McAfee PASCDE-AB-IA, Policy Auditor 6.0 Product Manual

McAfee Policy Auditor 6.0 software

Product Guide for ePolicy Orchestrator 4.6

or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.62

Contents

Introducing McAfee Policy Auditor. . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..8

Getting started with McAfee Policy Auditor . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . 10

Configuring McAfee Policy Auditor. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..16

Audience. .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 8

Conventions.... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...8

Finding product documentation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 9

Introduction to compliance audits. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 10

Auditing systems. .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . 11

What's new. . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .11

Software components and what they do. .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 12

Use of ePolicy Orchestrator software features.... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . 13

Managed systems vs. unmanaged systems.. . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 14

Server settings and what they control. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 16

Edit McAfee Policy Auditor server settings. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . ...18

How permission sets work. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . 18

Default permission sets. . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..19

Edit permission sets. . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...21

Using the McAfee Policy Auditor agent plug-in. . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .22

The agent plug-in and how it works. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 22

Supported platforms. . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..22

How content is managed. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..24

Install and uninstall the agent plug-in. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... 24

Install the McAfee Policy Auditor agent plug-in. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..24

Uninstall the agent plug-in. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 25

Send a manual wake-up call to a group of systems... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..25

Display the system tray icon on Windows systems. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . 26

Configuring agentless audits. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . 27

How McAfee Policy Auditor integrates with the McAfee Vulnerability Manager extension. . . . . . ... . . . . . . . 27

Uniform system management. . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...27

McAfee Vulnerability Manager extension integration with scannable systems. .... . . . . . . . . . ... . 28

Asset Discovery scans. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 28

3McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Contents

Data collection scans. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 28

The Maintain Foundstone Audits server task... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . 28

The Data Import server task. . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . 29

Server support. . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . 29

Configure McAfee Vulnerability Manager and the ePolicy Orchestrator extension. . . . . . ... . . . . . . . . . ...29

Create a McAfee Vulnerability Manager workgroup. . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . 30

Configure the McAfee Vulnerability Manager single sign-on feature. . . . . ... . . . . . . . . . .... . . . . . 30

Create a data source to synchronize McAfee Vulnerability Manager and ePolicy Orchestrator. . . . 31

Manage McAfee Vulnerability Manager credential sets. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . 33

Create an Asset Discovery scan. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . .33

Create an MVM Data Import task. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . 34

Add systems found by McAfee Vulnerability Manager scans to the System Tree. . . . . .... . . . . . . 35

Create a Data Collection Scan. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . .35

View McAfee Vulnerability Manager scan status.. . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 36

How to handle missing audit results. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 36

Troubleshoot missing audit results. . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . 37

How to handle mismatched McAfee Vulnerability Manager certificates. . .... . . . . . . . . . ... . . . . . . . . . ... 37

Troubleshoot mismatched McAfee Vulnerability Manager certificates. . . . . . . . .... . . . . . . . . . ... 38

Creating and managing audits. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . 39

Audits and how they work... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 39

Audit frequency. .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 40

When audits are run. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 40

Per audit data maintenance... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . 40

Benchmark profiles and their effect on audits. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...41

Considerations for including systems in an audit. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...41

Benchmark labels and how they are used. . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 41

Findings. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . 42

Agentless audits. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .42

Activate benchmarks. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 42

Create an audit. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . 43

Run an audit manually. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... 43

Disable an audit. . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 44

Delete audits. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . 44

Audit whiteout and blackout periods. . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . .44

Set whiteout and blackout periods.... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...44

Service Level Agreements. .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...45

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.64

Contents

Create, edit, and delete Service Level Agreements... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..45

How viewing audit results works. .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . 46

Exporting audits and audit results. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... 47

Export audits. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . 47

Scoring Audits. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..49

Default scoring model. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 49

Flat unweighted scoring model. . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . 50

Flat scoring model. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 50

Absolute scoring model. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .51

Changing the scoring model. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 51

Managing Audit Waivers. . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..52

Types of waivers. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 52

Exception waivers. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...53

Exemption waivers.. . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 53

Suppression waivers. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . 53

Waiver status.. . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..54

Filtering waivers by status.... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . 54

How start and expiration dates work. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 54

Examples of filtering waivers by date.... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . 54

Filtering waivers by date.... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . 55

Filtering waivers by group... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 55

How waiver requests and grants work. . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . 56

Requesting waivers. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .56

Granting waivers... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 57

Making waivers expire.. . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . 57

Deleting waivers. ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . 57

File Integrity Monitoring and entitlement reporting. . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . 59

How file integrity monitoring works. . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 59

File information monitored. . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . 60

File baselines. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...60

Monitored and excluded files. .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . 60

File versioning. . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 61

File version comparison. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . 62

Accept file integrity monitoring events. .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . 62

Purge file integrity monitoring events. .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . 62

Entitlement reporting. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .62

Create and apply a file integrity monitoring policy. . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 63

5McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Contents

Create a file integrity monitoring policy. . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 63

Apply a policy to systems. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 65

Compare file versions. . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . 65

Accept file integrity monitoring events. .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . 66

Purge file integrity monitoring events. .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . 66

Create a new file integrity monitoring baseline. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..67

Query reports for file integrity monitoring. . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . 67

Rollup reporting. . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . 68

Rollup capabilities. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . 68

Rollup reporting considerations. . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . 68

Rollup server tasks. . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 69

Rollup Data - PA: Audit Benchmark Results. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . ...69

Rollup Data - PA: Audit Rule Result . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . 70

Rollup Data - PA: Audit Patch Check Result ... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . 71

Rollup reports. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . 71

Configure rollup reporting. . . . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . 72

Findings. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 74

How findings work. . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . 74

Types of violations. . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . 74

Violation limit. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... 75

Other Findings enhancements. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . .75

Hide or unhide Findings results. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . 75

Dashboards and Queries. . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..77

Policy Auditor default dashboards. . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 77

PA: Compliance Summary dashboard. . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ...80

PA: MS Patch Status Summary dashboard. . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ..80

PA: Operations. . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . 80

PA: PCI Summary. . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . 81

Queries as dashboard monitors. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . 82

Policy Auditor agent plug-in debug tool. . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . 83

Execute the agent plug-in debug tool... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . 83

Display help. .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . ..84

Run an audit. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . 84

Run a benchmark. . . . . .... . . . . . . . . . ... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . 85

Run a check. . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . 85

Save debug information. . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . 86

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.66

Contents

Appendix A: Implementing the Security Content Automation Protocol. . . . ... . . . . . . . . . .87

Statement of FDCC compliance. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . 87

Statement of SCAP implementation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 88

Statement of CVE implementation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 88

Statement of CCE implementation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 89

Statement of CPE implementation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . 89

Statement of CVSS implementation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . 90

Statement of XCCDF implementation. . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... 90

Statement of OVAL implementation. . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . 90

Appendix B: Common Criteria requirements... . . . . . . . . . .... . . . . . . . . . ... . . . . . . . . . .... . . . . 92

7McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Introducing McAfee Policy Auditor

McAfee®Policy Auditor version 6.0 automates the process required for system compliance audits. It measures compliance by comparing the actual configuration of a system to the desired state of a system.

T o understand what the softw are does and how to use it, you m ust be familiar with these basics:

• What an audit is, when you should use it, and why you should use it.

• The supported deployment solutions based on the type(s) of systems you want to audit.

• The system classifications that determine which functional components can be used.

• The functional components you can use to audit systems.This includes leveraging the

software with McAfee Policy Auditor and other McAfee and third-party software.

• The functional components you can use to audit systems.This includes leveraging the software with McAfee®Vulnerability Manager and other McAfee and third-party software.

This document introduces these concepts, successively builds y our understanding, and provides details about the use of each functional component. In addition, it helps you understand how the software fits into the framework provided by McAfee®ePolicy Orchestrator®.

Contents

Audience Conventions Finding product documentation

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for two audiences:

• Network administrators who are responsible for implementing and enforcing the policy for protecting the company's intellectual property.

• Security officers who are responsible for determining sensitive and confidential data, and defining the corporate policy that protects the company's intellectual property.

Conventions

This guide uses the following typographical conventions.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.68

Title of a book, chapter, or topic; introduction of a new term; emphasis.Book title or Emphasis Text that is strongly emphasized.Bold

Introducing McAfee Policy Auditor Finding product documentation

User input or Path

Code

User interface

Important/Caution

Commands and other text that the user types; the path of a folder or program.

A code sample. Words in the user interface including options, menus, buttons, and dialog

boxes. A live link to a topic or to a website.Hypertext blue Additional information, like an alternate method of accessing an option.Note Suggestions and recommendations.Tip Valuable advice to protect your computer system, software installation,

network, business, or data. Critical advice to prevent bodily harm when using a hardware product.Warning

Finding product documentation

McAfee provides the inf ormation you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfeeTechnical Support ServicePortal at http://mysupport.mcafee.com. 2 Under Self Service, access the type of information you need:

Do this...To access...

User Documentation 1 Click Product Documentation.

2 Select a Product, then select a Version. 3 Select a product document.

KnowledgeBase • Click Search the KnowledgeBase f or answers to your product questions .

• Click Browse the KnowledgeBase for articles listed by product and

version.

9McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Getting started with McAfee Policy Auditor

McAfee Policy Auditor is an extension to ePolicy Orchestrator software software versions 4.5 and 4.6 that automates the process for risk and compliance system audits. Audits can perform tasks such as check system settings, including password length, open or closed ports, file changes, and the presence of software updates.

Contents

Introduction to compliance audits Auditing systems What's new Software components and what they do Use of ePolicy Orchestrator software features Managed systems vs. unmanaged systems

Introduction to compliance audits

Before using McAfee Policy Auditor, it is important to understand what audits are, when you should use them, and why you should use them.

What are compliance audits?

A compliance audit is a comprehensive review of an organization's adherence to external regulatory guidelines or internal best practices.McAfeeP olicy A uditor automates the compliance audit process and allows you to demonstrate compliance to auditors by producing an audit tr ail showing compliance, compliance history , and actions tak en to mitigate risks. Organizations that are out of compliance might be subject to fines or other sanctions, including criminal liability.

When should you use audits?

Use compliance audits when you are subject to government regulations that require your organization to determine system compliance and maintain records.You should also use audits to determine compliance with organizational requirements such as password complexity, password length, the presence of unsupported software, and software patch requirements.

Why should you use audits?

McAfee Policy Auditor automates the process for mandated and organizational audits. Its companion product, McAfee Benchmark Editor, contains built-in benchmarks that the software can use for mandated audits, such as Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standards (PCI DSS).The reporting system allows you to demonstrate compliance to auditors while the Findings feature helps you to find solutions to audit issues.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.610

Getting started with McAfee Policy Auditor Auditing systems

Auditing systems

An audit is an independent evaluation of a computer system to determine whether it is in compliance with corporate and industry security standards. Audit results show recommended improvements to reduce risks.

McAfee Policy Auditor evaluates systems against independent standards developed by government and private industry . It can also ev aluate systems against standards that you create yourself.McAfee Policy Auditor uses audits to determine the compliance status of systems and returns results indicating any areas where the system is out of compliance.

Scoring audits

When you audit a system with McAfee Policy A uditor, it returns a score indicating how well the system complied with the audit.McAfee Policy Auditor supports the four scoring models described in the eXtensible Configuration Checklist Description Format (XCCDF) 1.1.4 specifications.

What's new

McAfee Policy Auditor has a number of new features to enhance user experience and expand capabilities.

These are the major new features for this software release:

• McAfee®Policy Auditor Content Creator — Allows users to create simple benchmarks and fill in the rule values manually or import them from an existing system.

• McAfee Benchmark Editor enhancements — McAfee added these new capabilities to the software:

• Ability to drag and drop groups

• Ability to drag and drop rules between groups

• Ability to delete groups

• Enhanced display of expired results — Provides detailed inf ormation about expired results

to help users determine what steps to take.

• Server performance improvements — The server database has been rewritten to speed processing and to eliminate duplicate storage.McAfee added four new dashboards to help users understand the status of audits.

• Database health tools — McAfee added daily and weekly server tasks to speed database access by reducing fragmentation and rebuilding fragmented indexes.

• Improved audit failure status — McAf eePolicy Auditor agent plug-in audit exceptions are logged in the ePolicy Orchestrator software server event log.The exceptions can be seen through a new McAfee Policy Auditor server query and dashboard.

• Agent debug support — The McAfee Policy Auditor agent plug-in includes a tool to help you solve problems on managed systems.The tool has these features:

• Interface — Graphical for Windows systems, console f or all supported operating systems.

• Audits — Displays and allows you to run available audits.

• Benchmarks — Displays and allows you to run available benchmarks.

• Checks — Displays and allows you to run available checks.

• Debug information — Collect and sav e inf ormation, including the log file and database,

to a ZIP file.

11McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Getting started with McAfee Policy Auditor Software components and what they do

• Entitlement reporting — Entitlement reporting is an enhancement to the Policy Auditor File Integrity Monitoring feature that produces custom file entitlement reports. It has these capabilities:

• Monitors file entitlements, such as read and write attributes.

• Monitors files for changes.

• Monitors and displays changes to text files.

• Support for OVAL 5.7 – 5.9 — The software adds support for Open Vulnerability and

Assessment Language (OVAL) versions 5.7, 5.8, and 5.9.

• Support for SCAP 1.1 — The software adds support for Security Content Automation Protocol (SCAP) version 1.1.

• Agent support for new operating system platforms — The McAfee Policy Auditor agent plug-in supports these new platforms:

• HP-UX 11i v2 Itanium

• HP-UX 11i v3 Itanium

• Red Hat Enterprise Linux 6.0

• SuSE Linux Enterprise Server 11

Software components and what they do

McAfee Policy Auditor installs components that help you analyze systems for compliance with recognized, open-source standards and standards that you can create yourself.

These are the McAfee Policy Auditor components as they appear in the interface:

• Benchmark Editor — A utility used to enable, disable, create, and edit benchmarks. Each audit must contain at least one benchmark. Ideally, audits should contain only one benchmark.

• Benchmark Editor Content Distributor — Distributes content downloaded from McAfee Labs™ to systems.

• Findings — Manages findings, which help you understand why an audit check failed and provides information about how to fix the problem.

• PACore — The primary portion of the software that controls all other features.

• P ARollup — Uses the rollup capabilities of eP olicyOrchestrator software to collect summary

information from registered ePolicy Orchestrator servers and show aggregated data.

• Policy Auditor — Handles policy and task management, audit schedules, and system management.

McAfee Policy Auditor agent plug-in

The McAfee Policy Auditor agent plug-in expands the ability of the McAfee Agent to support McAfee Policy Auditor.

When audits are deployed to systems with the McAfee Agent, the agent plug-in determines when the audits should be run.The agent plug-in conducts audits at the appropriate time and returns the results to the ePolicy Orchestrator server.The agent plug-in can conduct audits when the managed system is off the network, and returns results to the ePolicy Orchestrator server once the system is reconnected to the network.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.612

Getting started with McAfee Policy Auditor Use of ePolicy Orchestrator software features

Installing the agent plug-in adds a product icon to the McAfee Agent system tray. In Windows environments, the product icon optionally displays a balloon tip to indicate the system is being audited.

Systems that have the McAf eePolicy A uditor agent plug-in installed are known, in McAf eePolicy Auditor terminology, as managed systems.

Use of ePolicy Orchestrator software features

McAfee Policy Auditor is an extension of ePolicy Orchestrator software, and uses and relies upon many of its features.

McAfee Policy Auditor is configured from the ePolicy Orchestrator server.The ePolicy Orchestrator server is the center of your managed environment and provides a single location where you can administer and monitor security settings throughout your network.You can use the default settings or configure the settings to match your organizational needs.

This table lists the applicable ePolicy Orchestrator software features and describes how they are used by McAfee Policy A uditor.You should become familiar with each of the listed features and their uses.

Assign Policies

Client tasks

Contacts

Dashboards and Monitors

Detected Systems (Rogue System Detection)

Menu | Systems | System Tree | Assigned Policies

Menu | Systems | System Tree | Client Tasks

Menu | User Management | Contacts

Menu | Reporting | Dashboards

Menu | Systems | Detected Systems

Used by McAfee Policy AuditorLocationePolicy Orchestrator feature

To assign policies, like file integrity monitor, to managed systems.

• To deploy the McAfee Policy Auditor agent plug-in to detected systems.

• To update the McAfee Policy Auditor agent plug-into the latest version.

• To wake up the McAfee Agent on selected systems.

To create user contact information when you want to notify specific personnel by email of an event.

• To create a new dashboard containing McAfee Policy Auditor monitors

• To manage the various dashboards you use for policy audits

• To access detailed information about policy audits

• To identify systems detected by McAfee Foundstone

• To determine whether the coverage of network enforcement appliances is sufficient.

Issues

Menu | Automation | Issues

To prioritize, assign, and track issues. Issues can also be associated with tickets in a third-party ticketing server .

13McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Getting started with McAfee Policy Auditor Managed systems vs. unmanaged systems

Used by McAfee Policy AuditorLocationePolicy Orchestrator feature

Policy Catalog

Queries

Registered Executables

Repositories

Server Settings

Server Tasks

Menu | Policy | Policy Catalog

Menu | Reporting | Queries

Menu | Configuration | Registered Executables

Menu | Software | Master Repository

Menu | Configuration | Server Settings

Menu | Automation | Server Tasks

• To manage the times when audits are allowed to audit systems.

• To manage settings for the file integrity monitor.

To create and maintain database queries regarding system security information.

To register a command that can be run on the server as part of an automatic response.

To check in and manage content required by McAfee Policy Auditor, such as the Audit Engine content containing all the compliance and threat checks and published benchmarks.

To specify parameter values affecting the operations of McAfee Policy Auditor.

• To synchronize data with McAfee Vulnerability Manager using the Maintain McAfee Vulnerability Manager Audits task.

• To import McAfee Vulnerability Manager data into McAfee Policy Auditor.

• T o manage Ex emption Expiration.

• To process audit results.

Tag Catalog

Users

Menu | Systems | Tag Catalog

Menu | User Management | Users

To create tags that can be used to help organize your systems.

To create or edit a specific person as a user of McAfee Policy Auditor and their permission type.

Managed systems vs. unmanaged systems

Knowing how McAfeePolicy Auditor classifies systems on your network is important for setting up and using the product, and for using its features. McAfee Policy Auditor uses two system classifications: Managed systems and unmanaged systems.

• Managed systems — Systems in the System Tree that have both the McAf ee Agent and the McAfee Policy Auditor Agent plug-in installed.

• Unmanaged systems — Systems in the System Tree that do not have the McAfee Policy Auditor agent plug-in installed.

These classifications, and their characteristics and requirements, apply exclusively to McAfee Policy Auditor functionality. Other McAfee products might use the same classifications, but with different characteristics or requirements.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.614

Getting started with McAfee Policy Auditor Managed systems vs. unmanaged systems

Auditing managed systems

When connected to a network managed by ePolicy Orchestrator software, managed systems can exchange information with the ePolicy Orchestrator server as scheduled.The primary advantage of managed systems is that they are audited by the agent even when they are not connected to the network.When they are reconnected, the Agent plug-in communicates the results to McAfee Policy Auditor.The Agent plug-in slightly increases memory and processor use.

Auditing unmanaged systems

Unmanaged systems can be audited by registering a McAfee Vulnerability Manager 6.8 or McAfee Vulnerability Manager 7.0 server with McAfee Policy Auditor.McAfee Vulnerability Manager performs the audits and returns the results to McAfee Policy Auditor.The primary advantage of unmanaged systems is that you can audit them without installing an agent. Unmanaged systems cannot be audited when they are disconnected from the network.

15McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Configuring McAfee Policy Auditor

McAfee Policy Auditor is configured from the ePolicy Orchestrator server.The server is the center of your security environment, providing a single location from which to administer system security throughout your network.

Contents

Server settings and what they control Edit McAfee Policy Auditor server settings How permission sets work Default permission sets Edit permission sets

Server settings and what they control

McAfee supplies default settings f or McAf eeP olicy Auditor and findings .Y ou can change server settings to fit your organizational needs.

These are the server settings for McAfee Policy Auditor.

DescriptionServer setting

Audit data retention

Audit label

As the amount of audit data grows, you can purge all audit data older than a designated date.Y ou can also manage the purge settings for individual audits. In large and complex organizations, the retention times for audit data may vary by audit.The ability to specify data maintenance per audit lowers the cost of maintaining audit data.

• Enable findings data purging — Allow McAfeePolicy Auditor to purge audit results data older than a specified date.This setting is enabled by default.

• Purge findings data after — Edit to specify how long findings data should be retained.The default setting is 12 months.

• Stop Data Maintenance after — If the PA: Purge Audit Results server task runs longer than the time specified in this setting, it stops to allow other system data maintenance tasks to run.When the server task restarts, it resumes where it left off.The default setting is to let this task run for 2 hours.

• Remove related Findings results when purging Audit Results — Select to purge Findings data when purging audit results.This setting is selected by default.

Audit labels allow you to use different descriptions for the default labels of Pass, F ail, P ass-Expired, Fail-Expired, or Other-Expired. F or example , instead of the word Pass, you can choose to use the word Successful. McAfee recommends that you keep the default settings , because most users find them appropriate and intuitive.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.616

Configuring McAfee Policy Auditor Server settings and what they control

DescriptionServer setting

Audit score

Audit score categories

An audit score indicates how well a system conforms to the ideal settings specified in an audit.McAf eePolicy Auditor allows you to change the scoring definitions to reflect your organization's determination of what constitutes a passed or failed audit.

• Minimum High Score — Any score equal to or greater than this setting means that the system passed the audit.The default setting is 80, meaning that an audit score above 80 is assigned a score category of Pass.

• Audit Score – Fail — Any audit score equal to or lower than this setting means that the system failed the audit.The default setting is 60, meaning that an audit score below 60 is assigned a score category of Fail.

• Maximum Low Score — Any score less than the Minimum High Score but higher than the Audit Score - Fail setting means that the audit had mixed results: it neither passed or failed. By default, an audit score between 60 and 80 is assigned a score category of Other.

McAfee Policy Auditor software provides four categories with default names and colors that describe the success of an audit.You can change the names to fit your organization's requirements, but most users find the def ault names appropriate and easy to understand.

• High — The system passed the audit.

• Low — The system failed the audit.

• Medium — The system has mixed audit results . Critical systems warrant

attention to fix the audit failures, while non-critical systems may be left as is.

• Unknown — McAfee Policy Auditor is unable to determine whether the system passed an audit. Situations yielding a status of Unknown include systems taken off the network or turned off.

rebuild of indexes Database Maintenance - maintain

indexes whose fragmentation e xceeds this percentage

Database Maintenance – stop processing after this time

Default Scoring Model

Differentiate expired results in a query

Findings data retention

Enables database maintenance features, including the reb uilding of indexes.Database Maintenance - allow online

Specifies the amount of fragmentation that triggers index rebuilding and related maintenance.

Specifies the amount of time, in hours, that database maintenance tasks run before stopping.

McAfee Policy Auditor supports the four standard eXtensible Configuration Checklist Description Format (XCCDF) scoring models.These scoring models are described in detail in Scoring Audits.

Controls whether expired results are differentiated in a query.You can show expired results as expired or differentiate them as follows:

• pass-expired — The results have expired but the last audit results evaluated to pass.

• fail-expired — The results ha ve expired b ut the last audit results ev aluated to fail.

• other-expired — The results hav e e xpired and the pre vious audit results evaluated to a condition other than pass or fail.

Findings provide information about why checks f ailed in an audit.This setting defines how long findings information is retained.

• Enable findings data purging — Allow McAfeePolicy Auditor to purge findings information after older than a specified date. By default, this setting is enabled.

• Purge findings data after — Specifies how long findings data should be retained.The default setting is 12 months.

• Stop Data Maintenance after— If the FND: Purge Findings server task runs longer than the time specified in this setting, it stops to allow other

17McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Configuring McAfee Policy Auditor Edit McAfee Policy Auditor server settings

DescriptionServer setting

system data maintenance tasks to run.When the server task restarts, it resumes where it left off.The default setting is to let this task run for 2 hours.

Frequency to run update audit assignments

Full OVAL Results

Max number of FIM version files

Minimum pass percentage for rule aggregation

per batch Threads for audit results processing

Violation limit

Defines the value, in hours, for running the PA: Update Audit Assignments server task. McAfeePolicy Auditor sends audit content only to systems that are scheduled to receive the content.This reduces bandwidth and lessens client system disk space requirements.

Allows you to retain full O VAL results for failed, non-patch checks that do not have Findings information.When you enable this setting, the software retains full OVAL results so that you can determine the cause of the failure.This setting is disabled by default and retains "thin" O V AL results , not the full OVAL results.

Defines the number of file integrity file versions to store.You can store the contents of up to 6 text files, including the baseline version. See the File Integrity Monitoring section for more information on baselines and file versions.

When the percentage of rules that pass in an audit exceed the defined percentage, the software will aggregate the results in queries and reports.

The number of benchmark results purged when purging audit results.Number of benchmark results to purge

The number of processing threads allotted to audit results.The default number is 5.

Findings provide information about why checks failed in an audit. Since an audit may report thousands of violations, you can limit the number of violation shown in reports through the Violation Limit setting. By default, McAf eePolicy Auditor truncates the number of violation results to 300.

Edit McAfee Policy Auditor server settings

Edit the McAfee Policy Auditor server settings to fit your organizational and business needs.

Before you begin

You must be a global administrator to perform this task.

Task

For option definitions, click ? in the interface. 1 From the interface, click Menu | Configuration | Server Settings. 2 Under Setting Categories, select Policy A uditor.The McAfee Policy Auditor server settings

appear in the main panel.

3 Click Edit.The settings page appears. 4 Change the settings to the desired values, then click Save.

How permission sets work

When McAfee Policy Auditor is installed, it adds a permission group to each permission set. When you create a new permission set, the McAfee Policy Auditor permission group is added

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.618

Configuring McAfee Policy Auditor Default permission sets

to the set. One or more permission sets can be assigned to users who are not global administrators (global administrators have all permissions to all products and features).

Permission sets only grant rights and access — no permission ever removes rights or access. When multiple permission sets are applied to a user account, they aggregate. For example, if one permission set does not provide any permissions to server tasks, but another permission set applied to the same account grants all permissions to server tasks, that account has all permissions to server tasks. Consider this as you plan your strategy for granting permissions to the users in your environment.

How users, groups, and permission sets fit together

Access to items within ePolicy Orchestrator is controlled b y interactions between users, g roups, and permission sets. For more information on how they interact, see How users, groups, and permission sets fit together in the McAfee ePolicy Orchestrator 4.6 Software Product Guide.

Default permission sets

McAfee Policy Auditor includes seven default permission sets that provide permissions for McAfee Policy Auditor and related applications.

PermissionsPermission set

Benchmark EditorPA Admin

• Activate benchmarks

• Edit benchmark tailoring

• Create, delete, and apply labels

• Create, delete, modify, import, and unlock

benchmarks

• Create, delete, and import checks

Findings

• View and hide/unhide findings

Issue Management

• Create, edit, view, and purge assigned issues

Policy Assignment Rule

• View and edit rules

McAfee Policy Auditor

• Accept and delete events, and reset system baseline

• Allow access to Foundstone Enterprise Manager

(EM)

• Grant and modify waivers

• Allow access to File Entitlement

• Add, remove, and change audits and assignments

Policy Auditor Agent

• View and change settings

Policy Auditor Rollup

• View Policy Auditor rollup reports

McAfee Policy Auditor AgentPA Agent Admin

• View and change settings

19McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Configuring McAfee Policy Auditor Default permission sets

PermissionsPermission set

Benchmark EditorPA Audit Admin

• View and export checks

• View and export benchmarks

Findings

• View and hide/unhide findings

Issue Management

• Basic: Create issues and edit, view , and purge issues created by or assigned to me

McAfee Policy Auditor

• View Waivers

• Allow access to Foundstone Enterprise Manager

(EM)

• Add, remove, and change audits and assignments

McAfee Benchmark EditorPA Benchmark Activator

• Activate benchmarks

• View and export checks

• View and export benchmarks

McAfee Benchmark EditorPA Benchmark Editor

• Edit benchmark tailoring

• Create, delete, and apply labels

• Create, delete, and import checks

• Create, delete, modify, and import benchmarks

McAfee Benchmark EditorPA Viewer

• View and export checks

• View and export benchmarks

Findings

• View findings

McAfee Policy Auditor

• View waivers

• View audits and assignments

McAfee Benchmark EditorPA Waiver Granter

• View and export benchmarks

• View and export checks

Findings

• View findings

Issue Management

• Create, edit, view, and purge assigned issues

McAfee Policy Auditor

• View audits and assignments

• Grant and modify waivers

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.620

Configuring McAfee Policy Auditor Edit permission sets

Edit permission sets

You can edit the default McAfee Policy Auditor permission sets or create your own.

Before you begin

You must be a global administrator to perform this task.

Task

For option definitions, click ? in the interface. 1 In the ePolicy Orchestrator user interface, click Menu | User Management | Permission

Sets, then select the permission set.

2 Click Edit next to the McAfee Policy Auditor permission group.The Edit Permission Set

page appears.

3 Select the appropriate options, then click Save. 4 Repeat for all appropriate sections of other permission sets.

21McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Using the McAfee Policy Auditor agent plug-in

The McAfee Policy Auditor agent plug-in (agent plug-in) extends the features of the McAfee Agent. It manages the schedule for performing audits, runs the audits, and returns the results to the server.

You install the McAfee Agent and the agent plug-in on managed systems.This enables audits to be conducted even if a system is not connected to the network. Once the system reconnects to the network, it returns audit information to the server and receives updated content and schedules for future audits from the McAfee Policy Auditor server.

Contents

The agent plug-in and how it works Supported platforms How content is managed Install and uninstall the agent plug-in

The agent plug-in and how it works

The McAfee Policy Auditor agent plug-in updates the audit schedule on managed systems, launches audit scans according to a schedule, and returns results to the server.

The schedule relies on whiteout and blackout periods that you set. Audit whiteout periods are times when an audit can run on a system or group of systems. A udit blac k out periods are times when an audit can't run.The agent plug-in determines the age of the current information and uses any pending blackout or whiteout windows to determine when content should be re-evaluated.

Upon receipt or completion of an audit, the agent plug-in calculates and stores the date and time of the next scheduled audit.You can use the Run Audits feature of ePolicy Orchestrator to force an immediate scan.When you do this, the agent plug-in marks the frequency information as expired and recalculates the date and time for the next scheduled audit.The recalculated date and time are always scheduled during a whiteout period.

The agent plug-in can perform audits when a system is not connected to its network. Once the system reconnects to the network, the agent plug-in returns the results to the server.

Supported platforms

The McAfeeP olicy Auditor agent plug-in supports a number of Windo ws, Linux, and Unix-based operating systems.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.622

Using the McAfee Policy Auditor agent plug-in Supported platforms

AIX 5.3 TL8 SP5

AIX 6.1 TL2 SP0

X64 supportX86 supportOperating system

processors

Power5, Power6

RISCHP-UX 11i v1 RISCHP-UX 11i v2 RISCHP-UX 11i v2 Itanium RISCHP-UX 11i v3 RISCHP-UX 11i v3 Itanium

XXRed Hat Linux AS, ES, WS 4.0

XXRed Hat Enterprise Linux 5.0, 5.1

XXRed Hat Enterprise Linux 6.0

NotesOther

Universal binaryPowerPCXXApple Mac OS X 10.4 Universal binaryPowerPCXXApple Mac OS X 10.5 Universal binaryPowerPCXXApple Mac OS X 10.6

32-bit agent on 64-bit hardware

32-bit agent on 64-bit

hardware SPARCSolaris 8 SPARCSolaris 9 SPARCSolaris 10

XXSuSE Linux 9

XXSuSE Linux Enterprise Server 10

XXSuSE Linux Enterprise Server 11

XWindows 2000 Professional XWindows 2000 Server XWindows 2000 Advanced Server

32-bit agent on 64-bit

hardware

32-bit agent on 64-bit

hardware

32-bit agent on 64-bit

hardware

Native 32- and 64-bit agentXXWindows XP Professional

Native 32- and 64-bit agentXXWindows Server 2003 Standard Edition

Native 32- and 64-bit agentXXWindows Server 2003 Enterprise Edition

Native 32- and 64-bit agentXXWindows Vista

Native 32- and 64-bit agentXXWindows 2008 Server

Native 32- and 64-bit agentXXWindows 7

23McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Using the McAfee Policy Auditor agent plug-in How content is managed

How content is managed

Content for McAfee Policy Auditor consists of benchmarks and checks.The content package is included when the product is installed, and is placed into the ePolicy Orchestrator master repository.

Before you can use benchmarks in audits, y ou must activate them in McAf eeBenchmark Editor. See the McAfee Benchmark Editor Product Guide for information about how to do this.

The master repository is updated daily by a server task that is included with the software. If you want to update McAfee Policy Auditor on a different schedule, you can create a new server task.You must verify that the task is enabled.

The master repository is configured when installed. Howe ver , you must ensure that pro xy server settings, if any, are configured correctly . By default, eP olicyOrchestrator uses Microsoft Internet Explorer proxy settings.

For information about repository management, proxy settings, and server tasks, see the ePolicy Orchestrator software documentation.

Install and uninstall the agent plug-in

Managed systems under McAfee Policy Auditor must have the McAfee Agent and the McAfee Policy Auditor agent plug-in.

For information on installing and working with the McAfee Agent, see the ePolicy Orchestrator documentation.

Tasks

Install the McAfee Policy Auditor agent plug-in Uninstall the agent plug-in Send a manual wake-up call to a group of systems

Install the McAfee Policy Auditor agent plug-in

Install the McAfee Policy Auditor agent plug-in before you run audits on managed systems.

Task

For option definitions, click ? in the interface. 1 In the ePolicy Orchestrator user interface, click Menu | Systems | System Tree then click

the Systems tab.

2 Select the System Tree group containing the systems on which you want to install the agent

plug-in.

3 Click Actions | New Tasks.The Description page of the Client Task Builder appears. Fill

in the settings, then click Next. a Type an appropriate name for the task, such as Install McAfee Policy Auditor Windows

agent plug-in.

b Optionally, provide a description in the Notes text box. c From the Type drop-down list, select Product Deployment.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.624

Using the McAfee Policy Auditor agent plug-in Install and uninstall the agent plug-in

d In Tags, select which systems in the selected group on which you want to install the

agent plug-in.

• Send this task to all computers — Install the agent plug-in on all systems in the selected group.

• Send this task to only computers which have the following criteria — Use the edit buttons to include or exclude systems with tags. See the ePolicy Orchestrator documentation for information on working with tags.

4 Fill in all settings on the Configuration page, then click Next.

a Select Windows for the Target Platform. b For Products and components, select these options from the drop-down lists.

• McAfee Policy Auditor for Windows 6.0.0.

• Action — Install.

• Language — The language used on the systems.

• Branch — Current.

c For Options, you can select Run at every policy enforcement (Windows only) to

re-install the plug-in at the next policy enforcement interval if a user has removed the product or component.

d Click Next.The Schedule page appears. 5 Configure the schedule details as needed, then click Next. 6 Review the task settings, then click Save.The task is added to the list of client tasks for

the selected group and any group that inherits the task.

7 To run the client task immediately, send a manual wake-up call to the systems.

Uninstall the agent plug-in

Uninstall the McAfee Policy Auditor agent plug-in from systems on your network if you do not want them to be managed by McAfee Policy Auditor content.This is useful when you want to convert a managed system to an unmanaged system and reduce the load on system resources.

Task

For option definitions, click ? in the interface. 1 Follow the procedure for installing the agent plug-in. On the Configuration page, select

Remove from the Action drop-down list. Set the other options as needed 2 Review the task settings on the Summary page, then click Save to store the task. 3 Send a manual wake-up call to run the task immediately.

Send a manual wake-up call to a group of systems

Send manual wake-up calls to a System Tree group to verify that the McAfee Agent and ePolicy Orchestrator server are communicating.This is useful when you make policy changes and want agents to download the update.

25McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Using the McAfee Policy Auditor agent plug-in Display the system tray icon on Windows systems

Before you begin

Before sending the agent wake-up call to a group, make sure that wake-up support for the systems’ groups is enabled and applied on the General tab of the McAfee Agent policy pages. This is enabled by default.

Task

For option definitions, click ? in the interface. 1 In the ePolicyOrchestrator user interf ace, click Men u | Systems | System T ree, then select

the group in the System Tree. 2 Select the systems from the list, then click Actions | Wake Up Agents.The Wake Up

McAfee Agent page appears.

3 Verify that the systems appear next to Target systems. 4 Next to Wake-up call type, select whether to send an Agent Wake-Up Call or a

SuperAgent Wake-Up Call. 5 Accept the default Randomization (0 – 60 minutes) or type a different value.

NOTE:If you type 0, agents respond immediately . Consider carefully the number of systems

that are receiving the wake-up call and how much bandwidth is available. 6 By default, Get full product pr operties is selected.This causes the agent plug-in to send

complete system properties to McAfee Policy Auditor. Deselect this option if you want to

send only properties that have changed since the last agent-server communication.

7 Click OK to send the wake-up call. 8 Verify that the agent plug-in and ePolicy Orchestrator server are communicating: go to

Reporting | Audit Log and search the log for an entry Wake Up Agents | Succeeded.

Display the system tray icon on Windows systems

You can configure McAfee Policy Auditor to display a system tray icon on Windows systems. The icon cannot is not available for non-Windows systems.

The icon allows the user to see the status of audits, including whether an audit is running, scheduled, not scheduled, or disabled. It optionally displays a balloon tip to indicate that the system is being audited.

Task

For option definitions, click ? in the interface. 1 In the ePolicyOrchestrator user interface, clic k Men u | Systems | System T ree, then clic k

the Assigned Policies tab. 2 From the Product drop-down list, select Policy Auditor Agent. 3 Under the Policy column in the My Def ault ro w, click Edit Settings.The whiteout/blackout

page appears.

4 Next to General Options, select Show the Policy Auditor system tray icon (Windows

only), then click Save.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.626

Configuring agentless audits

McAfee Policy Auditor can register a McAfee Vulnerability Manager 6.8 or 7.0 (formerly Foundstone) server to conduct agentless audits.

Agentless audits allow you to audit systems that do not have the McAfee Policy Auditor agent plug-in installed.McAfee Vulner ability Manager searches for systems using a Host Name or IP range, adds them to the System Tree, and conducts agentless audits.

Installing the Foundstone ePO Data Integration (ePO 4.5 server or ePO 4.6 server) allows y ou to import McAfee Vulnerability Manager data into your ePolicy Orchestrator database and view that data in reports.

T o use the e xtension with eP olicyOrchestrator software, you must also ha ve an e xisting McAfee Vulnerability Manager installation with scanned asset data.

Contents

How McAfee Policy Auditor integrates with the McAfee Vulnerability Manager extension Configure McAfee Vulnerability Manager and the ePolicy Orchestrator extension How to handle missing audit results How to handle mismatched McAfee Vulnerability Manager certificates

How McAfeePolic y Auditor integrates with the McAfee Vulnerability Manager extension

McAfee Policy Auditor and McAfee Vulnerability Manager integrate seamlessly to gather data, share information, and perform both agent- and system-based audits.

Systems with the agent plug-in installed are referred to as managed systems. Systems without the agent plug-in are called unmanaged systems.

Uniform system management

McAfeePolicy A uditor and McAf ee V ulnerability Manager support uniform system management under ePolicy Orchestrator software.

Managed and unmanaged system are supported the same way:

• Assets from a McAfee V ulnerability Manager Discov ery Scan are matched to system already

managed by the ePolicy Orchestrator server to avoid duplication. Each system is uniquely identified. Systems with duplicate names can be added to the System T ree, b ut the y are still managed as different systems.

• A System Tree group can contain both managed and unmanaged systems.

27McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Configuring agentless audits How McAfee Policy Auditor integrates with the McAfee Vulnerability Manager extension

• When you change a system from unmanaged to managed, this distinction is reflected in

queries and page views.

• McAfee Policy Auditor supports an all agent-based System Tree, an all agentless System

Tree, and a mix of agent-based and agentless devices. A group can contain both managed and unmanaged systems.

• Communication between McAfeeP olicy Auditor and McAf ee V ulnerability Manager is through

a single channel and can pass through common firewall configurations without reconfiguration.

McAfee V ulnerability Manager extension integration with scannab le systems

The McAfee Vulnerability Manager extension can scan most operating systems supported by McAfee Policy Auditor.

McAfee Vulnerability Manager can scan these operating systems:

Windows Server 2003 Enterprise EditionWindows 2000 Server Windows 2008 ServerWindows 2000 Advanced Server Solaris 8Windows 2000 Professional Solaris 9Windows XP Professional Solaris 10Windows Server 2003 Standard Edition Red Hat Enterprise Linux 5.0, 5.1Windows Server 2003 Advanced Edition

AIX 5.3, 6.1

Asset Discovery scans

ePolicyOrchestrator software supports the manual and automatic importing of systems into the System Tree.

When McAfee Vulnerability Manager discovers new systems during a McAfee Vulnerability Manager Asset Discovery Scan, it designates them as rogue systems. Regardless of how assets are imported, users must add, or promote, them to the ePolicyOrchestrator server System Tree before they can be audited.

McAfee V ulnerability Manager can only audit systems that hav e a Foundstone ID .The association between a system and a Foundstone ID is established when a system is imported from McAfee Vulnerability Manager and added to the System Tree.

Data collection scans

The McAfee Vulnerability Manager extension uses the Data Collection Scan to audit systems and gather compliance data. For audit results to remain current, the scan must be scheduled with sufficient time to audit systems before running the the PA: Maintain Foundstone server task.

The Maintain Foundstone Audits server task

The Maintain Foundstone Audits server task is responsible for setting audit frequency requirements, synchronizing audit information, distributing audit content, and performing cleanup tasks.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.628

Configuring agentless audits Configure McAfee Vulnerability Manager and the ePolicy Orchestrator extension

The installation application automatically creates a server task named P A: Maintain F oundstone audits when you install the McAfee Vulnerability Manager extension.The task runs once per day by def ault. If you need to change the schedule, you should schedule it to run after the Data Collection Scan has had the opportunity to conduct audits so that audit results stay current.

The purpose of the PA: Maintain Foundstone audits server task is to:

• Adhere to audit frequency requirements by requesting audit results from McAfee V ulnerability

Manager for any systems whose results expire within the next 24 hours.The task does not retrieve results from McAfee Vulnerability Manager, but requests McAfee Vulnerability Manager to update and assemble audit results from data in preparation for scanning systems and returning the results to McAfee Policy Auditor.

• Synchronize information between McAfee Vulnerability Manager and McAfee Policy A uditor.

For example, if you add or delete an audit from McAfee Vulnerability Manager, the task will add or delete an audit from McAfee Policy Auditor.

• Distribute content, such as benchmarks, to the McAfee Vulnerability Manager server. If the

benchmark has been updated on the ePolicy Orchestrator server, the task will update the benchmark on the McAfee Vulnerability Manager server.

• Perform assorted cleanup tasks on the McAfee Vulnerability Manager server.

The Data Import server task

McAfee Vulnerability Manager uses the MVM Data Import server task to populate the ePolicyOrchestrator server database with system data from the McAfee Vulner ability Manager database.

The server task automatically gathers new McAfee Vulnerability Manager database asset data on a regular schedule. For audit results to remain current, the task must be scheduled to run after the PA: Maintain Audits Server task has finished running.

Server support

Before configuring McAfee Vulnerability Manager server, it is important to understand how McAfee Vulnerability Manager and ePolicy Orchestrator work together.

One McAfee Vulnerability Manager server can support multiple ePolicy Orchestrator servers running McAfee Policy Auditor. However , an ePolicy Orchestrator server running McAfee Policy Auditor can only integrate with one McAfee Vulnerability Manager server.

Configure McAfee Vulnerability Manager and the ePolicy Orchestrator extension

You can configure McAfee V ulner ability Manager and the McAfee V ulnerability Manager extension to discover systems, collect data, and synchroniz e this information with McAfee Policy Auditor.

Tasks

Create a McAfee Vulnerability Manager workgroup Configure the McAfee Vulnerability Manager single sign-on feature Create a data source to synchronize McAfee Vulnerability Manager and ePolicyOrchestrator Register a McAfee Vulnerability Manager database server with McAfee Policy Auditor

29McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6

Configuring agentless audits Configure McAfee Vulnerability Manager and the ePolicy Orchestrator extension

Manage McAfee Vulnerability Manager credential sets Create an Asset Discovery scan Create an MVM Data Import task Add systems found by McAfee Vulnerability Manager scans to the System Tree Create a Data Collection Scan View McAfee Vulnerability Manager scan status

Create a McAfee Vulnerability Manager workgroup

Create a McAfee Vulnerability Manager workgroup and administrator for your McAfee Policy Auditor administrator and users.

McAfee recommends that you give the McAfee Policy Auditor administrator only the access of a McAfee Vulnerability Manager workgroup administrator, not full access of an organization administrator.Workgroup administrators can make changes that affect their workgroup only. Organization administrators can make changes that affect the whole organization, including workgroups unrelated to the McAfee Policy Auditor group.

You must perform this task in the McAfee Vulnerability Manager Enterprise Manager.

Before you begin

Before you can create a McAfee Vulnerability Manager workgroup, you must:

• Install and set up McAfee Vulnerability Manager.

• Create an organization.

• Specify an administrator for the organization.

Task

For option definitions, click ? in the interface. 1 From McAfee Vulnerability Manager Enterprise Manager, go to Manage | Users/Groups. 2 Select the organization that you have already created. 3 Right-click the organization and select New Workgroup. 4 On the General page, type the workgroup name and description, then click Next.The IP

Pool page appears. 5 Type the IP ranges to be used in this workgroup, then click Next.The Administrator page

appears.

6 Type the information for the workgroup administrator. 7 Click Finish.

Configure the McAfee Vulnerability Manager single sign-on feature

You can enable the McAfee Vulnerability Manager single-sign-on feature in McAfee Policy Auditor.This gives McAfee Policy Auditor users access to portions of the McAfee Vulnerability Manager Enterprise Manager.

Before you begin

Using single sign-on requires that you create a McAfee Vulnerability Manager workgroup.

McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.630

+ 68 hidden pages

McAfee PASCDE-AB-IA, Policy Auditor 6.0 Product Manual

Specifications and Main Features

Frequently Asked Questions

User Manual