McAfee Application Control Linux Product Guide. (Unmanaged)

Transcription

1 McAfee Application Control Linux Product Guide (Unmanaged)

2 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Application Control Linux Product Guide

3 Contents 1 Product overview 5 Overview Key features How it works Using Application Control 7 Application Control modes Use the command-line interpreter Overriding protection Configuring Application Control Add the license Create the whitelist Place Application Control in Enabled mode Using updaters What are updaters? Add updaters Specifying files to be added as updaters View updaters Remove updaters Using trusted directories When to add trusted directories Adding trusted directories Specifying directory paths View trusted directories Exclude specific directories from the list of trusted directories Remove trusted directories Using trusted users Add trusted users List trusted users Remove trusted users Using interpreters Map an interpreter with a file extension View interpreter and file extension associations Remove interpreter and file extension associations Maintain your systems 17 View product status and version Managing the whitelist Managing product features Making emergency changes Switch to Update mode Exit Update mode Enable or disable password protection Configuring log files Disable Application Control McAfee Application Control Linux Product Guide 3

4 Contents A Application Control event list 25 B Command short forms 31 4 McAfee Application Control Linux Product Guide

5 1 Product 1 overview Contents Overview Key features How it works Overview McAfee Application Control is a security software that blocks unauthorized applications from running on your systems. Application Control uses dynamic whitelisting to guarantee that only trusted applications run on servers, devices, and desktops. It eliminates the need for IT administrators to manually maintain lists of approved applications. It also gives IT control over endpoints to help enforce software license compliance. The software uses a dynamic trust model and innovative security features to prevent advanced persistent threats (APT) without requiring signature updates. It guarantees protection without impacting productivity. With Application Control, you can: Prevent any malicious, untrusted, or unwanted software from executing. Automatically identify trusted software and grant it authorization to run. Block users from introducing software that poses a risk to your company. Key features Application Control protects your organization against malware attacks before they occur by proactively controlling the applications that run on your desktops, laptops, and servers. It enforces control on connected or disconnected servers, virtual machines (VMs), endpoints, and devices. Dynamic whitelisting Application Control protects your organization against malware attacks before they occur by proactively controlling the applications that are executed on your system. You can manage your whitelist in a secure and dynamic way. IT administrators don t need to manually maintain lists of approved applications. Application Control groups executable across your company by application and vendor. McAfee Application Control Linux Product Guide 5

6 1 Product overview How it works Protection against threats Application Control extends coverage to executable files, libraries, drivers, Java applications for greater control over application components. It enforces control on connected or disconnected servers, virtual machines, endpoints, and fixed devices, such as kiosks and point-of-sale (POS) terminals. It also locks down protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that might impact system performance. How it works Application Control creates a whitelist of all authorized executable files. When you run an executable file that isn't whitelisted, the software blocks its execution. The whitelist details authorized files and determines trusted or known files. In Enabled mode, only files that are present in the whitelist are allowed to run. All files in the whitelist are protected and can't be changed or deleted. An executable binary or script that isn't in the whitelist is said to be unauthorized and is prevented from running. Application Control stores the whitelist for each drive or volume at the following location: <volume>/.solidcore/scinv 6 McAfee Application Control Linux Product Guide

7 2 Using 2 Application Control Contents Application Control modes Use the command-line interpreter Overriding protection Configuring Application Control Using updaters Using trusted directories Using trusted users Using interpreters Application Control modes Application Control ensures that only whitelisted, legitimate, and authorized applications and files run on the system. It can operate in four different modes. Each mode is different in principle and usage. Disabled This mode indicates that Application Control isn't running on your system. Although the application is installed, its features are disabled. After installation, the application appears in Disabled mode by default. You can then switch to Update or Enabled mode. Enabled This mode indicates that only whitelisted applications and files are allowed to run. Execution of unauthorized software, such as a virus or spyware, is prevented. In Enabled mode, Application Control protects files in the whitelist from unauthorized change. After the initial whitelist is created, switch to Enabled mode which makes sure that no unauthorized changes are allowed. Update This mode indicates that protection is effective but changes are allowed on protected endpoints. When you perform software updates in Update mode, Application Control tracks and records each change. Also, it dynamically updates the whitelist to make sure that the changed or added binaries and files are authorized to execute when the system returns to Enabled mode. If you delete any software and program files from the system, the respective files are removed from the whitelist. Use the command-line interpreter The command-line interpreter (sadmin) allows you to manage the Application Control configuration and features. The method you use to open the command-line interpreter depends on your operating system. McAfee Application Control Linux Product Guide 7

8 2 Using Application Control Overriding protection 1 To open the command-line interpreter on Linux: In a Linux terminal, access the command-line interpreter from <install directory>/mcafee/ solidcore/bin/sadmin. 2 Use these commands to get help information. sadmin help Lists basic help information. sadmin help <command> Provides basic help for the specified command. sadmin help-advanced <command> Provides advanced help for the specified command. Overriding protection On a protected system, overriding applied protection allows components to execute using different methods. If a component is configured as an updater, it can also update the software on a protected system. You can authorize execution of a program or file on a protected system by using one of these methods. Updater process Trusted directory Adding to the whitelist Defining attribute-based rules for file execution The whitelist is the most common method to determine the trusted or known files. Typically, most applications and executable files remain unchanged over prolonged periods of time. But, if needed, you can allow certain applications and executable files to create, change, or delete files in the whitelist. To design a trust model and allow more users or programs to change a protected system, you can use one the methods listed in this table. Method Updaters Binary names Trusted directories Description If a component is configured as an updater, it is allowed to install new software and update existing software components on a protected system. Authorize execution of binaries (programs and files) by specifying their names. But, when you authorize execution of a binary by name, all binaries that have the same name and are present on the system or network shares are authorized to execute on a protected system. On a protected system, you can add directories (local or network directories) as trusted directories to run any software present in these directories. Trusted directories are identified by their Universal Naming Convention (UNC) path. 8 McAfee Application Control Linux Product Guide

9 Using Application Control Configuring Application Control 2 Method Update mode Defining attribute-based rules for file execution Description Update mode is an authorized mode to perform software updates on a protected system. When Application Control is in Update mode, changes are allowed on a protected system. Place the system in Update mode to perform software updates. Use this method when none of the other methods, such as using trusted users, trusted directories, certificates, or checksum values meet your requirements and the software isn't present in the updaters list. For example, you can use Update mode to complete maintenance tasks, such as install patches or upgrade software. When a file's execution is undetermined after the checks, attribute-based or execution control rules, if any are defined, come into play. You can define specific rules using one or more attributes of a process to allow, block, or monitor the process. Configuring Application Control Contents Add the license Create the whitelist Place Application Control in Enabled mode Add the license The license determines if the product features are available. You must specify a valid license after installation. 1 Verify if a license is already added (provided during installation) by entering the following command and pressing Enter. sadmin license list All licenses that are already installed on the system are listed. 2 If no license is listed, add a license now: sadmin license add <license_key> 3 Restart Application Control: service scsrvc restart. Create the whitelist Application Control creates a whitelist of authorized executable files. When you run an executable file that isn't whitelisted, Application Control blocks its execution. 1 Run this command at the command prompt. sadmin so The time the system takes to create the whitelist varies from a few minutes to an hour, depending on your system configuration, including CPU speed, RAM, and applications installed on the system. After the whitelist is created, a message similar to this message appears. Solidifying volume / 00:04:11: Total files scanned 12265, solidified 6342 McAfee Application Control Linux Product Guide 9

10 2 Using Application Control Using updaters 2 Verify that the drive or volume is whitelisted. a Run this command at the command prompt. sadmin status The status of Application Control is displayed. You can view the operational mode, operational mode on system restart, connectivity with McAfee epo, CLI access status, and whitelist status of the drives or volumes. However, in the standalone configuration of the product, connectivity with McAfee epo is not applicable. b Review the whitelist status of the drives or volumes, and make sure that the status is Solidified. Place Application Control in Enabled mode Place Application Control in Enabled mode to allow only whitelisted applications to run on your system. 1 Run this command at the command prompt. sadmin enable 2 Place Application Control in Enabled mode using one of these methods: Restart the Application Control service to enable the software: service scsrvc restart 3 Verify that Application Control is in Enabled mode: sadmin status. The status is displayed. You can view the operational mode, operational mode on system restart, CLI access status, and whitelist status of all drives. a Review the operational mode. b Verify that the current operational mode is Enabled. Using updaters Contents What are updaters? Add updaters Specifying files to be added as updaters View updaters Remove updaters What are updaters? Updaters are authorized components that are allowed to update the system. By default, if you provide updater rights to a component, the child component automatically inherits the same rights. For example, if you specify Adobe 8.0 program as an updater, it can periodically patch all needed files. Updaters work at a global level and are not application-specific or license-specific. When a program is defined as an updater, it can change any protected file. To qualify as updaters, components must match one of these requirements: 10 McAfee Application Control Linux Product Guide

11 Using Application Control Using updaters 2 They must be present in the whitelist. They must be defined as authorized binaries. Application Control also includes predefined default updater rights for commonly used applications that might need to update the systems frequently. These applications are known as default updaters. For example, default updater permissions are defined for Yahoo, Oracle, and McAfee products. When to add updaters Certain programs frequently update software components on the system automatically. Add such programs as updaters to allow them to update the software components. Add updaters when they are frequently required to make changes to the system. Add updaters You can add various components as updaters to allow them to update the system. If a program is configured as an updater, it can install new software and update existing software. Run this command at the command prompt. sadmin updaters add <filename> This table lists the supported arguments, descriptions, and examples. Argument Description -d Excludes the child process of the file from inheriting the updater permissions. sadmin updaters add d <filename> -n Disables event logging for a file to be added as an updater. sadmin updaters add n <filename> -t Performs these operations: Include the tags for a file to be added as an updater. To add a user with a tag name as an updater. -p Adds a file as an updater, only when its parent execution file is running. sadmin updaters add -p <parentname> <filename> Specifying files to be added as updaters You can specify files using the file name or checksum value. This table describes the methods to specify a file to be added as an updater. Method Specify the file name Description If the file name is added as an updater, the updater permissions apply only to the file name and, even if the file path is changed, the updater permissions are in effect. You can specify the absolute or relative path of the file. But, if you specify the absolute path of the file as an updater, the updater permissions are applicable only to that specific path. If you specify full path names with the drive letter, the drive letter isn't considered. Paths can include wildcard characters to specify file paths and file names. McAfee Application Control Linux Product Guide 11

12 2 Using Application Control Using trusted directories View updaters Updaters are authorized components that are permitted to update the system. When a program is defined as an updater, it can change any protected file. View the list of all components defined as updaters on the system: sadmin updaters list Remove updaters You can remove updaters to restrict them from making changes to the system. 1 Delete all components from the updaters list: sadmin updaters flush 2 Remove a specific component from the updaters list: sadmin updaters remove This table lists how to remove specific components as updaters. Component Installers Scripts Binaries Command sadmin updaters remove <installername> sadmin updaters remove Ica32Pkg.msi sadmin updaters remove <scriptname> sadmin updaters remove myscript12.bat sadmin updaters remove <filename> sadmin updaters remove update.exe After using this command, restart the system to remove the binaries from the updaters list. Using trusted directories You can override the protection applied to a system using trusted directories. After you add directories as trusted directories, systems can run any software present in these directories. On a protected system, you can add directories (local or network share) as trusted directories to run any software present in these directories. Trusted directories are identified by their UNC path. When to add trusted directories If you maintain shared folders with installers for licensed applications on the internal network in your organization, you can add trusted directories for such network shares. When enabled, Application Control tracks files over network shares and blocks their execution until the network share is added as a trusted share. Application Control also prevents protected systems from executing any file residing on a network share. If needed, you can allow the software at the UNC path to install software on the protected systems. For example, when logging on to a Domain Controller from a protected system, you need to define \\domain name \SYSVOL as a trusted directory (to allow execution of scripts and binaries). 12 McAfee Application Control Linux Product Guide

13 Using Application Control Using trusted directories 2 Adding trusted directories You can add directories as trusted directories to run any software present in these directories on a protected system. This table describes how to add trusted directories. Command sadmin trusted i <pathname1...pathnamen> Description You can specify one or more paths to the directories to be added as trusted directories. You can also specify paths to the directories located on network shares. For example: sadmin trusted i \\ \documents sadmin trusted i /etc/security sadmin trusted u <pathname1...pathnamen> You can specify one or more paths to the directories to be added as trusted directories. This command adds all binaries and scripts present in the directories as updaters. You can also specify paths to the directories located on network shares. For example: sadmin trusted u \\ \documents You can also add a trusted volume by specifying a volume name with this command to include all binaries and scripts present in the specified volume as updaters. Use the sadmin trusted i -u <volumename> command to specify the volume name. Specifying directory paths You can specify directory paths on a mounted network file system using these methods. Command sadmin trusted i \\server-name \share-name sadmin trusted i \\server-name sadmin trusted i \\* Description You can specify the server name that has a network share or the name of the network share. You can specify the server name. You can specify all network shares by all servers. Paths can include the wildcard characters to specify file paths and file names. When using wildcards, ensure that specified string matches a limited set of file paths or file names. If the specified string matches many files, we recommend you revise the string. Paths can include the * wildcard character. Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported. View trusted directories You can view the list of directories that are added as trusted directories on the system. Run this command at the command prompt: sadmin trusted -l This command lists all trusted directories added on the system. McAfee Application Control Linux Product Guide 13

14 2 Using Application Control Using trusted users Exclude specific directories from the list of trusted directories You can exclude specific directories from the list of directories that you added as trusted on the system. 1 Run this command at the command prompt: sadmin trusted e <pathname1...pathnamen> 2 Run this command to specify one or more paths to the directories to be excluded from the list of trusted directories: sadmin trusted e /etc/security Remove trusted directories You can remove trusted directories to restrict them to run any software present in them. Remove the trusted directories using these methods. Command sadmin trusted r <pathname1...pathnamen> sadmin trusted f Description To specify one or more paths to the directories to be removed as trusted directories. For example: sadmin trusted r /etc/security To flush all rules for trusted directories. If you specify this argument, all rules for the trusted directories are removed from the system. Using trusted users A trusted user is an authorized user with updater permissions to dynamically add to the whitelist. You can add users as updaters to allow users to perform update operations on a protected system. If you provide updater permissions to a user, the user is defined as a trusted user. For example, add administrators as trusted users to allow them to install or update any software. While adding the user information, you can also provide the domain details. Of all strategies that allow changes to protected systems, this is the least preferred one because it offers minimal security. After a trusted user is added, there are no restrictions on what the user can change or run on the system. Add trusted users Add trusted users to allow them to perform update operations on a protected system. Run this command at the command prompt. sadmin updaters add u <username> This table lists the supported arguments, descriptions, and examples. 14 McAfee Application Control Linux Product Guide

15 Using Application Control Using interpreters 2 Argument Description -u Specify the u argument to add a user as a trusted user. All update operations by the specified user name are allowed. You can add these types of user names as trusted users. Simple name For example john_smith. sadmin updaters add u john_smith Domain name For example john_smith@mycompany. sadmin updaters add u john_smith@mycompany Hierarchical domain name (domain name\user name) For example mydomain\john_smith. sadmin updaters add u mydomain\john_smith When you specify the u argument, other arguments supported for sadmin updaters add command, such as -l, -p, -d, and n are not applicable. -t Specify the t argument to add a user with a tag name as an updater. Tag name is an identification label which is present in the logs for all files processed by this rule. sadmin updaters add t <tagname> u <username> sadmin updaters add t McAfee001 -u john_smith List trusted users You can view the list of all users who have updater permissions on the system. Run this command at the command prompt. sadmin updaters list This command lists all trusted users and other components defined as updaters in the system. Remove trusted users When you remove a trusted user, the updater permissions assigned to that user are removed. Run this command at the command prompt. sadmin updaters remove -u <username> For example, sadmin updaters remove -u john_smith After using this command, restart the system to remove updater permissions from the users. Using interpreters You can configure interpreters to control the execution of additional scripts. Unlike executables, a script needs an interpreter to read and execute the instructions written in a scripting language. To manage execution of scripts in your setup: McAfee Application Control Linux Product Guide 15

16 2 Using Application Control Using interpreters 1 Check that relevant interpreters and scripts are whitelisted. 2 Map appropriate file extensions of scripts with specific interpreters. The software controls execution of scripts with #! when run using the./ <script name> syntax. By default, scripts with #! are not allowed to execute. So, to manage script execution, use the following syntax:./ <script name> Application Control provides additional and granular control for file and script execution. For example, you can choose to block an interpreter from running except when run by a specific user or by specific arguments. Map an interpreter with a file extension You can associate an interpreter with a file or script extension to control execution for a certain script type. Run this command at the command prompt. sadmin scripts add extension interpreter1 [interpreter2]... The file with specified extension or type is associated with the specified interpreters. View interpreter and file extension associations You can view the existing interpreter and file or script extension associations defined in your setup to control file execution. Run this command at the command prompt. sadmin scripts list Sample output appears like this:.ps1.bat.cmd.pif.sys.vbe 16Bit.vbs.exe "powershell.exe" "cmd.exe" "cmd.exe" "ntvdm.exe" "ntvdm.exe" "cscript.exe" "wscript.exe" "ntvdm.exe" "wowexec.exe" "cscript.exe" "wscript.exe" "ntvdm.exe" Remove interpreter and file extension associations Remove existing interpreter and file or script extension associations defined in your setup. Run one of these command at the command prompt. sadmin scripts remove extension [interpreter1 [interpreter2]]... Removes the specified interpreter associations for the file or script type. sadmin scripts remove extension Removes all interpreter associations for the specified file or script type. 16 McAfee Application Control Linux Product Guide

17 3 Maintain your systems Contents View product status and version Managing the whitelist Managing product features Making emergency changes Enable or disable password protection Configuring log files Disable Application Control View product status and version You can view Application Control status for product status details, such as operational mode, operational mode after restart, and whitelist status. You can also view the software version to see details of the installed product and the copyright information. 1 View Application Control status: sadmin status [volume] Include [Volume] to view details of a single volume. a A message similar to this example displays the system details. The following table describes the fields and their meaning. McAfee Solidifier: Disabled McAfee Solidifier on reboot: Disabled epo Managed: No Local CLI access: Recovered [fstype] [status] [driver status] [volume] * NTFS Solidified Unattached C:\ Status detail McAfee Solidifier McAfee Solidifier on reboot McAfee epo Managed Description Specifies the operational mode of Application Control. Specifies the operational mode of Application Control after system restart. Displays the connectivity status of Application Control with McAfee epo. In standalone configuration of the product, this status is No. McAfee Application Control Linux Product Guide 17

18 3 Maintain your systems Managing the whitelist Status detail Local CLI access fstype status driver status volume Description Displays the lockdown or recovered status of the local CLI. In standalone configuration of the product, this status is Recovered. Displays the supported file systems for a volume. Displays the current whitelist status for all supported volumes on a system. If a volume name is specified, only the whitelist status for that volume is displayed. Displays whether the Application Control driver is loaded on a volume. If the driver is loaded on a volume, status is attached; otherwise the status is unattached. Displays the volume names. 2 View version and copyright details of Application Control installed on the system. sadmin version Managing the whitelist An important part of system maintenance is managing the whitelist. You can perform various tasks to manage the whitelist. Whitelist thread priority The whitelist thread priority (SoPriority) determines the usage of system resources and the time required to create the whitelist. You can configure the whitelist thread priority before creating the initial whitelist. By default, the thread runs on low priority (value of 0) and if you do not specify the thread priority, Application Control considers the default priority to create the whitelist. sadmin config set SoPriority=<value> The SoPriority value that you specify is based on your preference. This table describes the SoPriority values that you can specify. Value Priority Advantages and disadvantages 0 Low (Recommended) The low value, takes more time to create the whitelist but causes minimal performance impact on the system. 1 Medium N/A 2 High The high value takes less time but uses more system resources and can cause performance impact on the system. Adding and removing executables You can add new components to the initial whitelist to allow their execution on a protected system. If needed, you can also remove components from the whitelist. Specify the components as file names, directory names, or volume names. Do not remove a system drive or volume from the whitelist. This causes a blue screen or system failure. 18 McAfee Application Control Linux Product Guide

19 Maintain your systems Managing the whitelist 3 Action Command syntax Description Add components to the whitelist. Remove all components from the whitelist. Remove selected components from the whitelist. sadmin so [<arguments> <components>] sadmin unso sadmin unso [<arguments> <components>] After the initial whitelist is created, execution is blocked for the components that are not included in the whitelist. If needed, add more components to the whitelist. Remove all components from the whitelist using this command. When you remove components, they are no longer allowed to execute. Specify the components that you want to remove from the whitelist. You can add or remove components from the whitelist as described in this table. Component Description File name Add files to the whitelist. For example, sadmin solidify filename1... filenamen Remove files from the whitelist. For example, sadmin unsolidify filename1... filenamen Directory name Add all supported files under specified directories to the whitelist. For example, sadmin solidify directoryname1... directorynamen Remove all supported files in one or more directories from the whitelist. For example, sadmin unsolidify directoryname1... directorynamen Volume name Add all supported files (recursively) under specified system volumes to the whitelist. For example, sadmin solidify volumename1... volumenamen Remove all supported files in one or more system volumes from the whitelist. For example, sadmin unsolidify volumename1... volumenamen File name Directory name Volume name Optionally, you can specify supported arguments with the command. Add sadmin solidify [ q v ] filename1... filenamen directoryname1... directorynamen volumename1... volumenamen Remove sadmin unsolidify [ v ] filename1... filenamen directoryname1... directorynamen volumename1... volumenamen Here are the arguments descriptions: The -q argument displays only error messages. The -v argument displays all messages. Viewing components added to the whitelist You can view lists of all whitelisted and non-whitelisted files, directories, and drives/volumes on the system. McAfee Application Control Linux Product Guide 19

20 3 Maintain your systems Managing the whitelist Action List all whitelisted components. List all non-whitelisted components. Command syntax sadmin ls sadmin lu Description This command lists all whitelisted components. You can specify the names of files, directories, and drive/volumes to narrow the results. This command lists all non-whitelisted components using this command. You can specify the names of files, directories, and drive/volumes to narrow the results. You can narrow the results by specifying components as described in this table. Component File name Description List all whitelisted files from the specified list of files. If only one file name is specified, this command shows the file name only if the file is whitelisted. Specify a set of files to list the whitelisted files from that file set. For example, sadmin list-solidified filename1... filenamen Lists all non-whitelisted files from the specified list of files. If only one file name is specified, this command shows the file only if the file is non-whitelisted. Specify a set of files to list non-whitelisted files from that file set. For example, sadmin list-unsolidified filename1... filenamen Directory name List all whitelisted files present in the specified directories. For example, sadmin list-solidified directoryname1...directorynamen List all non-whitelisted files present in the specified directories. Specify directory names with this command to list all non-whitelisted files in the specified directories. For example, sadmin list-unsolidified directoryname1...directorynamen Volume name List all whitelisted files present in the specified drives/volumes. For example, sadmin list-solidified volumename1...volumenamen List all non-whitelisted files present in specified volumes. Specify volume names with this command to list all non-whitelisted files in the specified volumes. For example, sadmin list-unsolidified volumename1...volumenamen File name Directory name Volume name List details about the files, such as file type, file path, and file checksum. For example, sadmin list-solidified [ -l ] filename1... filenamen directoryname1...directorynamen volumename1...volumenamen Checking and updating the status of whitelisted components You can compare the current whitelist status and checksum values of whitelisted files, directories, and volumes with the status and values stored in the whitelist. If they are not current, you can update the whitelist and fix inconsistencies. If the components in the whitelist are changed or removed and the whitelist is not updated, the execution of these components is blocked by Application Control. This results in inconsistencies in the whitelist. You can run this command to check the status of whitelisted components: sadmin check [ -r ] file directory volume You can narrow the results by specifying the names of files, directories, and drive/volumes with this command. 20 McAfee Application Control Linux Product Guide

21 Maintain your systems Managing product features 3 Also, you can specify the -r argument. This argument fixes inconsistencies by updating the whitelist with the latest checksum values of the components and adds the components to the whitelist, if the components are not already present. If you do not specify a component, inconsistencies in all supported drives/volumes are fixed. Managing product features When Application Control is installed in a system, the product features are in their default status which is critical to provide protection to your system. You might need to change the default status of one or more features to allow configuration changes. Reviewing the features You can review the list of all Application Control features and check their status (enabled or disabled) in your system: sadmin features list The features list has been minimized to show only the features that require changes regularly. Feature Description Default status deny-read Read-protects the specified components. When this feature is applied on components, they can't be read. Read protection works only when the software is running in Enabled mode. deny-write Write-protects the specified components. When this feature is applied on the components, they are rendered as read-only to protect your data. integrity Protects Application Control files and registry keys from unauthorized tampering. Allows the product code to run even when the components aren't present in the whitelist. This feature ensures that all product components are protected. It prevents accidental or malicious removal of components from the whitelist to ensure that the product doesn't become unusable. In update mode, it's disabled to facilitate product upgrades. Disabled Enabled Enabled script-auth Prevents the execution of supported script files that aren't in the whitelist. Only whitelisted script files are allowed to execute on the system. For example, script files with #! (hash exclamation point) for supported local file systems are added to the whitelist and are allowed to execute. Enabled Enabling or disabling features If needed, you can change the default status of a feature by enabling or disabling features. After disabling a feature, the system is no longer protected by that feature. Use caution and see McAfee Support before enabling or disabling a feature. It can affect the core functionality of the product and might make your system vulnerable to security threats. Action Enable a feature. Disable a feature. Command sadmin features enable <featurename> sadmin features disable <featurename> McAfee Application Control Linux Product Guide 21

22 3 Maintain your systems Making emergency changes Making emergency changes Run Application Control in Update mode to perform emergency changes on a protected system. When the product is in effect, you can allow scheduled or emergency changes to the system and track the changes made to the system by running the product in Update mode. Use Update mode to make changes that cannot be made when Application Control is running in Enabled mode. When possible, use these other methods to allow changes. Trusted directories Updaters In Enabled mode, if you install new software or add new files, the files aren't added to the whitelist or allowed to execute unless you use a trusted method to add them. But, if you install or uninstall software, or add new files in Update mode, changes are tracked and added to the whitelist. To approve changes to the system, a change window is defined, where users and programs can make changes to the system. Update mode allows you to perform these tasks: Schedule software and patch installations. Remove or change software. Dynamically update the whitelist. From Update mode, you can switch to Enabled or Disabled mode. Switch to Update mode Switch Application Control to Update mode to perform scheduled or emergency changes in a system. If the product is in Enabled or Disabled mode, perform these steps to switch to Update mode. Run this command at the command prompt. sadmin bu [workflow-id [comment]] Optionally, specify these arguments with the command. Attribute Description workflow-id Specify a workflow ID for the current Update mode session. This is an identification ID that can be used for a Change Management or Ticketing System. If you don't provide the workflow ID, the workflow ID is set to an automatically generated string, AUTO_n, where n is a number that is incremented each time an update window is opened. comment Specify a comment that describes the current Update mode session. This information can be used for a Change Management or Ticketing System. If Application Control is in Enabled mode, it is switched to Update mode. If Application Control is in Disabled mode, perform one of these extra steps. Step Restart the system. Restart the Application Control service. Description When you restart the system, the product is switched to Update mode. Restarting the system is a recommended way to switch to Update mode. Or, you can restart the Application Control service to switch to Update mode. But only limited features will be enabled after service restart. 22 McAfee Application Control Linux Product Guide

23 Maintain your systems Enable or disable password protection 3 Exit Update mode Exit Update mode after making scheduled or emergency changes, patch installations, or software updates in your system. Run this command at the command prompt. sadmin eu Enable or disable password protection You can restrict users from running critical sadmin commands by enabling password protection. When password protection is enabled, Application Control allows these critical commands to run only when the user enters the correct password. If you do not need password protection, remove the password, which allows users to run all sadmin commands. Passwords are encrypted with the SHA2 hashing algorithm. To protect password details, a random number is added to the password before the hash is computed. The SHA5012 encryption algorithm, a subset of SHA2, generates a hash of 512 bits, which protects the password from rainbow table attacks. 1 Type the sadmin passwd command to set a password. When you set a password, users can no longer run critical commands without providing the correct password. Only a limited set of non-critical commands can run without the password. You can use the -z switch to prevent the system from prompting for the password. It can be used in all CLI commands. For example, sadmin solidify -z <password> is used for unmanaged CLI operations, and is different from the password for the McAfee epo administrator used for CLI lockdown. If you already set the password, Application Control prompts you to enter your password. Type the old password and press Enter. You are now asked to set the new password and retype it. If you didn't set the password earlier, Application Control prompts you to enter a new password. Set the new password and retype it. 2 Type the sadmin passwd -d command to remove the password. 3 Press Enter. McAfee Application Control Linux Product Guide 23

24 3 Maintain your systems Configuring log files Configuring log files Application Control generates log messages for all actions and errors related to the product. These log messages are stored in log files that are used for troubleshooting errors. Log file Path Description solidcore.log /var/log/mcafee/ solidcore/ After the product is deployed on a system, a log file named solidcore.log is created in the solidcore directory. This file is also known as debuglog. You can configure the solidcore.log file size and number of solidcore.log files that you want to create on the system. Configuring log files is applicable only to the solidcore.log file. You can't change the configuration of any other log file. Solidcore _Installer.log and solidcores3 _install_<rel> <build>.log /tmp/solidcores3 _install.log /var/log/mcafee/ solidcore/ solidcores3_install.log Application Control installation logs are stored in this file. If installation fails, the file is stored at: /tmp/solidcores3 _install_<rel> <build>.log. If installation is successful, the file is stored at: /var/log/ mcafee/solidcore/solidcores3_install_<rel> <build>.log Disable Application Control Switch to Disabled mode to deactivate the features of Application Control. 1 Type the sadmin disable command. 2 Press Enter. 3 Restart the system. 24 McAfee Application Control Linux Product Guide

25 A Application Control event list Application Control specific events with the name, event ID, severity, and the description are described in this table. Event names with a suffix (_UPDATE) indicate that events are generated in Update mode. Event ID (on systems) Threat event ID (on McAfee epo) Event name Severity Description PROCESS_TERMINATED Major McAfee Solidifier prevented an attempt to hijack the process <string> (Process Id: <string>, User: <string>), by illegally calling the API '<string>'. The process was terminated WRITE_DENIED Major McAfee Solidifier prevented an attempt to change file <string> by process/script <string> (sha1: <string>, md5: <string>, sha256: <string> ) (Process Id: <string>, User: <string>) EXECUTION_DENIED Major McAfee Solidifier prevented unauthorized execution of '<string>' (sha1: <string>, md5: <string>, sha256: <string>, File Type: <string>) by process <string> (Process Id:<string>, User: <string>) whose parent is process <string>, deny_reason : <string> (deny reason code: <string>) reputation score: <string> PROCESS_TERMINATED_UNAUTH_SYSCALL Major McAfee Solidifier prevented process <string>, run by <string>, from making unauthorized syscall %d (return address %d). The process was terminated PROCESS_TERMINATED_UNAUTH_API Major McAfee Solidifier prevented process <string>, run by <string>, from making unauthorized access to API <string> (return address <string>). The process was terminated McAfee Application Control Linux Product Guide 25

26 A Application Control event list Event ID (on systems) Threat event ID (on McAfee epo) Event name Severity Description REG_VALUE_WRITE_DENIED Major McAfee Solidifier prevented an attempt to change Registry key '<string>' with value '<string>' by process <string> (Process Id: <string>, User: <string>) REG_KEY_WRITE_DENIED Major McAfee Solidifier prevented an attempt to change Registry key '<string>' by process <string> (Process Id: <string>, User: <string>) REG_KEY_CREATED_UPDATE Info McAfee Solidifier detected creation of registry key '<string>' by program <string> (User: <string>, Workflow Id: <string>) REG_KEY_DELETED_UPDATE Info McAfee Solidifier detected deletion of registry key '<string>' by program <string> (User: <string>, Workflow Id: <string>) REG_VALUE_DELETED_UPDATE Info McAfee Solidifier detected deletion of registry value '<string>' under key '<string>' by program <string> (User: <string>, Workflow Id: <string>) OWNER_MODIFIED_UPDATE Info McAfee Solidifier detected modification to OWNER of '<string>' by program <string> (User: <string>, Workflow Id: <string>) PROCESS_HIJACKED Major McAfee Solidifier detected an attempt to exploit process <string> (sha1: <string>, md5: <string>, sha256: <string>) from address <string> INVENTORY_CORRUPT Critical McAfee Solidifier detected that its internal inventory for the volume <string> is corrupt FILE_CREATED_UPDATE Info McAfee Solidifier detected creation of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>) FILE_DELETED_UPDATE Info McAfee Solidifier detected deletion of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>) FILE_MODIFIED_UPDATE Info McAfee Solidifier detected modification of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>) 26 McAfee Application Control Linux Product Guide

27 Application Control event list A Event ID (on systems) Threat event ID (on McAfee epo) Event name Severity Description FILE_RENAMED_UPDATE Info McAfee Solidifier detected renaming of '<string>' to '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>) FILE_SOLIDIFIED Info <string>' was solidified which was created by program <string>(user: <string>, Workflow Id: <string>) FILE_UNSOLIDIFIED Info <string>' was unsolidified which was deleted by program <string>(user: <string>, Workflow Id: <string>) READ_DENIED Major McAfee Solidifier prevented an attempt to read file '<string>' by process <string> (Process Id: <string>, User: <string>) PKG_MODIFICATION_PREVENTED Critical McAfee Solidifier prevented package modification by '<string>'(sha1: <string>, md5: <string>, sha256: <string>) by user: '<string>' PKG_MODIFICATION_ALLOWED_UPDATE Info McAfee Solidifier allowed package modification by <string>'(sha1: <string>, md5: <string>, sha256: <string>) by user: '<string>'. (Workflow Id: <string>) PKG_MODIFICATION_PREVENTED_2 Critical McAfee Solidifier prevented package modification by '<string>' by user: '<string>' NX_VIOLATION_DETECTED Critical McAfee Solidifier prevented an attempt to hijack the process '<string>' (Process Id: '<string>', SHA1: <string>, MD5: <string>, SHA256: <string>, User: '<string>'), by executing code from an address outside of code pages region. Faulting address '<string>'. The process was terminated REG_VALUE_MODIFIED_UPDATE Info McAfeeSolidifier detected modification to registry value '<string>' of type '<string>' under key '<string>' by program '<string>' (User: <string>, Workflow Id: <string>), with data: <string> FILE_READ_UPDATE Info McAfee Solidifier detected read for '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>) McAfee Application Control Linux Product Guide 27