5 replies, latest reply Nov 14, 2013 3:42 PM by Kary Tankink

fsimmons, Newcomer, 4 posts since May 12, 2010
May 12, 2010 2:37 PM

Host Intrusion Prevention for Linux

Hey, I'm new to the McAfee community (this is my first post). I'm also new (as of Jan.) to the McAfee product line (new company). What I wanted to find was a network of ninjas (or security professionals knowledgeable on Linux HIPS) to bounce some tribal knowledge on HIPS for Linux around. Coming from other products, there are some features that I think would be nice for them to have (*cough* network monitoring, swatch-like behavior for matching regular expressions and creating events based on content, network monitoring, the ability to have a backup ePO server in the event of the primary going down (for failover), network monitoring, and network monitoring!).


I'm putting together a ruleset of custom rules for file monitoring (you know, things that would have been nice to have come standard as part of the basic policy but were not there) of a lot of key OS config files. I'm still a little green with HIPS for the McAfee line, so I still need to test whether I can just monitor /etc and it will grab /etc/[subdir] and /etc/[file] and /etc/[subdir]/[file] without me having to specify every important file in /etc. Also, if anyone has any experience in this realm, are there big performance hits from having a lot of tracked files with this?


So, I'm kind of leaving this discussion open-ended. Please reply with any tips/tricks or things you figured out through trial and error or usage. Things for new people, like helpful log locations such as the hipus log or HipMgtPlugin.log (when hipts message logging is set to all).


Anyone know of a manual (from the server) way to initiate a wake up?


To me it looks like the Linux HIPS agent was there initially to fill a checkbox, but it actually isn't bad with its kernel integration and Apache module. It would be awesome if they started supporting iptables configuration (giving HIPS for Linux an FW configuration that you could centrally configure but that uses a well-known, well-vetted FW backend). Which would pave the way nicely for... network monitoring!

  • Kary Tankink, McAfee Employee, 658 posts since Mar 3, 2010
    1. Jun 7, 2010 3:48 PM (in response to fsimmons)
    Re: Host Intrusion Prevention for Linux

    fsimmons wrote:

    Things for new people like, helpful log locations such as the hipus log or HipMgtPlugin.log (when hipts message logging is set to all).

    /opt/McAfee/hip/log/
        HipClient.log
        HipMgtPlugin.log

    /opt/McAfee/etc/
        hip-install.log

    /opt/McAfee/cma/scratch/etc
        log*
        McScript.log

    fsimmons wrote:

    Anyone know of a manual (from the server) way to initiate a wake up?

    To my knowledge, you can only initiate a wake up call (for the non-Windows McAfee Agent versions) via an ePO server Agent Wakeup call.  I'm not aware of any client-side command to run.  You can try restarting the McAfee Agent daemon, but I don't think that forces an immediate ASCI (Agent to Server Communication Interval).

  • dcobes, The Place at McAfee Member, 38 posts since Nov 1, 2012
    2. Nov 8, 2013 4:33 PM (in response to Kary Tankink)
    Re: Host Intrusion Prevention for Linux

    Kary Tankink wrote:

    /opt/McAfee/hip/log/
        HipClient.log
        HipMgtPlugin.log

    /opt/McAfee/etc/
        hip-install.log

    /opt/McAfee/cma/scratch/etc
        log*
        McScript.log

    To my knowledge, you can only initiate a wake up call (for the non-Windows McAfee Agent versions) via an ePO server Agent Wakeup call.  I'm not aware of any client-side command to run.  You can try restarting the McAfee Agent daemon, but I don't think that forces an immediate ASCI (Agent to Server Communication Interval).

    You can perform a "Collect and Send Props" via


    cd /opt/McAfee/cma/bin && ./cmdagent -P

  • Kary Tankink, McAfee Employee, 658 posts since Mar 3, 2010
    3. Nov 8, 2013 4:40 PM (in response to dcobes)
    Re: Host Intrusion Prevention for Linux

    dcobes wrote:

    You can perform a "Collect and Send Props" via

    cd /opt/McAfee/cma/bin && ./cmdagent -P

    Correct, however, this works for the McAfee Agent 4.6 and higher only.


    KB52707 - How to use command line switches with CmdAgent

    https://kc.mcafee.com/corporate/index?page=content&id=KB52707


    NOTE: CmdAgent functionality for non-Windows clients is available in McAfee Agent 4.6 and above.
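The two replies above give a client-side way to push properties (cmdagent -P) and a caveat (non-Windows CmdAgent exists only from McAfee Agent 4.6). The script below is an added example, not code from the thread or from McAfee: it wraps that command with the version gate and then tails the log files Kary listed earlier, so a new HIPS admin can see the effect of the push. The cmdagent path, the -P switch and the log paths are taken from the thread; the agent version is an argument the caller supplies (assumption: from your package manager or the ePO system tree), since the thread gives no command for reading it, and the 4.6 comparison is this example's own helper.

```shell
#!/bin/sh
# Added example (not from the thread or McAfee): gate "Collect and Send Props"
# on the Agent 4.6 minimum from KB52707, run it, then show the HIPS/agent logs.
# Paths and the -P switch come from the thread; verify the switch against
# KB52707 for your agent build.

CMDAGENT=/opt/McAfee/cma/bin/cmdagent
MIN_MAJOR=4
MIN_MINOR=6

# agent_version_ok MAJOR.MINOR[.PATCH]
# Returns 0 when the version is 4.6 or later, 1 otherwise (including junk input).
agent_version_ok() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then return 0; fi
    return 1
}

# send_props: run the props collection if the agent binary is present.
# Returns cmdagent's exit status, or 2 when the binary is missing.
send_props() {
    if [ ! -x "$CMDAGENT" ]; then
        echo "send_props: $CMDAGENT not found or not executable" >&2
        return 2
    fi
    "$CMDAGENT" -P
}

# show_logs: tail the HIPS and agent logs listed in the thread, skipping
# any that are absent on this host (hip-install.log only matters right
# after an install; McScript.log is the agent's own script log).
show_logs() {
    for f in /opt/McAfee/hip/log/HipClient.log \
             /opt/McAfee/hip/log/HipMgtPlugin.log \
             /opt/McAfee/etc/hip-install.log \
             /opt/McAfee/cma/scratch/etc/McScript.log; do
        if [ -r "$f" ]; then
            echo "== $f"
            tail -n 20 "$f"
        fi
    done
    return 0
}

# Usage: sh send_props.sh <agent-version>, e.g. sh send_props.sh 4.6.0
main() {
    if ! agent_version_ok "$1"; then
        echo "McAfee Agent '$1' is not 4.6 or later; cmdagent is unavailable," \
             "trigger the wake-up from the ePO console instead" >&2
        return 1
    fi
    send_props && show_logs
}

# Only act when a version argument was given, so the functions can be
# sourced or tested without touching the agent.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it as root on the HIPS host (the cmdagent binary and the logs under /opt/McAfee are not readable by ordinary users). A non-zero exit from send_props with the "not found" message on a host that should have the agent is worth chasing before assuming the policy side is broken, since it usually means an agent older than 4.6 or a non-standard install prefix.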

  • greatscott, Champion, 294 posts since Jul 18, 2011
    4. Nov 14, 2013 2:54 PM (in response to fsimmons)
    Re: Host Intrusion Prevention for Linux

    I wouldn't call HIPS a network monitoring tool; there are few signatures for network IDS built into HIPS. Further, I am not sure that the NIPS signatures apply to non-Windows systems.

  • Kary Tankink, McAfee Employee, 658 posts since Mar 3, 2010
    5. Nov 14, 2013 3:42 PM (in response to greatscott)
    Re: Host Intrusion Prevention for Linux

    greatscott wrote:

    Further, I am not sure that the NIPS signatures apply to non-Windows systems.

    HIPS for non-Windows is Host IPS protection only.  Network IPS and Firewall are Windows-only (this is stated when you're viewing these options in the ePO console and HIPS extension).
