nails user or nailsgroup group has unnecessary permissions/ownership. Using the chmod command, reduce, or remove permissions for the nails user. Using the chown command remove ownership by the nails user or nailsgroup group.

Check Content

Access the Linux system console command line as root. Execute the following commands. This command will pipe the results to text files for easier review. find / -group nailsgroup >nailsgroup.txt find / -user nails >nails.txt Execute the following commands to individually review each of the text files of results, pressing space bar to move to each page until the end of the exported text. more nailsgroup.txt more nails.txt When reviewing the results, verify the nailsgroup group and nails user only own the following paths. The following paths assume an INSTALLDIR of /opt/NAI/LinuxShield and a RUNTIMEDIR of /var/opt/NAI/LinuxShield. If alternative folders were used, replace the following paths accordingly when validating. /var/opt/NAI and sub-folders /opt/NAI and sub-folders /McAfee/lib /var/spool/mail/nails /proc/##### (where ##### represents the various process IDs for the VSEL processes.) If any other folder is owned by either the nailsgroup group or the nails user, this is a finding.

A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes.

Finding ID
DTAVSEL-205
Rule ID
SV-77633r2_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000276
CCI
CCI-001240
Target Key
(None)
Documentable
No
Discussion

Failure of anti-virus signature updates will eventually render the software to be useless in protecting the Linux system from malware. Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated.

Fix Text

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", "Notifications", select the check box for "Item Detected". Select check boxes for "Viruses", "Trojans", "Programs", "Jokes" and "Include alerts for on-demand tasks". Select the check box for "Out of date" and configure "Alert for DAT files which are # days old" to "7" or less. Select the check box for "Configuration changes". Select the check box for "System events". Select check box for "Type" and select "Error" from drop-down list. Select check box for "Code" and configured with "3000-3999" in Code field. Configure the SMTP Settings with valid email address(es) for System Administrators.

Check Content

The preferred method for notification is via SMTP alerts. Consult with the System Administrator to determine whether SMTP alerts are configured or whether some other notification mechanism (i.e., regular manual review of reports)is used. If SMTP alerts are not configured, some other notification mechanism must be configured. For SMTP alert configuration in VSEL WEB Monitor: From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "Configure", "Notifications". Review the configured Notifications. Verify the check box for "Item Detected" is selected. Verify check boxes for "Viruses", "Trojans", "Programs", "Jokes" and "Include alerts for on-demand tasks" are selected. Verify the check box for "Out of date" is selected and "Alert for DAT files which are # days old" is configured to "7" or less. Verify the check box for "Configuration changes" is selected. Verify the check box for "System events" is selected. Verify check box for "Type" is selected and "Error" is selected from drop-down list. Verify check box for "Code" is selected and "3000-3999" is entered in Code field. Verify SMTP Settings are configured with valid email address(es) for System Administrators. For SMTP alert configuration without the Web interface: Access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "notifications.virusDetected.active" nailsd.cfg" If SMTP alert settings are not configured to send notifications to System Administrators, or some other mechanism is not used to provide this notification to System Administrators, this is a finding.

Access to the McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be enforced by firewall rules.

Finding ID
DTAVSEL-301
Rule ID
SV-77635r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000380
CCI
CCI-001813
Target Key
(None)
Documentable
No
Discussion

The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. By restricting access to interface by implementing firewall rules, the risk of unauthorized access will be mitigated.

Fix Text

Configure a host-based firewall or network-based firewall with rules to restrict access to the McAfee VSEL Web UI, limiting access to specific IP addresses of System Administrators only.

Check Content

With the System Administrator's assistance, review the host-based firewall for rules to the McAfee VSEL Web UI's TCP/IP port. If the host-based firewall does not have rules to restrict access to the McAfee VSEL Web UI, limiting access to specific IP addresses of System Administrators only, determine if the network-based firewall provides for that restriction. If neither a host-based firewall nor a network-based firewall restricts access to the McAfee VSEL Web UI, this is a finding.