Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux

with profile McAfee VirusScan Enterprise for Linux (VSEL) STIG
The McAfee VirusScan Enterprise for Linux software provides a realtime virus scanner for Linux systems.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for McAfee VirusScan Enterprise for Linux. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for McAfee VirusScan Enterprise for Linux, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title	McAfee VirusScan Enterprise for Linux (VSEL) STIG
Profile ID	xccdf_org.ssgproject.content_profile_stig

CPE Platforms

cpe:/a:mcafee:virusscan_enterprise_for_linux:1.9
cpe:/a:mcafee:virusscan_enterprise_for_linux:2.0

Revision History

Current version: 0.1.56

draft (as of 2021-05-26)

McAfee VirusScan Enterprise for Linux (VSEL)

Checklist

Group Guide to the Secure Configuration of McAfee VirusScan Enterprise for Linux Group contains 4 groups and 39 rules

Group McAfee VirusScan Enterprise for Linux (VSEL) Group contains 3 groups and 39 rules

[ref] The McAfee VirusScan Enterprise for Linux software provides a realtime virus scanner for Linux systems.

Group General VSEL Settings Group contains 8 rules

[ref] To support a secured and compliant configuration, a number of settings need to be modified from their default configuration and locked so that they are prevented from being changed.

Rule A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes [ref]
Failure of anti-virus signature updates will eventually render the software to be useless in protecting the Linux system from malware. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `notifications.virusDetected.active: true`, Administrators will be notified of events detected.
Rationale:	Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_virus_notification
Identifiers and References	References: CCI-001240, SI-3, SRG-APP-000276, DTAVSEL-205
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^notifications.virusDetected.active' 'true' '' '%s: %s'

Rule The anti-virus signature file age must not exceed 7 days [ref]
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. To check that anti-virus signature files are updated, you have to login to the VSEL Web Monitor. In the VSEL WEB Monitor, under `View`, select `Host Summary`. In the `Host Summary`, verify the `DAT Date:` is within the last 7 days.
Rationale:	By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.
Severity:	high
Rule ID:	xccdf_org.ssgproject.content_rule_dats_updated
Identifiers and References	References: CCI-001240, SI-3, SRG-APP-000276, DTAVSEL-001

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates [ref]
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. To check that anti-virus signature files are updated, you have to login to the VSEL Web Monitor. In the VSEL WEB Monitor, under `View`, select `Scheduled Tasks`. Under `Scheduled Tasks`, under `Task Summaries`, with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task. Verify the `Type` is `Update` and the `Status` is `Completed` with Results of `Update Finished`. Under `Task Details` for the task, click on the `Modify` button. Choose `2. Choose what to update` and verify the `Virus definition files (also known as DAT files)` is selected.
Rationale:	The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_dats_auto_update
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-002

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use [ref]
It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use. Consult with the System Administrator of the Linux system being reviewed. Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used. If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, this is a finding.
Rationale:	Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_scanned_media
Identifiers and References	References: CCI-000870, MA-3(2), SRG-APP-000073, DTAVSEL-200

Rule The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source [ref]
Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed from a desktop browser window and logon with the nails user account. In the VSEL WEB Monitor, under `Configure`, select `Repositories`. Under `Repository List`, verify all repositories listed point to a local or DoD-managed repository. If all repositories listed do not point to local or DoD-managed repository, this is a finding.
Rationale:	While obtaining updates, patches, service packs and updates from the vendor are timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_updates_source
Identifiers and References	References: CCI-001749, CM-5, SRG-APP-000131, DTAVSEL-201

Rule The McAfee VirusScan Enterprise for Linux Web interface must be disabled unless the system is on a segregated network [ref]
The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.disableCltWebUI: true`, the WEB GUI will be disabled by default.
Rationale:	By restricting access to interface by implementing firewall rules, the risk of unauthorized access will be mitigated.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_web_client_disabled
Identifiers and References	References: CCI-001813, CM-5(1), SRG-APP-000380, DTAVSEL-000
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.disableCltWebUI' 'true' '' '%s: %s'

Rule Access to the McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be enforced by firewall rules [ref]
The McAfee VirusScan Enterprise for Linux WEB GUI is the method for configuring the McAfee VSEL on a non-managed Linux system. The WEB GUI on the system could be used maliciously to gain unauthorized access to the system. To check that the WEB GUI is restricted, review the iptables configuration and confirm that access is restricted to authorized hosts
Rationale:	By restricting access to interface by implementing firewall rules, the risk of unauthorized access will be mitigated.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_web_client_firewalled
Identifiers and References	References: CCI-001813, CM-5, SRG-APP-000380, DTAVSEL-301

Rule The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role [ref]
The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. To check that nails and nailsgroup are configured correctly, access the Linux system console command line as root. Execute the following commands. This command will pipe the results to text files for easier review. `find / -group nailsgroup >nailsgroup.txt` `find / -user nails >nails.txt` Execute the following commands to individually review each of the text files of results, pressing space bar to move to each page until the end of the exported text. `more nailsgroup.txt` `more nails.txt` When reviewing the results, verify the nailsgroup group and nails user only own the following paths. The following paths assume an INSTALLDIR of `/opt/NAI/LinuxShield` and a RUNTIMEDIR of `/var/opt/NAI/LinuxShield`. If alternative folders were used, replace the following paths accordingly when validating. `/var/opt/NAI` and sub-folders `/opt/NAI` and sub-folders `/McAfee/lib` `/var/spool/mail/nails` `/proc/#####` (where ##### represents the various process IDs for the VSEL processes.) If any other folder is owned by either the nailsgroup group or the nails user, this is a finding.
Rationale:	Ensuring the nails user/nailsgroup group only has access to the required functions necessary for its intended role will mitigate the possibility of the nails user/nailsgroup group from being used to perform malicious destruction to the system in the event of a compromise.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_restricted_user
Identifiers and References	References: CCI-002235, AC-6(10), SRG-APP-000340, DTAVSEL-202

Group On Access VSEL Settings Group contains 17 rules

[ref] This section defines the settings required for on access scans.

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses [ref]
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.macroAnalysis: true`, unknown macro viruses will be scanned.
Rationale:	Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_macroAnalysis
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-006
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.macroAnalysis' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds [ref]
When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.scanMaxTmo: 45`, a scan will not timeout in less than 45 seconds of scanning a file.
Rationale:	Although the description of this requirement indicates a "maximum scan time", the intent of this requirement is to explicitly set a maximum scan time without impacting the effectiveness of the scan. Left unconfigured, the scan could run indefinitely on one file. If configured with a value of less than 45 seconds, the scanning of some files will be skipped. If configured with 45 or more seconds, the success rate of files being completely scanned is higher.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_scanMaxTmo
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-010
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.scanMaxTmo' '45' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO [ref]
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.filter.varlog.type: exclude-path`, and the line `nailsd.profile.OAS.filter.varlog.path: /var/log` no unapproved exclusions are defined.
Rationale:	By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_exclusions
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-012

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning [ref]
For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.oasEnabled: true`, the antivirus software will be running at initial startup of the system.
Rationale:	For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup.
Severity:	high
Rule ID:	xccdf_org.ssgproject.content_rule_oas_enabled
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-003
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.oasEnabled' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk [ref]
Anti-virus software is the most commonly used technical control for malware threat mitigation. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.scanOnRead: true`, files will be scanned when read from disk.
Rationale:	Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_scanOnRead
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-009
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.scanOnRead' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected [ref]
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.action.App.secondary: Quarantine`, files that cannot be cleaned will be quarantined, preserving the file data.
Rationale:	Malware may have infected a file that is necessary to the user.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_action_app_secondary
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-014
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.action.App.secondary' 'Quarantine' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs [ref]
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.program: true`, potentially unwanted programs will be scanned.
Rationale:	Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_program
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-007
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.program' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Quarantine if first action fails when programs and jokes are found [ref]
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.action.Default.secondary: Quarantine`, programs/jokes that cannot be cleaned will be quarantined, preserving the file data.
Rationale:	Malware may have infected a file that is necessary to the user.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_action_default_secondary
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-016
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.action.Default.secondary' 'Quarantine' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if an error occurs during scanning [ref]
Anti-virus software is the most commonly used technical control for malware threat mitigation. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.action.error: Block`, any file resulting in an error reading the file will be blocked.
Rationale:	Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_action_error
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-017
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.action.error' 'Block' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected [ref]
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.action.App.primary: Clean`, files will attempted to be cleaned first, preserving the file data.
Rationale:	Malware may have infected a file that is necessary to the user.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_action_app_primary
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-013
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.action.App.primary' 'Clean' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out [ref]
Anti-virus software is the most commonly used technical control for malware threat mitigation. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.action.timeout: Pass`, any file resulting in a timeout reading the file will be passed.
Rationale:	Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_action_timeout
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-018
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.action.timeout' 'Pass' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk [ref]
Anti-virus software is the most commonly used technical control for malware threat mitigation. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.scanOnWrite: true`, files will be scanned when written to disk.
Rationale:	Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_scanOnWrite
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-008
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.scanOnWrite' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning [ref]
Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned. By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.decompArchive: true`, compressed archives will be decompressed before being scanned.
Rationale:	Decompression can slow performance, however; any virus-infected file inside an archive cannot become active until it has been extracted.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_decompArchive
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-004
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.decompArchive' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when programs and jokes are found [ref]
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.action.Default.primary: Clean`, programs/jokes will attempted to be cleaned first, preserving the file data.
Rationale:	Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_action_default_primary
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-015
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.action.Default.primary' 'Clean' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types [ref]
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.allFiles: true`, all file types will be scanned.
Rationale:	By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_allFiles
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-010
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.allFiles' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses [ref]
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.heuristicAnalysis: true`, unknown virus programs will be scanned.
Rationale:	By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_heuristicAnalysis
Identifiers and References	References: CCI-001243, SI-3, SRG-APP-000279, DTAVSEL-005
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.heuristicAnalysis' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed [ref]
It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/nailsd.cfg`. If this config file contains the line `nailsd.profile.OAS.scanNWFiles: true`, files on network mounts are scanned.
Rationale:	Mounting network volumes to other network systems introduces a path for malware to be introduced.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_oas_scanNWFiles
Identifiers and References	References: CCI-001242, SI-3, SRG-APP-000278, DTAVSEL-019
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.OAS.scanNWFiles' 'true' '' '%s: %s'

Group On Demand VSEL Settings Group contains 14 rules

[ref] This section defines the settings required for on demand scans.

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean as first action when programs and jokes are found [ref]
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.action.Default.primary: Clean`, programs/jokes will attempted to be cleaned first, preserving the file data.
Rationale:	Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_action_default_primary
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-110
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.action.Default.primary' 'Clean' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Quarantine if first action fails when programs and jokes are found [ref]
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.action.Default.secondary: Quarantine`, programs/jokes that cannot be cleaned will be quarantined, preserving the file data.
Rationale:	Malware may have infected a file that is necessary to the user.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_action_default_secondary
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-111
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.action.Default.secondary' 'Quarantine' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs [ref]
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.program: true`, potentially unwanted programs will be scanned.
Rationale:	Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_program
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-104
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.program' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean as first action when a virus or Trojan is detected [ref]
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.action.App.primary: Clean`, files will attempted to be cleaned first, preserving the file data.
Rationale:	Malware may have infected a file that is necessary to the user.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_action_app_primary
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-106
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.action.App.primary' 'Clean' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types [ref]
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.allFiles: true`, all file types will be scanned.
Rationale:	By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_allFiles
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-105
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.allFiles' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions that are documented and approved by the ISSO/ISSM/AO [ref]
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed from a desktop browser window and logon with the nails user account. In the VSEL WEB Monitor, review tasks under `View`, `Scheduled Tasks`. With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click `Modify`. Under `2. What to Scan`, click `Next`. Under `3. Choose Scan Settings`, `Paths Excluded From Scanning`. If any paths other than the following paths are excluded, and the exclusions have not been documented and approved by the ISSO/ISSM/AO, this is a finding. `/var/log` `/_admin/Manage_NSS` `/mnt/system/log` `/media/nss/./(\._NETWARE\|\._ADMIN)` `/.\.(vmdk\|VMDK\|dbl\|DBL\|ctl\|CTL\|log\|LOG\|jar\|JAR\|war\|WAR\|dtx\|DTX\|dbf\|DBF\|frm\|FRM\|myd\|MYD\|myi\|MYI\|rdo\|RDO\|arc\|ARC)` `/cgroup` `/dev` `/proc` `/selinux` `/sys`
Rationale:	By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_exclusions
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-108

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week [ref]
Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated. To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed from a desktop browser window and logon with the nails user account. In the VSEL WEB Monitor, review tasks under `View`, `Scheduled Tasks`. With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task and review the details under `Task Details for`. If `Next run` does not specify `every 1 week`, or more frequently, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to `/var/opt/NAI/LinuxShield/etc`. Enter the command `/opt/NAI/LinuxShield/bin/nails task --list`. If the return does not show a task for the LinuxShield On-Demand Scan, this is a finding.
Rationale:	Anti-virus software is the most commonly used technical control for malware threat mitigation.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_enabled
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-100

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses [ref]
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.macroAnalysis: true`, unknown macro viruses will be scanned.
Rationale:	Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_macroAnalysis
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-103
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.macroAnalysis' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning [ref]
Malware can be hidden within archived files and passed from system to system undetected unless the archive is decompressed and each file scanned. By disabling the archive scanning capability, archives such as .tar and .tgz files will not be decompressed and any infected files in the archives would go undetected. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.decompArchive: true`, compressed archives will be decompressed before being scanned.
Rationale:	Decompression can slow performance, however; any virus-infected file inside an archive cannot become active until it has been extracted.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_decompArchive
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-101
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.decompArchive' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories [ref]
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains a line with "extensions.mode" with values set to anything other than `extensions.mode: all`, associated scans may ignore certain file extensions.
Rationale:	Excluding file types from scans introduces the possibility for infected files to go undetected by the scanner.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_extensions
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-113
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" if ! grep -q extensions.mode "$NAILS_CONFIG_FILE"; then sed -i '$a nailsd.profile.ODS_default.filter.extensions.mode: all' "$NAILS_CONFIG_FILE" else # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" 'extensions.mode' 'all' '' '%s: %s' fi

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses [ref]
Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.heuristicAnalysis: true`, unknown virus programs will be scanned.
Rationale:	By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_heuristicAnalysis
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-102
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.heuristicAnalysis' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files. [ref]
Malware is often packaged within an archive. In addition, archives might have other archives within. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.mime: true`, potentially unwanted programs will be scanned.
Rationale:	Not scanning archive files introduces the risk of infected files being introduced into the environment.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_mime
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-112
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.mime' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed [ref]
It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.scanNWFiles: true`, files on network mounts are scanned.
Rationale:	Mounting network volumes to other network systems introduces a path for malware to be introduced.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_scanNWFiles_local
Identifiers and References	References: CCI-001242, SI-3, SRG-APP-000278, DTAVSEL-019
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.scanNWFiles' 'true' '' '%s: %s'

Rule The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Quarantine if first action fails when a virus or Trojan is detected [ref]
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, quarantining the file is the only safe option to ensure the malware is not introduced onto the system or network. To check that VSEL settings are configured correctly, you have to examine the config file available under `/var/opt/NAI/LinuxShield/etc/ods.cfg`. If this config file contains the line `nailsd.profile.ODS.action.App.secondary: Quarantine`, files that cannot be cleaned will be quarantined, preserving the file data.
Rationale:	Malware may have infected a file that is necessary to the user.
Severity:	medium
Rule ID:	xccdf_org.ssgproject.content_rule_ods_action_app_secondary
Identifiers and References	References: CCI-001241, SI-3, SRG-APP-000277, DTAVSEL-107
Remediation Shell script ⇲ NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/ods.cfg" # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] \|\| format="$default_format" # Check sanity of the input [ $# -ge "3" ] \|\| { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>./$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } replace_or_append "$NAILS_CONFIG_FILE" '^nailsd.profile.ODS.action.App.secondary' 'Quarantine' '' '%s: %s'

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.