--- /dev/null
+# OSSEC Linux Audit - (C) 2018
+#
+# Released under the same license as OSSEC.
+# More details at the LICENSE file included with OSSEC or online
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
+#
+# [Application name] [any or all] [reference]
+# type:<entry name>;
+#
+# Type can be:
+# - f (for file or directory)
+# - p (process running)
+# - d (any file inside the directory)
+#
+# Additional values:
+# For the registry , use "->" to look for a specific entry and another
+# "->" to look for the value.
+# For files, use "->" to look for a specific value in the file.
+#
+# Values can be preceeded by: =: (for equal) - default
+# r: (for ossec regexes)
+# >: (for strcmp greater)
+# <: (for strcmp lower)
+# Multiple patterns can be specified by using " && " between them.
+# (All of them must match for it to return true).
+#
+# Checks for Password Security on Linux Systems
+#
+#1 Set Default Algorithm for Password Encryption to SHA256 or SHA 512
+[Password Hardening - 1: Set Default Algorithm for Password Encryption to SHA256 or SHA 512] [any] [https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun, https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html]
+f:/etc/security/policy.conf -> !r:^# && r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__;
+f:/etc/security/policy.conf -> !r:^CRYPT_DEFAULT=\d;
+f:/etc/login.defs -> !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES;
+f:/etc/login.defs -> !r:^ENCRYPT_METHOD\s+SHA512|^ENCRYPT_METHOD\s+SHA256;
+f:/etc/pam.d/common-password -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
+f:/etc/pam.d/common-password -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
+f:/etc/pam.d/password-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
+f:/etc/pam.d/password-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
+f:/etc/pam.d/system-auth -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
+f:/etc/pam.d/system-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
+f:/etc/pam.d/system-auth-ac -> !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;
+f:/etc/pam.d/system-auth-ac -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;
+#
+#
+#2 Passwords in /etc/shadow not hashed with SHA-256 or SHA-512
+[Password Hardening - 2: Not all Passwords in /etc/shadow are hashed with SHA-256 or SHA-512] [any] [https://linux-audit.com/password-security-with-linux-etc-shadow-file/, https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html]
+f:/etc/shadow -> !r:^# && !r:^\w+:NP:\d+:\d*:\d*:\d*:\d*:\d*:\d*$ && r:^\w+:\w\.*:\d+:\d*:\d*:\d*:\d*:\d*:\d*$;
+f:/etc/shadow -> !r:^# && r:\w+:\$1\$\.+;
+f:/etc/shadow -> !r:^# && r:\w+:\$2\$\.+;
+f:/etc/shadow -> !r:^# && r:\w+:\$2a\$\.+;
+f:/etc/shadow -> !r:^# && r:\w+:\$2x\$\.+;
+f:/etc/shadow -> !r:^# && r:\w+:\$2y\$\.+;
+f:/etc/shadow -> !r:^# && r:\w+:\$md5\$\.+;
+f:/etc/shadow -> !r:^# && r:\w+:\$__unix__\$\.+;
+#
+#
+#3 Set Password Creation Requirement Parameters
+[Password Hardening - 3: Set Password Creation Requirement Parameters] [any] [https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/, https://workbench.cisecurity.org]
+f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
+f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
+f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
+f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
+f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
+f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
+f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;
+f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;
+f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass|^@include\s+common-password;
+f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+|^@include\s+common-password;
+f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:minlen=\d\d+;
+f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
+f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:minlen=\d\d+;
+f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:minlen=\d\d+;
+f:/etc/security/pwquality.conf -> !r:^minlen=\d\d+;
+f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
+f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
+f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
+f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:dcredit=\p*\d+;
+f:/etc/security/pwquality.conf -> !r:^dcredit=\p*\d+;
+f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
+f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
+f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
+f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:lcredit=\p*\d+;
+f:/etc/security/pwquality.conf -> !r:^lcredit=\p*\d+;
+f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
+f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
+f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
+f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ocredit=\p*\d+;
+f:/etc/security/pwquality.conf -> !r:^ocredit=\p*\d+;
+f:/etc/pam.d/common-password -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
+f:/etc/pam.d/password-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
+f:/etc/pam.d/system-auth -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
+f:/etc/pam.d/passwd -> r:pam_cracklib.so && !r:ucredit=\p*\d+;
+f:/etc/security/pwquality.conf -> !r:^ucredit=\p*\d+;
+#
+#
+#4 Set default password expiration / aging parameters
+[Password Hardening - 4: Set password expiration / aging parameters] [any] [https://www.thegeekdiary.com/understanding-etclogin-defs-file, https://workbench.cisecurity.org/sections/26024/recommendations/63001]
+f:/etc/default/passwd -> !r:^MAXWEEKS=\d\d$;
+f:/etc/default/passwd -> !r:^MINWEEKS=\d;
+f:/etc/default/passwd -> !r:^WARNWEEKS=\d;
+f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s*\t*\d\d$;
+f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s*\t*\d;
+f:/etc/login.defs -> !r:^PASS_WARN_AGE\s*\t*\d;
projects / ossec-hids.git / blobdiff