kriterion 0.0.1

data/standards/stig_mcafee_application_control_7.x.json

@@ -0,0 +1,203 @@
+{
+  "name": "stig_mcafee_application_control_7.x",
+  "date": "2018-01-03",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee Application Control 7.x Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-74175",
+      "title": "A McAfee Application Control written policy must be documented to outline the organization-specific variables for application whitelisting.",
+      "description": "Enabling application whitelisting without adequate design and organization-specific requirements will either result in an implementation which is too relaxed or an implementation which causes denial of service to its user community. Documenting the specific requirements and trust model before configuring and deploying the McAfee Application Control software is mandatory.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74195",
+      "title": "The Solidcore client Command Line Interface (CLI) Access Password protection process must be documented in the organizations written policy.",
+      "description": "The Solidcore client can be configured locally at the CLI, but only when accessed with the required password.\n\nSince the McAfee Application Control configuration is to be managed by ePO policies, allowing enablement of the CLI to would introduce the capability of local configuration changes. \n\nStrict management of the accessibility of the CLI is necessary in order to prevent its misuse.\n\nThe misuse of the CLI would open the system up to the possible configuration changes potentially allowing malicious applications to execute unknowingly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74197",
+      "title": "The requirement for scheduled Solidcore client Command Line Interface (CLI) Access Password changes must be documented in the organizations written policy.",
+      "description": "The Solidcore client can be configured locally at the CLI, but only when accessed with the required password.\n\nThe misuse of the CLI would open the system up to the possible configuration, allowing malicious applications to execute unknowingly. Strict management of the accessibility of the CLI is necessary in order to prevent its misuse.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74199",
+      "title": "The process by which the Solidcore client Command Line Interface (CLI) Access Password is made available to administrators when needed must be documented in the organizations written policy.",
+      "description": "The Solidcore client can be configured locally at the CLI, but only when accessed with the required password.\n\nSince the McAfee Application Control configuration is to be managed by ePO policies, allowing enablement of the CLI to would introduce the capability of local configuration changes. \n\nStrict management of the accessibility of the CLI is necessary in order to prevent its misuse.\n\nThe misuse of the CLI would open the system up to the possible configuration changes potentially allowing malicious applications to execute unknowingly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74201",
+      "title": "The McAfee Application Control Options Advanced Threat Defense (ATD) settings, if being used, must be confined to the organizations enclave.",
+      "description": "Data will be leaving the endpoint to be analyzed by the ATD. Because data could feasibly be intercepted en route, risk of outside threats is minimized by ensuring the ATD is in the same enclave as the endpoints.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74203",
+      "title": "The configuration of features under McAfee Application Control Options policies Enforce feature control must be documented in the organizations written policy.",
+      "description": "By default, the McAfee Application Control prevents installation of ActiveX controls on endpoints, enforces memory protection techniques on endpoints, and prevents MSI-installers from running on endpoints. The Feature Control allows for those safeguards to be bypassed and in doing so renders the McAfee Application Control less effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74205",
+      "title": "The organizations written policy must include a process for how whitelisted applications are deemed to be allowed.",
+      "description": "Enabling application whitelisting without adequate design and organization-specific requirements will either result in an implementation which is too relaxed or an implementation which causes denial of service to its user community. Documenting the specific requirements and trust model before configuring and deploying the McAfee Application Control software is mandatory.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74207",
+      "title": "The organizations written policy must include procedures for how often the whitelist of allowed applications is reviewed.",
+      "description": "Enabling application whitelisting without adequate design and organization-specific requirements will either result in an implementation which is too relaxed or an implementation which causes denial of service to its user community. Documenting the specific requirements and trust model before configuring and deploying the McAfee Application Control software is mandatory.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74209",
+      "title": "The Solidcore client must be enabled.",
+      "description": "The Application Control whitelisting must be enabled on all workstation endpoints. To enable Application Control, the Solidcore client needs to be in enabled mode.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74211",
+      "title": "The Solidcore client Command Line Interface (CLI) must be in lockdown mode.",
+      "description": "By default, when an endpoint's Solidcore installation is managed by the ePO server, the CLI will automatically be in lockdown mode. This will ensure the endpoint receives all of its Solidcore configuration settings from the ePO server. The CLI can, however, be activated for troubleshooting efforts during which time the ePO settings will not be enforced. Leaving the CLI in an allowed status will prevent the endpoint from receiving changes from the ePO server for the Solidcore client.",
+      "severity": "high"
+    },
+    {
+      "id": "V-74213",
+      "title": "The Solidcore client Command Line Interface (CLI) Access Password must be changed from the default.",
+      "description": "The Solidcore client can be configured locally at the CLI, but only when accessed with the required password.\n\nSince the McAfee Application Control configuration is to be managed by ePO policies, allowing enablement of the CLI to would introduce the capability of local configuration changes. \n\nStrict management of the accessibility of the CLI is necessary in order to prevent its misuse.\n\nThe misuse of the CLI would open the system up to the possible configuration changes potentially allowing malicious applications to execute unknowingly.",
+      "severity": "high"
+    },
+    {
+      "id": "V-74215",
+      "title": "The organization-specific Rules policy must only include executable and dll files that are associated with applications as allowed by the organizations written policy.",
+      "description": "To ensure Solidcore clients are only configured to STIG and organization-specific settings, organization-specific ePO policies must be applied to all organization workstation endpoints.\n\nThe McAfee Application Control installs with two Default Rules policies.\n\nThe McAfee Default Rules policy includes the whitelist for commonly used applications to the platform.\n\nThe McAfee Applications Default Rules policy include the whitelist for McAfee applications.\n\nBoth of these policies are at the \"My Organization\" level of the System Tree and must be inherited by all branches of the System Tree.\n\nOrganization-specific applications would be whitelisted with an organization-specific policy combined with the two Default policies into one effective policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74217",
+      "title": "The McAfee Application Control Options Reputation setting must be configured to use the McAfee Global Threat Intelligence (McAfee GTI) option.",
+      "description": "If a Threat Intelligence Exchange (TIE) server is being used in the organization, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the McAfee ePO console.\n\nIf the GTI is being used, reputation for files and certificates is fetched from the McAfee GTI.\n\nFor both methods, the administrator can review the reputation values and make informed decisions for inventory items in the enterprise.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74219",
+      "title": "The use of a Solidcore 7.x local Command Line Interface (CLI) Access Password must be documented in the organizations written policy.",
+      "description": "The Solidcore client can be configured locally at the CLI, but only when accessed with the required password.\n\nSince the McAfee Application Control configuration is to be managed by ePO policies, allowing enablement of the CLI to would introduce the capability of local configuration changes. \n\nStrict management of the accessibility of the CLI is necessary in order to prevent its misuse.\n\nThe misuse of the CLI would open the system up to the possible configuration changes potentially allowing malicious applications to execute unknowingly.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74221",
+      "title": "The Solidcore client Command Line Interface (CLI) Access password complexity requirements must be documented in the organizations written policy.",
+      "description": "The Solidcore client can be configured locally at the CLI, but only when accessed with the required password.\n\nThe misuse of the CLI would open the system up to the possible configuration, allowing malicious applications to execute unknowingly. Strict management of the accessibility of the CLI is necessary in order to prevent its misuse.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74223",
+      "title": "The McAfee Application Control Options Reputation-Based Execution settings, if enabled, must be configured to allow Most Likely Trusted or Known Trusted only.",
+      "description": "When a file is executed on an endpoint, the Application Control performs multiple checks to determine whether to allow or ban the execution. Only files with a reputation of \"Most Likely Trusted\", \"Known Trusted\" or \"Might be Trusted\" are considered to be allowed. By configuring the setting to only \"Most Likely Trusted\" or \"Known Trusted\", the files with a reputation of \"Might be Trusted\" are blocked. While this may impact operationally in the beginning, after the inventories are vetted by the administrators, files with a \"Might be Trusted\" value may be recategorized in that organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74225",
+      "title": "The McAfee Application Control Options Advanced Threat Defense (ATD) settings must not be enabled unless an internal ATD is maintained by the organization.",
+      "description": "This option will automatically send files with a specific file reputation to ATD for further analysis. This option is not selected by default and must only be selected if an ATD is being used.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74227",
+      "title": "The McAfee Application Control Options Advanced Threat Defense (ATD) settings, if being used, must be configured to send all binaries with a reputation of Might be Trusted and below for analysis.",
+      "description": "When the file reputation of \"Might be Trusted\" is configured for being forwarded to ATD, all files with the reputation of \"Might be Trusted\", \"Unknown\", \"Might be Malicious\", \"Most Likely Malicious\" and \"Known Malicious\" are forwarded to the ATD.\n\nThe files with \"Might be Trusted\" reputation may be redesignated as \"Trusted\" after analysis.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74229",
+      "title": "The McAfee Application Control Options Advanced Threat Defense (ATD) settings, if being used, must be configured to only send binaries with a size of 5 MB or less.",
+      "description": "Since binaries can be large, the file size must be limited to avoid congestion on the network and degradation on the endpoint when sending the binaries to the ATD.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74231",
+      "title": "Organization-specific McAfee Applications Control Options policies must be created and applied to all endpoints.",
+      "description": "To ensure Solidcore clients are only configured to STIG and organization-specific settings, organization-specific ePO policies must be applied to all organization workstation endpoints rather than resorting to the McAfee Applications Control (Default) policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74233",
+      "title": "The McAfee Application Control Options policy must be configured to disable Self-Approval.",
+      "description": "The McAfee Application Control Self-Approval feature allows the user to take an action when a user tries to run a new or unknown application.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74235",
+      "title": "The McAfee Application Control Options policy End User Notification, if configured by organization, must have all default variables replaced with the organization-specific data.",
+      "description": "The \"User Message\" option will show a dialog box when an event is detected and display the organization-specified text in the message.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74237",
+      "title": "The McAfee Application Control Options policies Enforce feature control memory protection must be enabled.",
+      "description": "By default, the McAfee Application Control prevents installation of ActiveX controls on endpoints, enforces memory protection techniques on endpoints, and prevents MSI-installers from running on endpoints. The Feature Control allows for those safeguards to be bypassed and in doing so renders the McAfee Application Control less effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74239",
+      "title": "Enabled features under McAfee Application Control Options policies Enforce feature control must not be configured unless documented in written policy and approved by ISSO/ISSM.",
+      "description": "By default, the McAfee Application Control prevents installation of ActiveX controls on endpoints, enforces memory protection techniques on endpoints, and prevents MSI-installers from running on endpoints. The \"Feature Control\" allows for those safeguards to be bypassed and in doing so renders the McAfee Application Control less effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74241",
+      "title": "The McAfee Application Control Options Inventory option must be configured to hide OS Files.",
+      "description": "By default, the Windows operating system files are excluded from the inventory. By selecting this option, the overwhelming the inventory with legitimate Windows Files in the <system drive>\\Windows folder which are signed by the Microsoft certificate and all files in the <system drive>\\Windows\\winsxs folder will not be included in the inventory.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74243",
+      "title": "The McAfee Application Control Options Inventory interval option must be configured to pull inventory from endpoints on a regular basis not to exceed seven days.",
+      "description": "When McAfee Application Control is deployed on a system, it creates a whitelist of all executable binaries and scripts present on the system. The whitelist contains all authorized files, and only files that are present in the whitelist are allowed to execute. An executable binary, script, or process that is not in the whitelist is said to be unauthorized and is prevented from running.  McAfee Application Control uses a centralized repository of trusted applications and dynamic whitelisting to reduce manual maintenance effort.\nRunning frequent Pull Inventory tasks ensures inventory information does not become stale. There must be the minimum interval between consecutive inventory pull runs (when the inventory information is fetched from the endpoints). By default, this value is 7 days and is the recommended setting. Pulling at an interval of greater than 7 days will allow for the inventory of endpoints to become stale.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74247",
+      "title": "The McAfee Applications Default Rules policy must be part of the effective rules policy applied to every endpoint.",
+      "description": "To ensure Solidcore clients are only configured to STIG and organization-specific settings, organization-specific ePO policies must be applied to all organization workstation endpoints.\n\nThe McAfee Application Control installs with two Default Rules policies.\n\nThe McAfee Default Rules policy includes the whitelist for commonly used applications to the platform.\n\nThe McAfee Applications Default Rules policy include the whitelist for McAfee applications.\n\nBoth of these policies are at the \"My Organization\" level of the System Tree and must be inherited by all branches of the System Tree.\n\nOrganization-specific applications would be whitelisted with an organization-specific policy combined with the two Default policies into one effective policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74249",
+      "title": "A copy of the McAfee Default Rules policy must be part of the effective rules policy applied to every endpoint.",
+      "description": "To ensure Solidcore clients are only configured to STIG and organization-specific settings, an organization-specific ePO policies must be applied to all organization workstation endpoints.\n\nThe McAfee Application Control installs with two Default Rules policies.\n\nThe McAfee Default Rules policy includes the whitelist for commonly used applications to the platform.\n\nThe McAfee Applications Default Rules policy include the whitelist for McAfee applications.\n\nBoth of these policies are at the My Organization level of the System Tree and must be inherited by all branches of the System Tree.\n\nOrganization-specific applications would be whitelisted with an organization-specific policy combined with the two Default policies into one effective policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74251",
+      "title": "The organization-specific Rules policies must be part of the effective rules policy applied to all endpoints.",
+      "description": "To ensure Solidcore clients are only configured to STIG and organization-specific settings, an organization-specific ePO policies must be applied to all organization workstation endpoints.\n\nThe McAfee Application Control installs with two Default Rules policies. \n\nThe McAfee Default Rules policy includes the whitelist for commonly used applications to the platform.\n\nThe McAfee Applications Default Rules policy include the whitelist for McAfee applications.\n\nBoth of these policies are at the \"My Organization\" level of the System Tree and must be inherited by all branches of the System Tree.\n\nOrganization-specific applications would be whitelisted with an organization-specific policy combined with the two Default policies into one effective policy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74253",
+      "title": "The organization-specific Solidcore Client Policies must be created and applied to all endpoints.",
+      "description": "McAfee Application Control is deployed with default policies. To ensure the default policies are not used and that an organization knowingly configures their systems to their own configuration requirements, organization-specific policies will need to be created.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74255",
+      "title": "The Throttling settings must be enabled and configured to settings according to organizations requirements.",
+      "description": "The throttling settings regulate the data flow between the clients and McAfee ePO. The value for each category defines the number of entries that will be sent to the McAfee ePO daily. Clients start caching for the defined category when the specified threshold value is reached. After the cache is full, new data for that category is dropped and not sent to the McAfee ePO. As such, settings must be high enough to allow for all data to reach the McAfee ePO.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-74257",
+      "title": "The Solidcore Client Exception Rules must be documented in the organizations written policy.",
+      "description": "When exceptions are created for applications, it results in potential attack vectors. As such, exceptions should only be created with a full approval by the local ISSO/ISSM. The organization's entire written policy requires approval by the ISSO/ISSM/AO and is required to be under CAB/CCB oversight.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json

@@ -0,0 +1,149 @@
+{
+  "name": "stig_mcafee_move_2.63.6.1_multi-platform_client",
+  "date": "2016-04-05",
+  "description": "The McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-42933",
+      "title": "All other antivirus products must be removed from the virtual machine while the McAfee AV Client is running.",
+      "description": "Organizations should deploy antivirus software on all hosts for which satisfactory antivirus software is available. Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.\n\nMcAfee MOVE AV Client will not function properly with other antivirus products installed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42935",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client policies must be configured with, and managed by, the HBSS ePO server.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42936",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable malware protection.",
+      "description": "Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42937",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the primary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42939",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the secondary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42940",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with a scan timeout of 180 seconds or more.",
+      "description": "This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Offload Scan Server. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type or heavy load on the offload scan server. In such case that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42942",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to cache scan results for files smaller than 40MB.",
+      "description": "This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40MB. Files smaller than this threshold are copied completely to the Offload Scan Server and scanned. If the file is found to be clean, its scan result is cached based on its SHA 1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the Offload Scan Server and scanned and setting that threshold higher could impact the performance of the scan processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42943",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to expire cached scan results after a time period of no more than 24 hours.",
+      "description": "Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.\n\nThe scan cache retains files previously scanned and determined to be clean. Since a cache scan result is not invalidated when a new antivirus signature (DAT) is received, and a cached file will only be re-scanned after the cached result expires, caching files past a 24 hour period allows for newly discovered malware to go undetected in those cached files.  Cached files should expire after no more than 24 hours in order to be scanned with new antivirus signatures every day.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42944",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan when writing to disk.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42945",
+      "title": "The McAfee MOVE AV [Multi-Platform] General policy must be configured to scan when reading from disk.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42946",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42947",
+      "title": "If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with path or file exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42948",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to report malware detections to the client event log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42949",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to send malware detection events to the HBSS ePO server.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42950",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to delete files automatically as first action.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42951",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable the quarantine.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will able to conduct internal forensic evaluation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42952",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the location of SYSTEM_DRIVE\\quarantine to ensure consistency across all systems.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed.\n\nTo better manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42953",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to automatically delete quarantined data after a time period of no more than 28 days.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. Deleting the quarantine contents on a regular basis will alleviate the ability of malware from being executed. An organization's incident response policy should also contain steps in removing quarantined items after their forensic value has been depleted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42954",
+      "title": "The self-protection feature of the McAfee MOVE AV [Multi-Platform] Client, designed to prevent malicious attacks on McAfee MOVE AV Multi-Platform software components, must be enabled.",
+      "description": "The self-protection feature defends files, services, and registry keys on virtual machines and will ensure uninterrupted protection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42955",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to deny access to files if first action fails.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42956",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the primary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42957",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the secondary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42958",
+      "title": "If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with process exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json

@@ -0,0 +1,101 @@
+{
+  "name": "stig_mcafee_move_2.63.6.1_multi-platform_oss",
+  "date": "2016-04-05",
+  "description": "The McAfee MOVE 2.6/3.6.1 Multi-Platform OSS STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE 2.6/3.6.1 Multi-Platform OSS STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-42964",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must have McAfee VirusScan Enterprise 8.8 (or most current version) installed.",
+      "description": "Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up-to-date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42965",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server packages policies must be configured with and managed by the HBSS ePO server.",
+      "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42966",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be configured with a static IP address.",
+      "description": "Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems it manages/controls. Otherwise, the security management device will be less than effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42968",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to maintain a minimum of 7 log files before removing oldest log file.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42971",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to rotate log files when they reach at least 10MB in size.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42973",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan inside archive files.",
+      "description": "Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42974",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for potentially unwanted programs.",
+      "description": "Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42976",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for MIME-encoded files.",
+      "description": "Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42977",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to use McAfee Global Threat Intelligence file reputation, with a sensitivity level of Medium or higher.",
+      "description": "Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42978",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to report all events to the Windows Event Log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42979",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to send all events to the HBSS ePO server.",
+      "description": "Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as anti-virus software, intrusion prevention systems, and security information and event management (SIEM) technologies and identifying which hosts are infected by the malware, so the hosts can undergo the appropriate containment, eradication, and recovery actions. By sending all events to a central location, the events can be correlated to determine extent of infection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42981",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan must be configured with On-Demand scanning enabled.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42982",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan Client Scan interval must be set to no more than every seven days.",
+      "description": "Anti-virus software is the mostly commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42983",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of Offload Scan Server configuration.",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42986",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the registry keys of Offload Scan Server configuration.",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.",
+      "severity": "high"
+    }
+  ]
+}