
Installing McAfee Change Control 6.1.3 and monitoring a CIFS Share

McAfee ChangeControl

What is McAfee Change and Application Control?

Changes in server environments are constantly taking place in many organizations today—and going undetected. It’s a situation that is dangerous, both in terms of security and compliance. McAfee® Change Control delivers continuous, enterprise-wide detection of authorized changes as they occur. It blocks unauthorized changes to critical system files, directories, and configurations while streamlining the implementation of new policies and compliance measures.

Key Advantages

  • Gain continuous visibility and real-time management of changes to critical system, configuration, or content files.
  • Prevent tampering with critical files and registry keys by unauthorized parties.
  • Fulfill the PCI DSS requirement for a file integrity monitoring (FIM) system.
  • Easy to get started with out-of-the-box FIM rules.
  • QSA-friendly reports for easy PCI reporting.
  • One-click exclusion feature to avoid tracking irrelevant information.
  • Tight policy enforcement via proactive blocking of out-of-process and unwanted changes before they occur.
  • Integrates with McAfee® ePolicy Orchestrator® (McAfee ePO™) console for centralized IT management.

The Task

Install Change Control or Application Control in the McAfee® ePolicy Orchestrator® (McAfee ePO™) environment. These steps apply to ePolicy Orchestrator 4.6.0 – 5.1.0 software.

Pre-Requisites

  • Verify that the McAfee ePO server and database are installed and configured. McAfee ePO is a management tool that installs software and deploys policies on the managed endpoints. It also allows you to monitor client activity, create reports, and store and distribute content and software updates. For instructions, see the ePolicy Orchestrator Installation Guide and ePolicy Orchestrator Product Guide.
  • Make sure that the McAfee Agent is installed on each endpoint on which you want to install Change Control or Application Control. McAfee Agent acts as the intermediary between the Solidcore client and McAfee ePO server. It sends data to the client from the McAfee ePO server and vice versa.
  • Download the Solidcore extension package from the McAfee Downloads site. The Solidcore extension file is typically named Solidcore_epo_extn_<ver>.<build>.zip.
  • Download the Solidcore client package from the McAfee Downloads site. Here are the available Solidcore client packages.

Change01

  • Make sure that the endpoints on which you need to install the Solidcore client are supported. See KB76459 (for Change Control) and KB73341 (for Application Control).
  • Review the KnowledgeBase article (see KB76544) to determine if a precompiled binary is available for your Linux target kernel.
  • If a precompiled binary is available for your target kernel, you need not meet any prerequisites and can directly proceed with installation (see Install the Solidcore client on the endpoints).
  • If a precompiled binary is unavailable for your target kernel, see Linux installation workflow for information on prerequisites and installation.
  • Determine the database sizing requirements for your setup (see KB72753).
  • Review the minimum system requirements for Change Control and Application Control (see KB76579).
  • Review the release notes to acquaint yourself with the known issues and identify dependencies you need to consider.

Installation Steps

  • Install the Solidcore extension. The Solidcore extension integrates with the McAfee ePO console and provides Change Control and Application Control features. The Solidcore extension installs on versions 4.6, 5.0, and 5.1 of the McAfee ePO server.
  • Log in to your McAfee ePO server.
  • Make sure that the extension file is stored at an accessible location.
  • On the McAfee ePO console, select Menu | Software | Extensions to open the Extensions page.

Change02

  • Click Install Extension.

Change03

  • Browse and select the Solidcore_epo_extn_<ver>.<build>.zip file, then click OK.
  • Verify the information on the Install Extension page, then click OK.
  • Verify that the Solidcore product name appears in the Extensions list.

Change04

  • On the McAfee ePO console, select Menu | Configuration | Server Settings to open the Setting Categories page.

Change05

  • Select Solidcore, then click Edit to open the Edit Solidcore page.
  • Enter the license keys, then click Save. Evaluation licenses last for 30 days.

Change06

  • Now we need to install the Solidcore client
  • The Solidcore client provides change monitoring, change prevention, and whitelisting features on the endpoints on which it is installed. You can install and deploy the Solidcore client on Windows, Linux, and AIX platforms. For all supported platforms, the Solidcore client works on both physical and virtual machines (VMs).
  • On the McAfee ePO console, select Menu | Software | Master Repository.
  • From the Packages in the Master Repository page, select Actions | Check In Package.

Change07

  • Set the package type to Product or Update (.ZIP).

Change08

  • Browse and select the package zip file and click Next to open the Package Options page.
  • Confirm the information.
    • Package Info: Verify the package details.
    • Branch: Select the desired branch. Set to Current for new products.
    • Options: Optionally, select Move the existing package to the Previous branch to move an existing package to the previous branch.
    • Package signing: Indicates if the package is signed by McAfee or is a third-party package.
  • Click Save to add the package. The new package appears in the Packages in Master Repository list.

Change10

  • Now we need to set up a task to install the client on a test endpoint.
  • On the McAfee ePO console, select Menu | Systems | System Tree.
  • Perform one of these actions:
    • To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.
    • To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.
  • I am just testing this on my VDI VM at the moment, so I choose the first option as per the screenprint below.

Change11

  • Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

Change12

  • Select the McAfee Agent product and Product Deployment task type, then click Create New Task.

Change13

  • Specify the task name and add any descriptive information.
  • Select the target platform. For example, when installing the Solidcore client package on the Windows operating system, select Windows as the target platform.
  • Specify the component and action.
    a. Select the appropriate package from the Products and components list.
    b. Select the Install action.
    c. Select the language of the package.
    d. Specify the branch from which to add the package.
  • Click Save, then click Next to open the Schedule page.

Change14

  • Specify scheduling details, then click Next.
  • Review and verify the task details, then click Save.
  • Next select your test VM and click Action > Agent > Run Client Task Now

Change15

  • Choose the following as per the screenprint below

Change16

  • Click Run Task Now and wait until the task completes.
  • Note that you may need to wake up the agents. Click on your test VM and click Wake Up Agents as below.

Change17

  • Now we can verify the agent installation by checking the agent log.
  • Select Actions | Agent | Show Agent Log to view the agent log for the endpoint.

Change18

  • We now need to place the Solidcore client in Enabled mode to activate the software.
  • On the McAfee ePO console, select Menu | Systems | System Tree.
  • Perform one of these actions:
    • To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.
    • To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.
  • Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
  • Select the Solidcore 6.1.3 product and SC: Enable task type, then click Create New Task.
  • On the Client Task Catalog page, specify the task name and add any descriptive information.
  • Select these fields:
    a. Select the platform.
    b. Select the subplatform (only for the Windows and Unix platforms).
    c. Select the version (only for the All except NT/2000 subplatform).
    d. Indicate whether to enable Change Control, Application Control, or both.
  • Click OK. If you open the task again, it should look like the screenprint below.

Change19

  • No reboot should be necessary at this point.
  • Next, select your test VM, click Action > Agent > Run Client Task Now, and select the following to run the Enable task.

Change20

  • We now need to create a task that enables network tracking, so that changes made to files over the network (such as the CIFS share) are recorded.
  • Select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.
  • Click Actions > New Client Task Assignment.
  • Under Product, select Solidcore 6.1.3.
  • Under Task Type, select SC: Run Commands.
  • Under Task Name, select Create New Task.
  • In Run Commands, type: features enable network-tracking
  • Click Save.

Change21

  • Set the schedule as per the screenprint below.

Change22

  • Click Next, review the summary, then click Save.

Change23

  • Next select your test VM and click Action > Agent > Run Client Task Now and select the following to run the Enable Task

Change24

  • Next we need to create Rule Groups
  • A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules. After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, if you need to modify a rule, simply update the rule in the rule group and the change cascades across all associated policies automatically.
  • On the McAfee ePO console, select Menu > Configuration > Solidcore Rules.

Change25

  • Keep Integrity Rules selected. Because we have Windows 7 client machines with a NetApp CIFS share mapped on them, I am going to duplicate the Windows 7 (64 bit) Base Filters rule group. If you have Windows 2008 file servers, you would duplicate a rule group for those instead.
  • Select the Windows 7 (64 bit) Base Filters Rule Group and click Duplicate

Change26

  • Put a name in your Rule Group

Change27

  • Click Edit on your duplicate rule group

Change28

  • Have a look through the top tabs: File, Registry, Extension, Program, User, Filters.
  • On the File tab, click Add and add our NetApp filer share, which is \\nasuser-a\shared\group.
  • This share is also mapped to our I: drive, so I will add that as well, as I:\
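The reason the share is entered twice is that the same file on the filer is reachable from the Windows 7 clients under two spellings, the UNC name and the mapped drive letter, and a rule that lists only one of them leaves the other spelling uncovered. The following added example (my own illustration, not Solidcore's matching logic or any McAfee code) shows how to canonicalize Windows paths so that a reported change is attributed to the right rule regardless of spelling, case, separator style or ".." components, and why the prefix test has to be separator-aware so that a sibling such as ...\grouped is not treated as inside ...\group. The drive mapping, the rule strings and the sample paths are constructed for the example; only the share name itself comes from the post.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed example: the share the post adds to the rule group, written both
# ways it is reachable from the Windows 7 clients (UNC name and mapped drive),
# as plain strings the way they would be typed into the File tab.
RULES: List[str] = [r"\\nasuser-a\shared\group", "I:\\"]

# Assumed drive mapping (the post says I: is mapped to the share). Keys are
# upper-case drive specs so lookups are case-insensitive.
DRIVE_MAP: Dict[str, str] = {"I:": r"\\nasuser-a\shared\group"}


def normalize(path: str, drive_map: Dict[str, str]) -> str:
    """Bring a Windows path into one canonical form so two spellings of the
    same location compare equal: forward slashes become backslashes, a mapped
    drive letter is replaced by its UNC target, '.' and '..' components are
    collapsed, case is folded (NTFS/CIFS names are case-insensitive) and any
    trailing separator is dropped."""
    path = path.replace("/", "\\")
    # "I:\x" -> ("I:", "\x"); "\\srv\share\x" -> ("\\srv\share", "\x")
    drive, rest = ntpath.splitdrive(path)
    target = drive_map.get(drive.upper())
    if target is not None:
        path = target + rest
    return ntpath.normpath(path).lower().rstrip("\\")


def is_under(path: str, root: str) -> bool:
    """Separator-aware prefix test on already-normalized paths. A plain
    startswith() would wrongly treat a sibling whose name merely begins with
    the root's last component ('grouped' vs 'group') as inside the root, so
    the root must be followed by a separator."""
    return path == root or path.startswith(root + "\\")


def matching_rule(changed_path: str, rules: List[str],
                  drive_map: Dict[str, str]) -> Optional[str]:
    """Return the first rule (as typed) that covers changed_path, or None."""
    target = normalize(changed_path, drive_map)
    for rule in rules:
        if is_under(target, normalize(rule, drive_map)):
            return rule
    return None


def triage(changed_paths: List[str], rules: List[str],
           drive_map: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each reported path to the rule that covers it (None = out of scope)."""
    return {p: matching_rule(p, rules, drive_map) for p in changed_paths}


if __name__ == "__main__":
    # Constructed sample of paths as a change event might report them.
    sample = [
        r"\\NASUSER-A\Shared\Group\finance\budget.xlsx",  # UNC, different case
        r"I:\finance\budget.xlsx",                         # same file via the mapped drive
        "//nasuser-a/shared/group/readme.txt",            # forward slashes
        r"\\nasuser-a\shared\grouped\notes.txt",          # sibling share, must NOT match
        r"I:\..\..\other.txt",                             # '..' escapes the share root
        r"C:\Windows\System32\drivers\etc\hosts",         # not in this rule group
    ]
    for path, rule in triage(sample, RULES, DRIVE_MAP).items():
        print(f"{path!r:55} -> {rule}")
```

With the drive map supplied, both spellings of the budget file resolve to the UNC rule; without it (pass an empty dict), the I: path is only caught because the post also added I:\ as a second rule, which is exactly why listing both spellings in the rule group matters.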

Change29

Change31

  • Click Save Rule Group
  • It should now look like the screenprint below.

Change32

  • Next, within Rule Groups, change from Integrity Control to Change Control.

Change33

  • Click Add Rule Group
  • Enter a name, keep Change Control selected, and select Windows.

Change34

  • Click OK and click Save Rule Group
  • Next we need to set up an Integrity Policy and a Change Control Policy
  • Go to Menu > Policy > Policy Catalog

Change36

  • Switch to Solidcore 6.1.3 Integrity Monitor and Integrity Monitoring Rules (Windows)

Change37

  • Click Actions > New Policy and give it a name. You can also duplicate an existing policy.

Change38

  • The Rule Group box will appear. Click Add Rule Group and select your rule group.

Change39

  • Click Save
  • You should now see your monitoring policy as per the screenprint below.

Change41

  • Next in the Policy Catalog change to Solidcore 6.1.3 Change Control and Change Control Rules (Windows)

Change42

  • Click Actions > New Policy, decide whether to create the policy from a blank template, and enter a name.

Change43

  • In the Rules section you can add your existing rule group, or add some test rules under My Rules.

Change44

  • Click Save
  • Go back to the System Tree, select your test VDI, and click Action > Agent > Set Policy & Inheritance.

Change45

  • Choose your Integrity Monitor policy, select Break Inheritance, and click Save.

Change46

  • Next we need to do the same for the Change Control policy.
  • Click Action > Agent > Set Policy & Inheritance.
  • Choose your Change Control settings.

Change47

  • Go back to the System Tree, click on your VDI, and select Wake Up Agents.

Change48

  • Now we need to log on to our VDI, check a few things, and test accessing a folder and a file on the share to see what gets logged in the ePO console under Solidcore events.
  • Once you have edited a file, return to the ePO console and go to Menu > Reporting > Solidcore Events.