X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_audit_rcl.txt;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Fetc%2Fshared%2Fwin_audit_rcl.txt;h=0000000000000000000000000000000000000000;hp=34d85161b6d4d8c2f98335c465f897ef15f2c3ba;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hpb=3f728675941dc69d4e544d3a880a56240a6e394a
diff --git a/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt b/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt
deleted file mode 100644
index 34d8516..0000000
--- a/debian/ossec-hids/var/ossec/etc/shared/win_audit_rcl.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-# OSSEC Linux Audit - (C) 2018 OSSEC Project
-#
-# Released under the same license as OSSEC.
-# More details at the LICENSE file included with OSSEC or online
-# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
-#
-# [Application name] [any or all] [reference]
-# type:;
-#
-# Type can be:
-# - f (for file or directory)
-# - r (registry entry)
-# - p (process running)
-#
-# Additional values:
-# For the registry and for directories, use "->" to look for a specific entry and another
-# "->" to look for the value.
-# Also, use " -> r:^\. -> ..." to search all files in a directory
-# For files, use "->" to look for a specific value in the file.
-#
-# Values can be preceded by: =: (for equal) - default
-# r: (for ossec regexes)
-# >: (for strcmp greater)
-# <: (for strcmp lower)
-# Multiple patterns can be specified by using " && " between them.
-# (All of them must match for it to return true).
-
-# http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true
-[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] []
-r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;
-
-# http://support.microsoft.com/kb/825750
-[DCOM disabled {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;
-
-# http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] []
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;
-r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;
-
-# http://research.eeye.com/html/alerts/AL20060813.html
-# Disabled by some Malwares (sometimes by McAfee and Symantec
-# security center too).
-[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] []
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;
-
-# Checking for the microsoft firewall.
-[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] []
-r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;
-r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;
-
-#http://web.mit.edu/is/topics/windows/server/winmitedu/security.html
-[Null sessions allowed {PCI_DSS: 11.4}] [any] []
-r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
-
-[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html]
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;
-r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;
-
-# http://support.microsoft.com/default.aspx?scid=315231
-[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231]
-r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword;
-r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;
-
-[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
-f:%WINDIR%\System32\drivers\npf.sys;