5 Replies. Latest reply: Nov 14, 2013 3:42 PM by Kary Tankink

    Host Intrusion Prevention for Linux

    fsimmons

      Hey, I'm new to the McAfee community (this is my first post). I'm also new (as of Jan.) to the McAfee product line (new company). What I wanted to find was a network of ninjas (or security professionals knowledgeable on Linux HIPS) to bounce some tribal knowledge on HIPS for Linux around. Coming from other products, there are some features that I think would be nice for them to have (*cough* network monitoring, swatch-like behavior for matching regular expressions and creating events based on content, network monitoring, the ability to have a backup ePO server in the event of the primary going down (for failover), network monitoring, and network monitoring!).

       

      I'm putting together a ruleset of custom rules for file monitoring (you know, things that would have been nice to have come standard as part of the basic policy but were not there) of a lot of key OS config files. I'm still a little green with HIPS for the McAfee line, so I still need to test whether I can just monitor /etc and have it grab /etc/[subdir] and /etc/[file] and /etc/[subdir]/[file] without me having to specify every important file in etc. Also, if anyone has any experience in this realm, are there big performance hits from having a lot of tracked files with this?

       

      So, kind of leaving this discussion open ended. Please reply with any tips/tricks or things you figured out through trial and error or usage. Things for new people, like helpful log locations such as the hipus log or HipMgtPlugin.log (when hipts message logging is set to all).

       

      Anyone know of a manual (from the server) way to initiate a wake up?

       

      To me it looks like the Linux HIPS agent was there initially to fill a check box, but it actually isn't bad with its kernel integration and Apache module. It would be awesome if they started supporting iptables configuration (giving HIPS for Linux a firewall configuration that you could centrally configure but that uses a well-known, well-vetted firewall backend). Which would pave the way nicely for... network monitoring!

        • 1. Re: Host Intrusion Prevention for Linux
          Kary Tankink
          fsimmons wrote: Things for new people like, helpful log locations such as the hipus log or HipMgtPlugin.log (when hipts message logging is set to all).

          /opt/McAfee/hip/log/
            HipClient.log
            HipMgtPlugin.log

          /opt/McAfee/etc/
            hip-install.log

          /opt/McAfee/cma/scratch/etc
            log*
            McScript.log

          fsimmons wrote: Anyone know of a manual (from the server) way to initiate a wake up?

          To my knowledge, you can only initiate a wake up call (for the non-Windows McAfee Agent versions) via an ePO server Agent Wakeup call.  I'm not aware of any client-side command to run.  You can try restarting the McAfee Agent daemon, but I don't think that forces an immediate ASCI (Agent to Server Communication Interval).

          • 2. Re: Host Intrusion Prevention for Linux
            dcobes

            Kary Tankink wrote:

            fsimmons wrote: Things for new people like, helpful log locations such as the hipus log or HipMgtPlugin.log (when hipts message logging is set to all).

            /opt/McAfee/hip/log/
              HipClient.log
              HipMgtPlugin.log

            /opt/McAfee/etc/
              hip-install.log

            /opt/McAfee/cma/scratch/etc
              log*
              McScript.log

            fsimmons wrote: Anyone know of a manual (from the server) way to initiate a wake up?

            To my knowledge, you can only initiate a wake up call (for the non-Windows McAfee Agent versions) via an ePO server Agent Wakeup call.  I'm not aware of any client-side command to run.  You can try restarting the McAfee Agent daemon, but I don't think that forces an immediate ASCI (Agent to Server Communication Interval).

            You can perform a "Collect and Send Props" via

            cd /opt/McAfee/cma/bin && ./cmdagent -P

            • 3. Re: Host Intrusion Prevention for Linux
              Kary Tankink

              dcobes wrote:

              You can perform a "Collect and Send Props" via

              cd /opt/McAfee/cma/bin && ./cmdagent -P

              Correct, however, this works for the McAfee Agent 4.6 and higher only.

              KB52707 - How to use command line switches with CmdAgent
              https://kc.mcafee.com/corporate/index?page=content&id=KB52707

              NOTE: CmdAgent functionality for non-Windows clients is available in McAfee Agent 4.6 and above.
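An added example (not from this thread or from McAfee) that wraps the "Collect and Send Props" call above so it is only attempted on agents that meet the 4.6 requirement, and otherwise tells the admin to fall back to the ePO-initiated Agent Wakeup. How the installed agent version is read is an assumption here: it is passed in as a "major.minor[.patch]" string; the binary path defaults to the one quoted in the thread.

```shell
#!/bin/sh
# Added example: gate the client-side cmdagent -P call on the Agent 4.6+ requirement.
set -u

# Minimum McAfee Agent version with CmdAgent support on non-Windows clients (per the thread).
CMDAGENT_MIN_VERSION="4.6"
# Path quoted in the thread; overridable for testing. Assumed, not verified here.
CMDAGENT="${CMDAGENT:-/opt/McAfee/cma/bin/cmdagent}"

# version_ge A B: exit 0 when version A >= version B.
# Compares field by field numerically, so 4.10 sorts after 4.6 and 4.6 == 4.6.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# props_method VERSION: prints "cmdagent" when the agent is new enough and the
# binary is present, otherwise "epo-wakeup" (only an ePO-side Agent Wakeup applies).
props_method() {
    if version_ge "$1" "$CMDAGENT_MIN_VERSION" && [ -x "$CMDAGENT" ]; then
        echo cmdagent
    else
        echo epo-wakeup
    fi
}

# send_props VERSION: run the collect-and-send-props call the same way the thread
# shows it (cd into the bin directory first); return 2 when no local trigger exists.
send_props() {
    case "$(props_method "$1")" in
        cmdagent)
            ( cd "${CMDAGENT%/*}" && ./cmdagent -P ) ;;
        *)
            echo "Agent $1: no client-side trigger; request an Agent Wakeup from the ePO console." >&2
            return 2 ;;
    esac
}
```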

              • 4. Re: Host Intrusion Prevention for Linux
                greatscott

                I wouldn't call HIPS a network monitoring tool; there are few signatures for network IDS built into HIPS. Further, I am not sure that the NIPS signatures apply to non-Windows systems.

                • 5. Re: Host Intrusion Prevention for Linux
                  Kary Tankink

                  greatscott wrote: Further, I am not sure that the NIPS signatures apply to non windows systems.
                  HIPS for non-Windows is Host IPS protection only.  Network IPS and Firewall are Windows-only (this is stated when you're viewing these options in the ePO console and HIPS extension).