X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_audit_rcl.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_audit_rcl.txt;h=34d85161b6d4d8c2f98335c465f897ef15f2c3ba;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt new file mode 100644 index 0000000..34d8516 --- /dev/null +++ b/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt @@ -0,0 +1,74 @@ +# OSSEC Linux Audit - (C) 2018 OSSEC Project +# +# Released under the same license as OSSEC. +# More details at the LICENSE file included with OSSEC or online +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE +# +# [Application name] [any or all] [reference] +# type:; +# +# Type can be: +# - f (for file or directory) +# - r (registry entry) +# - p (process running) +# +# Additional values: +# For the registry and for directories, use "->" to look for a specific entry and another +# "->" to look for the value. +# Also, use " -> r:^\. -> ..." to search all files in a directory +# For files, use "->" to look for a specific value in the file. +# +# Values can be preceded by: =: (for equal) - default +# r: (for ossec regexes) +# >: (for strcmp greater) +# <: (for strcmp lower) +# Multiple patterns can be specified by using " && " between them. +# (All of them must match for it to return true). + +# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true +[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] [] +r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; +r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; + +# http://support.microsoft.com/kb/825750 +[DCOM disabled {PCI_DSS: 10.6.1}] [any] [] +r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N; + +# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html +[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] [] +r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0; +r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1; + +# http://research.eeye.com/html/alerts/AL20060813.html +# Disabled by some Malwares (sometimes by McAfee and Symantec +# security center too). +[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] [] +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0; + +# Checking for the microsoft firewall. +[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] [] +r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0; +r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0; + +#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html +[Null sessions allowed {PCI_DSS: 11.4}] [any] [] +r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0; + +[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html] +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0; +r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0; + +# http://support.microsoft.com/default.aspx?scid=315231 +[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231] +r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword; +r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1; + +[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] [] +f:%WINDIR%\System32\drivers\npf.sys;