STIGQter STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.

DISA Rule

SV-214800r603261_rule

Vulnerability Number

V-214800

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RHEL-07-020019

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Install and enable the latest McAfee HIPS package or McAfee ENSL.

Check Contents

Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.

Procedure:
Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:

# rpm -qa | grep MFEhiplsm

Verify that the McAfee HIPS module is active on the system:

# ps -ef | grep -i “hipclient”

If the MFEhiplsm package is not installed, check for another intrusion detection system:

# find / -name <daemon name>

Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system.

Determine if the application is active on the system:

# ps -ef | grep -i <daemon name>

If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.

If no host-based intrusion detection system is installed and running on the system, this is a finding.

Vulnerability Number

V-214800

Documentable

False

Rule Version

RHEL-07-020019

Severity Override Guidance

Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.

Procedure:
Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:

# rpm -qa | grep MFEhiplsm

Verify that the McAfee HIPS module is active on the system:

# ps -ef | grep -i “hipclient”

If the MFEhiplsm package is not installed, check for another intrusion detection system:

# find / -name <daemon name>

Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system.

Determine if the application is active on the system:

# ps -ef | grep -i <daemon name>

If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.

If no host-based intrusion detection system is installed and running on the system, this is a finding.

Check Content Reference

M

Target Key

2899

Comments