GNU Linux McAfee Host Based Security System Cheat Sheet

This is a copy of a McAfee Host Based Security System (HBSS) cheat sheet. I apologize for some of the “inefficiencies”. I’m really just copying and pasting from retro paper document.


GNU Linux Agent Manual Install

 

Open terminal, then switch to the location where you copied the install.sh file. Run these commands, giving root credentials when requested:

#sudo chmod +x install.sh

#sudo ./install.sh -i

-b Upgrades the agent only. The server information is not updated.

-h Shows help

-i Performs a new installation

-n Forbids core generation

-u Upgrades entire install


GNU Linux Agent Manual Removal

Open terminal window on the client system. Run the command appropriate for your operating system, providing root credentials when requested.

#sudo rpm -e MFEcma

#sudo rpm -e MFErt

Run the commands in the listed order. If Virus Scan Enterprise (VSE) or Host Intrusion Prevention System (HIPS) is installed you will receive an error. You must unload/uninstall HIPS and/or VSE first.


GNU Linux Agent Directories

  • /opt/McAfee/cma/
    • All binaries, logs, and agent working area
  • /etc/cma.d/
    • Configuration and management information (including GUID and agent version) needed to manage point-products.
  • /etc/cma.conf
    • Configuration and management information in XML format, allowing point-products to read.
  • /etc/init.d/CMA
    • Script for starting and stopping the agent, manually and when called by the system

GNU Linux Agent Commands

For cmdagent commands (available in ePO managed mode):

 

/opt/McAfee/cma/bin/cmdagent

Usage: cmdagent -P -E -C -F -S

-P Collect and send properties

-E Enforce policies

-C Check for new policies/tasks

-F Forward events

-S Show agent monitor GUI (Only available in Windows CmdAgent; not available in GNU Linux OS. This opens the Status Monitor window.)

-? Help

 

For CMA commands (available in ePO managed and unmanaged mode):

/etc/init.d/cma

Usage: /etc/init.d/cma {start|stop|restart|status|basedir|configdir|reload SOFTWAREID|unload SOFTWAREID}

start – Starts the McAfee Agent if stopped

stop – Stops the McAfee Agent

restart – Stops then starts the McAfee Agent

status – Returns status of stopped or running with process ID

basedir – Returns the folder it’s installed in. The default is /opt/McAfee/cma/.

configdir – Returns the folder containing the configuration files. The default is /etc/cma.d/.

reload SOFTWAREID – Ability to load/reload the install point-product ePO plug-in. For example; /etc/init.d/cma reload LYNXSHLD1700 will unregister and re-register the Virus Scan Enterprise for GNU Linux 1.7x or 1.9 ePO plug-in.

unload SOFTWAREID – Ability to unload the install point-product ePO plug-in. For example; /etc/init.d/cma unload LYNXSHLD2000 will unregister the Virus Scan Enterprise for Linux 2.0 ePO plug-in.


GNU Linux HIPS 7 Manual Removal

  1. Login as ‘root’
  2. Type the following command from the command prompt
    1. /opt/McAfee/hip/hipts engines all:off
    2. Password=<HIP Admin Password>
  3. Type the following commands from the command prompt
    1. #rpm -e MFEhiplsm
    2. #rpm -e MFEhiplsm-kernel
    3. #rpm -e MFEhiplsm-apache
  4. Reboot is needed to clear HIPS kernel/apache/hiplsm

GNU Linux HIPS 8 Manual Removal

You must first disable the client’s IPS policies from the ePO server before manually removing it from the client.

  1. Login as ‘root’
  2. Run the command: rpm -e MFEhiplsm; MFEhiplsm-kernel; MFEhiplsm-apache

GNU Linux HIPS 8 Troubleshooting

  1. Verify Linux installation files
    1. After an installation, check that all the files were installed in the appropriate directory on the client.
    2. The /opt/McAfee/hip directory should contain these essential files and directories
      1. HipClient; HipClient-bin – Linux Client
      2. HipClientPolicy.xml – Policy rules
      3. hipts; hipts-bin – Troubleshooting tool
      4. *.so – Host Intrusion Prevention and ePO agent shared object modules
      5. log directory – Contains log files: HIPShield.log and HIPClient.log
    3. Installation history is written to /opt/McAfee/etc/hip-install.log Refer to this files for any questions about the installation or removal process of the Host Intrusion Prevention client.
  2. Verify the Linux client is running
    1. The client might be installed correctly, but you might encounter problems with its operation. If the Client does not appear in the ePO console, for example, check that it is running using the following command
      1. #ps -ef | grep Hip
  3. Stopping the Linux client
    1. You many need to stop a running client and restart it as part of troubleshooting.
    2. To stop a running client first disable IPS protection. Use one of these procedures.
      1. Set IPS options to Off in the ePO console and apply the policy to the client
      2. Log on as root and run the command: hipts engines MISC:off
    3. Run the command: hipts agent off
  4. Restarting the Linux client
    1. You may need to stop a running client and restart it as part of troubleshooting
    2. To restart a client run the command: hipts agent on
    3. Enable IPS Protection. Use one of these procedures depending on which you used to stop the client
      1. Set IPS options to On in the ePO console and apply the policy to the client
      2. Log on as root and run the command: hipts engines MISC:on

GNU Linux Virus Scanner Enterprise Linux 1.9 Manual Installation

Before you begin:

  • Make sure that there is no user named as “nails” or group named as “nailsgroup” on the computer.
  • Make sure that you have “root” privileges to install Virus Scan Enterprise for Linux (VSE/VSEL)
  • If you are installing VSEL on a 64-bit  RedHat Enterprise Linux (RHEL) 6.X system ensure that 32-bit RHEL 6.X Plug-able Authentication Modules (PAM) libraries are also installed
  1. From the terminal go to the temporary directory and execute the following commands to untar them
    1. #tar -zxvf McAfeeVSEForLinux-1.9.0.<build number>-release.tar.gz
    2. #tar -zxvf McAfeeVSEForLinux-1.9.0.<build number>-others.tar.gz
  2. To install the McAfee Runtime type the following command in the terminal window.
    1. #rpm -ivh MFErt.i686.rpm
  3. To install the McAfee Agent (MA) type the following command in the terminal window.
    1. #rpm -ivh MFEcma.i686.rpm
  4. To confirm that the McAfee Agent is running correctly type the following command in the terminal window
    1. #/etc/init.d/cma status
  5. To install VSEL type the following command in the terminal window
    1. #bash McAfeeVSEForLinux-1.9.0.<build number>-installer
  6. Answer the questions when prompted. Accept the default values or specify your own.
  7. When prompted to start the VSEL services, select the default option “Y”.
  8. To confirm that VSEL is running correctly type the following command in the terminal window
    1. #/etc/init.d/nails status

GNU Linux VSEL Upgrade From 1.6/1.7 To 1.9

  1. To upgrade McAfee Agent type the following command in the terminal window
    1. #rpm -Uvh MFEcma.i686.rpm
  2. To confirm that McAfee Agent is running correctly type the following command in the terminal window
    1. #/etc/init.d/cma status
  3. To upgrade VSEL type the following command in the terminal window
    1. bash McAfeeVSEForLinux-1.9.0<build number>-installer
  4. To confirm that VSEL is running correctly type the following command in the terminal window
    1. #/etc/init.d/nails status
  5. Restart your computer using the command
    1. #reboot

GNU Linux VSEL 1.9 Manual Removal

  1. To uninstall VSEL type the following at the command prompt
    1. #rpm -e McAfeeVSEForLinux
    2. #rpm -e MFEcma
    3. #rpm -e MFErt
  2. Reboot the computer to remove the VSEL kernel modules. You do not have to reboot the computer immediately, because the VSEL kernel modules does not interrupt functioning of any other running services.

GNU Linux VSEL 2.0 Manual Installation

Note: 2.0 only works on 64-bit

  1. Download the McAfeeVSEForLinux-2.0.0.<build number>.ZIP to a temporary directory and execute these commands in the given sequence.
    1. #unzip McAfeeVSEForLinux-2.0.0.<build number>.ZIP
    2. #cd McAfeeVSEForLinux-2.0.0.<build number>
    3. #tar -zxvf McAfeeVSEForLinux-2.0.0.<build number>-release-full.x86_64.tar.gz
    4. #tar -zxvf McAfeeVSEForLinux-2.0.0.<build number>-release.tar.gz
    5. #tar -zxvf McAfeeVSEForLinux-2.0.0.<build number>-others.tar.gz
  2. Install McAfee Runtime
    1. #rpm -ivh MFErt.i686.rpm
  3. Install McAfee Agent
    1. #rpm -ivh MFEcma.i686.rpm
  4. Confirm that the McAfee Agent is running correctly
    1. #/etc/init.d/cma status
  5. Install VSEL
    1. #bash McAfeeVSEForLinux-2.0.0.<build number>-installer
  6. Answer the questions when prompted. Accept the default values or type custom values.
  7. When prompted to start the VSEL services type the default option “Y”.
  8. Confirm that VSEL is installed and running correctly
    1. #/etc/init.d/nails status
    2. The message The McAfeeVSEForLinux daemon is running with process information.

GNU Linux VSEL Upgrade From 1.7/1.9 To 2.0

  1. Upgrade McAfee Agent
    1. For RPM based systems
      1. #rpm -Uvh MFEcma.i686.rpm
    2. For Debian based systems
      1. #dpkg -i MFEcma.i686.deb
  2. Confirm that McAfee Agent is running correctly
    1. #/etc/init.d/cma status
  3. Upgrade VSEL
    1. #bash McAfeeVSEForLinux-2.0.0.<build number>-installer
  4. Confirm that VSEL is running correctly
    1. #/etc/init.d/nails status
  5. Restart the computer
    1. #reboot

When you upgrade the software the existing on-access scan settings, on-demand scan settings, and the exclusions list are migrated.


GNU Linux VSEL 2.0 Manual Removal

  1. Type the following at the command prompt then press enter.
    1. #rpm -e McAfeeVSEForLinux
    2. #rpm -e MFEcma
    3. #rpm -e MFErt

GNU Linux VSEL 2.0 Error Codes

Code Range StartCode Range EndCategoryDetail
30003999Anti-virus Engine ErrorsErrors which occur during scanning or cleaning reported by the anti-virus engine.
50005999Scan Manager ErrorsReported by the nailsd process, which controls the scanners.
60006999Logging Error ErrorsReported by the logging subsystem. If the error logging system fails, errors are directed to SYSLOG.
70007999Configuration ErrorsErrors found when parsing values in the configuration files.
80008999Exclusions and Filtering ErrorsErrors found when processing the information about files excluded from scanning, or which extensions to scan.
90009999Monitoring ErrorsReported by the monitoring process that provide administration of the product.
1100011999IPC Error ErrorsReported during inter-process communication.
1200012999On-Demand Scanner ErrorsErrors reported by the On-Demand scanner.
1300013999Command Processor ErrorsInternal Errors for the commands used during inter-process communication.
1400014999Anti-virus Engine Scan ErrorsErrors reported by the anti-virus engine when processing a specific file.
1500015999Task Scheduler ErrorsErrors reported by the Task Scheduler.
1600016999SMTP Alerting ErrorsErrors reported by the SMTP alerting component.
Bookmark the permalink.

Comments are closed