+++ /dev/null
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:<entry name>;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
-[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] []
-r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-
-# http://support.microsoft.com/kb/825750
-[DCOM disabled {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
-
-# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] []
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
-
-# http://research.eeye.com/html/alerts/AL20060813.html
-# Disabled by some Malwares (sometimes by McAfee and Symantec
-# security center too).
-[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
-
-# Checking for the microsoft firewall.
-[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] []
-r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;
-r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;
-
-#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[Null sessions allowed {PCI_DSS: 11.4}] [any] []
-r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
-
-[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
-
-# http://support.microsoft.com/default.aspx?scid=315231
-[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231]
-r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
-r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
-
-[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
-f:%WINDIR%\System32\drivers\npf.sys;
projects / ossec-hids.git / blobdiff