On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke <[email protected]>

- Update VRelease
- Provide clarification if users should disable SELinux to enable 3rd party 
tools (e.g. HBSS)

Signed-off-by: Leland Steinke <[email protected]>
---
  RHEL/6/input/auxiliary/stig_overlay.xml    |    2 +-
  RHEL/6/input/system/software/integrity.xml |    6 +++++-
  2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml 
b/RHEL/6/input/auxiliary/stig_overlay.xml
index 86a5b5e..958b119 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -816,7 +816,7 @@
                <title>The system must use and update a DoD-approved virus scan 
program.</title>
        </overlay>
        <overlay owner="disastig" ruleid="install_hids" ownerid="RHEL-06-000285" disa="1263" 
severity="medium">
-               <VMSinfo VKey="38667" SVKey="50468" VRelease="1" />
+               <VMSinfo VKey="38667" SVKey="50468" VRelease="2" />
                <title>The system must have a host-based intrusion detection tool 
installed.</title>
        </overlay>
        <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-06-000286" 
disa="366" severity="high">
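Review bot: The VRelease change from "1" to "2" on the install_hids overlay (RHEL-06-000285) is not tied to anything a reader can check: the commit message only says "Update VRelease". Please name the DISA STIG release that this value tracks in the commit message, so the bump can be verified against the published STIG. If the upstream title or severity changed in that release, update them in the same overlay entry.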
diff --git a/RHEL/6/input/system/software/integrity.xml 
b/RHEL/6/input/system/software/integrity.xml
index 73a0629..0c14ecc 100644
--- a/RHEL/6/input/system/software/integrity.xml
+++ b/RHEL/6/input/system/software/integrity.xml
@@ -197,7 +197,11 @@ software may not be appropriate for some specialized 
systems.
  The base Red Hat platform already includes a sophisticated auditing system 
that
  can detect intruder activity, as well as SELinux, which provides host-based
  intrusion prevention capabilities by confining privileged programs and user
-sessions which may become compromised.
+sessions which may become compromised.<br />
+In DoD environments, supplemental intrusion detection tools, such as, the 
McAfee
+Host-based Security System, are available to integrate with existing 
infrastructure.
+When these supplemental tools interfere with the proper functioning of 
SELinux, SELinux
+takes precedence.
  <br/>
  </description>
  <ocil clause="no host-based intrusion detection tools are installed">
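Review bot: The added sentence "SELinux takes precedence" does not answer the question the commit message sets out to clarify, namely whether users should disable SELinux to run third-party tools. Precedence can be read several ways. Suggest stating the action directly, for example that SELinux must not be disabled to accommodate the supplemental tool and that the tool should be reconfigured instead. Two style points in the same added lines: "such as, the McAfee" should read "such as the McAfee", and the new `<br />` differs from the `<br/>` form used on the unchanged line just below it. The ocil clause still only checks that a tool is installed, so nothing in the check text reflects the new guidance.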
ack
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
