McAfee Policy Auditor 5.
COPYRIGHT Copyright © 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents
Introducing McAfee Policy Auditor 5.0
Policy Auditor components and what they do
Policy Auditor
Policy Auditor Agent Plug-in
Statement of CVSS Implementation
Statement of XCCDF Implementation
Statement of OVAL Implementation
Managing the Policy Auditor Agent Plug-in
Flat unweighted scoring model
Absolute scoring model
Changing the scoring model
Creating and Managing Waivers
Working with issues
Creating issues
Creating issues automatically with responses
Assigning issues
PA: Benchmark Rules
PA: Checks Across Benchmarks
PA: Check Catalog List
PA: Check Catalog Usage List
Introducing McAfee Policy Auditor 5.0
McAfee Policy Auditor evaluates the status of managed systems relative to audits that contain benchmarks. Benchmarks contain rules that describe the desired state of a managed system. Benchmarks are received through or imported into McAfee Benchmark Editor and, once activated, can be used by Policy Auditor.
Contents
• Policy Auditor components and what they do
• Where to find McAfee product information
Policy Auditor components and what they do
McAfee Policy Auditor 5.0 consists of three components that enable you to analyze managed systems for compliance with authoritative, open source compliance standards.
• Policy Auditor — manages all aspects of analyzing managed systems for compliance.
Using this guide
This guide provides basic information on configuring Policy Auditor. For information on configuring the ePO server, refer to the McAfee ePolicy Orchestrator 4.0.2 Product Guide. This guide provides information on configuring and using your product. For system requirements and installation instructions, see the Installation Guide.
Where to find McAfee product information
The McAfee documentation is designed to provide you with the information you need during each phase of product implementation, from evaluating a new product to maintaining existing ones. Depending on the product, additional documents might be available.
Configuring Policy Auditor
Policy Auditor is configured from the ePO Server. The ePO Server is the center of your managed environment and provides a single location from which you can administer security settings throughout your network.
benchmarks determine compliance with its rules, but they also return results that can be converted to a human-readable format.
Server setting categories
You should configure Policy Auditor’s server settings before you begin using the product. McAfee supplies default settings, but you might want to use different server settings to fit your organizational needs.
How permission sets work
Audit label
Policy Auditor allows you to set the names used to describe whether an audit has a status of pass, fail, or unknown. McAfee recommends that you keep the default settings but you may change them to fit your organizational needs or existing security policies.
Built-in permission sets
What happens when I install new products?
When a new extension is installed it might add one or more sections to the permission sets. For example, when you install a Policy Auditor extension, a Policy Auditor section is added to each permission set. Initially, the newly added section is listed in each permission set with no permissions configured. A global administrator can then grant permissions in the new section.
Permission Set Permissions
• Issue Management: Create, edit, view and purge assigned issues
• Policy Auditor: View Audits and Assignments
• Policy Auditor: Grant and modify Waivers
Policy Auditor Agent Plug-in
The McAfee Policy Auditor Agent Plug-in is responsible for updating the audit schedule and launching audit scans as required.
Managing Policy Auditor permission sets
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Configuration | Permission Sets, then click New Permission Set. The New Permission Set page appears.
2 Type a Name for the permission set, such as Policy Auditor Editor and select the Users to which the set is assigned.
3 Click Save. The Permission Sets page appears.
2 Click edit next to any section for which you want to grant permissions.
3 On the Edit Permission Set page that appears, select the appropriate options, then click Save.
4 Repeat for all sections of the permission set for which you want to grant permissions.
Deleting a permission set
Use this task to delete a Policy Auditor permission set.
Before you begin
You must have appropriate permissions to perform this task.
Complying with SCAP
Policy Auditor uses the Security Content Automation Protocol (SCAP) to perform automated audits, including policy compliance evaluations such as FISMA.
Contents
• Statement of FDCC Compliance
• Statement of SCAP Implementation
• Statement of CVE Implementation
• Statement of CCE Implementation
• Statement of CPE Implementation
• Statement of CVSS Implementation
• Statement of XCCDF Implementation
• Statement of OVAL Implementation
Statement of FDCC Compliance
McAfee asserts that Policy Auditor 5.
Statement of CVE Implementation
McAfee Policy Auditor 5.0 fully implements and supports the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary. CVE provides unique, standardized identifiers for security vulnerabilities. CVE does not address compliance items — only vulnerability issues.
characteristics. Using CVSS weighted scores can help an organization determine and prioritize responses to detected vulnerabilities. Policy Auditor supports all 4 standard SCAP scoring models. By default, it uses a Flat Unweighted scoring model normalized to 100. The scoring can be changed for comparison purposes.
Statement of XCCDF Implementation
McAfee Policy Auditor 5.0 provides complete implementation of version 1.4.
Managing the Policy Auditor Agent Plug-in
The Policy Auditor Agent Plug-in is an extension of the McAfee agent. The extension manages the schedule for performing audits, runs the audits, and returns the results to Policy Auditor.
Are you deploying the McAfee Policy Auditor Agent Plug-in for the first time?
When installing and uninstalling the McAfee Policy Auditor Agent Plug-in for the first time:
• Understand that the Agent Plug-in can only be installed on systems that already have McAfee Agent 3.
Supported platforms
Policy Auditor 5.
Working with the McAfee Policy Auditor Agent Plug-in
Use these tasks to manage the installation and uninstallation of the McAfee Policy Auditor Plug-in.
Deploying the Policy Auditor Agent Plug-in
Use this task to deploy the Policy Auditor Agent Plug-in to managed systems on your network.
Before you begin
• McAfee Agent 3.6 patch 2 or later must be installed on each system
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | System Tree and select the Client Tasks tab.
2 Click New Task.
8 Send a manual wake-up call to the appropriate group if you want the task to run immediately.
Determining whether the Agent Plug-in is being deployed
Use this task to determine whether the Policy Auditor Agent Plug-in is being deployed to a system.
Before you begin
You must have a Policy Auditor Agent Plug-in install Client Task that is enabled and running.
Before you begin
You must have already installed the Policy Auditor Agent Plug-in on the systems for which you want to verify communication.
Task
For option definitions, click ? in the interface.
1 Send a manual wake-up call to the group containing the systems that you want to check.
2 Go to Reporting | Audit Log.
e Set whether to use the local system time or Coordinated Universal Time (UTC) for running the task.
f For Schedule, select an option from the dropdown list for how to run the task, and the desired time value or values. You can run the task once at a specific time, repeatedly between two times, or repeatedly starting at a specific time.
3 Select More Actions at the bottom left of the page and select Show Agent Log. A new browser window will open that shows the agent log.
4 Search the log for an entry like the following, where is the name of the client task uninstalling the Policy Auditor Agent Plug-in.
Scheduler: Task [] is finished
Creating and Managing Audits
McAfee Policy Auditor 5.0 makes it easy to demonstrate and report on compliance with recognized corporate and industry security standards. You can create your audits from a McAfee-supplied selection of predefined benchmarks established by government and industry such as SOX, HIPAA, PCI, and FISMA. You can also customize your own audits, then determine which managed systems pose a risk.
Audits and how they work
Option: Definition
New Audit: Create a new audit using the New Audit Builder
Delete: Delete the selected audits
Export OVAL: Creates an OVAL results file that conforms to the OVAL results schema. This file can be consumed by any tool that understands the OVAL results schema. For example, Remediation Manager 4.5 can import OVAL results.
Considerations for including systems in an audit
Benchmarks contain rules describing the desired state of a managed system according to recognized standards.
Figure 2: Policy Tree
Rules contain one or more checks written in the OVAL language.
Figure 3: Example Rule
When you run an audit against a managed system, the audit reports the configuration status of the system compared with the rules in the benchmarks.
• Add Group — a group defined in the ePO System Tree
• Add Tag — systems that have been tagged in the ePO System Tree, such as server, workstation, or laptop
The second method allows you to include managed systems by specifying Criteria. Criteria can be defined by selecting properties and using comparison operators and values to represent managed systems.
Benchmark profiles and their impact on managed systems
Audits have benchmarks assigned to them. Many benchmarks contain profiles, which are named sets of selected groups, rules, and values targeted toward different computer system configurations and threat risks.
than 4 days. Blackout windows are set from 8am to 5pm on weekdays. Whiteout windows cover the remaining period. If the benchmark is scheduled for re-evaluation during the Thursday evening whiteout window, the frequency requirement of 4 days would be calculated so the benchmark must be evaluated no later than Thursday morning.
How viewing audit results works
Policy Auditor offers a number of options for viewing audit results.
Audit exports
The page provides a control that allows you to view the results by system group, system subgroup, systems with a specific tag, or even individual systems. You can also adjust the results timeframe to select an audit to review.
View Rule Results Column
Under the View Results column, clicking rule allows you to view the rule results for each system audited. This is an extension of the Audit Results pane that allows you to see the results at the rule level.
4 To block out a period of time when audits should not run, click a white square corresponding to your desired day and hour. To allow a period of time when an audit should be able to run, click a blue square corresponding to your desired day and hour.
5 Click Save.
Exporting audits to XCCDF
Use this task to export an audit to a file that conforms to the XCCDF results schema, saved as a ZIP file.
Creating a new audit
Tasks
• Selecting benchmarks
• Deleting Audits
Selecting benchmarks
Use this task to select one or more benchmarks for use in an audit. If a benchmark has profiles, you can choose to use one of the profiles in the audit or simply use the base benchmark.
Before you begin
You must have appropriate permissions to perform this task. Only benchmarks activated by Benchmark Editor are available for selection.
b Select Criteria, then select one or more Available Properties to add to the Computer Properties pane. Choose the Comparison and select or type in the value.
2 If you wish to exclude systems from the audit, click Add System under the Exclude these pane.
3 Click Next. The Define frequency page appears.
Defining frequency
Use this task to stipulate the frequency for an audit.
Editing existing audits
Use these tasks to edit existing audits.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? on the page displaying the options.
1 Select a method to add systems to the audit.
a Select System Tree and Tags and click one or more of Add System, Add Group, or Add Tag to add systems to the audit.
b Select Criteria, then select one or more Available Properties to add to the Computer Properties pane.
Task
For option definitions, click ? on the page displaying the options.
1 Review your new audit. If changes need to be made, click Back until you have reached the appropriate page.
2 Click Save.
Deleting Audits
Use this task to delete an existing audit.
Before you begin
You must have appropriate permissions to perform this task.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | Audits.
Scoring Audits
When Policy Auditor performs an audit on a managed system, it accepts as input the state of the system and any benchmarks in the audit, and produces several types of output, including a human-readable report about compliance that includes the compliance score and a listing of which rules passed and which failed on the system. Policy Auditor supports all of the scoring models described in the XCCDF 1.1.4 specifications.
Changing the scoring model
model is easy to determine and to understand, scores between different managed systems may not be directly comparable because the maximum score can vary. For example, assume that the rules in a benchmark are not weighted. If Managed System A passes 40 of the rules in an audit and the maximum possible score can be obtained by passing 50 rules, then the score, expressed as a percentage, is 80%.
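The flat, flat unweighted and absolute scoring models named in this chapter, worked through as an added example (not code from McAfee or Policy Auditor) that follows the general XCCDF definitions of those models. The RuleResult type, the function names and the sample systems are constructed for illustration, and the example goes beyond the 40-of-50 case by including not-applicable and weighted rules to show why raw scores are not directly comparable.

```python
from dataclasses import dataclass

# XCCDF result values that are left out of scoring altogether
# (assumption: the usual XCCDF treatment of these four results).
NOT_SCORED = frozenset({"notapplicable", "notchecked", "informational", "notselected"})


@dataclass(frozen=True)
class RuleResult:
    rule_id: str
    result: str          # XCCDF result value: "pass", "fail", "error", ...
    weight: float = 1.0  # rule weight taken from the benchmark


def flat_score(results, weighted=True):
    """Return (score, max_score) for the flat model.

    With weighted=False every scored rule counts as 1, which gives the
    flat unweighted model. Anything other than "pass" earns nothing.
    """
    score = max_score = 0.0
    for r in results:
        if r.result in NOT_SCORED:
            continue  # rule does not count for or against the system
        w = r.weight if weighted else 1.0
        max_score += w
        if r.result == "pass":
            score += w
    return score, max_score


def normalized(score, max_score, scale=100.0):
    """Scale a raw score so that the maximum is always `scale`."""
    return scale * score / max_score if max_score else 0.0


def absolute_score(results):
    """Absolute model: 1 only if every scored rule passed, otherwise 0."""
    score, max_score = flat_score(results, weighted=True)
    return 1 if max_score > 0 and score == max_score else 0


def score_system(results):
    """Score one system under each model for side-by-side comparison."""
    f, fmax = flat_score(results, weighted=True)
    u, umax = flat_score(results, weighted=False)
    return {
        "flat": (f, fmax),
        "flat_pct": round(normalized(f, fmax), 2),
        "flat_unweighted": (u, umax),
        "flat_unweighted_pct": round(normalized(u, umax), 2),
        "absolute": absolute_score(results),
    }


def make_results(passed, failed, not_applicable=0):
    """Build constructed, unweighted sample results for one system."""
    out = []
    for result, count in (("pass", passed), ("fail", failed),
                          ("notapplicable", not_applicable)):
        for _ in range(count):
            out.append(RuleResult(f"rule-{len(out) + 1:03d}", result))
    return out


# Constructed sample data (not from any real audit).
SYSTEM_A = make_results(passed=40, failed=10)                     # the 40-of-50 case
SYSTEM_B = make_results(passed=32, failed=8, not_applicable=10)   # same benchmark, 10 rules N/A
SYSTEM_C = make_results(passed=50, failed=0)                      # fully compliant
# Five rules where the one failing rule carries most of the weight.
WEIGHTED = [RuleResult("rule-critical", "fail", 10.0)] + [
    RuleResult(f"rule-minor-{i}", "pass", 1.0) for i in range(1, 5)
]

if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B),
                         ("C", SYSTEM_C), ("weighted", WEIGHTED)):
        print(name, score_system(system))
```

Systems A and B have different raw maximums (50 and 40) but the same normalized score, which is why normalizing to 100 is what makes systems comparable; the weighted benchmark shows the same results scoring 80% unweighted and far lower once weights apply.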
Creating and Managing Waivers
Waivers provide a way for you to temporarily affect audit scoring for managed systems. Waivers are useful when you have a managed system that is non-compliant with a rule or a benchmark but you do not wish to bring the system into compliance for a temporary period. An example of this would be a system in the Accounting Department that you don't want to patch near the end of an accounting cycle.
How waivers work
Waivers temporarily affect audit scoring for managed systems. Policy Auditor provides three types of waivers with each one exhibiting different functionality. Waivers only appear on the Waivers tab when a user with the proper permissions grants approval for the waiver to take effect. Depending upon the internal security policies of your organization, the persons who request waivers and the persons who grant them may be different people.
Types of waivers
Column: Description
Start Date: The date when a waiver takes effect
Status: A waiver may have a status of Requested, Upcoming, In-effect, or Expired.
System: The system to which the waiver applies. Each waiver is assigned to only one system.
System Group: The System Tree group to which the system belongs
Waiver Name: A name that you give to a waiver. The name does not have to be unique.
Waiver status
• Example of scoring impact: A benchmark has 5 rules. An audit is run on a system and 4 rules pass and 1 fails, resulting in a score of 80%. If the system is granted an exemption waiver, that system does not appear in the scoring.
Suppression waivers
Suppression waivers allow a rule to be included in an audit but exclude the result, thus altering the benchmark score of a system.
How start dates and expires dates work
system-based only and, when you request a waiver, Policy Auditor does not allow you to assign a benchmark and rule. Waivers can only be applied to a single system. When you request a waiver and select a benchmark, the rules applying to that benchmark are automatically populated in the Rule drop-down box. When you select a rule, it is assigned to that waiver.
Filtering waivers
Filter: Description
group of the System Tree. When you select This Group and all Subgroups, Policy Auditor shows waivers in the selected group of the System Tree as well as all subgroups of the selected group.
Tasks
• Filtering waivers by status
• Filtering waivers as of a specified date
• Filtering waivers by group
Filtering waivers by status
Use this task to filter waivers in the Waiver Catalog by status.
Requesting waivers
As of today's date of 10/01/2008, Waiver A and Waiver B both have a status of Upcoming. Use the calendar control to reset the As of date to 12/02/2008. The Waivers Catalog shows the following.
1 Waiver A has a status of Expired.
2 Waiver B has a status of In-effect.
Use the calendar control to reset the As of date to 01/01/2009. The Waivers Catalog shows the following.
1 Waiver A has a status of Expired.
2 Waiver B has a status of Expired.
Granting waivers
2 Click New Waiver. The Waiver Request page appears.
3 Name the waiver then select the type of waiver that you wish to create from the Waiver Type drop-down list.
4 Click Select. The Quick System Search dialog appears.
5 Type the system name, IP address, MAC address, or user name that you wish to search for. If you do not know the full name or address, you can type in a partial search, like 172.21. Click OK. The Search Results page appears.
Expiring waivers
Use this task to make a waiver expire.
Before you begin
You must have waiver grantor permissions to perform this task.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | Waivers. The Waivers tab appears.
2 Select a waiver that has the status of In-effect and click View.
3 Click Expire Waiver. The Waivers tab appears and the status of the waiver is Expired.
Managing Issues and Tickets
The Issue extension allows you to create, modify, assign, and track issues. You can also add tickets to issues for tracking in a ticketing server.
Are you working with issues or tickets for the first time?
When working with issues and tickets for the first time:
• Understand what issues are and how they work.
• Ensure users have permissions to work with issues.
• To add tickets to issues:
  • Understand tickets and how they work with issues.
Tickets and how they work
How issues are managed
How issues are managed and their life cycles are defined by the user and the installed product extensions. An issue's state, priority, severity, resolution, due date, and assignee are all user-defined, and can be changed any time. If the Automatic Response extension is installed, defaults for these can also be specified. The defaults are automatically applied whenever an issue is created based on a user-configured response.
Why ticketed issues should not be edited manually
Editing a ticketed issue manually breaks the relationship between the ticketed issue and the ticket. Therefore, you should update the associated ticket in the ticketing server. For example, if you close a ticketed issue manually or add an assignee, the issue-to-ticket association is broken and the server task, which synchronizes ticketed issues, cannot retrieve the ticket's state or comments.
• If the registered server for the ticketing server is deleted, the system changes the state of each ticketed issue to Assigned or to New if the ticketed issue does not have an assignee specified.
Integrations with ticketing servers
The integration of a ticketing server allows the system to force the creation of tickets associated with issues that were created in product extensions.
Sample mappings
When you register your ticketing server, you must also configure the field mappings for issues and tickets. These sample field mappings are provided for reference only. Your mappings will vary based on the fields required in your ticketing server and the values those fields will accept.
Sample mapping for Remedy
This sample mapping is for reference only.
NOTE: Source values, mapped values, and field IDs are case-sensitive.
• Operation: Identity
• Source field: URL
Map Ticket back to Issue Status field
NOTE: Because this section only maps the ticket's state/status, you are not prompted to add the ID of the issue's status (state) field. This field is implied.
Working with issues
• Source field: Activity Log
• Ticket field: Type the name or ID for any open text field
• Operation: Identity
• Source field: URL
Map Ticket back to Issue Status field
NOTE: Because this section only maps the ticket's state/status, you are not prompted to add the ID of the issue's status (state) field. This field is implied.
2 In the Action panel, select an issue type, then click OK. This choice determines the options available on the New Issue page.
3 Type a name and description for the issue.
4 Accept the default values for state, priority, severity, and resolution, or select different values.
5 Optionally, type the user name of the user to whom you want the issue assigned. The assignee must have a user account in the system.
15 Accept the default values for state, priority, severity, and resolution, or select different values.
16 Type the name of the user to whom you want the issue assigned. The assignee must have a user account in the system.
17 Provide any additional information based on the issue type selected.
18 Click Next. The Summary page appears.
19 Review the details for the response, then click Save.
Editing issues
Use this task to edit an issue. An issue can be edited in a similar way when viewing its details.
CAUTION: Editing a ticketed issue breaks the association between the ticketed issue and the ticket.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Issues, select the checkbox next to the issue, then click Edit.
2 Edit the issue as needed.
3 Click Save.
Working with ticketing servers
Task
For option definitions, click ? on the page displaying the options.
1 Go to Automation | Server Tasks, then click New Task. The Description page of the Server Task Builder appears.
2 Type a name and description for the server task.
3 Enable or disable the schedule for the server task. If you disable the schedule, the server task does not run until it is enabled.
4 Click Next. The Actions page appears.
3 Select the General tab.
4 Under Service status, click Stop. The server is now stopped.
5 Copy the required files for your ticketing server, then repeat steps 1-3.
6 Under Service status, click Start. The server is now running.
Copying the Remedy files
Use this task to copy the files required for the Remedy extension. For information about these files, see your Remedy documentation. The Remedy extension includes support for the Remedy 6.
  • arrpc51.dll
  • arutl51.dll
• If using the Remedy 7.0 API files:
  • arapi70.dll
  • arjni70.dll
  • arrpc70.dll
  • arutiljni70.dll
  • arutl70.dll
  • arxmlutil70.dll
  • icudt32.dll
  • icuin32.dll
  • icuuc32.dll
2 Copy these required files to the Server\common\lib folder of your Policy Auditor installation. For example, C:\Program Files\McAfee\ePolicy Orchestrator\Server\common\lib.
• If using the Remedy 5.1 API files:
  • arapi51.jar
  • arutil51.
Installing the ticketing server extensions
Use this task to install ticketing server extensions.
Before you begin
• Copy the files required for the ticketing server.
• Restart the server.
Task
1 Go to Configuration | Extensions, then click Install Extension.
2 Browse to and select the extension (ZIP) file.
  • For Remedy, select Remedy.zip. This file includes support for Remedy 6.3 and 7.0.
  • For Service Desk 4.5, select ServiceDesk_4_5.zip.
• On the system running Service Desk 4.5, add the name of that system as a DNS suffix in the IP settings, then reboot the Service Desk 4.5 system.
Figure 6: Example of settings for Service Desk 4.5 DNS
Registering a ticketing server
Use this task to register a ticketing server. This task must be completed before tickets can be associated with issues.
Before you begin
• Make sure you have installed the extension for your ticketing server.
• Know which fields from the ticketing server need to be mapped.
Tasks
• Mapping issues to tickets
• Mapping tickets back to issue status
Mapping issues to tickets
Use this task to configure the field mapping from the issue to the ticket.
Task
For option definitions, click ? on the page displaying the options.
NOTE: Source values, mapped values, and field IDs are case-sensitive.
1 Next to Configure mapping, click Configure. The Mapping page appears.
Mapping tickets back to issue status
Use this task to configure the field mapping from the ticket back to the issue's status (state) field.
NOTE: Because this section only maps the ticket's state/status, you are not prompted to add the ID of the issue's status (state) field. This field is implied.
Task
For option definitions, click ? on the page displaying the options.
NOTE: Source values, mapped values, and field IDs are case-sensitive.
Working with tickets
Before you begin
• Make sure the upgraded version of the ticketing server is running.
Task
CAUTION: If the server task, which synchronizes ticketed issues, runs after the existing registered ticketing server is modified or deleted, but before the upgraded ticketing server is integrated, the issue-to-ticket association is broken. If this occurs, complete this task, then manually add tickets to all previously ticketed issues.
Task
1 Go to Reporting | Issues, select the checkbox next to each issue, then click Add ticket.
2 In the Action panel, click OK to add a ticket to each selected issue.
Synchronizing ticketed issues
Use this task to run the Issue Synchronization server task, which updates ticketed issues and their associated tickets in the ticketing server.
Before you begin
Make sure you have integrated a ticketing server.
Querying the Database Policy Auditor ships with its own querying and reporting capabilities. These are highly customizable and provide flexibility and ease of use. Included is the Query Builder wizard which creates and runs queries that result in user-configured data in user-configured charts and tables. To get you started, McAfee includes a set of default queries which provide the same information as the default reports of previous versions.
Querying the Database Queries Exported results Query results can be exported to four different formats. Exported results are historical data and are not refreshed like when using queries as dashboard monitors. Like query results and query-based monitors displayed in the console, you can drill down into the HTML exports for more detailed information. Unlike query results in the console, data in exported reports is not actionable.
Querying the Database Query Builder Query Builder ePolicy Orchestrator provides an easy, four-step builder with which to create and edit custom queries. With the wizard you can configure which data is retrieved and displayed, and how it is displayed. Result types The first selection you make in the Query Builder wizard is a result type. This selection identifies what type of data the query will be retrieving. This selection determines what the available selections are in the rest of the wizard.
Multi-server roll-up querying

Table columns
Specify columns for the table. If you select Table as the primary display of the data, this configures that table. If you selected a type of chart as the primary display of data, this configures the drill-down table. Query results displayed in a table are actionable. For example, if the table is populated with systems, you can deploy or wake up agents on those systems directly from the table.
Preparing for roll-up querying
Creating a Data Roll Up server task

Registering ePO servers
Use this task to register each ePO server with the reporting server that you want to include in roll-up queries. You must also register the reporting server. Registering the servers ensures that summary data can be taken from each to populate the eporollup_ tables in the local database.

Task
For option definitions, click ? on the page displaying the options.
Working with queries
Use these tasks to create, use, and manage queries.

Tasks
• Creating custom queries
• Running an existing query
• Running a query on a schedule
• Making personal queries public
• Duplicating queries
• Sharing a query between ePO servers

Creating custom queries
Use this task to create custom queries with the Query Builder wizard. You can query on system properties, product properties, many of the log files, repositories, and more.
Running an existing query
Use this task to run an existing query from the Queries page.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Queries, then select a query from the Queries list.
2 Click Run. The query results appear. Drill down into the report and take actions on items as necessary. Available actions depend on the permissions of the user.
3 Click Close when finished.
• Move To — Moves all systems in the query results to a group in the System Tree. This option is only valid for queries that result in a table of systems.
• Change Sorting Status — Enables or disables System Tree sorting on all systems in the query results. This option is only valid for queries that result in a table of systems.
• Exclude Tag — Excludes a specified tag from all systems in the query results.
Making personal queries public
Use this task to make personal queries public. All users with permissions to public queries have access to any personal queries you make public.

Before you begin
You must have appropriate permissions to perform this task.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Queries, then select the desired query from the My Queries list.
2 Click Make Public at the bottom of the page.
2 Click Export, then OK in the Action panel. The File Download dialog box appears.
3 Click Save, select the desired location for the XML file, then click OK. The file is saved in the specified location.

Importing queries
Use this task to import a query that was exported from another ePO server.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Queries, then click Import Query. The Import Query dialog box appears.
Default queries and what they display
Policy Auditor ships with a number of default queries that can be used for some of your most common needs. Each of these queries yields data that can be drilled down multiple times to show increasingly detailed data.

PA: Benchmark Checks
Use this query to view a list of checks and the number of times they are used in a benchmark.
Option: Definition
Export: Export the check in a ZIP format
Remove Labels: Remove labels from check

PA: Check Catalog Usage List
Use this page to view a list of OVAL checks and their rule and benchmark associations.

Query results
The results of the query are displayed in a list of checks. Click a check to view information on it. You can perform actions upon a check.
Before you begin
This query and its results depend on the Generate Compliance Event server task. Schedule this server task to run at a regular interval. This query depends on a Boolean pie chart query based on managed systems (for example, the default ePO: Compliance Summary query).

Query results
The results of the query are displayed in a line chart. Details depend on the defined compliance of the ePO: Compliance Summary query.
Assessing Your Environment With Dashboards

Dashboards allow you to keep a constant eye on your environment. Dashboards are collections of monitors. Monitors can be anything from a chart-based query, to a small web application, like the MyAvert Security Threats, that is refreshed at a user-configured interval. Users must have the appropriate permissions to use and create dashboards.
• McAfee Links — Hyperlinks to McAfee sites, including ePolicy Orchestrator Support, Avert Labs WebImmune, and Avert Labs Threat Library.

Setting up dashboard access and behavior
Use these tasks to ensure users have the appropriate access to dashboards, and how often dashboards are refreshed.
Working with Dashboards
Use these tasks to create and manage dashboards.

Tasks
• Creating dashboards
• Making a dashboard active
• Selecting all active dashboards
• Making a dashboard public

Creating dashboards
Use this task to create a dashboard.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Dashboards, then select Manage Dashboards from the Options drop-down list. The Manage Dashboards page appears.
Task
For option definitions, click ? on the page displaying them.
1 Go to Dashboards, click Options, then select Manage Dashboards. The Manage Dashboards page appears.
2 Select a dashboard from the Dashboards list, then click Make Active.
3 Click OK when prompted.
4 Click Close. The selected dashboard is now on the tab bar.

Selecting all active dashboards
Use this task to select all dashboards that make up your active set.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Dashboards, then select Manage Dashboards from the Options drop-down list.
2 Select the desired dashboard from the Available Dashboards list, then click Make Public.
3 Click OK when prompted. The dashboard appears in the Public Dashboards list on the Manage Dashboards page.