
Product Guide
McAfee Boot Attestation Service 3.5.0
For use with ePolicy Orchestrator 4.6.7, 4.6.8, 5.1.0 Software

COPYRIGHT
Copyright 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface 5
  About this guide 5
  Conventions 5
  Find product documentation 6
1 Introduction 7
  Boot attestation made easy 7
  Components and what they do 7
2 Installation and configuration 9
  Overview of installation and configuration 9
  Requirements 10
  Download the software packages 10
  Deploy the OVA package 10
    Deploy using vSphere client 11
  Install the extensions 13
  Register a VMware vCenter account 14
  Install Boot Attestation Service extension 16
  Register the Boot Attestation server with McAfee ePO 17
  Upgrading Boot Attestation Service 17
    Upgrade Boot Attestation server 17
  Configuring the template 18
    Create a template 18
    Create template through Hypervisors tab 19
    Edit template 20
    Assign template 21
    Delete template 22
  Registered vCenter account details and boot status 23
3 Dashboard 25
  Boot Attestation Service dashboard 25
Index 27


Preface

This guide provides the information you need to work with your McAfee product.

Contents
  About this guide
  Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.

1 Introduction

McAfee Boot Attestation Service provides a secure mechanism to verify the boot trust of VMware ESXi on host servers in a data center. It is targeted for Intel servers built with Intel Trusted Execution Technology (Intel TXT). This mechanism verifies that only trusted and certified applications figure in the operating system boot-up sequence. For details on how Intel TXT works and related use cases, see www.intel.com/txt.

Contents
  Boot attestation made easy
  Components and what they do

Boot attestation made easy

Boot Attestation Service verifies the launch-time measurements of the platform with VMware ESXi hypervisors. The purpose of this attestation is to:
  Verify the boot trust of VMware ESXi
  Generate the trust reports
  Check compliance

This activity takes place in VMware environments. The cloud/virtualization resource schedulers, SIEMs, and policy engines can use the attestation solution.

Components and what they do

Each component performs specific functions to verify the trust of VMware ESXi hypervisors.

ePolicy Orchestrator: Allows you to configure Boot Attestation Service, and display the boot attestation status of the virtual environment.
Boot Attestation Service: Provides a secure mechanism to whitelist an ESXi host and to retrieve the boot attestation status of the hypervisors and report it to the McAfee ePO server.
Data Center Connector for vSphere: Integrates the management and automation feature of McAfee ePO to discover and manage your guest VMs.
Hypervisor (ESXi): Allows multiple operating systems to run concurrently on a hosted system. The hypervisor is a virtual operating platform that manages the execution of the guest operating systems. ESXi is an embedded hypervisor for servers that runs directly on server hardware without requiring an extra underlying operating system.
VMware vCenter: Console that manages the ESXi servers, which host the guest VMs that require protection.
Virtual Machines (VMs): Completely isolated guest operating system installation within a normal host operating system that supports both virtual desktops and virtual servers.

2 Installation and configuration

Before you set up your environment for Boot Attestation Service, you must first configure your VMware vCenter console, which manages the ESXi servers.

Contents
  Overview of installation and configuration
  Requirements
  Download the software packages
  Deploy the OVA package
  Install the extensions
  Register a VMware vCenter account
  Install Boot Attestation Service extension
  Register the Boot Attestation server with McAfee ePO
  Upgrading Boot Attestation Service
  Configuring the template
  Registered vCenter account details and boot status

Overview of installation and configuration

The Data Center Connector for vSphere extension is installed on the McAfee ePolicy Orchestrator server (McAfee ePO) for the virtual machines and hosts discovery functionality. Discovering the hosts is necessary before registering the Boot Attestation server.

The overall Boot Attestation Service installation and ESXi deployment process can be simplified into these steps, assuming that you already have McAfee ePO installed.
1 Deploy the OVA package.
2 Install the Data Center Connector for vSphere, vSphere extension, and Boot Attestation Service on the McAfee ePO server.
3 Configure the Boot Attestation template.
4 Retrieve and view the Boot Attestation status of the host.
5 View the Boot Attestation status details from these areas of McAfee ePO: Dashboard, System Tree, Queries and Reports.

Requirements

Make sure that your environment includes these components, and that they meet the requirements.

Software requirements
  ePolicy Orchestrator 4.6.7, 4.6.8, or 5.1.0
  vCenter Server/ESXi 5.1 update 1c / 5.5
  VMware vSphere Client 5.1 or 5.5

For details on system requirements and instructions for setting up the ePolicy Orchestrator environment, see the McAfee ePolicy Orchestrator Installation Guide. For Intel TXT and TPM hardware requirement details, see http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/trusted-execution-technology-server-platforms-matrix.pdf.

Download the software packages

You must download the Data Center Connector for vSphere, the BAS Extension files, and the OVA file before they can be installed on ePolicy Orchestrator.

Boot Attestation Service 3.5.0 is compatible only with MDCC 3.5.0 and vSphere 3.5.0.

Task
From the McAfee download site (http://www.mcafee.com/us/downloads/), download these packages:
  MDCC_3.5.0.zip
  VSPHEREDCEXTN.zip
  Boot_Attestation_Service_<version number>.zip

If you installed the ePolicy Orchestrator server 4.6.x using Installer for McAfee Endpoint Suites, the Data Center Connector for vSphere extension is already installed and ready for use in McAfee ePO.

Deploy the OVA package

You must deploy the open virtual appliance (OVA) package and set up the Boot Attestation server before you can configure the Boot Attestation server on McAfee ePO.

Tasks
  Deploy using vSphere client on page 11: Deploy the OVA, which is included in the product package, using vSphere client on a hypervisor.

Deploy using vSphere client

Deploy the OVA, which is included in the product package, using vSphere client on a hypervisor.

Before you begin
  From the McAfee download site, download and extract the contents of Boot_Attestation_Service_<version number>.zip.
  Make sure that your ESXi host, where you import the OVA, has an Internet connection.
  The vSphere client must be connected to the vCenter server, not directly to a hypervisor.

Task
1 From the vSphere client, select the resource pool or the hypervisor where you want to deploy the OVA, then click File > Deploy OVF Template to open the OVF wizard.
  The vSphere client must be connected to a vCenter server to successfully deploy the OVA.
2 Apply these settings to deploy the OVF:

  Source: Browse to and select the Boot_Attestation_Service_<version number>.ova file.
  OVF Template Details: Review details about the OVA.
  Name and Location: Specify the name of the hypervisor and the inventory location.
  Storage: Select the storage drive from the list.
  Disk Format: Select the format for disk provisioning.
  Network Mapping: Map the networks used in the OVF template to networks in your inventory.
  Properties: Specify these Boot Attestation server details on the Properties page:
    McAfee ePolicy Orchestrator IP: IP address of the ePolicy Orchestrator server, which is trusted from the Boot Attestation server. You can add multiple IP addresses separated by commas.
    PostgreSQL Password: Password for the Postgres user on the Boot Attestation server. Create a password for the database with only alphanumeric characters; no special characters are permitted.
    User Name: User name for the Boot Attestation management portal. If you do not provide a user name, the default user name is taken as admin.
    Password: Password for the Boot Attestation management portal. If you do not provide a password, the default password is taken as password.
    Host Name: Host name for the Boot Attestation server account. If you do not provide a host name, the default host name is taken as BootAttestationServer.
  Specify these networking details on the Properties page:
    DNS: IP address of the DNS server for the Boot Attestation server. You can add multiple IP addresses separated by a blank space.
    Gateway: IP address of the gateway for the Boot Attestation server.
    IP Address: Static IP address for the Boot Attestation server.
    Netmask: The netmask details of the Boot Attestation server.
    Interface: Interface on which the Boot Attestation server IP address must be configured. If you do not provide interface details, the default value is eth0.
  On specifying the correct configuration information on the Properties page, the Boot Attestation server is configured and ready during the initial start. If you do not specify the correct configuration information and continue with the deployment, the Boot Attestation server might not be configured correctly. If so, you might have to repeat the entire configuration.
  Ready to Complete: Review the options you selected. You can select to turn on the virtual machine after the import, or you can manually turn it on.

3 Click Finish.
  When you log on to the Boot Attestation server VM for the first time, make sure that you change the default password, P@ssw0rd. All user credentials must be configured for security reasons.

4 When the deployment is complete, verify that all Boot Attestation services report as Running. Log on to the Boot Attestation server VM as root with your new password and run this command:
  mtwilson status
5 (Optional) Restart the Boot Attestation server VM.
  If any service reports as Not Running, or if the command fails to run, check for the correct property details on the OVF Template details page. If you see the error again, report to McAfee support and share the log file /root/McAfee_BootAttestation_Install_Logs.tar.gz.
  The Boot Attestation server is now ready to be configured and to communicate with the trusted McAfee ePO server.
6 (Optional) Configure the Boot Attestation server with an additional McAfee ePO server:
  a From the vSphere client console or ssh, log on to the Boot Attestation server.
  b Run these commands:
    cd /root
    bash trusthost.sh <epoip>

Install the extensions

You must install the Data Center Connector for vSphere extension and the vSphere extension on the McAfee ePO server, which then can discover and import your ESXi servers that host the guest VMs.

Before you begin
  Make sure that the extension files are in an accessible location on the network.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu > Software > Extensions > Install Extension.
3 For each extension, browse to and select the extension file, then click OK:
  VSPHEREDCEXTN.zip
  MDCC_3.5.0.zip
  The Install Extension page displays the extension name and version details.
4 Click OK.

Register a VMware vCenter account

Using Data Center Connector for vSphere, register a VMware vCenter account with McAfee ePO so that McAfee ePO communicates with the VMware vCenter, which manages the ESXi servers.

Before you begin
  Make sure that you have configured your VMware vCenter server that manages the ESXi servers, which host the guest VMs.
  The Registered Cloud Accounts option is available only after installing the Data Center Connector for vSphere extension.

Task
For option definitions, click ? in the interface.
1 Log on to the McAfee ePO server as an administrator.
2 Click Menu > Configuration > Registered Cloud Accounts, then click Add Cloud Account to open the Add Cloud Account page.

3 From the Choose Connector drop-down list on the Description page, select VMware vSphere, then click OK.
4 On the vCenter Account Details page, type these details:
  Account Name: A name for the VMware vCenter account in McAfee ePO. Account names can include the characters a-z, A-Z, 0-9, and [_.-], without spaces.
  Server Address (Required): IP address or the host name of the available VMware vCenter.
  vCenter Username (Required): User name of the available VMware vCenter account. This user's minimum role can be read-only. This user can be a domain account. This user can also be a Single-Sign-On (SSO) user. The default user name of the SSO user is admin@system-domain.
  vCenter Password (Required): Password of the available VMware vCenter account.
  Connection protocol: The protocol required to establish the connection with the VMware vCenter.
  Sync Interval (In Minutes): Specify the time interval for running subsequent vCenter discovery.
  Port No: The port number required to establish the connection with the available VMware vCenter.
  Tag: This is given by the admin to identify the VMs. Tag names can include the characters a-z, A-Z, 0-9, and [_.-], with spaces.
5 Click Test Connection to validate the VMware vCenter account details and verify the connection to the VMware vCenter, then click Next to open the Validate Certificate page.
6 Click Accept to validate the certificate, then click Finish.

7 When prompted to confirm, click OK to register the vCenter account.
  This action registers the VMware vCenter and imports all discovered virtual machines, which are unmanaged, into the McAfee ePO System Tree. The instances are imported with the same structure and hierarchy present in VMware vCenter. The virtual machines that are already added and managed by McAfee ePO are retained with the existing policy settings, but the virtualization properties for these machines are added.
8 View the imported VMs: click Menu > Systems > System Tree in McAfee ePO.
  After the discovery, you can find your vCenter account under the group vSphere. The clusters and hosts from vCenter are logically grouped under each Data Center group in McAfee ePO.

Install Boot Attestation Service extension

You must install the Boot Attestation Service extension to allow the Boot Attestation server to communicate with the McAfee ePO server and retrieve the attestation details of the host.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu > Software > Extensions > Install Extension.
3 Browse to and select the extension file BootAttestationService.zip, then click OK.
  The Install Extension page displays the extension name and version details.
4 Click OK.

Register the Boot Attestation server with McAfee ePO

It is necessary to register the Boot Attestation server with McAfee ePO in order to perform the host mapping.

Before you begin
  Make sure that you installed the extension for Data Center Connector for vSphere on McAfee ePO.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Menu > Configuration > Registered Servers, then click New Server to open the Registered Server Builder wizard.
3 From the Server type drop-down list on the Description page, select Boot attestation server, specify a unique user-friendly name and any details, then click Next.
4 On the Details page, type the IP address.
5 Click Test Connection to verify that the connection to the server works, then click Save.

You can register only one Boot Attestation Server on a single McAfee ePO server.

Upgrading Boot Attestation Service

To upgrade Boot Attestation Service from 3.0.1 to 3.5.0, you must first upgrade the extension for Data Center, Data Center Connector for vSphere. You must then upgrade the Boot Attestation server and install the Boot Attestation Service extension. For details about upgrading the extensions for Data Center and Data Center Connector for vSphere, see Install the extensions.

Upgrade Boot Attestation server

Follow this procedure to upgrade the Boot Attestation server 1.1.5 and 1.1.6 to 3.5.0.

Task
1 Download the Boot Attestation Service upgrade package.
2 Copy the package to the /root directory on the Boot Attestation server VM.
3 Extract the file using the command unzip BootAttestationUpgrade.zip.
4 Run this upgrade script from the current directory: bash <upgradebootattestation.sh>.
  A confirmation message appears for both the success and failure status.

After upgrading the extensions and Boot Attestation server, you will be able to view the Boot Attestation status on the McAfee ePO server.

Make sure you take a backup of the existing setup before upgrading to Boot Attestation Service 3.5.0.

Template creation and mapping happen automatically when the Boot Attestation Service 3.5.0 upgrade is complete.

Configuring the template

All the Boot Attestation templates can be configured according to your requirements. You can create, edit, assign, or delete templates.

Create a template

You can create a new template from the Hypervisors tab and the Templates tab by using the Create Template option.

Steps to create a template through the Templates tab:

Task
For option definitions, click ? in the interface.
1 Log on to the McAfee ePO server as an administrator.
2 Click Menu > Configuration > Boot Attestation Configuration.
3 Go to the Templates tab, then click Actions from the bottom left corner.
4 Select Create Template.

5 On the Create Template window, type these details:
  Template name: A name for the template.
  Manufacturer: Select the appropriate manufacturer.
  Firmware version: Select firmware version to filter hosts.
  VMM version: Select VMM version to filter hosts.
  Select host: Choose the host for which the template must be created.
  Select the Firmware version and VMM version sensor settings.
6 Click OK.

Creating a template through the Templates tab is the recommended approach when there are many hosts.

Create template through Hypervisors tab

The Hypervisors tab provides an option to create templates for the selected hosts.

Steps to create a template through the Hypervisors tab:

Task
For option definitions, click ? in the interface.
1 Log on to the McAfee ePO server as an administrator.
2 Click Menu > Configuration > Boot Attestation Configuration.
3 Select a host from the list of hosts available in the Hypervisors tab.

4 Click Actions, and select Create Template. The Create Template window appears on the screen.
5 On the Create Template window, type these details:
  Template name: Type a name for the template.
  Select the Firmware version and VMM version sensor settings accordingly.
6 Click OK to complete creating the template.

Edit template

You can change or update the template name and the sensor settings options by using the Edit Template option.

Task
For option definitions, click ? in the interface.
1 Log on to the McAfee ePO server as an administrator.
2 Click Menu > Configuration > Boot Attestation Configuration.
3 Go to the Templates tab and select the template that has to be edited.
4 Click Actions from the bottom left corner of the screen.
5 Select Edit Template.

6 Update the Template name or change the firmware and VMM sensor settings.
7 Click OK.

Assign template

The Assign Template option is used to assign templates to hosts through the Hypervisors tab. Automatic template assignment happens at regular intervals, which assigns the template to the appropriate hosts.

Task
For option definitions, click ? in the interface.
1 Log on to the McAfee ePO server as an administrator.
2 Click Menu > Configuration > Boot Attestation Configuration.
3 From the Hypervisors tab, select the host where the template must be assigned.
4 Click Actions from the bottom left corner of the screen.
5 Select Assign Template.

6 From the Choose template option, select the template to be assigned.
7 Click OK.

Delete template

You can delete a template by using the Delete Template option.

Task
For option definitions, click ? in the interface.
1 Log on to the McAfee ePO server as an administrator.
2 Click Menu > Configuration > Boot Attestation Configuration.
3 Go to the Templates tab and select the template that has to be deleted.
4 Click Actions from the bottom left corner of the screen.
5 Select Delete Template. A confirmation question appears on screen.
6 Click Yes to complete deleting the template.

You can navigate to the audit log file and view the detailed information on the success and failure status of the template tasks such as create, edit, assign, and delete.

Installation and configuration Registered vcenter account details and boot status 2 Registered vcenter account details and boot status When you register the host, it appears in the System Tree in McAfee epo, and displays boot attestation details. You can also view account details of the registered vcenter. Property Name Type Last Successful Sync Last Sync Status Total VMs Running VMs Managed VMs Auto Deploy MA Actions Description Name of the vcenter that you registered in McAfee epo. Type of the Data Center Connector. Displays the date and time when the last synchronization between McAfee epo and VCenter occurred. Displays the synchronization status such as Synch Scheduled, Success, In Progress, and Failed. Displays the number of VMs that are available under the registered vcenter. Displays the number of VMs that are up and running under the registered vcenter. Displays the number of VMs that are managed by McAfee epo. Specifies if the administrator enabled the Auto deploy McAfee Agent task for the registered vcenter account. Not available in this version. You can edit, delete, and synchronize the Vcenter account using McAfee epo. By default, the Firmware Trust Status and VMM Trust Status columns don't appear under System Tree. You must select and add them using the Choose Columns option under System Tree Actions. Boot Attestation Service provides five different types of attestation status: Trusted Firmware and VMM values are matched with mapped host template configuration Untrusted Firmware, VMM, or both values are not matched with the mapped host template configuration. Unknown The ESXi host is not registered or whitelisted, or the hardware used is not supported by Intel TXT. Error The McAfee epo server is not able to retrieve the boot attestation details. Disabled The host is assigned to a template which has both firmware and VMM sensors disabled, or either one of them is disabled. 
You can view the boot attestation details of a host by double-clicking the host name listed under System Tree. The boot attestation details are on the Virtualization tab.
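The five statuses above, expressed as a decision function. This is an added example written for this page, not McAfee's code; the Template and HostReport fields and the precedence between the checks are assumptions, since the guide lists the statuses without saying which condition wins when several apply.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class BootStatus(Enum):
    TRUSTED = "Trusted"
    UNTRUSTED = "Untrusted"
    UNKNOWN = "Unknown"
    ERROR = "Error"
    DISABLED = "Disabled"


@dataclass(frozen=True)
class Template:
    """Host template (hypothetical model): sensor switches and whitelisted values."""
    firmware_sensor: bool        # True if the firmware sensor is enabled
    vmm_sensor: bool             # True if the VMM sensor is enabled
    expected_firmware: str       # whitelisted firmware value
    expected_vmm: str            # whitelisted VMM value


@dataclass(frozen=True)
class HostReport:
    """What ePO holds for one ESXi host (hypothetical model; fields are constructed)."""
    registered: bool             # host is registered and whitelisted
    txt_supported: bool          # hardware supports Intel TXT
    template: Optional[Template] # mapped template, None if no template is assigned
    firmware: Optional[str]      # measured firmware value, None if retrieval failed
    vmm: Optional[str]           # measured VMM value, None if retrieval failed


def boot_status(host: HostReport) -> BootStatus:
    # Precedence is an assumption: Unknown, then Disabled, then Error,
    # and only a fully enabled, retrievable host is compared with its template.
    if not host.registered or not host.txt_supported or host.template is None:
        return BootStatus.UNKNOWN
    t = host.template
    if not (t.firmware_sensor and t.vmm_sensor):
        # Either sensor switched off in the assigned template gives Disabled.
        return BootStatus.DISABLED
    if host.firmware is None or host.vmm is None:
        return BootStatus.ERROR
    if host.firmware == t.expected_firmware and host.vmm == t.expected_vmm:
        return BootStatus.TRUSTED
    return BootStatus.UNTRUSTED
```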


3 Dashboard

Dashboards, which are made up of monitors, help you track the key metric: the boot attestation status of launch-time measurements of the platform with VMware ESXi hypervisors.

McAfee ePO 4.6: Dashboards are grouped under Private Dashboards.
McAfee ePO 5.1: Reports are grouped under McAfee Dashboards.

Boot Attestation Service dashboard

The Boot Attestation Service dashboard is added to your McAfee ePO server when you install the Data Center Connector for vSphere extension. The dashboard displays a collection of monitors based on the results of the default Boot Attestation Service query.

This is the default monitor for Boot Attestation Service, which appears under the Data Center dashboard:
Boot Attestation Status of Hypervisors: Displays the boot attestation status of vCenter hypervisors.

The boot status of the host's firmware and VMM versions is one of:
Trusted: Both the VMM and firmware versions of the registered ESXi host are trusted, or both sensors are disabled in the template assigned to the host.
Untrusted: Either the VMM or the firmware version of the registered host is not trusted.
Unknown: The ESXi host is not registered or whitelisted, or the hardware used is not supported by Intel TXT.
Error: The McAfee ePO server is not able to retrieve the boot attestation details.

You can view the boot attestation details of a host by double-clicking the host name listed in the System Tree. The boot attestation details are on the Virtualization tab.

Index

A
about this guide 5
accounts, registering 14
automatic mapping 17

B
boot attestation server
  components 7
  configuring 11
  registering 9, 17
  setting up 9, 10
  verifying boot status 7
boot attestation service
  about 7
  boot verification 7
  installing 9
  upgrading 17
boot status
  displaying 25
  retrieving and displaying 23

C
configuration 18
connector, choosing 14
conventions and icons used in this guide 5

D
dashboard
  boot status 25
dashboards
  boot status 25
  viewing 25
documentation
  product-specific, finding 6
  typographical conventions and icons 5

E
ePolicy Orchestrator
  components 7
  install extension 13
ESXi host
  deploying 11
extension
  downloading 10
  installing 9, 10, 13

H
hypervisors 14

I
installation
  deploying the OVA package 9
  downloading the software 9
  installing the extensions 9
  overview 9
  requirements 10
  upgrading the service 9

M
McAfee ServicePortal, accessing 6

O
open virtual appliance, importing 11

S
ServicePortal, finding product documentation 6
status
  boot status 25
  viewing 25
System Tree 23

T
tags, defining 14
technical support, finding product information 6
templates
  assigning 21
  configuring 18
  creating 18
  deleting 22
  editing 20

V
vCenter, defining 9
verification, boot 7
virtual machines
  boot status 14
  discovering 14
virtual properties, displaying 14
VMware vCenter account
  defining 14
  registering 9, 14
  viewing details 23
vSphere client 11
