Shawn,

Reverting back to an email you sent to gov-sec back in June (attached), you 
said:

" So, even though you've configured your system with all these auditing rules, 
configured AIDE for integrity checking, *and* have SELinux enforcing, FSO wants 
you to layer on an *additional* level of host intrusion detection which can 
provide "complementary or duplicative monitoring, reporting, and reaction 
capabilities." 

As stated in the STIG, DoD provides McAfee HBSS to perform this function. But 
it isn't *mandated.*"


Then in ticket #262 from the SSG page:

"HIPS is a category of technology, and while McAfee is commonly used to meet 
this, is not tied to a particular product/vendor. Users would be wise to select 
technology which is certified to run on RHEL6 without disabling key OS level 
protection mechanisms (e.g., if McAfee breaks your system, use something 
else)." [1]

" MPO/FSO/RH: 3rd party products should work with the operating systems they 
run on, without forcing users to disable security mechanisms. Won't fix."
I have always been confused about this language.  Do we want SELinux enabled 
*AND* HIPS installed?  Or should it be an *OR*?  One says McAfee HBSS/HIPS is 
fine, another says it isn't.  I'm confused!!!


[1] https://fedorahosted.org/scap-security-guide/ticket/262
-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Shawn 
Wells
Sent: Tuesday, September 24, 2013 3:21 PM
To: [email protected]
Subject: RHEL5 vs RHEL6 language on HBSS

I received the following note from a colleague today, outlining the wording 
changes between RHEL5 and RHEL6 regarding HBSS. I searched the mailing 
archives, and can't figure out *why* the language was changed.

- Anyone remember why?
- Objections to reverting to the RHEL5 language?

EMail:
> from the RHEL 6 STIG:
>
> ============================
> Group ID (Vulid): V-38667
> Group Title: SRG-OS-000196
> Rule ID: SV-50468r1_rule
> Severity: CAT II
> Rule Version (STIG-ID): RHEL-06-000285
> Rule Title: The system must have a host-based intrusion detection tool 
> installed.
>
> Vulnerability Discussion: Adding host-based intrusion detection tools can 
> provide the capability to automatically take actions in response to malicious 
> behavior, which can provide additional agility in reacting to network 
> threats. These tools also often include a reporting capability to provide 
> network awareness of system, which may not otherwise exist in an 
> organization's systems management regime.
>
> Check Content:
> Inspect the system to determine if intrusion detection software has been 
> installed. Verify the intrusion detection software is active.
> If no host-based intrusion detection tools are installed, this is a finding.
>
> Fix Text: The base Red Hat platform already includes a sophisticated auditing 
> system that can detect intruder activity, as well as SELinux, which provides 
> host-based intrusion prevention capabilities by confining privileged programs 
> and user sessions which may become compromised.
>
> Install an additional intrusion detection tool to provide complementary or 
> duplicative monitoring, reporting, and reaction capabilities to those of the 
> base platform. For DoD systems, the McAfee Host-based Security System is 
> provided to fulfill this role.
> ========================
>
>
> to look more like this from the RHEL 5 STIG:
>
> =========================
> Group ID (Vulid): V-782
> Group Title: GEN006480
> Rule ID: SV-37746r2_rule
> Severity: CAT II
> Rule Version (STIG-ID): GEN006480
> Rule Title: The system must have a host-based intrusion detection tool 
> installed.
>
> Vulnerability Discussion: Without a host-based intrusion detection tool, 
> there is no system-level defense when an intruder gains access to a system or 
> network. Additionally, a host-based intrusion detection tool can provide 
> methods to immediately lock out detected intrusion attempts.
>
> Responsibility: System Administrator
> IAControls: ECID-1
>
> Check Content:
> Ask the SA or IAO if a host-based intrusion detection application is loaded 
> on the system. The preferred intrusion detection system is McAfee HBSS 
> available through Cybercom. If another host-based intrusion detection 
> application, such as SELinux, is used on the system, this is not a finding.
> =========================
>
> People are getting confused, and SELinux and HBSS are getting installed with 
> SELinux being disabled to make things work.



_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
--- Begin Message ---
On 6/4/13 12:47 PM, Justin Townsend wrote:


        You should probably check with your local IA personnel too; there is 
guidance besides the STIGs on HBSS implementation that the STIG does not 
override. Unfortunately, a lot of this info is FOUO, so details on a public list 
are difficult.

+1 to double checking with IA folk. Local interpretation always overrules. 

DISA FSO is always the authoritative source for gov't perspectives, though we 
(Red Hat) were involved with the RHEL6 STIG authoring. The fundamental 
requirement all this traces back to is SRG-OS-000196 which states:



        The operating system must provide a near real-time alert when any of 
the organization-defined list of compromise or potential compromise indicators 
occurs.

And then elaborates:


        When an intrusion detection security event occurs it is imperative the 
operating system that has detected the event immediately notify the appropriate 
support personnel so they can respond accordingly.


As documented in the current RHEL6 STIG, SRG-OS-000196 is met through:
- [RHEL-06-000305] Install & Configure AIDE (provides notification upon 
integrity changes to system files)
- [RHEL-06-000145] Configure & Enable auditd (near real-time alerting of events)
- [RHEL-06-000285] Install "Intrusion Detection Software" 


When you take a look at RHEL-06-000285, the 'Check Content' and 'Fix Text' 
language is:


        Check Content:  
        Inspect the system to determine if intrusion detection software has 
been installed. Verify the intrusion detection software is active. 
        If no host-based intrusion detection tools are installed, this is a 
finding.
        
        Fix Text: The base Red Hat platform already includes a sophisticated 
auditing system that can detect intruder activity, as well as SELinux, which 
provides host-based intrusion prevention capabilities by confining privileged 
programs and user sessions which may become compromised. 
        
        Install an additional intrusion detection tool to provide complementary 
or duplicative monitoring, reporting, and reaction capabilities to those of the 
base platform. For DoD systems, the McAfee Host-based Security System is 
provided to fulfill this role.   


So, even though you've configured your system with all these auditing rules, 
configured AIDE for integrity checking, *and* have SELinux enforcing, FSO wants 
you to layer on an *additional* level of host intrusion detection which can 
provide "complementary or duplicative monitoring, reporting, and reaction 
capabilities." 

As stated in the STIG, DoD provides McAfee HBSS to perform this function. But 
it isn't *mandated.*

Some people utilize things like Splunk to provide complementary functionality, 
easing the administrative burden of sifting through gobs of audit logs. Others 
use Snort. The list of software/hardware that can provide "complementary or 
duplicative monitoring, reporting, and reaction capabilities" is exhausting.

Many within DoD utilize McAfee, while others (e.g. Intelligence Community) 
utilize things like SNORT or SOURCEfire. The guiding principle is to provide 
defense in depth. One of the more humorous implementations I've seen was a cron 
script that scp'd audit logs to another machine, just to meet their DAA's 
interpretation of "complementary reporting capabilities."

_______________________________________________
gov-sec mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/gov-sec

--- End Message ---
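As an added example (not from this thread, the STIG, or the SSG project), the following shell check evaluates the three RHEL6 rules Shawn lists under SRG-OS-000196 (AIDE, auditd, an additional HIDS tool) and separately flags the failure mode the colleague's note describes: a HIPS agent installed with SELinux taken out of enforcing to make it work. The HIPS package name is an assumption supplied by the caller; the evaluation takes pre-collected facts so it can be exercised without a live host.

```shell
#!/bin/bash
# Example posture check for the RHEL6 STIG rules discussed on the list.
# Not the SSG's own check content; the HIPS package name is an assumption.

# Read the configured mode from /etc/selinux/config-style text on stdin.
# Ignores commented lines and SELINUXTYPE=; the last SELINUX= setting wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# evaluate_hids_posture RUNTIME_MODE CONFIG_MODE AIDE AUDITD HIPS
# RUNTIME_MODE is getenforce output, CONFIG_MODE the SELINUX= value,
# the rest are yes/no. Prints one line per finding; returns the count.
evaluate_hids_posture() {
    runtime="$1"; config="$2"; aide="$3"; auditd="$4"; hips="$5"
    findings=0
    if [ "$aide" != yes ]; then
        echo "RHEL-06-000305: AIDE not installed"; findings=$((findings + 1))
    fi
    if [ "$auditd" != yes ]; then
        echo "RHEL-06-000145: auditd not active"; findings=$((findings + 1))
    fi
    if [ "$hips" != yes ]; then
        echo "RHEL-06-000285: no additional host-based IDS tool installed"
        findings=$((findings + 1))
    fi
    # The thread's failure mode: HBSS layered on, SELinux switched off.
    # The STIG text treats HIPS as additional to SELinux, not a replacement.
    if [ "$runtime" != Enforcing ] || [ "$config" != enforcing ]; then
        echo "SELinux not enforcing (runtime=$runtime, config=$config)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Gather the facts from a live RHEL6 host and evaluate them.
# Argument: the HIPS agent package name (assumed; placeholder by default).
collect_and_evaluate() {
    hips_pkg="${1:-HIPS_PACKAGE_NAME_PLACEHOLDER}"
    runtime=$(getenforce 2>/dev/null || echo Unknown)
    config=$(selinux_config_mode < /etc/selinux/config)
    aide=no;   rpm -q aide >/dev/null 2>&1 && aide=yes
    auditd=no; service auditd status >/dev/null 2>&1 && auditd=yes
    hips=no;   rpm -q "$hips_pkg" >/dev/null 2>&1 && hips=yes
    evaluate_hids_posture "$runtime" "$config" "$aide" "$auditd" "$hips"
}
```

Run `collect_and_evaluate <hips-package>` on the host; a zero exit means no findings, otherwise each finding is printed and the exit status is the count.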