
User Guide

McAfee Embedded Control 6.5.1 For use with Wind River Linux 5.0.1


COPYRIGHT

Copyright © 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction
    What is Embedded Control?
    When to use Embedded Control?
    Product features

2 Installing and configuring the software
    Validate the software installation
    Add the McAfee Layer
    Configure the project
        Using the command-line interface
        Using the Workbench

3 Getting started
    Enable the product
    Configure checksum calculation
    Configure execution of Java files
        Add interpreter
        Remove interpreter
        List interpreter
    Verify that only authorized applications can run
    Verify that Embedded Control tamper-proofs applications
    Perform emergency changes

A Create McAfee ePO-deployable package


Preface

This guide provides the information you need to work with your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

• Partners — Resellers who contract with McAfee to sell McAfee products.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.


Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

2 In the Support Content pane:

• Click Product Documentation to find user documentation.

• Click Technical Articles to find KnowledgeBase articles.

3 Select Do not clear my filters.

4 Enter a product, select a version, then click Search to display a list of documents.


1 Introduction

McAfee® Embedded Control is a single solution that provides system integrity and change control for embedded devices. This software offers an effective way to block unauthorized applications from running on your embedded systems.

Contents
• What is Embedded Control?
• When to use Embedded Control?
• Product features


What is Embedded Control?

Embedded Control is a combination of McAfee Application Control and McAfee Change Control products.

When you deploy Embedded Control, the integrated features of both products are available for use. Here is a high-level overview of the features provided by these products.

For detailed information about these products, see McAfee Application Control 6.1.0 Product Guide and McAfee Change Control 6.1.0 Product Guide.

When to use Embedded Control?

With the adoption of commercial operating systems in embedded devices, there are increased security risks. Embedded Control offers a one-stop security solution that enables manufacturers to use a commercial operating system without incurring risks or losing control over the systems.

This product helps you convert a system built on a commercial operating system into a black box so it works like a proprietary operating system. When you use Embedded Control on devices, it:

• Provides zero-day protection

• Minimizes security risks

• Controls what runs on your devices

• Provides real-time visibility

• Offers a deploy-and-forget solution

• Helps you to reduce support costs

This release of Embedded Control is designed to work with Wind River Linux version 5.0.1. Wind River Linux is the market-leading commercial grade Linux solution for embedded-device development. For more information about using Wind River Linux, visit the Wind River Support page or see Wind River Linux documentation.


Product features

Here is a description of Embedded Control features.

Execution control

Maintain system integrity by controlling what runs on your embedded devices. Embedded Control allows only authorized software to run and permits validated changes to the systems.

It automatically creates a dynamic whitelist of the authorized programs and applications. After the whitelist is created and enabled, only programs contained in the whitelist can execute. Other programs, scripts, and binaries (Executable and Linkable Format) that are not contained in the whitelist are considered unauthorized and prevented from executing. This prevents worms, viruses, spyware, and other malware from executing illegitimately.

System integrity

Based on your setup, Embedded Control gives you the flexibility to configure access to the protected systems. You can lock down systems to prevent even administrators from changing what is authorized to run on a system, unless presented with an authentication key.

Change tracking and control

Embedded Control detects and tracks changes in real time. It allows changes to be made only to the needed target systems and through authorized means. You can enforce change control processes by specifying authorized means of allowing changes. You can define what can be changed, such as certain files or directories, and when the changes can be applied.

Activity record and change visibility

Embedded Control records all activity for protected systems and provides visibility into the sources of change. It makes sure that only valid changes are deployed and prevents invalid changes from being deployed. The software captures detailed information for every change to a protected system, including who, what, where, when, and how. It provides an accurate, complete, and definitive record of all system changes.

Low operational expenses and overhead

Embedded Control is deployed with ease and does not have any ongoing maintenance overhead. Also, the software requires a minimal learning period and is functional across all applications immediately after activation. Embedded Control does not depend on rules or signature databases and has a small footprint.

Secure Hash Algorithm 256 (SHA256) support

With this release, we have added support for SHA256 to calculate checksum values of inventory items. SHA256 offers improved security as compared to SHA1. Although we continue to support SHA1, checksum values of inventory items will be calculated using SHA256. If you use SHA256 as the hash algorithm, we compute both SHA1 and SHA256 values while creating the whitelist. However, decision making is primarily based on SHA256 values. For more information, see Configure checksum calculation.

Java (.jar and .class files) support

With this release, we have added support for whitelisting of Java files, specifically .jar and .class files. You can now whitelist .jar and .class files and protect these files from unauthorized execution. Only whitelisted files are allowed to execute on the system. For more information, see Configure execution of Java files.


2 Installing and configuring the software

Install and configure the software for the Wind River Linux target platforms.

This version of Embedded Control supports only 32-bit architecture.

Contents
• Validate the software installation
• Add the McAfee Layer
• Configure the project

Validate the software installation

Verify that Wind River Linux 5.0.1 software is installed on the system.

Task

1 Navigate to <installDir>.

2 Confirm that <installDir>/wrlinux-5 and <installDir>/wrlinux-addons are present.

3 Open the <installDir>/setup.log file and make sure that the Wind River Linux CDRs listed show 5.0.1.x.

For more information, see the Wind River Workbench User's Guide and Wind River Linux 5 Getting Started Guide.

Add the McAfee Layer

Add the McAfee layer to the Wind River Linux installation to add Embedded Control features.

The layer framework in Wind River Linux provides modular functionality allowing you to easily add or modify features. You can add your updates as one or more layers on top of the base installation. Each layer contributes specific content without changing the base installation. The McAfee layer (wr-mcafee) allows you to add the Embedded Control functionality.


Task

1 Extract the McAfee layer from the package.

2 Add the layer to the <installDir>/wrlinux-5/layers directory.

After you add the layer, the directory includes these files.

Directory   Contents                                   Description

conf        layer.conf                                 Layer configuration file

recipes     linux/linux-windriver_3.4.bbappend         Configuration files
            linux/mcafee/mcafee.cfg
            linux/mcafee/mcafee.scc
            solidcores3/files/solidcore.conf

            solidcores3/solidcores3_<version>.bb       BitBake recipe file

            solidcores3/files/mapkg_det.mcs            Packaging-related files
            solidcores3/files/mapkg_install.sh
            solidcores3/files/PkgCatalog.xml

downloads   solidcores3-6.5.1-<build>.common-pc.tgz    User binary TAR file for supported boards

            solidcores3-ksrc-6.5.1-<build>.tgz         Kernel source

files       common-licenses/McAfee                     McAfee end-user license agreement

templates   default/README                             Read me file

            default/image.inc                          Feature template file

Configure the project

Configure your Wind River Linux project to add Embedded Control security features to the project.

You can add Embedded Control functionality to the platform project using Wind River Workbench or command-line options on the Wind River Linux development host.

Tasks

• Using the command-line interface
  Add the McAfee layer to configure your project using the command-line interface (CLI).

• Using the Workbench
  Add the McAfee layer to configure your project using the Workbench.

Using the command-line interface

Add the McAfee layer to configure your project using the command-line interface (CLI).

Task

1 Navigate to your project directory.

These examples use <projDir> to represent the project directory. For example:

$ cd <installDir>/workspace/<projDir>


2 Set the Wind River Linux environment variables on your development host.

This command creates the WIND_LINUX_CONFIGURE environment variable that appears in the examples.

$ <installDir>/wrenv.sh -p wrlinux-5

3 Configure the platform project to add Embedded Control features.

For example:

• Haswell or Sandy Bridge

$WIND_LINUX_CONFIGURE --enable-board=common-pc --enable-addons=wr-idp --enable-kernel=standard --enable-rootfs=glibc-idp --with-layer=commonpc,wr-mcafee,McAfeeAgent --with-package=tcpdump,grub-ima,curl,ltp --enable-jobs=4 --enable-parallel-pkgbuilds=4 --with-rcpl-version=0010

In the command, the --with-layer option specifies the layers to include in your project.

4 Verify that no errors are generated and the directory structure is created in the project directory.

5 Build the target file system and wait until the process is complete.

$ make fs

6 Create the image and deploy the Embedded Control-enabled platform on a target.

For more information, see the Wind River Linux Getting Started Guide, 5, Wind River Linux User's Guide, 5, and Wind River Workbench By Example (Linux 5 Version), 3.3.

Using the Workbench

Add the McAfee layer to configure your project using the Workbench.

Task

1 Launch Wind River Workbench, and select File | New | Wind River Workbench Project.

2 Select Wind River Linux Platform Base 5.0.1 and click Next.

3 Select Build Type as Platform and click Next.

4 Type a name for the project and click Next to open the Configure Options screen.

5 Click Advanced >>.

6 Click Reload in the Layers pane.

7 Specify these options in the General settings pane.

• Board — Select a board. For example, common-pc.

• RootFS — Select glibc-idp as the target root file system.

• Kernel — Select standard.

8 Add the McAfee layer to the project.

a Click Add in the Layers pane to open the Select Folder dialog box.

b Select layers | wr-mcafee and click OK.

c Browse and add the commonpc and McAfeeAgent layers.


9 Make sure that the final configuration command is similar to:

$WIND_LINUX_CONFIGURE --enable-board=common-pc --enable-addons=wr-idp --enable-kernel=standard --enable-rootfs=glibc-idp --with-layer=commonpc,wr-mcafee,McAfeeAgent --with-package=tcpdump,grub-ima,curl,ltp --enable-jobs=4 --enable-parallel-pkgbuilds=4 --with-rcpl-version=0010

10 Click Finish to create the project.

11 Build the target file system and wait until the process is complete.

For detailed instructions, see Wind River Linux Getting Started Guide, 5, Wind River Linux User's Guide, 5, and Wind River Workbench By Example (Linux 5 Version), 3.3.

12 Create the image and deploy the Embedded Control-enabled platform on a target.


3 Getting started

After you deploy Embedded Control, enable the product to protect your device.

A few common use-cases are detailed here. For detailed information about all product features, see McAfee Application Control 6.1.0 Product Guide and McAfee Change Control 6.1.0 Product Guide.

Contents
• Enable the product
• Configure checksum calculation
• Configure execution of Java files
• Verify that only authorized applications can run
• Verify that Embedded Control tamper-proofs applications
• Perform emergency changes

Enable the product

Enable the product to activate the Embedded Control software.

Before you begin

To change the hash algorithm used for checksum calculation, see Configure checksum calculation.

Task

1 Add the license.

sadmin license add <license_key>

2 Restart the service.

service scsrvc restart

3 Determine the hash algorithm to use for checksum calculation in your setup.


Scenario        Description

Fresh install   For a fresh installation, SHA256 is used by default to calculate checksum values of inventory items.

Upgrade         • If you upgrade in Disabled mode, from the previous release to this release, SHA256 is used by default to calculate checksum values of inventory items.

                • If you upgrade in Update mode, from the previous release to this release, SHA1 is used by default to calculate checksum values of inventory items.

4 Create the initial whitelist.

# sadmin so

This command creates a whitelist of all binary and script files present on the system. The whitelist controls applications and files that can run on the protected system. The time taken to create the whitelist varies from a few minutes to an hour, depending on the installed applications and system configuration.

5 Place the product in Enabled mode.

# sadmin enable

In Enabled mode, Embedded Control protects all files in the whitelist from unauthorized modification and deletion attempts. Also, Embedded Control prevents unauthorized applications or programs from running on the system.

6 Restart the McAfee Solidifier service.

# service scsrvc restart

7 Verify that the product is in Enabled mode.

# sadmin status

McAfee Solidifier status is set to Enabled and the volume status is set to Solidified for all volumes.

Configure checksum calculation

Specify whether to use SHA1 or SHA256 to calculate checksum values of inventory items.

Task

1 Determine the hash algorithm in use.

Scenario        Description

Fresh install   For a fresh installation, SHA256 is used by default to calculate checksum values of inventory items.

Upgrade         • If you upgrade in Disabled mode, from the previous release to this release, SHA256 is used by default to calculate checksum values of inventory items.

                • If you upgrade in Update mode, from the previous release to this release, SHA1 is used by default to calculate checksum values of inventory items.

2 Change the hash algorithm used to calculate checksum.

a Make sure the software is in Disabled mode.

# sadmin status

If the software is not in Disabled mode, type the # sadmin disable command and reboot the system.


b Configure checksum calculation.

# sadmin config set HashAlgorithm=<sha value>

<sha value> represents the hash function to use for checksum calculation and can be SHA1 or SHA256.

If you are switching from SHA1 to SHA256, the command might take a few minutes to compute new checksum values.

c Enable the software.

# sadmin enable

d Restart the McAfee Solidifier service.

# service scsrvc restart

Configure execution of Java files

Embedded Control allows you to configure execution control of Java files. You can establish the association between the file extensions and the interpreter that interprets the content of these files.

After you define the association between a file extension and its interpreter, the actual execution of the files is controlled or protected by the script-auth feature. Make sure that this feature is enabled for your setup.

In this release, default rules are added to allow whitelisting of .jar and .class files. Also, these rules allow execution control of these files when launched by Java interpreter.

Add, list, or remove interpreters using the sadmin scripts command to configure execution of Java files.

Tasks

• Add interpreter
  Add interpreters and scripts to control the execution of additional scripts that you want to add to the whitelist.

• Remove interpreter
  Remove the interpreters for scripts on which execution control is not required.

• List interpreter
  List the interpreters and scripts for which execution is tracked.


Add interpreter

Add interpreters and scripts to control the execution of additional scripts that you want to add to the whitelist.

Task

• Run this command at the command prompt.

sadmin scripts add extension interpreter1 [interpreter2]...

When you establish an association, these files become the supported file types and they need to be whitelisted. After they are whitelisted, files having these extensions can be executed by these interpreters.

For example:

sadmin scripts add .zip java

This command enables Embedded Control to track and control the execution of .zip files. After adding this rule, if you execute a .zip file using java, the software checks if the file is whitelisted and allows execution. If the file is not whitelisted, the software will prevent execution of the file.

If you attempt to add an interpreter that already exists on this list, no action is taken.

Remove interpreter

Remove the interpreters for scripts on which execution control is not required.

Task

• Run this command at the command prompt.

sadmin scripts remove extension [interpreter1 [interpreter2]]...

If you do not mention any interpreter, this command removes the extension for the entire list.

For example:

sadmin scripts remove .jar java

File extensions for which rules are removed remain in the whitelist until you remove the files from the whitelist. To remove files from the whitelist, you can either run the sadmin unso or sadmin check -r command for the files.

List interpreter

List the interpreters and scripts for which execution is tracked.

Task

• Run this command at the command prompt.

sadmin scripts list

Sample output appears like this:

.jar "java"

.class "java"


Verify that only authorized applications can run

On a protected system, only authorized applications or programs are allowed to run.

Task

1 Run an authorized application.

All applications that were installed before enabling Embedded Control are added to the whitelist and hence authorized. Use the sadmin ls command to list all whitelisted applications, then run one of them.

2 Verify that the authorized application is allowed to run.

3 Run an unauthorized application.

For example, copy an application from an external storage device, such as a USB drive, to the system and try to run the application.

4 Verify that the unauthorized application is not allowed to run.

5 Review the solidcore.log file placed in the /usr/local/mcafee/solidcore/log directory.

This entry is added to the log file:

McAfee Solidifier prevented unauthorized execution of <filename> by process <processname> (Process Id:<PID>, User:<user_name>)

Verify that Embedded Control tamper-proofs applications

When Embedded Control is enabled, all files in the whitelist are protected from unauthorized modification and deletion attempts.

Task

1 Try to move or rename a binary file or application.

For example, run the following command to rename /bin/rm.coreutils.

# mv /bin/rm.coreutils /bin/myrm

2 Verify that the modification attempt fails.

3 Review the solidcore.log file placed in the /usr/local/mcafee/solidcore/log directory.

This entry is added to the log file:

McAfee Solidifier prevented an attempt to modify file <filename> by process <processname> (Process Id:<PID>, User:<user_name>)
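The two log entries quoted in the verification tasks above can be pulled out of solidcore.log and counted with a short script. This is an added example, not part of the McAfee guide: the function names, the timestamp prefix, and the sample log lines are constructed for illustration; only the two message formats come from this guide.

```shell
#!/bin/sh
# Added example: list and count the denials Embedded Control wrote to
# solidcore.log. The two message formats are the ones quoted in this guide;
# any text before "McAfee Solidifier" (such as a timestamp) is an assumption
# and is ignored.

tab=$(printf '\t')
tail_re='(.+) by process (.+) \(Process Id: ?([0-9]+), User: ?([^)]*)\)'

# solidcore_denials LOGFILE
# One tab-separated record per denial: TYPE FILE PROCESS PID USER
# TYPE is EXEC (blocked execution) or MODIFY (blocked change to a whitelisted file).
solidcore_denials() {
    sed -n -E \
        -e "s/^.*McAfee Solidifier prevented unauthorized execution of ${tail_re}.*/EXEC${tab}\1${tab}\2${tab}\3${tab}\4/p" \
        -e "s/^.*McAfee Solidifier prevented an attempt to modify file ${tail_re}.*/MODIFY${tab}\1${tab}\2${tab}\3${tab}\4/p" \
        "$1"
}

# denial_count LOGFILE TYPE
# Number of denials of the given TYPE (EXEC or MODIFY).
denial_count() {
    solidcore_denials "$1" |
        awk -F '\t' -v t="$2" '$1 == t { n++ } END { print n + 0 }'
}

# denial_summary LOGFILE
# Tab-separated "COUNT TYPE FILE USER", most frequent first, so repeated
# attempts against the same file by the same user stand out.
denial_summary() {
    solidcore_denials "$1" |
        awk -F '\t' '{ k = $1 "\t" $2 "\t" $5; c[k]++ }
                     END { for (k in c) printf "%d\t%s\n", c[k], k }' |
        LC_ALL=C sort -t "$tab" -k1,1nr -k2
}

# write_sample_log PATH
# Writes a constructed sample log (not real product output) for offline runs.
write_sample_log() {
    cat > "$1" <<'EOF'
2014-06-02 10:15:01 McAfee Solidifier prevented unauthorized execution of /media/usb0/diag_tool by process /bin/bash (Process Id:2311, User:root)
2014-06-02 10:15:09 McAfee Solidifier prevented unauthorized execution of /media/usb0/diag_tool by process /bin/bash (Process Id:2311, User:root)
2014-06-02 10:17:44 McAfee Solidifier prevented an attempt to modify file /bin/rm.coreutils by process mv (Process Id:2350, User:root)
2014-06-02 10:20:03 McAfee Solidifier prevented unauthorized execution of /tmp/update.sh by process /bin/sh (Process Id:2402, User:operator)
2014-06-02 10:21:30 unrelated line that must be skipped
EOF
}

# With a path argument, summarise that log; otherwise run on the sample.
if [ -n "${1:-}" ]; then
    denial_summary "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    denial_summary "$sample"
    rm -f "$sample"
fi
```

On a target, pass the path of the solidcore.log file in the /usr/local/mcafee/solidcore/log directory as the first argument.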

Perform emergency changes

Place Embedded Control in Update mode to make emergency changes that override the protection.

Update mode opens a change window that allows you to make the needed changes. For more information about Update mode, see McAfee Application Control 6.1.0 Product Guide.


Task

1 Open a change window.

# sadmin bu

This command places the product in Update mode.

2 Make the required changes to the system.

3 Close the change window.

# sadmin eu

This command ends the Update mode.


A Create McAfee ePO-deployable package

Embedded Control integrates with Wind River Linux 5.0 by using the McAfee layer (wr-mcafee). To use Embedded Control on a target configuration, the corresponding Wind River project must be configured with the McAfee layer.

After configuring with the McAfee layer, you can install Embedded Control on target boards using one of these methods:

• Install Embedded Control using the board image (as an integral part of the complete board image).

• Install Embedded Control separately as an individual RPM package.

• Install Embedded Control by using a McAfee ePO-deployable package.

Here are instructions on how to create a McAfee ePO-deployable package for Embedded Control.

Prerequisites

Set up a Windows system (supported by McAfee ePO) with these components:

Component
    Description

eposign.exe file
    File is required for Pkgcatalog.xml encryption.

McAfee ePO signing server accessibility
    McAfee ePO signing server that is used to sign the encrypted package Pkgcatalog.z.

IN and OUT folders mapped to corresponding folders hosted by the McAfee ePO signing server
    Required for transferring data to and from the McAfee ePO signing server. The following syntax is used to map the drives.

    net use P: \\<IP address of signing server>\Epo2048SignIn /user:<user id> "<password>"
    net use Q: \\<IP address of signing server>\Epo2048SignOut /user:<user id> "<password>"

    Contact the ECM team for the IP address and credentials to access the McAfee ePO signing server.

zip.exe utility
    Required to create the final zip.


Steps

1 After the Wind River project (configured with wr-mcafee layer) build completes, browse to the <WR_Project-Dir>/bitbake_build/tmp/work/common_pc-wrs-linux/solidcores3-6.5.1_<build-number>-r0 folder.

2 Type the following command to sign the RPM file.

<ProjDir>/bitbake_build/tmp/sysroots/x86_64-linux/opt/sst/SSTsign-rpm --mode=rpm --priv-key=`readlink -f layers/wr-idp/wr-srm/files/keys/vendor-private.pem` --verbose=yes <ProjDir>/bitbake_build/tmp/work/common_pc-wrs-linux/solidcores3-6.5.1_<build>-r0/deploy-rpms/common_pc/solidcores3-6.5.1_<build-number>-r0.common_pc.rpm

3 Make sure the solidcores3_ePO_package.tgz file is present. This file contains:

• solidcores3 rpm file (created as a resultant product of Wind River project build).

• mapkg_det.mcs, Pkgcatalog.xml, and mapkg_install.sh (supporting files).

4 Log on to a Windows system that meets the specified prerequisites.

5 Copy the solidcores3 rpm, mapkg_det.mcs, Pkgcatalog.xml, and mapkg_install.sh files to a folder on the system.

Only these files should exist in the folder. Presence of any additional files might cause McAfee ePO deployment to fail at a later stage.

6 Use the eposign.exe file to encrypt the Pkgcatalog.xml file.

<path>\eposign.exe PkgCatalog.xml .mcs /a

The Pkgcatalog.z encrypted file is created.

7 Copy the PkgCatalog.z encrypted file to the mapped IN folder. The signing server automatically picks up and signs this file, then places the signed Pkgcatalog.z file in the OUT folder.

8 Copy the signed Pkgcatalog.z file to the folder containing the solidcores3 rpm, mapkg_det.mcs, and mapkg_install.sh files (as in step 2).

9 Move the Pkgcatalog.xml file from the folder to a different folder.

10 Use the zip.exe utility to create a zip file containing the Pkgcatalog.z, solidcores3 rpm, mapkg_det.mcs, and mapkg_install.sh files.

McAfee ePO-deployable zip is ready to use. If needed, you can write wrapper scripts to automate these steps.
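A wrapper script can enforce the "only these files" rule from step 5 and confirm that Pkgcatalog.xml was moved out before step 10. The check below is an added example, not part of the McAfee guide: the function name check_epo_folder, the stage names presign and final, and the rpm file name with a BUILD placeholder are hypothetical, and it assumes a POSIX shell is available where the folder is staged. File names are compared case-insensitively because the guide spells the catalog both Pkgcatalog and PkgCatalog.

```shell
#!/bin/sh
# Added example: validate the ePO packaging folder before signing or zipping.

# check_epo_folder DIR STAGE
#   STAGE=presign : folder as described in step 5 (catalog is Pkgcatalog.xml)
#   STAGE=final   : folder as zipped in step 10 (signed Pkgcatalog.z, no .xml)
# Prints one line per problem; returns 0 only if the folder holds exactly
# one solidcores3 rpm, mapkg_det.mcs, mapkg_install.sh and the catalog file.
check_epo_folder() {
    dir=$1 stage=$2 problems=0 rpms=0
    case $stage in
        presign) catalog=pkgcatalog.xml ;;
        final)   catalog=pkgcatalog.z ;;
        *) echo "unknown stage: $stage"; return 2 ;;
    esac
    seen=" "
    # Visit regular and hidden entries; unmatched globs are skipped.
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue
        name=$(basename "$path" | tr '[:upper:]' '[:lower:]')
        case $name in
            solidcores3*.rpm) rpms=$((rpms + 1)) ;;
            mapkg_det.mcs|mapkg_install.sh|"$catalog") seen="$seen$name " ;;
            *) echo "unexpected file: $(basename "$path")"
               problems=$((problems + 1)) ;;
        esac
    done
    for need in mapkg_det.mcs mapkg_install.sh "$catalog"; do
        case $seen in
            *" $need "*) ;;
            *) echo "missing file: $need"; problems=$((problems + 1)) ;;
        esac
    done
    if [ "$rpms" -ne 1 ]; then
        echo "expected exactly one solidcores3 rpm, found $rpms"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo on a constructed folder (empty placeholder files, BUILD is a placeholder).
demo=$(mktemp -d)
touch "$demo/solidcores3-6.5.1_BUILD-r0.common_pc.rpm" "$demo/mapkg_det.mcs" \
      "$demo/mapkg_install.sh" "$demo/PkgCatalog.xml"
check_epo_folder "$demo" presign && echo "presign folder OK"
check_epo_folder "$demo" final || echo "not ready to zip yet"
rm -rf "$demo"
```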
