McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6
Getting started with McAfee Policy Auditor
McAfee Policy Auditor is an extension to ePolicy Orchestrator software versions 4.5 and 4.6 that aut
Auditing systems
An audit is an independent evaluation of a computer system to determine whether it is in compliance with corporate and industry securit
• Entitlement reporting — Entitlement reporting is an enhancement to the Policy Auditor File Integrity Monitoring feature that produces custom file ent
Installing the agent plug-in adds a product icon to the McAfee Agent system tray. In Windows environments, the product icon optionally displays a ballo
ePolicy Orchestrator feature: Policy Catalog
Location: Menu | Policy | Policy Catalog
Used by McAfee Policy Auditor:
• To manage the times when audits are allow
Auditing managed systems
When connected to a network managed by ePolicy Orchestrator software, managed systems can exchange information with the ePolicy
Configuring McAfee Policy Auditor
McAfee Policy Auditor is configured from the ePolicy Orchestrator server. The server is the center of your security en
Description | Server setting
An audit score indicates how well a system conforms to the ideal settings specified in an audit. McAfee Policy Auditor allows
Description | Server setting
system data maintenance tasks to run. When the server task restarts, it resumes where it left off. The default setting is to le
to the set. One or more permission sets can be assigned to users who are not global administrators (global administrators have all permissions to all p
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie
Permission set: PA Audit Admin
Permissions:
Benchmark Editor
• View and export checks
• View and export benchmarks
Findings
• View and hide/unhide findings
Issu
Edit permission sets
You can edit the default McAfee Policy Auditor permission sets or create your own.
Before you begin
You must be a global administrat
Using the McAfee Policy Auditor agent plug-in
The McAfee Policy Auditor agent plug-in (agent plug-in) extends the features of the McAfee Agent. It manag
Operating system | X86 support | X64 support | Other processors | Notes
AIX 5.3 TL8 SP5 | | | Power5, Power6 |
AIX 6.1 TL2 SP0 | | | Power5, Power6 |
Apple Mac O | X | X | PowerPC | Universal binary
How content is managed
Content for McAfee Policy Auditor consists of benchmarks and checks. The content package is included when the product is installe
d In Tags, select which systems in the selected group on which you want to install the agent plug-in.
• Send this task to all computers — Install the ag
Before you begin
Before sending the agent wake-up call to a group, make sure that wake-up support for the systems’ groups is enabled and applied on the
Configuring agentless audits
McAfee Policy Auditor can register a McAfee Vulnerability Manager 6.8 or 7.0 (formerly Foundstone) server to conduct agentl
• When you change a system from unmanaged to managed, this distinction is reflected in queries and page views.
• McAfee Policy Auditor supports an all a
The installation application automatically creates a server task named PA: Maintain Foundstone audits when you install the McAfee Vulnerability Manager
Contents
Introducing McAfee Policy Auditor
Manage McAfee Vulnerability Manager credential sets
Create an Asset Discovery scan
Create an MVM Data Import task
Add systems found by McAfee Vulnerabili
Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator user interface, click Menu | Configuration | Server Settings and sel
5 Select a Schedule Type and set the scheduling options.
6 Determine how you want to configure the McAfee Vulnerability Manager Integration pane.
Select
Manage McAfee Vulnerability Manager credential sets
You can create, edit, and delete credential sets for systems managed by McAfee Vulnerability Manager
6 Click Next. The Settings tab appears.
7 Select credentials and click on the appropriate account type in the tree pane or from the Account Type drop-do
Add systems found by McAfee Vulnerability Manager scans to the System Tree
You can add systems discovered during a McAfee Vulnerability Manager scan to
6 Select Credentials and click on the appropriate account type in the tree pane or from the Account Type drop-down list.
Type the required credential in
Troubleshoot missing audit results
Configure McAfee Vulnerability Manager to ensure that the latest audit results appear in queries and reports.
The Data
Troubleshoot mismatched McAfee Vulnerability Manager certificates
Use this task to re-establish or change SSL communication between McAfee Policy Audit
Creating and managing audits
McAfee Policy Auditor allows you to create audits based on benchmarks and assign them to run on systems.
You can create audi
Data collection scans
T
When you run an audit against a system, the audit reports the comparison between the configuration status of the system and the rules in the benchmarks
You can create or edit an audit so that it retains audit or Findings information for a different period of time than is specified in the global system
When you assign a benchmark to an audit, the benchmark selection process provides a drop-down list showing all available benchmark labels.
This tool all
Create an audit
Audits determine whether systems comply with your security needs and the results tell you what, if anything, needs to be done to make th
Disable an audit
You can disable an existing audit. When an audit is disabled, McAfee Policy Auditor continues to purge information according to the sch
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree and select the Assigned Policies tab.
2 Select McAfee Policy
Definition | Option
Delete the Service Level Agreement | Delete SLA
How viewing audit results works
McAfee Policy Auditor software offers a number of options f
• Rules Other — The number of systems that had a result other than pass or fail.
The page provides a control that allows you to view the results by sys
3 The File Download dialog box appears. Click Save. The Save As dialog box appears.
4 Give the export ZIP file an appropriate name and click Save.
Creat
Scoring Audits
When McAfee Policy Auditor performs an audit on a system, it generates information about system compliance that includes a compliance sco
Create, edit, and delete Service Level Agreements
How viewing audit res
Since the maximum possible score can vary from audit to audit and from system to system, it is difficult to compare audit scores.
The primary use for th
Non-laptop maximum rule score | Laptop maximum rule score | Assigned weight | Rule
0 | 3 | 3 | Port 8015 on a laptop system is closed
1 | 1 | 1 | Password on any system must be 10 or
Managing Audit Waivers
Waivers allow you to temporarily affect how systems are audited and have the potential to affect audit scores.
They are useful whe
Exception waivers
Exception waivers potentially affect the audit scores of selected systems by forcing the audit result of a benchmark rule to have a st
Waiver status
Waivers can have one of four status properties.
Description | Status
A waiver has been requested but approval has not been granted for it to ta
These assumptions apply to the filtering examples:
• Today's date is November 10, 2012.
• Waiver A has a start date of November 1, 2012 and an expi
1 Click Menu | Risk & Compliance | Waivers.
2 Select the group containing the waivers from the System Tree.
3 From the Filter drop-down list, select
6 Use the calendar control next to the Start Date and Expires Date to select dates for the waiver to be in effect. The < and > controls move t
Before you begin
You must have permissions to grant waivers.
Task
For option definitions, click ? in the interface.
1 Click Menu | Risk & Compliance |
File Integrity Monitoring and entitlement reporting
File integrity monitoring notifies you of changes to specified text files on managed systems.
Entitl
Create a file integrity monitoring policy
Apply a p
• Show a side-by-side comparison of file changes and indicate which lines have been added, deleted, or modified.
File information monitored
The file inte
Wildcard characters
Monitored and excluded paths and file names support the * and ? wildcard characters. The * wildcard character represents one or more
File version comparison
The comparison feature allows you to view the contents of a versioned file and compare the text file content with other files.
Th
One aspect of compliance monitoring is knowing which accounts have access to which files. McAfee Policy Auditor monitors these access permissions.
• Use
Definition | Option
Select an existing policy, such as My Default, or another file integrity monitoring policy. | Create a policy based on this existing polic
To do this: | Use this:
Remove the selected file from the list of files to be monitored. | Remove
Table 3: General tab
To do this: | Use this:
Set the monitoring fr
3 The file in the File 1 pane is the file you selected. You can use the File name drop-down list to select another file and the Version drop-down list t
3 Edit the dialog box to purge events older than the specified time. Select Purge Baseline Events to discard stored baseline settings, including the fi
Rollup reporting
You can run queries that report on summary data from multiple ePolicy Orchestrator databases.
McAfee Policy Auditor can use this featur
Rollup server tasks
McAfee Policy Auditor includes three predefined server tasks to provide rollup reporting. The tasks are disabled by default.
The task
Appendix A: Implementing the Security Content Automation Protocol
Statement of FDCC compliance
Rollup Data - PA: Audit Rule Result
This task rolls up audit rule results and its associated database tables.
Actions | Data rolled up
Audit Rule Result Rol
Rollup Data - PA: Audit Patch Check Result
This task rolls up audit rule results and its associated database tables.
Actions | Data rolled up
Audit Check Re
The predefined reports show different aspects of audit results and use aggregation and grouping to help you interpret the information.
You can drill dow
2 Configure and enable these server tasks on each server, including the rollup server:
• Rollup Data - PA: Audit Benchmark Results
• Rollup Data - PA: A
Findings
Findings supplement the results of an audit check with additional information about the state of the machine.
Instead of seeing a value of false
Types of violations
McAfee Policy Auditor shows information in reports and queries for three types of violations:
• Positive feedback — Additional infor
4 From the Checks pane, click Results. The Results page appears.
5 Select the Findings that you wish to hide or show.
To do this... | Use this...
Hide Findings in r
Dashboards and Queries
Dashboards allow you to keep constant watch on your environment. Dashboards are collections of monitors, or reports. Monitors can
• PA: MS Patch Status Summary
• PA: Operations
• PA: PCI Summary
You can make other dashboards visible from the Dashboards page by clicking Options | Sel
• PA: File Integrity Event Counts — Displays a chart of File Integrity events grouped by event type.
• PA: File Integrity Events By System/Baseline Date
Introducing McAfee Policy Auditor
McAfee® Policy Auditor version 6.0 automates the process required for system compliance audits. It measures compliance
PA: Compliance Summary dashboard
The Compliance Summary dashboard provides a high-level overview of audit results with links and drill down access to de
PA: Operations dashboard
The monitors included in this dashboard are:
• PA: Unprocessed Audits Results by Audit — Displays unprocessed audit results gro
• PCI Req 6.4: Automate documentation — Displays a grouped bar chart with each bar representing the number of benchmark results. The benchmark results
Policy Auditor agent plug-in debug tool
The Policy Auditor agent plug-in debug tool allows you to run audits, benchmarks, and checks on system and save
Display help
You can obtain online help on running the tool from the command prompt or command-line interface.
Task
1 Open a command prompt on a Windows s
Run a benchmark
Run a benchmark on a system and save the results to a file.
Task
1 Execute the agent plug-in debug tool.
2 Save the debug information to a
Definition | Interface
2 Enter ovList. A list of checks and their ID appears.
3 Enter ovRun <checkname>, where <checkname> is the name of the check
Appendix A: Implementing the Security Content Automation Protocol
McAfee Policy Auditor version 6.0 uses the Security Content Automation Protocol (SCAP)
Statement of SCAP implementation
The Security Content Automation Protocol (SCAP) is a collection of six open standards developed jointly by various Unit
McAfee Policy Auditor patch and vulnerability definitions are updated periodically when new content is available.
The audit results can be viewed from t
Commands and other text that the user types; the path of a folder or program. | User input or Path
A code sample. | Code
Words in the user interface including
Statement of CVSS implementation
McAfee Policy Auditor version 6.0 incorporates version 2.0 of the Common Vulnerability Scoring System (CVSS). CVSS is a
When a system is audited, the OVAL content is processed according to the information in the XCCDF benchmarks contained in the audit.
The OVAL content ca
Appendix B: Common Criteria requirements
ePolicy Orchestrator software has functional modifications that meet specific Common Criteria requirements.
This
Administrators who must adhere to the requirements of the National Information Assurance Partnership (NIAP) Common Criteria Validation Scheme (CCEVS) a