McAfee EPOLICY ORCHESTRATOR 4.0.2 - User's Guide

McAfee Policy Auditor 5.0Product Guide

Using this guideThis guide provides basic information on configuring Policy Auditor. For information on configuringthe ePO server, refer to theMcAfee

Where to find McAfee product informationThe McAfee documentation is designed to provide you with the information you need duringeach phase of product

Configuring Policy AuditorPolicy Auditor is configured from the ePO Server. The ePO Server is the center of your managedenvironment and provides a sin

benchmarks determine compliance with its rules, but they also return results that can beconverted to a human-readable format.Server setting categories

Audit labelPolicy Auditor allows you to set the names used to describe whether an audit has a status ofpass, fail, or unknown. McAfee recommends that

What happens when I install new products?When a new extension is installed it might add one or more sections to the permission sets.For example, when

PermissionsPermission Set• Issue Management: Create, edit, view and purgeassigned issues• Policy Auditor: View Audits and Assignments• Policy Auditor:

Before you beginYou must have appropriate permissions to perform this task.TaskFor option definitions, click ? on the page displaying the options.1 Go

2 Click edit next to any section for which you want to grant permissions.3 On the Edit Permission Set page that appears, select the appropriate option

Complying with SCAPPolicy Auditor uses the Security Content Automation Protocol (SCAP) to perform automatedaudits, including policy compliance evaluat

COPYRIGHTCopyright © 2008 McAfee, Inc. All Rights Reserved.No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

Statement of CVE ImplementationMcAfee Policy Auditor 5.0 fully implements and supports the Common Vulnerabilities andExposures (CVE) standard vulnerab

characteristics. Using CVSS weighted scores can help an organization determine and prioritizeresponses to detected vulnerabilities.Policy Auditor supp

Managing the Policy Auditor Agent Plug-inThe Policy Auditor Agent Plug-in is an extension of the McAfee agent. The extension managesthe schedule for p

Supported platformsPolicy Auditor 5.0 and the Policy Auditor Agent Plug-in supports the following platforms:NotesOther ProcessorsX64X86OSXWindows 2000

Working with the McAfee Policy Auditor AgentPlug-inUse these tasks to manage the installation and uninstallation of the McAfee Policy AuditorPlug-in.T

Deploying the Policy Auditor Agent Plug-inUse this task to deploy the Policy Auditor Agent Plug-in to managed systems on your network.Before you begin

8 Send a manual wake-up call to the appropriate group if you want the task to runimmediately.Determining whether the Agent Plug-in is being deployedUs

Before you beginYou must have already installed the Policy Auditor Agent Plug-in on the systems for which youwant to verify communication.TaskFor opti

e Set whether to use the local system time or Coordinated Universal Time (UTC) forrunning the task.f For Schedule, select an option from the dropdown

3 Select More Actions at the bottom left of the page and select Show Agent Log. A newbrowser window will open that shows the agent log.4 Search the lo

ContentsIntroducing McAfee Policy Auditor 5.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Poli

Creating and Managing AuditsMcAfee Policy Auditor 5.0 makes it easy to demonstrate and report on compliance with recognizedcorporate and industry secu

DefinitionOptionCreate a new audit using the New Audit BuilderNew AuditDelete the selected auditsDeleteCreates an OVAL results file that conforms to t

Benchmarks contain rules describing the desired state of a managed system according torecognized standards.Figure 2: Policy TreeRules contain one or m

• Add Group — a group defined in the ePO System Tree• Add Tag — systems that have been tagged in the ePO System Tree, such as server,workstation, or l

Benchmark profiles and their impact on managedsystemsAudits have benchmarks assigned to them. Many benchmarks contain profiles, which are namedsets of

than 4 days. Blackout windows are set from 8am to 5pm on weekdays. Whiteout windows coverthe remaining period.If the benchmark is scheduled for re-eva

The page provides a control that allows you to view the results by system group, systemsubgroup, systems with a specific tag, or even individual syste

4 To block out a period of time when audits should not run, click a white square correspondingto your desired day and hour. To allow a period of time

TasksSelecting benchmarksDeleting AuditsSelecting benchmarksUse this task to select one or more benchmarks for use in an audit. If a benchmark has pro

b Select Criteria, then select one or more Available Properties to add to the ComputerProperties pane. Choose the Comparison and select or type in the

Statement of CVSS Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Editing existing auditsUse these tasks to edit existing audits. Editing audits is useful in a number of situations, forexample:• The groups or systems

Before you beginYou must have appropriate permissions to perform this task.TaskFor option definitions, click ? on the page displaying the options.1 Se

TaskFor option definitions, click ? on the page displaying the options.1 Review your new audit. If changes need to be made, click Back until you have

Scoring AuditsWhen Policy Auditor performs an audit on a managed system, it accepts as input the state ofthe system and any benchmarks in the audit, a

model is easy to determine and to understand, scores between different managed systems maynot be directly comparable because the maximum score can var

Creating and Managing WaiversWaivers provide a way for you to temporarily affect audit scoring for managed systems. Waiversare useful when you have a

How waivers workWaivers temporarily affect audit scoring for managed systems. Policy Auditor provides threetypes of waivers with each one exhibiting d

DescriptionColumnThe date when a waiver takes effectStart DateA waiver may have a status of Requested, Upcoming,In-effect, or Expired.StatusThe system

• Example of scoring impact:A benchmark has 5 rules. An audit is run on a system and 4 rules pass and 1 fail, resultingin a score of 80%. If the syste

system-based only and, when you request a waiver, Policy Auditor does not allow you to assigna benchmark and rule.Waivers can only be applied to a sin

Flat unweighted scoring model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Absolute

DescriptionFiltergroup of the System Tree . When you select This Groupand all Subgroups, Policy Auditor shows waivers in theselected group of the Syst

As of today's date of 10/01/2008, Waiver A and Waiver B both have astatus of Upcoming. Use the calendar control to reset the As of date to12/02/2

2 Click New Waiver. The Waiver Request page appears.3 Name the waiver then select the type of waiver that you wish to create from the WaiverType drop-

Expiring waiversUse this task to make a waiver expire.Before you beginYou must have waiver grantor permissions to perform this task.TaskFor option def

Managing Issues and TicketsThe Issue extension allows you to create, modify, assign, and track issues. You can also addtickets to issues for tracking

How issues are managedHow issues are managed and their life cycles are defined by the user and the installed productextensions. An issue's state,

Why ticketed issues should not be edited manuallyEditing a ticketed issue manually breaks the relationship between the ticketed issue and theticket. T

• If the registered server for the ticketing server is deleted, the system changes the state ofeach ticketed issue to Assigned or to New if the ticket

Sample mappingsWhen you register your ticketing server, you must also configure the field mappings for issuesand tickets. These sample field mappings

Operation: Identity•• Source field: URLMap Ticket back to Issue Status fieldNOTE: Because this section only maps the ticket's state/status, you a

Working with issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

• Source field: Activity Log• Ticket field: Type the name or ID for any open text field• Operation: Identity• Source field: URLMap Ticket back to Issu

2 In the Action panel, select an issue type, then click OK. This choice determines the optionsavailable on the New Issue page.3 Type a name and descri

15 Accept the default values for state, priority, severity, and resolution, or select differentvalues.16 Type the name of the user to whom you want th

Editing issuesUse this task to edit an issue. An issue can be edited in a similar way when viewing its details.CAUTION: Editing a ticketed issue break

TaskFor option definitions, click ? on the page displaying the options.1 Go to Automation | Server Tasks, then click New Task. The Description page of

3 Select the General tab.4 Under Service status, click Stop. The server is now stopped.5 Copy the required files for your ticketing server, then repea

• arrpc51.dll• arutl51.dll• If using the Remedy 7.0 API files:• arapi70.dll• arjni70.dll• arrpc70.dll• arutiljni70.dll• arutl70.dll• arxmlutil70.dll•

Installing the ticketing server extensionsUse this task to install ticketing server extensions.Before you begin• Copy the files required for the ticke

• On the system running Service Desk 4.5, add the name of that system as a DNS suffixin the IP settings, then reboot the Service Desk 4.5 system.Figur

• Know which fields from the ticketing server need to be mapped.TasksMapping issues to ticketsMapping tickets back to issue statusMapping issues to ti

PA: Benchmark Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83PA:

Mapping tickets back to issue statusUse this task to configure the field mapping from the ticket back to the issue's status (state)field.NOTE: Be

Before you begin• Make sure the upgraded version of the ticketing server is running.TaskCAUTION: If the server task, which synchronizes ticketed issue

Task1 Go to Reporting | Issues, select the checkbox next to each issue, then click Add ticket.2 In the Action panel, click OK to add a ticket to each

Querying the DatabasePolicy Auditor ships with its own querying and reporting capabilities. These are highlycustomizable and provide flexibility and e

Exported resultsQuery results can be exported to four different formats. Exported results are historical data andare not refreshed like when using que

Query BuilderePolicy Orchestrator provides an easy, four-step builder with which to create and edit customqueries. With the wizard you can configure w

Table columnsSpecify columns for the table. If you select Table as the primary display of the data, thisconfigures that table. If you selected a type

Creating a Data Roll Up server taskRegistering ePO serversUse this task to register each ePO server with the reporting server that you want to include

Working with queriesUse these tasks to create, use, and manage queries.TasksCreating custom queriesRunning an existing queryRunning a query on a sched

Running an existing queryUse this task to run an existing query from the Queries page.TaskFor option definitions, click ? on the page displaying the o

Introducing McAfee Policy Auditor 5.0McAfee Policy Auditor evaluates the status of managed systems relative to audits that containbenchmarks. Benchmar

• Move To — Moves all systems in the query results to a group in the System Tree. Thisoption is only valid for queries that result in a table of syste

Making personal queries publicUse this task to make personal queries public. All users with permissions to public queries haveaccess to any personal q

2 Click Export, then OK in the Action panel. The File Download dialog box appears.3 Click Save, select the desired location for the XML file, then cli

Default queries and what they displayPolicy Auditor ships with a number of default queries that can be used for some of your mostcommon needs. Each of

DefinitionOptionExport the check in a ZIP formatExportRemove labels from checkRemove LabelsPA: Check Catalog Usage ListUse this page to view a list of

Before you beginThis query and its results depend on the Generate Compliance Event server task. Schedule thisserver task to run at a regular interval.

Assessing Your Environment With DashboardsDashboards allow you to keep a constant eye on your environment. Dashboards are collectionsof monitors. Moni

• McAfee Links — Hyperlinks to McAfee sites, including ePolicy Orchestrator Support, AvertLabs WebImmune, and Avert Labs Threat Library.Setting up das

Working with DashboardsUse these tasks to create and manage dashboards.TasksCreating dashboardsMaking a dashboard activeSelecting all active dashboard

TaskFor option definitions, click ? on the page displaying them.1 Go to Dashboards, click Options, then select Manage Dashboards. The ManageDashboards

ContentsPolicy Auditor components and what they doWhere to find McAfee product informationPolicy Auditor components and what they doMcAfee Policy Audi

TaskFor option definitions, click ? on the page displaying the options.1 Go to Dashboards, then select Manage Dashboards from the Options drop-down li

IndexAabsolute scoring model 44agent plug-inoverview 22responsibilities 22audience 10auditcreate 38audit benchmarks panebenchmark ID 35fail 35pass 35p

CVE Implementation 20CVSS Implementation 20Ddashboardsactive set 89chart-based queries and 86configuring access and behavior 87configuring refresh fre

permissions(continued)to dashboards 87policy auditoragent plug-in responsibilities 22Policy Auditoragent plug-in 9agent plug-in overview 22audience 10

server tasksscheduling a query 79serversimporting and exporting queries 81registering, for queries 77roll-up queries 77servertasksData Roll-Up 77Servi

waivers(continued)exemption, effect on audit results 47exemption, effect on scoring 47expired 48, 50, 53expires 46, 51expires date 48expires date, con

McAfee Policy Auditor 5.0 Product Guide96Index