McAfee PASCDE-AB-IA Product Guide - Page 60
File information monitored, File baselines, Monitored and excluded files
File Integrity Monitoring and entitlement reporting
How file integrity monitoring works

• Show a side-by-side comparison of file changes and indicate which lines have been added, deleted, or modified.

File information monitored

The file integrity monitoring feature of McAfee Policy Auditor tracks a number of file attributes. A change in an attribute generates an event notifying you of the change. The monitored attributes differ between the various supported operating systems.

The software monitors these attributes on all operating systems.
• File size (in bytes)
• File created (date and time)
• Last modified (date and time)
• Read only
• Hidden
• System
• Owner
• Group

On Windows systems, the software monitors these attributes, the Archive attribute, plus permissions from the Discretionary Access Control List (DACL).

File baselines

When you create and apply a policy, the agent plug-in scans the file to create a baseline. The baseline contains information about the file attributes, and contains the file text if file versioning is enabled. If the file is changed, the software generates an event that is logged to the File Integrity Monitor page, included in reports, and can be handled by the issues and tickets feature of ePolicy Orchestrator software.

McAfee Policy Auditor software monitors the MD5 and SHA-1 hashes of a file as well as the file attributes and permissions information. These values are stored in a database that is created on each system and on the software server. Each time the file is scanned, the software compares its configuration to the baseline. When the file or an attribute changes, the agent plug-in detects the change and sends an event back to the server according to the monitoring frequency. If versioning is enabled, the text file contents are sent to the server as well.

Reset file baselines

You can create a new baseline for all monitored files on a system from the Systems tab of the File Integrity page.
You can also accept file integrity monitoring events, which creates a new baseline for the selected file and discards old baseline versions.

Monitored and excluded files

You can create a policy to monitor file changes on a regular schedule. The interface allows you to specify files to monitor and files to exclude from monitoring. It also provides the capability to monitor subfolders under each specified path and to monitor symbolic links.

60 McAfee Policy Auditor 6.0 software Product Guide for ePolicy Orchestrator 4.6
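
The baseline-and-compare cycle described under File baselines, as an added Python example. It is not McAfee Policy Auditor code; the names scan, compare and demo and the file app.conf are made up for illustration, and only a subset of the listed attributes is collected. It shows that an edit which leaves file size and last-modified time unchanged still produces events through the MD5 and SHA-1 values, and that accepting the events amounts to taking a new baseline.

```python
import hashlib
import os
import stat
import tempfile

def scan(path):
    """Collect size, last-modified, read-only, owner, group, MD5 and SHA-1."""
    st = os.stat(path)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "size": st.st_size,
        "modified": st.st_mtime_ns,
        "read_only": not (st.st_mode & stat.S_IWUSR),
        "owner": st.st_uid,
        "group": st.st_gid,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }

def compare(baseline, current):
    """Return one event per attribute whose value differs from the baseline."""
    return [
        {"attribute": key, "baseline": baseline[key], "current": current[key]}
        for key in baseline
        if baseline[key] != current[key]
    ]

def demo():
    """Constructed scenario: baseline, same-size edit, then accept the events."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "app.conf")      # constructed sample file
        with open(path, "w") as fh:
            fh.write("port=8080\n")
        baseline = scan(path)                        # first scan creates the baseline
        unchanged = compare(baseline, scan(path))    # rescan with no change
        with open(path, "w") as fh:
            fh.write("port=9090\n")                  # same length, different content
        # Put the original timestamp back so only the content differs.
        os.utime(path, ns=(baseline["modified"], baseline["modified"]))
        changed = compare(baseline, scan(path))      # events raised by the hashes
        baseline = scan(path)                        # accepting = new baseline
        accepted = compare(baseline, scan(path))
    return unchanged, changed, accepted
```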