I believe the current guidance is to have McAfee Agent installed only. At least that is where we are at now, and we just went through our IV&V. I also have uvscan installed along with AIDE w/ daily cron jobs for both. HIPS etc. are not "required". But again I am not an expert and do not delineate any guidance.

I would have to find the guidance, and am on travel right now; however, when I return my ePO/HBSS "guy" can give me the reference.

Very Respectfully,
Brian Peake

On 9/24/13 4:35 PM, "Moessbauer, David" <[email protected]> wrote:

> I am not sure about your comment regarding "[HBSS] isn't *mandated.*"
>
> My experience with the fleet tells me otherwise, as both ODAA during
> accreditation and deployed platforms are requiring compliance with HBSS
> of our system. Additionally, I do believe I have seen a CTO distributed
> by the Navy that states otherwise, though I can't seem to put my hands on
> it at the moment.
>
> Please advise if I am incorrect in this belief.
>
> v/r
>
> David Moessbauer
> (410) 627-5633 (M)
>
> The Information contained in or attached to this communication may be
> confidential and privileged proprietary intended only for the
> individual/s or entity to whom/which it is addressed. Any unauthorized
> use, distribution, copying or disclosure of this information is strictly
> prohibited. If you have received this communication in error please
> contact the sender immediately and delete from your system.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Truhn, Chad M CTR NSWCDD, CXA30
> Sent: Tuesday, September 24, 2013 4:12 PM
> To: [email protected]
> Subject: (nwl) RE: RHEL5 vs RHEL6 language on HBSS
>
> Shawn,
>
> Reverting back to an email you sent to gov-sec back in June (attached),
> you said:
>
> "So, even though you've configured your system with all these auditing
> rules, configured AIDE for integrity checking, *and* have SELinux
> enforcing, FSO wants you to layer on an *additional* level of host
> intrusion detection which can provide "complementary or duplicative
> monitoring, reporting, and reaction capabilities."
>
> As stated in the STIG, DoD provides McAfee HBSS to perform this function.
> But it isn't *mandated.*"
>
> Then in ticket #262 from the SSG page:
>
> "HIPS is a category of technology, and while McAfee is commonly used to
> meet this, is not tied to a particular product/vendor. Users would be
> wise to select technology which is certified to run on RHEL6 without
> disabling key OS level protection mechanisms (e.g., if McAfee breaks
> your system, use something else)." [1]
>
> "MPO/FSO/RH: 3rd party products should work with the operating systems
> they run on, without forcing users to disable security mechanisms. Won't
> fix."
>
> I have always been confused about this language. Do we want SELinux
> enabled *AND* HIPS installed? Or should it be an *OR*? One says McAfee
> HBSS/HIPS is fine, another says it isn't. I'm confused!!!
>
> [1] https://fedorahosted.org/scap-security-guide/ticket/262
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Shawn Wells
> Sent: Tuesday, September 24, 2013 3:21 PM
> To: [email protected]
> Subject: RHEL5 vs RHEL6 language on HBSS
>
> I received the following note from a colleague today, outlining the
> wording changes between RHEL5 and RHEL6 regarding HBSS. I searched the
> mailing archives, and can't figure out *why* the language was changed.
>
> - Anyone remember why?
> - Objections to reverting to the RHEL5 language?
>
> EMail:
>> from the RHEL 6 STIG:
>>
>> ============================
>> Group ID (Vulid): V-38667
>> Group Title: SRG-OS-000196
>> Rule ID: SV-50468r1_rule
>> Severity: CAT II
>> Rule Version (STIG-ID): RHEL-06-000285
>> Rule Title: The system must have a host-based intrusion detection tool
>> installed.
>>
>> Vulnerability Discussion: Adding host-based intrusion detection tools
>> can provide the capability to automatically take actions in response to
>> malicious behavior, which can provide additional agility in reacting to
>> network threats. These tools also often include a reporting capability
>> to provide network awareness of system, which may not otherwise exist in
>> an organization's systems management regime.
>>
>> Check Content:
>> Inspect the system to determine if intrusion detection software has
>> been installed. Verify the intrusion detection software is active.
>> If no host-based intrusion detection tools are installed, this is a
>> finding.
>>
>> Fix Text: The base Red Hat platform already includes a sophisticated
>> auditing system that can detect intruder activity, as well as SELinux,
>> which provides host-based intrusion prevention capabilities by confining
>> privileged programs and user sessions which may become compromised.
>>
>> Install an additional intrusion detection tool to provide complementary
>> or duplicative monitoring, reporting, and reaction capabilities to those
>> of the base platform. For DoD systems, the McAfee Host-based Security
>> System is provided to fulfill this role.
>> ========================
>>
>> to look more like this from the RHEL 5 STIG:
>>
>> =========================
>> Group ID (Vulid): V-782
>> Group Title: GEN006480
>> Rule ID: SV-37746r2_rule
>> Severity: CAT II
>> Rule Version (STIG-ID): GEN006480
>> Rule Title: The system must have a host-based intrusion detection tool
>> installed.
>>
>> Vulnerability Discussion: Without a host-based intrusion detection
>> tool, there is no system-level defense when an intruder gains access to
>> a system or network. Additionally, a host-based intrusion detection tool
>> can provide methods to immediately lock out detected intrusion attempts.
>>
>> Responsibility: System Administrator
>> IAControls: ECID-1
>>
>> Check Content:
>> Ask the SA or IAO if a host-based intrusion detection application is
>> loaded on the system. The preferred intrusion detection system is McAfee
>> HBSS available through Cybercom. If another host-based intrusion
>> detection application, such as SELinux, is used on the system, this is
>> not a finding.
>> =========================
>>
>> People are getting confused and SELinux and HBSS are getting installed
>> with SELinux being disabled to make things work.
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
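The RHEL 6 check content quoted in this thread ("Inspect the system to determine if intrusion detection software has been installed. Verify the intrusion detection software is active.") is written for a human auditor. Below is an added example, not part of this thread, the STIG or the scap-security-guide project, that turns it into a POSIX sh check. It follows the RHEL 6 wording (an additional tool beyond audit and SELinux must be present and active), reports SELinux state separately so the AND/OR question raised above stays visible rather than being decided by the script, and has a separate test for the failure mode Shawn's colleague describes: HBSS deployed with SELinux disabled. Every function takes an optional root prefix so it can be run against a mounted image or a scratch tree instead of the live system. The McAfee install paths (/opt/McAfee/cma, /opt/McAfee/hip), the AIDE database location and the cron locations are assumptions, not STIG text.

```shell
#!/bin/sh
# Added example, not from the STIG or the SSG project: a scriptable form of the
# RHEL-06-000285 check ("is a host-based intrusion detection tool installed and
# active?") plus a separate test for the HBSS-installed-but-SELinux-disabled
# misconfiguration discussed in the thread. Every function takes an optional
# root prefix (default: the live system) so it can be pointed at a mounted
# image or a scratch tree. File locations marked "assumed" are not STIG text.

# SELinux mode from the persistent config: enforcing|permissive|disabled|missing.
selinux_config_mode() {
    cfg="${1:-}/etc/selinux/config"
    if [ ! -f "$cfg" ]; then echo missing; return 0; fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-missing}"
}

# Runtime enforcement from selinuxfs: 1 enforcing, 0 permissive, "unavailable"
# if no enforce node exists (RHEL 6 mounts selinuxfs at /selinux, later
# releases at /sys/fs/selinux).
selinux_runtime_mode() {
    for f in "${1:-}/sys/fs/selinux/enforce" "${1:-}/selinux/enforce"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo unavailable
}

# AIDE counts as "installed and active" only when a database has been built
# and a cron entry runs a check; the package alone does nothing.
# Database path and cron locations are assumed defaults.
aide_active() {
    root=${1:-}
    db=
    for f in "$root/var/lib/aide/aide.db.gz" "$root/var/lib/aide/aide.db"; do
        if [ -s "$f" ]; then db=$f; fi
    done
    if [ -z "$db" ]; then return 1; fi
    grep -qsE 'aide +(--check|-C)( |$)' \
        "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/cron.daily/* 2>/dev/null
}

# McAfee Agent / HIPS presence by install path (assumed: /opt/McAfee/cma for
# the agent, /opt/McAfee/hip for HIPS). An agent-only install is "present"
# here but says nothing about whether any HIPS policy is enforced.
mcafee_present() {
    root=${1:-}
    [ -x "$root/opt/McAfee/cma/bin/cmdagent" ] || [ -d "$root/opt/McAfee/hip" ]
}

# RHEL-06-000285 as worded for RHEL 6: an additional tool beyond audit/SELinux
# must be present and active. Prints one line per control; returns 0 for
# "not a finding", 1 for "finding". SELinux state is reported, not counted.
hids_check() {
    root=${1:-}
    found=0
    echo "selinux: config=$(selinux_config_mode "$root") runtime=$(selinux_runtime_mode "$root")"
    if aide_active "$root"; then echo "aide: active (database present, check scheduled)"; found=1; fi
    if mcafee_present "$root"; then echo "mcafee: present"; found=1; fi
    if [ "$found" -eq 1 ]; then echo "result: not a finding"; return 0; fi
    echo "result: FINDING - no additional host-based intrusion detection tool is installed and active"
    return 1
}

# The contradiction the thread warns about: HBSS made to "work" by disabling
# SELinux. Returns 0 when the McAfee agent is present and SELINUX=disabled.
hbss_with_selinux_disabled() {
    root=${1:-}
    mcafee_present "$root" && [ "$(selinux_config_mode "$root")" = disabled ]
}

# Run against the live system:  sh hids_check.sh --run
# Run against a mounted image:  sh hids_check.sh --run /mnt/image
if [ "${1:-}" = "--run" ]; then
    hids_check "${2:-}"
    if hbss_with_selinux_disabled "${2:-}"; then
        echo "warning: McAfee present but SELinux disabled in /etc/selinux/config"
    fi
fi
```

Note that an "SELINUX=disabled" line in the config is only half the picture: the runtime value from selinuxfs is what is enforced now, and a box rebooted after the config edit will show no enforce node at all, which the script reports as "unavailable". Both values are printed so an auditor can see a pending change as well as the current state.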
