The CTO to which David is referring is 10-17 (28 July 2010), which mandates that HBSS be deployed on all Linux and Unix systems.

I asked DISA about the HBSS/SELinux conflict and this was their reply: "SELinux is not compatible with HBSS...you can either use SELinux as is and submit a waiver to Cybercom, disable the SE features and install the required point product(s) (if possible), or migrate to a different OS."

When I contacted the HBSS office to find out how to get a waiver, they told me that a waiver was not necessary and that there was a "verbal understanding" between Cybercom and HBSS to give *nix systems flexibility in their configuration until the HBSS/SELinux conflict is resolved, which is why Brain's system made it through IV&V. Granted, informal "understandings" within the DoD make me nervous, but that is where we are right now.

So what's the best way to articulate this within a STIG? Beats me. I suggest the following for group discussion:

============================
Group ID (Vulid): V-38667
Group Title: SRG-OS-000196
Rule ID: SV-50468r1_rule
Severity: CAT II
Rule Version (STIG-ID): RHEL-06-000285
Rule Title: The system must have a host-based intrusion detection tool and/or a host-based intrusion prevention tool installed.

Vulnerability Discussion: Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime. For DoD systems, the McAfee Host-based Security System (HBSS) is provided to fulfill this role. Adding host-based intrusion prevention tools increases system security by confining privileged programs and user sessions. SELinux is provided to fulfill this role. At this time, HBSS and SELinux are not compatible.
<snip>

What if the last 3 sentences were:

Adding host-based intrusion prevention tools increases system security by confining privileged programs and user sessions. SELinux can be configured to fulfill the security prevention role. At this time, HBSS and SELinux are not compatible.

-josh
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
