
Policy Auditor Unix Run Level Check Problem

Hello all.

I'm trying to create a benchmark with a couple of checks. The checks will validate whether some services are disabled. For this I'm using the Unix Run Level Check template to validate that the sendmail service is disabled on the audited server. The sendmail service was disabled previously by using the chkconfig command.

The parameters follow:

runlevel: pattern matching - type = [3-5]

name: equals - type = sendmail

kill at start up: equals - type = true

Although this seems correct according to the user guide, the checks fail every time.

The system being audited is a RHCE 5.

Thanks in advance.
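The parameters in the post above (runlevel `[3-5]`, name `sendmail`, kill at start up `true`) describe state that lives in the SysV rc directories, so it can be confirmed on the audited host independently of the audit tool. This is an added example, not part of the original post and not McAfee or OVAL project code. It assumes "disabled" means a `K` link and no `S` link in every listed runlevel; the function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: verify "kill link present, no start link" for a service
# across SysV runlevel directories (the links chkconfig manages).

# link_exists RC_ROOT RUNLEVEL PREFIX SERVICE
# Returns 0 if e.g. RC_ROOT/rc3.d/K30sendmail exists (any two-digit priority).
link_exists() {
    for link in "$1/rc$2.d/$3"[0-9][0-9]"$4"; do
        # An unmatched glob stays literal and fails both tests.
        if [ -e "$link" ] || [ -L "$link" ]; then return 0; fi
    done
    return 1
}

# service_killed RC_ROOT SERVICE RUNLEVEL...
# Prints one line per runlevel; returns 0 only if every runlevel is disabled.
service_killed() {
    rc_root=$1; svc=$2; shift 2
    result=0
    for rl in "$@"; do
        if link_exists "$rc_root" "$rl" K "$svc" &&
           ! link_exists "$rc_root" "$rl" S "$svc"; then
            echo "runlevel $rl: $svc kill=true start=false"
        else
            echo "runlevel $rl: $svc NOT disabled"
            result=1
        fi
    done
    return $result
}

# make_sample_tree DIR: constructed data, sendmail off and sshd on in 3-5.
make_sample_tree() {
    for rl in 3 4 5; do
        mkdir -p "$1/rc$rl.d"
        : > "$1/rc$rl.d/K30sendmail"
        : > "$1/rc$rl.d/S55sshd"
    done
}

# Demo on the constructed tree. On a RHEL-style host the equivalent call
# would be: service_killed /etc/rc.d sendmail 3 4 5   (path is an assumption)
demo=$(mktemp -d)
make_sample_tree "$demo"
service_killed "$demo" sendmail 3 4 5
service_killed "$demo" sshd 3 4 5 || echo "sshd is still enabled"
rm -rf "$demo"
```

If this reports the service as disabled in runlevels 3 to 5 while the audit still fails, the host state is as intended and the problem lies in the check definition or the audit content.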



Re: Policy Auditor Unix Run Level Check Problem

Ok, let me rephrase the question (actually into multiple questions):

Is anyone successfully using custom unix checks with PA?

How do you specify the path argument ( /usr/bin or /usr/bin/ )?

Does the following workflow work for you?:

1. create benchmark;

2. create new rule and check (based on a unix template);

3. activate the benchmark;

4. create and run audit;

If this works (i.e. the check passes the audit) for everyone then it's really odd, because all my unix checks fail.

My lab setup is (server:W2003, ePO45+P3, PA53 / client: RHCE5, SOLARIS10).

Thanks in advance.


Message was edited by: epo909 on 1/31/11 4:28:58 AM CST

Re: Policy Auditor Unix Run Level Check Problem


I am a starter in Policy Auditor and I want to deploy a test benchmark (from scratch) that would include all the checks of one of the Windows GPOs I have here. So far, I was creating new Rules from Checks (e.g. Account Lockdown Settings, etc.). However, I reached a point where a few of the checks I want are not included in the McAfee Checklists. So, I need to create my own new Checks from scratch...

Have you found any good resource for such a thing, showing examples I could follow and adjust to what I want?

Thank you in advance!


Re: Policy Auditor Unix Run Level Check Problem

Hello Argyris.

You're luckier than me if you were able to use some of the built-in checks. We had to code all checks from scratch (near 400!) and import them into our benchmarks. The best advice I can give you is that you should learn the OVAL language, so that you can understand the check and debug any problems. Take a look into the guides from and read the schemas (focus on the ones you need):

You can also export the McAfee checks that most closely approach what you need and modify them to meet your needs, then import them back and test them. Anyways, you should know the OVAL structure, because it will help a lot.

See you around.


Re: Policy Auditor Unix Run Level Check Problem

This issue was resolved in Audit Engine Content 1060/1061. The primitives used to provide the framework for custom checks still used a handful of legacy CPE references. Checks created using the latest content update should no longer cause this issue.
