A security measure to enforce all network connected servers to comply with a set of international security standards and practices. To enforce the standards, a piece of agent software will need to be installed on each campus server for conducting compliance assessment and detecting security vulnerability (the cost is HK$200 for each physical CPU core). Newly installed servers will have to get the agent software installed and keep it online upon the assignment of a fixed IP address by ITS. Please fill in this form for update of server information.
Annual and quarterly reports on the compliance level of the servers and the list of non-compliance items will be sent to departments for taking remedial actions, if any. Compliance level is assessed based on a set of HKU Server Compliance Baseline Policies and 65% is set as the alarm level. Departments will be urged to take immediate remedial actions if the alarm level was hit in two consecutive quarterly reports.
For security reasons, IP addresses of the servers will be blocked if
- they are not installed with the agent software; or
- they are not listed in the quarterly compliance reports for 2 consecutive months (e.g. the agent software is turned off); or
- no remedial action is taken after the alarm level was hit in 2 consecutive months
Baseline Policies and Software Agent Packages
Baseline policies are hardening checklist formulated based on the Policy Statement and Checklists produced by DISA (Defense Information Systems Agency) (reference here). Our Baseline Policies are distilled from the DISA lists which only include the most critical items. These policies are specific to individual operating systems and the currently available policies are listed below-
|Supported Platforms||Software Agent Packages||Suggested Compliance Guidelines|
|Microsoft Windows Platforms||Windows 8.1, Windows Server 2012 – 2019||Microsoft Windows Platform Agent Installation Package (Windows 8.1/ Server 2012-2022)|
|Linux Platforms||RHEL 7-9 and it’s derivatives (such as CentOS/Rocky/AlmaLinux/CloudLinux/OEL)||IEM Agent Packages for RHEL derivatives (7-9, 64bits)|
|Other Platforms||IEM Agent Packages for Ubuntu||Ubuntu|