I received the following note from a colleague today, outlining the wording changes between RHEL5 and RHEL6 regarding HBSS. I searched the mailing archives, and can't figure out *why* the language was changed.

- Anyone remember why?
- Objections to reverting to the RHEL5 language?

EMail:
from the RHEL 6 STIG:

============================
Group ID (Vulid): V-38667
Group Title: SRG-OS-000196
Rule ID: SV-50468r1_rule
Severity: CAT II
Rule Version (STIG-ID): RHEL-06-000285
Rule Title: The system must have a host-based intrusion detection tool 
installed.

Vulnerability Discussion: Adding host-based intrusion detection tools can 
provide the capability to automatically take actions in response to malicious 
behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network 
awareness of system, which may not otherwise exist in an organization's systems 
management regime.

Check Content:
Inspect the system to determine if intrusion detection software has been 
installed. Verify the intrusion detection software is active.
If no host-based intrusion detection tools are installed, this is a finding.

Fix Text: The base Red Hat platform already includes a sophisticated auditing 
system that can detect intruder activity, as well as SELinux, which provides 
host-based intrusion prevention capabilities by confining privileged programs 
and user sessions which may become compromised.

Install an additional intrusion detection tool to provide complementary or 
duplicative monitoring, reporting, and reaction capabilities to those of the 
base platform. For DoD systems, the McAfee Host-based Security System is 
provided to fulfill this role.
========================


to look more like this from the RHEL 5 STIG:

=========================
Group ID (Vulid): V-782
Group Title: GEN006480
Rule ID: SV-37746r2_rule
Severity: CAT II
Rule Version (STIG-ID): GEN006480
Rule Title: The system must have a host-based intrusion detection tool 
installed.

Vulnerability Discussion: Without a host-based intrusion detection tool, there 
is no system-level defense when an intruder gains access to a system or 
network. Additionally, a host-based intrusion detection tool can provide 
methods to immediately lock out detected intrusion attempts.

Responsibility: System Administrator
IAControls: ECID-1

Check Content:
Ask the SA or IAO if a host-based intrusion detection application is loaded on 
the system. The preferred intrusion detection system is McAfee HBSS available 
through Cybercom. If another host-based intrusion detection application, such 
as SELinux, is used on the system, this is not a finding.
=========================

People are getting confused, and SELinux and HBSS are getting installed with
SELinux being disabled to make things work.



_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
