# OSSEC Linux Audit - (C) 2018 OSSEC Project # # Released under the same license as OSSEC. # More details at the LICENSE file included with OSSEC or online # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE # # [Application name] [any or all] [reference] # type:; # # Type can be: # - f (for file or directory) # - p (process running) # - d (any file inside the directory) # # Additional values: # For the registry and for directories, use "->" to look for a specific entry and another # "->" to look for the value. # Also, use " -> r:^\. -> ..." to search all files in a directory # For files, use "->" to look for a specific value in the file. # # Values can be preceded by: =: (for equal) - default # r: (for ossec regexes) # >: (for strcmp greater) # <: (for strcmp lower) # Multiple patterns can be specified by using " && " between them. # (All of them must match for it to return true). $php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini; $web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www; # PHP checks [PHP - Register globals are enabled] [any] [] f:$php.ini -> r:^register_globals = On; # PHP checks [PHP - Expose PHP is enabled] [any] [] f:$php.ini -> r:^expose_php = On; # PHP checks [PHP - Allow URL fopen is enabled] [any] [] f:$php.ini -> r:^allow_url_fopen = On; # PHP checks [PHP - Displaying of errors is enabled] [any] [] f:$php.ini -> r:^display_errors = On; # PHP checks - consider open_basedir && disable_functions ## Looking for common web exploits (might indicate that you are owned). ## Using http://dcid.me/blog/logsamples/webattacks_links as a reference. #[Web exploits - Possible compromise] [any] [] #d:$web_dirs -> .txt$ -> r:^ ^.yop$; [Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] d:$web_dirs -> ^id$; [Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] d:$web_dirs -> ^.ssh$; [Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] d:$web_dirs -> ^...$; [Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] d:$web_dirs -> ^.shell$; ## Looking for outdated Web applications ## Taken from http://sucuri.net/latest-versions [Web vulnerability - Outdated WordPress installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions] d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '4.4.2'; [Web vulnerability - Outdated Joomla installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions] d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8'; [Web vulnerability - Outdated osCommerce (v2.2) installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions] d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-; ## Looking for known backdoors [Web vulnerability - Backdoors / Web based malware found - eval(base64_decode {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo; [Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST {PCI_DSS: 6.5, 6.6, 11.4}] [any] [] d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST; [Web vulnerability - .htaccess file compromised {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html] d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google; [Web vulnerability - .htaccess file compromised - auto append {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html] d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;