X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Frootcheck%2Fdb%2Fwin_audit_rcl.txt;h=34d85161b6d4d8c2f98335c465f897ef15f2c3ba;hp=6ce8ddd754aec1cb2bd1ff6ab77fad7abcc09661;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b diff --git a/src/rootcheck/db/win_audit_rcl.txt b/src/rootcheck/db/win_audit_rcl.txt index 6ce8ddd..34d8516 100644 --- a/src/rootcheck/db/win_audit_rcl.txt +++ b/src/rootcheck/db/win_audit_rcl.txt @@ -1,11 +1,8 @@ -# @(#) $Id: ./src/rootcheck/db/win_audit_rcl.txt, 2011/09/08 dcid Exp $ - -# -# OSSEC Windows Audit - (C) 2007 Daniel B. Cid - dcid@ossec.net +# OSSEC Linux Audit - (C) 2018 OSSEC Project # # Released under the same license as OSSEC. # More details at the LICENSE file included with OSSEC or online -# at: http://www.ossec.net/en/licensing.html +# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE # # [Application name] [any or all] [reference] # type:; 
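Review bot: The replacement header `+# OSSEC Linux Audit - (C) 2018 OSSEC Project` mislabels this database: the file is `src/rootcheck/db/win_audit_rcl.txt` and every entry below it is a Windows registry or `%WINDIR%` check, so the title appears to have been copied from the Linux rcl file. It should read `# OSSEC Windows Audit - (C) 2018 OSSEC Project` so that an analyst reading a rootcheck alert's source is not misled about which policy produced it.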
@@ -16,65 +13,51 @@ # - p (process running) # # Additional values: -# For the registry , use "->" to look for a specific entry and another +# For the registry and for directories, use "->" to look for a specific entry and another # "->" to look for the value. +# Also, use " -> r:^\. -> ..." to search all files in a directory # For files, use "->" to look for a specific value in the file. # -# Values can be preceeded by: =: (for equal) - default +# Values can be preceded by: =: (for equal) - default # r: (for ossec regexes) # >: (for strcmp greater) # <: (for strcmp lower) # Multiple patterns can be specified by using " && " between them. # (All of them must match for it to return true). - - - # http://technet2.microsoft.com/windowsserver/en/library/486896ba-dfa1-4850-9875-13764f749bba1033.mspx?mfr=true -[Disabled Registry tools set] [any] [] -r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; -r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; - - +[Disabled Registry tools set {PCI_DSS: 10.6.1}] [any] [] +r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; +r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1; # http://support.microsoft.com/kb/825750 -[DCOM disabled] [any] [] +[DCOM disabled {PCI_DSS: 10.6.1}] [any] [] r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N; - - # http://web.mit.edu/is/topics/windows/server/winmitedu/security.html -[LM authentication allowed (weak passwords)] [any] [] +[LM authentication allowed (weak passwords) {PCI_DSS: 10.6.1, 11.4}] [any] [] r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0; r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1; - - # http://research.eeye.com/html/alerts/AL20060813.html # Disabled by some Malwares (sometimes by McAfee and Symantec # security center 
too). -[Firewall/Anti Virus notification disabled] [any] [] +[Firewall/Anti Virus notification disabled {PCI_DSS: 10.6.1}] [any] [] r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0; r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0; r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0; r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0; - - # Checking for the microsoft firewall. -[Microsoft Firewall disabled] [all] [] +[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all] [] r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0; r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0; - - #http://web.mit.edu/is/topics/windows/server/winmitedu/security.html -[Null sessions allowed] [any] [] +[Null sessions allowed {PCI_DSS: 11.4}] [any] [] r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0; - - -[Error reporting disabled] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html] +[Error reporting disabled {PCI_DSS: 10.6.1}] [any] [http://windowsir.blogspot.com/2007/04/something-new-to-look-for.html] r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0; r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0; r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0; 
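Review bot: The `[Microsoft Firewall disabled {PCI_DSS: 10.6.1, 1.4}] [all]` entry only reads the Group Policy keys under `HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall`, which are present only on hosts where a firewall GPO has been applied, so a machine whose firewall was simply switched off locally never matches, and `[all]` further requires both the domain and standard profile to be off before anything fires. The locally-configured state lives under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile` and `...\StandardProfile` (value `EnableFirewall`), so a second entry of the same shape covering those two keys would close the gap; consider also `[any]` rather than `[all]`, since a single disabled profile is already a finding on a PCI-scoped host. Separately, `10.6.1` is the daily log-review requirement in PCI DSS 3.x, whereas these are configuration-hardening checks; the `2.2.x` configuration-standard controls look like the intended reference — worth confirming before the tags are relied on for compliance reporting.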
@@ -82,16 +65,10 @@ r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindow r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0; r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0; - - # http://support.microsoft.com/default.aspx?scid=315231 -[Automatic Logon enabled] [any] [http://support.microsoft.com/default.aspx?scid=315231] +[Automatic Logon enabled {PCI_DSS: 10.6.1}] [any] [http://support.microsoft.com/default.aspx?scid=315231] r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> DefaultPassword; r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1; - -[Winpcap packet filter driver found] [any] [] +[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] [] f:%WINDIR%\System32\drivers\npf.sys; - - -# EOF #
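Review bot: The two lines under `+[Automatic Logon enabled {PCI_DSS: 10.6.1}]` use the path `HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon`, but the real key is `Windows NT` with a space (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`), so neither the `DefaultPassword` nor the `AutoAdminLogon -> 1` check can ever match and a host with a cleartext auto-logon password in the registry is reported clean. Both `r:` lines should be changed to `r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword;` and `r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;`. The `[Winpcap packet filter driver found]` entry only looks for `npf.sys`; Npcap installs `npcap.sys` instead, so a second `f:%WINDIR%\System32\drivers\npcap.sys;` line would presumably be needed to catch current sniffer installs — confirm against the driver names in use.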