X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Frootcheck%2Fdb%2Fsystem_audit_rcl.txt;h=56cd4cdc47bff28eda3fd85f8fd544946a0bb315;hp=fb747c4632e7a782cd0c0d0f66a3ffa8eed2d328;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/rootcheck/db/system_audit_rcl.txt b/src/rootcheck/db/system_audit_rcl.txt
index fb747c4..56cd4cd 100644
--- a/src/rootcheck/db/system_audit_rcl.txt
+++ b/src/rootcheck/db/system_audit_rcl.txt
@@ -1,11 +1,8 @@
-# @(#) $Id: ./src/rootcheck/db/system_audit_rcl.txt, 2012/02/13 dcid Exp $
-
-#
-# OSSEC Linux Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net
+# OSSEC Linux Audit - (C) 2018 OSSEC Project
 #
 # Released under the same license as OSSEC.
 # More details at the LICENSE file included with OSSEC or online
-# at: http://www.ossec.net/en/licensing.html
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
 #
 # [Application name] [any or all] [reference]
 # type:;
@@ -16,97 +13,83 @@
 # - d (any file inside the directory)
 #
 # Additional values:
-# For the registry , use "->" to look for a specific entry and another
+# For the registry and for directories, use "->" to look for a specific entry and another
 # "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
 # For files, use "->" to look for a specific value in the file.
 #
-# Values can be preceeded by: =: (for equal) - default
+# Values can be preceded by: =: (for equal) - default
 # r: (for ossec regexes)
 # >: (for strcmp greater)
 # <: (for strcmp lower)
 # Multiple patterns can be specified by using " && " between them.
 # (All of them must match for it to return true).
-
-$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
-$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
+$php.ini=/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini,/usr/local/etc/php.ini;
+$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
 # PHP checks
-[PHP - Register globals are enabled] [any] [http://www.ossec.net/wiki]
+[PHP - Register globals are enabled] [any] []
 f:$php.ini -> r:^register_globals = On;
-
 # PHP checks
 [PHP - Expose PHP is enabled] [any] []
 f:$php.ini -> r:^expose_php = On;
-
 # PHP checks
 [PHP - Allow URL fopen is enabled] [any] []
 f:$php.ini -> r:^allow_url_fopen = On;
-
-
 # PHP checks
 [PHP - Displaying of errors is enabled] [any] []
 f:$php.ini -> r:^display_errors = On;
-
 # PHP checks - consider open_basedir && disable_functions
 ## Looking for common web exploits (might indicate that you are owned).
-## Using http://www.ossec.net/wiki/index.php/WebAttacks_links as a reference.
-#[Web exploits - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
+## Using http://dcid.me/blog/logsamples/webattacks_links as a reference.
+#[Web exploits - Possible compromise] [any] []
 #d:$web_dirs -> .txt$ -> r:^ ^.yop$;
-[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
 d:$web_dirs -> ^id$;
-[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
 d:$web_dirs -> ^.ssh$;
-[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
 d:$web_dirs -> ^...$;
-[Web exploits (uncommon file name inside htdocs) - Possible compromise] [any] [http://www.ossec.net/wiki/index.php/WebAttacks_links]
+[Web exploits (uncommon file name inside htdocs) - Possible compromise {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
 d:$web_dirs -> ^.shell$;
-
 ## Looking for outdated Web applications
 ## Taken from http://sucuri.net/latest-versions
-[Web vulnerability - Outdated WordPress installation] [any] [http://sucuri.net/latest-versions]
-d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '3.2.1';
-
-[Web vulnerability - Outdated Joomla (v1.0) installation] [any] [http://sucuri.net/latest-versions]
-d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'1.0';
+[Web vulnerability - Outdated WordPress installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = '4.4.2';
-#[Web vulnerability - Outdated Joomla (v1.5) installation] [any] [http://sucuri.net/latest-versions]
-#d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'1.5' && r:'23'
+[Web vulnerability - Outdated Joomla installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
+d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8';
-[Web vulnerability - Outdated osCommerce (v2.2) installation] [any] [http://sucuri.net/latest-versions]
+[Web vulnerability - Outdated osCommerce (v2.2) installation {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://sucuri.net/latest-versions]
 d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;
-
 ## Looking for known backdoors
-[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode] [any] []
+[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
 d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;
-[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST] [any] []
+[Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST {PCI_DSS: 6.5, 6.6, 11.4}] [any] []
 d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;
-[Web vulnerability - .htaccess file compromised] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
+[Web vulnerability - .htaccess file compromised {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
 d:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;
-[Web vulnerability - .htaccess file compromised - auto append] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
+[Web vulnerability - .htaccess file compromised - auto append {PCI_DSS: 6.5, 6.6, 11.4}] [any] [http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html]
 d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;
-
-
-# EOF #
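Review bot: The rewritten Joomla check, `d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:'3.4.8';` under `[Web vulnerability - Outdated Joomla installation ...]`, fires only on a version.php that literally contains `'3.4.8'`, so every release older than that — exactly what an "Outdated" rule exists to report — produces no match, whereas the removed rules at least covered a whole major line (`r:'1.0'`). If, as I believe, Joomla 3.x declares `public $RELEASE = '3.4'` with the patch level in a separate `$DEV_LEVEL` field, neither the `var \.RELEASE` prefix nor the combined `'3.4.8'` string occurs in that file and the rule is dead on a current install; worth confirming against a real version.php before merging. The WordPress rule just above it has a related weakness: the file header documents `>:` as a strcmp comparison, so a byte-wise compare against `'4.4.2'` sorts `'4.10.0'` below it (reported as outdated) while `'4.5'` through `'4.9'` sort above it and pass, despite post-dating the pinned value. Because these pinned versions age quickly, the reference line should at least record when the snapshot was taken, e.g. `## Taken from http://sucuri.net/latest-versions (latest releases as of <SNAPSHOT-DATE>; bump when updating the checks)`.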