new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / var / ossec / etc / shared / system_audit_pw.txt
# OSSEC Linux Audit - (C) 2018
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
#
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#             - f (for file or directory)
#             - p (process running)
#             - d (any file inside the directory)
#
# Additional values:
# For the registry, use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by: =: (for equal) - default
#                            r: (for ossec regexes)
#                            >: (for strcmp greater)
#                            <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
#
# Checks for Password Security on Linux Systems
#
#1 Set Default Algorithm for Password Encryption to SHA256 or SHA 512
[Password Hardening - 1: Set Default Algorithm for Password Encryption to SHA256 or SHA 512] [any] [https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun, https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html]
f:/etc/security/policy.conf -> !r:^# && r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__;
f:/etc/security/policy.conf -> !r:^CRYPT_DEFAULT=\d;
f:/etc/login.defs -> !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES;
f:/etc/login.defs -> !r:^ENCRYPT_METHOD\s+SHA512|^ENCRYPT_METHOD\s+SHA256;
f:/etc/pam.d/common-password -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/common-password -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
f:/etc/pam.d/password-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/password-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
f:/etc/pam.d/system-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/system-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
f:/etc/pam.d/system-auth-ac -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
f:/etc/pam.d/system-auth-ac -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
#
#
#2 Passwords in /etc/shadow not hashed with SHA-256 or SHA-512
[Password Hardening - 2: Not all Passwords in /etc/shadow are hashed with SHA-256 or SHA-512] [any] [https://linux-audit.com/password-security-with-linux-etc-shadow-file/, https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html]
f:/etc/shadow -> !r:^# && !r:^\w+:NP:\d+:\d*:\d*:\d*:\d*:\d*:\d*$ && r:^\w+:\w\.*:\d+:\d*:\d*:\d*:\d*:\d*:\d*$;
f:/etc/shadow -> !r:^# && r:\w+:\$1\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2a\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2x\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$2y\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$md5\$\.+;
f:/etc/shadow -> !r:^# && r:\w+:\$__unix__\$\.+;
#
#
#3 Set Password Creation Requirement Parameters
[Password Hardening - 3: Set Password Creation Requirement Parameters] [any] [https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/, https://workbench.cisecurity.org]
f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass|^@include\s+common-password;
f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+|^@include\s+common-password;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:minlen=\d\d+;
f:/etc/security/pwquality.conf -> !r:^minlen=\d\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^dcredit=\p*\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^lcredit=\p*\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^ocredit=\p*\d+;
f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
f:/etc/security/pwquality.conf -> !r:^ucredit=\p*\d+;
#
#
#4 Set default password expiration / aging parameters
[Password Hardening - 4: Set password expiration / aging parameters] [any] [https://www.thegeekdiary.com/understanding-etclogin-defs-file, https://workbench.cisecurity.org/sections/26024/recommendations/63001]
f:/etc/default/passwd -> !r:^MAXWEEKS=\d\d$;
f:/etc/default/passwd -> !r:^MINWEEKS=\d;
f:/etc/default/passwd -> !r:^WARNWEEKS=\d;
f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s*\t*\d\d$;
f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s*\t*\d;
f:/etc/login.defs -> !r:^PASS_WARN_AGE\s*\t*\d;
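
The entry syntax described in the header comments (type, `->`, `!` negation, `r:` regexes, ` && `) can be tried offline against single lines before a policy is deployed. The following is an added example, not part of the OSSEC package: the function names are hypothetical, the regex translation is a simplified model of the OSSEC regex classes used in this file, and how rootcheck combines per-line results across a whole file is not modelled.

```python
import re

# OSSEC regex classes used in this file. Simplified model for this example,
# not rootcheck's matcher; case handling and \W, \D, \S are not modelled.
CLASSES = {"w": "[A-Za-z0-9@_-]", "d": "[0-9]", "s": " ", "t": "\t",
           "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]", ".": "."}

def to_python_regex(ossec):
    """Translate one OSSEC regex (| separates alternatives) to Python syntax."""
    out, i = [], 0
    while i < len(ossec):
        c = ossec[i]
        if c == "\\" and i + 1 < len(ossec):
            out.append(CLASSES.get(ossec[i + 1], re.escape(ossec[i + 1])))
            i += 2
            if i < len(ossec) and ossec[i] in "+*":  # modifier on a \-class
                out.append(ossec[i])
                i += 1
            continue
        at_end = i + 1 == len(ossec) or ossec[i + 1] == "|"
        out.append(c if c in "^|" or (c == "$" and at_end) else re.escape(c))
        i += 1
    return "".join(out)

def parse_entry(line):
    """'f:/path -> a && b;' -> (type, target, [(negated, operator, value)])."""
    target, _, checks = line.strip().rstrip(";").partition(" -> ")
    kind, _, path = target.partition(":")
    parts = []
    for raw in (checks.split(" && ") if checks else []):
        negated = raw.startswith("!")
        raw = raw[1:] if negated else raw
        op, value = (raw[0], raw[2:]) if raw[:2] in ("=:", "r:", ">:", "<:") else ("=", raw)
        parts.append((negated, op, value))
    return kind, path, parts

def line_matches(parts, text):
    """True when every pattern of one entry holds for one line of the file."""
    tests = {"r": lambda v: re.search(to_python_regex(v), text) is not None,
             "=": lambda v: text == v,
             ">": lambda v: text > v,
             "<": lambda v: text < v}
    return all(tests[op](value) != negated for negated, op, value in parts)

# Two entries copied from the file above; the input lines are constructed.
RULE_LOGIN = r"f:/etc/login.defs -> !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES;"
RULE_SHADOW = r"f:/etc/shadow -> !r:^# && r:\w+:\$1\$\.+;"
for sample in ("ENCRYPT_METHOD MD5", "# ENCRYPT_METHOD MD5", "ENCRYPT_METHOD SHA512"):
    print(sample, "->", line_matches(parse_entry(RULE_LOGIN)[2], sample))
```
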