Add SSG content for McAfee VSEL

CMakeLists.txt

@@ -89,6 +89,7 @@ option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SS
 option(SSG_PRODUCT_UBUNTU1404 "If enabled, the Ubuntu 14.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1604 "If enabled, the Ubuntu 16.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_VSEL "If enabled, the McAfee VSEL SCAP content will be built" TRUE)
 option(SSG_PRODUCT_WRLINUX8 "If enabled, the WRLinux8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_WRLINUX1019 "If enabled, the WRLinux1019 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 
@@ -262,6 +263,7 @@ message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
 message(STATUS "Ubuntu 14.04: ${SSG_PRODUCT_UBUNTU1404}")
 message(STATUS "Ubuntu 16.04: ${SSG_PRODUCT_UBUNTU1604}")
 message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
+message(STATUS "McAfee VSEL: ${SSG_PRODUCT_VSEL}")
 message(STATUS "WRLinux 8: ${SSG_PRODUCT_WRLINUX8}")
 message(STATUS "WRLinux 1019: ${SSG_PRODUCT_WRLINUX1019}")
 
@@ -382,6 +384,9 @@ endif()
 if (SSG_PRODUCT_UBUNTU1804)
     add_subdirectory("ubuntu1804")
 endif()
+if (SSG_PRODUCT_VSEL)
+    add_subdirectory("vsel")
+endif()
 if (SSG_PRODUCT_WRLINUX8)
     add_subdirectory("wrlinux8")
 endif()

build_product

@@ -290,6 +290,7 @@ all_cmake_products=(
 	UBUNTU1404
 	UBUNTU1604
 	UBUNTU1804
+	VSEL
 	WRLINUX8
 	WRLINUX1019
 )

ssg/constants.py

@@ -23,6 +23,7 @@
     'rhv4',
     'sle11', 'sle12', 'sle15',
     'ubuntu1404', 'ubuntu1604', 'ubuntu1804',
+    'vsel',
     'wrlinux8', 'wrlinux1019'
 ]
 
@@ -153,6 +154,7 @@
     "Apple macOS 10.15": "macos1015",
     "Red Hat OpenShift Container Platform 3": "ocp3",
     "Red Hat OpenShift Container Platform 4": "ocp4",
+    "McAfee VirusScan Enterprise for Linux": "vsel",
     "Red Hat Enterprise Linux CoreOS 4": "rhcos4",
     "Oracle Linux 7": "ol7",
     "Oracle Linux 8": "ol8",
@@ -312,6 +314,10 @@
     "ubuntu1804": [
         "cpe:/o:canonical:ubuntu_linux:18.04",
     ],
+    "vsel": [
+        "cpe:/a:mcafee:virusscan_enterprise_for_linux:1.9",
+        "cpe:/a:mcafee:virusscan_enterprise_for_linux:2.0",
+    ],
     "wrlinux8": [
         "cpe:/o:windriver:wrlinux:8",
     ],
@@ -518,6 +524,7 @@
     'fuse': 'JBoss Fuse',
     'opensuse': 'openSUSE',
     'sle': 'SUSE Linux Enterprise',
+    'vsel': 'McAfee VirusScan Enterprise for Linux',
     'wrlinux': 'WRLinux',
     'example': 'Example Linux Content',
     'ol': 'Oracle Linux',

vsel/CMakeLists.txt

@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd vsel; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!")
+endif()
+
+ssg_build_product("vsel")

vsel/checks/oval/installed_app_is_vsel.xml

@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="inventory" id="installed_app_is_vsel" version="1">
+    <metadata>
+      <title>McAfee VirusScan Enterprise for Linux</title>
+      <affected family="unix">
+        <product>McAfee VirusScan Enterprise for Linux</product>
+      </affected>
+      <reference ref_id="installed_app_is_vsel" source="CPE" />
+      <description>The application installed on the system is McAfee VSEL 1.9 or 2.0.</description>
+    </metadata>
+    <criteria operator="OR">
+	  <criterion comment="McAfee's VSEL 1.9.x is installed" test_ref="test_vsel_19" />
+	  <criterion comment="McAfee's VSEL 2.0.x is installed" test_ref="test_vsel_20" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="McAfee's VSEL 1.9.x is installed" id="test_vsel_19" version="1">
+    <linux:object object_ref="obj_vsel_19" />
+	<linux:state state_ref="state_vsel_19" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_vsel_19" version="1">
+    <linux:name operation="pattern match">^McAfeeVSEForLinux$</linux:name>
+  </linux:rpminfo_object>
+  <linux:rpminfo_state id="state_vsel_19" version="1">
+    <linux:version operation="pattern match">^1.9.*$</linux:version>
+  </linux:rpminfo_state>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="McAfee's VSEL 2.0.x is installed" id="test_vsel_20" version="1">
+    <linux:object object_ref="obj_vsel_20" />
+	<linux:state state_ref="state_vsel_20" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_vsel_20" version="1">
+    <linux:name operation="pattern match">^McAfeeVSEForLinux$</linux:name>
+  </linux:rpminfo_object>
+  <linux:rpminfo_state id="state_vsel_20" version="1">
+    <linux:version operation="pattern match">^2.0.*$</linux:version>
+  </linux:rpminfo_state>
+
+</def-group>

vsel/cpe/vsel-cpe-dictionary.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+      <cpe-item name="cpe:/a:mcafee:virusscan_enterprise_for_linux:1.9">
+            <title xml:lang="en-us">McAfee's VirusScan Enterprise for Linux (VSEL) 1.9.x</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_vsel</check>
+      </cpe-item>
+      <cpe-item name="cpe:/a:mcafee:virusscan_enterprise_for_linux:2.0">
+            <title xml:lang="en-us">McAfee's VirusScan Enterprise for Linux (VSEL) 2.0.x</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_vsel</check>
+      </cpe-item>
+</cpe-list>

vsel/guide/benchmark.yml

@@ -0,0 +1,53 @@
+---
+documentation_complete: true
+
+title: Guide to the Secure Configuration of {{{ full_name }}}
+
+status: draft
+
+description: |
+    This guide presents a catalog of security-relevant
+    configuration settings for {{{ full_name }}}. It is a rendering of
+    content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
+    in order to support security automation.  The SCAP content is
+    is available in the <tt>scap-security-guide</tt> package which is developed at
+    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}.
+    <br/><br/>
+    Providing system administrators with such guidance informs them how to securely
+    configure systems under their control in a variety of network roles. Policy
+    makers and baseline creators can use this catalog of settings, with its
+    associated references to higher-level security control catalogs, in order to
+    assist them in security baseline creation. This guide is a <em>catalog, not a
+    checklist</em>, and satisfaction of every item is not likely to be possible or
+    sensible in many operational scenarios. However, the XCCDF format enables
+    granular selection and adjustment of settings, and their association with OVAL
+    and OCIL content provides an automated checking capability. Transformations of
+    this document, and its associated automated checking content, are capable of
+    providing baselines that meet a diverse set of policy objectives. Some example
+    XCCDF <em>Profiles</em>, which are selections of items that form checklists and
+    can be used as baselines, are available with this guide. They can be
+    processed, in an automated fashion, with tools that support the Security
+    Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}},
+    which provides required settings for US Department of Defense systems, is
+    one example of a baseline created from this guidance.
+
+notice:
+    id: terms_of_use
+    description: |
+        Do not attempt to implement any of the settings in
+        this guide without first testing them in a non-operational environment. The
+        creators of this guidance assume no responsibility whatsoever for its use by
+        other parties, and makes no guarantees, expressed or implied, about its
+        quality, reliability, or any other characteristic.
+
+front-matter: |
+    The SCAP Security Guide Project<br/>
+    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}
+
+rear-matter: |
+    Red Hat and Red Hat Enterprise Linux are either registered
+    trademarks or trademarks of Red Hat, Inc. in the United States and other
+    countries. All other names are registered trademarks or trademarks of their
+    respective companies.
+
+version: 0.9

vsel/guide/vsel/general_settings/dats_auto_update/rule.yml

@@ -0,0 +1,37 @@
+documentation_complete: true
+
+title: 'The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates'
+
+description: |-
+    Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus 
+    clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system.
+
+    To check that anti-virus signature files are updated, you have to login to the VSEL Web Monitor.
+    In the VSEL WEB Monitor, under <tt>View</tt>, select <tt>Scheduled Tasks</tt>.
+    Under <tt>Scheduled Tasks</tt>, under <tt>Task Summaries</tt>, with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task.
+    Verify the <tt>Type</tt> is <tt>Update</tt> and the <tt>Status</tt> is <tt>Completed</tt> with Results of <tt>Update Finished</tt>.
+    Under <tt>Task Details</tt> for the task, click on the <tt>Modify</tt> button.
+    Choose <tt>2. Choose what to update</tt> and verify the <tt>Virus definition files (also known as DAT files)</tt> is selected.    
+
+rationale: |-
+    The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
+
+severity: medium
+
+references:
+    disa@vsel: "1243"
+    nist: SI-3
+    srg@vsel: SRG-APP-000279
+    stigid@vsel: DTAVSEL-002
+
+ocil_clause: |-
+    the VirusScan DAT update task doesn't exist or <tt>2. Choose what to update</tt> does not have <tt>Virus definition files (also known as DAT files)</tt> selected
+
+ocil: |-
+    To verify that anti-virus signature files are updated, login to VSEL Web Monitor and verify the following:
+    Under <tt>View</tt>, select <tt>Scheduled Tasks</tt>.
+    Under <tt>Scheduled Tasks</tt>, under <tt>Task Summaries</tt>, with the assistance of the McAfee VSEL SA, identify the VirusScan DAT update task.
+    Verify the <tt>Type</tt> is <tt>Update</tt> and the <tt>Status</tt> is <tt>Completed</tt> with Results of <tt>Update Finished</tt>.
+    Under <tt>Task Details</tt> for the task, click on the <tt>Modify</tt> button.
+    Choose <tt>2. Choose what to update</tt> and verify the <tt>Virus definition files (also known as DAT files)</tt> is selected.
+

vsel/guide/vsel/general_settings/dats_updated/rule.yml

@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'The anti-virus signature file age must not exceed 7 days'
+
+description: |-
+    Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus 
+    clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system.
+
+    To check that anti-virus signature files are updated, you have to login to the VSEL Web Monitor.
+    In the VSEL WEB Monitor, under <tt>View</tt>, select <tt>Host Summary</tt>.
+    In the <tt>Host Summary</tt>, verify the <tt>DAT Date:</tt> is within the last 7 days.
+
+rationale: |-
+    By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature 
+    age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be 
+    immediately out of date.
+
+severity: high
+
+references:
+    disa@vsel: "1240"
+    nist: SI-3
+    srg@vsel: SRG-APP-000276
+    stigid@vsel: DTAVSEL-001
+
+ocil_clause: |-
+    the <tt>DAT Date:</tt> is older than 7 days
+
+ocil: |-
+    To verify that anti-virus signature files are updated, login to VSEL Web Monitor and verify the following:
+    Under <tt>View</tt>, select <tt>Host Summary</tt>.
+    In the <tt>Host Summary</tt>, verify the <tt>DAT Date:</tt> is within the last 7 days.

vsel/guide/vsel/general_settings/group.yml

@@ -0,0 +1,8 @@
+documentation_complete: true
+
+title: 'General VSEL Settings'
+
+description: |-
+    To support a secured and compliant configuration, a number of 
+    settings need to be modified from their default configuration and locked so 
+    that they are prevented from being changed.

vsel/guide/vsel/general_settings/restricted_user/rule.yml

@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role'
+
+description: |-
+    The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. 
+    The WEB GUI is also accessed using the nails user. 
+
+    To check that nails and nailsgroup are configured correctly, access the Linux system console command line as root.
+    Execute the following commands. This command will pipe the results to text files for easier review. 
+
+    <tt>find / -group nailsgroup >nailsgroup.txt</tt>
+    <tt>find / -user nails >nails.txt</tt>
+
+    Execute the following commands to individually review each of the text files of results, pressing space bar to move to each page 
+    until the end of the exported text. 
+
+    <tt>more nailsgroup.txt</tt>
+    <tt>more nails.txt</tt>
+
+    When reviewing the results, verify the nailsgroup group and nails user only own the following paths.
+    The following paths assume an INSTALLDIR of <tt>/opt/NAI/LinuxShield</tt> and a RUNTIMEDIR of <tt>/var/opt/NAI/LinuxShield</tt>. 
+    If alternative folders were used, replace the following paths accordingly when validating.
+
+    <tt>/var/opt/NAI</tt> and sub-folders
+    <tt>/opt/NAI</tt> and sub-folders
+    <tt>/McAfee/lib</tt>
+    <tt>/var/spool/mail/nails</tt>
+    <tt>/proc/#####</tt> (where ##### represents the various process IDs for the VSEL processes.)
+
+    If any other folder is owned by either the nailsgroup group or the nails user, this is a finding.
+
+rationale: |-
+    Ensuring the nails user/nailsgroup group only has access to the required functions necessary for its 
+    intended role will mitigate the possibility of the nails user/nailsgroup group from being used to perform malicious destruction to the 
+    system in the event of a compromise.
+
+severity: medium
+
+references:
+    disa@vsel: "2235"
+    nist: AC-6(10)
+    srg@vsel: SRG-APP-000340
+    stigid@vsel: DTAVSEL-202

vsel/guide/vsel/general_settings/scanned_media/rule.yml

@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use'
+
+description: |-
+    It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.
+
+    Consult with the System Administrator of the Linux system being reviewed.
+
+    Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used.
+
+    If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, 
+    this is a finding.
+
+rationale: |-
+    Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System.
+
+severity: medium
+
+references:
+    disa@vsel: "870"
+    nist: MA-3(2)
+    srg@vsel: SRG-APP-000073
+    stigid@vsel: DTAVSEL-200

vsel/guide/vsel/general_settings/updates_source/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'The McAfee VirusScan Enterprise must be configured to receive all patches, service packs and updates from a DoD-managed source'
+
+description: |-
+    Anti-virus signature files are updated almost daily by anti-virus software vendors. 
+    These files are made available to anti-virus clients as they are published. 
+    Keeping virus signature files as current as possible is vital to the security of any system. 
+    The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.
+
+    To check that VSEL settings are configured correctly, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) 
+    of the Linux system being reviewed from a desktop browser window and logon with the nails user account.
+
+    In the VSEL WEB Monitor, under <tt>Configure</tt>, select <tt>Repositories</tt>.
+    Under <tt>Repository List</tt>, verify all repositories listed point to a local or DoD-managed repository.
+
+    If all repositories listed do not point to local or DoD-managed repository, this is a finding.
+
+rationale: |-
+    While obtaining updates, patches, service packs and updates from the vendor are timelier, 
+    the possibility of corruption or malware being introduced to the system is higher. 
+    By obtaining these from an official DoD source and/or downloading them to a separate system 
+    first and validating them before making them available to systems, the possibility of 
+    malware being introduced is mitigated.
+
+severity: medium
+
+references:
+    disa@vsel: "1749"
+    nist: CM-5
+    srg@vsel: SRG-APP-000131
+    stigid@vsel: DTAVSEL-201
+

vsel/guide/vsel/general_settings/virus_notification/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform =  McAfee VirusScan Enterprise for Linux
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+NAILS_CONFIG_FILE="/var/opt/NAI/LinuxShield/etc/nailsd.cfg"
+replace_or_append "$NAILS_CONFIG_FILE" '^notifications.virusDetected.active' 'true' '@CCENUM@' '%s: %s'