1 # OSSEC Linux Audit - (C) 2018 OSSEC Project
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
7 # [Application name] [any or all] [reference]
11 # - f (for file or directory)
12 # - r (registry entry)
13 # - p (process running)
16 # For the registry and for directories, use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # Also, use " -> r:^\. -> ..." to search all files in a directory
19 # For files, use "->" to look for a specific value in the file.
21 # Values can be preceded by: =: (for equal) - default
22 # r: (for ossec regexes)
23 # >: (for strcmp greater)
24 # <: (for strcmp lower)
25 # Multiple patterns can be specified by using " && " between them.
26 # (All of them must match for it to return true).
28 # http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
29 [Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] []
30 r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
31 r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
33 # http://support.microsoft.com/kb/825750
34 [DCOM disabled {PCI_DSS: 10.6.1}] [any] []
35 r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
37 # http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
38 [LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] []
39 r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
40 r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
42 # http://research.eeye.com/html/alerts/AL20060813.html
43 # Disabled by some Malwares (sometimes by McAfee and Symantec
44 # security center too).
45 [Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] []
46 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
47 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
48 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
49 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
51 # Checking for the microsoft firewall.
52 [Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] []
53 r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;
54 r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;
56 #http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
57 [Null sessions allowed {PCI_DSS: 11.4}] [any] []
58 r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
60 [Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
61 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
62 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
63 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
64 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;
65 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
66 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
68 # http://support.microsoft.com/default.aspx?scid=315231
69 [Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231]
70 r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
71 r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
73 [Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
74 f:%WINDIR%\System32\drivers\npf.sys;
projects / ossec-hids.git / blob