McAfee ePolicy Orchestrator: Creating an Apache HTTP Repository




White Paper

McAfee ePolicy Orchestrator: Creating an Apache HTTP Repository

By Peter Straight, Senior Security Consultant, McAfee Foundstone Solution Services

Table of Contents

Purpose and Use
Logical Diagram
Software Overview
    McAfee ePolicy Orchestrator software
    Linux
    Apache
    Samba
Software Installation
    McAfee ePO software installation
    Linux installation
    Server services installation
Software Configuration
    Enabling services
    Configuring Apache
    Configuring Samba
    Configuring SELinux
    Configure firewall
HTTP Repository
    Creating an HTTP repository in McAfee ePO software
    Verify replication
    Configure McAfee agent
Repository Verification
    McAfee agent monitor
    McAfee ePO software report for repositories
Deploy McAfee Agent to Linux Repository
    Configure SSH
    Configure sudoers
    Adding a Linux system to McAfee ePO software
    McAfee VirusScan Enterprise for Linux 1.7
Advanced Logging and Configuration
    HTTP log files
    Limiting bandwidth with mod_bw
References
    Linux
    CentOS Linux
    Apache
    Samba
    SSH
    McAfee ePO Installation Guide
    McAfee Agent Product Guide
    McAfee VirusScan Enterprise for Linux guides
    Common vi editor commands
    Basic firewall configuration
    SELinux
    mod_bw
About the Author
About McAfee Foundstone Solution Services

Purpose and Use

Some McAfee customers have large and complex networks, and securing these networks with McAfee ePolicy Orchestrator (McAfee ePO) software often involves a variety of configurations. Organizations with large Linux server farms may need to use only Linux servers in their environments. This document describes how to configure Apache and Samba running on a Linux operating system (OS) platform for the purpose of creating an Apache HTTP repository for McAfee ePolicy Orchestrator. The Apache repository will allow customers to meet the requirement to have a Linux repository. McAfee supports a variety of repository types, such as super-agent, FTP, UNC, and HTTP. The HTTP repositories are more complex to set up than the other repository types.

Logical Diagram

Figure 1. Logical diagram. Connections shown:

    Agent-to-McAfee ePO server:      TCP port 80 or 443
    McAfee ePO-to-HTTP repository:   TCP 137-139, 445
    Agent wake-up:                   TCP port 8081
    McAfee ePO console:              TCP port 8443 (https://eposerver:8443)
    Agent-to-HTTP repository:        TCP port 80

Table 1. Systems information.

    Host          System Name                   IP Address
    McAfee ePO    Eposerver.companyname.loc     192.168.1.55
    Linux         Linuxbox.companyname.loc      192.168.1.100
    Workstation   Workstation.companyname.loc   192.168.1.101

Software Overview

McAfee ePolicy Orchestrator software

McAfee ePO software is widely acknowledged as the most advanced and scalable security management technology in the industry. Unifying security management through an open platform, McAfee ePO software makes risk and compliance management simpler and more successful for all organizations. As the foundation of the McAfee Security Management platform, McAfee ePO software enables customers to connect industry-leading security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection.

Linux

Linux is a Unix-like computer operating system assembled under the free and open source software development and distribution model. The defining component of Linux is the Linux kernel, an OS kernel first released on October 5, 1991 by Linus Torvalds.

Apache

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems, including Unix and Microsoft Windows NT. The goal of this project is to provide a secure, efficient, and extensible server that provides HTTP services in sync with current HTTP standards. Apache httpd has been the most popular web server on the Internet since April 1996. The Apache HTTP server (httpd) is a project of The Apache Software Foundation.

Samba

Samba is the standard Windows interoperability suite of programs for Linux and Unix. Samba is free software licensed under the GNU General Public License; the Samba project is a member of the Software Freedom Conservancy. Since 1992, Samba has provided secure, stable, and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux, and many others. Samba is an important component to seamlessly integrate Linux/Unix servers and desktops into Microsoft Active Directory (AD) environments using the winbind daemon.

Software Installation

McAfee ePO software installation

Install the McAfee ePO software server as recommended in the installation guide.

Linux installation

For the configuration of Linux, CentOS was the distro of choice. Download and install a Linux distro of your choice. CentOS is an enterprise-class Linux distribution derived from sources freely provided to the public by a prominent North American enterprise Linux vendor. CentOS conforms to the upstream vendor's redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) CentOS is free. Downloading the Live CD is the easiest way to install CentOS. This document will not go into great detail on configuring and securing Linux or its services. For more information, visit: http://www.centos.org/modules/tinycontent/index.php?id=30.

If you are using physical hardware, create the LiveCD as a CD. If you are using a virtual infrastructure, simply map to the ISO. Once it boots, run Install to Hard Drive.

1. Click Next on the Default settings.
2. Set hostname, time zone, root password.

Server services installation

Depending on how you install the Linux OS, you have the option to install services during the initial installation or after it has completed. With the live CD, you have to install the server services after completion. In a production environment, it is recommended that you do a custom install and install only the Linux software packages that the server requires. You can install additional software packages in two ways: through the GUI or the command line. Depending on your experience, you may choose to use only the command line for the installation and configuration. You will need to be familiar with the Linux terminal command line for some of these configurations.

Installing Apache HTTP server

GUI installation:

1. Open the software manager under System > Administration > Add/Remove Software.
2. Under Web Services > Web Server, you will find Apache HTTP server. Check the box next to it and click Apply.

Command line installation:

    yum install httpd

Installing Samba

Under Servers > CIFS file server, you will find Server and Client Software Samba 3.5.x. Click the box next to it and click Apply.

Command line installation:

    yum install samba

Software Configuration

Enabling services

The chkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in run levels zero through six.

Run these commands to configure the httpd and Samba services to run after a reboot:

    chkconfig --level 2345 httpd on
    chkconfig --level 2345 smb on

Configuring Apache

Httpd configuration file

Either modify the default httpd.conf file or use the example provided. If you are using the default httpd.conf, you will notice that there are more settings than in the example. You do not have to use all the provided modules or settings; you can simply comment out all unnecessary settings by placing the pound sign (#) in front of each line, or remove the lines entirely.

Httpd.conf example

    ### Section 1: Global Environment
    ServerTokens OS
    ServerRoot "/etc/httpd"
    PidFile run/httpd.pid
    # ------------------------------------------------------------
    Timeout 60
    KeepAlive Off
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15

    <IfModule prefork.c>
        StartServers 8
        MinSpareServers 5
        MaxSpareServers 20
        ServerLimit 256
        MaxClients 256
        MaxRequestsPerChild 4000
    </IfModule>

    # StartServers: initial number of server processes to start
    <IfModule worker.c>
        StartServers 4
        MaxClients 300
        MinSpareThreads 25
        MaxSpareThreads 75
        ThreadsPerChild 25
        MaxRequestsPerChild 0
    </IfModule>

    #Listen 12.34.56.78:80
    Listen 80

    # LoadModule foo_module modules/mod_foo.so
    # ---------------------------------------------------------------
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule alias_module modules/mod_alias.so

    # Load config files from the config directory "/etc/httpd/conf.d".
    Include conf.d/*.conf

    User apache
    Group apache
    ServerAdmin root@localhost
    ServerName linuxbox.mcafee.edu:80
    UseCanonicalName Off
    DocumentRoot "/var/www/html"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    # -----------------------------------------------------------------
    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <IfModule mod_userdir.c>
        UserDir disabled
    </IfModule>

    DirectoryIndex index.html index.html.var
    AccessFileName .htaccess

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

    TypesConfig /etc/mime.types
    DefaultType text/plain
    # ---------------------------------------------------------------
    <IfModule mod_mime_magic.c>
        MIMEMagicFile /usr/share/magic.mime
        MIMEMagicFile conf/magic
    </IfModule>

    HostnameLookups Off
    ErrorLog logs/error_log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    CustomLog logs/access_log combined

    ServerSignature On

    Alias /icons/ "/var/www/icons/"
    <Directory "/var/www/icons">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8

    # Specify a default charset for all content served; this enables
    # interpretation of all content as UTF-8 by default. To use the
    # default browser choice (ISO-8859-1), or to allow the META tags
    # in HTML content to override this choice, comment out this
    # directive:
    AddDefaultCharset UTF-8

    # AddType allows you to add to or override the MIME configuration
    # file mime.types for specific file types.
    AddType application/x-tar .tgz

    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    # Despite the name similarity, the following Add* directives have
    # nothing to do with the FancyIndexing customization directives above.
    AddEncoding x-compress .z
    AddEncoding x-gzip .gz .tgz

    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    AddType application/x-compress .z
    AddType application/x-gzip .gz .tgz

    # MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    # MIME-types for McAfee repository
    AddType application/bof .bof
    AddType application/configuration .ini
    AddType application/incremental .gem
    AddType application/mcs .mcs
    AddType application/pkg .pkg

    AddHandler type-map var
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml

    # Putting this all together, we can internationalize error responses.
    Alias /error/ "/var/www/error/"
    <IfModule mod_negotiation.c>
    <IfModule mod_include.c>
        <Directory "/var/www/error">
            AllowOverride None
            Options IncludesNoExec
            AddOutputFilter Includes html
            AddHandler type-map var
            Order allow,deny
            Allow from all
            LanguagePriority en es de fr
            ForceLanguagePriority Prefer Fallback
        </Directory>
    </IfModule>
    </IfModule>

Adding McAfee MIME types

In the example provided, you will see additional MIME types. You will have to add these MIME types in order for the McAfee ePO software repository to work. If using the default httpd.conf file, add these lines under the MIME section:

    # MIME-types for McAfee repository
    AddType application/bof .bof
    AddType application/configuration .ini
    AddType application/incremental .gem
    AddType application/mcs .mcs
    AddType application/pkg .pkg

Table 2. McAfee MIME types.

    MIME Type                    Extension
    application/bof              bof
    application/configuration    ini
    application/incremental      gem
    application/mcs              mcs
    application/pkg              pkg

VirtualHost configuration file

Create a configuration file in /etc/httpd/conf.d called repo.conf, and add the following lines. Modify the lines to match your environment. (Note: The document root must be the location to which the repository files are replicated.)

Repo.conf example

    <VirtualHost *:80>
        ServerName linuxbox
        ServerAlias *.mcafee.edu
        ServerAdmin webmaster@mcafee.edu
        ErrorLog /var/log/httpd/repo.error.log
        CustomLog /var/log/httpd/repo_error.log combined
        DocumentRoot /data/mcafee/
        <Directory "/data/mcafee/">
            Options Indexes FollowSymLinks Includes ExecCGI
            AllowOverride All
            Order deny,allow
            Allow from all
        </Directory>
    </VirtualHost>

Configuring Samba

Samba configuration

Modify the existing smb.conf file, or use the example provided, and modify for the environment you're working in. The default smb.conf file will have more settings than this example. If necessary, the Linux server can be joined to a Windows domain. Additional Samba configuration options are necessary to make this work.

Smb.conf example

    #======================= Global Settings ==============================
    [global]
    #----------------------- Network Related Options ---------------------
        workgroup = mcafee
        server string = Samba Server Version %v
        netbios name = LINUXBOX
    # Configure these two settings for enhanced security; remove the ";"
    # to enable.
    ;   interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
    ;   hosts allow = 127. 192.168.12. 192.168.13.
    #--------------------------- Logging Options -------------------------
    # Log File lets you specify where to put logs and how to split them up.
    # Max Log Size lets you specify the max size log files should reach.
        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50
    #----------------------- Standalone Server Options -------------------
        security = user
        passdb backend = tdbsam
    #============================ Share Definitions =======================
    # McAfee Repo
    [Repo]
        comment = McAfee Repo
        path = /data/mcafee/repo
        writeable = yes
        printable = no
        valid users = mcafee
        create mask = 765

Create a directory to store the repository data. Run these commands to create the directory:

    mkdir /data
    cd /data
    mkdir mcafee
    # the mcafee group is created by the useradd step below
    chown root.mcafee mcafee/
    cd mcafee
    mkdir repo
    chmod 775 /data/mcafee/repo/

(Note: Verify that the repository owner is root.mcafee.)

Run the following command to start the Samba service:

    service smb start

or

    /etc/init.d/smb start

(Note: When making changes to the smb.conf file, you will have to restart the service.)

Create a new user to be used to sync the repository:

    useradd mcafee
    # set the password when prompted
    passwd mcafee

Create an SMB user:

    smbpasswd -a mcafee

Test Samba share

    smbclient //<hostname>/<sharename> -U <username>

Verify services listening

Verify that Samba and HTTP services are listening by running the netstat -vat command. Here are the results from running the netstat command:

    [root@linuxbox conf]# netstat -vat
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address     Foreign Address   State
    tcp        0      0 *:sunrpc          *:*               LISTEN
    tcp        0      0 *:ftp             *:*               LISTEN
    tcp        0      0 linuxbox:smtp     *:*               LISTEN
    tcp        0      0 *:43835           *:*               LISTEN
    tcp        0      0 *:netbios-ssn     *:*               LISTEN
    tcp        0      0 *:sunrpc          *:*               LISTEN
    tcp        0      0 *:http            *:*               LISTEN
    tcp        0      0 *:tproxy          *:*               LISTEN
    tcp        0      0 *:56986           *:*               LISTEN
    tcp        0      0 *:microsoft-ds    *:*               LISTEN

Configuring SELinux

If problems arise, SELinux is the most likely cause. The permanent and temporary commands that allow Samba and Apache to use the same folder are provided below.

Persistently allowing folders

To keep the changes to the Samba share, you will need to install policy core utilities:

    yum -y install policycoreutils-python

To make SELinux context changes that survive a file system re-label:

Run the semanage fcontext -a options file-name directory-name command, remembering to use the full path to the file or directory.

Run the restorecon -v file-name directory-name command to apply the context changes.

    semanage fcontext -a -t public_content_rw_t "/data/mcafee/repo(/.*)?"
    restorecon -R -v /data/mcafee/repo/
    setsebool -P allow_smbd_anon_write on
    setsebool -P allow_httpd_anon_write on

Temporarily allowing folders

Apache commands: The following commands may be required if problems arise:

    chcon -t httpd_config_t httpd.conf
    chcon -R -t httpd_sys_content_t /var/www/html/
    chcon -R -t httpd_sys_content_t /data/mcafee/repo

Samba commands:

    chcon -t samba_share_t /data/mcafee/repo/
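The netstat listing under "Verify services listening" can be checked mechanically. The added example below (not part of the white paper) confirms the three listeners this setup needs and lists every other listening service, so it can be reviewed against the earlier advice to install only the packages the server requires; the function names are assumptions, and the sample input is the listing shown on this page.

```sh
#!/bin/sh
# Added example (not from the white paper): check `netstat -vat` output for
# the listeners the repository needs and report every other listener.

# Service names as netstat prints them without -n (from /etc/services).
REQUIRED="http netbios-ssn microsoft-ds"

# listening_services: read netstat output on stdin and print the service
# part of each TCP socket in LISTEN state, one per line, without repeats.
listening_services() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
             n = split($4, part, ":")    # local address is host:service
             print part[n]
         }' | sort -u
}

# missing_services: print each required service that is not listening.
missing_services() {
    listeners=$(listening_services)
    for svc in $REQUIRED; do
        printf '%s\n' "$listeners" | grep -qxF -- "$svc" || echo "$svc"
    done
}

# extra_services: print listeners that the repository does not need.
extra_services() {
    listening_services | while read -r svc; do
        case " $REQUIRED " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# The listing shown on this page, used as sample input.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 linuxbox:smtp *:* LISTEN
tcp 0 0 *:43835 *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:tproxy *:* LISTEN
tcp 0 0 *:56986 *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
EOF
}

echo "missing: $(sample_netstat | missing_services | tr '\n' ' ')"
echo "review:  $(sample_netstat | extra_services | tr '\n' ' ')"
```

On a live server, pipe `netstat -vat` into the two functions instead of the sample.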

Configure firewall

Linux OSs use IPTables as their firewall. IPTables is usually turned on. The firewall will need to have ALLOW rules created for Samba, HTTP, SSH, and McAfee products. These rules can be set to only allow connection from McAfee ePO software servers and internal addresses.

Table 3. Firewall ports.

    Service                                  Ports/Protocol
    Samba                                    137/udp, 138/udp, 139/tcp, 445/tcp
    HTTP (Default)                           80/tcp
    SSH                                      22/tcp
    McAfee Agent (Default)                   8081/tcp
    McAfee VirusScan Enterprise for Linux    55443/tcp

HTTP Repository

Creating an HTTP repository in McAfee ePO software

1. Log in to the McAfee ePO software console, and create a new repository by going to Menu > Software > Distributed Repositories.

2. Click the Action button and select New Repository.

Figure 2. Repository actions.

3. Provide a name for the repository in the repository name field, and click Next.

Figure 3. Repository description.

4. Provide the URL, port of the Apache web server, and the replication UNC path of the Samba server that was created previously, and then click Next.

Figure 4. HTTP repository URL, port, and replication path.

5. Provide the credentials of the agent to repository for more secure connection and the replication credentials for server to repository (Samba share). Click Test Credentials to verify they are correct. Then click Next to continue. (Note: If the owner of repository has not been set up correctly, you may receive an invalid credential error. Using this setting requires the correct httpd.conf configuration. This setting is beyond the scope of this document.)

6. Select All or the selected packages that are required for this repository. Click Next to continue. (Note: Scroll to the bottom and uncheck replicate legacy.dats if you don't need updates to older McAfee products.)

Figure 5. HTTP repository package types.

7. Review the Summary before clicking Save.

Figure 6. HTTP repository summary.

After completing the HTTP repository task, the next steps are to run and verify that replications are working as expected. Click Action > Replicate now, and select the HTTP repository desired to replicate. Click Next for the first initial replication, select Full, click Next, and then click Start Replication. This will take you to the server task logs. (Note: All further replication can be incremental; a server task can be created to replicate at a specified time.)

Verify replication

Server task log of replication to Apache repository.

Figure 7. HTTP repository server task log details.
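Replication over the Samba share and agent downloads over HTTP both depend on the ports in Table 3 being reachable. As an added example (not part of the white paper), the script below prints iptables rules for those ports that accept traffic only from the ePO server or the internal network, as the Configure firewall section suggests; the source assigned to each port is an assumption read off the logical diagram, and 192.168.1.0/24 is an assumed internal range.

```sh
#!/bin/sh
# Added example (not from the white paper): print, without applying, iptables
# ACCEPT rules for the Table 3 ports, each limited to one source.

# Table 3 ports, one per line: protocol  port  who-connects
# "epo" = the ePO server, "lan" = internal addresses. The who-connects
# column is an assumption based on the logical diagram.
PORT_TABLE='udp 137 epo
udp 138 epo
tcp 139 epo
tcp 445 epo
tcp 80 lan
tcp 22 epo
tcp 8081 epo
tcp 55443 lan'

# is_ipv4_cidr: succeed if $1 is a.b.c.d or a.b.c.d/len with sane ranges.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
        return 1
    printf '%s\n' "$1" |
        awk -F'[./]' '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# repo_firewall_rules EPO_ADDR LAN_CIDR
# Print one iptables command per Table 3 port; nothing is executed, so the
# output can be reviewed first and the function needs no root privileges.
repo_firewall_rules() {
    epo=$1
    lan=$2
    is_ipv4_cidr "$epo" && is_ipv4_cidr "$lan" || {
        echo "usage: repo_firewall_rules EPO_ADDR LAN_CIDR" >&2
        return 2
    }
    printf '%s\n' "$PORT_TABLE" | while read -r proto port who; do
        case $who in
            epo) src=$epo ;;
            lan) src=$lan ;;
        esac
        # -I inserts at the top of INPUT, ahead of any catch-all REJECT
        # rule already in the chain.
        echo "iptables -I INPUT -p $proto -s $src --dport $port -m state --state NEW -j ACCEPT"
    done
}

# ePO server address from Table 1; the /24 is an assumed internal range.
repo_firewall_rules 192.168.1.55 192.168.1.0/24
```

After reviewing the printed rules, run them as root and persist them with `service iptables save`.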

View the UNC path to the Apache repository from a Windows system to verify replication. This can also be done on the Linux server by running this command:

    ls -al /data/mcafee/repo

Figure 8. Repository UNC path.

Configure McAfee agent

After completing the new HTTP repository, you can test that the policy is working as expected. To do this, you can create a new McAfee agent policy and disable all other repositories from the list so that only the HTTP is enabled.

Figure 9. McAfee agent policies.

Figure 10. Apache test agent policy.

Repository Verification

McAfee agent monitor

To verify that test agents are using the Apache repository, view the McAfee agent monitor. Right click the McAfee agent monitor status. The monitor will list the repository that the client is connected to. It will be the Info event: Checking update packages from repository New Repository name.

Figure 11. McAfee agent monitor.

McAfee ePO software report for repositories

Creating a McAfee ePO software query can assist in the verification process. Create a query using the query builder by selecting the following options:

1. Select Result types and then Client Events. Click Next.

2. Select Stacked Bar from the configured chart and set Stack label: Site Name, Bar. Values will be: Number of Client Events. Bar labels will be: Event Type. Then click Next.

Figure 12. Configured chart.

3. Select the desired columns. Click Next.

4. Select filter Event Generated Time = Is within the 1 Week, and Event type = Value is not blank. Click Next.

Figure 13. Filters.

5. Click Save to save for future use. Then run the query.

Figure 14. Query results.

Deploy McAfee Agent to Linux Repository

McAfee ePO software provides the capabilities to deploy McAfee agents to Linux OSs. There are a few steps to complete before adding and deploying the system from McAfee ePO software.

Configure SSH

Secure shell (SSH) is a network protocol for secure data communication, remote shell services, command execution, and other secure network services between two networked computers, which it connects via a secure channel over an insecure network. (Note: You will need this service running and configured to complete the next section.)

Sshd_config example

    Port 22
    AddressFamily any
    ListenAddress 192.168.1.100
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 1024
    SyslogFacility AUTHPRIV
    LogLevel INFO
    LoginGraceTime 2m
    PermitRootLogin yes
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    RhostsRSAAuthentication no
    IgnoreUserKnownHosts yes
    IgnoreRhosts yes
    PermitEmptyPasswords no
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UsePAM yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd yes
    TCPKeepAlive yes
    ClientAliveInterval 900
    ClientAliveCountMax 0
    UseDNS yes
    PermitTunnel no
    Subsystem sftp /usr/libexec/openssh/sftp-server

Configure sudoers

Deploying the McAfee agent from McAfee ePO software to Red Hat-based Linux systems, such as CentOS and Fedora, requires a sudo configuration change. The /etc/sudoers file requires a modification. The line with Defaults requiretty will need to be commented out with the pound symbol (#). This allows the remote McAfee agent script to log in and run a command without a tty.

Edit the /etc/sudoers file with a text editor like vi:

    #Defaults requiretty

Adding a Linux system to McAfee ePO software

Review the McAfee agent guide for the in-depth installation. Below are quick steps for installing the Linux McAfee agent:

1. Log in to McAfee ePO software, and go to Menu System Systems System Tree.
2. Click System Tree Action.
3. Click New System.
4. Select Push Agent and Place systems in the System Tree according to sorting criteria.
5. Enter the system name in the target system.
6. Select the non-windows radio button.
7. Enter credentials for agent installation.
8. Click OK.

Figure 15. Adding a system to McAfee ePO software.

Once the McAfee agent has been installed, use the quick find to search the system tree to locate the Linux server.

Figure 16. System in System Tree.

McAfee VirusScan Enterprise for Linux 1.7

Review the McAfee VirusScan Enterprise for Linux installation, configuration, and product guides for in-depth information on installing and configuring the product on Linux. Below are quick steps to install it on the repository.

(Note: You will first need to install 32-bit pam and libgcc on 64-bit systems in order to install McAfee VirusScan Enterprise for Linux.)

Run these commands to find which version of libgcc and pam to install:

    rpm -qa | grep -i libgcc
    rpm -qa | grep -i pam

Run these commands to install the 32-bit version of pam and libgcc:

    yum install pam-x.x.x-x.el6_x.x.i686
    yum install libgcc-x.x.x-x.el6.i686

1. Log in to McAfee ePO software, and go to Menu > Policy > Client Task Catalog.
2. Create a new client task under McAfee Agent > Product Deployment.
3. Provide a task name: McAfee VirusScan Enterprise for Linux.
4. Select a target platform: Linux.
5. Select the product and components: McAfee VirusScan Enterprise for Linux, and then click Save.

Figure 17. McAfee VirusScan Enterprise for Linux deployment task.

6. Select Menu > Systems > System Tree.
7. Use the quick find to locate the Linux server.

8. Select the Linux server, and click Actions > Agent > Modify Tasks on a Single System.

Figure 18. Apply McAfee VirusScan for Linux deployment task to a single system.

9. Select Action > New Client Task Assignment.
10. Select McAfee Agent > Product Deployment > McAfee VirusScan Enterprise for Linux (or the name for your deployment task), and then click Next.
11. Under Schedule Type, select Run Immediately.
12. Click Next, then click Save, and then click Close.
13. Select the Linux system, and click Wake Up Agent. Then click OK.

Advanced Logging and Configuration

HTTP log files

Apache logs

The Apache service provides access logs and the error log. Within the repo.conf file, you will notice two log configuration settings, ErrorLog and CustomLog. These settings create log files for the virtual directory site; in this case, the repo site is used by the McAfee repository. In this configuration, the files were named repo_error.log and repo.error.log. Despite its name, repo_error.log is the access log (written by CustomLog), and repo.error.log is the error log (written by ErrorLog).

Error_log information

The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs when starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.
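The access and error logs configured for the repo site can be triaged with a short script. The following Python is an added example, not part of the original guide or of any McAfee tooling; it assumes agents only issue GET or HEAD requests under /repo/ with the User-Agent "McAfee Agent", and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
# Apache "combined" access-log line, as written by "CustomLog ... combined".
ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Apache 2.2 error-log line: [time] [level] [client ip] message
ERROR_RE = re.compile(r'\[[^\]]+\] \[\w+\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)')

def triage_access(lines, expected_ua="McAfee Agent", prefix="/repo/"):
    """Return (ip, reason, path) for requests that do not look like agent pulls."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            findings.append(("?", "unparsed", line.strip()))
            continue
        ip, path = m["ip"], m["path"]
        if m["method"] not in ("GET", "HEAD"):
            findings.append((ip, "method " + m["method"], path))
        if m["ua"] != expected_ua:
            findings.append((ip, "user-agent " + m["ua"], path))
        if not path.startswith(prefix) or ".." in path:
            findings.append((ip, "outside repository", path))
        if m["status"] in ("403", "404"):
            findings.append((ip, "status " + m["status"], path))
    return findings

def triage_errors(lines):
    """Count the two failure messages the guide shows, per client address."""
    counts = Counter()
    for line in lines:
        m = ERROR_RE.match(line)
        if not m:
            continue  # e.g. startup notices, which carry no [client ...] field
        if m["msg"].startswith("File does not exist"):
            counts[(m["ip"], "missing file")] += 1
        elif "Permission denied" in m["msg"]:
            counts[(m["ip"], "permission denied")] += 1
    return counts
ACCESS_SAMPLE = [  # constructed sample lines, not real traffic
    '192.168.1.50 - - [24/Aug/2012:15:36:59 -0600] "GET /repo/sitestat.xml HTTP/1.1" 200 118 "-" "McAfee Agent"',
    '192.168.1.77 - - [24/Aug/2012:15:40:02 -0600] "GET /repo/sitestat.xml HTTP/1.1" 200 118 "-" "Wget/1.13"',
    '192.168.1.78 - - [24/Aug/2012:15:41:10 -0600] "PUT /repo/catalog.z HTTP/1.1" 403 210 "-" "McAfee Agent"']
ERROR_SAMPLE = [  # constructed sample lines, not real traffic
    '[Wed Aug 22 14:30:00 2012] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations',
    '[Wed Aug 22 14:31:13 2012] [error] [client 192.168.1.50] File does not exist: /data/mcafee/repo/sitestat.xml',
    '[Wed Aug 22 14:37:15 2012] [error] [client 192.168.1.55] (13)Permission denied: access to /repo/sitestat.xml denied']
print(triage_access(ACCESS_SAMPLE), dict(triage_errors(ERROR_SAMPLE)))
```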

Access log information

The server access log records all requests processed by the server. The location and content of the access log are controlled by the CustomLog directive. The LogFormat directive can be used to simplify the selection of the contents of the logs. This section describes how to configure the server to record information in the access log.

In the repo_error.log you will see lines like the following when working:

    92.168.1.50 - - [24/Aug/2012:15:36:59 -0600] "GET /repo/sitestat.xml HTTP/1.1" 200 118 "-" "McAfee Agent"
    192.168.1.55 - - [16/Aug/2012:18:00:20 -0400] "GET /repo/current/vscandat1000/dat/0000/V2datinstall.mcs HTTP/1.1" 200 87804 "-" "McAfee Agent"

In the repo.error.log when things are not working, the following may show up:

    [Wed Aug 22 14:31:13 2012] [error] [client 192.168.1.50] File does not exist: /data/mcafee/repo/sitestat.xml
    [Wed Aug 22 14:37:15 2012] [error] [client 192.168.1.55] (13)Permission denied: access to /repo/sitestat.xml denied

Limiting bandwidth with mod_bw

The httpd-devel package and its dependencies need to be installed to compile the mod_bw module. Installing packages requires the necessary permissions. First, use su to become root, or use the sudo command:
    su root
    yum install httpd-devel

This is a list of all the packages that httpd-devel will install:

    Installed:
      httpd-devel.x86_64 0:2.2.15-15.el6.centos.1
    Dependency installed:
      apr-devel.x86_64 0:1.3.9-5.el6_2
      apr-util-devel.x86_64 0:1.3.9-3.el6_0.1
      cyrus-sasl-devel.x86_64 0:2.1.23-13.el6
      db4-cxx.x86_64 0:4.7.25-17.el6
      db4-devel.x86_64 0:4.7.25-17.el6
      expat-devel.x86_64 0:2.0.1-11.el6_2
      openldap-devel.x86_64 0:2.4.23-26.el6_3.2

Download the bandwidth package from http://bwmod.sourceforge.net/ and copy it to /var/tmp. Extract mod_bw-0.7.tgz, then build and install the module, by running these commands:

    tar -zxf mod_bw-0.7.tgz
    cd /var/tmp/mod_bw
    apxs -i -a -c mod_bw.c
    [activating module 'bw' in /etc/httpd/conf/httpd.conf]

The BW module adds this line to the httpd.conf file under the modules section:

    LoadModule bw_module /usr/lib64/httpd/modules/mod_bw.so

Modify the repo.conf file, and add lines to the virtual host. Review the mod_bw.txt under the /var/tmp/mod_bw folder for more examples. In the repo.conf file example, the bandwidth for all systems is set to 50 kbps, .dat and .exe files are set to 20 kbps, and bandwidth from the 192.168.2.0/24 network is set to 100 kbps.

Repo.conf example

    <VirtualHost *:80>
        ServerName linuxbox
        ServerAlias *.mcafee.edu
        ServerAdmin webmaster@mcafee.edu
        # Error log for the repo site
        ErrorLog /var/log/httpd/repo.error.log
        # Access log for the repo site (combined format)
        CustomLog /var/log/httpd/repo_error.log combined
        BandWidthModule On
        ForceBandWidthModule On
        BandWidth 192.168.2.0/24 100000
        BandWidth all 50000
        LargeFileLimit .dat 1 20000
        LargeFileLimit .exe 1 20000
        DocumentRoot /data/mcafee/
        <Directory "/data/mcafee/">
            Options Indexes FollowSymLinks Includes ExecCGI
            AllowOverride All
            Order deny,allow
            Allow from all
        </Directory>
    </VirtualHost>

Other examples

Limit .dat, .exe extensions to 20 kb/s:

    <Virtualhost *>
        BandwidthModule On
        ForceBandWidthModule On
        LargeFileLimit .dat 1 20000
        LargeFileLimit .exe 1 20000
        Servername linuxbox.mcafee.edu
    </Virtualhost>

Limit every user to a maximum of 10 kb/s on a vhost:

    <Virtualhost *>
        BandwidthModule On
        ForceBandWidthModule On
        Bandwidth all 10240
        MinBandwidth all -1
        Servername linuxbox.mcafee.edu
    </Virtualhost>

Limit all internal users (LAN) to 1,000 kb/s with a minimum of 50 kb/s, and files greater than 500 kb to 50 kb/s:

    <Virtualhost *>
        BandwidthModule On
        ForceBandWidthModule On
        Bandwidth all 1024000
        MinBandwidth all 50000
        LargeFileLimit * 500 50000
        Servername linuxbox.mcafee.edu
    </Virtualhost>

Testing of mod_bw limits

EXE 20 kbs limit for .exe:

    C:\cygwin\bin>wget.exe http://linuxbox.mcafee.edu/repo/current/viruscan8800/install/0000/vcredist_x64.exe
    --2012-08-28 11:39:07-- http://linuxbox.mcafee.edu/repo/current/viruscan8800/install/0000/vcredist_x64.exe
    Resolving linuxbox.mcafee.edu (linuxbox.mcafee.edu)... 192.168.1.100
    Connecting to linuxbox.mcafee.edu (linuxbox.mcafee.edu)|192.168.1.100|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4961800 (4.7M) [application/octet-stream]
    Saving to: 'vcredist_x64.exe'
    100%[======================================>] 4,961,800 18.5K/s in 4m 9s
    2012-08-28 11:43:17 (19.5 KB/s) - 'vcredist_x64.exe' saved [4961800/4961800]

Bandwidth limit of 50 kbs for download of all files:

    C:\cygwin\bin>wget.exe http://linuxbox.mcafee.edu/repo/current/viruscan8800/install/0000/VSE880.msi
    --2012-08-28 11:46:13-- http://linuxbox.mcafee.edu/repo/current/viruscan8800/install/0000/VSE880.msi
    Resolving linuxbox.mcafee.edu (linuxbox.mcafee.edu)... 192.168.1.100
    Connecting to linuxbox.mcafee.edu (linuxbox.mcafee.edu)|192.168.1.100|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 20633088 (20M) [text/plain]
    Saving to: 'VSE880.msi'
    100%[======================================>] 20,633,088 46.3K/s in 6m 54s
    2012-08-28 11:53:08 (48.6 KB/s) - 'VSE880.msi' saved [20633088/20633088]

Troubleshooting mod_bw

After running the command apxs -i -a -c mod_bw.c, an issue may arise when starting the Apache httpd service. The module itself installs correctly, but once the mod_bw configuration options are added to the vhost configs, this error can appear: undefined symbol: apr_atomic_cas.
When that happens, open the file mod_bw.c and change the following:

Before:

    /* Compatibility for ARP < 1 */
    #if (APR_MAJOR_VERSION < 1)
    #define apr_atomic_inc32 apr_atomic_inc
    #define apr_atomic_dec32 apr_atomic_dec
    #define apr_atomic_add32 apr_atomic_add
    #define apr_atomic_cas32 apr_atomic_cas
    #define apr_atomic_set32 apr_atomic_set
    #endif

After:

    /* Compatibility for ARP < 1 */
    /*
    #if (APR_MAJOR_VERSION < 1)
    #define apr_atomic_inc32 apr_atomic_inc
    #define apr_atomic_dec32 apr_atomic_dec
    #define apr_atomic_add32 apr_atomic_add
    #define apr_atomic_cas32 apr_atomic_cas
    #define apr_atomic_set32 apr_atomic_set
    #endif
    */

Then recompile with the apxs -i -a -c mod_bw.c command.

References

Linux
http://en.wikipedia.org/wiki/linux

CentOS Linux
http://www.centos.org

Apache
http://httpd.apache.org

Samba
http://www.samba.org

SSH
http://en.wikipedia.org/wiki/secure_shell

McAfee ePO Installation Guide
https://kc.mcafee.com/corporate/index?page=content&id=pd22974

McAfee Agent Product Guide
https://kc.mcafee.com/corporate/index?page=content&id=pd23185

McAfee VirusScan Enterprise for Linux guides
https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/23000/pd23607/en_us/vsel_1_7_best_practices_guide.pdf
https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/23000/pd23470/en_us/vsel_170_installation_guide_en-us.pdf
https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/23000/pd23471/en_us/vsel_170_product_guide_help_en-us.pdf
https://kc.mcafee.com/resources/sites/mcafee/content/live/product_documentation/23000/pd23469/en_us/vsel_170_config_guide_en-us.pdf

Common vi editor commands
https://kc.mcafee.com/corporate/index?page=content&id=kb59018

Basic firewall configuration
http://www.techotopia.com/index.php/basic_rhel_6_firewall_configuration

SELinux
https://access.redhat.com/knowledge/docs/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-selinux_contexts_labeling_files-persistent_changes_semanage_fcontext.html
http://wiki.centos.org/howtos/selinux
http://selinuxproject.org/page/sambarecipes

mod_bw
http://blog.mansonthomas.com/2009/02/limit-upload-bandwith-of-your-apache.html
http://www.whoopis.com/howtos/web-bandwidth-limit.html

About the Author

Peter Straight, a senior security consultant with McAfee Solution Services, focuses on architecting, deploying, and supporting enterprise data protection strategies and technologies. He is responsible for providing various product services covering McAfee ePO software, McAfee Host DLP, McAfee Application Control, and McAfee DeepSAFE technology. Peter holds GSEC, Security+, MCP, CCA, and ITIL professional certifications.

About McAfee Foundstone Solution Services

For customers needing assistance with security implementations and planning processes, McAfee Foundstone Solution Services provides fast and effective professional services and consulting expertise. Our global team of certified professionals offers deep security experience, decades of deployment expertise, and unmatched knowledge of McAfee solutions. McAfee Foundstone Solution Services treats your business as if it were our own. Whether your enterprise has fifty or five million nodes, we can help you improve time-to-value, maximize your security investment, and reduce risk.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com

2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com

McAfee, the McAfee logo, McAfee Foundstone, ePolicy Orchestrator, McAfee ePO, McAfee VirusScan, and McAfee DeepSAFE are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2013 McAfee, Inc.

60197wp_apache-epo-http_0413_fnl_ETMG