chapter 14.26 - 16 test review
What is ABM?
ABM provides automated support for INFOCON baseline assessments by monitoring for changes to the existing baseline.
What is a repository pull?
Retrieves packages from the source site, and then places them in the master repository.
Boundary Protection Number 2 - Systems Management Isolation
systems contained on the management VLAN contain root credentials for all native and hosted resources; therefore, additional security controls are applied
Where is DHCP installed?
the IAEXET and WEB VMs on the UNCLAS and Secret enclaves.
What is FOUO NetIQ system software used for?
to aggregate audit info collected from all CANES networked components and provide detailed info
What are GPOs used for?
to ensure specific policy settings, user rights, and computer behavior apply to all client computers and users
What is an enforcer?
used by Symantec Network Access Control to allow or deny access to the enterprise network
What is threat management gateway policy used for?
utilized to review web traffic by inspecting at the network, application, and content layers
debug_Syncit log
very helpful for troubleshooting Retina Update issues. The events recorded in it can often provide a clue as to what issue is preventing updates from happening
What are the install types?
Complete reinstallation from install CDs, Reinstallation while preserving the virtual machine environment, Restoring individual VMs, Installing new VMs, Reinstallation using administrator-exported .ovf files
What is the activity tab used for?
shows changes to monitored activities grouped by activity description and the number of activities
What is the scan error tab used for?
shows errors encountered by the software when monitoring systems.
What is a snapshot?
stores the state and data of your system at the time of the snapshot.
What is run query?
Runs a selected query and allows you to chain sub actions related to the query results.
What can commands be rated as during INSURV?
SAT, DEG, UNSAT, NA, or RBO.
What are the two MSSQL VM services?
SQL Server and SQL Server Agent
NT Domain/ Active Directory Synchronization
Synchronizes select Windows NT domains and Active Directory containers that are mapped to System Tree groups
What is repository replication?
Updates distributed repositories from the master repository.
What are the specific compliance checks that NCDOC Rollup runs?
McAfee Agent services, Virus scan, Anti-Spyware, HIP, PA, Assets, DAT files
What does FIM allow you to do?
1) Define which files should be tracked. You can use wildcard characters in file and path names. 2) Define which files should not be tracked. 3) Specify the frequency for detecting file changes. 4) See and receive notification about changes to the file or file attributes.
What are the stages of CRI?
1. admin review (1-2 days) 2. Unit Level Technical Assistance Visit (TAV) (3-5 days) 3. CSI (5 days)
When a query runs, it generates data regarding the compliance of systems for how long?
5 days
What are the components of HBSS IPS?
CANES firewalls, Boundary Protection Number 3 - host-based intrusion detection system, and HBSS IPS
What does the admin review step of CRI consist of?
Generally, this inspection takes 1-2 days. This is an internal review of IA and cyber security administration, leadership engagement, and personnel training and qualifications.
What is event migration?
If you upgrade from a previous ePO Orchestrator installation, use this task to migrate events from the old database to the new database, so that you can run queries against your historical data.
What is Roll Up Data: Compliance History?
Imports summary compliance data from other registered ePO servers.
What is Roll Up Data: Managed Systems?
Imports summary data from other registered ePO servers.
What do less frequently performed tasks under operation include?
Less frequently performed tasks include limiting internal network users' access to the Internet (setting River City), creating or editing user-defined protocol definitions (as defined per Fleet Advisory Message (FAM)), or performing disaster recovery to restore TMG to an operational state following a failure.
What is the boot order?
MSSQL, SCCVI or ACAS scanner, HBSS
Where is the NCDOC rollup query found?
Menu - queries - Shared Groups - NCDOC Rollup
What is the purpose of WSUS?
A Windows service that helps distribute Microsoft updates to clients on the network. It downloads updates from a central Microsoft Update server and installs them on client computers on the network, so that each computer does not need Internet access to download updates from the Microsoft website itself.
UAC?
a feature that was integrated into Windows operating systems initially in Windows Vista.
What is the TMG server deployed as?
a member server of the COMPOSE domain
What is the McAfee Agent GUI?
a more detailed version of the log available
What are the PA navigation categories?
audits, waivers, benchmarks, and checks
What are the two types of scans?
baseline and activity
How does COMPOSE manage security?
by providing automated security hardening by employing baseline security templates that accommodate all enclaves.
What is Client Module Configuration configured by?
configured in accordance with OPORD 12-1016
What does COMPOSE security involve?
configuring group policies, setting file/registry permissions, setting auditing, and drawing upon the guidelines listed in the security documents and requirements.
MSSQL VM Logs
contains database logs that are required to be reviewed in accordance with PMS checks.
EpoApSvr.log
details all actions of the ePO Application Server. The application server is responsible for repository updates, as well as the installation of McAfee agents.
Server.log
details all actions of the ePO server itself
What are the server task actions?
event migration, inactive agent cleanup, NT Domain/Active Directory synchronization, purge audit log, purge event logs, purge notification log, purge server task logs, repository replication, roll up data: managed systems, roll up data: compliance history, run query, run tag criteria, duplicate agent GUID
What are the two required backups?
full USB backups and manual backups
HIPS log
generated on each managed asset and accessible via the Client UI Activity Log. All information in these logs is then reported to ePO during every ASCI.
What is a red script?
a red script in place of the DoD banner on the ePO login screen is the first indication of an issue with the MSSQL VM
What is inactive agent cleanup?
The Inactive Agent Cleanup task is set for systems older than 14 days and moves them to the inactive group.
Where is Symantec installed?
only on EX0001
What does the Tumbleweed Validation Authority suite provide?
real-time digital certificate status checking using a digital certificate status responder.
What does Cisco Firewall/IDS/IPS provide?
provides boundary protection consisting of a firewall, NIPS, and Virtual Local Area Networks (VLANs).
RSDSensor_out.log
provides detailed information of all actions performed by Rogue System Sensors
eventparser.log
provides detailed information regarding the event parser server for ePO. Use this log to review event processing if receiving errors with the ePO server itself.
What are the logging requirements?
set by DoD and Navy instructions and policies; therefore, logging on CANES devices must meet the same standards.
What is the trusted activity tab used for?
shows activities that are trusted. Trusted activities do not trigger an event when the activity scan discovers changes to a system's monitored activities.
What are the audit components?
• A benchmark or selected profile within a benchmark • A system or group of systems • An audit frequency or how often data should be gathered • An optional waiver to temporarily exclude systems or audit results
What are the four types of enforcers?
• Gateway Enforcer • LAN Enforcer • DHCP Enforcer • Integrated Enforcer