The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-214800 | RHEL-07-020019 | SV-214800r603261_rule | Medium |
| Description |
|---|
| Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 7 Security Technical Implementation Guide | 2021-03-01 |
Details
| Check Text ( C-16000r462531_chk ) |
|---|
| Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Procedure: Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed: # rpm -qa | grep MFEhiplsm Verify that the McAfee HIPS module is active on the system: # ps -ef | grep -i “hipclient” If the MFEhiplsm package is not installed, check for another intrusion detection system: # find / -name Where Determine if the application is active on the system: # ps -ef | grep -i If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. If no host-based intrusion detection system is installed and running on the system, this is a finding. |
| Fix Text (F-36317r602660_fix) |
|---|
| Install and enable the latest McAfee HIPS package or McAfee ENSL. |