McAfee VSEL 1.9/2.0 Local Client Security Technical Implementation Guide

V1R3 2019-01-02       U_McAfee_VSEL_1-9_2-0_Local_Client_STIG_V1R3_Manual-xccdf.xml
V1R2 2016-03-31       U_McAfee_VSEL_1-9_2-0_Local_Client_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 39
No Change 33
Updated 6
Added 0
Removed 0
V-62791 No Change
Findings ID: DTAVSEL-000 Rule ID: SV-77281r1_rule Severity: medium CCI: CCI-001813

Discussion

The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. By restricting access to interface by implementing firewall rules, the risk of unauthorized access will be mitigated.

Checks

Verify the location of the system being reviewed. If it is on a segregated network, with no access to the Internet or to the Local Area Network, and is not managed by a McAfee ePO server, this check is Not Applicable.

If the system being reviewed has access to the Internet, is reachable from the Local Area Network and/or is managed by a McAfee ePO server, this check must be validated.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.

At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "nailsd.disableCltWebUI" nailsd.cfg".

If the response given for "nailsd.disableCltWebUI" is "false", this is a finding.

Fix

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.

At the command line, navigate to /var/opt/NAI/LinuxShield/etc.

Modify the nailsd.cfg file.
Find the line "nailsd.disableCltWebUI: false"
Change the "false" to "true".

Reload the nails processes by running the following command:
/etc/init.d/nails reload
V-63071 No Change
Findings ID: DTAVSEL-001 Rule ID: SV-77561r1_rule Severity: high CCI: CCI-001240

Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "View", select "Host Summary".
In the "Host Summary", verify the "DAT Date:" is within the last 7 days.

If the "DAT Date:" is not within the last 7 days, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, enter the command "ls -lt /opt/NAI/LinuxShield/engine/dat".

The command will return a listing of the avvclean.dat, avvnames.dat and avvscan.dat files. If their respective file dates are not within the last 7 days, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Schedule", select "Product Update".
Under "When to update", select the "Immediately" radio button, and click on "Next".
Under "Choose what to update", select "Virus definition files (also known as DAT files)", click on "Next".
Under "Enter a task name", type a unique name for this task, and click on "Finish".

Re-validate anti-virus signature file age.
To run the Update task manually without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
Add a task to /etc/crontab to run the nails updater.
At the command line, enter the command "/opt/NAI/LinuxShield/bin/nails task -l".
After the task runs, a (Completed) response will be returned.
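The DAT-age check above (DTAVSEL-001) can be scripted so the 7-day threshold is applied mechanically rather than read off an "ls -lt" listing. The following is an added example, not part of the STIG or of McAfee's own tooling: it stands up a constructed temporary directory in place of the real /opt/NAI/LinuxShield/engine/dat, with one deliberately stale file, and reports any of the three DAT files that is missing or older than 7 days.

```shell
#!/bin/sh
# Added example, not part of the STIG: check DAT signature age without the
# Web interface (DTAVSEL-001). The real DAT directory the STIG names is
# /opt/NAI/LinuxShield/engine/dat; a constructed temporary directory stands
# in for it here so the check can run anywhere.
DAT_DIR="$(mktemp -d)"
trap 'rm -rf "$DAT_DIR"' EXIT

# Constructed sample: two current DAT files and one last updated in 2016
# (touch -t sets the modification time and is POSIX-portable).
touch "$DAT_DIR/avvclean.dat" "$DAT_DIR/avvnames.dat"
touch -t 201603310000 "$DAT_DIR/avvscan.dat"

# stale_dat_files DIR -> prints each expected DAT file that is missing or
# whose modification time is more than 7 days old (the STIG's threshold).
stale_dat_files() {
    for f in avvclean.dat avvnames.dat avvscan.dat; do
        if [ ! -f "$1/$f" ]; then
            printf '%s (missing)\n' "$f"
        elif [ -n "$(find "$1/$f" -mtime +7)" ]; then
            printf '%s (older than 7 days)\n' "$f"
        fi
    done
}

# dat_age_compliant DIR -> 0 when no DAT file is stale, 1 when this is a finding
dat_age_compliant() {
    [ -z "$(stale_dat_files "$1")" ]
}

stale_dat_files "$DAT_DIR"
dat_age_compliant "$DAT_DIR" && echo "DAT age: compliant" || echo "DAT age: FINDING"
```

Point DAT_DIR at the real directory to use it on a host; a missing file is reported as well as a stale one, since either way the signatures are not current.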
V-63073 No Change
Findings ID: DTAVSEL-002 Rule ID: SV-77563r1_rule Severity: medium CCI: CCI-001240

Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

Under "View", select "Scheduled Tasks".
Under "Scheduled Tasks", under "Task Summaries", with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task.
Verify the "Type" is "Update" and the "Status" is "Completed" with Results of "Update Finished".
Under "Task Details" for the task, click on the "Modify" button.
Choose "2. Choose what to update" and verify the "Virus definition files (also known as DAT files)" is selected.

If there is not a task designated as the regularly scheduled DAT Update task, this is a finding.

If there exists a task designated as the regularly scheduled DAT Update task, but "Virus definition files (also known as DAT files)" selection under the "2. Choose what to update" section is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, enter the command "/opt/NAI/LinuxShield/bin/nails task --list".

The command will return a response similar to the following:
LinuxShield configured tasks:
1 "LinuxShield Update" (Running)

If the response does not return a configured task for "LinuxShield Update", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Schedule", select "Product Update".
Under "1. When to update", select "Daily" and choose every "1" day(s), click on "Next".
Under "2. Choose what to update", select "Virus definition files (also known as DAT files)", and click on "Next".
Under "3. Enter a task name", give the task a unique task name for the daily update, and click on "Finish".

Configure an /etc/crontab entry for the LinuxShield Update.
To run the Update task manually without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, enter the command "/opt/NAI/LinuxShield/bin/nails task -l".
After the task runs, a (Completed) response will be returned.
V-63075 No Change
Findings ID: DTAVSEL-003 Rule ID: SV-77565r1_rule Severity: high CCI: CCI-001243

Discussion

For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.

Checks

Note: McAfee VSEL On-Access scan is not compatible with NFS Version 4. On client systems with the NFS 4.0 client as default, execute the following command to use NFS version 3.0 as a workaround:
mount -t nfs -o nfsvers=3 <NFS_Path> <Mount_point>

If mounting with NFS version 3.0 is not an option, this is a finding.

Only in that case, if STIG ID DTAVSEL-100 is configured for a daily scheduled scan and DTAVSEL-101 through DTAVSEL-114 are not a finding, the severity of this check can be reduced to a CAT 2.

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Enable On-Access scanning" check box is selected.
Verify the "Quarantine directory" field is populated with "/quarantine" (or another valid location as determined by the organization).

If the check box "Enable On-Access scanning" is not selected, this is a finding.

If the "Quarantine directory" field is not populated, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "oasEnabled" nailsd.cfg"

If the response given is "nailsd.oasEnabled: false" or is "nailsd.oasEnabled: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Enable On-Access scanning" check box.
In the "Quarantine directory" field, populate with "/quarantine" (or another valid location as determined by the organization).
Click "Apply".
V-63077 No Change
Findings ID: DTAVSEL-004 Rule ID: SV-77567r1_rule Severity: medium CCI: CCI-001243

Discussion

Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned. By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected. Decompression can slow performance, however; any virus-infected file inside an archive cannot become active until it has been extracted. Recognizing the slow performance potential

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Decompress archives" check box is selected.

If the check box "Decompress archives" is not selected, this is a finding.

If the check box for "Decompress archives" is not selected but the On-Demand scan is configured to decompress archives in the regularly scheduled scan, as specified in STIG ID DTAVSEL-101, this is still a finding, but its severity can be dropped to a CAT 3.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "decompArchive" nailsd.cfg"

If the response given includes "nailsd.profile.OAS.decompArchive: false" or includes "nailsd.profile.OAS.decompArchive: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Decompress archives" check box.
Click "Apply".
V-63079 No Change
Findings ID: DTAVSEL-005 Rule ID: SV-77569r1_rule Severity: medium CCI: CCI-001243

Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Find unknown program viruses" check box is selected.

If the check box "Find unknown program viruses" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "heuristicAnalysis" nailsd.cfg"

If the response given is "nailsd.profile.OAS.heuristicAnalysis: false" or is "nailsd.profile.OAS.heuristicAnalysis: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Find unknown program viruses" check box.

Click "Apply".
V-63081 No Change
Findings ID: DTAVSEL-006 Rule ID: SV-77571r1_rule Severity: medium CCI: CCI-001243

Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Find unknown macro viruses" check box is selected.

If the check box "Find unknown macro viruses" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "macroAnalysis" nailsd.cfg"
If the response given is "nailsd.profile.OAS.macroAnalysis: false" or is "nailsd.profile.OAS.macroAnalysis: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Find unknown macro viruses" check box.

Click "Apply".
V-63083 No Change
Findings ID: DTAVSEL-007 Rule ID: SV-77573r1_rule Severity: medium CCI: CCI-001243

Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Find potentially unwanted programs" check box is selected.

If the check box "Find potentially unwanted programs" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "OAS.program" nailsd.cfg"

If the response given is "nailsd.profile.OAS.program: false" or is "nailsd.profile.OAS.program: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Find potentially unwanted programs" check box.

Click "Apply".
V-63085 No Change
Findings ID: DTAVSEL-008 Rule ID: SV-77575r1_rule Severity: medium CCI: CCI-001243

Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Scan files when writing to disk" check box is selected.

If the check box "Scan files when writing to disk" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "scanOnWrite" nailsd.cfg"

If the response given is "nailsd.profile.OAS.scanOnWrite: false" or is "nailsd.profile.OAS.scanOnWrite: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Scan files when writing to disk" check box.

Click "Apply".
V-63087 No Change
Findings ID: DTAVSEL-009 Rule ID: SV-77577r1_rule Severity: medium CCI: CCI-001243

Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Scan files when reading from disk" check box is selected.

If the check box "Scan files when reading from disk" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "scanOnRead" nailsd.cfg"

If the response given is "nailsd.profile.OAS.scanOnRead: false" or is "nailsd.profile.OAS.scanOnRead: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the "Scan files when reading from disk" check box.

Click "Apply".
V-63089 No Change
Findings ID: DTAVSEL-010 Rule ID: SV-77579r1_rule Severity: medium CCI: CCI-001243

Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Extension Base Scanning", verify the "Scan all files" radio button is selected.

If the radio button "Scan all files" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "allFiles" nailsd.cfg"

If the response given is "nailsd.profile.OAS.allFiles: false" or is "nailsd.profile.OAS.allFiles: true" with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Select the "Edit" button.
Under "Extension Base Scanning", select the "Scan all files" radio button.

Click "Apply".
V-63091 No Change
Findings ID: DTAVSEL-011 Rule ID: SV-77581r1_rule Severity: medium CCI: CCI-001243

Discussion

When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner.

Although the description of this requirement indicates a "maximum scan time", the intent of this requirement is to explicitly set a maximum scan time without impacting the effectiveness of the scan. Left unconfigured, the scan could run indefinitely on one file. If configured with a value of less than 45 seconds, the scanning of some files will be skipped. If configured with 45 or more seconds, the success rate of files being completely scanned is higher.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify the "Maximum scan time (seconds)" is configured with at least "45" seconds.

If the "Maximum scan time (seconds)" is not configured with at least "45" seconds, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "scanMaxTmo" nailsd.cfg"

If the response given for "nailsd.profile.OAS_default.scanMaxTmo" is "44" or less, or if the response given for "nailsd.profile.OAS.scanMaxTmo" is "45" or more but with a preceding #, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", configure the "Maximum scan time (seconds)" with at least "45" seconds.

Click "Apply".
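The command-line checks for DTAVSEL-000 and DTAVSEL-003 through DTAVSEL-011 all follow one pattern: grep a key out of nailsd.cfg, treat a missing or commented-out line the same as the wrong value, and (for DTAVSEL-011) compare a number against the 45-second floor. The following is an added example, not part of the STIG or of McAfee's product: one audit script that applies all of those checks in a single pass. The real file is /var/opt/NAI/LinuxShield/etc/nailsd.cfg; the sample configuration below is constructed, with four deliberate findings, so the script runs anywhere. It assumes the "key: value" line format the STIG's own grep output shows.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit the nailsd.cfg settings read by
# DTAVSEL-000 and DTAVSEL-003 through DTAVSEL-011. The real file is
# /var/opt/NAI/LinuxShield/etc/nailsd.cfg; this sample is constructed and
# contains deliberate findings (Web UI enabled, decompArchive commented out,
# scanOnRead off, scan timeout below 45 seconds).
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
nailsd.disableCltWebUI: false
nailsd.oasEnabled: true
# nailsd.profile.OAS.decompArchive: true
nailsd.profile.OAS.heuristicAnalysis: true
nailsd.profile.OAS.macroAnalysis: true
nailsd.profile.OAS.program: true
nailsd.profile.OAS.scanOnWrite: true
nailsd.profile.OAS.scanOnRead: false
nailsd.profile.OAS.allFiles: true
nailsd.profile.OAS_default.scanMaxTmo: 30
EOF

# cfg_value FILE KEY -> the value of an active "KEY: value" line, or nothing
# when the key is absent or only present commented out with a leading #
# (the STIG treats a commented-out "true" as a finding, so both cases fail).
cfg_value() {
    key_re="$(printf '%s' "$2" | sed 's/\./\\./g')"
    grep -E "^[[:space:]]*${key_re}:" "$1" | head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//'
}

# check_bool FILE KEY EXPECTED -> 0 when the active value equals EXPECTED
check_bool() {
    [ "$(cfg_value "$1" "$2")" = "$3" ]
}

# check_min FILE KEY MIN -> 0 when the active value is an integer >= MIN
check_min() {
    v="$(cfg_value "$1" "$2")"
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge "$3" ]
}

# audit FILE -> one PASS/FINDING line per STIG check; returns the finding count
audit() {
    cfg="$1"; findings=0
    while read -r id key want; do
        case "$want" in
            min:*) check_min "$cfg" "$key" "${want#min:}" ;;
            *)     check_bool "$cfg" "$key" "$want" ;;
        esac && result=PASS || { result=FINDING; findings=$((findings + 1)); }
        printf '%-12s %-44s %s\n' "$id" "$key" "$result"
    done <<'EOF'
DTAVSEL-000 nailsd.disableCltWebUI true
DTAVSEL-003 nailsd.oasEnabled true
DTAVSEL-004 nailsd.profile.OAS.decompArchive true
DTAVSEL-005 nailsd.profile.OAS.heuristicAnalysis true
DTAVSEL-006 nailsd.profile.OAS.macroAnalysis true
DTAVSEL-007 nailsd.profile.OAS.program true
DTAVSEL-008 nailsd.profile.OAS.scanOnWrite true
DTAVSEL-009 nailsd.profile.OAS.scanOnRead true
DTAVSEL-010 nailsd.profile.OAS.allFiles true
DTAVSEL-011 nailsd.profile.OAS_default.scanMaxTmo min:45
EOF
    return "$findings"
}

audit "$SAMPLE_CFG"
rc=$?
printf 'findings: %d\n' "$rc"
```

The regex in cfg_value is anchored at the start of the line, so a key only present behind a "#" yields an empty value and fails the comparison exactly as the STIG requires; the anchoring also keeps "nailsd.profile.OAS.scanMaxTmo" from matching the "OAS_default" variant, which is why the audit table names the key it expects rather than grepping a substring.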
V-63093 No Change
Findings ID: DTAVSEL-012 Rule ID: SV-77583r1_rule Severity: medium CCI: CCI-001243

Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".

Under "Paths Excluded From Scanning", verify no entries exist other than the following:
/var/log
/_admin/Manage_NSS
/mnt/system/log
/media/nss/.*/(\._NETWARE|\._ADMIN)
/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
/cgroup
/dev
/proc
/selinux
/sys

If any entries other than the above referenced paths are present in the "Paths Excluded From Scanning" field, verify that the exclusion of those files and paths has been formally documented by the System Administrator and approved by the ISSO/ISSM.

If they have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

If they have not been formally documented by the System Administrator and approved by the ISSO/ISSM but are validated as being scanned within the regularly scheduled scan, this is a finding but can be dropped to a CAT 3.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "exclude-path" nailsd.cfg -A 5"

If the response given is "nailsd.profile.OAS.filter.varlog.type: exclude-path" and "nailsd.profile.OAS.filter.varlog.path:" includes anything other than the above paths, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Click "Edit".
Under "Paths Excluded From Scanning", remove all entries other than the default "/var/log".

Click "Apply".
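The exclusion check for DTAVSEL-012 compares whatever "exclude-path" filters exist in nailsd.cfg against the STIG's permitted list, and anything outside that list needs SA documentation and ISSO/ISSM approval. The following is an added example, not part of the STIG or of McAfee's product, that does that comparison. It assumes every exclusion is a pair of lines, "nailsd.profile.OAS.filter.<name>.type: exclude-path" and "nailsd.profile.OAS.filter.<name>.path: <entry>", generalising from the "varlog" pair the STIG shows; the "proc" and "home" filter names in the constructed sample are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the STIG: list On-Access exclusion paths in
# nailsd.cfg that are not on the DTAVSEL-012 permitted list. Assumed format
# (generalised from the "varlog" pair the STIG shows):
#   nailsd.profile.OAS.filter.<name>.type: exclude-path
#   nailsd.profile.OAS.filter.<name>.path: <path or regex>
# The real file is /var/opt/NAI/LinuxShield/etc/nailsd.cfg; this sample is
# constructed, and the "proc" and "home" filter names are assumptions.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
nailsd.profile.OAS.filter.varlog.type: exclude-path
nailsd.profile.OAS.filter.varlog.path: /var/log
nailsd.profile.OAS.filter.proc.type: exclude-path
nailsd.profile.OAS.filter.proc.path: /proc
nailsd.profile.OAS.filter.home.type: exclude-path
nailsd.profile.OAS.filter.home.path: /home/app/cache
EOF

# The entries the STIG permits without further documentation, verbatim.
ALLOWED='/var/log
/_admin/Manage_NSS
/mnt/system/log
/media/nss/.*/(\._NETWARE|\._ADMIN)
/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
/cgroup
/dev
/proc
/selinux
/sys'

# exclusion_paths FILE -> the path of every filter whose type is exclude-path
exclusion_paths() {
    grep -E '^[[:space:]]*nailsd\.profile\.OAS\.filter\.[^.]+\.type:[[:space:]]*exclude-path' "$1" \
      | sed -E 's/^[[:space:]]*nailsd\.profile\.OAS\.filter\.([^.]+)\.type:.*/\1/' \
      | while read -r name; do
            grep -E "^[[:space:]]*nailsd\.profile\.OAS\.filter\.${name}\.path:" "$1" \
              | sed -E 's/^[^:]*:[[:space:]]*//'
        done
}

# undocumented_exclusions FILE -> exclusion paths not on the permitted list,
# one per line; each needs SA documentation and ISSO/ISSM approval, otherwise
# it is a finding. The comparison is an exact, whole-line, fixed-string match
# so the regex-looking entries in ALLOWED are compared literally.
undocumented_exclusions() {
    exclusion_paths "$1" | while read -r p; do
        printf '%s\n' "$ALLOWED" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

echo "configured exclusions:"; exclusion_paths "$SAMPLE_CFG"
echo "exclusions needing documentation and approval:"; undocumented_exclusions "$SAMPLE_CFG"
```

With the constructed sample, only "/home/app/cache" is reported; "/var/log" and "/proc" are on the permitted list and pass without review.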
V-63095 Updated
Findings ID: DTAVSEL-013 Rule ID: SV-77585r12_rule Severity: medium CCI: CCI-001243

Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for viruses and Trojans".

If "Clean" is not selected from the first drop-down list for "Actions for viruses and Trojans", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ScanAction" nailsd.cfg -A 5" or "grep "nailsd.profile.OAS.action.App.primary" nailsd.cfg".

If the response given for "nailsd.profile.OAS.action.App.primary" is not "Clean", this is a finding.


Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for viruses and Trojans".

Click "Apply".
V-63097 Updated
Findings ID: DTAVSEL-014 Rule ID: SV-77587r12_rule Severity: medium CCI: CCI-001243

Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify "Quarantine" is selected from the second drop-down list for "Actions for viruses and Trojans".

If "Quarantine" is not selected from the second drop-down list for "Actions for viruses and Trojans", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ScanAction" nailsd.cfg -A 5" or "grep "nailsd.profile.OAS.action.App.secondary" nailsd.cfg".

If the response given for "nailsd.profile.OAS.action.App.secondary" is not "Quarantine", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", select "Quarantine" from the second drop-down list for "Actions for viruses and Trojans" if first action fails.

Click "Apply".
V-63099 Updated
Findings ID: DTAVSEL-015 Rule ID: SV-77589r12_rule Severity: medium CCI: CCI-001243

Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for Programs and Jokes".

If "Clean" is not selected from the first drop-down list for "Actions for Programs and Jokes", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ScanAction" nailsd.cfg -A 5" or "grep "nailsd.profile.OAS.action.Default.primary" nailsd.cfg".

If the response given for "nailsd.profile.OAS.action.Default.primary" is not "Clean", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for Programs and Jokes".

Click "Apply".
V-63101 Updated
Findings ID: DTAVSEL-016 Rule ID: SV-77591r12_rule Severity: medium CCI: CCI-001243

Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify "Quarantine" is selected from the second drop-down list for "Actions for Programs and Jokes".

If "Quarantine" is not selected from the second drop-down list for "Actions for Programs and Jokes", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ScanAction" nailsd.cfg -A 5" or "grep "nailsd.profile.OAS.action.Default.secondary" nailsd.cfg".

If the response given for "nailsd.profile.OAS.action.Default.secondary" is not "Quarantine", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", select "Quarantine" from the second drop-down list for "Actions for Programs and Jokes" if the first action fails.

Click "Apply".
V-63103 Updated
Findings ID: DTAVSEL-017 Rule ID: SV-77593r12_rule Severity: medium CCI: CCI-001243

Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify the "Block" radio button is selected for "Action if an error occurs during scanning".

If the "Block" radio button is not selected for "Action if an error occurs during scanning", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ScanAction" nailsd.cfg -A 5" or "grep "nailsd.profile.OAS.action.error" nailsd.cfg".

If the response given for "nailsd.profile.OAS.action.error" is not "Block", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", select the "Block" radio button for "Action if an error occurs during scanning".

Click "Apply".
V-63105 Updated
Findings ID: DTAVSEL-018 Rule ID: SV-77595r12_rule Severity: medium CCI: CCI-001243

Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify the "Allow access" radio button is selected for "Action on timeout".

If the "Allow access" radio button is not selected for "Action on timeout", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ScanAction" nailsd.cfg -A 5" or "grep "nailsd.profile.OAS.action.timeout" nailsd.cfg".

If the response given for "nailsd.profile.OAS.action.timeout" is not "Pass", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", select the "Allow access" radio button for "Action on timeout".

Click "Apply".
V-63107 No Change
Findings ID: DTAVSEL-019 Rule ID: SV-77597r1_rule Severity: medium CCI: CCI-001242

Discussion

Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.

Checks

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed.

If network mounted volumes are mounted, verify whether anti-virus protection is locally installed on, and configured to protect, the network servers to which the mounted volumes connect.

If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable.

If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable.

If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated.

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", verify check box for "Scan files on network mounted volumes" is selected.

If the check box for "Scan files on network mounted volumes" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "nailsd.profile.OAS.scanNWFiles:" nailsd.cfg"

If the response given for "nailsd.profile.OAS.scanNWFiles" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Scanning Options", select the check box for "Scan files on network mounted volumes".

Click "Apply".
V-63109 No Change
Findings ID: DTAVSEL-100 Rule ID: SV-77599r1_rule Severity: medium CCI: CCI-001241

Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task and review the details under "Task Details for".

If "Next run" does not specify "every 1 week", or more frequently, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "/opt/NAI/LinuxShield/bin/nails task --list".

If the return does not show a task for the LinuxShield On-Demand Scan, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Schedule", select "On-Demand Scan".
Under "1. When to Scan", select Weekly, Daily or Hourly, indicate the day and/or time at which the scan is to run regularly, and click "Next".
Under "2. What to Scan", enter "/", click "Add".
Click "Next".
Under "3. Choose Scan Settings", select required settings as specified in remaining On-Demand scan requirements, and click "Next".
Under "4. Enter a task name", type a unique name for the task to reflect its frequency, and click "Finish".
V-63111 No Change
Findings ID: DTAVSEL-101 Rule ID: SV-77601r1_rule Severity: medium CCI: CCI-001241

Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Decompress archives" check box has been selected.

If the "Decompress archives" check box has not been selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.decompArchive" ods.cfg"

If the response given for "nailsd.profile.ODS.decompArchive" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Decompress archives" check box, click "Next", and then click "Finish".
V-63113 No Change
Findings ID: DTAVSEL-102 Rule ID: SV-77603r1_rule Severity: medium CCI: CCI-001241

Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Perform heuristic virus analysis" check box has been selected.

If the "Perform heuristic virus analysis" check box has not been selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.heuristicAnalysis" ods.cfg"

If the response given for "nailsd.profile.ODS.heuristicAnalysis" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Perform heuristic virus analysis" check box, click "Next", and then click "Finish".
V-63115 No Change
Findings ID: DTAVSEL-103 Rule ID: SV-77605r1_rule Severity: medium CCI: CCI-001241

Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Perform macro analysis" check box has been selected.

If the "Perform macro analysis" check box has not been selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.macroAnalysis" ods.cfg"

If the response given for "nailsd.profile.ODS.macroAnalysis" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Perform macro analysis" check box, click "Next", and then click "Finish".
V-63117 No Change
Findings ID: DTAVSEL-104 Rule ID: SV-77607r1_rule Severity: medium CCI: CCI-001241

Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Find potentially unwanted programs" check box has been selected.

If the "Find potentially unwanted programs" check box has not been selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.program" ods.cfg"

If the response given for "nailsd.profile.ODS.program" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Find potentially unwanted programs" check box, click "Next", and then click "Finish".
V-63119 No Change
Findings ID: DTAVSEL-105 Rule ID: SV-77609r1_rule Severity: medium CCI: CCI-001241

Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Extension Based Scanning", verify the "Scan all files" check box is selected.

If the "Scan all files" check box is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.allFiles" ods.cfg"

If the response given for "nailsd.profile.ODS.allFiles" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Extension Based Scanning", select the "Scan all files" check box, click "Next", and then click "Finish".
V-63121 No Change
Findings ID: DTAVSEL-106 Rule ID: SV-77611r1_rule Severity: medium CCI: CCI-001241

Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Clean" is selected in the first dropdown list for "Actions for Viruses and Trojans".

If "Clean" is not selected in the first dropdown list for "Actions for Viruses and Trojans", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.action.App.primary" ods.cfg"

If the response given for "nailsd.profile.ODS.action.App.primary" is not "Clean", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", select "Clean" from the first dropdown list for "Actions for Viruses and Trojans", click "Next", and then click "Finish".
V-63123 No Change
Findings ID: DTAVSEL-107 Rule ID: SV-77613r1_rule Severity: medium CCI: CCI-001241

Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Quarantine" is selected in the second dropdown list for "Actions for Viruses and Trojans" (the action taken if the first action fails).

If "Quarantine" is not selected in the second dropdown list for "Actions for Viruses and Trojans" (the action taken if the first action fails), this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.action.App.secondary" ods.cfg"

If the response given for "nailsd.profile.ODS.action.App.secondary" is not "Quarantine", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", select "Quarantine" from the second dropdown list for "Actions for Viruses and Trojans" (the action taken if the first action fails), click "Next", and then click "Finish".
V-63125 No Change
Findings ID: DTAVSEL-108 Rule ID: SV-77615r1_rule Severity: medium CCI: CCI-001241

Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Paths Excluded From Scanning".

If any paths other than the following paths are excluded, and the exclusions have not been documented and approved by the ISSO/ISSM/AO, this is a finding.

/var/log
/_admin/Manage_NSS
/mnt/system/log
/media/nss/.*/(\._NETWARE|\._ADMIN)
/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
/cgroup
/dev
/proc
/selinux
/sys

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Paths Excluded From Scanning", remove all unauthorized excluded paths, click "Next", and then click "Finish".
V-63127 No Change
Findings ID: DTAVSEL-110 Rule ID: SV-77617r1_rule Severity: medium CCI: CCI-001241

Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Clean" is selected in the first dropdown list for "Actions for Programs and Jokes".

If "Clean" is not selected in the first dropdown list for "Actions for Programs and Jokes", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.action.Default.primary" ods.cfg"

If the response given for "ODS.action.Default.primary" is not "Clean", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", select "Clean" from the first dropdown list for "Actions for Programs and Jokes", click "Next", and then click "Finish".
V-63129 No Change
Findings ID: DTAVSEL-111 Rule ID: SV-77619r1_rule Severity: medium CCI: CCI-001241

Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Quarantine" is selected in the second dropdown list for "Actions for Programs and Jokes" (the action taken if the first action fails).

If "Quarantine" is not selected in the second dropdown list for "Actions for Programs and Jokes" (the action taken if the first action fails), this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "ODS.action.Default.secondary" ods.cfg"

If the response given for "ODS.action.Default.secondary" is not "Quarantine", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Actions", select "Quarantine" from the second dropdown list "Actions for Programs and Jokes" if first action fails, click "Next", and then click "Finish".
V-63131 No Change
Findings ID: DTAVSEL-112 Rule ID: SV-77621r1_rule Severity: medium CCI: CCI-001241

Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Decode MIME encoded files" check box has been selected.

If the "Decode MIME encoded files" check box has not been selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "nailsd.profile.ODS.mime" ods.cfg"

If the response given for "nailsd.profile.ODS.mime" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", click "Next".
Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Decode MIME encoded files" check box, click "Next", and then click "Finish".
V-63133 No Change
Findings ID: DTAVSEL-113 Rule ID: SV-77623r1_rule Severity: medium CCI: CCI-001241

Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", "Path", verify all mounted volumes or "\" is specified and the "Scan Sub-Directories" check box is selected.

If all mounted volumes or "\" is not specified under "Path" or the "Scan Sub-Directories" check box is not selected for every "Path" specified, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "nailsd.profile.ODS.scanNWFiles" ods.cfg"

If the response given for "nailsd.profile.ODS.scanNWFiles" is not "true", this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Under "2. What to Scan", "Path", enter all mounted volumes or "\" and select the "Scan Sub-Directories" check box, click "Next", and then click "Finish".
V-63135 No Change
Findings ID: DTAVSEL-114 Rule ID: SV-77625r1_rule Severity: medium CCI: CCI-001242

Discussion

Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.

Checks

With the System Administrator's assistance, determine the network mounted volumes on the Linux system being reviewed. If any are mounted, verify whether anti-virus protection is locally installed and configured to protect the network servers to which the mounted volumes connect.

If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable.

If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable.

If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated.

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Select "2. What to Scan".
Verify all otherwise unprotected network servers to which this Linux system has mounted volumes have been included.

If all otherwise unprotected network servers to which this Linux system has mounted volumes have not been included, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "nailsd.profile.ODS.scanNWFiles" ods.cfg"

If the response given for "nailsd.profile.ODS.scanNWFiles" is not "true", this is a finding.
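The command-line checks for V-63129, V-63131, V-63133 and V-63135 all reduce to reading one key out of ods.cfg and comparing it with a required value. The script below is an added example, not part of the STIG and not McAfee's own tooling: it reads those keys without the Web interface and prints a PASS or FINDING verdict for each. It assumes (the STIG does not say) that ods.cfg stores one "key: value" entry per line ("key=value" is accepted too); `CFGDIR` defaults to the RUNTIMEDIR path the checks cite, and `--demo` runs the checks against a constructed sample file instead.

```shell
#!/bin/sh
# Added example, not part of the STIG or of McAfee's own tooling: read the
# on-demand scan (ODS) settings that the V-63129, V-63131, V-63133 and
# V-63135 command-line checks grep for, and report each one as PASS or FINDING.
# Assumption (not stated in the STIG): ods.cfg holds one "key: value" entry
# per line; "key=value" is accepted as well. CFGDIR defaults to the RUNTIMEDIR
# path the STIG cites and can be pointed at another directory for testing.

CFGDIR="${CFGDIR:-/var/opt/NAI/LinuxShield/etc}"

# vsel_get KEY FILE -> print the value stored under KEY in FILE (first match
# only); prints nothing and returns 1 when the file or key is absent.
vsel_get() {
    key="$1"; file="$2"
    [ -r "$file" ] || return 1
    awk -v k="$key" '
        {
            # split on the first ":" or "=", whichever comes first
            n = index($0, ":"); m = index($0, "=")
            if (n == 0 || (m > 0 && m < n)) n = m
            if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# vsel_check KEY EXPECTED FILE -> compare the stored value with EXPECTED and
# print a one-line verdict; returns 0 on PASS, 1 on FINDING.
vsel_check() {
    key="$1"; expected="$2"; file="$3"
    actual="$(vsel_get "$key" "$CFGDIR/$file")" || actual="<missing>"
    if [ "$actual" = "$expected" ]; then
        printf 'PASS    %-32s = %s (%s)\n' "$key" "$actual" "$file"
        return 0
    fi
    printf 'FINDING %-32s = %s, expected %s (%s)\n' "$key" "$actual" "$expected" "$file"
    return 1
}

# vsel_audit -> run the ods.cfg checks from this section; returns 1 if any failed.
vsel_audit() {
    rc=0
    vsel_check ODS.action.Default.secondary   Quarantine ods.cfg || rc=1  # V-63129
    vsel_check nailsd.profile.ODS.mime        true       ods.cfg || rc=1  # V-63131
    vsel_check nailsd.profile.ODS.scanNWFiles true       ods.cfg || rc=1  # V-63133, V-63135
    return $rc
}

# vsel_make_sample DIR -> write a constructed ods.cfg (not a real McAfee file)
# with one deliberately non-compliant value so both verdicts are exercised.
vsel_make_sample() {
    cat > "$1/ods.cfg" <<'EOF'
# constructed sample; "key: value" format is an assumption
ODS.action.Default.primary: Clean
ODS.action.Default.secondary: Quarantine
nailsd.profile.ODS.mime: false
nailsd.profile.ODS.scanNWFiles: true
EOF
}

# Run with --demo to exercise the constructed sample; otherwise audit $CFGDIR.
if [ "${1:-}" = "--demo" ]; then
    demo_dir="$(mktemp -d)"; vsel_make_sample "$demo_dir"; CFGDIR="$demo_dir"
fi
if vsel_audit; then echo "no findings"; else echo "findings present"; fi
[ -n "${demo_dir:-}" ] && rm -rf "$demo_dir"
```

On a host, run it as a user that can read the etc directory; a non-zero exit means at least one key differs from what the checks require, and a `<missing>` value means the key was not found at all, which still needs a reviewer's attention rather than being treated as compliant.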

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Select "2. What to Scan".
Under "Path", add each otherwise unprotected network server to which this Linux system has mounted volumes, and click "Add".
Once all mounted volumes have been added, click "Next", and then click "Finish".
V-63137 No Change
Findings ID: DTAVSEL-200 Rule ID: SV-77627r1_rule Severity: medium CCI: CCI-000870

Discussion

Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.

Checks

Consult with the System Administrator of the Linux system being reviewed.

Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used.

If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, this is a finding.

Fix

Create procedures, or add to existing system administration procedures, which require the scanning of all media used for system maintenance before media is used.
V-63139 No Change
Findings ID: DTAVSEL-201 Rule ID: SV-77629r1_rule Severity: medium CCI: CCI-001749

Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.

While obtaining updates, patches, and service packs directly from the vendor is timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.

Checks

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "Repositories".
Under "Repository List", verify all repositories listed point to a local or DoD-managed repository.

If any repository listed does not point to a local or DoD-managed repository, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "Repositories".

Under "Repository List", configure all repositories to point to a local or DoD-managed repository, and click "Apply".
V-63141 No Change
Findings ID: DTAVSEL-202 Rule ID: SV-77631r1_rule Severity: medium CCI: CCI-002235

Discussion

The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account only has access to the functions required for its intended role will mitigate the possibility of the nails user or nailsgroup group being used to cause malicious damage to the system in the event of a compromise.

Checks

Access the Linux system console command line as root.
Execute the following commands. They redirect their results to text files for easier review.

find / -group nailsgroup >nailsgroup.txt
find / -user nails >nails.txt

Execute the following commands to individually review each of the text files of results, pressing space bar to move to each page until the end of the exported text.

more nailsgroup.txt
more nails.txt

When reviewing the results, verify the nailsgroup group and nails user only own the following paths. The following paths assume an INSTALLDIR of /opt/NAI/LinuxShield and a RUNTIMEDIR of /var/opt/NAI/LinuxShield. If alternative folders were used, replace the following paths accordingly when validating.

/var/opt/NAI and sub-folders
/opt/NAI and sub-folders
/McAfee/lib
/var/spool/mail/nails
/proc/##### (where ##### represents the various process IDs for the VSEL processes.)

If any other folder is owned by either the nailsgroup group or the nails user, this is a finding.
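Reviewing the two result files by hand with "more" is error-prone on a large filesystem. The script below is an added example, not from the STIG: it filters the paths produced by the check's two "find" commands against the locations the check permits, so only unexpected nails or nailsgroup ownership is printed. It assumes the default INSTALLDIR and RUNTIMEDIR given above (set `VSEL_ALLOWED` if the product was installed elsewhere) and skips /proc entries, which the check expects for the VSEL processes; the result file in the demo is constructed, not real find output.

```shell
#!/bin/sh
# Added example, not from the STIG: filter the output of the two "find"
# commands in the V-63141 check against the paths the check permits, so only
# unexpected nails/nailsgroup ownership is listed. Assumptions: the default
# INSTALLDIR and RUNTIMEDIR from the check; /proc entries are skipped because
# the VSEL process entries there are expected. Adjust VSEL_ALLOWED if the
# product was installed elsewhere.

VSEL_ALLOWED="${VSEL_ALLOWED:-/var/opt/NAI /opt/NAI /McAfee/lib /var/spool/mail/nails}"

# vsel_allowed PATH -> 0 if PATH is an allowed location or lies beneath one
vsel_allowed() {
    for a in $VSEL_ALLOWED; do
        case "$1" in "$a"|"$a"/*) return 0 ;; esac
    done
    return 1
}

# vsel_unexpected_owned FILE -> read paths one per line (as written by the
# check's "find / -user nails >nails.txt" and "find / -group nailsgroup
# >nailsgroup.txt"), print every path outside the allowed set, and return 1
# if any was printed.
vsel_unexpected_owned() {
    count=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case "$p" in /proc/*) continue ;; esac   # expected: VSEL process entries
        if ! vsel_allowed "$p"; then
            printf '%s\n' "$p"
            count=$((count + 1))
        fi
    done < "$1"
    [ "$count" -eq 0 ]
}

# vsel_collect_owned OUT -> run the check's find against the live system (as
# root), writing both result sets into OUT; errors for unreadable paths are
# discarded and /proc is pruned up front.
vsel_collect_owned() {
    find / -path /proc -prune -o \( -user nails -o -group nailsgroup \) -print 2>/dev/null > "$1"
}

# Stand-alone demo on a constructed result file (not real find output); on a
# host, replace it with: vsel_collect_owned owned.txt; vsel_unexpected_owned owned.txt
demo="$(mktemp)"
printf '%s\n' /opt/NAI/LinuxShield/bin/nails /var/opt/NAI/LinuxShield/etc/ods.cfg \
    /proc/4242 /var/spool/mail/nails /home/shared/dropbox /McAfee/lib/libexample.so > "$demo"
if vsel_unexpected_owned "$demo"; then
    echo "only expected paths are owned by nails/nailsgroup"
else
    echo "review the paths above (finding)"
fi
rm -f "$demo"
```

Anything the filter prints is a candidate for the chown/chmod remediation in the Fix; confirm with the System Administrator before changing ownership, since a path outside the defaults may be a deliberate non-default INSTALLDIR rather than a misconfiguration.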

Fix

Access the Linux system console command line as root.
Navigate to each path to which the nails user or nailsgroup group has unnecessary permissions/ownership.

Using the chmod command, reduce or remove permissions for the nails user.

Using the chown command, remove ownership by the nails user or nailsgroup group.
V-63143 No Change
Findings ID: DTAVSEL-205 Rule ID: SV-77633r2_rule Severity: medium CCI: CCI-001240

Discussion

Failure of anti-virus signature updates will eventually render the software useless in protecting the Linux system from malware. Administrator notification of failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated.

Checks

The preferred method for notification is via SMTP alerts.

Consult with the System Administrator to determine whether SMTP alerts are configured or whether some other notification mechanism (i.e., regular manual review of reports) is used.

If SMTP alerts are not configured, some other notification mechanism must be configured.

For SMTP alert configuration in VSEL WEB Monitor:

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "Configure", "Notifications".
Review the configured Notifications.
Verify the check box for "Item Detected" is selected. Verify check boxes for "Viruses", "Trojans", "Programs", "Jokes" and "Include alerts for on-demand tasks" are selected.
Verify the check box for "Out of date" is selected and "Alert for DAT files which are # days old" is configured to "7" or less.
Verify the check box for "Configuration changes" is selected.
Verify the check box for "System events" is selected. Verify check box for "Type" is selected and "Error" is selected from drop-down list.
Verify check box for "Code" is selected and "3000-3999" is entered in Code field.
Verify SMTP Settings are configured with valid email address(es) for System Administrators.
For SMTP alert configuration without the Web interface:

Access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "notifications.virusDetected.active" nailsd.cfg"

If SMTP alert settings are not configured to send notifications to System Administrators, or some other mechanism is not used to provide this notification to System Administrators, this is a finding.

Fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", "Notifications", select the check box for "Item Detected".
Select check boxes for "Viruses", "Trojans", "Programs", "Jokes" and "Include alerts for on-demand tasks".
Select the check box for "Out of date" and configure "Alert for DAT files which are # days old" to "7" or less.
Select the check box for "Configuration changes".
Select the check box for "System events". Select check box for "Type" and select "Error" from drop-down list.
Select the check box for "Code" and enter "3000-3999" in the Code field.
Configure the SMTP Settings with valid email address(es) for System Administrators.
V-63145 No Change
Findings ID: DTAVSEL-301 Rule ID: SV-77635r1_rule Severity: medium CCI: CCI-001813

Discussion

The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. By restricting access to the interface by implementing firewall rules, the risk of unauthorized access will be mitigated.

Checks

With the System Administrator's assistance, review the host-based firewall for rules to the McAfee VSEL Web UI's TCP/IP port.

If the host-based firewall does not have rules to restrict access to the McAfee VSEL Web UI, limiting access to specific IP addresses of System Administrators only, determine if the network-based firewall provides for that restriction.

If neither a host-based firewall nor a network-based firewall restricts access to the McAfee VSEL Web UI, this is a finding.

Fix

Configure a host-based firewall or network-based firewall with rules to restrict access to the McAfee VSEL Web UI, limiting access to specific IP addresses of System Administrators only.
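One way to satisfy and then verify this requirement on a host that uses nftables, as an added example that is not part of the STIG: a function that emits a ruleset allowing the Web UI port only from a list of administrator addresses and dropping all other connections to it, and a check that inspects a ruleset dump for exactly that shape. The STIG names no port number; the example assumes TCP 55443, the port VSEL's Web UI normally uses, and lets `VSEL_WEBUI_PORT` override it. It handles IPv4 rules written one per line, as "nft list ruleset" prints them, and does not parse port sets such as "dport { 80, 55443 }"; hosts using iptables or firewalld need the equivalent rules in those tools, and the table and set names are the example's own.

```shell
#!/bin/sh
# Added example, not from the STIG: build an nftables ruleset that limits the
# VSEL Web UI to administrator addresses (the restriction V-63145 calls for),
# and a check that a ruleset dump actually restricts that port.
# Assumptions: the Web UI listens on TCP 55443 (VSEL's usual default, not
# stated in the STIG; override VSEL_WEBUI_PORT if different); IPv4 only;
# rules written one per line as "nft list ruleset" prints them; the table
# and set names are placeholders chosen for this example.

VSEL_WEBUI_PORT="${VSEL_WEBUI_PORT:-55443}"

# vsel_webui_ruleset PORT ADDR... -> print an nft ruleset allowing PORT only
# from the listed addresses/CIDRs and dropping everything else sent to it.
vsel_webui_ruleset() {
    port="$1"; shift
    elems=""
    for a in "$@"; do elems="${elems:+$elems, }$a"; done
    cat <<EOF
table inet vsel_webui {
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority -10; policy accept;
        tcp dport $port ip saddr @admin_hosts accept
        tcp dport $port drop
    }
}
EOF
}

# vsel_webui_check PORT FILE -> 0 if FILE (an nft ruleset dump) contains a
# source-restricted accept for PORT, a drop or reject for it, and no
# unrestricted accept for it; 1 otherwise.
vsel_webui_check() {
    awk -v p="$1" '
        $0 ~ ("dport " p "([^0-9]|$)") {
            if ($0 ~ /accept/ && $0 !~ /saddr/) open = 1       # anyone may connect
            if ($0 ~ /accept/ && $0 ~ /saddr/)  restricted = 1 # admin-only accept
            if ($0 ~ /drop|reject/)             closed = 1     # everyone else blocked
        }
        END { exit (restricted && closed && !open) ? 0 : 1 }' "$2"
}

# Stand-alone demo: generate a ruleset for two constructed (documentation-range)
# admin addresses, print it, and verify it. To apply on a host as root:
#   vsel_webui_ruleset "$VSEL_WEBUI_PORT" <admin addresses> | nft -f -
# To audit an existing host:  nft list ruleset > current.nft; vsel_webui_check PORT current.nft
tmp="$(mktemp)"
vsel_webui_ruleset "$VSEL_WEBUI_PORT" 192.0.2.10 198.51.100.0/24 | tee "$tmp"
if vsel_webui_check "$VSEL_WEBUI_PORT" "$tmp"; then
    echo "Web UI port restricted to administrator hosts"
else
    echo "Web UI port NOT restricted (finding)"
fi
rm -f "$tmp"
```

The check answers the question the reviewer is asked here: not merely whether a rule mentions the port, but whether the only accept for it is source-restricted and a drop follows it. A network-based firewall that provides the same restriction satisfies the requirement too, but that cannot be verified from the host's own ruleset.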