+++ /dev/null
-# OSSEC Linux Audit - (C) 2018
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceeded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# Level 2 CIS Checks for Debian Linux 7 and Debian Linux 8
-# Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81)
-#
-#
-$rc_dirfiles=/etc/rc0.d/*,/etc/rc1.d/*,/etc/rc2.d/*,/etc/rc3.d/*,/etc/rc4.d/*,/etc/rc5.d/*,/etc/rc6.d/*,/etc/rc7.d/*,/etc/rc8.d/*,/etc/rc9.d/*,/etc/rca.d/*,/etc/rcb.d/*,/etc/rcc.d/*,/etc/rcs.d/*,/etc/rcS.d/*;
-#
-#
-#2.18 Disable Mounting of cramfs Filesystems
-[CIS - Debian Linux 7/8 - 2.18 Disable Mounting of cramfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install cramfs /bin/true;
-#
-#
-#2.19 Disable Mounting of freevxfs Filesystems
-[CIS - Debian Linux 7/8 - 2.19 Disable Mounting of freevxfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install freevxfs /bin/true;
-#
-#
-#2.20 Disable Mounting of jffs2 Filesystems
-[CIS - Debian Linux 7/8 - 2.20 Disable Mounting of jffs2 Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install jffs2 /bin/true;
-#
-#
-#2.21 Disable Mounting of hfs Filesystems
-[CIS - Debian Linux 7/8 - 2.21 Disable Mounting of hfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install hfs /bin/true;
-#
-#
-#2.22 Disable Mounting of hfsplus Filesystems
-[CIS - Debian Linux 7/8 - 2.22 Disable Mounting of hfsplus Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install hfsplus /bin/true;
-#
-#
-#2.23 Disable Mounting of squashfs Filesystems
-[CIS - Debian Linux 7/8 - 2.23 Disable Mounting of squashfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install squashfs /bin/true;
-#
-#
-#2.24 Disable Mounting of udf Filesystems
-[CIS - Debian Linux 7/8 - 2.24 Disable Mounting of udf Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/modprobe.d/CIS.conf;
-f:/etc/modprobe.d/CIS.conf -> !r:^install udf /bin/true;
-#
-#
-#4.5 Activate AppArmor
-[CIS - Debian Linux 7/8 - 4.5 Activate AppArmor] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/default/grub -> !r:apparmor=1 && !r:security=apparmor;
-#
-#
-#8.1.1.1 Configure Audit Log Storage Size
-[CIS - Debian Linux 7/8 - 8.1.1.1 Configure Audit Log Storage Size] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/auditd.conf;
-f:/etc/audit/auditd.conf -> !r:max_log_file\s*=\s*\d+;
-#
-#
-#8.1.1.2 Disable System on Audit Log Full
-[CIS - Debian Linux 7/8 - 8.1.1.2 Disable System on Audit Log Full] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/auditd.conf;
-f:/etc/audit/auditd.conf -> !r:^space_left_action\s*=\s*email;
-f:/etc/audit/auditd.conf -> !r:^# && r:space_left_action\s*=\s*ignore|syslog|suspend|single|halt;
-f:/etc/audit/auditd.conf -> !r:^action_mail_acct\s*=\s*root;
-f:/etc/audit/auditd.conf -> !r:^admin_space_left_action\s*=\s*halt;
-f:/etc/audit/auditd.conf -> !r:^# && r:admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single;
-#
-#
-#8.1.1.3 Keep All Auditing Information
-[CIS - Debian Linux 7/8 - 8.1.1.3 Keep All Auditing Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/auditd.conf;
-f:/etc/audit/auditd.conf -> !r:^max_log_file_action\s*=\s*keep_logs;
-f:/etc/audit/auditd.conf -> !r:^# && r:max_log_file_action\s*=\s*ignore|syslog|suspend|rotate;
-#
-#
-#8.1.3 Enable Auditing for Processes That Start Prior to auditd
-[CIS - Debian Linux 7/8 - 8.1.3 Enable Auditing for Processes That Start Prior to auditd] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*;
-#
-#
-#8.1.4 Record Events That Modify Date and Time Information
-[CIS - Debian Linux 7 - 8.1.4 Record Events That Modify Date and Time Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S clock_settime -k time-change;
-f:/etc/audit/audit.rules -> !r:^-w /etc/localtime -p wa -k time-change;
-#
-#
-#8.1.5 Record Events That Modify User/Group Information
-[CIS - Debian Linux 7/8 - 8.1.5 Record Events That Modify User/Group Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /etc/group -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/passwd -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/gshadow -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/shadow -p wa -k identity;
-f:/etc/audit/audit.rules -> !r:^-w /etc/security/opasswd -p wa -k identity;
-#
-#
-#8.1.6 Record Events That Modify the System's Network Environment
-[CIS - Debian Linux 7/8 - 8.1.6 Record Events That Modify the System's Network Environment] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/issue -p wa -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/issue.net -p wa -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/hosts -p wa -k system-locale;
-f:/etc/audit/audit.rules -> !r:^-w /etc/network -p wa -k system-locale;
-#
-#
-#8.1.7 Record Events That Modify the System's Mandatory Access Controls
-[CIS - Debian Linux 7/8 - 8.1.7 Record Events That Modify the System's Mandatory Access Controls] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /etc/selinux/ -p wa -k MAC-policy;
-#
-#
-#8.1.8 Collect Login and Logout Events
-[CIS - Debian Linux 7/8 - 8.1.8 Collect Login and Logout Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/faillog -p wa -k logins;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/lastlog -p wa -k logins;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/tallylog -p wa -k logins;
-#
-#
-#8.1.9 Collect Session Initiation Information
-[CIS - Debian Linux 7/8 - 8.1.9 Collect Session Initiation Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /var/run/utmp -p wa -k session;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/wtmp -p wa -k session;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/btmp -p wa -k session;
-#
-#
-#8.1.10 Collect Discretionary Access Control Permission Modification Events
-[CIS - Debian Linux 7/8 - 8.1.10 Collect Discretionary Access Control Permission Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\;
-f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\;
-f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\;
-f:/etc/audit/audit.rules -> !r:^lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod;
-#
-#
-#8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files
-[CIS - Debian Linux 7/8 - 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\;
-f:/etc/audit/audit.rules -> !r:^-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\;
-f:/etc/audit/audit.rules -> !r:^-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access;
-#
-#
-#8.1.13 Collect Successful File System Mounts
-[CIS - Debian Linux 7/8 - 8.1.13 Collect Successful File System Mounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts;
-#
-#
-#8.1.14 Collect File Deletion Events by User
-[CIS - Debian Linux 7/8 - 8.1.14 Collect File Deletion Events by User] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\;
-f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k delete;
-#
-#
-#8.1.15 Collect Changes to System Administration Scope (sudoers)
-[CIS - Debian Linux 7/8 - 8.1.15 Collect Changes to System Administration Scope (sudoers)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /etc/sudoers -p wa -k scope;
-#
-#
-#8.1.16 Collect System Administrator Actions (sudolog)
-[CIS - Debian Linux 7/8 - 8.1.16 Collect System Administrator Actions (sudolog)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /var/log/sudo.log -p wa -k actions;
-#
-#
-#8.1.17 Collect Kernel Module Loading and Unloading
-[CIS - Debian Linux 7/8 - 8.1.17 Collect Kernel Module Loading and Unloading] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-w /sbin/insmod -p x -k modules;
-f:/etc/audit/audit.rules -> !r:^-w /sbin/rmmod -p x -k modules;
-f:/etc/audit/audit.rules -> !r:^-w /sbin/modprobe -p x -k modules;
-f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|-a always,exit -F arch=b64 -S init_module -S delete_module -k modules;
-#
-#
-#8.1.18 Make the Audit Configuration Immutable
-[CIS - Debian Linux 7/8 - 8.1.18 Make the Audit Configuration Immutable] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/etc/audit;
-f:!/etc/audit/audit.rules;
-f:/etc/audit/audit.rules -> !r:^-e 2$;
-#
-#
-#8.3.1 Install AIDE
-[CIS - Debian Linux 7/8 - 8.3.1 Install AIDE] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:!/usr/sbin/aideinit;
-#
-#
-#8.3.2 Implement Periodic Execution of File Integrity
-[CIS - Debian Linux 7/8 - 8.3.2 Implement Periodic Execution of File Integrity] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
-f:/etc/crontab -> !r:/usr/sbin/aide --check;
-#
projects / ossec-hids.git / blobdiff