Group
Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux
Group contains 4 groups and 39 rules |
Group
McAfee VirusScan Enterprise for Linux (VSEL)
Group contains 3 groups and 39 rules |
[ref]
The McAfee VirusScan Enterprise for Linux software provides a real-time virus scanner for Linux systems. |
Group
General VSEL Settings
Group contains 8 rules |
[ref]
To support a secured and compliant configuration, a number of
settings need to be modified from their default configuration and locked so
that they are prevented from being changed. |
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates
[ref] | Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus
clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system.
To check that anti-virus signature files are updated, log in to the VSEL Web Monitor.
In the VSEL WEB Monitor, under View, select Scheduled Tasks.
Under Scheduled Tasks, under Task Summaries, with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task.
Verify the Type is Update and the Status is Completed with Results of Update Finished.
Under Task Details for the task, click the Modify button.
At step 2, Choose what to update, verify that Virus definition files (also known as DAT files) is selected. A single completed run is not enough on its own: confirm the task is scheduled to recur (the DAT age rule below expects a daily attempt), not to run once. | Rationale: | The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_dats_auto_update | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-002 | |
|
Rule
The anti-virus signature file age must not exceed 7 days
[ref] | Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus
clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system.
To check that anti-virus signature files are updated, log in to the VSEL Web Monitor.
In the VSEL WEB Monitor, under View, select Host Summary.
In the Host Summary, verify the DAT Date: is within the last 7 days. | Rationale: | By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature
age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be
immediately out of date. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_dats_updated | Identifiers and References | References:
CCI-001240, SI-3, SRG-APP-000276, DTAVSEL-001 | |
|
Rule
The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role
[ref] | The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group.
The WEB GUI is also accessed using the nails user.
To check that nails and nailsgroup are configured correctly, access the Linux system console command line as root.
Execute the following commands. They redirect the results to text files for easier review; 2>/dev/null drops the transient /proc errors that would otherwise clutter the output.
find / -group nailsgroup 2>/dev/null >nailsgroup.txt
find / -user nails 2>/dev/null >nails.txt
Execute the following commands to individually review each of the text files of results, pressing the space bar to move to each page
until the end of the exported text.
more nailsgroup.txt
more nails.txt
When reviewing the results, verify the nailsgroup group and nails user only own the following paths.
The following paths assume an INSTALLDIR of /opt/NAI/LinuxShield and a RUNTIMEDIR of /var/opt/NAI/LinuxShield.
If alternative folders were used, replace the following paths accordingly when validating.
/var/opt/NAI and sub-folders
/opt/NAI and sub-folders
/McAfee/lib
/var/spool/mail/nails
/proc/##### (where ##### represents the various process IDs for the VSEL processes.)
If any other file or folder is owned by either the nailsgroup group or the nails user, this is a finding. | Rationale: | Ensuring the nails user/nailsgroup group only has access to the required functions necessary for its
intended role mitigates the possibility of the nails user/nailsgroup group being used to damage the
system in the event of a compromise. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_restricted_user | Identifiers and References | References:
CCI-002235, AC-6(10), SRG-APP-000340, DTAVSEL-202 | |
|
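The review above ends with a manual page-through of two text files. As an added example (not part of this guide and not McAfee code), the following POSIX shell script automates that comparison: it runs the same find, drops every path the rule permits, and reports whatever is left as a finding. The allow-list, user and group names are taken from the rule; the variable names, function names and the --run switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the guide or of the VSEL product: run the
# ownership review from the rule above as a script and print only the paths
# that fall outside the allow-list. The allow-list is the rule's own (default
# INSTALLDIR /opt/NAI/LinuxShield, RUNTIMEDIR /var/opt/NAI/LinuxShield);
# override VSEL_ALLOWED_PREFIXES if the product was installed elsewhere.
NAILS_USER="${NAILS_USER:-nails}"
NAILS_GROUP="${NAILS_GROUP:-nailsgroup}"
VSEL_ALLOWED_PREFIXES="${VSEL_ALLOWED_PREFIXES:-/var/opt/NAI /opt/NAI /McAfee/lib /var/spool/mail/nails}"

# is_allowed PATH: 0 when PATH is an allowed prefix or lies below one, or is a
# /proc/<pid> entry (the guide permits these for the VSEL daemons; confirm
# with ps that such a pid really is a nails process); 1 otherwise.
is_allowed() {
    case "$1" in /proc/[0-9]*) return 0 ;; esac
    for prefix in $VSEL_ALLOWED_PREFIXES; do
        case "$1" in "$prefix"|"$prefix"/*) return 0 ;; esac
    done
    return 1
}

# filter_unexpected_paths: read one path per line on stdin and print those the
# allow-list does not cover. No output means no finding.
filter_unexpected_paths() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        is_allowed "$path" || printf '%s\n' "$path"
    done
}

# run_audit: the live check; run as root so find can traverse the whole tree.
# Exit status 1 means a finding, so this can feed a compliance job directly.
run_audit() {
    findings=$(find / \( -user "$NAILS_USER" -o -group "$NAILS_GROUP" \) 2>/dev/null \
               | filter_unexpected_paths)
    if [ -n "$findings" ]; then
        printf 'FINDING: paths owned by %s/%s outside the expected locations:\n%s\n' \
            "$NAILS_USER" "$NAILS_GROUP" "$findings"
        return 1
    fi
    printf 'OK: %s/%s own only the expected paths\n' "$NAILS_USER" "$NAILS_GROUP"
}

if [ "${1:-}" = "--run" ]; then run_audit; fi
```

Run it as root with --run. The allow-list is prefix-based, so /var/opt/NAIx or /McAfee/libexec would still be reported; a mail spool or home directory owned by nails is exactly the kind of residue this catches.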
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use
[ref] | It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
Consult with the System Administrator of the Linux system being reviewed.
Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used.
If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used,
this is a finding. | Rationale: | Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_scanned_media | Identifiers and References | References:
CCI-000870, MA-3(2), SRG-APP-000073, DTAVSEL-200 | |
|
Rule
The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source
[ref] | Anti-virus signature files are updated almost daily by anti-virus software vendors.
These files are made available to anti-virus clients as they are published.
Keeping virus signature files as current as possible is vital to the security of any system.
The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface)
of the Linux system being reviewed from a desktop browser window and log on with the nails user account.
In the VSEL WEB Monitor, under Configure, select Repositories.
Under Repository List, verify all repositories listed point to a local or DoD-managed repository.
If any repository listed does not point to a local or DoD-managed repository, this is a finding. | Rationale: | While obtaining patches, service packs and updates directly from the vendor is timelier,
the possibility of corruption or malware being introduced to the system is higher.
By obtaining these from an official DoD source and/or downloading them to a separate system
first and validating them before making them available to systems, the possibility of
malware being introduced is mitigated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_updates_source | Identifiers and References | References:
CCI-001749, CM-5, SRG-APP-000131, DTAVSEL-201 | |
|
Rule
A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes
[ref] | Failure of anti-virus signature updates will eventually render the software useless in protecting the Linux system from malware.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line notifications.virusDetected.active: true,
Administrators will be notified of detected malware. That line on its own covers detection events only and does not show that a recipient or mail transport is configured; the out-of-date DAT and error-code notifications named in the title must be verified separately in the WEB Monitor. | Rationale: | Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_virus_notification | Identifiers and References | References:
CCI-001240, SI-3, SRG-APP-000276, DTAVSEL-205 | |
|
Rule
The McAfee VirusScan Enterprise for Linux Web interface must be disabled unless the system is on a segregated network
[ref] | The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring McAfee VSEL on a non-managed Linux system.
The WEB GUI on the system could be used maliciously to gain unauthorized access to the system.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.disableCltWebUI: true,
the WEB GUI is disabled. If the WEB GUI must remain enabled because the system is on a segregated network, access to it must be restricted by firewall rules as described in the next rule. | Rationale: | Disabling the interface, or restricting access to it with firewall rules where it must stay enabled, mitigates the risk of unauthorized access. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_web_client_disabled | Identifiers and References | References:
CCI-001813, CM-5(1), SRG-APP-000380, DTAVSEL-000 | |
|
Rule
Access to the McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be enforced by firewall rules
[ref] | The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring McAfee VSEL on a non-managed Linux system.
The WEB GUI on the system could be used maliciously to gain unauthorized access to the system.
To check that the WEB GUI is restricted, review the iptables configuration and confirm that the WEB GUI port is accepted only from authorized management hosts and dropped or rejected from every other source. | Rationale: | By restricting access to the interface by implementing firewall rules, the risk of unauthorized access is mitigated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_web_client_firewalled | Identifiers and References | References:
CCI-001813, CM-5, SRG-APP-000380, DTAVSEL-301 | |
|
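The rule above asks the reviewer to confirm from the iptables configuration that only authorized hosts reach the WEB GUI. As an added example (not part of this guide and not McAfee code), the script below reads iptables-save output and flags the three ways that check usually fails: an ACCEPT for the port with no source restriction, a blanket ACCEPT elsewhere in the INPUT chain, and an allow for the management hosts with nothing dropping everyone else. The port number 55443, the sample ruleset and the management host address 10.10.5.20 are constructed assumptions for the example; confirm the real listening port on the audited host with ss -ltnp.

```shell
#!/bin/sh
# Added example, not part of the guide or of the VSEL product: audit the
# saved iptables ruleset for the VSEL WEB GUI port. WEBUI_PORT=55443 is an
# assumption for this example; confirm the port nailsd listens on and
# override it if your installation differs. Only iptables INPUT rules are
# understood; nftables or firewalld hosts need the equivalent check.
WEBUI_PORT="${WEBUI_PORT:-55443}"

# audit_webui_rules PORT  (reads iptables-save or iptables -S output on stdin)
# Prints one FINDING per problem and returns 1; silent and 0 when every ACCEPT
# for the port names a source (-s) and other sources are dropped, either by an
# explicit DROP/REJECT for the port or by a DROP/REJECT INPUT chain policy.
# Text matching only: "-s 0.0.0.0/0" counts as restricted, so read the sources.
audit_webui_rules() {
    port="$1"; policy=unknown; restricted=0; unrestricted=0; blocked=0
    while IFS= read -r line; do
        case "$line" in
            ":INPUT "*)   policy=${line#":INPUT "};   policy=${policy%% *}; continue ;;
            "-P INPUT "*) policy=${line#"-P INPUT "}; policy=${policy%% *}; continue ;;
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"--dport $port "*|*"--dport $port")
                case "$line" in
                    *"-j ACCEPT"*)
                        case "$line" in
                            *" -s "*) restricted=$((restricted + 1)) ;;
                            *) unrestricted=$((unrestricted + 1))
                               printf 'FINDING: port %s accepted from any source: %s\n' "$port" "$line" ;;
                        esac ;;
                    *"-j DROP"*|*"-j REJECT"*) blocked=$((blocked + 1)) ;;
                esac ;;
            *"-j ACCEPT"*)
                # An ACCEPT with no port, source, loopback or connection-state
                # qualifier admits traffic to the WEB GUI port as well.
                case "$line" in
                    *"--dport"*|*" -s "*|*"-i lo"*|*"--ctstate"*|*"--state"*) ;;
                    *) unrestricted=$((unrestricted + 1))
                       printf 'FINDING: blanket ACCEPT also reaches port %s: %s\n' "$port" "$line" ;;
                esac ;;
        esac
    done
    status=0
    [ "$unrestricted" -eq 0 ] || status=1
    if [ "$restricted" -eq 0 ] && [ "$unrestricted" -eq 0 ]; then
        if [ "$policy" != DROP ] && [ "$policy" != REJECT ]; then
            printf 'FINDING: no INPUT rule mentions port %s and the INPUT policy is %s\n' "$port" "$policy"
            status=1
        fi
    elif [ "$blocked" -eq 0 ] && [ "$policy" != DROP ] && [ "$policy" != REJECT ]; then
        printf 'FINDING: port %s allowed for listed hosts but nothing drops other sources (INPUT policy %s)\n' "$port" "$policy"
        status=1
    fi
    return $status
}

# Constructed sample ruleset (not captured from a real host) showing a shape
# that passes: loopback, established traffic, one management host, then an
# explicit drop for the port, under a default-deny INPUT policy.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.5.20/32 -p tcp -m tcp --dport 55443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 55443 -j DROP
COMMIT'

# run_audit: check the live ruleset; requires root for iptables-save.
run_audit() {
    iptables-save 2>/dev/null | audit_webui_rules "$WEBUI_PORT"
}

case "${1:-}" in
    --run)    run_audit ;;
    --sample) printf '%s\n' "$SAMPLE_GOOD" | audit_webui_rules "$WEBUI_PORT" && echo "sample ruleset: OK" ;;
esac
```

Run with --run as root on the audited host, or --sample to see the constructed passing ruleset evaluated. An empty iptables-save (no iptables at all, or a host that uses nftables directly) yields "policy unknown" and is reported as a finding rather than silently passing; treat a clean result as a reason to look at the rules, not as proof.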
Group
On Access VSEL Settings
Group contains 17 rules |
[ref]
This section defines the settings required for on access scans. |
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected
[ref] | Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed.
If a cleaning attempt is not successful, however, quarantining or deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.action.App.primary: Clean,
the scanner first attempts to clean infected files, preserving the file data. | Rationale: | Malware may have infected a file that is necessary to the user. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_action_app_primary | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-013 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected
[ref] | Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed.
If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.action.App.secondary: Quarantine,
files that cannot be cleaned are quarantined, preserving the file data. | Rationale: | Malware may have infected a file that is necessary to the user. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_action_app_secondary | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-014 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when programs and jokes are found
[ref] | Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers.
While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts,
after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.action.Default.primary: Clean,
the scanner first attempts to clean detected programs/jokes, preserving the file data. | Rationale: | Configuring the anti-virus software to attempt to clean the file first allows for the possibility of a false positive.
In most cases, however, the secondary action (quarantine, per the next rule) will be used, mitigating the risk of the PUPs being installed and used maliciously. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_action_default_primary | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-015 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when programs and jokes are found
[ref] | Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed.
If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.action.Default.secondary: Quarantine,
programs/jokes that cannot be cleaned are quarantined, preserving the file data. | Rationale: | Malware may have infected a file that is necessary to the user. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_action_default_secondary | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-016 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if an error occurs during scanning
[ref] | Anti-virus software is the most commonly used technical control for malware threat mitigation.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.action.error: Block,
access to any file that cannot be scanned because of an error is denied; the scanner fails closed rather than releasing an unscanned file. | Rationale: | Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_action_error | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-017 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out
[ref] | Anti-virus software is the most commonly used technical control for malware threat mitigation.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.action.timeout: Pass,
access to a file whose scan exceeds the configured maximum scan time is allowed. Unlike the error action, this fails open, an availability trade-off; it relies on the maximum scan time rule in this section so that a file is released unscanned only after the scanner has spent at least 45 seconds on it. | Rationale: | Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_action_timeout | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-018 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types
[ref] | When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.allFiles: true,
all file types are scanned. | Rationale: | By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_allFiles | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-010 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning
[ref] | Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned.
By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.decompArchive: true,
compressed archives are decompressed before being scanned. | Rationale: | Decompression can slow performance; however, any virus-infected file inside an archive cannot become active until it has been extracted. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_decompArchive | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-004 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning
[ref] | For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup.
Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.oasEnabled: true,
on-access scanning is enabled and the antivirus software runs from the initial startup of the system. | Rationale: | For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. | Severity: | high | Rule ID: | xccdf_org.ssgproject.content_rule_oas_enabled | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-003 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO
[ref] | When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
On-access exclusions appear as paired nailsd.profile.OAS.filter.<name>.type and nailsd.profile.OAS.filter.<name>.path lines; the baseline contains one such pair, nailsd.profile.OAS.filter.varlog.type: exclude-path with nailsd.profile.OAS.filter.varlog.path: /var/log, where varlog is the filter name.
List every nailsd.profile.OAS.filter. entry in the file and compare it against the documented exclusions. If the only exclusion is /var/log, or every other exclusion is documented and approved by the ISSO/ISSM/AO, this is not a finding; any exclusion without that approval is a finding. | Rationale: | By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_exclusions | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-012 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses
[ref] | Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware.
Typically, these strains and variants will share unique characteristics with others in their virus family.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.heuristicAnalysis: true,
heuristic analysis for unknown program viruses is enabled. | Rationale: | By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses
even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_heuristicAnalysis | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-005 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses
[ref] | Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of
applications' macro programming language to infect application documents and document templates, while scripting viruses infect
scripts that are understood by scripting languages processed by services on the OS.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.macroAnalysis: true,
heuristic analysis for unknown macro viruses is enabled. | Rationale: | Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts.
Scanning for unknown macro viruses will mitigate zero-day attacks. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_macroAnalysis | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-006 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs
[ref] | Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers.
While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts,
after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.program: true,
detection of potentially unwanted programs is enabled, and detected PUPs are handled by the primary and secondary actions configured for programs and jokes. | Rationale: | Configuring the anti-virus software to attempt to clean the file first allows for the possibility of a false positive.
In most cases, however, the secondary action will be used, mitigating the risk of the PUPs being installed and used maliciously. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_program | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-007 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds
[ref] | When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of
the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus
software uses when scanning a file, the scan will be able to complete in a timely manner.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.scanMaxTmo: 45,
the on-access scanner spends up to 45 seconds on a single file before the timeout action applies; a value of 45 or greater satisfies this rule. | Rationale: | Although the description of this requirement indicates a "maximum scan time", the intent of this requirement is to explicitly set a
maximum scan time without impacting the effectiveness of the scan. Left unconfigured, the scan could run indefinitely on one file.
If configured with a value of less than 45 seconds, the scanning of some files will be skipped. If configured with 45 or more seconds,
the success rate of files being completely scanned is higher. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_scanMaxTmo | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-010 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed
[ref] | It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.scanNWFiles: true,
files on network mounts are scanned. | Rationale: | Mounting network volumes to other network systems introduces a path for malware to be introduced. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_scanNWFiles | Identifiers and References | References:
CCI-001242, SI-3, SRG-APP-000278, DTAVSEL-019 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk
[ref] | Anti-virus software is the most commonly used technical control for malware threat mitigation.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.scanOnRead: true,
files are scanned when read from disk. | Rationale: | Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_scanOnRead | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-009 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk
[ref] | Anti-virus software is the most commonly used technical control for malware threat mitigation.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/nailsd.cfg.
If this config file contains the line nailsd.profile.OAS.scanOnWrite: true,
files are scanned when written to disk. | Rationale: | Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_oas_scanOnWrite | Identifiers and References | References:
CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-008 | |
|
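Every rule in this group, and the nailsd.cfg rules in the General VSEL Settings group, reduce to the same check: a key: value line in nailsd.cfg (or, for the On-Demand rules that follow, the same pattern in ods.cfg). As an added example (not part of this guide and not McAfee code), the script below collects those expected pairs and audits both files in one pass. It parses the key and value instead of grepping for an exact line, so a key that is absent, written with different spacing, or set a second time to another value is reported correctly; it also enforces the scanMaxTmo minimum and lists on-access exclusions that are not on the approved list. The file locations, the key list and the approved exclusion (/var/log) come from the guide; the last-occurrence-wins parsing rule, the variable and function names and the --run switch are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the guide or of the VSEL product: audit nailsd.cfg
# (daemon and on-access settings) and ods.cfg (on-demand settings) against the
# "key: value" lines this guide's rules look for. Paths assume the default
# RUNTIMEDIR /var/opt/NAI/LinuxShield; override the variables if yours differ.
NAILSD_CFG="${NAILSD_CFG:-/var/opt/NAI/LinuxShield/etc/nailsd.cfg}"
ODS_CFG="${ODS_CFG:-/var/opt/NAI/LinuxShield/etc/ods.cfg}"
# Exclusion paths approved by the ISSO/ISSM/AO; the guide's baseline has /var/log.
APPROVED_EXCLUSIONS="${APPROVED_EXCLUSIONS:-/var/log}"
# Required settings as key=expected (scanMaxTmo is a minimum, checked separately).
OAS_REQUIRED='nailsd.oasEnabled=true
nailsd.disableCltWebUI=true
notifications.virusDetected.active=true
nailsd.profile.OAS.action.App.primary=Clean
nailsd.profile.OAS.action.App.secondary=Quarantine
nailsd.profile.OAS.action.Default.primary=Clean
nailsd.profile.OAS.action.Default.secondary=Quarantine
nailsd.profile.OAS.action.error=Block
nailsd.profile.OAS.action.timeout=Pass
nailsd.profile.OAS.allFiles=true
nailsd.profile.OAS.decompArchive=true
nailsd.profile.OAS.heuristicAnalysis=true
nailsd.profile.OAS.macroAnalysis=true
nailsd.profile.OAS.program=true
nailsd.profile.OAS.scanNWFiles=true
nailsd.profile.OAS.scanOnRead=true
nailsd.profile.OAS.scanOnWrite=true'
ODS_REQUIRED='nailsd.profile.ODS.action.App.primary=Clean
nailsd.profile.ODS.action.App.secondary=Quarantine
nailsd.profile.ODS.action.Default.primary=Clean
nailsd.profile.ODS.action.Default.secondary=Quarantine
nailsd.profile.ODS.allFiles=true
nailsd.profile.ODS.decompArchive=true'

# cfg_get FILE KEY: value of the last "KEY: value" line (exact key, comments
# skipped, whitespace trimmed; "last wins" is an assumption). Empty if absent.
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, ":") {
            key = substr($0, 1, index($0, ":") - 1); val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { if (found != "") print found }' "$1"
}

# audit_cfg FILE REQUIRED: one FINDING per missing or mismatched key, status 1
# if any. Unlike grepping for "key: true", this also catches "key:true" and a
# later line that resets the key to a different value.
audit_cfg() {
    [ -r "$1" ] || { printf 'FINDING: %s is not readable\n' "$1"; return 2; }
    cfg_out=$(printf '%s\n' "$2" | while IFS='=' read -r key want; do
        got=$(cfg_get "$1" "$key")
        if [ -z "$got" ]; then
            printf 'FINDING: %s missing in %s (expected %s)\n' "$key" "$1" "$want"
        elif [ "$got" != "$want" ]; then
            printf 'FINDING: %s is %s in %s (expected %s)\n' "$key" "$got" "$1" "$want"
        fi
    done)
    if [ -n "$cfg_out" ]; then printf '%s\n' "$cfg_out"; return 1; fi
}

# audit_scan_timeout FILE: nailsd.profile.OAS.scanMaxTmo must be numeric and >= 45.
audit_scan_timeout() {
    tmo=$(cfg_get "$1" nailsd.profile.OAS.scanMaxTmo)
    case "$tmo" in
        ''|*[!0-9]*) printf 'FINDING: scanMaxTmo missing or not numeric in %s\n' "$1"; return 1 ;;
    esac
    if [ "$tmo" -lt 45 ]; then
        printf 'FINDING: scanMaxTmo is %s in %s (must be 45 or more)\n' "$tmo" "$1"; return 1
    fi
}

# audit_exclusions FILE: each nailsd.profile.OAS.filter.<name> pair must be an
# exclude-path whose path is on the approved list; anything else is a finding.
audit_exclusions() {
    ex_rc=0
    for name in $(awk -F'[.:]' '/^[ \t]*nailsd\.profile\.OAS\.filter\./ { print $5 }' "$1" | sort -u); do
        type=$(cfg_get "$1" "nailsd.profile.OAS.filter.$name.type")
        path=$(cfg_get "$1" "nailsd.profile.OAS.filter.$name.path")
        approved=0; for a in $APPROVED_EXCLUSIONS; do [ "$path" != "$a" ] || approved=1; done
        if [ "$type" != "exclude-path" ] || [ "$approved" -eq 0 ]; then
            printf 'FINDING: on-access filter %s (%s %s) is not an approved exclusion\n' "$name" "$type" "$path"
            ex_rc=1
        fi
    done
    return $ex_rc
}

# run_audit: the live check against the installed files; 0 means no findings.
run_audit() {
    total=0
    audit_cfg "$NAILSD_CFG" "$OAS_REQUIRED" || total=1
    audit_scan_timeout "$NAILSD_CFG" || total=1
    audit_exclusions "$NAILSD_CFG" || total=1
    audit_cfg "$ODS_CFG" "$ODS_REQUIRED" || total=1
    if [ "$total" -eq 0 ]; then echo "OK: all checked VSEL settings match the guide"; fi
    return $total
}

if [ "${1:-}" = "--run" ]; then run_audit; fi
```

Run with --run on the audited host as a user that can read both files (root, or the nails account). Add further approved exclusions as a space-separated APPROVED_EXCLUSIONS value, and keep that list next to the ISSO/ISSM/AO approval record so the script and the paperwork cannot drift apart.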
Group
On Demand VSEL Settings
Group contains 14 rules |
[ref]
This section defines the settings required for on demand scans. |
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean as first action when a virus or Trojan is detected
[ref] | Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed.
If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg.
If this config file contains the line nailsd.profile.ODS.action.App.primary: Clean,
the scanner first attempts to clean infected files, preserving the file data. | Rationale: | Malware may have infected a file that is necessary to the user. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_action_app_primary | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-106 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected
[ref] | Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed.
If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg.
If this config file contains the line nailsd.profile.ODS.action.App.secondary: Quarantine,
files that cannot be cleaned are quarantined, preserving the file data. | Rationale: | Malware may have infected a file that is necessary to the user. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_action_app_secondary | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-107 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean as first action when programs and jokes are found
[ref] | Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers.
While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts,
after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg.
If this config file contains the line nailsd.profile.ODS.action.Default.primary: Clean,
the scanner first attempts to clean detected programs/jokes, preserving the file data. | Rationale: | Configuring the anti-virus software to attempt to clean the file first allows for the possibility of a false positive.
In most cases, however, the secondary action (quarantine, per the next rule) will be used, mitigating the risk of the PUPs being installed and used maliciously. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_action_default_primary | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-110 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Quarantine if first action fails when programs and jokes are found
[ref] | Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed.
If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network.
To check that VSEL settings are configured correctly, examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg.
If this config file contains the line nailsd.profile.ODS.action.Default.secondary: Quarantine,
programs/jokes that cannot be cleaned are quarantined, preserving the file data. | Rationale: | Malware may have infected a file that is necessary to the user. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_action_default_secondary | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-111 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types
[ref] | When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.allFiles: true ,
all file types will be scanned. | Rationale: | By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_allFiles | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-105 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning
[ref] | Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned.
By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.decompArchive: true ,
compressed archives will be decompressed before being scanned. | Rationale: | Decompression can slow performance; however, any virus-infected file inside an archive cannot become active until it has been extracted. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_decompArchive | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-101 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week
[ref] | Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files
are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.
To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface)
of the Linux system being reviewed from a desktop browser window and log on with the nails user account.
In the VSEL WEB Monitor, review tasks under View , Scheduled Tasks .
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task and review the details under Task Details for .
If Next run does not specify every 1 week , or more frequently, this is a finding.
To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc .
Enter the command /opt/NAI/LinuxShield/bin/nails task --list .
If the return does not show a task for the LinuxShield On-Demand Scan, this is a finding. | Rationale: | Anti-virus software is the most commonly used technical control for malware threat mitigation. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_enabled | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-100 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO
[ref] | When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected.
To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface)
of the Linux system being reviewed from a desktop browser window and log on with the nails user account.
In the VSEL WEB Monitor, review tasks under View , Scheduled Tasks .
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click Modify .
Under 2. What to Scan , click Next .
Under 3. Choose Scan Settings , Paths Excluded From Scanning .
If any paths other than the following paths are excluded, and the exclusions have not been documented and approved by the ISSO/ISSM/AO, this is a finding.
/var/log
/_admin/Manage_NSS
/mnt/system/log
/media/nss/.*/(\._NETWARE|\._ADMIN)
/.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC)
/cgroup
/dev
/proc
/selinux
/sys | Rationale: | By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_exclusions | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-108 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories
[ref] | When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains a line with "extensions.mode" set to any value other than all (that is, anything other than extensions.mode: all ),
associated scans may ignore certain file extensions. | Rationale: | Excluding file types from scans introduces the possibility for infected files to go undetected by the scanner. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_extensions | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-113 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses
[ref] | Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware.
Typically, these strains and variants will share unique characteristics with others in their virus family.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.heuristicAnalysis: true ,
unknown program viruses will be scanned for. | Rationale: | By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses
even if they are padded with extra, meaningless code. This method of detection is Heuristic detection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_heuristicAnalysis | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-102 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses
[ref] | Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of
applications' macro programming language to infect application documents and document templates, while scripting viruses infect
scripts that are understood by scripting languages processed by services on the OS.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.macroAnalysis: true ,
unknown macro viruses will be scanned for. | Rationale: | Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts.
Scanning for unknown macro viruses will mitigate zero-day attacks. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_macroAnalysis | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-103 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files
[ref] | Malware is often packaged within an archive. In addition, archives might have other archives within.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.mime: true ,
MIME-encoded files will be decoded and scanned. | Rationale: | Not scanning archive files introduces the risk of infected files being introduced into the environment. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_mime | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-112 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs
[ref] | Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers.
While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts,
after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.program: true ,
potentially unwanted programs will be scanned for. | Rationale: | Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive.
In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_program | Identifiers and References | References:
CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-104 | |
|
Rule
The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed
[ref] | It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.
To check that VSEL settings are configured correctly, you have to examine the config file
available under /var/opt/NAI/LinuxShield/etc/ods.cfg .
If this config file contains the line nailsd.profile.ODS.scanNWFiles: true ,
files on network mounts are scanned. | Rationale: | Mounting network volumes to other network systems introduces a path for malware to be introduced. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_ods_scanNWFiles_local | Identifiers and References | References:
CCI-001242, SI-3, SRG-APP-000278, DTAVSEL-019 | |
|
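The ods.cfg checks in the rules above (primary and secondary actions, allFiles, decompArchive, extensions.mode, heuristicAnalysis, macroAnalysis, mime, program and scanNWFiles) all reduce to reading a "key: value" line from /var/opt/NAI/LinuxShield/etc/ods.cfg and comparing it with the required value. The plain-shell script below is an added example written for this page; it is not part of the SCAP Security Guide, of any DISA STIG, or of the McAfee VSEL product. It assumes ods.cfg has one setting per line in the "key: value" form the rule text quotes, matches the "extensions.mode" setting by key suffix because the guide does not spell out its full key, and runs against a constructed sample file rather than a real installation.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide or of McAfee VSEL:
# check the On-Demand Scanner (ODS) settings that the rules above read
# from ods.cfg. Assumptions: one "key: value" setting per line; the full
# key for "extensions.mode" is not given by the guide, so it is matched
# by suffix.

# key:value pairs, each exactly as the corresponding rule states it
REQUIRED_ODS_SETTINGS='
nailsd.profile.ODS.action.Default.primary:Clean
nailsd.profile.ODS.action.Default.secondary:Quarantine
nailsd.profile.ODS.allFiles:true
nailsd.profile.ODS.decompArchive:true
nailsd.profile.ODS.heuristicAnalysis:true
nailsd.profile.ODS.macroAnalysis:true
nailsd.profile.ODS.mime:true
nailsd.profile.ODS.program:true
nailsd.profile.ODS.scanNWFiles:true
'

# ods_setting FILE KEY [suffix]
# Print the value of KEY (text after the first colon, whitespace trimmed)
# or nothing when the key is absent. Keys are compared whole, so
# "...Default.primary" does not match "...Default.primary.other"; with a
# third argument, any key ending in KEY matches.
ods_setting() {
    awk -v key="$2" -v suffix="${3:-}" '
        index($0, ":") == 0 { next }   # comments and blank lines
        {
            k = substr($0, 1, index($0, ":") - 1)
            v = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key || (suffix != "" && length(k) >= length(key) &&
                             substr(k, length(k) - length(key) + 1) == key)) {
                print v; exit
            }
        }
    ' "$1"
}

# check_ods_cfg FILE
# Print one FINDING line per rule that is not met and return the number
# of findings (0 when every setting is as the rules require).
check_ods_cfg() {
    findings=0
    for entry in $REQUIRED_ODS_SETTINGS; do
        key=${entry%%:*}
        want=${entry#*:}
        have=$(ods_setting "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FINDING: $key is '${have:-<missing>}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    # Per the ods_extensions rule, only a present value other than "all"
    # is a finding; an absent line is not.
    mode=$(ods_setting "$1" "extensions.mode" suffix)
    if [ -n "$mode" ] && [ "$mode" != "all" ]; then
        echo "FINDING: extensions.mode is '$mode', expected 'all'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample (not a real ods.cfg): the secondary action is wrong
# and scanNWFiles is missing, so two findings are expected.
sample=$(mktemp)
cat > "$sample" <<'EOF'
nailsd.profile.ODS.action.Default.primary: Clean
nailsd.profile.ODS.action.Default.secondary: Delete
nailsd.profile.ODS.allFiles: true
nailsd.profile.ODS.decompArchive: true
extensions.mode: all
nailsd.profile.ODS.heuristicAnalysis: true
nailsd.profile.ODS.macroAnalysis: true
nailsd.profile.ODS.mime: true
nailsd.profile.ODS.program: true
EOF
if check_ods_cfg "$sample"; then
    echo "ods.cfg meets the On-Demand scanner rules above"
else
    echo "review the findings listed above"
fi
rm -f "$sample"
```

Point check_ods_cfg at /var/opt/NAI/LinuxShield/etc/ods.cfg on the system under review to get one FINDING line per rule that is not met; the exact key matching matters because a scanner profile can contain several keys that share a prefix, and a loose grep would report the wrong one.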