McAfee UNINSTALLER 6.0 User's Guide

McAfee Policy Auditor 6.0 softwareProduct Guide for ePolicy Orchestrator 4.6

Getting started with McAfee Policy AuditorMcAfee Policy Auditor is an extension to ePolicy Orchestrator software software versions 4.5and 4.6 that aut

Auditing systemsAn audit is an independent evaluation of a computer system to determine whether it is incompliance with corporate and industry securit

• Entitlement reporting — Entitlement reporting is an enhancement to the Policy Auditor FileIntegrity Monitoring feature that produces custom file ent

Installing the agent plug-in adds a product icon to the McAfee Agent system tray. In Windowsenvironments, the product icon optionally displays a ballo

Used by McAfee Policy AuditorLocationePolicy Orchestrator featureMenu | Policy | PolicyCatalogPolicy Catalog• To manage the times when auditsare allow

Auditing managed systemsWhen connected to a network managed by ePolicy Orchestrator software, managed systemscan exchange information with the ePolicy

Configuring McAfee Policy AuditorMcAfee Policy Auditor is configured from the ePolicy Orchestrator server. The server is thecenter of your security en

DescriptionServer settingAn audit score indicates how well a system conforms to the ideal settingsspecified in an audit. McAfee Policy Auditor allows

DescriptionServer settingsystem data maintenance tasks to run. When the server task restarts, itresumes where it left off.The default setting is to le

to the set. One or more permission sets can be assigned to users who are not globaladministrators (global administrators have all permissions to all p

COPYRIGHTCopyright © 2011 McAfee, Inc. All Rights Reserved.No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

PermissionsPermission setBenchmark EditorPA Audit Admin• View and export checks• View and export benchmarksFindings• View and hide/unhide findingsIssu

Edit permission setsYou can edit the default McAfee Policy Auditor permission sets or create your own.Before you beginYou must be a global administrat

Using the McAfee Policy Auditor agent plug-inThe McAfee Policy Auditor agent plug-in (agent plug-in) extends the features of the McAfeeAgent. It manag

NotesOtherprocessorsX64 supportX86 supportOperating systemPower5,Power6AIX 5.3 TL8 SP5Power5,Power6AIX 6.1 TL2 SP0Universal binaryPowerPCXXApple Mac O

How content is managedContent for McAfee Policy Auditor consists of benchmarks and checks. The content packageis included when the product is installe

d In Tags, select which systems in the selected group on which you want to install theagent plug-in.• Send this task to all computers — Install the ag

Before you beginBefore sending the agent wake-up call to a group, make sure that wake-up support for thesystems’ groups is enabled and applied on the

Configuring agentless auditsMcAfee Policy Auditor can register a McAfee Vulnerability Manager 6.8 or 7.0 (formerlyFoundstone) server to conduct agentl

• When you change a system from unmanaged to managed, this distinction is reflected inqueries and page views.• McAfee Policy Auditor supports an all a

The installation application automatically creates a server task named PA: Maintain Foundstoneaudits when you install the McAfee Vulnerability Manager

ContentsIntroducing McAfee Policy Auditor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Manage McAfee Vulnerability Manager credential setsCreate an Asset Discovery scanCreate an MVM Data Import taskAdd systems found by McAfee Vulnerabili

TaskFor option definitions, click ? in the interface.1 In the ePolicy Orchestrator user interface, click Menu | Configuration | Server Settingsand sel

5 Select a Schedule Type and set the scheduling options.6 Determine how you want to configure the McAfee Vulnerability Manager Integration pane.Select

Manage McAfee Vulnerability Manager credential setsYou can create, edit, and delete credential sets for systems managed by McAfee VulnerabilityManager

6 Click Next. The Settings tab appears.7 Select credentials and click on the appropriate account type in the tree pane or from theAccount Type drop-do

Add systems found by McAfee Vulnerability Manager scans to theSystem TreeYou can add systems discovered during a McAfee Vulnerability Manager scan to

6 Select Credentials and click on the appropriate account type in the tree pane or from theAccount Type drop-down list.Type the required credential in

Troubleshoot missing audit resultsConfigure McAfee Vulnerability Manager to ensure that the latest audit results appear in queriesand reports.The Data

Troubleshoot mismatched McAfee Vulnerability Manager certificatesUse this task to re-establish or change SSL communication between McAfee Policy Audit

Creating and managing auditsMcAfee Policy Auditor allows you to create audits based on benchmarks and assign them torun on systems.You can create audi

Data collection scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28T

When you run an audit against a system, the audit reports the comparison between theconfiguration status of the system and the rules in the benchmarks

You can create or edit an audit so that it retains audit or Findings information for a differentperiod of time than is specified in the global system

When you assign a benchmark to an audit, the benchmark selection process provides adrop-down list showing all available benchmark labels.This tool all

Create an auditAudits determine whether systems comply with your security needs and the results tell youwhat, if anything, needs to be done to make th

Disable an auditYou can disable an existing audit. When an audit is disabled, McAfee Policy Auditor continuesto purge information according to the sch

TaskFor option definitions, click ? in the interface.1 Click Menu | Systems | System Tree and select the Assigned Policies tab.2 Select McAfee Policy

DefinitionOptionDelete the Service Level AgreementDelete SLAHow viewing audit results worksMcAfee Policy Auditor software offers a number of options f

• Rules Other — The number of systems that had a result other than pass or fail.The page provides a control that allows you to view the results by sys

3 The File Download dialog box appears. Click Save. The Save As dialog box appears.4 Give the export ZIP file an appropriate name and click Save.Creat

Scoring AuditsWhen McAfee Policy Auditor performs an audit on a system, it generates information aboutsystem compliance that includes a compliance sco

Create, edit, and delete Service Level Agreements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45How viewing audit res

Since the maximum possible score can vary from audit to audit and from system to system, itis difficult to compare audit scores.The primary use for th

Non-laptopmaximum rulescoreLaptopmaximum rulescoreAssigned weightRule033Port 8015 on a laptop system is closed111Password on any system must be 10 or

Managing Audit WaiversWaivers allow you to temporarily affect how systems are audited and have the potential to affectaudit scores.They are useful whe

Exception waiversException waivers potentially affect the audit scores of selected systems by forcing the auditresult of a benchmark rule to have a st

Waiver statusWaivers can have one of four status properties.DescriptionStatusA waiver has been requested but approval has not beengranted for it to ta

These assumptions apply to the filtering examples:• Today's date is November 10, 2012.• Waiver A has a start date of November 1, 2012 and an expi

1 Click Menu | Risk & Compliance | Waivers.2 Select the group containing the waivers from the System Tree.3 From the Filter drop-down list, select

6 Use the calendar control next to the Start Date and an Expires Date to select dates forthe waiver to be in effect. The < and > controls move t

Before you beginYou must have permissions to grant waivers.TaskFor option definitions, click ? in the interface.1 Click Menu | Risk & Compliance |

File Integrity Monitoring and entitlement reportingFile integrity monitoring notifies you of changes to specified text files on managed systems.Entitl

Create a file integrity monitoring policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Apply a p

• Show a side-by-side comparison of file changes and indicate which lines have been added,deleted, or modified.File information monitoredThe file inte

Wildcard charactersMonitored and excluded paths and file names support the * and ? wildcard characters. The *wildcard character represents one or more

File version comparisonThe comparison feature allows you to view the contents of a versioned file and compare thetext file content with other files.Th

One aspect of compliance monitoring is knowing which accounts have access to which files.McAfee Policy Auditor monitors these access permissions.• Use

DefinitionOptionSelect an existing policy, such as My Default, or anotherfile integrity monitoring policy.Create a policy based on this existing polic

To do this:Use this:Remove the selected file from the list of files to bemonitored.RemoveTable 3: General tabTo do this:Use this:Set the monitoring fr

3 The file in the File 1 pane is the file you selected.You can use the File name drop-downlist to select another file and the Version drop-down list t

3 Edit the dialog box to purge events older than the specified time. Select Purge BaselineEvents to discard stored baseline settings, including the fi

Rollup reportingYou can run queries that report on summary data from multiple ePolicy Orchestrator databases.McAfee Policy Auditor can use this featur

Rollup server tasksMcAfee Policy Auditor includes three predefined server tasks to provide rollup reporting. Thetasks are disabled by default.The task

Appendix A: Implementing the Security Content Automation Protocol. . . . . . . . . . . . . . . . . 87Statement of FDCC compliance. . . . . . . . . . .

Rollup Data - PA: Audit Rule ResultThis task rolls up audit rule results and its associated database tables.ActionsData rolled upAudit Rule Result Rol

Rollup Data - PA: Audit Patch Check ResultThis task rolls up audit rule results and its associated database tables.ActionsData rolled upAudit Check Re

The predefined reports show different aspects of audit results and use aggregation and groupingto help you interpret the information.You can drill dow

2 Configure and enable these server tasks on each server, including the rollup server:• Rollup Data - PA: Audit Benchmark Results• Rollup Data - PA: A

FindingsFindings supplement the results of an audit check with additional information about the state ofthe machine.Instead of seeing a value of false

Types of violationsMcAfee Policy Auditor shows information in reports and queries for three types of violations:• Positive feedback — Additional infor

4 From the Checks pane, click Results. The Results page appears.5 Select Findings that wish to hide or show.To do this...Use this...Hide Findings in r

Dashboards and QueriesDashboards allow you to keep constant watch on your environment. Dashboards are collectionsof monitors, or reports. Monitors can

• PA: MS Patch Status Summary• PA: Operations• PA: PCI SummaryYou can make other dashboards visible from the Dashboards page by clicking Options | Sel

• PA: File Integrity Event Counts — Displays a chart of File Integrity events grouped byevent type.• PA: File Integrity Events By System/Baseline Date

Introducing McAfee Policy AuditorMcAfee®Policy Auditor version 6.0 automates the process required for system complianceaudits. It measures compliance

PA: Compliance Summary dashboardThe Compliance Summary dashboard provides a high-level overview of audit results with linksand drill down access to de

PA: Operations dashboardThe monitors included in this dashboard are:• PA: Unprocessed Audits Results by Audit — Displays unprocessed audit results gro

• PCI Req 6.4: Automate documentation — Displays a grouped bar chart with each barrepresenting the number of benchmark results. The benchmark results

Policy Auditor agent plug-in debug toolThe Policy Auditor agent plug-in debug tool allows you to run audits, benchmarks, and checkson system and save

Display helpYou can obtain online help on running the tool from the command prompt or command-lineinterface.Task1 Open a command prompt on a Windows s

Run a benchmarkRun a benchmark on a system and save the results to a file.Task1 Execute the agent plug-in debug tool.2 Save the debug information to a

DefinitionInterface2Enter ovList. A list of checks and theirID appears.3Enter ovRun <checkname>. where<checkname> is the name of the check

Appendix A: Implementing the Security ContentAutomation ProtocolMcAfee Policy Auditor version 6.0 uses the Security Content Automation Protocol (SCAP)

Statement of SCAP implementationThe Security Content Automation Protocol (SCAP) is a collection of six open standards developedjointly by various Unit

McAfee Policy Auditor patch and vulnerability definitions are updated periodically when newcontent is available.The audit results can be viewed from t

Commands and other text that the user types; the path of a folder orprogram.User input or PathA code sample.CodeWords in the user interface including

Statement of CVSS implementationMcAfee Policy Auditor version 6.0 incorporates version 2.0 of the Common Vulnerability ScoringSystem (CVSS). CVSS is a

When a system is audited, the OVAL content is processed according to the information in theXCCDF benchmarks contained in the audit.The OVAL content ca

Appendix B: Common Criteria requirementsePolicy Orchestrator software has functional modifications that meet specific Common Criteriarequirements.This

Administrators who must adhere to the requirements of the National Information AssurancePartnership (NIAP) Common Criteria Validation Scheme (CCEVS) a

IndexAabsolute scoring model, Policy Auditor 51accept events, file integrity monitoring 62, 66agent plug-in debug tooldisplay help 84execute tool 83ru

file integrity monitoring (continued)apply a policy to systems 65baselines 60built-in query reports 67compare file versions 62, 65concept 59configurin

Policy Auditor, waivers (continued)exception waivers, effects on audits and scoring 53exemption waivers 52exemption waivers, effects on audits and sco

Vulnerability Manager ePO Extension (continued)registering a server 32setting up single sign-on feature 30synchronizing with ePO server data 31uniform

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.698Index