Policy enforcement with the Linux client | McAfee 6.1 instruction

McAfee® Host Intrusion Prevention 6.1 Product Guide	Host Intrusion Prevention Client
	Linux client

9

Linux client

The Host Intrusion Prevention 6.1 Linux client identifies and prevents potentially harmful attempts to compromise a Linux server’s files and applications. It leverages the native SELinux protection mechanism, translating IPS policies into SELinux rules and SELinux events back to IPS events, and provides easy management from the ePO console.

Policy enforcement with the Linux client

Not all policies that protect a Windows client are available for the Linux client. In brief, Host Intrusion Prevention protects the host server from harmful attacks but does not offer network intrusion protection, including buffer overflow. The policies that are valid are listed here.

With this policy...	These options are available...

HIP 6.1 GENERAL:
Client UI	None except admin or time-based password to allow use
	of the troubleshooting tool.

Trusted Networks	None
Trusted Applications	Only Mark as trusted for IPS and New Process Name to add
	trusted applications.

HIP 6.1 IPS:
IPS Options		Enable HIPS
		Enable Adaptive Mode
	Retain existing Client Rules

IPS Protection	All
IPS Rules		Exception Rules
	Signatures (default and custom HIPS rules only)
	Note: NIPS signatures and Application Protection Rules
	are not available.

IPS Events	All
IPS Client Rules	All

Search IPS Exception Rules	All
HIP 6.1 FIREWALL	None

HIP 6.1 APPLICATION BLOCKING	None

Notes about the Linux client

If you have an existing SELinux policy in place or are using default protection settings, installing a Linux client replaces the policy with a default McAfee Host Intrusion Prevention policy. Uninstalling the Linux client restores the previous SELinux policy.

The Linux client requires that SELinux be installed and enabled (set to enforce or permissive). If it is installed but disabled, enable it, set it to targeted policy, and restart the computer before installing the Linux client.

Linux controls file attribute changes with a single SELinux permission (file:setattr). It does not have individual control of chdir or symlink, control of changing directory, or control of creating a symbolic link.

156

Image 156

McAfee 6.1 manual Policy enforcement with the Linux client

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion New features What’s new in this releaseChanges from the previous release Using this guide Audience Conventions This guide uses the following conventionsBold Condensed Example Getting product information Standard documentation Customer Service Professional ServicesContact information IPS feature Basic ConceptsSignature rules Behavioral rules EventsReactions Exception rules Firewall feature Firewall rulesClient firewall rules Application Blocking feature General featureClient application blocking rules Policy management Policy enforcementPolicies and policy categories Policy inheritance and assignment Policy ownershipPolicy assignment locking Preset protection Adaptive and Learn modeDeployment and management Tuning Reports Using ePolicy Orchestrator „ Deploy Host Intrusion Prevention clients EPolicy Orchestrator console EPolicy Orchestrator console Policy management Assign Policies Installing the Host Intrusion Prevention server Host Intrusion Prevention operationsAssigning owners to policies Generating notifications Deploying Host Intrusion Prevention clients Viewing and working with client data Placing clients in Adaptive or Learn mode Configuring policies Policy viewing alerts Fine-tuning Active X control security warning Using Help Help navigation procedures Help in the user interface IPS Events/SignaturesIPS Exception Rules IPS Signature Rules IPS Policies Overview Host and network IPS signature rules Benefits of Host IPS Preset IPS policies Behavioral rulesBenefits of Network IPS Configuring the IPS Options policy Quick accessTo configure the IPS Options policy Click Apply To create a new IPS Options policyIPS Options dialog box appears Select the needed options Configuring the IPS Protection policy To configure the IPS Protection policy To create a new IPS Protection policy IPS Protection dialog box appears Select the type of reaction for each severity level Configuring the IPS Rules policy To assign IPS Rules policiesTo create a new IPS Rules policy IPS Rules policy details Creating exception rules To create an exception Editing exception rules You can view and edit details of an existing exceptionTo edit an exception rule To disable/enable an exception Enabling and disabling exception rulesDeleting exception rules Moving exception rules to another policy Signatures Types of signaturesHost signatures Custom host signatures Viewing signatures IPS Rules-Signatures tab To modify default signatures Modifying host and network signaturesCreating custom signatures To modify the view of signatures Using the wizard to create signatures To create signatures using the wizard Using the standard mode to create signatures To create a signature with the standard mode New Custom Signature-General tab Editing custom signatures Deleting custom signaturesTo use Standard Method To use Expert Method To edit a custom signature Application Protection Rules 11 Application Protection Rules analysis To create an application protection rule 12 IPS Rules-Application Protection Rules 13 New Trusted Application dialog box-General tab IPS Events Editing Application Protection RulesEnabling and disabling Application Protection Rules Deleting Application Protection Rules Viewing events To view IPS events Configuring the event view Filtering eventsTo change the event view Marking events To mark an event as readTo mark an event as unread To hide an event Marking similar events To mark similar events„ Agent „ Signatures „ User „ Process „ Severity Level Hidden Viewing event details Creating event-based exceptions and trusted applicationsTo view event details To create an event-based exception To create an event-based trusted application IPS Client Rules Searching for related exceptionsTo search for a related exception Regular View To migrate client rules to an IPS Rules policy Aggregated View To aggregate client rulesClick the Aggregate View tab on the IPS Client Rules tab Search IPS Exception Rules To search for exceptions and manage the list of exceptions 22 Search IPS Exception Rules tab Firewall Policies HIP 6.0 rules HIP 6.1 rules State table Stateful packet filteringStateful packet inspection How firewall rules work Ordering the firewall rule list How stateful filtering works Stateful filtering process How stateful packet inspection works Stateful protocol trackingProtocol Description of handling Firewall rule groups and connection-aware groups TCP Overview Firewall Learn and Adaptive modes Stateful filtering Quarantine policies and rules Preset Firewall policies Migrating custom 6.0 firewall rules to 6.1 rulesTo migrate rules Configuring the Firewall Options policy To configure the Firewall Options policySelect For these settings Off McAfee Default Learn Create New Policy dialog box appears „ Select New Policy Configuring the Firewall Rules policy Creating new Firewall Rules policiesTo create a Firewall Rules policy Include Local Subnet Automatically selected Select this For this protection Policy Server Medium Server High Viewing and editing firewall rules Do any of the followingTo view and edit a firewall rule Add Policy or Duplicate Policy Select the appropriate settings Click OK Creating a new firewall rule or firewall groupTo create a firewall rule To create a new rule group Firewall Rule Group dialog box appearsTo create a connection-aware group Type a name for this group in the Name field Deleting a firewall rule or group To add predefined rulesTo delete a firewall rule or group Viewing firewall client rules To view all firewall client rulesTo modify the view, do any of the following To view aggregated firewall client rules To view details of an aggregated firewall rule Configuring the Quarantine Options policy To configure the Quarantine Options policySelect New Policy Configuring the Quarantine Rules policy Quarantine Rules policy provides access forCreating new Quarantine Rules policies To create a Quarantine Rules policy Viewing and editing quarantine rules To view and edit a quarantine ruleClick Properties Creating a new quarantine rule or group Deleting a quarantine rule or groupTo create a quarantine rule To delete a quarantine rule or group Application Blocking Policies Application creation Preset Application Blocking policies Application Blocking feature contains two policy categoriesApplication hooking Configuring the Application Blocking Options policy Select this policy For these settings Off McAfee DefaultTo apply an Application Blocking Options policy Application Blocking Options Configuring the Application Blocking Rules policy Creating new Application Blocking Rules policiesTo create an Application Blocking Rules policy Viewing and editing Application Blocking Rules To view and edit an application blocking rule Creating new Application Blocking Rules To create a new application blocking ruleApplication Rule dialog box appears 100 Deleting an application blocking rule Viewing application client rulesTo delete an application blocking rule To view all client application rules To view aggregated client application rules To view details of an aggregated client application rule General Policies Preset General policies General feature contains four policy categories Configuring Enforce Policies Configuring the Client UI policyTo change the policy setting Regular User Administrator User To configure a Client UI policyCreating and applying a Client UI policy Disconnected User Setting passwords 107 To create an administrator password Click the Advanced Options tab in the Client UI policy108 To create a time-based password Tray icon controlTo provide tray icon control of Windows UI Configuring the Trusted Networks policy To configure trusted network options110 Select To do this Add EditRemove Include Local Subnet Configuring the Trusted Applications policy Creating and applying Trusted Applications policiesTo create a new policy Trusted Application tab appears Creating trusted applications To create a trusted application To disable/enable a trusted application Editing trusted applicationsEnabling and disabling trusted applications Deleting trusted applications Maintenance Fine-tuning a deploymentAnalyzing IPS events 115 Creating exception rules and trusted application rules Working with client exception rulesCreating and applying new policies For details on working with client rules, see Policy maintenance and tasks To view and reset broken inheritance below a specific nodePolicies tab Policy inheritance and assignment To copy and paste policy assignments of a node Click Copy policy assignments To view nodes where a policy is assigned Policy CatalogViewing policy information To view all policies that have been created To view the settings and owner of a policy To view assignments where policy enforcement is disabledEditing policy information To edit a policy Running server tasks Directory GatewayEvent Archiver Property Translator Setting up notifications for events How notifications workCreating rules Host Intrusion Prevention notifications 124 Running reports Pre-defined reportsReport repository Report content control Host Intrusion Prevention reportsSummary information and details IPS Events Summary by Signature IPS Event Summary by Target Network Intrusion Summary by Source IPSignature Top 10 Attacked Nodes for IPS Top 10 Triggered SignaturesBlocked Application Summary Filters on platform and signature type Failed Quarantine Updates Top 10 Blocked ApplicationsInitial View Drill Down Host Name Checking in the update package To add update packages automaticallyUpdating From the Task type list, select Repository Pull To add update packages manually To run an update taskTo have a client request an update Updating clients Host Intrusion Prevention Client Windows client System tray icon Client console133 Setting options Unlocking the client interfaceTo unlock the Host Intrusion Prevention interface To customize client options Error Reporting TroubleshootingShow tray icon Error Reporting Select For this To set IPS logging options To set Firewall logging optionsSecurity Violations Alerts Intrusion alerts137 To respond to a firewall Learn Mode alert Firewall alerts138 Has the Treat rule match as an intrusion option selected Application Blocking alerts Quarantine alerts Spoof Detected alerts„ The IP address that the traffic pretends to come from 140 141 IP Spoof Detected Alert dialog box IPS Policy tab IPS Policy optionsTo customize IPS Policy options 142 IPS Policy exception rules Exception rules listTo edit the exception rules 143 Firewall Policy tab Firewall Policy optionsTo customize Firewall Policy options 144 Firewall Policy Rules Firewall rules list145 Application Policy tab Application Policy optionsTo customize Application Policy options 146 Application Policy rules Application rules list147 Blocked Hosts tab Blocked Hosts list148 Column What it shows To edit the Blocked Hosts list 149Until removed Application Protection tab Application Protection listThis list shows all monitored processes on the client 150 Activity Log tab Activity Log optionsTo customize Activity Log options 151 Activity Log list 152Select Create Sniffer Capture... McAfee Host Intrusion Prevention Options Troubleshooting Client installation issuesSolaris client Policy enforcement with the Solaris client Client operations issues Run this command To do this154 File/Directory Name Description To stop a Solaris client To restart a Solaris client155 Linux client Policy enforcement with the Linux client Verifying the client is running File Name Description Troubleshooting tool 158 Run the command hipts agent off To stop a Linux clientTo restart a Linux client 159 Frequently Asked Questions What is a policy?What is the McAfee Default policy? 160 161 How do I view IPS events triggered by clients? How do I create an exception based on an IPS Event? How do I create custom signatures for an IPS Policy? How do I find existing policies that match a given profile? Writing Custom Signatures Rule StructureBasic structure of a rule is the following 164 Mandatory common sections 165Section Name Value Description Use of Include and Exclude Name/domain user name Optional common sections Section value variablesUse of the dependencies section Use of wildcards Use of environment variablesUse of predefined variables Windows IIS Web Server MS SQL Database Server Solaris Apache and iPlanet169 This topic describes how to write Windows custom signatures Windows Custom SignaturesClass Files 170 171 Advanced Details GUI name Explanation Class Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Class Services Section Values Meaning/remarks GUI Name Explanation Possible Values Windows Custom Signatures This topic describes how to write Solaris custom signatures Solaris Custom SignaturesClass UNIXfile 181 Relevant X directives per section Directive File Source File permission New permission Advanced Details Class UNIXapache183 Solaris Custom Signatures Linux Custom Signatures 185 Summary of parameters and directives List of parameters according to typeList of directives according to type 186 Glossary 187 188 Blocked host 189 Console tree 190 EPolicy Orchestrator database server 191 See also minimal properties 192 Inactive agent 193 Policy enforcement interval 194 Severity level 195 SYN flood Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com