# OSSEC Linux Audit - (C) 2018 # # Released under the same license as OSSEC. # More details at the LICENSE file included with OSSEC or online # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE # # [Application name] [any or all] [reference] # type:; # # Type can be: # - f (for file or directory) # - r (registry entry) # - p (process running) # # Additional values: # For the registry and for directories, use "->" to look for a specific entry and another # "->" to look for the value. # Also, use " -> r:^\. -> ..." to search all files in a directory # For files, use "->" to look for a specific value in the file. # # Values can be preceeded by: =: (for equal) - default # r: (for ossec regexes) # >: (for strcmp greater) # <: (for strcmp lower) # Multiple patterns can be specified by using " && " between them. # (All of them must match for it to return true). # Level 2 CIS Checks for Debian Linux 7 and Debian Linux 8 # Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81) # # $rc_dirfiles=/etc/rc0.d/*,/etc/rc1.d/*,/etc/rc2.d/*,/etc/rc3.d/*,/etc/rc4.d/*,/etc/rc5.d/*,/etc/rc6.d/*,/etc/rc7.d/*,/etc/rc8.d/*,/etc/rc9.d/*,/etc/rca.d/*,/etc/rcb.d/*,/etc/rcc.d/*,/etc/rcs.d/*,/etc/rcS.d/*; # # #2.18 Disable Mounting of cramfs Filesystems [CIS - Debian Linux 7/8 - 2.18 Disable Mounting of cramfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install cramfs /bin/true; # # #2.19 Disable Mounting of freevxfs Filesystems [CIS - Debian Linux 7/8 - 2.19 Disable Mounting of freevxfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install freevxfs /bin/true; # # #2.20 Disable Mounting of jffs2 Filesystems [CIS - Debian Linux 7/8 - 2.20 Disable Mounting of jffs2 Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install jffs2 /bin/true; # # #2.21 Disable Mounting of hfs Filesystems [CIS - Debian Linux 7/8 - 2.21 Disable Mounting of hfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install hfs /bin/true; # # #2.22 Disable Mounting of hfsplus Filesystems [CIS - Debian Linux 7/8 - 2.22 Disable Mounting of hfsplus Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install hfsplus /bin/true; # # #2.23 Disable Mounting of squashfs Filesystems [CIS - Debian Linux 7/8 - 2.23 Disable Mounting of squashfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install squashfs /bin/true; # # #2.24 Disable Mounting of udf Filesystems [CIS - Debian Linux 7/8 - 2.24 Disable Mounting of udf Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/modprobe.d/CIS.conf; f:/etc/modprobe.d/CIS.conf -> !r:^install udf /bin/true; # # #4.5 Activate AppArmor [CIS - Debian Linux 7/8 - 4.5 Activate AppArmor] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:/etc/default/grub -> !r:apparmor=1 && !r:security=apparmor; # # #8.1.1.1 Configure Audit Log Storage Size [CIS - Debian Linux 7/8 - 8.1.1.1 Configure Audit Log Storage Size] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/auditd.conf; f:/etc/audit/auditd.conf -> !r:max_log_file\s*=\s*\d+; # # #8.1.1.2 Disable System on Audit Log Full [CIS - Debian Linux 7/8 - 8.1.1.2 Disable System on Audit Log Full] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/auditd.conf; f:/etc/audit/auditd.conf -> !r:^space_left_action\s*=\s*email; f:/etc/audit/auditd.conf -> !r:^# && r:space_left_action\s*=\s*ignore|syslog|suspend|single|halt; f:/etc/audit/auditd.conf -> !r:^action_mail_acct\s*=\s*root; f:/etc/audit/auditd.conf -> !r:^admin_space_left_action\s*=\s*halt; f:/etc/audit/auditd.conf -> !r:^# && r:admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single; # # #8.1.1.3 Keep All Auditing Information [CIS - Debian Linux 7/8 - 8.1.1.3 Keep All Auditing Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/auditd.conf; f:/etc/audit/auditd.conf -> !r:^max_log_file_action\s*=\s*keep_logs; f:/etc/audit/auditd.conf -> !r:^# && r:max_log_file_action\s*=\s*ignore|syslog|suspend|rotate; # # #8.1.3 Enable Auditing for Processes That Start Prior to auditd [CIS - Debian Linux 7/8 - 8.1.3 Enable Auditing for Processes That Start Prior to auditd] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*; # # #8.1.4 Record Events That Modify Date and Time Information [CIS - Debian Linux 7 - 8.1.4 Record Events That Modify Date and Time Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S clock_settime -k time-change; f:/etc/audit/audit.rules -> !r:^-w /etc/localtime -p wa -k time-change; # # #8.1.5 Record Events That Modify User/Group Information [CIS - Debian Linux 7/8 - 8.1.5 Record Events That Modify User/Group Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /etc/group -p wa -k identity; f:/etc/audit/audit.rules -> !r:^-w /etc/passwd -p wa -k identity; f:/etc/audit/audit.rules -> !r:^-w /etc/gshadow -p wa -k identity; f:/etc/audit/audit.rules -> !r:^-w /etc/shadow -p wa -k identity; f:/etc/audit/audit.rules -> !r:^-w /etc/security/opasswd -p wa -k identity; # # #8.1.6 Record Events That Modify the System's Network Environment [CIS - Debian Linux 7/8 - 8.1.6 Record Events That Modify the System's Network Environment] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale; f:/etc/audit/audit.rules -> !r:^-w /etc/issue -p wa -k system-locale; f:/etc/audit/audit.rules -> !r:^-w /etc/issue.net -p wa -k system-locale; f:/etc/audit/audit.rules -> !r:^-w /etc/hosts -p wa -k system-locale; f:/etc/audit/audit.rules -> !r:^-w /etc/network -p wa -k system-locale; # # #8.1.7 Record Events That Modify the System's Mandatory Access Controls [CIS - Debian Linux 7/8 - 8.1.7 Record Events That Modify the System's Mandatory Access Controls] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /etc/selinux/ -p wa -k MAC-policy; # # #8.1.8 Collect Login and Logout Events [CIS - Debian Linux 7/8 - 8.1.8 Collect Login and Logout Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /var/log/faillog -p wa -k logins; f:/etc/audit/audit.rules -> !r:^-w /var/log/lastlog -p wa -k logins; f:/etc/audit/audit.rules -> !r:^-w /var/log/tallylog -p wa -k logins; # # #8.1.9 Collect Session Initiation Information [CIS - Debian Linux 7/8 - 8.1.9 Collect Session Initiation Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /var/run/utmp -p wa -k session; f:/etc/audit/audit.rules -> !r:^-w /var/log/wtmp -p wa -k session; f:/etc/audit/audit.rules -> !r:^-w /var/log/btmp -p wa -k session; # # #8.1.10 Collect Discretionary Access Control Permission Modification Events [CIS - Debian Linux 7/8 - 8.1.10 Collect Discretionary Access Control Permission Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\; f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\; f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\; f:/etc/audit/audit.rules -> !r:^lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod; # # #8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files [CIS - Debian Linux 7/8 - 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\; f:/etc/audit/audit.rules -> !r:^-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\; f:/etc/audit/audit.rules -> !r:^-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access; # # #8.1.13 Collect Successful File System Mounts [CIS - Debian Linux 7/8 - 8.1.13 Collect Successful File System Mounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts; # # #8.1.14 Collect File Deletion Events by User [CIS - Debian Linux 7/8 - 8.1.14 Collect File Deletion Events by User] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\; f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k delete; # # #8.1.15 Collect Changes to System Administration Scope (sudoers) [CIS - Debian Linux 7/8 - 8.1.15 Collect Changes to System Administration Scope (sudoers)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /etc/sudoers -p wa -k scope; # # #8.1.16 Collect System Administrator Actions (sudolog) [CIS - Debian Linux 7/8 - 8.1.16 Collect System Administrator Actions (sudolog)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /var/log/sudo.log -p wa -k actions; # # #8.1.17 Collect Kernel Module Loading and Unloading [CIS - Debian Linux 7/8 - 8.1.17 Collect Kernel Module Loading and Unloading] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-w /sbin/insmod -p x -k modules; f:/etc/audit/audit.rules -> !r:^-w /sbin/rmmod -p x -k modules; f:/etc/audit/audit.rules -> !r:^-w /sbin/modprobe -p x -k modules; f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|-a always,exit -F arch=b64 -S init_module -S delete_module -k modules; # # #8.1.18 Make the Audit Configuration Immutable [CIS - Debian Linux 7/8 - 8.1.18 Make the Audit Configuration Immutable] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/etc/audit; f:!/etc/audit/audit.rules; f:/etc/audit/audit.rules -> !r:^-e 2$; # # #8.3.1 Install AIDE [CIS - Debian Linux 7/8 - 8.3.1 Install AIDE] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:!/usr/sbin/aideinit; # # #8.3.2 Implement Periodic Execution of File Integrity [CIS - Debian Linux 7/8 - 8.3.2 Implement Periodic Execution of File Integrity] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] f:/etc/crontab -> !r:/usr/sbin/aide --check; #