-# @(#) $Id: ./src/rootcheck/db/win_audit_rcl.txt, 2011/09/08 dcid Exp $
-
-#
-# OSSEC Windows Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
+# OSSEC Linux Audit - (C) 2018 OSSEC Project
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
-# at: http://www.ossec.net/en/licensing.html
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
#
# [Application name] [any or all] [reference]
# type:<entry name>;
# - p (process running)
#
# Additional values:
-# For the registry , use "->" to look for a specific entry and another
+# For the registry and for directories, use "->" to look for a specific entry and another
# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
# For files, use "->" to look for a specific value in the file.
#
-# Values can be preceeded by: =: (for equal) - default
+# Values can be preceded by: =: (for equal) - default
# r: (for ossec regexes)
# >: (for strcmp greater)
# <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
-
-
-
# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
-[Disabled Registry tools set] [any] []
-r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-
-
+[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] []
+r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
+r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
# http://support.microsoft.com/kb/825750
-[DCOM disabled] [any] []
+[DCOM disabled {PCI_DSS: 10.6.1}] [any] []
r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
-
-
# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[LM authentication allowed (weak passwords)] [any] []
+[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] []
r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
-
-
# http://research.eeye.com/html/alerts/AL20060813.html
# Disabled by some Malwares (sometimes by McAfee and Symantec
# security center too).
-[Firewall/Anti Virus notification disabled] [any] []
+[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] []
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
-
-
# Checking for the microsoft firewall.
-[Microsoft Firewall disabled] [all] []
+[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] []
r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;
r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;
-
-
#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[Null sessions allowed] [any] []
+[Null sessions allowed {PCI_DSS: 11.4}] [any] []
r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
-
-
-[Error reporting disabled] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
+[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
-
-
# http://support.microsoft.com/default.aspx?scid=315231
-[Automatic Logon enabled] [any] [http://support.microsoft.com/default.aspx?scid=315231]
+[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231]
r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
-
-[Winpcap packet filter driver found] [any] []
+[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
f:%WINDIR%\System32\drivers\npf.sys;
-
-
-# EOF #