McAfee VSEL 1.9/2.0 Local Client Security Technical Implementation Guide

  • Version/Release: V1R6
  • Published: 2020-03-24
  • Released: 2020-04-24

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
The McAfee VirusScan Enterprise for Linux Web interface must be disabled unless the system is on a segregated network.
CM-5 - Medium - CCI-001813 - V-62791 - SV-77281r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
DTAVSEL-000
Vuln IDs
  • V-62791
Rule IDs
  • SV-77281r1_rule
The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. By restricting access to the interface with firewall rules, the risk of unauthorized access is mitigated.
Checks: C-63599r1_chk

Verify the location of the system being reviewed. If it is on a segregated network, with no access to the Internet or to the Local Area Network, and it is not managed by a McAfee ePO server, this check is Not Applicable. If the system being reviewed has access to the Internet, is reachable from the Local Area Network, and/or is managed by a McAfee ePO server, this check must be validated.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "nailsd.disableCltWebUI" nailsd.cfg

If the response given for "nailsd.disableCltWebUI" is "false", this is a finding.

Fix: F-68711r1_fix

Without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and edit the nailsd.cfg file. Find the line "nailsd.disableCltWebUI: false" and change the "false" to "true". Reload the nails processes by running the following command:

/etc/init.d/nails reload

The anti-virus signature file age must not exceed 7 days.
SI-3 - High - CCI-001240 - V-63071 - SV-77561r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001240
Version
DTAVSEL-001
Vuln IDs
  • V-63071
Rule IDs
  • SV-77561r1_rule
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.
Checks: C-63823r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "View", select "Host Summary". In the "Host Summary", verify the "DAT Date:" is within the last 7 days. If the "DAT Date:" is not within the last 7 days, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, enter the command:

ls -lt /opt/NAI/LinuxShield/engine/dat

The command will return a listing of the avvclean.dat, avvnames.dat and avvscan.dat files. If their respective file dates are not within the last 7 days, this is a finding.

Fix: F-68989r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Schedule", select "Product Update". Under "When to update", select the "Immediately" radio button, and click on "Next". Under "Choose what to update", select "Virus definition files (also known as DAT files)", and click on "Next". Under "Enter a task name", type a unique name for this task, and click on "Finish". Re-validate the anti-virus signature file age.

To run the Update task manually without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. Add a task to /etc/crontab to run the nails updater. At the command line, enter the command:

/opt/NAI/LinuxShield/bin/nails task -l

After the task runs, a (Completed) response will be returned.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates.
SI-3 - Medium - CCI-001240 - V-63073 - SV-77563r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001240
Version
DTAVSEL-002
Vuln IDs
  • V-63073
Rule IDs
  • SV-77563r1_rule
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
Checks: C-63825r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. Under "View", select "Scheduled Tasks". Under "Scheduled Tasks", under "Task Summaries", with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task. Verify the "Type" is "Update" and the "Status" is "Completed" with Results of "Update Finished". Under "Task Details" for the task, click on the "Modify" button. Choose "2. Choose what to update" and verify "Virus definition files (also known as DAT files)" is selected. If there is not a task designated as the regularly scheduled DAT Update task, this is a finding. If there is a task designated as the regularly scheduled DAT Update task, but "Virus definition files (also known as DAT files)" is not selected under the "2. Choose what to update" section, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, enter the command:

/opt/NAI/LinuxShield/bin/nails task --list

The command will return a response similar to the following:

LinuxShield configured tasks:
1 "LinuxShield Update" (Running)

If the response does not return a configured task for "LinuxShield Update", this is a finding.

Fix: F-68991r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Schedule", select "Product Update". Under "1. When to update", select "Daily" and choose every "1" day(s), then click on "Next". Under "2. Choose what to update", select "Virus definition files (also known as DAT files)", and click on "Next". Under "3. Enter a task name", give the task a unique task name for the daily update, and click on "Finish". Configure an /etc/crontab entry for the LinuxShield Update.

To run the Update task manually without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, enter the command:

/opt/NAI/LinuxShield/bin/nails task -l

After the task runs, a (Completed) response will be returned.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning.
SI-3 - High - CCI-001243 - V-63075 - SV-77565r1_rule
RMF Control
SI-3
Severity
High
CCI
CCI-001243
Version
DTAVSEL-003
Vuln IDs
  • V-63075
Rule IDs
  • SV-77565r1_rule
For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-63827r1_chk

Note: McAfee VSEL On-Access scan is not compatible with NFS Version 4. On client systems with the NFS 4.0 client as default, execute the following command to use NFS version 3.0 as a workaround:

mount -t nfs -o nfsvers=3 <NFS_Path> <Mount_point>

If mounting with NFS version 3.0 is not an option, this is a finding. Only in such a case, if STIG ID DTAVSEL-100 is configured for a daily scheduled scan and DTAVSEL-101 through DTAVSEL-114 are not a finding, the severity of this check can be reduced to a CAT 2.

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Enable On-Access scanning" check box is selected. Verify the "Quarantine directory" field is populated with "/quarantine" (or another valid location as determined by the organization). If the check box "Enable On-Access scanning" is not selected, this is a finding. If the "Quarantine directory" field is not populated, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "oasEnabled" nailsd.cfg

If the response given is "nailsd.oasEnabled: false" or is "nailsd.oasEnabled: true" with a preceding #, this is a finding.

Fix: F-68993r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Enable On-Access scanning" check box. In the "Quarantine directory" field, populate with "/quarantine" (or another valid location as determined by the organization). Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning.
SI-3 - Medium - CCI-001243 - V-63077 - SV-77567r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-004
Vuln IDs
  • V-63077
Rule IDs
  • SV-77567r1_rule
Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned. By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected. Decompression can slow performance, however; any virus-infected file inside an archive cannot become active until it has been extracted. Recognizing the slow performance potential
Checks: C-63829r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Decompress archives" check box is selected. If the check box "Decompress archives" is not selected, this is a finding. If the check box "Decompress archives" is not selected but decompression of archives is configured for the On-Demand regularly scheduled scan, as specified in STIG ID DTAVSEL-101, this is still a finding, but its severity can be dropped to a CAT 3.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "decompArchive" nailsd.cfg

If the response given includes "nailsd.profile.OAS.decompArchive: false" or includes "nailsd.profile.OAS.decompArchive: true" with a preceding #, this is a finding.

Fix: F-68995r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Decompress archives" check box. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses.
SI-3 - Medium - CCI-001243 - V-63079 - SV-77569r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-005
Vuln IDs
  • V-63079
Rule IDs
  • SV-77569r1_rule
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Checks: C-63831r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Find unknown program viruses" check box is selected. If the check box "Find unknown program viruses" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "heuristicAnalysis" nailsd.cfg

If the response given is "nailsd.profile.OAS.heuristicAnalysis: false" or is "nailsd.profile.OAS.heuristicAnalysis: true" with a preceding #, this is a finding.

Fix: F-68997r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Find unknown program viruses" check box. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses.
SI-3 - Medium - CCI-001243 - V-63081 - SV-77571r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-006
Vuln IDs
  • V-63081
Rule IDs
  • SV-77571r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Checks: C-63833r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Find unknown macro viruses" check box is selected. If the check box "Find unknown macro viruses" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "macroAnalysis" nailsd.cfg

If the response given is "nailsd.profile.OAS.macroAnalysis: false" or is "nailsd.profile.OAS.macroAnalysis: true" with a preceding #, this is a finding.

Fix: F-68999r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Find unknown macro viruses" check box. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs.
SI-3 - Medium - CCI-001243 - V-63083 - SV-77573r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-007
Vuln IDs
  • V-63083
Rule IDs
  • SV-77573r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first allows for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63835r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Find potentially unwanted programs" check box is selected. If the check box "Find potentially unwanted programs" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "OAS.program" nailsd.cfg

If the response given is "nailsd.profile.OAS.program: false" or is "nailsd.profile.OAS.program: true" with a preceding #, this is a finding.

Fix: F-69001r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Find potentially unwanted programs" check box. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk.
SI-3 - Medium - CCI-001243 - V-63085 - SV-77575r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-008
Vuln IDs
  • V-63085
Rule IDs
  • SV-77575r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
Checks: C-63837r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Scan files when writing to disk" check box is selected. If the check box "Scan files when writing to disk" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "scanOnWrite" nailsd.cfg

If the response given is "nailsd.profile.OAS.scanOnWrite: false" or is "nailsd.profile.OAS.scanOnWrite: true" with a preceding #, this is a finding.

Fix: F-69003r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Scan files when writing to disk" check box. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk.
SI-3 - Medium - CCI-001243 - V-63087 - SV-77577r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-009
Vuln IDs
  • V-63087
Rule IDs
  • SV-77577r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-63839r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Scan files when reading from disk" check box is selected. If the check box "Scan files when reading from disk" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "scanOnRead" nailsd.cfg

If the response given is "nailsd.profile.OAS.scanOnRead: false" or is "nailsd.profile.OAS.scanOnRead: true" with a preceding #, this is a finding.

Fix: F-69005r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the "Scan files when reading from disk" check box. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types.
SI-3 - Medium - CCI-001243 - V-63089 - SV-77579r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-010
Vuln IDs
  • V-63089
Rule IDs
  • SV-77579r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63841r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Extension Base Scanning", verify the "Scan all files" radio button is selected. If the radio button "Scan all files" is not selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "allFiles" nailsd.cfg

If the response given is "nailsd.profile.OAS.allFiles: false" or is "nailsd.profile.OAS.allFiles: true" with a preceding #, this is a finding.

Fix: F-69007r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Select the "Edit" button. Under "Extension Base Scanning", select the "Scan all files" radio button. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds.
SI-3 - Medium - CCI-001243 - V-63091 - SV-77581r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-011
Vuln IDs
  • V-63091
Rule IDs
  • SV-77581r1_rule
When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner. Although the description of this requirement indicates a "maximum scan time", the intent of this requirement is to explicitly set a maximum scan time without impacting the effectiveness of the scan. Left unconfigured, the scan could run indefinitely on one file. If configured with a value of less than 45 seconds, the scanning of some files will be skipped. If configured with 45 or more seconds, the success rate of files being completely scanned is higher.
Checks: C-63843r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the "Maximum scan time (seconds)" is configured with "45" or more seconds. If the "Maximum scan time (seconds)" is not configured with "45" or more seconds, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "scanMaxTmo" nailsd.cfg

If the response given for "nailsd.profile.OAS_default.scanMaxTmo" is "44" or less, or if the response given for "nailsd.profile.OAS.scanMaxTmo" is "45" or more but with a preceding #, this is a finding.

Fix: F-69009r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", configure the "Maximum scan time (seconds)" with at least "45" or more seconds. Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO.
SI-3 - Medium - CCI-001243 - V-63093 - SV-77583r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-012
Vuln IDs
  • V-63093
Rule IDs
  • SV-77583r1_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63845r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Paths Excluded From Scanning", verify no entries exist other than the following:

/var/log
/_admin/Manage_NSS
/mnt/system/log
/media/nss/.*/(\._NETWARE|\._ADMIN)
/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
/cgroup
/dev
/proc
/selinux
/sys

If any entries other than the above referenced paths are present in the "Paths Excluded From Scanning" field, verify the exclusion of those files and paths has been formally documented by the System Administrator and approved by the ISSO/ISSM. If they have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding. If they have not been formally documented and approved but are validated as being scanned within the regularly scheduled scan, this is a finding but can be dropped to a CAT 3.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep "exclude-path" nailsd.cfg -A 5

If the response given is "nailsd.profile.OAS.filter.varlog.type: exclude-path" and "nailsd.profile.OAS.filter.varlog.path:" includes anything other than the above paths, this is a finding.

Fix: F-69011r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Click "Edit". Under "Paths Excluded From Scanning", remove all entries other than the default "/var/log". Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected.
SI-3 - Medium - CCI-001243 - V-63095 - SV-77585r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-013
Vuln IDs
  • V-63095
Rule IDs
  • SV-77585r2_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63847r4_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for viruses and Trojans". If "Clean" is not selected from the first drop-down list for "Actions for viruses and Trojans", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc and enter the command:

grep 'nailsd.profile.OAS.action.App.primary' nailsd.cfg

If the response given for "nailsd.profile.OAS.action.App.primary" is not "Clean", this is a finding.

Fix: F-69013r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for viruses and Trojans". Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected.
SI-3 - Medium - CCI-001243 - V-63097 - SV-77587r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-014
Vuln IDs
  • V-63097
Rule IDs
  • SV-77587r2_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63849r2_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Quarantine" is selected from the second drop-down list for "Actions for viruses and Trojans". If "Quarantine" is not selected from the second drop-down list for "Actions for viruses and Trojans", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.action.App.secondary" nailsd.cfg". If the response given for "nailsd.profile.OAS.action.App.secondary" is not "Quarantine", this is a finding.

Fix: F-69015r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Quarantine" from the second drop-down list for "Actions for viruses and Trojans" (the action taken if the first action fails). Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when programs and jokes are found.
SI-3 - Medium - CCI-001243 - V-63099 - SV-77589r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-015
Vuln IDs
  • V-63099
Rule IDs
  • SV-77589r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63851r2_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for Programs and Jokes". If "Clean" is not selected from the first drop-down list for "Actions for Programs and Jokes", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.action.Default.primary" nailsd.cfg". If the response given for "nailsd.profile.OAS.action.Default.primary" is not "Clean", this is a finding.

Fix: F-69017r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for Programs and Jokes". Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when programs and jokes are found.
SI-3 - Medium - CCI-001243 - V-63101 - SV-77591r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-016
Vuln IDs
  • V-63101
Rule IDs
  • SV-77591r2_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63853r2_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Quarantine" is selected from the second drop-down list for "Actions for Programs and Jokes". If "Quarantine" is not selected from the second drop-down list for "Actions for Programs and Jokes", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.action.Default.secondary" nailsd.cfg" (no trailing space inside the quotes, or the key will not match). If the response given for "nailsd.profile.OAS.action.Default.secondary" is not "Quarantine", this is a finding.

Fix: F-69019r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Quarantine" from the second drop-down list for "Actions for Programs and Jokes" (the action taken if the first action fails). Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if an error occurs during scanning.
SI-3 - Medium - CCI-001243 - V-63103 - SV-77593r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-017
Vuln IDs
  • V-63103
Rule IDs
  • SV-77593r2_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-63855r2_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify the "Block" radio button is selected for "Action if an error occurs during scanning". If the "Block" radio button is not selected for "Action if an error occurs during scanning", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.action.error" nailsd.cfg". If the response given for "nailsd.profile.OAS.action.error" is not "Block", this is a finding.

Fix: F-69021r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select the "Block" radio button for "Action if an error occurs during scanning". Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out.
SI-3 - Medium - CCI-001243 - V-63105 - SV-77595r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
DTAVSEL-018
Vuln IDs
  • V-63105
Rule IDs
  • SV-77595r2_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Checks: C-63857r2_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify the "Allow access" radio button is selected for "Action on timeout". If the "Allow access" radio button is not selected for "Action on timeout", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.action.timeout" nailsd.cfg" (no trailing space inside the quotes, or the key will not match). If the response given for "nailsd.profile.OAS.action.timeout" is not "Pass" (the configuration value that corresponds to "Allow access" in the Web interface), this is a finding.

Fix: F-69023r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select the "Allow access" radio button for "Action on timeout". Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.
SI-3 - Medium - CCI-001242 - V-63107 - SV-77597r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
DTAVSEL-019
Vuln IDs
  • V-63107
Rule IDs
  • SV-77597r1_rule
Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.
Checks: C-63859r1_chk

With the System Administrator's assistance, determine the network mounted volumes on the Linux system being reviewed. If network volumes are mounted, verify whether anti-virus protection is locally installed on, and configured to protect, the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which connect to network servers that lack locally installed and configured anti-virus protection, this check must be validated. From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", verify the check box for "Scan files on network mounted volumes" is selected. If the check box for "Scan files on network mounted volumes" is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.OAS.scanNWFiles:" nailsd.cfg". If the response given for "nailsd.profile.OAS.scanNWFiles" is not "true", this is a finding.

Fix: F-69025r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Scanning Options", select the check box for "Scan files on network mounted volumes". Click "Apply".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week.
SI-3 - Medium - CCI-001241 - V-63109 - SV-77599r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-100
Vuln IDs
  • V-63109
Rule IDs
  • SV-77599r1_rule
Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense against malware attacks, but a regularly scheduled full scan is also needed so that every file is scanned frequently and malware missed by the real-time scanning is detected and mitigated.
Checks: C-63861r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task and review the details under "Task Details for". If "Next run" does not specify "every 1 week", or more frequently, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "/opt/NAI/LinuxShield/bin/nails task --list". If the output does not show a task for the LinuxShield On-Demand Scan, this is a finding.

Fix: F-69027r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, under "Schedule", select "On-Demand Scan". Under "1. When to Scan", select Weekly, Daily or Hourly, indicate the day and/or time at which to execute regularly, and click "Next". Under "2. What to Scan", enter "/", click "Add". Click "Next". Under "3. Choose Scan Settings", select the required settings as specified in the remaining On-Demand scan requirements, and click "Next". Under "4. Enter a task name", type a unique name for the task to reflect its frequency, and click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning.
SI-3 - Medium - CCI-001241 - V-63111 - SV-77601r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-101
Vuln IDs
  • V-63111
Rule IDs
  • SV-77601r1_rule
Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
Checks: C-63863r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Decompress archives" check box has been selected. If the "Decompress archives" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.decompArchive" ods.cfg". If the response given for "nailsd.profile.ODS.decompArchive" is not "true", this is a finding.

Fix: F-69029r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Decompress archives" check box, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses.
SI-3 - Medium - CCI-001241 - V-63113 - SV-77603r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-102
Vuln IDs
  • V-63113
Rule IDs
  • SV-77603r1_rule
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Checks: C-63865r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Perform heuristic virus analysis" check box has been selected. If the "Perform heuristic virus analysis" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.heuristicAnalysis" ods.cfg". If the response given for "nailsd.profile.ODS.heuristicAnalysis" is not "true", this is a finding.

Fix: F-69031r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Perform heuristic virus analysis" check box, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses.
SI-3 - Medium - CCI-001241 - V-63115 - SV-77605r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-103
Vuln IDs
  • V-63115
Rule IDs
  • SV-77605r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Checks: C-63867r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Perform macro analysis" check box has been selected. If the "Perform macro analysis" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.macroAnalysis" ods.cfg". If the response given for "nailsd.profile.ODS.macroAnalysis" is not "true", this is a finding.

Fix: F-69033r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Perform macro analysis" check box, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs.
SI-3 - Medium - CCI-001241 - V-63117 - SV-77607r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-104
Vuln IDs
  • V-63117
Rule IDs
  • SV-77607r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63869r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Find potentially unwanted programs" check box has been selected. If the "Find potentially unwanted programs" check box has not been selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.program" ods.cfg". If the response given for "nailsd.profile.ODS.program" is not "true", this is a finding.

Fix: F-69035r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Find potentially unwanted programs" check box, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types.
SI-3 - Medium - CCI-001241 - V-63119 - SV-77609r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-105
Vuln IDs
  • V-63119
Rule IDs
  • SV-77609r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63871r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Extension Based Scanning", verify the "Scan all files" check box is selected. If the "Scan all files" check box is not selected, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.allFiles" ods.cfg". If the response given for "nailsd.profile.ODS.allFiles" is not "true", this is a finding.

Fix: F-69037r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Extension Based Scanning", select the "Scan all files" check box, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.
SI-3 - Medium - CCI-001241 - V-63121 - SV-77611r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-106
Vuln IDs
  • V-63121
Rule IDs
  • SV-77611r1_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63873r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Clean" is selected in the first dropdown list for "Actions for Viruses and Trojans". If "Clean" is not selected in the first dropdown list for "Actions for Viruses and Trojans", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.App.primary" ods.cfg". If the response given for "nailsd.profile.ODS.action.App.primary" is not "Clean", this is a finding.

Fix: F-69039r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", select "Clean" from the first dropdown list for "Actions for Viruses and Trojans", click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.
SI-3 - Medium - CCI-001241 - V-63123 - SV-77613r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-107
Vuln IDs
  • V-63123
Rule IDs
  • SV-77613r1_rule
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Checks: C-63875r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Quarantine" is selected in the second dropdown list for "Actions for Viruses and Trojans" (the action taken if the first action fails). If "Quarantine" is not selected in that second dropdown list, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or over an SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.App.secondary" ods.cfg". If the response given for "nailsd.profile.ODS.action.App.secondary" is not "Quarantine", this is a finding.

Fix: F-69041r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and log on with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", select "Quarantine" from the second dropdown list for "Actions for Viruses and Trojans" (the action taken if the first action fails), click "Next", and then click "Finish".
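The command-line validation steps for the On-Access rules (DTAVSEL-013 through DTAVSEL-019, keys in nailsd.cfg) and the On-Demand rules (DTAVSEL-101 through DTAVSEL-107, keys in ods.cfg) each reduce to reading one key and comparing it with the required value. The POSIX shell script below is an added example, not part of this STIG or of McAfee's software: it runs all of those key checks in one pass and reports each as PASS or FINDING. It assumes both files hold one "key: value" pair per line (as the STIG's grep commands imply) and carries a constructed sample configuration so it can be run offline; the function names and the VSEL_ETC variable are this example's own.

```shell
#!/bin/sh
# Added audit helper (not part of the STIG or of McAfee VSEL). It evaluates the nailsd.cfg
# keys behind DTAVSEL-013..019 and the ods.cfg keys behind DTAVSEL-101..107 without the Web UI.
# Assumption: both files hold one "key: value" pair per line, as the STIG's grep commands imply.

# vsel_get FILE KEY -> prints the value of KEY (text after "KEY:"), or nothing if KEY is absent.
vsel_get() {
    # Escape the dots so the key matches literally, and anchor on the trailing colon so that
    # a key cannot match a longer key that merely starts with the same text.
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^${key_re}:[[:space:]]*//p" "$1" 2>/dev/null | sed 's/[[:space:]]*$//' | head -n 1
}

# vsel_check FILE KEY EXPECTED -> prints one report line; returns 1 when the value is a finding.
vsel_check() {
    actual=$(vsel_get "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'PASS    %s: %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FINDING %s is "%s", expected "%s" (%s)\n' "$2" "${actual:-<missing>}" "$3" "$1"
    return 1
}

# vsel_audit DIR -> checks every STIG-controlled key in DIR/nailsd.cfg and DIR/ods.cfg;
# prints one line per key and returns the number of findings (0 means compliant).
# DIR must not contain whitespace because the table below is split on spaces.
# Notes: "Pass" is the stored value behind the Web UI's "Allow access" (DTAVSEL-018), and
# scanNWFiles (DTAVSEL-019) is Not Applicable when every remote server has its own anti-virus;
# the reviewer applies that exception, the script simply reports the stored value.
vsel_audit() {
    oas="$1/nailsd.cfg"; ods="$1/ods.cfg"; n=0
    while read -r file key expected; do
        vsel_check "$file" "$key" "$expected" || n=$((n + 1))
    done <<EOF
$oas nailsd.profile.OAS.action.App.primary Clean
$oas nailsd.profile.OAS.action.App.secondary Quarantine
$oas nailsd.profile.OAS.action.Default.primary Clean
$oas nailsd.profile.OAS.action.Default.secondary Quarantine
$oas nailsd.profile.OAS.action.error Block
$oas nailsd.profile.OAS.action.timeout Pass
$oas nailsd.profile.OAS.scanNWFiles true
$ods nailsd.profile.ODS.decompArchive true
$ods nailsd.profile.ODS.heuristicAnalysis true
$ods nailsd.profile.ODS.macroAnalysis true
$ods nailsd.profile.ODS.program true
$ods nailsd.profile.ODS.allFiles true
$ods nailsd.profile.ODS.action.App.primary Clean
$ods nailsd.profile.ODS.action.App.secondary Quarantine
EOF
    return $n
}

# vsel_findings DIR -> prints only the number of findings (handy for scripting).
vsel_findings() {
    vsel_audit "$1" | grep -c '^FINDING' || true
}

# vsel_write_sample DIR -> writes a constructed nailsd.cfg and ods.cfg (not real McAfee files)
# into DIR with two deliberate deviations: timeout set to Block (DTAVSEL-018 requires Pass)
# and archive decompression disabled (DTAVSEL-101 requires true).
vsel_write_sample() {
    mkdir -p "$1"
    cat > "$1/nailsd.cfg" <<'EOF'
nailsd.disableCltWebUI: true
nailsd.profile.OAS.action.App.primary: Clean
nailsd.profile.OAS.action.App.secondary: Quarantine
nailsd.profile.OAS.action.Default.primary: Clean
nailsd.profile.OAS.action.Default.secondary: Quarantine
nailsd.profile.OAS.action.error: Block
nailsd.profile.OAS.action.timeout: Block
nailsd.profile.OAS.scanNWFiles: true
EOF
    cat > "$1/ods.cfg" <<'EOF'
nailsd.profile.ODS.decompArchive: false
nailsd.profile.ODS.heuristicAnalysis: true
nailsd.profile.ODS.macroAnalysis: true
nailsd.profile.ODS.program: true
nailsd.profile.ODS.allFiles: true
nailsd.profile.ODS.action.App.primary: Clean
nailsd.profile.ODS.action.App.secondary: Quarantine
EOF
}

# On a VSEL host, run as a user that can read /var/opt/NAI/LinuxShield/etc (or set VSEL_ETC to a
# copied directory); when that directory is absent, the constructed sample is audited instead.
VSEL_ETC="${VSEL_ETC:-/var/opt/NAI/LinuxShield/etc}"
if [ ! -d "$VSEL_ETC" ]; then
    VSEL_ETC=$(mktemp -d)
    vsel_write_sample "$VSEL_ETC"
fi
vsel_audit "$VSEL_ETC"; n=$?
echo "$n finding(s) in $VSEL_ETC"
```

Against the constructed sample the report shows two FINDING lines (the timeout and decompArchive keys); the other twelve keys pass.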

b
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO.
SI-3 - Medium - CCI-001241 - V-63125 - SV-77615r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-108
Vuln IDs
  • V-63125
Rule IDs
  • SV-77615r1_rule
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63877r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", review "Paths Excluded From Scanning". The following exclusions, shown as they appear in the exclusion list, are permitted without separate approval:
/var/log
/_admin/Manage_NSS
/mnt/system/log
/media/nss/.*/(\._NETWARE|\._ADMIN)
/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
/cgroup
/dev
/proc
/selinux
/sys
If any path other than these is excluded and the exclusion has not been documented and approved by the ISSO/ISSM/AO, this is a finding.

Fix: F-69043r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Paths Excluded From Scanning", remove all unauthorized excluded paths, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
SI-3 - Medium - CCI-001241 - V-63127 - SV-77617r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-110
Vuln IDs
  • V-63127
Rule IDs
  • SV-77617r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first allows for the possibility of a false positive, since a legitimate file is not removed outright. In most cases, however, the secondary action will be applied, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63879r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Clean" is selected in the first dropdown list for "Actions for Programs and Jokes". If "Clean" is not selected in that list, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.Default.primary" ods.cfg". If the value returned for "ODS.action.Default.primary" is not "Clean", this is a finding.

Fix: F-69045r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", select "Clean" from the first dropdown list for "Actions for Programs and Jokes", click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
SI-3 - Medium - CCI-001241 - V-63129 - SV-77619r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-111
Vuln IDs
  • V-63129
Rule IDs
  • SV-77619r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the anti-virus software to attempt to clean the file first allows for the possibility of a false positive, since a legitimate file is not removed outright. In most cases, however, the secondary action of quarantine will be applied, mitigating the risk of the PUPs being installed and used maliciously.
Checks: C-63881r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", verify "Quarantine" is selected in the second dropdown list ("Actions for Programs and Jokes" if first action fails). If "Quarantine" is not selected in that list, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "ODS.action.Default.secondary" ods.cfg". If the value returned for "ODS.action.Default.secondary" is not "Quarantine", this is a finding.

Fix: F-69047r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Actions", select "Quarantine" from the second dropdown list ("Actions for Programs and Jokes" if first action fails), click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files.
SI-3 - Medium - CCI-001241 - V-63131 - SV-77621r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-112
Vuln IDs
  • V-63131
Rule IDs
  • SV-77621r1_rule
Malware is often packaged within an archive, and archives may contain other archives. MIME encoding, as used for e-mail attachments, wraps content in the same way: a scanner that does not decode it cannot inspect the enclosed file. Not decoding and scanning such packaged content introduces the risk of infected files being introduced into the environment.
Checks: C-63883r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", verify the "Decode MIME encoded files" check box has been selected. If the "Decode MIME encoded files" check box has not been selected, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.ODS.mime" ods.cfg". If the value returned for "nailsd.profile.ODS.mime" is not "true", this is a finding.

Fix: F-69049r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "2. What to Scan", click "Next". Under "3. Choose Scan Settings", "Anti-virus Scanning Options", select the "Decode MIME encoded files" check box, click "Next", and then click "Finish".

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories.
SI-3 - Medium - CCI-001241 - V-63133 - SV-77623r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
DTAVSEL-113
Vuln IDs
  • V-63133
Rule IDs
  • SV-77623r2_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-63885r2_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "3. Choose Scan Settings", verify the "Scan all files" check box is selected. If the Scan Settings are not configured to scan all files, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "extension.mode" ods.cfg". If the value returned is not "All", this is a finding.

Fix: F-69051r2_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Under "3. Choose Scan Settings", select the "Scan all files" check box, click "Next", and then click "Finish".

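The command-line checks for the On-Demand scanner rules above (secondary action for viruses and Trojans, primary and secondary actions for programs and jokes, MIME decoding, and the extension mode) each grep one key out of ods.cfg by hand. The script below is an added example, not part of the STIG and not McAfee's code: it runs those greps in one pass against a copy of the file and reports each key as PASS or FINDING. It assumes the file holds one "key: value" setting per line (an "=" separator is also accepted; confirm the format on a real host) and that the full name of the scan-all-files key is nailsd.profile.ODS.extension.mode (the STIG only greps "extension.mode"). The sample ods.cfg it writes is constructed for the demonstration, not taken from a VSEL host.

```shell
#!/bin/sh
# Added example (not from the STIG or McAfee): audit the ods.cfg settings the
# On-Demand scanner checks grep for, in one pass.
# ASSUMPTION: one setting per line, "key: value" (or "key = value").

# cfg_get FILE KEY -> prints the value of KEY, or nothing if it is not set.
# KEY matches the whole key name or a dotted suffix of it, so the STIG's two
# spellings ("ODS.action.Default.primary", "nailsd.profile.ODS.mime") both work.
cfg_get() {
    awk -F'[ \t]*[:=][ \t]*' -v k="$2" '
        /^[ \t]*#/ { next }                                  # skip comment lines
        $1 == k || substr($1, length($1) - length(k)) == "." k {
            v = $2; sub(/[ \t\r]+$/, "", v); print v; exit
        }' "$1"
}

# check_setting FILE KEY EXPECTED -> 0 when compliant, 1 when this is a finding
check_setting() {
    actual=$(cfg_get "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'PASS    %-32s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FINDING %-32s got "%s", expected "%s"\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# audit_ods ETCDIR -> runs every ods.cfg check in this section; exit status = number of findings
audit_ods() {
    findings=0
    for spec in \
        'ODS.action.App.secondary|Quarantine' \
        'ODS.action.Default.primary|Clean' \
        'ODS.action.Default.secondary|Quarantine' \
        'ODS.mime|true' \
        'extension.mode|All'
    do
        check_setting "$1/ods.cfg" "${spec%%|*}" "${spec#*|}" || findings=$((findings + 1))
    done
    echo "findings: $findings"
    return "$findings"
}

# write_sample_cfg DIR -> writes a CONSTRUCTED ods.cfg (not a real host's file) with two
# deliberately non-compliant values so the audit has something to flag.
write_sample_cfg() {
    cat > "$1/ods.cfg" <<'EOF'
# constructed sample for the demonstration
nailsd.profile.ODS.action.App.primary: Clean
nailsd.profile.ODS.action.App.secondary: Delete
nailsd.profile.ODS.action.Default.primary: Clean
nailsd.profile.ODS.action.Default.secondary: Quarantine
nailsd.profile.ODS.mime: false
nailsd.profile.ODS.extension.mode: All
EOF
}

# Stand-alone use: `sh audit_ods.sh /var/opt/NAI/LinuxShield/etc` on the host under review;
# with no argument the script audits the constructed sample instead.
if [ $# -ge 1 ]; then
    audit_ods "$1"
else
    tmp=$(mktemp -d)
    write_sample_cfg "$tmp"
    audit_ods "$tmp" || :
    rm -rf "$tmp"
fi
```

On the sample the audit reports the "Delete" secondary action and the disabled MIME decoding as findings and exits with status 2, so it drops straight into a larger compliance script; a PASS line echoes the value found so the reviewer can record it as evidence.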
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.
MA-3 - Medium - CCI-000870 - V-63137 - SV-77627r1_rule
RMF Control
MA-3
Severity
Medium
CCI
CCI-000870
Version
DTAVSEL-200
Vuln IDs
  • V-63137
Rule IDs
  • SV-77627r1_rule
Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
Checks: C-63889r1_chk

Consult with the System Administrator of the Linux system being reviewed. Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used. If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, this is a finding.

Fix: F-69055r1_fix

Create procedures, or add to existing system administration procedures, which require the scanning of all media used for system maintenance before media is used.

The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source.
CM-5 - Medium - CCI-001749 - V-63139 - SV-77629r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
DTAVSEL-201
Vuln IDs
  • V-63139
Rule IDs
  • SV-77629r1_rule
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. While obtaining patches, service packs and updates directly from the vendor is timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.
Checks: C-63891r1_chk

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "Repositories". Under "Repository List", verify all repositories listed point to a local or DoD-managed repository. If all repositories listed do not point to local or DoD-managed repository, this is a finding.

Fix: F-69057r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "Repositories". Under "Repository List", configure all repositories to point to a local or DoD-managed repository, and click "Apply".

The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role.
AC-6 - Medium - CCI-002235 - V-63141 - SV-77631r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
DTAVSEL-202
Vuln IDs
  • V-63141
Rule IDs
  • SV-77631r1_rule
The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is a member of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account and group own and can access only what is required for their intended role limits the damage that can be done with them if the nails user is compromised.
Checks: C-63893r1_chk

Access the Linux system console command line as root. Execute the following commands, which redirect the results to text files for easier review:
find / -group nailsgroup >nailsgroup.txt
find / -user nails >nails.txt
Execute the following commands to review each results file, pressing the space bar to move to each page until the end of the file:
more nailsgroup.txt
more nails.txt
When reviewing the results, verify the nailsgroup group and nails user only own the following paths. These paths assume an INSTALLDIR of /opt/NAI/LinuxShield and a RUNTIMEDIR of /var/opt/NAI/LinuxShield; if alternative folders were used at installation, substitute them accordingly when validating.
/var/opt/NAI and sub-folders
/opt/NAI and sub-folders
/McAfee/lib
/var/spool/mail/nails
/proc/##### (where ##### represents the process IDs of the running VSEL processes)
If any other file or folder is owned by either the nailsgroup group or the nails user, this is a finding.

Fix: F-69059r1_fix

Access the Linux system console command line as root. Navigate to each path on which the nails user or nailsgroup group has unnecessary permissions or ownership. Using the chmod command, reduce or remove the permissions granted to the nails user. Using the chown command, remove ownership by the nails user or nailsgroup group.

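Reading the full find output page by page is slow on a large filesystem. The script below is an added example, not part of the STIG and not McAfee's code: it applies the allow list from the check above to that output and prints only the paths that fall outside it, which is what the reviewer actually has to look at. It assumes the default INSTALLDIR and RUNTIMEDIR named in the check (edit the allow list if either was changed) and that the VSEL process entries appear under /proc as numeric directories; the sample find output it uses is constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the STIG or McAfee): reduce "find / -user nails" /
# "find / -group nailsgroup" output to the paths outside the approved locations.
# ASSUMPTION: INSTALLDIR=/opt/NAI/LinuxShield, RUNTIMEDIR=/var/opt/NAI/LinuxShield.

# nails_path_allowed PATH -> 0 if PATH is inside an approved location, 1 otherwise
nails_path_allowed() {
    case "$1" in
        /var/opt/NAI|/var/opt/NAI/*) return 0 ;;   # RUNTIMEDIR and sub-folders
        /opt/NAI|/opt/NAI/*)         return 0 ;;   # INSTALLDIR and sub-folders
        /McAfee/lib|/McAfee/lib/*)   return 0 ;;
        /var/spool/mail/nails)       return 0 ;;   # the nails mail spool, and only that file
        /proc/*)
            # Only /proc/<pid>/... entries of running processes are expected;
            # /proc/self, /proc/sys and the like are not process entries.
            pid=${1#/proc/}; pid=${pid%%/*}
            case "$pid" in
                '' | *[!0-9]*) return 1 ;;
                *)             return 0 ;;
            esac ;;
    esac
    return 1
}

# unexpected_nails_paths -> reads one path per line on stdin, prints those not allowed
unexpected_nails_paths() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        nails_path_allowed "$p" || printf '%s\n' "$p"
    done
}

# sample_find_output -> CONSTRUCTED stand-in for the find output (not from a real host);
# the three paths at the end are the ones a reviewer should be shown.
sample_find_output() {
    cat <<'EOF'
/opt/NAI/LinuxShield/bin/nailsd
/var/opt/NAI/LinuxShield/etc/ods.cfg
/var/opt/NAI/LinuxShield/etc/nailsd.cfg
/McAfee/lib/libexample.so
/var/spool/mail/nails
/proc/4242/status
/proc/4242/fd/3
/home/nails/.ssh/authorized_keys
/usr/local/bin/backup.sh
/proc/self/status
EOF
}

# Demonstration on the constructed sample. On the host under review, as root, feed
# real data instead (one find covers both the user and the group check):
#   find / \( -user nails -o -group nailsgroup \) 2>/dev/null | unexpected_nails_paths
echo "paths owned by nails/nailsgroup outside the approved locations:"
sample_find_output | unexpected_nails_paths
```

Anything the filter prints is either a finding or needs a documented reason; an SSH key or a script owned by nails in a location it does not need is exactly the kind of foothold the least-privilege rule exists to remove. The match on /var/spool/mail/nails is exact on purpose, so a similarly named file elsewhere is still reported.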
A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes.
SI-3 - Medium - CCI-001240 - V-63143 - SV-77633r2_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001240
Version
DTAVSEL-205
Vuln IDs
  • V-63143
Rule IDs
  • SV-77633r2_rule
Failure of anti-virus signature updates will eventually render the software to be useless in protecting the Linux system from malware. Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated.
Checks: C-63895r2_chk

The preferred method for notification is via SMTP alerts. Consult with the System Administrator to determine whether SMTP alerts are configured or whether some other notification mechanism (e.g., regular manual review of reports) is used. If SMTP alerts are not configured, some other notification mechanism must be in place.

For SMTP alert configuration in the VSEL WEB Monitor: From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", "Notifications", review the configured Notifications. Verify the check box for "Item Detected" is selected. Verify the check boxes for "Viruses", "Trojans", "Programs", "Jokes" and "Include alerts for on-demand tasks" are selected. Verify the check box for "Out of date" is selected and "Alert for DAT files which are # days old" is configured to "7" or less. Verify the check box for "Configuration changes" is selected. Verify the check box for "System events" is selected. Verify the check box for "Type" is selected and "Error" is selected from the drop-down list. Verify the check box for "Code" is selected and "3000-3999" is entered in the Code field. Verify the SMTP Settings are configured with valid email address(es) for the System Administrators.

For SMTP alert configuration without the Web interface: Access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "notifications.virusDetected.active" nailsd.cfg" to confirm that detection notifications are enabled.

If SMTP alert settings are not configured to send notifications to the System Administrators, and no other mechanism is used to provide this notification to the System Administrators, this is a finding.

Fix: F-69061r1_fix

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", "Notifications", select the check box for "Item Detected". Select the check boxes for "Viruses", "Trojans", "Programs", "Jokes" and "Include alerts for on-demand tasks". Select the check box for "Out of date" and configure "Alert for DAT files which are # days old" to "7" or less. Select the check box for "Configuration changes". Select the check box for "System events". Select the check box for "Type" and select "Error" from the drop-down list. Select the check box for "Code" and enter "3000-3999" in the Code field. Configure the SMTP Settings with valid email address(es) for the System Administrators.

Access to the McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be enforced by firewall rules.
CM-5 - Medium - CCI-001813 - V-63145 - SV-77635r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
DTAVSEL-301
Vuln IDs
  • V-63145
Rule IDs
  • SV-77635r1_rule
The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. By restricting access to the interface with firewall rules, the risk of unauthorized access is mitigated.
Checks: C-63897r1_chk

With the System Administrator's assistance, review the host-based firewall for rules to the McAfee VSEL Web UI's TCP/IP port. If the host-based firewall does not have rules to restrict access to the McAfee VSEL Web UI, limiting access to specific IP addresses of System Administrators only, determine if the network-based firewall provides for that restriction. If neither a host-based firewall nor a network-based firewall restricts access to the McAfee VSEL Web UI, this is a finding.

Fix: F-69063r1_fix

Configure a host-based firewall or network-based firewall with rules to restrict access to the McAfee VSEL Web UI, limiting access to specific IP addresses of System Administrators only.
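One way to implement the host-based restriction this fix calls for, as an added example that is neither the STIG's nor McAfee's code: iptables rules that accept connections to the Web UI port from the loopback interface and from an administrator network, and drop everything else. It assumes the Web UI listens on TCP 55443 (the VSEL default; confirm the actual listener with "ss -ltnp" on the host before applying), that iptables is the host firewall, and that the administrator range 203.0.113.0/24 used in the demonstration is a placeholder to be replaced with the real one. By default the script only prints the commands; it touches the firewall only when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the STIG or McAfee): restrict the VSEL Web UI port to
# administrator addresses with iptables. ASSUMPTION: Web UI on TCP 55443.

# run ARGS... -> runs "iptables ARGS", or prints the command when DRY_RUN=1 (the default)
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# ensure_rule POSITION RULE... -> inserts RULE into INPUT at POSITION unless it is
# already present (iptables -C), so re-running the script does not duplicate rules
ensure_rule() {
    pos=$1; shift
    if [ "${DRY_RUN:-1}" = 1 ] || ! iptables -C INPUT "$@" 2>/dev/null; then
        run -I INPUT "$pos" "$@"
    fi
}

# restrict_webui ADMIN_CIDR [PORT] -> validates the input, then installs (or prints) the
# rules; returns 1 on a malformed port or network so nothing half-applied is left behind
restrict_webui() {
    cidr=$1; port=${2:-55443}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$cidr" in
        *.*.*.*/*|*.*.*.*) ;;      # loose IPv4/CIDR shape check; iptables validates fully
        *) return 1 ;;
    esac
    # Each rule is inserted at position 1, in reverse order, so the chain ends up reading
    #   ACCEPT from lo, ACCEPT from admin network, DROP everything else for this port
    # ahead of any pre-existing broad ACCEPT that would otherwise shadow the DROP.
    ensure_rule 1 -p tcp --dport "$port" -j DROP
    ensure_rule 1 -p tcp --dport "$port" -s "$cidr" -j ACCEPT
    ensure_rule 1 -i lo -p tcp --dport "$port" -j ACCEPT
}

# Stand-alone use: `sh restrict_webui.sh 10.20.30.0/24` prints the rules (dry run);
# `DRY_RUN=0 sh restrict_webui.sh 10.20.30.0/24` applies them as root.
restrict_webui "${1:-203.0.113.0/24}" "${2:-55443}"
```

Verify the result with "iptables -S INPUT | grep -- '--dport 55443'" and then confirm from a non-administrator address that the Web UI no longer answers. iptables rules do not survive a reboot on their own; persist them with the distribution's mechanism (iptables-save into the file the init scripts restore, or the iptables-services/iptables-persistent package). Where the Web UI is reachable from a larger network than the host firewall can see (for example through a load balancer or NAT), the equivalent restriction belongs on the network firewall as well.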