X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fcis_debianlinux7-8_L2_rcl.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fcis_debianlinux7-8_L2_rcl.txt;h=621152ebbcc3729676002248dee620401b80f1b4;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b diff --git a/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt new file mode 100644 index 0000000..621152e --- /dev/null +++ b/debian/ossec-hids/var/ossec/etc/shared/cis_debianlinux7-8_L2_rcl.txt @@ -0,0 +1,245 @@ +# OSSEC Linux Audit - (C) 2018 +# +# Released under the same license as OSSEC. +# More details at the LICENSE file included with OSSEC or online +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE +# +# [Application name] [any or all] [reference] +# type:; +# +# Type can be: +# - f (for file or directory) +# - r (registry entry) +# - p (process running) +# +# Additional values: +# For the registry and for directories, use "->" to look for a specific entry and another +# "->" to look for the value. +# Also, use " -> r:^\. -> ..." to search all files in a directory +# For files, use "->" to look for a specific value in the file. +# +# Values can be preceeded by: =: (for equal) - default +# r: (for ossec regexes) +# >: (for strcmp greater) +# <: (for strcmp lower) +# Multiple patterns can be specified by using " && " between them. +# (All of them must match for it to return true). + +# Level 2 CIS Checks for Debian Linux 7 and Debian Linux 8 +# Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81) +# +# +$rc_dirfiles=/etc/rc0.d/*,/etc/rc1.d/*,/etc/rc2.d/*,/etc/rc3.d/*,/etc/rc4.d/*,/etc/rc5.d/*,/etc/rc6.d/*,/etc/rc7.d/*,/etc/rc8.d/*,/etc/rc9.d/*,/etc/rca.d/*,/etc/rcb.d/*,/etc/rcc.d/*,/etc/rcs.d/*,/etc/rcS.d/*; +# +# +#2.18 Disable Mounting of cramfs Filesystems +[CIS - Debian Linux 7/8 - 2.18 Disable Mounting of cramfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install cramfs /bin/true; +# +# +#2.19 Disable Mounting of freevxfs Filesystems +[CIS - Debian Linux 7/8 - 2.19 Disable Mounting of freevxfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install freevxfs /bin/true; +# +# +#2.20 Disable Mounting of jffs2 Filesystems +[CIS - Debian Linux 7/8 - 2.20 Disable Mounting of jffs2 Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install jffs2 /bin/true; +# +# +#2.21 Disable Mounting of hfs Filesystems +[CIS - Debian Linux 7/8 - 2.21 Disable Mounting of hfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install hfs /bin/true; +# +# +#2.22 Disable Mounting of hfsplus Filesystems +[CIS - Debian Linux 7/8 - 2.22 Disable Mounting of hfsplus Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install hfsplus /bin/true; +# +# +#2.23 Disable Mounting of squashfs Filesystems +[CIS - Debian Linux 7/8 - 2.23 Disable Mounting of squashfs Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install squashfs /bin/true; +# +# +#2.24 Disable Mounting of udf Filesystems +[CIS - Debian Linux 7/8 - 2.24 Disable Mounting of udf Filesystems] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/modprobe.d/CIS.conf; +f:/etc/modprobe.d/CIS.conf -> !r:^install udf /bin/true; +# +# +#4.5 Activate AppArmor +[CIS - Debian Linux 7/8 - 4.5 Activate AppArmor] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:/etc/default/grub -> !r:apparmor=1 && !r:security=apparmor; +# +# +#8.1.1.1 Configure Audit Log Storage Size +[CIS - Debian Linux 7/8 - 8.1.1.1 Configure Audit Log Storage Size] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/auditd.conf; +f:/etc/audit/auditd.conf -> !r:max_log_file\s*=\s*\d+; +# +# +#8.1.1.2 Disable System on Audit Log Full +[CIS - Debian Linux 7/8 - 8.1.1.2 Disable System on Audit Log Full] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/auditd.conf; +f:/etc/audit/auditd.conf -> !r:^space_left_action\s*=\s*email; +f:/etc/audit/auditd.conf -> !r:^# && r:space_left_action\s*=\s*ignore|syslog|suspend|single|halt; +f:/etc/audit/auditd.conf -> !r:^action_mail_acct\s*=\s*root; +f:/etc/audit/auditd.conf -> !r:^admin_space_left_action\s*=\s*halt; +f:/etc/audit/auditd.conf -> !r:^# && r:admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single; +# +# +#8.1.1.3 Keep All Auditing Information +[CIS - Debian Linux 7/8 - 8.1.1.3 Keep All Auditing Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/auditd.conf; +f:/etc/audit/auditd.conf -> !r:^max_log_file_action\s*=\s*keep_logs; +f:/etc/audit/auditd.conf -> !r:^# && r:max_log_file_action\s*=\s*ignore|syslog|suspend|rotate; +# +# +#8.1.3 Enable Auditing for Processes That Start Prior to auditd +[CIS - Debian Linux 7/8 - 8.1.3 Enable Auditing for Processes That Start Prior to auditd] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*; +# +# +#8.1.4 Record Events That Modify Date and Time Information +[CIS - Debian Linux 7 - 8.1.4 Record Events That Modify Date and Time Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S clock_settime -k time-change; +f:/etc/audit/audit.rules -> !r:^-w /etc/localtime -p wa -k time-change; +# +# +#8.1.5 Record Events That Modify User/Group Information +[CIS - Debian Linux 7/8 - 8.1.5 Record Events That Modify User/Group Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /etc/group -p wa -k identity; +f:/etc/audit/audit.rules -> !r:^-w /etc/passwd -p wa -k identity; +f:/etc/audit/audit.rules -> !r:^-w /etc/gshadow -p wa -k identity; +f:/etc/audit/audit.rules -> !r:^-w /etc/shadow -p wa -k identity; +f:/etc/audit/audit.rules -> !r:^-w /etc/security/opasswd -p wa -k identity; +# +# +#8.1.6 Record Events That Modify the System's Network Environment +[CIS - Debian Linux 7/8 - 8.1.6 Record Events That Modify the System's Network Environment] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale; +f:/etc/audit/audit.rules -> !r:^-w /etc/issue -p wa -k system-locale; +f:/etc/audit/audit.rules -> !r:^-w /etc/issue.net -p wa -k system-locale; +f:/etc/audit/audit.rules -> !r:^-w /etc/hosts -p wa -k system-locale; +f:/etc/audit/audit.rules -> !r:^-w /etc/network -p wa -k system-locale; +# +# +#8.1.7 Record Events That Modify the System's Mandatory Access Controls +[CIS - Debian Linux 7/8 - 8.1.7 Record Events That Modify the System's Mandatory Access Controls] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /etc/selinux/ -p wa -k MAC-policy; +# +# +#8.1.8 Collect Login and Logout Events +[CIS - Debian Linux 7/8 - 8.1.8 Collect Login and Logout Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /var/log/faillog -p wa -k logins; +f:/etc/audit/audit.rules -> !r:^-w /var/log/lastlog -p wa -k logins; +f:/etc/audit/audit.rules -> !r:^-w /var/log/tallylog -p wa -k logins; +# +# +#8.1.9 Collect Session Initiation Information +[CIS - Debian Linux 7/8 - 8.1.9 Collect Session Initiation Information] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /var/run/utmp -p wa -k session; +f:/etc/audit/audit.rules -> !r:^-w /var/log/wtmp -p wa -k session; +f:/etc/audit/audit.rules -> !r:^-w /var/log/btmp -p wa -k session; +# +# +#8.1.10 Collect Discretionary Access Control Permission Modification Events +[CIS - Debian Linux 7/8 - 8.1.10 Collect Discretionary Access Control Permission Modification Events] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\; +f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\; +f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\; +f:/etc/audit/audit.rules -> !r:^lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod; +# +# +#8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files +[CIS - Debian Linux 7/8 - 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\; +f:/etc/audit/audit.rules -> !r:^-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\; +f:/etc/audit/audit.rules -> !r:^-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access; +# +# +#8.1.13 Collect Successful File System Mounts +[CIS - Debian Linux 7/8 - 8.1.13 Collect Successful File System Mounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts; +# +# +#8.1.14 Collect File Deletion Events by User +[CIS - Debian Linux 7/8 - 8.1.14 Collect File Deletion Events by User] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\; +f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k delete; +# +# +#8.1.15 Collect Changes to System Administration Scope (sudoers) +[CIS - Debian Linux 7/8 - 8.1.15 Collect Changes to System Administration Scope (sudoers)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /etc/sudoers -p wa -k scope; +# +# +#8.1.16 Collect System Administrator Actions (sudolog) +[CIS - Debian Linux 7/8 - 8.1.16 Collect System Administrator Actions (sudolog)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /var/log/sudo.log -p wa -k actions; +# +# +#8.1.17 Collect Kernel Module Loading and Unloading +[CIS - Debian Linux 7/8 - 8.1.17 Collect Kernel Module Loading and Unloading] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-w /sbin/insmod -p x -k modules; +f:/etc/audit/audit.rules -> !r:^-w /sbin/rmmod -p x -k modules; +f:/etc/audit/audit.rules -> !r:^-w /sbin/modprobe -p x -k modules; +f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|-a always,exit -F arch=b64 -S init_module -S delete_module -k modules; +# +# +#8.1.18 Make the Audit Configuration Immutable +[CIS - Debian Linux 7/8 - 8.1.18 Make the Audit Configuration Immutable] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/etc/audit; +f:!/etc/audit/audit.rules; +f:/etc/audit/audit.rules -> !r:^-e 2$; +# +# +#8.3.1 Install AIDE +[CIS - Debian Linux 7/8 - 8.3.1 Install AIDE] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:!/usr/sbin/aideinit; +# +# +#8.3.2 Implement Periodic Execution of File Integrity +[CIS - Debian Linux 7/8 - 8.3.2 Implement Periodic Execution of File Integrity] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81] +f:/etc/crontab -> !r:/usr/sbin/aide --check; +#