I believe the current guidance is to have McAfee Agent installed only. At
least that is where we are at now, and just went through our IV&V. I also
have uvscan installed along with AIDE w/ daily cron jobs for both. HIPS
etc. are not "required". But again I am not an expert and do not delineate
any guidance.
I would have to find the guidance, and am on travel right now, however
when I return my ePo/HBSS "guy" can give me the reference.
Very Respectfully,
Brian Peake
On 9/24/13 4:35 PM, "Moessbauer, David" <david.moessbauer(a)progeny.net>
wrote:
I am not sure about your comment regarding "[HBSS] isn't
*mandated.*"
My experience with the fleet tells me otherwise, as both ODAA during
accreditation and deployed platforms are requiring compliance with HBSS
of our system. Additionally, I do believe I have seen a CTO distributed
by the Navy that states otherwise, though I can't seem to put my hands on
it at the moment.
Please advise if I am incorrect in this belief.
v/r
David Moessbauer
(410) 627-5633 (M)
The Information contained in or attached to this communication may be
confidential and privileged proprietary intended only for the
individual/s or entity to whom/which it is addressed. Any unauthorized
use, distribution, copying or disclosure of this information is strictly
prohibited. If you have received this communication in error please
contact the sender immediately and delete from your system.
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of
Truhn, Chad M CTR NSWCDD, CXA30
Sent: Tuesday, September 24, 2013 4:12 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: (nwl) RE: RHEL5 vs RHEL6 language on HBSS
Shawn,
Reverting back to an email you sent to gov-sec back in June (attached),
you said:
" So, even though you've configured your system with all these auditing
rules, configured AIDE for integrity checking, *and* have SELinux
enforcing, FSO wants you to layer on an *additional* level of host
intrusion detection which can provide "complementary or duplicative
monitoring, reporting, and reaction capabilities."
As stated in the STIG, DoD provides McAfee HBSS to perform this function.
But it isn't *mandated.*"
Then in ticket #262 from the SSG page:
"HIPS is a category of technology, and while McAfee is commonly used to
meet this, is not tied to a particular product/vendor. Users would be
wise to select technology which is certified to run on RHEL6 without
disabling key OS level protection mechanisms (e.g., if McAfee breaks
your system, use something else)." [1]
" MPO/FSO/RH: 3rd party products should work with the operating systems
they run on, without forcing users to disable security mechanisms. Won't
fix."
I have always been confused about this language. Do we want SELinux
enabled *AND* HIPS installed? Or should it be an *OR*? One says McAfee
HBSS/HIPS is fine, another says it isn't. I'm confused!!!
[1]
https://fedorahosted.org/scap-security-guide/ticket/262
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of
Shawn Wells
Sent: Tuesday, September 24, 2013 3:21 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: RHEL5 vs RHEL6 language on HBSS
I received the following note from a colleague today, outlining the
wording changes between RHEL5 and RHEL6 regarding HBSS. I searched the
mailing archives, and can't figure out *why* the language was changed.
- Anyone remember why?
- Objections to reverting to the RHEL5 language?
EMail:
> from the RHEL 6 STIG:
>
> ============================
> Group ID (Vulid): V-38667
> Group Title: SRG-OS-000196
> Rule ID: SV-50468r1_rule
> Severity: CAT II
> Rule Version (STIG-ID): RHEL-06-000285
> Rule Title: The system must have a host-based intrusion detection tool
> installed.
>
> Vulnerability Discussion: Adding host-based intrusion detection tools
> can provide the capability to automatically take actions in response to
> malicious behavior, which can provide additional agility in reacting to
> network threats. These tools also often include a reporting capability
> to provide network awareness of the system, which may not otherwise exist in
> an organization's systems management regime.
>
> Check Content:
> Inspect the system to determine if intrusion detection software has
> been installed. Verify the intrusion detection software is active.
> If no host-based intrusion detection tools are installed, this is a
> finding.
>
> Fix Text: The base Red Hat platform already includes a sophisticated
> auditing system that can detect intruder activity, as well as SELinux,
> which provides host-based intrusion prevention capabilities by confining
> privileged programs and user sessions which may become compromised.
>
> Install an additional intrusion detection tool to provide complementary
> or duplicative monitoring, reporting, and reaction capabilities to those
> of the base platform. For DoD systems, the McAfee Host-based Security
> System is provided to fulfill this role.
> ========================
>
>
> to look more like this from the RHEL 5 STIG:
>
> =========================
> Group ID (Vulid): V-782
> Group Title: GEN006480
> Rule ID: SV-37746r2_rule
> Severity: CAT II
> Rule Version (STIG-ID): GEN006480
> Rule Title: The system must have a host-based intrusion detection tool
> installed.
>
> Vulnerability Discussion: Without a host-based intrusion detection
> tool, there is no system-level defense when an intruder gains access to
> a system or network. Additionally, a host-based intrusion detection tool
> can provide methods to immediately lock out detected intrusion attempts.
>
> Responsibility: System Administrator
> IAControls: ECID-1
>
> Check Content:
> Ask the SA or IAO if a host-based intrusion detection application is
> loaded on the system. The preferred intrusion detection system is McAfee
> HBSS available through Cybercom. If another host-based intrusion
> detection application, such as SELinux, is used on the system, this is
> not a finding.
> =========================
>
> People are getting confused and SELinux and HBSS are getting installed
> with SELinux being disabled to make things work.
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
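An added example, not from the thread above and not part of the SCAP Security Guide project: a shell script that performs the RHEL-06-000285 style check ("intrusion detection software installed and active") while also flagging the failure mode Shawn describes, a HIDS present but SELinux switched off to make it work. The verdict logic is a pure function so it can be exercised with constructed inputs; the collection part probes a live host. Assumptions not stated on the page: AIDE (with a daily cron entry) or the McAfee agent counts as the HIDS, the agent is detected by the path /opt/McAfee/cma/bin/cmdagent and the process name cma, and SELinux state comes from getenforce.

```shell
#!/bin/sh
# Added example: RHEL-06-000285 style HIDS check plus an SELinux-enforcing
# expectation. Not the SSG project's own check; paths and names are assumed.

# Pure verdict function so the policy can be tested without a live host.
#   $1 = SELinux mode as printed by getenforce (Enforcing/Permissive/Disabled)
#   $2 = space-separated list of detected HIDS tools ("" if none)
#   $3 = "yes" if the HIDS is active (service running or cron scheduled)
# Prints PASS, FINDING-NO-HIDS, FINDING-HIDS-INACTIVE or FINDING-SELINUX-<mode>
# and returns 0 only for PASS.
hids_verdict() {
    selinux_mode=$1
    hids_list=$2
    hids_active=$3

    if [ -z "$hids_list" ]; then
        echo "FINDING-NO-HIDS"; return 1
    fi
    if [ "$hids_active" != "yes" ]; then
        echo "FINDING-HIDS-INACTIVE"; return 1
    fi
    # The thread's complaint: HBSS gets installed and SELinux gets disabled.
    # A HIDS does not compensate for that, so anything but Enforcing is a finding.
    if [ "$selinux_mode" != "Enforcing" ]; then
        echo "FINDING-SELINUX-$selinux_mode"; return 1
    fi
    echo "PASS"; return 0
}

# Gather evidence from the running host. Every probe is guarded so the script
# degrades to "Unknown"/"no HIDS" rather than erroring on a non-RHEL box.
collect_and_check() {
    mode=$(getenforce 2>/dev/null || echo "Unknown")
    found=""
    active="no"

    # AIDE: installed package plus a daily cron job, as used in the thread.
    if rpm -q aide >/dev/null 2>&1 || command -v aide >/dev/null 2>&1; then
        found="$found aide"
        if ls /etc/cron.daily/*aide* >/dev/null 2>&1 \
           || crontab -l 2>/dev/null | grep -q aide; then
            active="yes"
        fi
    fi

    # McAfee agent: assumed install path and process name (not from the page).
    if [ -x /opt/McAfee/cma/bin/cmdagent ]; then
        found="$found mcafee-agent"
        if pgrep -x cma >/dev/null 2>&1; then
            active="yes"
        fi
    fi

    hids_verdict "$mode" "${found# }" "$active"
}

# Run the live check only when invoked with --run, so the functions can be
# sourced and unit-tested without touching the host.
if [ "${1:-}" = "--run" ]; then
    collect_and_check
    exit $?
fi
```

Usage: `sh hids_check.sh --run` prints the verdict and exits non-zero on any finding, which makes it usable as a quick pre-IV&V self-check. Treating a non-Enforcing SELinux as a finding even when a HIDS is installed is the design choice that matches the RHEL5 wording (SELinux is itself an accepted HIDS) while refusing the "disable SELinux to make HBSS work" outcome.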