The system must have a host-based intrusion detection tool installed.

From Red Hat Enterprise Linux 6 Security Technical Implementation Guide

Part of SRG-OS-000196

Associated with: CCI-001263

SV-50468r3_rule The system must have a host-based intrusion detection tool installed.

Vulnerability discussion

Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime.

Check content

Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080 the preferred intrusion detection system is McAfee HBSS available through Cybercom. If another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official. Procedure: Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed: # rpm -qa | grep MFEhiplsm Verify that the McAfee HIPS module is active on the system: # ps -ef | grep -i “hipclient” If the MFEhiplsm package is not installed, check for another intrusion detection system: # find / -name Where is the name of the primary application daemon to determine if the application is loaded on the system. Determine if the application is active on the system: # ps -ef | grep -i If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. If no host-based intrusion detection system is installed and running on the system, this is a finding.

Fix text

Install and enable the latest McAfee HIPS package, available from Cybercom. If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer