The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63135	DTAVSEL-114	SV-77625r2_rule		Medium

Description
Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.

STIG	Date
McAfee VSEL 1.9/2.0 Local Client Security Technical Implementation Guide	2019-03-20

Details

Check Text ( C-63887r1_chk )
With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed and configured to protect the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated. From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Select "2. What to Scan". Verify all otherwise unprotected network servers to which this Linux system has mounted volumes have been included. If all otherwise unprotected network servers to which this Linux system has mounted volumes have not been included, this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command "grep "nailsd.profile.ODS.scanNWFiles" ods.cfg" If the response given for "nailsd.profile.ODS.scanNWFiles" is not "true", this is a finding.

Check Text ( C-63887r1_chk )

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed and configured to protect the network servers to which the mounted volumes connect.

If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable.

If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable.

If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated.

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Select "2. What to Scan".
Verify all otherwise unprotected network servers to which this Linux system has mounted volumes have been included.

If all otherwise unprotected network servers to which this Linux system has mounted volumes have not been included, this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command "grep "nailsd.profile.ODS.scanNWFiles" ods.cfg"

If the response given for "nailsd.profile.ODS.scanNWFiles" is not "true", this is a finding.

Fix Text (F-69053r1_fix)
From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks". With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task. Click on the task, and then click "Modify". Select "2. What to Scan". Under "Path", add each otherwise unprotected network server to which this Linux system has mounted volumes, and click "Add". Once all mounted volumes have been added, click "Next", and then click "Finish"

Fix Text (F-69053r1_fix)

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, review tasks under "View", "Scheduled Tasks".
With the System Administrator's assistance, determine which task is intended as the regularly scheduled scan task.
Click on the task, and then click "Modify".
Select "2. What to Scan".
Under "Path", add each otherwise unprotected network server to which this Linux system has mounted volumes, and click "Add".
Once all mounted volumes have been added, click "Next", and then click "Finish"