
V-782

CAT II (Medium)

The system must have a host-based intrusion detection tool installed.

Rule ID

SV-45912r2_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-001259

Discussion

Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion detection tool can provide methods to immediately lock out detected intrusion attempts.

Check Content

Ask the SA or IAO if a host-based intrusion detection application is loaded on the system. The preferred intrusion detection system is McAfee HBSS available through Cybercom. If another host-based intrusion detection application, such as SELinux, is used on the system, this is not a finding.

Procedure:
Examine the system to see if the Host Intrusion Prevention System (HIPS) is installed:

# rpm -qa | grep MFEhiplsm

If the MFEhiplsm package is installed, HBSS is being used on the system.

If another host-based intrusion detection system is loaded on the system:

# find / -name <daemon name>

Here <daemon name> is the name of the primary application daemon; the search determines if the application is loaded on the system.

Determine if the application is active on the system.

Procedure:
# ps -ef | grep <daemon name> 

If no host-based intrusion detection system is installed on the system, this is a finding.
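
The check procedure above, as an added shell example that is not part of the STIG text. It evaluates captured `rpm -qa`, `find / -name` and `ps -ef` output; the function names, the daemon name `examplehidsd` and the sample listings are constructed assumptions. The daemon is matched on the `ps` CMD column because `ps -ef | grep <daemon name>` also matches the grep process itself.

```shell
#!/bin/sh
# Added example, not STIG text. Names and sample data are hypothetical.

# Succeeds if the `rpm -qa` listing in $1 contains the HBSS HIPS package.
hbss_installed() {
    printf '%s\n' "$1" | grep -q 'MFEhiplsm'
}

# Succeeds if the `ps -ef` listing in $2 has a process whose command
# basename (field 8, CMD) is exactly $1. Header and grep lines never match.
daemon_running() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $2 ~ /^[0-9]+$/ { n = split($8, part, "/"); if (part[n] == name) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# v782_status PKGS FOUND PROCS DAEMON
#   PKGS  = output of: rpm -qa
#   FOUND = output of: find / -name DAEMON
#   PROCS = output of: ps -ef
# Prints "<status> <detail>". Only "nothing installed" is a finding, as the
# check text states; the active state is reported for the reviewer.
v782_status() {
    if hbss_installed "$1"; then
        echo "NOT_A_FINDING hbss"
    elif [ -n "$2" ]; then
        if daemon_running "$4" "$3"; then
            echo "NOT_A_FINDING other-active"
        else
            echo "NOT_A_FINDING other-inactive"
        fi
    else
        echo "FINDING none-installed"
    fi
}

# Constructed sample data (not from a real system; versions are made up).
SAMPLE_PKGS='bash-3.2-147.9.13
MFEhiplsm-0.0.0-0'
SAMPLE_PS='UID   PID  PPID C STIME TTY      TIME CMD
root  811     1 0 09:00 ?     00:00:02 /opt/examplehids/bin/examplehidsd -d
root 4242  4100 0 09:31 pts/0 00:00:00 grep examplehidsd'
SAMPLE_PS_GREP_ONLY='UID   PID  PPID C STIME TTY      TIME CMD
root 4242  4100 0 09:31 pts/0 00:00:00 grep examplehidsd'

v782_status "$SAMPLE_PKGS" "" "$SAMPLE_PS" examplehidsd
v782_status "bash-3.2-147.9.13" "/opt/examplehids/bin/examplehidsd" \
    "$SAMPLE_PS_GREP_ONLY" examplehidsd
```

On a live system the three listings would be captured with the commands shown in the procedure and passed in the same order.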

Fix Text

Install a host-based intrusion detection tool.