Compliant Product - McAfee Policy Auditor 6.0 with ePolicy Orchestrator 4.6
Certificate Date: 05 May 2012
Validation Report Number: CCEVS-VR-10484-2012
Product Type: Enterprise Security Management
Conformance Claim: EAL2 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: COACT Inc. CAFE Laboratory
McAfee Policy Auditor 6.0 is an agent-based, purpose-built IT policy audit solution that leverages the XCCDF and OVAL security standards to automate the processes required for internal and external IT audits. McAfee Policy Auditor evaluates the status of managed systems relative to audits that contain benchmarks. Benchmarks contain rules that describe the desired state of a managed system. Benchmarks are distributed with the TOE or imported into McAfee Benchmark Editor and, once activated, can be used by Policy Auditor. Benchmarks are written in the open-source XML standard formats Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability Assessment Language (OVAL). XCCDF describes what to check while OVAL specifies how to perform the check.
Seamless integration with McAfee ePolicy Orchestrator® (ePO™) eases agent deployment, management, and reporting. ePO provides the user interface for the TOE via a GUI accessed from remote systems using web browsers. The ePO web dashboard represents policy compliance by benchmark. Custom reports can be fully automated, scheduled, or exported. ePO requires users to identify and authenticate themselves before access is granted to any data or management functions. Audit records are generated to record configuration changes made by users. The audit records may be reviewed via the GUI.
Based upon per-user permissions, users may configure the systems to be audited for policy compliance (the “managed systems”) along with the benchmarks to be checked. The Policy Auditor Agent Plug-In executing on the managed systems performs the policy audit and returns the results to Policy Auditor. Policy Auditor allows you to conduct policy audits on various releases of the following operating systems:
A) Microsoft Windows
B) Macintosh OS X
E) Red Hat Linux
Users can review the results of the policy audits via ePO. Access to this information is again limited by per-user permissions.
Communication between the distributed components of the TOE is protected from disclosure and modification by cryptographic functionality provided by the operational environment.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that McAfee Policy Auditor 6.0 and McAfee ePolicy Orchestrator 4.6 Security Target, version 0.4, Dated February 15, 2012 meets the security requirements contained in the Security Target.
The criteria against which McAfee Policy Auditor 6.0 and McAfee ePolicy Orchestrator 4.6 Security Target, version 0.4, Dated February 15, 2012 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1. The COACT, Inc. CAFE Lab determined that the evaluation assurance level (EAL) for McAfee Policy Auditor 6.0 and McAfee ePolicy Orchestrator 4.6 Security Target, version 0.4, Dated February 15, 2012 is EAL 2 + ALC_FLR.2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target.
A team of Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by the COACT, Inc. CAFE Lab. The evaluation was completed in February 2012. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.
The TOE’s Security Functions are:
The TOE evaluates the status of managed systems relative to audits that contain benchmarks. Benchmarks contain rules that describe the desired state of a managed system. Benchmarks are received through or imported into McAfee Benchmark Editor and, once activated, can be used by Policy Auditor. Benchmarks are written in the open-source XML standard formats Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability Assessment Language (OVAL). XCCDF describes what to check while OVAL specifies how to perform the check.
Identification and Authentication (I&A)
Users must log in to ePO with a valid user name and password supplied via a GUI before any access is granted by the TOE to TOE functions or data. When the credentials are presented by the user, ePO determines if the user name is defined and enabled. If not, the login process is terminated and the login GUI is redisplayed.
The supplied password is passed to Windows for validation. If it is successful, the TOE grants access to additional TOE functionality. If the validation is not successful, the login GUI is redisplayed. Note that all the Windows I&A protection mechanisms (e.g., account lock after multiple consecutive login failures) that may be configured still apply since Windows applies those constraints when performing the validation.
Upon successful login, the Global Administrator status and the union of all the permissions from the permission sets from the user account configuration are bound to the session. Those attributes remain fixed for the duration of the session (until the user logs off). If the attributes for a logged-in user are changed, those changes will not be bound to a session until the next login by the user.
The TOE’s Management Security Function provides administrator support functionality that enables a user to configure and manage TOE components. Management of the TOE may be performed via the ePO GUI. Management permissions are defined per-user.
The TOE provides functionality to manage the following:
A) ePO User Accounts,
B) Permission Sets,
C) Audit Log,
D) Event Log,
F) Event Filtering,
G) System Tree,
I) Product Policies,
M) Policy Auditor,
N) Policy Audits, and
The Audit Log maintains a record of ePO user actions. The auditable events are specified in the Audit Events and Details table in the FAU_GEN.1 section of the ST.
The Audit Log entries display in a sortable table. For added flexibility, a user can also filter the log so that it only displays failed actions, or only entries that are within a certain age. The Audit Log displays seven columns:
A) Action — The name of the action the ePO user attempted.
B) Completion Time — The time the action finished.
C) Details — More information about the action.
D) Priority — Importance of the action.
E) Start Time — The time the action was initiated.
F) Success — Specifies whether the action was successfully completed.
G) User Name — User name of the logged-on user account that was used to take the action.
Audit Log entries can be queried by a Global Administrator or users with the “View Audit Log” permission. The Audit Log entries are automatically purged based upon a Global Administrator-configured age. Other than automatic purging, no mechanisms are provided for users to modify or delete entries. The audit log entries are stored in the database; if space is exhausted, new entries are discarded.
System Information Import
ePO offers integration with both Active Directory and NT domains as a source for systems, and even (in the case of Active Directory) as a source for the structure of the System Tree.
If the network runs Active Directory, a user can use Active Directory synchronization to create, populate, and maintain part or all of the System Tree. Once defined, the System Tree is updated with any new systems (and subcontainers) in the Active Directory.
There are two types of Active Directory synchronization: systems only, and systems and structure. Which one to use depends on the level of integration desired with Active Directory.
With each type, a user may control the synchronization by selecting whether to:
A) Deploy agents automatically to systems new to ePolicy Orchestrator.
B) Delete systems from ePolicy Orchestrator (and remove their agents) when they are deleted from Active Directory.
C) Prevent adding systems to the group if they exist elsewhere in the System Tree.
D) Exclude certain Active Directory containers from the synchronization. These containers and their systems are ignored during synchronization.
The NT domains may also be used as a source for populating the System Tree. When a group is synchronized to an NT domain, all systems from the domain are put in the group as a flat list. A user can manage those systems in the single group, or can create subgroups for more granular organizational needs.
When systems are imported, their placement in the System Tree may be automatically determined by criteria-based sorting of two forms. IP address sorting may be used if IP address organization coincides with management’s needs for the System Tree. Tag-based sorting may be used to sort systems based on tags associated with them.
The server has three modes for criteria-based sorting:
A) Disable System Tree sorting
B) Sort systems on each agent-server communication — Systems are sorted again at each agent-server communication. When sorting criteria on groups are changed, systems move to the new group at their next agent-server communication.
C) Sort systems once — Systems are sorted at the next agent-server communication and marked to never be sorted again.
SCAP Data Exchange
The TOE must be able to import and export SCAP benchmark assessment data. This functionality ensures that the assessments remain current as new benchmarks are developed and allows custom-designed benchmarks in the TOE to be made available to other systems.