Check: H36662
HBSS Host Intrusion Prevention: H36662 (in version v4 r13)
Title
(U//FOUO) The HIPS policy must include the signature for protection of the Asset Baseline Monitor registry key. (Cat II impact)
Discussion
Check Content
(U//FOUO) If Asset Baseline Monitor is not being used, this check is N/A. Select the asset to be checked, then select "Assigned Policies", followed by "Host Intrusion Prevention 7:IPS" from the product list. From the "IPS Rules" category, select the "View Effective Policy" hyperlink. Select the "Signatures" tab. Verify that the "Protect Asset Baseline Monitor" signature is present and select the "View" hyperlink. In addition to the signature being present, the "Severity level" must be set to High, "Log status" must be set to "Enable logging", and the "Allow creation of client rules" setting must be disabled. If the signature is not present or the properties are set incorrectly, this is a finding.
Fix Text
(U//FOUO) Install the "Protect Asset Baseline Monitor" signature and configure it as follows: "Severity level" set to High, "Log status" set to "Enable logging", and the "Allow creation of client rules" setting disabled.
Additional Identifiers
Rule ID: SV-15173r3_rule
Vulnerability ID: V-14555
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |