The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to maintain a minimum of 7 log files before removing oldest log file.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42968	AV-MOVE-OSS-005	SV-55697r1_rule		Medium

Description
Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.

Description

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.

STIG	Date
McAfee MOVE 2.6 Multi-Platform OSS STIG	2015-10-05

Details

Check Text ( C-49148r1_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, ensure the "Number of Log Files:" is set to 7 or more. If the "Number of Log Files:" is set to less than 7, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: mvadm config show From the displayed configuration, ensure the "LogFileNum" value is set to 7 or more. If the "LogFileNum" is set to less than 7, this is a finding.

Check Text ( C-49148r1_chk )

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties.

On the General tab, ensure the "Number of Log Files:" is set to 7 or more.

If the "Number of Log Files:" is set to less than 7, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator.
Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server).

Execute the following command:
mvadm config show

From the displayed configuration, ensure the "LogFileNum" value is set to 7 or more.
If the "LogFileNum" is set to less than 7, this is a finding.

Fix Text (F-48549r1_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, enter a value of "7" or more for the "Number of Log Files:". Click Save.

Fix Text (F-48549r1_fix)