Home
McAfee Embedded Control 6.5.0 User Guide For use with
Contents
1. 2 In the Support Content pane e Click Product Documentation to find user documentation e Click Technical Articles to find KnowledgeBase articles 3 Select Do not clear my filters 4 Enter a product select a version then click Search to display a list of documents 6 McAfee Embedded Control 6 5 0 User Guide Introduction McAfee Embedded Control is a single solution that provides system integrity and change control for embedded devices This software offers an effective way to block unauthorized applications from running on your embedded systems Contents What is Embedded Control When to use Embedded Control gt Product features McAfee Embedded Control 6 5 0 User Guide 1 Introduction What is Embedded Control What is Embedded Control Embedded Control is a combination of McAfee Application Control and McAfee Change Control products When you deploy Embedded Control the integrated features of both products are available for use Here is a high level overview of the features provided by these products Application Control Change Control Provides dynamic Monitors and whitelisting prevents changes to Secures against zero the file system day attacks Write protects files Prevents unauthorized Em b e d d e d from unauthorized updates tampering Prevents execution of Control Read protects critical unauthorized software l files and scripts Tracks changes to Protects fixed function files in re
2. D directories installDir 11 13 layers 11 12 projDir 13 wr mcafee 12 documentation audience for this guide 5 product specific finding 6 typographical conventions and icons 5 Wind River Linux 8 11 13 Embedded Control activate 15 features 9 install 11 license 15 supported architecture 11 using 17 emergency changes 18 execution control 9 McAfee Embedded Control 6 5 0 G getting started 15 I installation Embedded Control 11 Wind River Linux 11 M McAfee layer 12 McAfee ServicePortal accessing 6 modes Enabled 15 Update 18 Oo operational costs 9 Q Quark based boards configure using Workbench 13 S ServicePortal finding product documentation 6 T technical support finding product information 6 V verification activation 15 installation 11 license 11 protection 17 tamper proofing 17 WwW whitelist about 9 create 15 User Guide 19 Index Wind River Linux 8 Z install 11 zero day protection 8 layer framework 12 license 11 WIND_LINUX_CONFIGURE variable 13 20 McAfee Embedded Control 6 5 0 User Guide 00 intel Security Y a
3. FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT DO NOT INSTALL THE SOFTWARE IF APPLICABLE YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND 2 McAfee Embedded Control 6 5 0 User Guide Contents Preface About this guide Audience Conventions Find product documentation Introduction What is Embedded Control When to use Embedded Control Product features Installing and configuring the software Validate the software installation McAfee layer Configure the project os ee Se Using the command line interface Using the Workbench Getting started Enable the product Configure checksum calculatio Eur a Verify that only authorized applications can run Verify that Embedded Control tamper proofs applications Perform emergency changes Index McAfee Embedded Control 6 5 0 nuuun UW Ooo N 15 15 16 17 17 18 19 User Guide Contents McAfee Embedded Control 6 5 0 User Guide Preface This guide provides the information you need to work with your McAfee product Contents About this guide gt Find product documentation About this guide This information describes the guide s target audience the typographical conventions and icons used in this guide and how the guide is organized Audience McAfee documentation is carefully researched and written for the target audien
4. e Click OK to open the Configure Options dialog box 7 Click Reload in the Layers pane 8 Specify these options in the General settings pane e Board Select a board For example intel quark e RootFS Select glibc idp as the target root file system e Kernel Select standard 9 Make sure that the final configuration command is similar to SWIND LINUX CONFIGURE enable board intel quark enable kernel standard enabl e rootfs glibc idp enable addons wr idp enable parallel pkgbuilds 4 enable jo bs 4 10 Click Finish to create the project 11 Build the target file system and wait until the process is complete For detailed instructions see Wind River Linux Getting Started Guide 5 Wind River Linux User s Guide 5 and Wind River Workbench By Example Linux 5 Version 3 3 12 Create the image and deploy the Embedded Control enabled platform on a target McAfee Embedded Control 6 5 0 User Guide Getting started After you deploy Embedded Control enable the product to protect your device A few common use cases are detailed here For detailed information about all product features see McAfee Application Control 6 1 0 Product Guide and McAfee Change Control 6 1 0 Product Guide Contents Enable the product gt Configure checksum calculation Verify that only authorized applications can run gt Verify that Embedded Control tamper proofs applications gt Perform emergency changes Enable th
5. template file Configure the project Configure your Wind River Linux project to add Embedded Control security features to the project You can add Embedded Control functionality to the platform project using Wind River Workbench or command line options on the Wind River Linux development host Tasks e Using the command line interface on page 13 Add the McAfee layer to configure your project using the command line interface CLI e Using the Workbench on page 13 Add the McAfee layer to configure your project using the Workbench 12 McAfee Embedded Control 6 5 0 User Guide Installing and configuring the software 2 Configure the project Using the command line interface Add the McAfee layer to configure your project using the command line interface CLI Task 1 6 Navigate to your project directory These examples use lt projDir gt to represent the project directory For example cd lt installDir gt workspace lt projDir gt Set the Wind River Linux environment variables on your development host This command creates the WIND_LINUX_CONFIGURE environment variable that appears in the examples lt installDir gt wrenv sh p wrlinux 5 Configure the platform project to add Embedded Control features For example e Quark SWIND LINUX CONFIGURE enable board intel quark enable kernel standard enabl e rootfs glibc idp enable addons wr idp e Baytrail SWIND LINUX CONFIGURE ena
6. al time systems Records who made Provides a trust model changes to which files to authorize changes For detailed information about these products see McAfee Application Control 6 1 0 Product Guide and McAfee Change Control 6 1 0 Product Guide When to use Embedded Control With the adoption of commercial operating systems in embedded devices there are increased security risks Embedded Control offers a one stop security solution that enables manufacturers to use a commercial operating system without incurring risks or losing control over the systems This product helps you convert a system built on a commercial operating system into a black box so it works like a proprietary operating system When you use Embedded Control on devices it e Provides zero day protection e Provides real time visibility e Minimizes security risks e Offers a deploy and forget solution e Controls what runs on your devices e Helps you to reduce support costs This release of Embedded Control is designed to work with Wind River Linux version 5 0 1 Wind River Linux is the market leading commercial grade Linux solution for embedded device development For more information about using Wind River Linux visit the Wind River Support page or see Wind River Linux documentation 8 McAfee Embedded Control 6 5 0 User Guide Introduction 1 Product features Product features Here is a description of Embedded Control features Execution control Maintain
7. ble rootfs glibc idp enable kernel standard enabl e board intel atom baytrail enable addons wr idp In the command the wr mcafee layer is included by default To exclude the layer add the without layer wr mcafee option Verify that no errors are generated and the directory structure is created in the project directory Build the target file system and wait until the process is complete make fs Create the image and deploy the Embedded Control enabled platform on a target For more information see the Wind River Linux Getting Started Guide 5 Wind River Linux User s Guide 5 and Wind River Workbench By Example Linux 5 Version 3 3 Using the Workbench Add the McAfee layer to configure your project using the Workbench Task 1 2 Launch Wind River Workbench and select File New Wind River Workbench Project Select Wind River Linux Platform Base 5 0 1 and click Next Select Build Type as Platform and click Next Type a name for the project and click Next to open the Configure Options screen Click Advanced gt gt McAfee Embedded Control 6 5 0 User Guide 13 14 Installing and configuring the software Configure the project 6 Add the enable addons option a Navigate to the Option and Value table b Click Add to open the Configure Options dialog box c Select the enable addons option The selected option is displayed in the Option field d Set the option value to enable addons wr idp
8. ce The information in this guide is intended primarily for e Administrators People who implement and enforce the company s security program e Users People who use the computer where the software is running and can access some or all of its features e Partners Resellers who contract with McAfee to sell McAfee products Conventions This guide uses these typographical conventions and icons Book title term Title of a book chapter or topic a new term emphasis emphasis Bold Text that is strongly emphasized User input code Commands and other text that the user types a code sample a displayed message message Interface text Words from the product interface like options menus buttons and dialog boxes Hypertext blue A link to a topic or to an external website McAfee Embedded Control 6 5 0 User Guide 5 Preface Find product documentation Note Additional information like an alternate method of accessing an option Tip Suggestions and recommendations Important Caution Valuable advice to protect your computer system software installation network business or data gt On Warning Critical advice to prevent bodily harm when using a hardware product Find product documentation After a product is released information about the product is entered into the McAfee online Knowledge Center Task 1 Go to the Knowledge Center tab of the McAfee ServicePortal at http support mcafee com
9. d modification and deletion attempts Task 1 Try to move or rename a binary file or application For example run the following command to rename bin rm coreutils mv bin rm coreutils bin myrm McAfee Embedded Control 6 5 0 User Guide 17 3 Getting started Perform emergency changes 2 Verify that the modification attempt fails 3 Review the solidcore 1log file placed in the usr local mcafee solidcore log directory This entry is added to the log file McAfee Solidifier prevented an attempt to modify file lt filename gt by process lt processname gt Process Id lt PID gt User lt user_name gt Perform emergency changes Place Embedded Control in Update mode to make emergency changes that override the protection Update mode opens a change window that allows you to make the needed changes For more information about Update mode see McAfee Application Control 6 1 0 Product Guide Task 1 Open a change window sadmin bu This command places the product in Update mode 2 Make the required changes to the system 3 Close the change window sadmin eu This command ends the Update mode 18 McAfee Embedded Control 6 5 0 User Guide Index A about this guide 5 Application Control 8 Baytrail based boards configure using Workbench 13 boards configure using CLI 13 C Change Control 8 change tracking 9 configuration using CLI 13 using Workbench 13 conventions and icons used in this guide 5
10. e deployed and prevents invalid changes from being deployed The software captures detailed information for every change to a protected system including who what where when and how It provides an accurate complete and definitive record of all system changes Low operational expenses and overhead Embedded Control is deployed with ease and does not have any ongoing maintenance overhead Also the software requires a minimal learning period and is functional across all applications immediately after activation Embedded Control does not depend on rules or signature databases and has a small footprint Secure Hash Algorithm 256 SHA256 support With this release we have added support for SHA256 to calculate checksum values of inventory items SHA256 offers improved security as compared to SHA1 Although we continue to support SHA1 checksum values of inventory items will be calculated using SHA256 If you use SHA256 as the hash algorithm we compute both SHA1 and SHA256 values while creating the whitelist However decision making is primarily based on SHA256 values For more information see Configure checksum calculation Startup script changes With this release the scsrvc service does not start at system restart for non configured systems If the software is not configured we no longer start the Embedded Control service Sscsrvc at system start The software is said to be not configured when Embedded Control is installed software is
11. e product Enable the product to activate the Embedded Control software Before you begin Determine the hash algorithm to use for checksum calculation in your setup Scenario Description Fresh install For a fresh installation SHA256 is used by default to calculate checksum values of inventory items Upgrade e If you upgrade in Disabled mode from the previous release to this release SHA256 is used by default to calculate checksum values of inventory items e If you upgrade in Update mode from the previous release to this release SHA1 is used by default to calculate checksum values of inventory items To change the hash algorithm used for checksum calculation see Configure checksum calculation With this release Application Control and Change Control licenses are shipped with Embedded Control so manual addition of license is not needed McAfee Embedded Control 6 5 0 User Guide 15 Getting started Configure checksum calculation Task 1 Create the initial whitelist sadmin so This command creates a whitelist of all binary and script files present on the system The whitelist controls applications and files that can run on the protected system The time taken to create the whitelist varies from a few minutes to an hour depending on the installed applications and system configuration Place the product in Enabled mode sadmin enable In Enabled mode Embedded Control protects a
12. fee layer Use the McAfee layer for Wind River Linux to add Embedded Control features The layer framework in Wind River Linux provides modular functionality allowing you to easily add or modify features You can add your updates as one or more layers on top of the base installation Each layer contributes specific content without changing the base installation The McAfee layer wr mcafee allows you to add the Embedded Control functionality It is added to the standard Wind River Linux IDP installation in the lt installDir gt wrlinux addons wr idp layers directory After you configure the project based on instructions in the Configure the project topic the lt projDir gt layers wr idp wr mcafee directory includes these files Directory Contents Description conf layer conf Layer configuration file recipes e linux linux windriver 3 4 bbappend Configuration files e linux mcafee mcafee cfg e linux mcafee mcafee scc solidcores3 files solidcore conf solidcores3 solidcores3 lt version gt bb BitBake recipe file downloads solidcores3 lt version gt intel atom baytrail User binary TAR file for tgz Baytrail based boards solidcores3 lt version gt intel quark tgz User binary TAR file for Quark based boards solidcores3 ksre lt version gt tgz Kernel source files common licenses McAfee McAfee end user license agreement templates default README Read me file default image inc Feature
13. hm lt sha value gt lt sha value gt represents the hash function to use for checksum calculation and can be SHA1 or SHA256 If you are switching from SHA1 to SHA256 the command might take a few minutes to compute new checksum values c Enable the software sadmin enable d Restart the McAfee Solidifier service service scsrvc restart Verify that only authorized applications can run On a protected system only authorized applications or programs are allowed to run Task 1 Run an authorized application All applications that were installed before enabling Embedded Control are added to the whitelist and hence authorized Use the sadmin 1s command to list all whitelisted applications then run one of them Verify that the authorized application is allowed to run Run an unauthorized application For example copy an application from an external storage device such as a USB drive to the system and try to run the application Verify that the unauthorized application is not allowed to run Review the solidcore log file placed in the usr local mcafee solidcore log directory This entry is added to the log file McAfee Solidifier prevented unauthorized execution of lt filename gt by process lt processname gt Process Id lt PID gt User lt user_name gt Verify that Embedded Control tamper proofs applications When Embedded Control is enabled all files in the whitelist are protected from unauthorize
14. in disabled mode and system volume is not solidified McAfee Embedded Control 6 5 0 User Guide 9 10 Introduction Product features McAfee Embedded Control 6 5 0 User Guide Installing and configuring the software Install and configure the software for the Wind River Linux target platforms This version of Embedded Control supports only 32 bit architecture Contents gt Validate the software installation McAfee layer gt Configure the project Validate the software installation Verify that Wind River Linux software and required licenses are installed on the system Task 1 Make sure that Wind River Linux 5 0 1 is installed on the development host a Navigate to lt installDir gt b Confirm that lt installDir gt wrlinux 5 and lt installDir gt wrlinux addons are present c Open the lt installDir gt setup log file and make sure that the Wind River Linux CDRs listed show 5 0 1 x 2 Make sure that the Embedded Control software package is installed with your standard Wind River Linux installation a Navigate to the lt installDir gt wrlinux addons wr idp layers directory b Verify that the wr mcafee directory exists 3 Validate that your license allows you to use Embedded Control For more information see the Wind River Workbench User s Guide and Wind River Linux 5 Getting Started Guide McAfee Embedded Control 6 5 0 User Guide 11 2 Installing and configuring the software McAfee layer McA
15. intel Security Y User Guide McAfee Embedded Control 6 5 0 For use with Wind River Linux 5 0 1 COPYRIGHT Copyright 2014 McAfee Inc 2821 Mission College Boulevard Santa Clara CA 95054 1 888 847 8766 www intelsecurity com TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and or other countries McAfee and the McAfee logo McAfee Active Protection McAfee DeepSAFE ePolicy Orchestrator McAfee ePO McAfee EMM McAfee Evader Foundscore Foundstone Global Threat Intelligence McAfee LiveSafe Policy Lab McAfee QuickClean Safe Eyes McAfee SECURE McAfee Shredder SiteAdvisor McAfee Stinger McAfee TechMaster McAfee Total Protection TrustedSource VirusScan are registered trademarks or trademarks of McAfee Inc or its subsidiaries in the US and other countries Other marks and brands may be claimed as the property of others LICENSE INFORMATION License Agreement NOTICE TO ALL USERS CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE AS A BOOKLET A FILE ON THE PRODUCT CD OR A FILE AVAILABLE ON THE WEBSITE
16. ll files in the whitelist from unauthorized modification and deletion attempts Also Embedded Control prevents unauthorized applications or programs from running on the system Restart the McAfee Solidifier service service scsrvc restart Verify that the product is in Enabled mode sadmin status McAfee Solidifier status is set to Enabled and the volume status is set to Solidified for all volumes Configure checksum calculation Specify whether to use SHA1 or SHA256 to calculate checksum values of inventory items 16 Task 1 Determine the hash algorithm in use Scenario Description Fresh install For a fresh installation SHA256 is used by default to calculate checksum values of inventory items Upgrade e If you upgrade in Disabled mode from the previous release to this release SHA256 is used by default to calculate checksum values of inventory items e If you upgrade in Update mode from the previous release to this release SHA1 is used by default to calculate checksum values of inventory items 2 Change the hash algorithm used to calculate checksum a Make sure the software is in Disabled mode sadmin status If the software is not in Disabled mode type the sadmin disable command and reboot the system McAfee Embedded Control 6 5 0 User Guide Getting started 3 Verify that only authorized applications can run b Configure checksum calculation sadmin config set HashAlgorit
17. system integrity by controlling what runs on your embedded devices Embedded Control allows only authorized software to run and permits validated changes to the systems It automatically creates a dynamic whitelist of the authorized programs and applications After the whitelist is created and enabled only programs contained in the whitelist can execute Other programs scripts and binaries Executable and Linkable Format that are not contained in the whitelist are considered unauthorized and prevented from executing This prevents worms viruses spyware and other malware from executing illegitimately System integrity Based on your setup Embedded Control gives you the flexibility to configure access to the protected systems You can lock down systems to prevent even administrators from changing what is authorized to run on a system unless presented with an authentication key Change tracking and control Embedded Control detects and tracks changes in real time It allows changes to be made only to the needed target systems and through authorized means You can enforce change control processes by specifying authorized means of allowing changes You can define what can be changed such as certain files or directories and when the changes can be applied Activity record and change visibility Embedded Control records all activity for protected systems and provides visibility into the sources of change It makes sure that only valid changes ar
Download Pdf Manuals
Related Search
Related Contents
登録申請書類について 【引取業】 【フロン類回収業】 Rappresentanze Termotecniche Rubano 301V/301V-W Peerless Cat5e, RJ45/RJ45, 2m Boxxer Service Manual.qxd Descargar el manual de usuario Orthodontie - tap-schiene Uma plataforma Integrada de Computação e Copyright © All rights reserved.
Failed to retrieve file